Haby is the name of an internet user who has exhibited an extravagant lifestyle throughout 2025. His life was conceived online through a lavish lifestyle that can only be described as a “scam”. From bottle service in nightclubs to high-stakes gambling and the purchase of rare Telegram usernames, his social media feeds projected the image of a wealthy young influencer. But according to a new investigation released this week, that lifestyle was bankrolled by the life savings of Coinbase users targeted in a ruthless impersonation scam.
On-chain investigator ZachXBT has publicly identified the individual as a resident of Abbotsford, British Columbia, alleging he is responsible for stealing more than $2 million in cryptocurrency. The exposure comes just days after U.S. and Indian law enforcement launched coordinated raids to dismantle the sophisticated fraud ring that enabled scammers like Haby to operate with terrifying precision.
The “Elite Support” Charade
The scam relied on a terrifyingly effective form of social engineering. Unlike generic phishing emails that cast a wide net, Haby’s operation was surgical. Scammers posing as Coinbase Elite Support contacted victims to warn them of a fictitious unauthorized transaction that was pending on their account. Scammers called from phone numbers that appeared to be Coinbase’s and possessed scary amounts of private data including victims’ full names, email addresses, and even their real-time account balances. Panic-stricken, the victims were guided to move their funds into a “secure vault” or a “temporary holding wallet” for safety. In reality, these wallets were controlled directly by the attacker. Once the funds were transferred to the recipient’s account then disappeared. The funds were then laundered via many instant exchange processors.
Tracking the Digital Breadcrumbs
The probe into Haby commenced however quietly on the 30th of December, 2024 after the conman sent a screenshot of a massive $44,000, or 21,000 XRP, he apparently stole from someone, with a private chat’s many people. Using this single image, ZachXBT was able to isolate the specific transaction on the blockchain.
From there, the trail widened. The investigator matched the wallet address to two additional thefts amounting to approximately $500,000. Through blockchain analysis, it was established that the stolen XRP had an established pattern where stolen XRP would immediately be exchanged for Bitcoin by using non-KYC (Know Your Customers) instant exchanges to hide the money trail.
As the blockchain is unchangeable, the screenshots shared by Haby would be used against him. A screenshot posted by Haby in February 2025 showed a balance of $237,000 on a Bitcoin wallet. By comparing the date and time of the post to the details on the chain of transactions, ZachXBT was able to find the specific wallet to which Haby had sent funds. By tracing back through the history of that wallet used, three additional impersonation thefts totalling $560,000 were identified.
Tripped Up by Vanity
While his technical laundering was competent, Haby’s operational security (OPSEC) was fatally flawed by his need for recognition. Investigating the theft of money directly lead to Haby through a series of simple social media mistakes.
Through a video showing Haby being tricked by a con artist of a social engineering attack, he was able to share his private email account and Telegram identification without meaning to. In addition, Haby’s Instagram page provided what can only be described as a collection of evidence. In one of the posts, celebrating the success of the theft, Haby posted a message stating, “Posted from Harvi’s MacBook Air”, along with detailed information about the device being used.
Through the use of open-source intelligence (OSINT), a precise geographical location for Haby was determined to be the Abbotsford region of Vancouver. Despite his co-conspirators warning him to be more discreet, Haby continued to post images of himself enjoying the benefits of his status and collecting expensive digital virtual collectible items, providing enough data points to bring researchers to Haby’s address.
The Insider Data Pipeline
Haby’s high level of sophistication when launching attacks on Coinbase was due in part to the large-scale data breach of Coinbase’s client database that occurred in May 2025. The exchange confirmed that cybercriminals had bribed an outsourced customer support representative located in Hyderabad, India, for help stealing private information about Coinbase clients.
This breach provided scammers with a “hit list” of approximately 70,000 high-value users, complete with government ID images and account details. Haby did not need to guess who had money; he bought the data and knew exactly who to call. Coinbase famously refused a $20 million ransom demand from the hackers, opting instead to refund victims and place a bounty on the perpetrators.
A Month of Reckoning
The exposure of Haby is part of a broader, rapid collapse of the fraud network as 2025 comes to a close. This December, law enforcement appears to have reached a high point in its activities involving scammers; this indicates that as a result of these increased activities, scammers will no longer experience the comforts of immunity and will experience more significant accountability for their actions.
Earlier this month, federal prosecutors in Brooklyn charged Ronald Spektor with stealing $16 million using nearly identical tactics. Meanwhile, in a breakthrough for the source of the data leak, Indian police arrested a former Coinbase support agent in Hyderabad on December 29. With the supply chain of stolen data cut off and leading operators now publicly identified, the net appears to be closing on one of the most damaging crypto fraud sprees of the year.




