Retiree Says $3M in XRP Stolen After Ellipal Cold Wallet Hack

By José Oramas October 21, 2025 In Hackers, XRP
  • An American retiree lost his US$3 million in XRP savings after his funds were swept on October 12, representing nearly all of his and his wife’s retirement money.
  • The victim used Ellipal’s mobile app; the company suggested user error as the hardware wallet is “air-gapped” but could not identify the compromise path.
  • On-chain sleuth ZachXBT traced the stolen XRP as it was swapped to Tron, consolidated, and then dispersed to over-the-counter brokers connected to Huione, a Southeast Asian marketplace.

An American retiree, who identifies as Brandon, says his US$3 million (AU$4.65 million) savings in XRP vanished after he opened Ellipal’s mobile app on Oct. 15.

Brandon, 54, from North Carolina, said the XRP stack represented almost all retirement savings for him and his wife, 60, and was earmarked for a Las Vegas home. He said he had accumulated XRP since 2017 and had sold portions for living costs.

The story is a bit dense but let’s go ahead and unpack it.


Over $3 Million in Savings Gone

As mentioned, Brandon only noticed on Oct. 15 that his entire savings were gone, but the drain itself occurred on Oct. 12. On-chain records show two 10-XRP test pulls around 11:15 a.m. ET, followed by a sweep of about 1,209,990 XRP to a newly created address and a rapid scatter across dozens (then hundreds) of wallets.
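The sequence above (small test pulls to an unfamiliar address, then one payment that empties the account) is a recognisable drain signature, and it is the kind of thing a wallet monitor can alert on within minutes rather than days. The following script is an added example, not code from Ellipal, ZachXBT or the article; it runs a simple heuristic over a constructed list of outgoing payments modelled on the amounts reported above. All addresses in it are placeholders, and the thresholds (test-pull size, sweep fraction, time window) are assumptions a practitioner would tune to their own account.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Payment:
    """One outgoing payment from the monitored account."""
    ts: datetime   # time the transaction was validated
    amount: float  # XRP leaving the account
    dest: str      # destination address (placeholder values below)


def detect_test_then_sweep(payments, balance_before, *, test_max=50.0,
                           sweep_frac=0.9, window=timedelta(hours=2),
                           known_dests=frozenset()):
    """Flag the drain pattern described in the article: one or more small
    "test pulls" within `window` before a single payment that moves at
    least `sweep_frac` of the starting balance, where at least one of the
    test pulls went to an address the account had never paid before.

    Returns a list of alert dicts; an empty list means nothing matched."""
    alerts = []
    seen = set(known_dests)          # destinations we already trust
    history = []                     # (ts, amount, dest, was_new_destination)
    for p in sorted(payments, key=lambda p: p.ts):
        is_new = p.dest not in seen
        seen.add(p.dest)
        if p.amount >= sweep_frac * balance_before:
            # look back over the window for small payments preceding the sweep
            tests = [h for h in history
                     if h[0] >= p.ts - window and h[1] <= test_max]
            if tests and any(h[3] for h in tests):
                alerts.append({
                    "sweep_ts": p.ts,
                    "sweep_amount": p.amount,
                    "sweep_dest": p.dest,
                    "swept_fraction": round(p.amount / balance_before, 4),
                    "test_pulls": len(tests),
                    "first_test_ts": tests[0][0],
                })
        history.append((p.ts, p.amount, p.dest, is_new))
    return alerts


# Constructed sample modelled on the article's figures: two 10-XRP test pulls
# around 11:15 a.m., then a ~1.21M XRP sweep to a fresh address.
SAMPLE_BALANCE = 1_210_010.0
SAMPLE_PAYMENTS = [
    Payment(datetime(2025, 10, 12, 11, 15), 10.0, "rTESTPULL_placeholder"),
    Payment(datetime(2025, 10, 12, 11, 16), 10.0, "rTESTPULL_placeholder"),
    Payment(datetime(2025, 10, 12, 11, 40), 1_209_990.0, "rSWEEP_placeholder"),
]

# Constructed benign sample: a routine sale to a known exchange deposit
# address plus a small gift to a new address, with no sweep afterwards.
BENIGN_BALANCE = 50_000.0
BENIGN_KNOWN = frozenset({"rEXCHANGE_deposit_placeholder"})
BENIGN_PAYMENTS = [
    Payment(datetime(2025, 10, 1, 9, 0), 5_000.0, "rEXCHANGE_deposit_placeholder"),
    Payment(datetime(2025, 10, 1, 9, 30), 20.0, "rFRIEND_placeholder"),
]


def run_sample():
    return detect_test_then_sweep(SAMPLE_PAYMENTS, SAMPLE_BALANCE)


def run_benign_sample():
    return detect_test_then_sweep(BENIGN_PAYMENTS, BENIGN_BALANCE,
                                  known_dests=BENIGN_KNOWN)


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
    print("benign alerts:", run_benign_sample())
```

The heuristic deliberately requires both halves of the pattern; a large transfer with no preceding probes is a legitimate wallet migration often enough that it belongs under a separate balance-threshold alert rather than this one. In practice the payment list would be fed from an XRPL account-transaction stream and the alert wired to a channel the owner actually watches, which is the gap ZachXBT's closing comment points at.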

Smaller balances of other assets remained, including roughly US$1,000 (AU$1,550) in XLM and about US$900 (AU$1,395) in FLR. He said he filed with the FBI’s Internet Crime Complaint Center and contacted local authorities.

Where does Ellipal come in? Brandon had Ellipal’s app on both an iPhone and an iPad, and stated that the iPhone screen showed a blue background. Ellipal reached out and told him that blue denotes a cold-wallet connection, but Brandon said the iPad screen showed orange.

So, Ellipal told him orange indicates a hot wallet, and emphasised the wallet’s hardware devices are air-gapped and said it has not seen thefts originate from the hardware itself. The company’s version points to user error but does not establish the compromise path.

Enter ZachXBT 

The incident led on-chain sleuth ZachXBT to trace the funds. In his report on Oct. 19, the analyst said he identified the theft address by matching the timestamps and amounts shown in the video.

He reported the attacker executed more than 120 XRP-to-Tron swaps on Oct. 12 using Bridgers, a service formerly known as SWFT. He noted some block explorers label those hops as “Binance” because Bridgers sources exchange liquidity.


ZachXBT said the funds consolidated on Tron at GF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw, then by Oct. 15 dispersed to over-the-counter brokers connected to Huione, an online marketplace in Southeast Asia cited in recent US actions.

Not much to do, unfortunately, as ZachXBT concluded:

The likelihood of this victim seeing any funds recovered is rather low due to a delay in reporting the theft to competent people within the private sector. I recommend victims try to report theft addresses to people as soon as possible as otherwise it can be difficult to detect that a theft even took place.

ZachXBT, On-chain Sleuth and Advisor at Paradigm.

