TLDR
- Brandon LaRoque, 54, lost $3 million in XRP after entering his Ellipal hardware wallet seed phrase into the mobile app
- The October 12 theft drained 1.2 million XRP tokens that represented the couple’s retirement savings accumulated since 2017
- Importing seed phrases into mobile apps converts cold wallets to hot wallets by storing private keys on internet-connected devices
- ZachXBT traced stolen funds through 120 bridge transactions to Tron, then to OTC desks linked to Huione, a sanctioned payments network
- Most crypto recovery firms charge high fees for basic services with minimal success rates
A North Carolina retiree discovered his entire cryptocurrency retirement fund had disappeared when he checked his wallet balance on October 15. Brandon LaRoque’s 1.2 million XRP tokens, valued at approximately $3 million, had been stolen three days earlier.
LaRoque and his 60-year-old wife had spent eight years building their XRP position. They planned to use the funds to purchase a home in Las Vegas. The theft wiped out nearly everything they had saved.
The attack began on October 12 around 11:15 a.m. Eastern time. The hacker executed two small 10 XRP test transactions before sweeping the remaining 1,209,990 XRP to a new address. Small amounts of other cryptocurrencies, including $1,000 in XLM and $900 in FLR, were left untouched.
LaRoque believed his funds were protected in cold storage using an Ellipal hardware wallet. He had imported his hardware wallet seed phrase into Ellipal’s mobile app, which compromised his security without his knowledge.
How Seed Phrases Compromise Cold Storage
Ellipal released a statement on October 18 explaining what went wrong. When users type a hardware wallet seed phrase into a mobile or desktop application, the private keys are saved on that device. This transforms the wallet from secure cold storage into a vulnerable hot wallet.
The company maintains that its air-gapped hardware devices remain secure. No thefts have originated from the hardware wallets themselves. The breach resulted from the seed phrase being entered into an internet-connected device.
LaRoque had installed the Ellipal app on both an iPhone and iPad. His iPhone displayed a blue background indicating cold wallet status, while his iPad showed an orange background signaling hot wallet mode. The confusion between these two setups may have contributed to the security lapse.
Tracking the Stolen Cryptocurrency
Blockchain investigator ZachXBT traced the stolen XRP through its conversion process. The attacker created over 120 Ripple-to-Tron bridge transactions using Bridgers, a swap service previously called SWFT. The transactions consolidated on the Tron blockchain within hours.
By October 15, the funds had moved to over-the-counter brokers associated with Huione. The U.S. Treasury sanctioned this Southeast Asian payments network for processing more than $15 billion in illicit transactions from scams, human trafficking, and cybercrime.
LaRoque filed reports with the FBI’s Internet Crime Complaint Center and local law enforcement. He encountered difficulties reaching specialized cybercrime units quickly enough to freeze the assets.
Recovery Prospects and Industry Warnings
ZachXBT issued a warning about cryptocurrency recovery services. Over 95% of recovery companies operate as predatory businesses that charge substantial fees for superficial blockchain reports. These firms typically provide little actionable information beyond suggesting victims contact exchanges directly.
Many recovery operations use search engine optimization and social media advertising to target desperate victims. They exploit the urgency of the situation while offering minimal real assistance.
The investigator noted that rapid reporting to legitimate investigators and regulated platforms offers the best chance for asset freezes. However, recovery becomes nearly impossible once funds pass through multiple cross-chain swaps and OTC venues.
LaRoque shared his experience through YouTube videos to warn other cryptocurrency holders. He acknowledged that recovering his funds is unlikely but hopes his story prevents similar losses.
Security experts recommend never entering hardware wallet seed phrases into mobile or desktop applications. Users should maintain separate seeds for hot wallets and consider using BIP39 passphrases for high-value cold storage protection.
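To make the two points above concrete, here is the standard BIP39 and BIP32 derivation written out in Python as an added example (not Ellipal's code and not anything from the article): the words, plus any passphrase, fully determine the master private key, so whichever device the words are typed into holds the keys, and a different passphrase unlocks an unrelated wallet from the same words. The mnemonic is the public all-zero BIP39 test vector, not a real wallet.

```python
import hashlib
import hmac
import unicodedata

# Constructed example: the all-zero-entropy BIP39 test vector
# ("abandon" x11 + "about"). Not a phrase from the article.
MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 mnemonic + optional passphrase -> 64-byte binary seed.

    PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
    The passphrase is part of the key material: a different passphrase
    gives an unrelated seed, so the words alone do not locate the funds.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048
    )


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master private key and chain code from the binary seed.

    HMAC-SHA512 keyed with the literal "Bitcoin seed" (used by BIP32
    wallets for every coin, XRP included). Everything below this node is
    derived deterministically, so any app that stores the mnemonic
    effectively stores every account key.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def master_keys_for(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each candidate passphrase to the hex master key it unlocks."""
    return {
        p: bip32_master_key(bip39_seed(mnemonic, p))[0].hex()
        for p in passphrases
    }


if __name__ == "__main__":
    # Same words, two passphrases, two unrelated master keys.
    for passphrase, key in master_keys_for(MNEMONIC, ["", "TREZOR"]).items():
        print(f"passphrase={passphrase!r:10} master_key={key}")
```

Run it and the empty-passphrase and "TREZOR" rows print different keys, which is the property a BIP39 passphrase adds for cold storage; the "TREZOR" seed matches the published BIP39 test vector.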