A $3 million XRP theft incident left a US retiree’s Ellipal wallet empty, shedding light on the exploitative industry that targets victims post-hack.
Blockchain investigator ZachXBT traced the $3.05 million loss via over 120 cross-chain swaps, cautioning that many firms exploit desperate users by charging exorbitant fees for empty assurances of recovery.
$3 Million XRP Hack Unmasks Crypto’s Predatory Recovery Firms
The incident started when Brandon LaRoque found his 1.2 million XRP had been removed from his Ellipal wallet earlier this month. The stolen funds, currently valued at $2.88 million, represented the 54-year-old retiree’s life savings, accumulated since 2017.
He thought his assets were protected in cold storage but later discovered that entering his seed phrase into the Ellipal mobile app had turned the wallet into a hot wallet.
“I’ve been accumulating XRP for the past eight years,” LaRoque said in a YouTube video recalling the theft. “It was our whole retirement, and I don’t know what we’re going to do.”
ZachXBT’s on-chain analysis revealed that the attacker exchanged the stolen XRP through 120 Ripple-to-Tron bridge transactions, utilizing Bridgers (formerly SWFT), before pooling the funds on Tron.
Within three days, the assets disappeared into OTC desks associated with Huione, a payments network recently sanctioned by the US Treasury for laundering billions linked to scams, human trafficking, and cybercrime.
The case highlights a significant weakness in global enforcement by connecting the XRP theft to Huione’s network, which is accused of facilitating over $15 billion in illegal transfers.
This vulnerability persists even when blockchain trails are accessible, as cross-border laundering channels remain hard to disrupt.
Predatory Recovery Industry
Because law enforcement often struggles to react quickly, ZachXBT points to a recovery industry that capitalizes on the desperation of victims.
“Another lesson is >95% of recovery companies are predatory and charge high fees for basic reports with minimal actionable insights,” he wrote.
According to him, many of these firms use SEO and social-media strategies to attract victims, often providing only superficial blockchain analyses or directing clients to “contact the exchange.”
This secondary layer of exploitation transforms many significant hacks into multi-phase crimes—initially by the hacker and subsequently by fraudulent recovery firms promising to reclaim funds that are essentially lost.
Self-Custody Confusion and the Broader Risk
Beyond the laundering trails, the Ellipal situation has reignited discussions regarding the safety of self-custody. The victim’s confusion between Ellipal’s cold wallet and its app-based hot wallet reflects a broader issue of ambiguous wallet design and gaps in user education.
The likelihood of recovering LaRoque’s $3 million remains low, as few law enforcement agencies are equipped to tackle crypto-related crimes. The challenge is amplified by flourishing cross-border laundering networks like Huione.
However, as ZachXBT suggests, the real tragedy might be that the next round of losses may stem not from hackers, but from those purporting to assist in retrieving the lost funds.
