How On-Chain Investigators Exposed a $2M Coinbase Impersonation Fraud Ring
In a sophisticated scheme that highlights the vulnerabilities in crypto platform security, a Canadian fraudster successfully duped Coinbase users out of more than $2 million. Operating from Abbotsford near Vancouver, the attacker—known online as “Haby” or “Harvard”—posed as official Coinbase support staff to gain unauthorized access to victim accounts. Through carefully orchestrated phishing attacks and social engineering tactics, he systematically compromised user credentials and drained crypto holdings.
The Digital Trail That Led to Haby
The unraveling of this criminal operation began with meticulous on-chain detective work by ZachXBT, a renowned blockchain analyst specializing in tracking illicit fund movements. The breakthrough came when the scammer made a critical error: boasting about his activities on social media. In a post from late December 2024, Haby openly mentioned stealing $44,000 worth of XRP from one of his victims.
This public declaration provided the thread that investigators needed to pull. By cross-referencing the destination wallet address with historical transaction data, ZachXBT systematically connected multiple victim reports to the same perpetrator. The analysis revealed that Haby had targeted numerous Coinbase account holders, with each incident following a similar pattern. As ZachXBT noted in the investigation summary, “The extensive evidence in this case makes it an unusually easy win for law enforcement,” suggesting that the digital footprints left behind were comprehensive enough to support prosecution.
From Social Media Clues to Real-World Location
What made this case particularly revealing was how much personal information Haby carelessly shared across various platforms. His Telegram and Instagram accounts contained screenshots of wallet balances, unusual username registrations, and lifestyle spending patterns that seemed inconsistent with legitimate income sources. These digital breadcrumbs painted a portrait of someone enjoying sudden, unexplained wealth.
Investigators pieced together these social media clues alongside geographic metadata to narrow down his physical location to Abbotsford, British Columbia. The combination of public posts, transaction timings, and platform activity logs created a geographic profile that proved difficult to obscure. Coinbase users affected by this scam represented a specific target demographic, suggesting the attacker had researched and prioritized high-value accounts before launching his operation.
How Stolen Funds Were Laundered Through Crypto
The technical analysis of fund movement revealed a sophisticated money-laundering process. The stolen XRP tokens were rapidly converted into Bitcoin using instant-exchange services, a common tactic to obscure the criminal origin of funds. From there, the Bitcoin was fragmented across multiple wallet addresses, making traditional tracking significantly more difficult.
What proved particularly damaging was that portions of these stolen funds then flowed into online gambling platforms, a behavioral pattern that inadvertently left additional forensic evidence. Each transaction, timestamp, and intermediate wallet served as another data point in the investigation. The on-chain analysis painted a clear picture: systematic targeting of Coinbase users, rapid conversion of funds, attempted money laundering, and suspicious end-use patterns all pointed to the same criminal actor.
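The cross-referencing described above, linking separate victim reports through addresses their funds later share, can be sketched as follows. This is an added example, not code or data from the investigation: the ledger, every address label and the function names are constructed, and it assumes a single simplified account-style ledger rather than the XRP-to-Bitcoin path in the case. Pooled service addresses (exchange or gambling deposits) are excluded because unrelated users also pay into them.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (timestamp, source, destination, amount).
# Every address label below is a placeholder invented for this example.
TRANSFERS = [
    (100, "victim_A", "collect_1", 5.0),
    (110, "victim_B", "collect_2", 3.0),
    (120, "collect_1", "split_1", 2.5),
    (121, "collect_1", "split_2", 2.5),
    (130, "collect_2", "split_2", 3.0),
    (140, "split_1", "service_X", 2.5),
    (150, "split_2", "cashout_1", 5.5),
    (160, "victim_C", "service_X", 1.0),   # unrelated user of the same service
    (90, "split_2", "old_addr", 0.1),      # predates the thefts, must be ignored
]
SHARED_SERVICES = {"service_X"}  # assumed label for a pooled deposit address

def downstream(transfers, start, max_hops=4, stop_at=frozenset()):
    """Addresses reachable from `start` by following transfers forward in time."""
    out_edges = defaultdict(list)
    for ts, src, dst, _amount in transfers:
        out_edges[src].append((ts, dst))
    earliest = {start: 0}             # address -> earliest arrival time seen
    queue = deque([(start, 0, 0)])    # (address, arrival time, hops)
    while queue:
        addr, arrived, hops = queue.popleft()
        if hops == max_hops or addr in stop_at:
            continue                  # do not trace through pooled services
        for ts, dst in out_edges[addr]:
            if ts >= arrived and ts < earliest.get(dst, float("inf")):
                earliest[dst] = ts
                queue.append((dst, ts, hops + 1))
    return set(earliest) - {start}

def link_reports(transfers, victims, shared=frozenset(), max_hops=4):
    """Map each non-service address to the victims whose funds reach it (>= 2)."""
    reached_by = defaultdict(set)
    for victim in victims:
        for addr in downstream(transfers, victim, max_hops, shared):
            if addr not in shared:
                reached_by[addr].add(victim)
    return {a: v for a, v in reached_by.items() if len(v) >= 2}

if __name__ == "__main__":
    victims = ["victim_A", "victim_B", "victim_C"]
    for addr, who in sorted(link_reports(TRANSFERS, victims, SHARED_SERVICES).items()):
        print(addr, sorted(who))
```

Without the `shared` set, `service_X` would tie `victim_C` to `victim_A` even though the two reports have nothing else in common.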
Growing Security Threats: Coinbase’s Battle Against Account Takeovers
Haby’s $2 million fraud operation is merely one manifestation of a broader crisis affecting Coinbase and similar platforms. The exchange has faced surging impersonation scam attempts throughout 2025 and into 2026. A significant catalyst was a 2025 insider data breach that compromised sensitive information for approximately 70,000 high-net-worth clients, including names, email addresses, and phone numbers—the precise data needed to execute convincing phishing campaigns.
In response to this security failure, Coinbase mobilized aggressively. The platform announced a $20 million bounty fund and committed to reimbursing all confirmed victims. Later that year, law enforcement successfully arrested Ronald Spektor, who had orchestrated similar account takeover schemes targeting 100 Coinbase users and stealing $16 million. Spektor employed the same playbook: leveraging stolen customer data to impersonate Coinbase support and convincing victims to approve fraudulent fund transfers.
These coordinated fraud rings demonstrate that the threat landscape for Coinbase users continues to evolve. While exchanges strengthen technical defenses, the human element (phishing, social engineering, and impersonation) remains the primary attack vector. Both customers and the platform must adopt multi-layered security approaches, including hardware wallet usage, advanced authentication methods, and heightened skepticism toward any unsolicited communications claiming to represent official support channels.