An American retiree says more than $3 million in XRP vanished from his wallet, a loss he discovered on Oct. 15 when he checked Ellipal’s mobile app and saw his balance gone, and one that spurred an on-chain tracing effort by pseudonymous analyst ZachXBT.
CoinDesk has not independently verified the investor’s identity, balances, or the complete on-chain path. The account comes from several YouTube videos posted since Oct. 15, Ellipal’s public statement on Oct. 18, and ZachXBT’s Oct. 19 X thread.
The investor, who identified himself as Brandon, said he lives in North Carolina, is 54, and that his wife, 60, is also retired. He said the XRP position was almost their entire retirement savings and that they had planned to buy a house in Las Vegas.
He said he had been accumulating XRP since 2017 and previously held more but sold some for living expenses. In his YouTube videos, he said he discovered the theft by checking the Ellipal app on Wednesday, Oct. 15, and then determined the drain occurred on the previous Sunday, Oct. 12.
He described two 10-XRP test pulls around 11:15 a.m. Eastern time, followed by a sweep of about 1,209,990 XRP to a newly created address, then rapid fan-out across dozens of wallets and eventually hundreds. He said smaller balances of other assets, including roughly $1,000 in XLM and about $900 in FLR, remained.
He said he filed with the FBI’s Internet Crime Complaint Center and contacted local authorities, but struggled to reach specialized cyber units quickly. He said he does not know precisely how the funds were taken from the hot wallet.
Ellipal said on Oct. 18 that its review indicated the user had imported the hardware wallet’s seed phrase into the Ellipal mobile app, which would recreate the wallet on an internet-connected device.
In an email to the user, Ellipal explained that if a cold wallet’s seed is used on a phone or tablet, the seed and resulting private keys would be stored on that device, effectively making it a hot wallet and greatly reducing security.
Brandon said he had Ellipal’s app on both an iPhone and an iPad. He mentioned that the iPhone app showed a blue background, which Ellipal told him denotes a cold-wallet connection, and the iPad app showed an orange background, which Ellipal told him indicates a hot wallet.
Ellipal emphasized that its hardware devices are air-gapped and said it has not seen thefts originate from the hardware itself. The company’s account points to user error, though it does not by itself prove how the compromise occurred.