On October 19, 2025 at approximately 17:57 UTC, XRP investor Brandon LaRoque reported the unauthorized transfer of over 1.2 million XRP, valued at roughly $3 million, from his Ellipal hardware wallet after importing his seed phrase into the Ellipal mobile application. This action, which circumvented the device’s air-gapped security, effectively transformed the wallet into an internet-connected hot wallet. The investor discovered the loss when accessing the Ellipal app on October 15 and determined that the theft occurred on October 12, based on on-chain timestamps and transaction records.
According to LaRoque's account, two small test transfers of 10 XRP each were executed around 11:15 a.m. ET on October 12, followed by a bulk transfer of 1,209,990 XRP. The attacker then distributed the stolen funds across dozens of intermediate addresses before consolidating them on the Tron network. From there, the funds were routed to over-the-counter trading venues adjacent to Huione, a Southeast Asia-based marketplace cited in recent U.S. enforcement actions. Blockchain investigator ZachXBT identified these movements by correlating the transaction amounts and timings with the investor's published video logs and Ellipal's public statement released on October 18.
Ellipal responded to the incident on October 18, explaining that importing a hardware wallet seed into the mobile app stores the private keys on the device, negating the air-gap protection. The company asserted that its hardware units remain secure but cautioned that user actions can compromise overall security. LaRoque, a 54-year-old retiree from North Carolina, said the loss represented his and his wife’s retirement savings, erasing plans to purchase a home. He reported the incident to the FBI’s Internet Crime Complaint Center and local law enforcement, though specialized cyber crime units have yet to engage.
ZachXBT warned against engaging recovery firms, noting that many operate predatory models with high fees and low success rates. He advised prompt reporting to exchanges and authorities to increase the chances of a token freeze, but acknowledged the low likelihood of full recovery once funds cross chains and enter OTC markets. The case underscores three practical rules: keep the seed of a cold wallet separate from any seed used in a hot wallet, protect high-value holdings with an additional BIP39 passphrase so that the mnemonic alone cannot reconstruct the keys, and never import a cold-wallet seed into software running on an internet-connected device.
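The two technical points above, that a seed phrase deterministically yields every private key (so whatever holds the mnemonic holds the funds) and that a BIP39 passphrase produces an entirely different key tree, can be shown directly with the standard derivation. The following is an added example written for this page, not code from Ellipal or from the article: it implements the BIP39 seed step (PBKDF2-HMAC-SHA512) and the BIP32 master and hardened child steps, walking only the hardened prefix m/44'/144'/0' (144 is the SLIP-0044 coin type for XRP). Stopping at the hardened prefix is a deliberate assumption to avoid secp256k1 point arithmetic; producing the final XRP address would still need the non-hardened children and the public key. The mnemonic used is the public BIP39 test vector, not anyone's real wallet.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order: hardened child keys are computed modulo this (BIP32).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Public BIP39 test-vector mnemonic (constructed input, not a real wallet).
DEMO_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 64-byte seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048 rounds).

    The passphrase is part of the salt, so a different passphrase gives an
    unrelated seed: the mnemonic alone does not identify the wallet."""
    pwd = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pwd, salt, 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple[int, bytes]:
    """BIP32 master node: I = HMAC-SHA512(key=b"Bitcoin seed", data=seed).
    Left 32 bytes are the master private key, right 32 bytes the chain code."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key (astronomically unlikely)")
    return k, i[32:]


def bip32_hardened_child(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """BIP32 CKDpriv for a hardened index: only the parent private key and
    chain code are needed, so no elliptic-curve point math is required."""
    data = b"\x00" + k_par.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    k_child = (il + k_par) % SECP256K1_N
    if il >= SECP256K1_N or k_child == 0:
        raise ValueError("invalid child key (astronomically unlikely)")
    return k_child, i[32:]


def xrp_account_key(mnemonic: str, passphrase: str = "") -> int:
    """Derive the private key at the hardened BIP44 prefix m/44'/144'/0'
    (assumption: the wallet follows BIP44 with SLIP-0044 coin type 144 for XRP).
    Everything here is a pure function of (mnemonic, passphrase): any app that
    receives the mnemonic can compute it, which is why importing a cold seed
    into a phone app turns it into a hot wallet."""
    k, c = bip32_master(bip39_seed(mnemonic, passphrase))
    for idx in (44, 144, 0):
        k, c = bip32_hardened_child(k, c, idx)
    return k


def passphrase_demo(mnemonic: str = DEMO_MNEMONIC) -> dict:
    """Show that the same 12 words with and without a passphrase yield
    different seeds and different account keys."""
    bare = xrp_account_key(mnemonic)
    with_pass = xrp_account_key(mnemonic, "correct horse battery staple")  # constructed passphrase
    return {
        "seed_no_passphrase": bip39_seed(mnemonic).hex(),
        "seed_trezor_vector": bip39_seed(mnemonic, "TREZOR").hex(),
        "key_no_passphrase": hex(bare),
        "key_with_passphrase": hex(with_pass),
        "keys_differ": bare != with_pass,
    }


if __name__ == "__main__":
    for name, value in passphrase_demo().items():
        print(f"{name}: {value}")
```

The practical reading: a thief who obtains the 12 or 24 words from a compromised phone gets the left-hand column of the demo for free, but if the cold wallet was set up with a passphrase that never touched the phone, those words lead to a different, empty key tree. The passphrase must be backed up separately from the mnemonic, since losing it is as final as losing the words.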