ZachXBT exposes ‘Canadian’ scammer who stole $2 million via fake Coinbase support


Blockchain researcher ZachXBT has busted a Canada-based scammer who allegedly stole over $2 million in cryptocurrencies by impersonating Coinbase customer support, adding to the growing list of social engineering incidents targeting users of major exchanges.

In a series of posts about

ZachXBT tracks Coinbase scammers through screenshots and wallet data

Rather than technical exploits, the suspects relied on classic social engineering tactics to manipulate victims into believing their accounts were under threat and required immediate intervention, according to investigators.

ZachXBT said they were able to track the activity by cross-referencing screenshots shared in Telegram group chats, social media posts, and on-chain transaction data.

In one example dated December 30, 2024, the suspected scammer posted a screenshot boasting about stealing 21,000 XRP (worth approximately $44,000 at the time) from a Coinbase user.

Further analysis linked that XRP address to additional Coinbase-related thefts totaling approximately $500,000.

Investigators said the suspects routinely used instant exchange services to convert stolen XRP into Bitcoin, a move intended to hide the trail of transactions.


ZachXBT said that by analyzing the timing of transactions and wallet balances, they later identified a Bitcoin address that displayed a balance of approximately $237,000 in February 2025, matching a screenshot the suspect shared while showing off his funds in a private chat.

Tracing backwards from that address revealed more than $560,000 in theft by three additional Coinbase impersonators.

ZachXBT also shared a leaked screen recording that allegedly shows the suspect posing as a Coinbase support agent while talking to a victim.

In the video, the caller can be heard guiding the target through what appear to be fake security procedures, while falsely revealing email addresses and Telegram accounts associated with the operation.

The suspect reportedly bought an expensive Telegram username and deleted his old account to avoid detection, but his repeated online boasts made it easier to identify him.

Expansion of social engineering attacks increases losses for cryptocurrency users

The case came to light after Indian authorities recently arrested a former Coinbase customer support agent in Hyderabad in a separate data breach that affected nearly 70,000 users.

Coinbase CEO Brian Armstrong said the breach stemmed from a bribery scheme targeting offshore support staff, resulting in approximately $307 million in remediation and reimbursement costs.

Coinbase has refused to pay the $20 million ransom associated with the incident, instead launching a bounty program to assist with the investigation.

Social engineering scams like the one described by ZachXBT typically begin with an unsolicited phone call, text message, or email that appears to come from a legitimate company.

Scammers often increase urgency by claiming suspicious activity or an impending account compromise, pressuring victims to reveal login credentials, two-factor authentication codes, or transfer funds to a wallet controlled by the attacker.

The bust of the suspected Canadian fraudster follows other recent enforcement actions. In the United States, prosecutors have charged a 23-year-old Brooklyn resident with stealing about $16 million from about 100 Coinbase users using a similar impersonation scheme.

The investigation also relied on blockchain analysis, resulting in the seizure of cash and digital assets, and recovery efforts are ongoing.


Cryptocurrency theft remains prevalent, with more than $3.4 billion stolen across the industry from January to early December 2025, according to industry data.

Security experts continue to urge users not to respond to unsolicited messages, never share passwords or recovery phrases, and only contact support through the official website or app.

The post ZachXBT exposes ‘Canadian’ scammer who stole $2 million via fake Coinbase support appeared first on Cryptonews.
