Longtime HODLer Says $3M in Tokens Stolen From His Cold Wallet

A US retiree says more than $3 million in XRP vanished from his wallet, a loss he discovered on October 15 when he checked Ellipal’s mobile app and found his balance gone. The claim spurred an on-chain tracing effort by pseudonymous analyst ZackXBT.

CoinDesk has not independently verified the investor’s identity, balances, or the full on-chain path. The account is drawn from several YouTube videos posted since October 15, Ellipal’s public statement of October 18, and ZackXBT’s X thread of October 19.

What the victim said happened

The investor, who identified himself as Brandon, said he is 54 and lives in North Carolina, and that he and his wife, 60, are both retired. He said the XRP position represented almost all of their retirement savings and that they had planned to buy a house in Las Vegas.

He said he had been accumulating XRP since 2017 and previously held more but sold some to cover living expenses. In his YouTube videos, he said he discovered the theft by checking the Ellipal app on Wednesday, October 15, and then determined that the funds had been drained the previous Sunday, October 12.

He described two 10-XRP test transactions around 11:15 a.m. Eastern Time, followed by a sweep of approximately 1,209,990 XRP to a newly created address, then a rapid distribution to dozens of wallets and eventually hundreds. He said smaller balances of other assets remained, including about $1,000 in XLM and about $900 in FLR.

He said he filed a complaint with the FBI’s Internet Crime Complaint Center and contacted local authorities, but had difficulty quickly reaching cybercrime units. He said he did not know exactly how the funds were withdrawn from the hot wallet.

Ellipal’s explanation and the confusion between cold and hot

Ellipal said on Oct. 18 that its review indicated the user had imported the hardware wallet seed phrase into the Ellipal mobile app, which would recreate the wallet on an internet-connected device.

In an email to the user, Ellipal explained that if the seed of a cold wallet is used on a phone or tablet, the seed and resulting private keys would be stored on that device, effectively making it a hot wallet and significantly reducing security.

Brandon said he has the Ellipal app on an iPhone and iPad. He mentioned that the iPhone app showed a blue background, which Ellipal said denotes a connection to a cold wallet, and the iPad app showed an orange background, which Ellipal said denotes a hot wallet.

Ellipal stressed that its hardware devices are isolated and said it hasn’t seen any thefts originating from the hardware itself. The company’s account points to user error, although on its own it does not prove how the compromise occurred.

Where the funds may have gone, according to ZackXBT’s investigation

In an October 19 thread, ZackXBT said he identified the theft address by matching the timing and amounts described in the video. He reported that the attacker created more than 120 Ripple-to-Tron orders on October 12 using Bridgers, an exchange service formerly known as SWFT. He noted that some block explorers label these hops as “Binance” because Bridgers uses the exchange to obtain liquidity.

He said the funds were consolidated on Tron in the wallet TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw and on Oct. 15 were dispersed to over-the-counter brokers adjacent to Huione, a Southeast Asian online marketplace that has been cited in recent public actions by U.S. authorities. CoinDesk has not independently reproduced the full tracing or confirmed the final recipients.

Chances of recovery and takeaways for users

ZackXBT warned that most “turnaround” companies are predatory, often producing superficial reports while charging high fees. He said timely reporting to credible investigators and compliant platforms can improve the chances of funds being reported or frozen, but recoveries are rare once funds flow through cross-chain swaps and OTC venues.

For users, the main lesson is simple: if the goal is cold storage, don’t type the seed of a hardware wallet into a mobile or desktop app. Use a separate seed for any hot wallet and consider a BIP39 passphrase for high-value cold storage.
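Why a BIP39 passphrase helps can be shown with the standard derivation; the sketch below is an added example, not code from the article, Ellipal, or any wallet vendor. It assumes standard BIP39 and BIP32 behaviour, uses the public BIP39 test-vector mnemonic as constructed input, and the helper names `wallet_id` and `compare_exposure` are illustrative; whether a particular wallet supports passphrases is not stated in the article.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test-vector mnemonic (constructed sample input, never fund it).
TEST_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed = PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master(seed):
    """BIP32 master private key and chain code for a seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_id(seed):
    """Short, non-secret label for the wallet a seed leads to (hash of the master key)."""
    master_key, _chain_code = bip32_master(seed)
    return hashlib.sha256(master_key).hexdigest()[:16]


def compare_exposure(mnemonic, passphrase):
    """Wallet reachable from the words alone vs. the wallet behind words + passphrase."""
    words_only = wallet_id(bip39_seed(mnemonic))
    with_passphrase = wallet_id(bip39_seed(mnemonic, passphrase))
    return {
        "words_only": words_only,
        "with_passphrase": with_passphrase,
        "words_alone_reach_protected_wallet": words_only == with_passphrase,
    }


if __name__ == "__main__":
    # Constructed passphrase, for illustration only.
    for name, value in compare_exposure(TEST_MNEMONIC, "example passphrase").items():
        print(f"{name}: {value}")
```

The protection holds only if the funds sit in the passphrase-derived wallet and the passphrase itself is never entered on an internet-connected device.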

Brandon said the loss wiped out what he saw as the couple’s retirement plan. He said he shared his experience to warn others and seek advice, while recognizing the chances of recovery are low.
