An on-chain investigation has detailed how a single threat actor allegedly stole more than $2 million from Coinbase users over the past year by impersonating customer support and manipulating victims into granting access to their accounts.
The case, published by an independent researcher, highlights a broader security challenge facing brokers, exchanges, and fintech platforms: while infrastructure security has improved, fraud increasingly targets the human layer.
The threat actor, operating under the alias “Haby,” reportedly relied on low-tech but highly effective social engineering tactics to gain trust before draining user funds.
The Attack Vector: Social Engineering, Not Code
According to the investigation, the primary attack vector was not a software exploit but classic impersonation. Posing as a Coinbase support representative, the actor allegedly convinced users to authorize transactions or share account access under the guise of resolving urgent security issues.
Once funds were obtained, they were quickly laundered through a familiar on-chain playbook. Assets from multiple victims were consolidated, swapped across chains — including conversions from XRP to BTC via instant exchanges — and moved into personal wallets to obscure the transaction trail.
- Perpetual Futures Move $1.2 Trillion a Month as Crypto Spot Markets Lag
- How Coinbase Is Building a Gateway to Everything in Finance
- Is Coinbase Building A Secret Prediction Markets Site With Kalshi?
A Familiar Pattern Across the Industry
While the case centers on Coinbase, the underlying mechanics are increasingly familiar across the brokerage industry. Brand impersonation, phishing, and lookalike infrastructure have become some of the most common entry points for fraud.
Earlier this year, Tamas Szabo, CEO of Pepperstone, warned that taking down typosquatted domains has become a near-daily task. Even after securing hundreds of domain variations, new lookalikes continue to appear fast enough to occupy entire fraud teams.
Typosquatting itself is not a scam, but it enables phishing and impersonation at scale. Brokers across the market report a sharp rise in brand abuse driven by AI-assisted cloning tools and the near-zero cost of registering new domains — turning what was once an occasional nuisance into a continuous operational threat.
For brokers, exchanges, and fintech platforms, the case reinforces a shifting reality: as technical defences harden, attackers are increasingly targeting psychology, authority, and brand trust. Security strategies that focus solely on infrastructure, without addressing impersonation and social engineering, risk leaving the most exposed surface unprotected.
