TLDR
- A 54-year-old retiree lost 1.2 million XRP worth $3 million after importing his hardware wallet seed phrase into Ellipal’s mobile app, converting his cold storage into a hot wallet
- The theft occurred on October 12, 2025, but was discovered three days later when the victim checked his balance
- Blockchain investigator ZachXBT traced the stolen funds through 120 cross-chain swaps to Tron, then to OTC desks linked to Huione, a sanctioned Southeast Asian payments network
- Over 95% of crypto recovery firms are predatory operations that charge high fees for basic reports with little chance of fund recovery
- Ellipal confirmed the security breach happened because entering a seed phrase into their mobile app stores private keys on the device, eliminating cold storage protection
Brandon LaRoque discovered his worst nightmare on October 15 when he checked his Ellipal wallet app. His 1.2 million XRP tokens, worth approximately $3 million, had vanished three days earlier.
The 54-year-old North Carolina resident had been accumulating XRP since 2017. The stolen funds represented nearly his entire retirement savings, which he and his 60-year-old wife had planned to use for buying a house in Las Vegas.
A Message to Our Community: Standing with Brandon LaRoque & Wallet Safety Awareness
We were saddened to learn that our U.S. user, @Blaroque, recently lost approximately $3 million worth of XRP — about 1.2 million XRP tokens in a hot wallet theft incident. Our hearts go out to… pic.twitter.com/KXFUPUKFX0
— ELLIPAL (@ellipalwallet) October 20, 2025
The theft occurred on October 12 at around 11:15 a.m. Eastern time. The attacker first made two test transactions of 10 XRP each, then swept the remaining 1,209,990 XRP to a newly created address.
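The pattern described above (small test payments, then a sweep of nearly the whole balance to an unfamiliar address) is something an account monitor can alert on within minutes rather than days. The following is an added example, not code from Ellipal or from the investigation; the thresholds, the placeholder addresses and the exact payment times are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds for this sketch; tune them to the account being watched.
PROBE_MAX_XRP = 50.0            # a payment this small counts as a possible test
SWEEP_FRACTION = 0.90           # a payment draining >= 90% of the balance is a sweep
WINDOW = timedelta(hours=1)     # probes must precede the sweep by no more than this

@dataclass
class Payment:
    time: datetime
    destination: str
    amount: float          # XRP sent
    balance_before: float  # XRP held just before the payment

def find_probe_then_sweep(payments, known_destinations):
    """Return (probes, sweep) for the first sweep to an unknown address that
    follows small payments to unknown addresses, or None if there is none."""
    ordered = sorted(payments, key=lambda p: p.time)
    for i, pay in enumerate(ordered):
        if pay.destination in known_destinations or pay.balance_before <= 0:
            continue
        if pay.amount / pay.balance_before < SWEEP_FRACTION:
            continue
        probes = [q for q in ordered[:i]
                  if q.amount <= PROBE_MAX_XRP
                  and q.destination not in known_destinations
                  and pay.time - q.time <= WINDOW]
        if probes:
            return probes, pay
    return None

def sample_history():
    """Constructed history: amounts follow the article, the exact times and
    the placeholder addresses are invented for the example."""
    t0 = datetime(2025, 10, 12, 11, 15)
    new = "rNEW_ADDRESS_PLACEHOLDER"
    return [
        Payment(t0 - timedelta(days=30), "rOWN_EXCHANGE_PLACEHOLDER", 25.0, 1_210_035.0),
        Payment(t0, new, 10.0, 1_210_010.0),
        Payment(t0 + timedelta(minutes=2), new, 10.0, 1_210_000.0),
        Payment(t0 + timedelta(minutes=5), new, 1_209_990.0, 1_209_990.0),
    ]

if __name__ == "__main__":
    hit = find_probe_then_sweep(sample_history(), {"rOWN_EXCHANGE_PLACEHOLDER"})
    if hit:
        probes, sweep = hit
        print(f"ALERT: {len(probes)} probe(s), then {sweep.amount:,.0f} XRP to {sweep.destination}")
```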
LaRoque believed his funds were secure in cold storage using an Ellipal hardware wallet. The reality was different. He had imported his hardware wallet seed phrase into Ellipal’s mobile app, which changed his security setup.
When a hardware wallet seed phrase is entered into a mobile or desktop app, the private keys are stored on that internet-connected device. This converts the wallet from cold storage to a hot wallet, making it vulnerable to attacks.
Ellipal released a statement on October 18 explaining the security implications. The company confirmed that importing a seed phrase into their mobile app stores the keys on the device. Its air-gapped hardware devices have not been the origin of any thefts.
LaRoque had the Ellipal app installed on both an iPhone and an iPad. His iPhone app displayed a blue background, which Ellipal says indicates a cold wallet connection. The iPad app showed an orange background, which signals a hot wallet setup.
Tracing the Stolen Funds
Blockchain investigator ZachXBT tracked the stolen XRP through its conversion path. The attacker created more than 120 Ripple-to-Tron bridge transactions using a service called Bridgers, formerly known as SWFT.
1/ A video went viral on YT this week after a US based victim lost $3.05M (1.2M XRP) from their Ellipal wallet.
Here’s the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts. pic.twitter.com/Gyw0OWjts4
— ZachXBT (@zachxbt) October 19, 2025
The funds were consolidated on the Tron blockchain at a specific wallet address. Within three days, the assets had moved to over-the-counter brokers connected to Huione. The U.S. Treasury recently sanctioned Huione, a Southeast Asian payments network, for laundering over $15 billion from scams, human trafficking, and cybercrime.
Some blockchain explorers labeled the transaction hops as “Binance” because Bridgers uses the exchange for liquidity. The cross-jurisdictional nature of the laundering pipeline makes disruption difficult even when blockchain trails are public.
LaRoque filed a report with the FBI’s Internet Crime Complaint Center. He also contacted local authorities but struggled to reach specialized cyber units quickly.
The Predatory Recovery Industry
ZachXBT warned that over 95% of crypto recovery companies are predatory operations. These firms charge large fees for basic reports that provide few actionable insights.
Many recovery firms use search engine optimization and social media targeting to find victims. They often provide only superficial blockchain reports or tell clients to contact the exchange directly.
The investigator noted that quick reporting to credible investigators and compliant platforms can improve the chances of freezing funds. However, recoveries are rare once assets move through cross-chain swaps and OTC venues.
LaRoque said smaller balances of other cryptocurrencies remained in his wallet. These included roughly $1,000 in XLM and about $900 in FLR.
The victim shared his experience in several YouTube videos posted since October 15. He said he wanted to warn others about the risks and seek guidance, while acknowledging the chances of recovering his funds are low.
For users seeking cold storage security, the lesson is clear: never type a hardware wallet seed phrase into a mobile or desktop app. Use a separate seed for any hot wallet and consider adding a BIP39 passphrase for high-value cold storage.
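Why the BIP39 passphrase matters, shown as an added example that is not part of the original article or any wallet vendor's code: the wallet seed is derived from the words plus the passphrase, so the words alone yield a different seed and therefore different keys. The mnemonic and passphrase used here are the public BIP39 test-vector values, not a real wallet, and the helper names are hypothetical.

```python
import hashlib
import hmac
import unicodedata

VALID_WORD_COUNTS = {12, 15, 18, 21, 24}  # mnemonic lengths defined by BIP39

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed that the wallet's keys are generated from."""
    words = unicodedata.normalize("NFKD", mnemonic).split()
    if len(words) not in VALID_WORD_COUNTS:
        raise ValueError(f"unexpected mnemonic length: {len(words)} words")
    # BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt is "mnemonic" + passphrase.
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", " ".join(words).encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)

def leak_exposes_wallet(mnemonic: str, wallet_passphrase: str) -> bool:
    """True if someone holding only the mnemonic words derives the same seed
    as the wallet, i.e. the wallet has no passphrase protecting it."""
    return hmac.compare_digest(bip39_seed(mnemonic),
                               bip39_seed(mnemonic, wallet_passphrase))

# Public BIP39 test-vector mnemonic and passphrase, not a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_PASSPHRASE = "TREZOR"

if __name__ == "__main__":
    print("words only     :", bip39_seed(TEST_MNEMONIC).hex()[:32], "...")
    print("with passphrase:", bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE).hex()[:32], "...")
    print("exposed without passphrase:", leak_exposes_wallet(TEST_MNEMONIC, ""))
    print("exposed with passphrase   :", leak_exposes_wallet(TEST_MNEMONIC, TEST_PASSPHRASE))
```

The passphrase only adds protection if it is never entered on the same internet-connected device as the words.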