{"id":13944,"date":"2025-10-20T10:00:06","date_gmt":"2025-10-20T17:00:06","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=13944"},"modified":"2025-10-31T09:18:45","modified_gmt":"2025-10-31T16:18:45","slug":"i-just-had-over-3000000-of-xrp-stolen-off-of-my-cold-wallet","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2025\/10\/20\/i-just-had-over-3000000-of-xrp-stolen-off-of-my-cold-wallet\/","title":{"rendered":"I Just Had Over $3,000,000 of XRP Stolen off of My Cold Wallet"},"content":{"rendered":"\n<p>This is super suspicious. One, you&#8217;ve been in crypto for quite a while and you&#8217;re holding your $3 million in XRP? Per my understanding, that was the property of a company handling international settlements and centrally controlled. The only cryptocurrency of value is <a href=\"https:\/\/jasonsblog.ddns.net\/index.php\/2025\/09\/12\/the-case-for-the-only-cryptocurrency-of-value-bitcoin\/\" target=\"_blank\" rel=\"noreferrer noopener\">Bitcoin<\/a>, due to the worldwide distribution of mining equipment outside the control of any one government, open-source nodes run by people distributed around the world outside the control of governments (you can compile and run your own), and its being cryptographically sound, so no central authority is needed, nor is one capable of reversing transactions. And Bitcoin has been gaining significantly in value over time, so why would you be invested in XRP if you know crypto? One angle is that this could be a setup for a donation scam. Or perhaps it is just a psyop to scare people away from self-custody and toward custodial wallets, and\/or to scare people away from cryptocurrencies altogether. Furthermore, this Ellipal cold wallet company is based out of Hong Kong and has closed-source software, humongous red flags. If he used the device to create the seed phrase, there might be a problem with their random number generator making a seed phrase attack possible, as China isn&#8217;t known for their quality.
And maybe his wallet was intercepted and flashed with malware, and he didn&#8217;t put verified firmware on it? If you don&#8217;t know what you&#8217;re doing, use proper consultants to help pick hardware and train you on security practices.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"I just had over $3,000,000 of XRP stolen off of my cold wallet\" width=\"1290\" height=\"726\" src=\"https:\/\/www.youtube.com\/embed\/qbrC240HVJQ?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>There was an update and it appears he typed his seed phrase into the wallet app on an iPad turning it into a hot wallet and wiping out the value of the air-gapped cold wallet (article below). So was the iPad hacked for the seed phrase or was the hardware wallet compromised? So if you&#8217;re going to self-custody a substantial amount of cryptocurrency and you don&#8217;t know what you&#8217;re doing, find some security consultants to help you navigate crypto choice, hardware, and security best practices. 
<\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_a2a74db5-d972-465c-93b8-3ca0c165cbd8\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<h1 class=\"wp-block-heading\">XRP Investor Says $3M in XRP Was Stolen; Cold Wallet Maker Says Seed Import Made Wallet Hot<\/h1>\n\n\n\n<h5 class=\"wp-block-heading\">Long-time XRP investor Brandon LaRoque says he discovered the loss on Oct. 15 in cold wallet maker Ellipal\u2019s mobile app, but the theft occurred on Oct. 12.<\/h5>\n\n\n\n<p>By Siamak Masnavi, AI Boost | Edited by Aoyon Ashraf<\/p>\n\n\n\n<p>Updated Oct 19, 2025, 12:01 p.m. Published Oct 19, 2025, 11:57 a.m.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.coindesk.com\/_next\/image?url=https%3A%2F%2Fcdn.sanity.io%2Fimages%2Fs3y3vcno%2Fproduction%2Fa76c7f177c8cbd64af93e464e7ab3c85812de274-3840x2160.png%3Fauto%3Dformat&amp;w=3840&amp;q=75\" alt=\"XRP Logo (Midjourney \/ Modified by CoinDesk)\"\/><figcaption class=\"wp-element-caption\">XRP Logo (Midjourney \/ Modified by CoinDesk)<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">What to know:<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>He says he found the loss on Oct. 15 in the Ellipal app; the theft happened on Oct. 12.<\/li>\n\n\n\n<li>Ellipal told him that if you type a hardware wallet\u2019s seed into the Ellipal app, the private keys are saved on your phone or tablet, turning it into a hot wallet.<\/li>\n\n\n\n<li>He says his iPhone app showed a blue \u201ccold\u201d view while his iPad showed an orange \u201chot\u201d view, per Ellipal\u2019s color cues.<\/li>\n\n\n\n<li>On-chain sleuth ZackXBT traced Oct. 
