A year-long investigation linked “Haby” to multiple Coinbase support scams.
On-chain investigator ZachXBT has detailed a year-long investigation into a Canadian threat actor known as Haby, also referred to as Havard, who he claims has stolen more than $2 million through Coinbase support impersonation scams.
As per his latest findings, ZachXBT said Haby used social engineering tactics to trick Coinbase users into handing over access to their funds, before spending the stolen money on rare social media usernames, bottle service, and gambling.
Coinbase-Related Theft Network
According to the investigation, Haby openly bragged about his activities in private group chats. On December 30, 2024, he allegedly shared a screenshot showing a theft of 21,000 XRP, worth around $44,000 at the time, taken from a Coinbase user. A few days later, on January 3, 2025, he posted another screenshot from his Exodus wallet that included links to his Telegram and Instagram accounts.
ZachXBT said he matched historical wallet balances to these screenshots and linked the XRP address to two other Coinbase-related thefts. This brought the total traced amount to roughly $500,000. The investigator added that Haby regularly swapped stolen XRP into Bitcoin using instant exchange services. By analyzing the timing of these swaps, he managed to identify a Bitcoin address connected to Haby.
Further confirmation came in February 2025, when Haby reportedly showed off a wallet balance of $237,000 in a group chat, which matched the historical balance of the identified Bitcoin address. Upon tracing transactions from that address, he found three additional Coinbase impersonation scams, which added more than $560,000 to the total stolen.
The post also includes a leaked video that allegedly shows Haby actively social engineering a victim, during which his email address and Telegram contact were exposed. ZachXBT observed that Haby frequently flaunted his lifestyle on Instagram and Telegram, often ignoring basic operational security even as he was repeatedly warned by others to stop “flexing” his scams.
Based on open-source intelligence from his social media posts, Haby is believed to be located in Abbotsford, near Vancouver. ZachXBT said Canadian law enforcement may already be aware of him due to multiple swatting incidents linked to his personal details, and urged authorities to take action, while citing the large amount of publicly available evidence and Haby’s apparent lack of remorse for victims.
You may also like:
Social Engineering Attacks
Social engineering attacks are one of the most serious threats facing crypto users. An earlier report by ZachXBT revealed that at least $65 million was stolen from Coinbase users between December 2024 and January 2025 after attackers impersonated customer support using spoofed emails and phone numbers.
Victims were tricked into transferring funds or approving fraudulent wallet addresses.
Separate reports show the problem extends beyond a single platform. In the first half of 2025, over $2 billion was stolen across the crypto sector, and more than 80% of losses were tied to social engineering and insider-related attacks.
One recent case saw a single victim lose 783 Bitcoin, worth about $91 million, after scammers posed as wallet support. Security experts warn that leaked personal data and increasingly convincing impersonation tactics are making these scams harder to detect.
SECRET PARTNERSHIP BONUS for CryptoPotato readers: Use this link to register and unlock $1,500 in exclusive BingX Exchange rewards (limited time offer).
