An American retiree says more than $3 million worth of
CoinDesk has not independently verified the investor’s identity, balances, or complete on-chain journey. The account comes from several YouTube videos posted since October 15, Ellipal’s public statement on October 18, and ZachXBT’s X thread from October 19.
What the victim says happened
The investor, who identified himself as Brandon, said he lives in North Carolina, is 54 years old, and that his wife, who is 60, is also retired. He said the XRP position was almost all of their retirement savings and that they had planned to buy a house in Las Vegas.
He said he had been holding XRP since 2017 and previously had more, but sold some to cover his living expenses. In his YouTube videos, he said he discovered the theft by checking the Ellipal app on Wednesday, October 15, and then determined that the drain occurred the previous Sunday, October 12.
He described two 10-XRP test transactions around 11:15 a.m. ET, followed by a sweep of approximately 1,209,990 XRP to a newly created address, then a rapid distribution to dozens of wallets, and finally hundreds. He said smaller balances of other assets remained, including about $1,000 in XLM and about $900 in FLR.
He said he filed a complaint with the FBI’s Internet Crime Complaint Center and contacted local authorities, but had difficulty quickly reaching specialized cyber units. He said he doesn’t know exactly how the funds were taken from the hot wallet.
Ellipal’s explanation and the cold-to-hot confusion
Ellipal said on Oct. 18 that its review indicated that the user had imported the seed phrase from the hardware wallet into Ellipal’s mobile app, which would recreate the wallet on an internet-connected device.
In an email to the user, Ellipal explained that if a cold wallet seed is used on a phone or tablet, the seed and resulting private keys would be stored on that device, effectively turning it into a hot wallet and greatly reducing security.
Brandon said he had the Ellipal app on both an iPhone and an iPad. He mentioned that the iPhone app displayed a blue background, which Ellipal told him denotes a cold wallet connection, and the iPad app displayed an orange background, which Ellipal told him denotes a hot wallet.
Ellipal emphasized that its hardware devices are air-gapped and said it has not seen thefts originating from the hardware itself. The company’s account points to user error, although on its own it does not prove how the compromise occurred.
Where the funds allegedly went, according to ZachXBT’s research
In a thread from October 19, ZachXBT said he identified the theft address by matching the timing and amounts shown in the video. He reported that the attacker created more than 120 XRP-to-Tron swap orders on October 12 using Bridgers, an exchange service formerly known as SWFT. He noted that some block explorers label such hops as “Binance” because Bridgers uses the exchange for liquidity.
He said the funds were consolidated on Tron in one wallet, TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw, and on October 15 were distributed to over-the-counter brokers adjacent to Huione, an online marketplace in Southeast Asia that has been cited in recent public actions by US authorities. CoinDesk has not independently reproduced the full trace or confirmed the final recipients.
Recovery probabilities and user conclusions
ZachXBT warned that most “recovery” companies are predatory and often produce superficial reports while charging high fees. He said quickly reporting to credible investigators and compliant platforms can improve the odds of alerts or freezes, but recoveries are rare once funds move through cross-chain exchanges and OTC venues.
For users, the main lesson is simple: if cold storage is the goal, never enter a hardware wallet’s seed phrase into a mobile or desktop app. Use a different seed for any active wallet and consider a BIP39 passphrase for high-value cold storage.
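To show why the passphrase advice matters, here is an added example (not code from the article, Ellipal, or ZachXBT) that derives a BIP39 seed the way the standard specifies: PBKDF2-HMAC-SHA512 over the mnemonic with the salt "mnemonic" plus the passphrase. A bare mnemonic imported into a phone app yields a completely different seed from the same mnemonic with a passphrase, so the passphrase-protected cold wallet is not reconstructed by the import. The demo mnemonic is the standard all-zero-entropy test phrase; the code does not validate the mnemonic checksum, which would need the 2048-word list.

```python
import hashlib
import unicodedata

PBKDF2_ROUNDS = 2048  # fixed by BIP39
VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and an optional passphrase.

    Per BIP39, both inputs are NFKD-normalised, the mnemonic is the PBKDF2
    password, and the salt is the literal string "mnemonic" + passphrase.
    """
    words = " ".join(mnemonic.split())  # collapse stray whitespace
    if len(words.split()) not in VALID_WORD_COUNTS:
        raise ValueError("mnemonic must have 12, 15, 18, 21 or 24 words")
    password = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, 64)


def passphrase_isolates_cold_wallet(mnemonic: str, passphrase: str) -> bool:
    """True when the passphrase-protected seed differs from the bare-mnemonic seed.

    This is the property the cold-storage advice relies on: importing the
    mnemonic alone into a hot wallet app does not recreate the passphrase wallet.
    """
    return bip39_seed(mnemonic) != bip39_seed(mnemonic, passphrase)


# Constructed demo input: the standard BIP39 test mnemonic for all-zero entropy.
DEMO_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    print("bare seed      :", bip39_seed(DEMO_MNEMONIC).hex()[:32], "...")
    print("passphrase seed:", bip39_seed(DEMO_MNEMONIC, "TREZOR").hex()[:32], "...")
    print("isolated:", passphrase_isolates_cold_wallet(DEMO_MNEMONIC, "TREZOR"))
```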
Brandon said the loss wiped out what he considered the couple’s retirement plan. He said he shared his experience to warn others and seek guidance, although he acknowledged the chances of recovery are low.