North Carolina couple’s life savings wiped out in massive XRP theft

A retired American named Brandon Laroque from North Carolina said more than $3 million worth of XRP disappeared from his Ellipal mobile app after he checked his balance on October 15 and found nothing left.

The 54-year-old Brandon said this was his and his 60-year-old wife’s entire life savings, and they were planning to buy a house in Las Vegas. That dream collapsed overnight. Brandon said he had been building his XRP position since 2017, slowly selling pieces off to cover living costs.

“That was everything we had,” he said. “I’m speaking up because maybe someone out there can learn from what happened to us.” He admitted he doesn’t expect the funds to be recovered, but hopes the story will remind people to keep their cold wallets truly offline.

What remained was everything they had left for retirement. Brandon explained in a YouTube video released on Saturday that the theft likely happened on Sunday, October 12. Two small 10-XRP test transactions appeared around 11:15 a.m. Eastern time, followed by a full sweep of about 1,209,990 XRP to a new address.

From there, the funds were broken apart and moved across dozens of wallets in minutes, then hundreds more as the hours passed. His smaller holdings, about $1,000 in XLM and $900 in FLR, were untouched.

After realizing the funds were gone, he filed a report with the FBI’s Internet Crime Complaint Center and contacted local police, but he said it was hard to reach specialized cybercrime investigators quickly. “I don’t know exactly how they got in,” Brandon said. “All I know is everything was there one day and gone the next.”

Ellipal blames cold-to-hot wallet confusion

Ellipal released a public statement on October 18 claiming its internal review showed that Brandon had entered his hardware wallet seed phrase into the Ellipal mobile app, turning what was supposed to be cold storage into a hot wallet.

In an email to him, the company explained that when a seed phrase is imported into a phone or tablet, the device stores the private keys, connecting it to the internet and destroying the safety layer that makes a cold wallet secure.

Brandon said he had the Ellipal app installed on both an iPhone and an iPad. The iPhone app had a blue background, which Ellipal told him represented a cold wallet. The iPad version showed an orange background, which meant it was hot.

Ellipal said that color difference mattered, emphasizing that their hardware devices are air-gapped, meaning they never connect to Wi-Fi, Bluetooth, or USB. The company said no thefts had ever come from its physical wallets and insisted the incident looked like user error. Still, the company admitted it couldn’t prove how the theft technically happened.

Brandon said he simply followed the app’s interface. “If the blue means cold and orange means hot, why wasn’t that made clearer?” he said in one of his YouTube videos. Ellipal hasn’t confirmed whether the color indicators failed or were misunderstood, but maintained that entering a seed phrase into an app immediately removes all protection.

ZachXBT traces stolen XRP across Tron and OTC brokers

On Sunday, on-chain sleuth ZachXBT posted a detailed thread on X (formerly Twitter) sharing how he identified the theft address by matching the transaction times and values shown in Brandon’s videos.

In his post, Zach said the attacker used Bridgers, the swap service previously called SWFT, to create more than 120 Ripple-to-Tron conversions on October 12. Some block explorers labeled the transactions as “Binance” because Bridgers routes its liquidity through the exchange.

According to Zach’s X thread, the stolen XRP was eventually consolidated on the Tron network in a wallet labeled TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw, before being sent to multiple over-the-counter brokers tied to Huione, a Southeast Asian marketplace flagged in U.S. enforcement actions for handling illicit transfers.

Three days later, the funds had been reportedly scattered across countless addresses, making recovery practically impossible.

ZachXBT warned people to stay away from “crypto recovery” services, calling them scams that charge big fees for fake investigations. He said only fast reporting to legitimate investigators and compliant exchanges can sometimes help flag or freeze stolen funds.

“Once it’s bridged across chains and hits OTC desks, there’s almost no way back,” said Zach.

Join Bybit now and claim a $50 bonus in minutes