Canadian Scammer Posing as Coinbase Support Exposed in $2 Million Crypto Theft
Another day, another crypto scam—but this one had a $2 million price tag and a Maple Leaf twist.
The Fake Support Racket
Forget phishing emails. This operation went straight for the jugular by impersonating frontline help. The scammer didn't just clone a website; they became the supposed lifeline for panicked traders, intercepting victims when they were most vulnerable. It's customer support as a weapon—a chillingly effective pivot in social engineering.
How the $2 Million Vanished
The playbook was simple: create urgency, establish fake authority, and bypass security through human error. No fancy smart contract exploits here—just old-fashioned confidence tricks dressed in crypto's clothing. Thefts like this underscore a brutal truth: the weakest link in blockchain security often sits between the chair and the keyboard.
The Aftermath and the Irony
While authorities work to trace the funds—a task both transparent and frustrating on a public ledger—the incident serves as a stark reminder. In an industry built on 'trustless' systems, we keep placing our trust in the wrong places. Maybe the real decentralized finance was the friends we didn't get scammed by along the way.
Let's be honest: if traditional finance had this level of public auditability for fraud, we'd have seen a run on banks just from the sheer embarrassment. Your keys, your crypto—and apparently, your problem when someone convinces you to hand them over.
ZachXBT traces theft via blockchain analysis.
Investigations began when Haby, on December 30, 2024, posted a screenshot showing a 21,000 XRP theft worth $44,000 from a Coinbase user. ZachXBT matched the wallet address to two additional Coinbase user thefts amounting to approximately $500,000. Analysis showed Haby had swapped stolen XRP to Bitcoin through instant exchanges.
9/ Additional screenshots taken from his IG show off more social engineering thefts.
One story post leaked "From "Harvi's MacBook Air"
A person from their chat even advised him to stop flexing so often. pic.twitter.com/YJQlbxTfyK
— ZachXBT (@zachxbt) December 29, 2025
Through timing analysis, ZachXBT tracked down Haby’s bitcoin address. In February 2025, Haby had shared screenshots in a group chat showing a wallet containing $237,000.
The Bitcoin balance for the identified address matched the screenshots from February 1, 2025. Tracing backward from this address uncovered three additional Coinbase support impersonation thefts totaling over $560,000.
The investigator linked the wallets to Haby through leaked information in social media posts and screen recordings. A leaked video showed Haby conducting a social engineering call with a target.
The screen recording exposed the email address and his Telegram account. Additional Instagram screenshots displayed posts bragging about social engineering thefts. One story post revealed “From Harvi’s MacBook Air” in the device information.
Scammer operated with poor operational security
Haby regularly posted stories and selfies on social media platforms displaying his lifestyle funded by stolen cryptocurrency. The posts showed purchases of expensive Telegram usernames, luxury items, bottle service, and gambling expenses. A member of his chat group advised him to stop posting about his activities so frequently.
The scammer appeared to have little concern for operational security. Social media analysis revealed his location in Abbotsford, NEAR Vancouver, British Columbia. OSINT performed on his story posts confirmed the location.
Haby frequently bought expensive Telegram usernames and deleted his most recent account two days before the investigation was published. Previous accounts showed his alias in various chats, confirming the authenticity of leaked screenshots.
Coinbase support impersonation scams escalated in 2025
The 2025 period was a rather challenging time for Coinbase users. Attackers moved from traditional phishing to precision targeting using data stolen from Coinbase support systems. A May 2025 insider data breach carried out highly effective impersonation scams throughout the year.
It involved bribery by cybercriminals who hired overseas customer support agents, mainly in Hyderabad, India, to steal internal data. Compromised information includes names, emails, phone numbers, home addresses, government ID images, and real-time account balances.
The attackers did not access the private keys and passwords directly. Overall, about 1% of Coinbase users were targeted, amounting to approximately 70,000 high-value clients.
Attackers demanded a $20 million ransom in exchange for deleting the stolen data. Coinbase declined the ransom demand, set up a $20 million bounty on the attackers, and refunded affected victims.
Multiple arrests happened in December 2025
Law enforcement activity peaked in December 2025 with several arrests related to Coinbase impersonation scams. Ronald Spektor of Brooklyn, New York, was charged with stealing $16 million from approximately 100 users.
His methodology involved using stolen customer data to pose as Coinbase “Elite Support” and alerting users to pending unauthorized transactions. He guided victims to MOVE funds to a “secure vault” that was actually a wallet he controlled.
Indian police arrested a former Coinbase support agent on December 29, 2025, connected to the May data theft. The arrest confirmed the bribed insider theory and was the first major law enforcement action against the source of the data leak.
If you're reading this, you’re already ahead. Stay there with our newsletter.
