A cryptocurrency thief allegedly stole over $2 million from Coinbase users by impersonating customer support, then made a series of careless mistakes by constantly showing off his wealth on social media. The case stands out not for sophisticated hacking techniques, but for how the suspect documented his own activities while spending the allegedly stolen funds at nightclubs and on luxury purchases.
The individual, known online as “Hobby” or “Harvard,” allegedly operated from the Vancouver area in Canada throughout 2024 and early 2025. His method was relatively simple: he would call Coinbase users, claim their accounts were compromised, and guide them through what he described as security steps that actually transferred their cryptocurrency to his own wallets.
The investigation began when blockchain investigator ZachXBT discovered a screenshot in a Telegram group chat showing a fresh theft of 21,000 XRP, worth approximately $44,000 at the time. By tracing the wallet address from that screenshot, Zach found connections to two other thefts, totaling around half a million dollars from just three incidents.
1/ Meet Haby (Havard), a Canadian threat actor who has stolen $2M+ via Coinbase support impersonation social engineering scams in the past year blowing the funds on rare social media usernames, bottle service, & gambling. pic.twitter.com/bBqrV7GmPi
— ZachXBT (@zachxbt) December 29, 2025
What made this case particularly straightforward for investigators was the suspect’s behavior on social media. He regularly posted screenshots showing his wallet balances, Instagram stories from expensive clubs, and gambling sessions.
In one particularly damaging post from January 2025, he shared a screenshot that included both his Telegram username and Instagram handle alongside his wallet information. In February, he posted another screenshot displaying $237,000, which investigators matched to the Bitcoin address they were already tracking.
Perhaps most remarkably, a video allegedly showing the suspect conducting a scam call while pretending to be Coinbase support was leaked. The screen recording reportedly displayed his email address, Telegram details, and phone number.
The suspect also spent considerable amounts of stolen cryptocurrency on rare Telegram usernames, likely as status symbols. He would regularly purchase premium usernames, then create new accounts using the same aliases across platforms, allowing investigators to connect the different accounts back to the same person.
This case emerged during a larger security crisis at Coinbase. In 2025, it was revealed that customer support agents at overseas call centers, primarily in India, had been bribed to steal internal user data directly from Coinbase’s systems. This breach affected roughly 70,000 accounts and exposed full names, addresses, phone numbers, email addresses, government identification photos, account balances, and transaction histories. The stolen information enabled scammers to make highly convincing calls to targets.
The individuals behind that data breach attempted to extort Coinbase for $20 million. The company refused to pay and instead offered a $20 million bounty to catch the attackers while promising to reimburse affected users.
By December 2025, authorities began making arrests related to Coinbase impersonation schemes. Indian police arrested a former Coinbase support agent connected to the data breach, and US prosecutors charged someone from Brooklyn with stealing approximately $16 million from about 100 Coinbase users using similar tactics.
Security experts emphasize that legitimate financial institutions and cryptocurrency exchanges never call customers requesting they transfer funds to different accounts, regardless of how urgent the situation appears. If such a call seems legitimate, customers should request a support ticket number and verify it directly with the company through official channels.
At the time of reporting, the suspect had deleted most of his social media accounts. However, blockchain investigator ZachXBT noted that all cryptocurrency transactions remain permanently recorded, creating an unchangeable evidence trail. He called on Canadian law enforcement to take action, though no publicly reported arrests or charges have been announced in this specific case.
