XRP investor claims $3 million stolen from cold wallet

A 54-year-old retiree from North Carolina reported the theft of over 1.2 million XRP tokens, worth more than $3 million, from what he believed was a secure cold wallet. The incident, discovered on October 15, 2025, involved an Ellipal hardware wallet and was traced by on-chain analyst ZachXBT. Ellipal attributed the breach to user error in importing a seed phrase into a mobile app.

Brandon LaRoque, a long-time XRP holder since 2017, discovered the theft on October 15, 2025, while checking the Ellipal mobile app. The drain had occurred three days earlier, on October 12, starting with two small 10-XRP test transactions around 11:15 a.m. Eastern time, followed by a transfer of approximately 1,209,990 XRP to a new address. The funds then spread across dozens of wallets and eventually hundreds, while smaller holdings of about $1,000 in XLM and $900 in FLR remained untouched.

LaRoque, who is retired along with his 60-year-old wife, described the XRP as nearly their entire retirement savings, intended for purchasing a house in Las Vegas. He filed complaints with the FBI’s Internet Crime Complaint Center and local authorities in North Carolina but faced delays in reaching cyber units. In YouTube videos posted since October 15, he expressed uncertainty about the exact method of compromise.

Ellipal, the cold wallet manufacturer, responded on October 18, stating that LaRoque had imported the hardware wallet’s seed phrase into the mobile app, which stores private keys on the internet-connected device, effectively turning it into a hot wallet. LaRoque noted that his iPhone app displayed a blue background, indicating a cold-wallet connection per Ellipal’s cues, while his iPad showed an orange hot-wallet view. The company emphasized that its air-gapped hardware devices have not been the source of any thefts.

On-chain investigator ZachXBT detailed the flow in an October 19 thread, identifying over 120 Ripple-to-Tron swaps via the Bridgers service on October 12. The funds consolidated on Tron at address TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw and by October 15 reached over-the-counter brokers linked to Huione, a Southeast Asian marketplace flagged by U.S. authorities. ZachXBT warned that recovery is unlikely once funds pass through cross-chain swaps and OTC venues, advising against predatory recovery firms.

LaRoque shared his story to warn others, stressing the importance of avoiding seed imports into apps for cold storage. He acknowledged low recovery chances but hoped for guidance.
