
ZachXBT Tracks $3 Million XRP Theft from Hardware Wallet


On-chain sleuth ZachXBT has traced a theft of $3.05 million worth of

Publishing the findings on October 19, ZachXBT said that a “US-based victim lost $3.05 million (1.2 million

Inside the $3 Million XRP Heist

In one thread, ZachXBT identified the theft address – r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc – by matching dates and amounts from a viral YouTube video. “Although the victim did not directly share the theft address… I found it by looking at the date and amount,” he wrote. He warned that “the victim appears to be inexperienced and does not provide enough details to determine how the Ellipal wallet came to be compromised other than to say it is user error.”

According to his reconstruction, the attacker quickly converted the The funds were consolidated on Tron on October 12 at TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw and on October 15 “they were completely laundered to OTCs adjacent to Huione (illegal online marketplace in SEA),” he wrote. Bridgers bills itself as a “cross-chain swap” platform spanning dozens of networks; DappRadar documentation has also linked Bridgers to SWFT’s AllChain Bridge stack.

The reference to Huione comes in a rapidly changing sanctions environment. On October 14, 2025, the U.S. Treasury Department designated the Huione Group as a “primary money laundering concern,” effectively disconnecting it from the U.S. financial system for facilitating flows linked to Southeast Asian scam and human trafficking networks. The action was coordinated alongside a British sanctions package and parallel US actions against the Prince Group, a Cambodian conglomerate that US authorities labeled a transnational criminal organization.

ZachXBT’s thread placed the Ellipal wallet at the center of user confusion rather than a zero-day exploit of the hardware itself. “One lesson our industry needs to do better is not to cause product confusion when offering both custodial and non-custodial products. The moving assets from an exchange account to a compromised non-custodial wallet.

Ellipal publicly confirmed the confusion between cold and hot wallets. “Our findings confirm that the loss occurred because the user accidentally imported the seed phrase from their cold wallet into a hot wallet, causing the assets to become accessible online,” the company said, highlighting that its “air-gapped cold wallets remain 100% offline and have never been compromised since launch.” Ellipal said it had contacted the user and reiterated basic hygiene: never import cold wallet seeds into app-based wallets and keep recovery phrases and devices offline.

The money laundering arc ZachXBT described – fast cross-chain hop through an aggregator, consolidation on Tron, and distribution to OTC endpoints he characterizes as “Huione-adjacent” – reflects typologies that US authorities have warned about as scam ecosystems professionalize.

In his words: “Huione has directly facilitated the laundering of billions in illicit funds from pig slaughter, investment fraud, human trafficking and hacks/exploits in Southeast Asia in recent years… I hope centralized exchanges and stablecoin issuers implement stricter controls as they are one of the bigger threats impacting the longevity of our space.”

The second theme of the thread is the structural difficulty of recovery. “The researcher.

He also criticized much of the crypto “recovery” cottage industry: “>95% of recovery companies are predatory, charging large sums for basic reports with little actionable insights… Bad companies would have stopped tracking this XRP theft to Binance… when in reality the service was Bridgers or would have failed to identify addresses linked to Huione.”

As for the chances of restitution, the prospects are bleak. “Unfortunately, the likelihood of this victim seeing any recovered funds is quite low due to a delay in reporting the theft to appropriate people within the private sector,” he concluded, urging prompt reporting of theft addresses to maximize the chance of flows freezing at bottlenecks. He also criticized the support at the ecosystem level: “Ripple does not have as good a support system for victims within their community as in Bitcoin, Ethereum, Solana and large EVM chains.”

At the time of writing, XRP was trading at $2.44.

XRP bounces off the 0.382 Fib, 1-day chart | Source: XRPUSDT on TradingView.com
