A chilling episode has struck the crypto community: a U.S. investor believed his XRP holdings were safely locked away in a cold wallet, only to wake up and discover that nearly 1.2 million XRP (worth around $3 million) had vanished. The twist? The “cold wallet” he trusted may, in fact, have been operating as a hot wallet. Here’s what happened, and the crucial warning that followed.
📌 What happened?
The investor, identified in coverage as Brandon LaRoque, a retiree from North Carolina, said he discovered the loss on Oct 15 after checking his wallet. The theft itself is traced to Oct 12.
Two small 10 XRP withdrawals appeared first (apparently test transfers), followed by a sweeping transfer of ~1.2 million XRP to a new wallet, then a rapid fan-out to dozens, and then hundreds, of addresses.
The victim said he had been accumulating XRP since 2017 and that the sum represented his and his wife’s entire retirement savings; they had planned to buy a house in Las Vegas.
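The sequence described above (a couple of tiny withdrawals to an unfamiliar address, then a sweep of almost the whole balance) is a pattern a self-custody user can alert on from their own account's outgoing payments. The following is an added illustration, not code from the original report or from any wallet vendor; the transaction records, balances and `r…PLACEHOLDER` addresses are constructed, and the thresholds (a "test" payment is at most 50 XRP, a "sweep" moves at least half the remaining balance within 24 hours) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed address book: destinations the owner has used before.
KNOWN_DESTS = {"rKnownExchangeAddrPLACEHOLDER"}


@dataclass(frozen=True)
class Tx:
    ts: datetime    # time the outgoing payment was validated
    amount: float   # XRP leaving the monitored account
    dest: str       # destination address (placeholder strings below)


def flag_test_then_sweep(txs, balance, known_dests=KNOWN_DESTS,
                         test_max=50.0, sweep_frac=0.5,
                         window=timedelta(hours=24)):
    """Return alerts for large outgoing payments to unknown destinations.

    Each alert records the sweep amount and destination, how many small
    "test" payments to unknown destinations preceded it within `window`,
    and whether any of those probes went to the same destination.
    `balance` is the account balance before the first transaction in `txs`.
    """
    alerts = []
    small_probes = []   # (ts, dest) of small payments to unknown destinations
    remaining = balance
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.dest not in known_dests:
            if tx.amount <= test_max:
                small_probes.append((tx.ts, tx.dest))
            elif tx.amount >= sweep_frac * remaining:
                probes = [d for (t, d) in small_probes if tx.ts - t <= window]
                alerts.append({
                    "dest": tx.dest,
                    "amount": tx.amount,
                    "probes_before": len(probes),
                    "same_dest_probe": tx.dest in probes,
                })
        remaining -= tx.amount
    return alerts


# Constructed sample mirroring the described sequence: two 10 XRP probes,
# then a sweep of 1.2 million XRP, all to one previously unseen address.
T0 = datetime(2024, 1, 1, 3, 0)   # constructed timestamp, not the real date
SAMPLE_TXS = [
    Tx(T0, 10.0, "rNewAttackerAddrPLACEHOLDER"),
    Tx(T0 + timedelta(minutes=4), 10.0, "rNewAttackerAddrPLACEHOLDER"),
    Tx(T0 + timedelta(minutes=11), 1_200_000.0, "rNewAttackerAddrPLACEHOLDER"),
]

# Constructed benign activity: a routine payment to a known exchange address.
BENIGN_TXS = [Tx(T0, 500.0, "rKnownExchangeAddrPLACEHOLDER")]


def demo():
    """Run the detector over the constructed theft sequence."""
    return flag_test_then_sweep(SAMPLE_TXS, balance=1_200_020.0)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

A monitor like this cannot stop a sweep that is already signed with a seed the attacker holds, but it turns a loss that was noticed three days later into an alert within minutes, which is what makes an early report to exchanges and law enforcement possible.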
🧩 The surprising cause: Cold turned hot
The hardware wallet maker Ellipal (which markets an air-gapped cold wallet device) stated its review found the seed phrase was imported into the Ellipal mobile app, which meant the device effectively became a hot wallet (connected to the internet) rather than true offline cold storage.
Notably, the app uses different background colours to signal the mode: a blue background indicates cold-wallet mode, while an orange background indicates hot-wallet mode. The victim said his iPad showed orange (hot) even though he believed he was using a cold wallet.
Ellipal emphasised that their hardware device remains air-gapped with no WiFi, Bluetooth or USB, and said they have not seen thefts from the physical devices themselves. Importing the seed into a mobile app, however, removed the offline protection.
🔍 Where did the funds go?
Blockchain investigator ZachXBT traced the funds: the attacker used a bridging service (formerly SWFT, now called Bridgers) to convert XRP → Tron via ~120 bridge transactions, consolidated on Tron at address TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw, then sent to OTC brokers tied to the platform Huione (recently sanctioned by the U.S. Treasury for illicit transfers).
The rapid cross-chain and OTC movement makes recovery very difficult: once funds reach such networks, tracing and freezing them become complicated.
⚠️ Key Takeaways & Warning
“Cold wallet” does not always mean offline: The core misstep here was importing the cold-wallet seed into the app, which removed the air-gapped protection and exposed the holdings to online attack.
If you hold significant crypto for long-term storage:
Use distinct wallets for hot and cold storage (do not repurpose the same seed for both).
Ensure the cold wallet seed remains only on the hardware device, never imported into mobile/desktop apps.
Watch for wallet UI cues (in this case, app colour background) and understand them.
Be cautious about “crypto recovery” firms: The incident also highlights a secondary risk. Many firms offering recovery services charge large fees and deliver little; the same blockchain investigator warns that more than 95% of such recovery firms may be exploitative.
Act quickly if you’re hacked: Filing with credible law-enforcement or regulators early and contacting compliant exchanges might improve chances, but success is far from guaranteed.
📝 Final word
This case is a sobering reminder: even when you think you’re doing everything right, a small misunderstanding (a seed import, app confusion, a missed UI cue) can lead to catastrophic losses. For the XRP community and self-custody users at large, the message is clear: review your wallet workflows, verify how your assets are actually stored, and don’t assume “cold wallet” automatically means offline.