TLDR
- $3M in XRP stolen after investor imported seed into Ellipal mobile app.
- Ellipal confirmed wallet became hot once seed was added to mobile app.
- ZachXBT traced stolen funds through cross-chain swaps to Tron wallets.
- Recovery is unlikely after XRP was funneled through OTC and swap tools.
A U.S. investor has claimed he lost over $3 million worth of XRP in a recent crypto theft. The wallet maker, Ellipal, responded by saying the investor had unknowingly made his cold wallet vulnerable. The case has led to online tracking of the funds and warnings for other crypto holders about wallet safety.
Investor Says Wallet Was Emptied Without Warning
The investor, Brandon, a 54-year-old retiree from North Carolina, said he discovered the loss on October 15. He noticed his XRP balance was missing when checking the Ellipal app on his phone. He later traced the theft to October 12, when a large transaction moved over 1.2 million XRP out of his wallet.
He said he had stored most of his retirement savings in XRP, with plans to buy a house in Las Vegas. Two small 10-XRP test transactions were followed by a large transfer to a new wallet. Brandon said smaller amounts of other tokens, including $1,000 in XLM and $900 in FLR, were not taken.
He posted videos online to explain what happened and also said he filed a report with the FBI’s Internet Crime Complaint Center. He said he also contacted local police but had difficulty reaching cybercrime experts in time.
Ellipal Says Seed Import Turned Cold Wallet Into Hot Wallet
Ellipal released a statement on October 18 saying the issue happened because the wallet’s seed phrase was imported into the Ellipal app. The company said that importing a seed phrase into any device with internet access makes the wallet hot, which weakens its security.
In a message to the user, Ellipal explained that cold wallets remain offline and secure, but once a seed is added to a phone or tablet, it becomes hot. This means private keys are stored on that device and can be accessed if the device is compromised.
Brandon said he used the Ellipal app on both an iPhone and an iPad. He noted that the iPhone app had a blue background, and the iPad app had an orange one. Ellipal told him that blue signals a cold wallet connection while orange means a hot wallet.
The company also stated that it has not seen any thefts linked to its actual hardware devices. It believes this incident resulted from the seed import, not a flaw in its hardware.
Online Analyst Tracks Funds Across Multiple Blockchains
Crypto analyst ZachXBT shared an update on October 19, saying he traced the stolen XRP using on-chain data. He matched the transaction times and amounts to Brandon’s videos. He said the stolen XRP was quickly converted to other assets using a swap tool known as Bridgers, previously called SWFT.
According to ZachXBT, the attacker used over 120 Ripple-to-Tron swaps and then moved the funds to a Tron wallet. He said the tokens were then sent to over-the-counter brokers connected to Huione, a Southeast Asian marketplace under U.S. investigation.
He warned that once funds go through such swaps and OTC routes, recovery becomes very difficult. He also said most crypto recovery firms are not trustworthy and charge high fees for limited help.
Caution Urged for Wallet Users Handling Large Crypto Holdings
ZachXBT said fast action is key in such cases. Reporting the theft to exchanges and law enforcement early can sometimes help freeze assets. However, once funds are moved across chains and swapped quickly, stopping the flow becomes nearly impossible.
Brandon said he shared his experience to warn others. He admitted that the loss wiped out nearly all of the couple’s retirement funds. Experts now stress that users should never import a cold wallet’s seed into a hot wallet. They also advise using separate wallets for online and offline storage.