Longtime HODLer says $3M worth of tokens was stolen from his cold wallet

A US retiree says more than $3 million in XRP disappeared after he checked Ellipal’s mobile app on October 15 and saw his balance gone, a discovery that spurred a tracking effort on the chain by pseudonymous analyst ZackXBT.

CoinDesk has not independently verified the investor’s identity, balances or complete on-chain path. The account stems from several YouTube videos posted since October 15, Ellipal’s public statement on October 18, and ZackXBT’s X thread on October 19.

What the victim says happened

The investor, who identified himself as Brandon, said he lives in North Carolina, is 54, and that his wife, 60, is also retired. He said the XRP position was almost all of their retirement savings and that they had planned to buy a house in Las Vegas.

He said he had been accumulating XRP since 2017 and previously had more but sold some for living expenses. In his YouTube videos, he said he discovered the theft by checking the Ellipal app on Wednesday, October 15, and then determined that the drain took place the previous Sunday, October 12.

He described two 10-XRP test moves around 11:15 AM ET, followed by a sweep of about 1,209,990 XRP to a newly created address, then rapid fan-out across dozens of wallets and eventually hundreds. He said smaller balances of other assets, including about $1,000 in XLM and about $900 in FLR, remained.

He said he filed with the FBI’s Internet Crime Complaint Center and contacted local authorities, but struggled to reach specialized cyber units quickly. He said he does not know exactly how the funds were taken from the wallet.

Ellipal’s explanation and the cold-to-hot wallet confusion

Ellipal said on October 18 that its notification indicated that the user had imported the hardware wallet’s passphrase into the Ellipal mobile app, which would recreate the wallet on an internet-connected device.

In an email to the user, Ellipal explained that if a cold wallet’s seed is used on a phone or tablet, the seed and resulting private keys would be stored on that device, effectively turning it into a hot wallet and significantly reducing security.

Brandon said he had Ellipal’s app on both an iPhone and an iPad. He mentioned that the iPhone app showed a blue background, which Ellipal told him signifies a cold wallet connection, and the iPad app showed an orange background, which Ellipal told him indicates a hot wallet.

Ellipal emphasized that its hardware devices are air-gapped and said it has not seen thefts stemming from the hardware itself. The company’s account points to user error, though that doesn’t itself prove how the compromise occurred.

Where the funds allegedly went, according to ZackXBT’s investigation

In an October 19 thread, ZackXBT said he identified the theft address by matching the video’s timing and amount. He reported that the attacker created more than 120 Ripple-to-Tron orders on October 12 using Bridgers, an exchange service formerly known as SWFT. He noted that some block explorers label these hops as “Binance” because Bridgers uses the exchange for liquidity.

He said the funds consolidated on Tron in the wallet TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw and on October 15 were dispersed to over-the-counter brokers next to Huione, an online marketplace in Southeast Asia that has been cited in recent public actions by US authorities. CoinDesk has not independently reproduced the full tracking or confirmed the ultimate recipients.

Recovery odds and user takeaways

ZackXBT warned that most “recovery” companies are predatory, often producing superficial reports while charging high fees. He said prompt reporting to credible investigators and compliant platforms can improve the odds of a flag or freeze, but recoveries are rare once funds move through cross-chain swaps and OTC venues.

For users, the core lesson is straightforward: if the goal is cold storage, never enter a hardware wallet’s seed into a mobile or desktop app. Use a separate seed for any hot wallet and consider a BIP39 passphrase for high-value cold storage.
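To make the passphrase advice concrete, here is an added example (not code from the article, from Ellipal, or from ZackXBT) that implements the standard BIP39 seed derivation in Python. It uses the public all-“abandon” BIP39 test-vector mnemonic as a constructed input, never a real wallet, and shows why a passphrase matters: the 12 or 24 words alone derive one wallet, and the same words plus a passphrase derive a completely different wallet, so whoever obtains only the words (for example by reading them off a phone that had the seed imported) does not obtain the passphrase-protected funds.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase.

    BIP39 specifies PBKDF2-HMAC-SHA512 with 2048 rounds, where the password is
    the NFKD-normalised mnemonic and the salt is "mnemonic" + NFKD(passphrase).
    Every distinct passphrase (even an empty one) maps to a distinct wallet; there
    is no "wrong passphrase" error, only a different set of keys.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# Constructed demo input: the well-known all-"abandon" BIP39 test vector.
# It is public and must never hold funds.
DEMO_MNEMONIC = "abandon " * 11 + "about"


def wallet_fingerprint(mnemonic: str, passphrase: str = "") -> str:
    """Short, non-sensitive identifier for the wallet a (mnemonic, passphrase) pair yields.

    Only a truncated hash of the seed is returned, so the value can be logged or
    compared without exposing key material.
    """
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:8]


def seeds_differ(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True if the two passphrases produce different wallets from the same words."""
    return bip39_seed(mnemonic, passphrase_a) != bip39_seed(mnemonic, passphrase_b)


def exposure_summary(mnemonic: str, cold_passphrase: str) -> dict:
    """Compare what an attacker holding only the words reaches versus the protected wallet.

    The words-only wallet (empty passphrase) is fully exposed once the mnemonic is
    typed into any online device; the passphrase wallet is not, as long as the
    passphrase itself was never entered there.
    """
    return {
        "words_only_wallet": wallet_fingerprint(mnemonic, ""),
        "passphrase_wallet": wallet_fingerprint(mnemonic, cold_passphrase),
        "passphrase_wallet_exposed_by_words_alone": not seeds_differ(
            mnemonic, "", cold_passphrase
        ),
    }


if __name__ == "__main__":
    # Constructed passphrase for the demonstration only.
    print(exposure_summary(DEMO_MNEMONIC, "correct horse battery staple"))
```

The design point is in the last field: with a non-empty passphrase the words alone never reproduce the cold wallet, which is exactly the property a user loses when the bare seed of a hardware wallet is recreated inside a phone app. The passphrase must itself be kept off internet-connected devices and backed up separately, since a forgotten passphrase is as unrecoverable as a lost seed.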

Brandon said the loss wiped out what he considered the couple’s retirement plan. He said he was sharing his experience to warn others and to seek guidance, while acknowledging that the chances of recovery are low.
