Hodler claimed that $3m worth of tokens were stolen from his cold wallet


An American retiree said he lost more than $3 million in XRP, which he discovered when he checked Ellipal’s mobile app on October 15 and found his balance gone. The discovery prompted an on-chain tracking effort by pseudonymous analyst ZachXBT.
CoinDesk has not independently verified the investor's identity, his balance, or the complete on-chain path. The account comes from several YouTube videos posted since October 15, a statement Ellipal issued on October 18, and an October 19 X thread by ZachXBT.
What the victim said happened
The investor, who identified himself as Brandon, said he lives in North Carolina, is 54, and his wife, 60, is also retired. He said the XRP position was almost their entire retirement savings and they planned to buy a house in Las Vegas.
He said he has accumulated XRP since 2017 and had previously sold some of his holdings for living expenses. In his YouTube videos, he said he discovered the theft by checking the Ellipal app on Wednesday, October 15, and then determined that the drain had taken place the previous Sunday, October 12.
He described two 10-XRP test pulls at around 11:15 Eastern time, followed by a sweep of about 1,209,990 XRP to a newly created address, then a quick fan-out across dozens of wallets and eventually hundreds. He said smaller balances of other assets, including about $1,000 in XLM and about $900 in FLR, remained.
He said he filed a complaint with the FBI’s Internet Crime Complaint Center and contacted local authorities, but struggled to reach specialized cyber units quickly. He said he did not know exactly how the funds were taken from the hot wallet.
Ellipal’s explanation and the cold-for-hot confusion
Ellipal said on October 18 that its analysis indicated that the user had imported the hardware wallet's seed phrase into the Ellipal mobile app, which recreated the wallet on an internet-connected device.
In an email to the user, Ellipal explained that if the seed of a cold wallet is used on a phone or tablet, the seed and resulting private keys will be stored on that device, effectively turning it into a hot wallet and greatly reducing security.
Brandon says he has Ellipal’s app on both an iPhone and an iPad. He noted that the iPhone app showed a blue background, which Ellipal told him indicated a cold wallet connection, and the iPad app showed an orange background, which Ellipal told him indicated a hot wallet.
Ellipal stressed that its hardware devices are air-gapped and said it has not seen thefts originating from the hardware itself. The company’s account points to user error, though it does not by itself prove how the compromise occurred.
Where the funds reportedly went, per ZachXBT's investigation
In an October 19 thread, ZachXBT said he identified the theft by matching the timing and amounts described in the video. He reported that the attacker created more than 120 Ripple-to-Tron orders on October 12 using Bridgers, an exchange service formerly known as SWFT. He noted that some block explorers label the hops as “Binance” because Bridgers uses the exchange for liquidity.
He said that the funds were consolidated on Tron in the wallet TGF3HP5GEUPKARJEWKPVF2PVVCMRFE2BYW and on October 15 were dispersed to over-the-counter brokers adjacent to Huione, an online marketplace in Southeast Asia that was mentioned in recent actions by U.S. authorities. CoinDesk has not independently reproduced the full tracking or confirmed the final recipients.
Recovery odds and user takeaways
ZachXBT warned that most “recovery” companies are predatory, often producing shallow reports while charging high fees. He said prompt reporting to credible investigators and compliant platforms can improve the odds of flags or freezes, but recoveries are rare when funds move through cross-chain swaps and OTC venues.
For users, the main lesson is straightforward: if the goal is cold storage, don’t type the seed of a hardware wallet into a mobile or desktop app. Use a unique seed for any hot wallet and consider a BIP39 passphrase for high-value cold storage.
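To illustrate the passphrase advice above (an added example, not code from CoinDesk, Ellipal or ZachXBT): BIP39 derives the wallet seed from the recovery words plus an optional passphrase, so a device that only ever saw the words cannot rebuild a passphrase-protected wallet. The wallet labels and the passphrase are constructed for the example; the words are the public BIP39 test vector.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test-vector words; never use them for real funds.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def exposed_wallets(mnemonic, typed_passphrases, wallets):
    """Labels of wallets an online device can rebuild once the words are typed in.

    typed_passphrases: passphrases that were also entered on that device.
    wallets: hypothetical label -> passphrase protecting it ("" = words alone).
    """
    # The words alone always yield the empty-passphrase seed.
    candidates = {""} | set(typed_passphrases)
    derivable = [bip39_seed(mnemonic, p) for p in candidates]
    return sorted(
        label for label, secret in wallets.items()
        if any(hmac.compare_digest(bip39_seed(mnemonic, secret), s)
               for s in derivable)
    )


# Constructed scenario: one set of recovery words backs two wallets.
WALLETS = {"everyday": "", "vault": "constructed example passphrase"}

if __name__ == "__main__":
    # Words typed into a phone app: only the passphrase-less wallet turns hot.
    print(exposed_wallets(TEST_MNEMONIC, [], WALLETS))
    # Words and the vault passphrase typed in: both wallets are hot.
    print(exposed_wallets(TEST_MNEMONIC, [WALLETS["vault"]], WALLETS))
```

The passphrase protects the vault only while it is never entered on an internet-connected device, and it does nothing for a wallet that uses the words alone.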
Brandon said the loss derailed what he considered the couple’s retirement plans. He said he shared his experience to warn others and seek guidance, while acknowledging the chances of recovery are low.



