
A retired American claims that over $3 million in XRP was gone when he checked Ellipal’s mobile app on October 15, prompting an on-chain investigation by pseudonymous analyst ZackXBT.
CoinDesk has not independently verified the identity of the investor, their balances, or the entire on-chain transactions. This information is sourced from various YouTube videos posted after October 15, Ellipal’s public statement on October 18, and ZackXBT’s October 19 X thread.
The victim’s account of events
The investor, identifying himself as Brandon, stated he is 54 and lives in North Carolina, and his 60-year-old wife is also retired. He mentioned that the XRP holdings constituted nearly their entire retirement fund and that they had plans to purchase a house in Las Vegas.
Having accumulated XRP since 2017, he had previously sold some for daily expenses. In his YouTube videos, he revealed that he noticed the theft while checking the Ellipal app on Wednesday, October 15, and confirmed the theft occurred the prior Sunday, October 12.
Brandon reported two test transactions of 10 XRP at around 11:15 a.m. Eastern time, followed by a sweep of approximately 1,209,990 XRP to a newly created address, after which the funds moved rapidly across multiple wallets and eventually across hundreds. He noted that smaller holdings of other assets, roughly $1,000 in XLM and about $900 in FLR, remained.
He reported the incident to the FBI’s Internet Crime Complaint Center and reached out to local authorities, but faced challenges connecting with specialized cyber units swiftly. He admitted he does not understand precisely how the funds were extracted from the hot wallet.
Ellipal’s clarification regarding cold-to-hot wallet confusion
On October 18, Ellipal stated their review found that the user had entered the hardware wallet’s seed phrase into the Ellipal mobile application, consequently recreating the wallet on a device connected to the internet.
In communication with the user, Ellipal clarified that if a cold wallet’s seed is entered on a phone or tablet, that seed and the corresponding private keys would get stored on that device, effectively transforming it into a hot wallet and significantly compromising security.
Brandon confirmed he had Ellipal’s app on both an iPhone and an iPad. He noted that the iPhone app displayed a blue background, which Ellipal indicated signals a cold wallet connection, whereas the iPad app showed an orange background, signifying a hot wallet.
Ellipal emphasized the air-gapped nature of its hardware devices and stated it has not observed thefts originating from the hardware itself. However, the company pointed to user error without providing evidence of how the breach occurred.
Findings from ZackXBT’s investigation on fund movements
In a thread dated October 19, ZackXBT revealed that he tracked the theft address by correlating the timings and amounts from the video. He disclosed that the attacker executed over 120 Ripple-to-Tron transactions on October 12 using Bridgers, a swap service previously known as SWFT. He added that some block explorers label these hops as “Binance” since Bridgers uses the exchange for its liquidity.
The funds pooled on Tron at wallet TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw and were distributed to over-the-counter brokers linked to Huione, an online marketplace in Southeast Asia, which has been referenced in recent actions by U.S. authorities. CoinDesk has not independently verified the entire tracing or confirmed the final recipients.
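The two investigative steps described above, matching a victim’s off-chain description (amount and time) to a ledger payment to identify the receiving address, and recognising the test-then-sweep drain pattern, can be expressed as simple correlation logic. The following Python is an added illustration, not code from CoinDesk, ZackXBT or Ellipal; the ledger extract, the placeholder addresses and the pre-incident balance are constructed for the example, and it assumes the analyst already has the monitored account’s outgoing payments and approximate balance at hand.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Payment:
    ts: datetime      # ledger close time (naive datetime, one time zone assumed)
    src: str          # sending account
    dst: str          # receiving account
    amount: float     # amount in XRP


# Constructed sample ledger extract with placeholder addresses (not real accounts).
# It reproduces the shape of the reported incident: two 10 XRP test payments to a
# previously unseen address, then a near-total sweep minutes later, plus an
# unrelated earlier payment to a known destination that must not be flagged.
SAMPLE_PAYMENTS: List[Payment] = [
    Payment(datetime(2025, 10, 10, 9, 0), "rVICTIM_PLACEHOLDER", "rEXCHANGE_PLACEHOLDER", 500.0),
    Payment(datetime(2025, 10, 12, 11, 15), "rVICTIM_PLACEHOLDER", "rTHIEF_PLACEHOLDER", 10.0),
    Payment(datetime(2025, 10, 12, 11, 16), "rVICTIM_PLACEHOLDER", "rTHIEF_PLACEHOLDER", 10.0),
    Payment(datetime(2025, 10, 12, 11, 20), "rVICTIM_PLACEHOLDER", "rTHIEF_PLACEHOLDER", 1_209_990.0),
]
# Constructed pre-incident balance of the monitored account, in XRP (assumed known).
SAMPLE_BALANCES: Dict[str, float] = {"rVICTIM_PLACEHOLDER": 1_210_050.0}


def match_reported_transfer(payments: List[Payment], reported_amount: float,
                            reported_time: datetime, amount_tolerance: float = 0.01,
                            time_tolerance: timedelta = timedelta(minutes=30)) -> Optional[Payment]:
    """Find the one on-chain payment matching a victim's description.

    A payment matches when its amount is within a relative tolerance of the reported
    figure and its ledger time is within the tolerance window. Only a unique match is
    returned, so that an analyst is never handed an ambiguous address.
    """
    matches = [
        p for p in payments
        if abs(p.amount - reported_amount) <= amount_tolerance * reported_amount
        and abs(p.ts - reported_time) <= time_tolerance
    ]
    return matches[0] if len(matches) == 1 else None


def find_drain_candidates(payments: List[Payment], balances: Dict[str, float],
                          test_max: float = 20.0, sweep_share: float = 0.9,
                          window: timedelta = timedelta(hours=2)) -> List[dict]:
    """Flag the test-then-sweep pattern: a small first payment to a never-before-seen
    destination, followed within `window` by a payment from the same account to the
    same destination worth at least `sweep_share` of the account's known balance."""
    ordered = sorted(payments, key=lambda p: p.ts)
    seen_dst = set()      # destinations that already received a payment earlier
    hits: List[dict] = []
    for i, p in enumerate(ordered):
        fresh = p.dst not in seen_dst
        seen_dst.add(p.dst)
        if not fresh or p.amount > test_max or p.src not in balances:
            continue
        # p is a small first payment to a new destination: look for the sweep
        for q in ordered[i + 1:]:
            if q.ts - p.ts > window:
                break
            if q.src == p.src and q.dst == p.dst and q.amount >= sweep_share * balances[p.src]:
                hits.append({"src": p.src, "dst": p.dst, "test_at": p.ts,
                             "sweep_at": q.ts, "sweep_amount": q.amount})
                break
    return hits


if __name__ == "__main__":
    sweep = match_reported_transfer(SAMPLE_PAYMENTS, 1_200_000, datetime(2025, 10, 12, 11, 15))
    print("receiving address:", sweep.dst if sweep else None)
    for hit in find_drain_candidates(SAMPLE_PAYMENTS, SAMPLE_BALANCES):
        print("drain candidate:", hit)
```

The uniqueness rule in `match_reported_transfer` matters in practice: a reported "10 XRP around 11:15" matches both test payments in the sample and is therefore rejected, whereas the approximate sweep amount resolves to exactly one payment and hence one address. Real tracing then continues from that address hop by hop, which is where swap services and exchange-labelled addresses complicate the picture, as the article notes.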
Chances of recovery and user insights
ZackXBT warned that most “recovery” agencies are predatory, frequently generating superficial reports and charging exorbitant fees. He suggested that prompt reporting to reputable investigators and compliant platforms could enhance the chances of flagging or freezing the accounts, but actual recoveries are uncommon once funds are processed through cross-chain swaps and OTC markets.
The fundamental lesson for users is simple: if the intent is to maintain cold storage, never enter a hardware wallet’s seed into any mobile or desktop application. Use a separate seed for any hot wallet, and consider a BIP39 passphrase for high-value cold storage.
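Ellipal’s explanation and the closing advice both rest on one property of seed phrases: the mnemonic alone deterministically yields every private key, so any device that holds it holds the funds, and a BIP39 passphrase changes which wallet the mnemonic resolves to. The Python below is an added illustration, not code from the article, Ellipal or ZackXBT; it implements the BIP39 mnemonic-to-seed step (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus the passphrase) and uses the published BIP39 test-vector mnemonic, which is a documented test value rather than anyone’s wallet.

```python
import hashlib
import unicodedata
from typing import Dict, Iterable

# The public BIP39 test-vector mnemonic (all-zero entropy). It is a documented test
# value, not a real wallet, and is used here only to show the derivation.
TEST_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and an optional passphrase.

    Per BIP39 both strings are NFKD-normalised; the mnemonic is the PBKDF2 password
    and "mnemonic" + passphrase is the salt, with HMAC-SHA512 and 2048 iterations.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seeds_for_passphrases(mnemonic: str, passphrases: Iterable[str]) -> Dict[str, str]:
    """Map each candidate passphrase to the hex seed it produces from one mnemonic,
    showing that every distinct passphrase is a distinct wallet."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def exposure_report(mnemonic: str, real_passphrase: str) -> Dict[str, object]:
    """Compare what someone who obtains only the mnemonic (for example because it was
    typed into an internet-connected device) can derive against the wallet that
    actually holds funds when a passphrase is in use."""
    exposed = bip39_seed(mnemonic, "")                 # mnemonic alone
    funded = bip39_seed(mnemonic, real_passphrase)     # mnemonic + passphrase
    return {
        "exposed_seed": exposed.hex(),
        "funded_seed": funded.hex(),
        "same_wallet": exposed == funded,              # True only with no passphrase
    }


if __name__ == "__main__":
    report = exposure_report(TEST_MNEMONIC, "TREZOR")
    print("mnemonic alone reaches the funded wallet:", report["same_wallet"])
    for phrase, seed in seeds_for_passphrases(TEST_MNEMONIC, ["", "TREZOR", "trezor"]).items():
        print(repr(phrase), seed[:16] + "...")
```

Two caveats follow directly from the code. First, the passphrase is not a password on the mnemonic: any passphrase, including a mistyped one, yields a valid but different wallet, so it must be backed up as carefully as the words themselves. Second, a passphrase only helps if it is never entered on the same online device as the mnemonic; the protection comes from the mnemonic alone resolving to an empty wallet, as `same_wallet` being `False` shows.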
Brandon remarked that this loss obliterated what he considered their retirement plan. He expressed his desire to share his experience to caution others and seek advice, while fully aware of the low chances of recovery.