ZachXBT Exposes Canadian Scammer Who Allegedly Stole Over $2 Million

Investigator ZachXBT says he identified a Canadian individual known online as “Haby” or “Haverd” as the person behind a Coinbase-focused impersonation scheme, built around customer-support social engineering. The core claim is simple: this wasn’t a smart-contract hack, it was a people-hack—convincing users to hand over access or send assets.

The attribution work blends two tracks that complement each other. On the on-chain side, the thread leans on blockchain tracing to follow where funds moved and how specific addresses interacted over time. On the off-chain side, it relies on open-source breadcrumbs to connect wallets to a real-world identity, then cross-checks whether the story holds up.

How the attribution chain is built

The evidence described is a mix of artifacts that are weak alone but stronger in combination. Wallet activity is cross-referenced against leaked screenshots, Telegram chat logs, social posts, and screen recordings to create a consistent timeline and identity trail. One detail cited is a December 2024 screenshot referencing an alleged theft of 21,000 XRP, followed by February 2025 group messages where the actor allegedly bragged about proceeds. The thread’s logic is that when screenshots and chats expose wallet identifiers, you can test those claims against immutable on-chain flows and see whether they match.

From there, the report claims a linkage between a Bitcoin address and identifiers present in messaging and email contexts, creating a connective tissue between crypto rails and human infrastructure. This is the modern shape of attribution: you don’t “prove” identity from chain data alone, you connect chain patterns to the mistakes people make off-chain.

What the scam looked like and why it worked

The alleged campaign used a classic playbook: impersonate Coinbase support, create urgency, and steer victims into revealing credentials or transferring assets. That matters operationally because it means the security failure is not primarily technical—it’s process, verification, and user behavior under pressure.

The write-up also argues the suspect’s operational security failed in predictable ways. Lifestyle spending and public-facing posts—luxury purchases, gambling, paid usernames, nightlife—are described as signals that helped triangulate identity. Whether or not every link holds, the takeaway is consistent: flashy visibility is the enemy of anonymity when you’re leaving permanent financial trails.

What this case really underscores is a structural weakness in retail crypto. Human-targeted attacks remain one of the highest-probability loss vectors because they bypass code and go straight through trust, urgency, and verification gaps. And the investigative model is maturing: chain analytics plus ordinary OSINT is increasingly enough to build a credible narrative that can be handed to regulators, platforms, or law enforcement.

The story moves from “public attribution” to “formal consequence” only if Canadian authorities publicly confirm investigative action or file charges.
