Kanadischer Betrüger enttarnt: Posing als Coinbase-Support klaut 2 Millionen Dollar in Krypto

Ein Betrüger aus Kanada hat sich als Coinbase-Support ausgegeben und damit Kunden um 2 Millionen Dollar in Kryptowährungen gebracht. Die Masche nutzte das Vertrauen in den bekannten Exchange aus.

Wie die Masche funktionierte

Der Scammer kontaktierte Opfer über gefälschte Support-Kanäle. Mit professionell wirkenden Phishing-Links und Drucktaktiken gelang es ihm, an Zugangsdaten und private Keys zu kommen. Ein klassischer Fall von Social Engineering – die Schwachstelle war der Mensch, nicht die Technologie.

Die dunkle Seite der Dezentralisierung

Transaktionen auf der Blockchain sind unwiderruflich. Sobald die Coins das Wallet verlassen haben, gibt es keine zentrale Instanz wie eine Bank, die den Diebstahl rückgängig machen kann. Das ist die Kehrseite der finanziellen Souveränität.

Ein teures Lehrgeld für die Branche

Solche Vorfälle sind Wasser auf die Mühlen traditioneller Finanzregulierer. Während die FSA in anderen Märkten schon schärfer zuschaut, zeigt der Fall: Eigenverantwortung ist das höchste Gut – und das größte Risiko. Am Ende zahlt immer jemand die Rechnung, meistens der, der am wenigsten Ahnung hat.

ZachXBT traces theft via blockchain analysis.

Investigations began when Haby, on December 30, 2024, posted a screenshot showing a 21,000 XRP theft worth $44,000 from a Coinbase user. ZachXBT matched the wallet address to two additional Coinbase user thefts amounting to approximately $500,000. Analysis showed Haby had swapped stolen XRP to Bitcoin through instant exchanges.

9/ Additional screenshots taken from his IG show off more social engineering thefts.

One Story post leaked "From "Harvi's MacBook Air"

A person from their chat even advised him to stop flexing so often. pic.twitter.com/YJQlbxTfyK

— ZachXBT (@zachxbt) December 29, 2025

Through timing analysis, ZachXBT tracked down Haby’s Bitcoin address. In February 2025, Haby had shared screenshots in a group chat showing a wallet containing $237,000.

The Bitcoin balance for the identified address matched the screenshots from February 1, 2025. Tracing backward from this address uncovered three additional Coinbase support impersonation thefts totaling over $560,000.

The investigator linked the wallets to Haby through leaked information in social media posts and screen recordings. A leaked video showed Haby conducting a social engineering call with a target.

The screen recording exposed the email address and his Telegram account. Additional Instagram screenshots displayed posts bragging about social engineering thefts. One story post revealed “From Harvi’s MacBook Air” in the device information.

Scammer operated with poor operational security

Haby regularly posted stories and selfies on social media platforms displaying his lifestyle funded by stolen cryptocurrency. The posts showed purchases of expensive Telegram usernames, luxury items, bottle service, and gambling expenses. A member of his chat group advised him to stop posting about his activities so frequently.

The scammer appeared to have little concern for operational security. Social media analysis revealed his location in Abbotsford, NEAR Vancouver, British Columbia. OSINT performed on his story posts confirmed the location.

Haby frequently bought expensive Telegram usernames and deleted his most recent account two days before the investigation was published. Previous accounts showed his alias in various chats, confirming the authenticity of leaked screenshots.

Coinbase support impersonation scams escalated in 2025

The 2025 period was a rather challenging time for Coinbase users. Attackers moved from traditional phishing to precision targeting using data stolen from Coinbase support systems. A May 2025 insider data breach carried out highly effective impersonation scams throughout the year.

It involved bribery by cybercriminals who hired overseas customer support agents, mainly in Hyderabad, India, to steal internal data. Compromised information includes names, emails, phone numbers, home addresses, government ID images, and real-time account balances.

The attackers did not access the private keys and passwords directly. Overall, about 1% of Coinbase users were targeted, amounting to approximately 70,000 high-value clients.

Attackers demanded a $20 million ransom in exchange for deleting the stolen data. Coinbase declined the ransom demand, set up a $20 million bounty on the attackers, and refunded affected victims.

Multiple arrests happened in December 2025

Law enforcement activity peaked in December 2025 with several arrests related to Coinbase impersonation scams. Ronald Spektor of Brooklyn, New York, was charged with stealing $16 million from approximately 100 users.

His methodology involved using stolen customer data to pose as Coinbase “Elite Support” and alerting users to pending unauthorized transactions. He guided victims to MOVE funds to a “secure vault” that was actually a wallet he controlled.

Indian police arrested a former Coinbase support agent on December 29, 2025, connected to the May data theft. The arrest confirmed the bribed insider theory and was the first major law enforcement action against the source of the data leak.

If you're reading this, you’re already ahead. Stay there with our newsletter.