A retired U.S. investor lost over $3 million worth of XRP after mistakenly treating a software-connected wallet as offline cold storage, raising serious red flags for crypto self-custody.
Key Takeaways
- A 54-year-old North Carolina retiree, Brandon LaRoque, says he lost 1.2 million XRP (~$3 million) after checking his Ellipal wallet on October 15 and seeing the balance gone.
- ZachXBT traced the theft to October 12, involving over 120 cross-chain swaps from Ripple to Tron using Bridgers, then laundered through OTC brokers tied to Huione Group.
- Ellipal says the loss was due to user error. The wallet seed was entered into a mobile app, turning cold storage into a hot wallet.
- Fund recovery is unlikely. Once assets move through bridges and OTCs, tracking becomes hard. Experts say most recovery services are scams.
What Happened?
Brandon LaRoque says he began accumulating XRP in 2017 and that the holdings represented nearly the couple’s entire retirement savings, intended for buying a house in Las Vegas. On October 15 he opened the Ellipal app and discovered the balance had been drained. He says the actual theft occurred on Sunday, October 12.
He described two small test transfers of 10 XRP each at around 11:15 a.m. Eastern, followed by a sweep of about 1,209,990 XRP to a newly created address and then rapid dispersal across dozens and eventually hundreds of wallets. Smaller balances in other assets, such as roughly $1,000 in XLM and $900 in FLR, remained untouched.
Brandon submitted a report to the Internet Crime Complaint Center (IC3) under the FBI but says he struggled to find specialized crypto theft investigators at the local level.
Cold Wallet or Hot Wallet?
Ellipal publicly noted on October 18 that its investigation showed Brandon had imported his hardware wallet seed into the mobile app. This action effectively stored the private keys on the device, converting the setup into a hot wallet exposed to the internet.
Brandon reports he had the Ellipal app on both an iPhone and iPad. The iPhone version displayed a blue background, which Ellipal states denotes cold wallet connection; the iPad version displayed orange, meaning hot wallet mode. He says the mixed signals added to his confusion.
Ellipal emphasized that its air-gapped hardware devices remain offline and that it has not seen thefts from the physical wallets themselves, but stressed that importing a seed into an app bypasses those protections.
Where the Funds Went
Blockchain investigator ZachXBT posted a detailed reconstruction. He identified the attacker’s move of more than 120 Ripple-to-Tron orders via Bridgers on October 12. Some block explorers label these swaps as “Binance” because Bridgers uses Binance for liquidity.
1/ A video went viral on YT this week after a US based victim lost $3.05M (1.2M XRP) from their Ellipal wallet.
Here’s the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts. pic.twitter.com/Gyw0OWjts4
— ZachXBT (@zachxbt) October 19, 2025
The trail led to a Tron wallet at address TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw, and by October 15 the funds were dispersed to over-the-counter brokers linked to the Huione Group, a Southeast Asian financial network recently sanctioned by the U.S. Treasury for large-scale money laundering activities.
Because the funds crossed chains and entered OTC channels, tracing them back to the victim or halting their flow is extremely difficult. Experts say such routes severely degrade the chances of any recovery.
Lessons for Crypto Holders
In my experience covering crypto custody incidents, this case illustrates a fundamental misunderstanding that still plagues many investors: thinking your funds are in cold storage when they are not. Even the best-marketed hardware wallet cannot protect you if the seed is imported into an internet-connected app.
CoinLaw’s Takeaway
I found this incident particularly striking because it combines a tremendous personal loss with a broader systemic lesson for the crypto community. This retired couple believed their savings were secure. Instead, a small misstep, a seed phrase entered into the wrong application, undid years of accumulation and a retirement plan. It is a painful reminder that the self-custody model demands discipline, clarity and ongoing vigilance.
Even hardened users sometimes blur the line between cold and hot. Wallet manufacturers, apps and user interfaces can inadvertently contribute to misperceptions. As the crypto landscape evolves and attackers gain sophistication, the weakest link increasingly lies not with the technology alone but with how people use and understand it.