Crypto sleuth ZachXBT has alleged that a “Canadian threat actor” stole over $2 million in cryptocurrency through social engineering scams that impersonate Coinbase support.

This case highlights a concerning trend: attacks targeting human behavior are now a significant threat in the Web3 ecosystem, resulting in substantial losses throughout 2025.

Inside the $2 Million Crypto Scam Operation

In a detailed thread posted on X (formerly Twitter), ZachXBT shared Telegram screenshots, social media posts, and wallet transactions to support his claims about the individual identified as Haby (Havard).

“Meet Haby (Havard), a Canadian threat actor who has stolen $2M+ via Coinbase support impersonation social engineering scams in the past year blowing the funds on rare social media usernames, bottle service, & gambling,” the investigator wrote.

ZachXBT’s investigation traced the alleged scammer activities from late 2024. The sleuth shared a screenshot reportedly posted by Haby in December 2024, pointing to a theft of 21,000 XRP, valued at approximately $44,000, from a Coinbase user.

Further wallet analysis linked a Bitcoin address attributed to the alleged scammer to additional thefts exceeding $560,000. Group chats reviewed by ZachXBT showed the individual boasting about wallet balances, including approximately $237,000 in February 2025.

A leaked video also appeared to show the alleged individual conducting an active social engineering call. The video revealed an email address and Telegram handles linked to the same online identity.

“Additional screenshots taken from his IG show off more social engineering thefts. One story post leaked From ‘Harvi’s MacBook Air.’ A person from their chat even advised him to stop flexing so often,” the post added.

Despite the substantial scale of theft, Haby showed poor operational security. The investigator documented how the scammer posted selfies and posts showing off his lifestyle. Lastly, ZachXBT urged the Canadian authorities to intervene.

“Canadian law enforcement may already be familiar with Haby since there’s been several swatting attempts involving his personal details locally. Unfortunately, Canada is a jurisdiction that rarely ever prosecutes threat actors from The Com. I hope Canadian LE makes an exception as Haby shows zero remorse for victims and it is a rather easy case due to the large quantity of evidence available,” he wrote.

WEB3 Security Under Pressure as Social Engineering Scams Escalate

This case reflects a broader security crisis across the cryptocurrency industry. Threat actors are increasingly relying on social engineering rather than purely technical exploits, using brand impersonation to gain credibility and lure victims. In one recent phishing campaign, attackers falsely posed as Booking.com to promote a fake crypto summit in Dubai.

Earlier this month, BeInCrypto reported that North Korean threat actors were impersonating trusted industry figures in fake Zoom and Microsoft Teams meetings to steal over $300 million.

Separately, in December 2025, authorities in India raided 21 locations across Karnataka, Maharashtra, and Delhi, dismantling a decade-old crypto Ponzi scheme. The multi-state operation uncovered fraudulent platforms, referral-based incentives, and aggressive social media marketing tactics that had been used to attract victims since 2015.

These incidents uncover a critical reality: alongside technical vulnerabilities, human psychology has become a primary target for attack. Rather than exploiting code, attackers increasingly manipulate trust, authority, and urgency.

This shift is echoed in a 2025 report by Kerberus, a Web3 security firm, which revealed that human behavior now represents the primary risk factor in the Web3 ecosystem.