12 swaps via a bridge to Tron and then to OTC venues.<\/li>\n<\/ul>\n\n\n\n<p>An American retiree <a href=\"https:\/\/youtu.be\/lxcs94gQTTg?si=Y0HULhr-9LLXCm9N\" target=\"_blank\" rel=\"noreferrer noopener\">says<\/a> more than $3 million in XRP vanished after he checked Ellipal\u2019s mobile app on Oct. 15 and saw his balance gone, a discovery that spurred an on-chain tracing effort by pseudonymous analyst ZackXBT.<\/p>\n\n\n\n<p>CoinDesk has not independently verified the investor\u2019s identity, balances, or the complete on-chain path. The account comes from several YouTube videos posted since Oct. 15, Ellipal\u2019s public <a href=\"https:\/\/x.com\/ellipalwallet\/status\/1979565279412916431\" target=\"_blank\" rel=\"noreferrer noopener\">statement<\/a> on Oct. 18, and ZackXBT\u2019s Oct. 19 <a href=\"https:\/\/x.com\/zachxbt\/status\/1979899767212699910\" target=\"_blank\" rel=\"noreferrer noopener\">X thread<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What the victim says happened<\/h3>\n\n\n\n<p>The investor, who identified himself as Brandon, said he lives in North Carolina, is 54, and that his wife, 60, is also retired. He said the XRP position was almost their entire retirement savings and that they had planned to buy a house in Las Vegas.<\/p>\n\n\n\n<p>He said he had been accumulating XRP since 2017 and previously held more but sold some for living expenses. In his YouTube videos, he said he discovered the theft by checking the Ellipal app on Wednesday, Oct. 15, and then determined the drain occurred on the previous Sunday, Oct. 12.<\/p>\n\n\n\n<p>He described two 10-XRP test pulls around 11:15 a.m. 
Eastern time, followed by a sweep of about 1,209,990 XRP to a newly created address, then rapid fan-out across dozens of wallets and eventually hundreds. He said smaller balances of other assets, including roughly $1,000 in XLM and about $900 in FLR, remained.<\/p>\n\n\n\n<p>He said he filed with the FBI\u2019s Internet Crime Complaint Center and contacted local authorities, but struggled to reach specialized cyber units quickly. He said he does not know precisely how the funds were taken from the hot wallet.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Ellipal\u2019s explanation and the cold-to-hot confusion<\/h3>\n\n\n\n<p>Ellipal said on Oct. 18 that its review indicated the user had imported the hardware wallet\u2019s seed phrase into the Ellipal mobile app, which would recreate the wallet on an internet-connected device.<\/p>\n\n\n\n<p>In an email to the user, Ellipal explained that if a cold wallet\u2019s seed is used on a phone or tablet, the seed and resulting private keys would be stored on that device, effectively making it a hot wallet and greatly reducing security.<\/p>\n\n\n\n<p>Brandon said he had Ellipal\u2019s app on both an iPhone and an iPad. He mentioned that the iPhone app showed a blue background, which Ellipal told him denotes a cold-wallet connection, and the iPad app showed an orange background, which Ellipal told him indicates a hot wallet.<\/p>\n\n\n\n<p>Ellipal emphasized that its hardware devices are air-gapped and said it has not seen thefts originate from the hardware itself. The company\u2019s account points to user error, though it does not by itself prove how the compromise occurred.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Where the funds reportedly went, per ZackXBT&#8217;s investigation<\/h3>\n\n\n\n<p>In an Oct. 19 thread, ZackXBT said he identified the theft address by matching the video\u2019s timing and amounts. He reported that the attacker created more than 120 Ripple-to-Tron orders on Oct. 
12 using Bridgers, a swap service formerly known as SWFT. He noted that some block explorers label those hops as \u201cBinance\u201d because Bridgers uses the exchange for liquidity.<\/p>\n\n\n\n<p>He said the funds consolidated on Tron at a wallet TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw and by Oct. 15 were dispersed to over-the-counter brokers adjacent to Huione, an online marketplace in Southeast Asia that has been cited in recent public actions by U.S. authorities. CoinDesk has not independently reproduced the full tracing or confirmed the ultimate recipients.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Recovery odds and user takeaways<\/h3>\n\n\n\n<p>ZackXBT cautioned that most \u201crecovery\u201d firms are predatory, often producing superficial reports while charging high fees. He said quick reporting to credible investigators and compliant platforms can improve the odds of flags or freezes, but recoveries are rare once funds move through cross-chain swaps and OTC venues.<\/p>\n\n\n\n<p>For users, the core lesson is straightforward: if the goal is cold storage, do not type a hardware wallet\u2019s seed into a mobile or desktop app. Use a distinct seed for any hot wallet and consider a BIP39 passphrase for high-value cold storage.<\/p>\n\n\n\n<p>Brandon said the loss wiped out what he considered the couple\u2019s retirement plan. He said he shared his experience to warn others and to seek guidance, while acknowledging the chances of recovery are low.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is super suspicious. One, you&#8217;ve been in crypto for quite a while and you&#8217;re holding your $3 million in XRP? Per my understanding that was the property of a company handling international settlements and centrally controlled. 
The only cryptocurrency of value is Bitcoin due to the worldwide distribution of mining equipment outside the control [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-13944","post","type-post","status-publish","format-standard","hentry","category-tech","category-world"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/13944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=13944"}],"version-history":[{"count":6,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/13944\/revisions"}],"predecessor-version":[{"id":14124,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/13944\/revisions\/14124"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=13944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=13944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=13944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}