Crypto researcher ZachXBT has claimed that a 'Canadian threat actor' stole over 2 million dollars in cryptocurrency through social manipulation scams featuring Coinbase support.
The case highlights a troubling trend: attacks aimed at human behavior are now a significant threat in the Web3 ecosystem, causing substantial financial losses by the year 2025.
Involved in a 2000000000 dollar cryptocurrency scam operation
ZachXBT published on X (formerly Twitter) a detailed thread in which he presented Telegram screenshots, social media posts, and wallet transactions related to the alleged individual, Haby (Havard).
"Here is Haby (Havard), a Canadian threat actor who has stolen over 2 million dollars in the past year by posing as Coinbase support and using social manipulation scams, wasting the money on rare social media usernames, bottle service, and gambling," the researcher wrote.
ZachXBT's investigations tracked the activities of the alleged scammer starting in late 2024. A published screenshot posted by Haby in December 2024 showed how 21,000 XRP were taken from a Coinbase user, worth about 44,000 dollars.
Further analysis of wallets linked the alleged scammer's Bitcoin address to new thefts worth over 560,000 dollars. In group chats verified by ZachXBT, Haby boasted about his wallet balances, for example, around 237,000 dollars in February 2025.
A leaked video also showed a person conducting an active social manipulation call. The video displayed an email address and Telegram handles linked to the same online identity.
"Screenshots taken from his IG reveal more social manipulation scams. One story featured 'Harvi’s MacBook Air.' A participant urged Haby to stop showcasing information too frequently," the post added.
Although the number of thefts was significant, Haby did not invest in his operational security. According to the researcher, he published selfies and posts showcasing his lifestyle. Ultimately, ZachXBT urged Canadian authorities to intervene.
"Canadian police may already be aware of Haby, as several swatting attempts related to his personal information have been made. Unfortunately, Canada is typically a jurisdiction where community threat actors are rarely prosecuted. However, I hope Canadian authorities make an exception in this case because Haby shows no remorse towards the victims, and it is quite a straightforward case due to the large amount of evidence," he noted.
Web3 security under pressure as social manipulation scams become more common.
This case reflects a broader security crisis in the cryptocurrency space. Threat actors are increasingly using social manipulation rather than pure technical attacks and are leveraging the presence of well-known brands to achieve credibility and lure victims. In a recent phishing campaign, attackers falsely posed as Booking.com promoting a fake Dubai crypto summit.
At the beginning of this month, BeInCrypto reported that North Korean threat actors posed as trusted industry figures in fabricated Zoom and Microsoft Teams meetings, successfully stealing over 300 million dollars.
Additionally, in December 2025, Indian authorities raided 21 locations in Karnataka, Maharashtra, and Delhi, dismantling a cryptocurrency Ponzi scheme that had been operating for ten years. The multi-state operation revealed scam platforms, referral-based rewards, and aggressive social media marketing that had been luring victims since 2015.
These cases illustrate an important fact: in addition to technical vulnerabilities, human psychology has become a primary target for attacks. Instead of code, attackers are increasingly manipulating trust, authority, and a sense of urgency.
Web3 security company Kerberos's 2025 report highlights this shift: human behavior is now the biggest risk factor in the Web3 ecosystem.
