A U.S. investor has lost $3.05 million in XRP (about 1.2 million XRP) after the Ellipal wallet holding the funds was compromised.
The stolen assets were moved through Bridgers, a cross-chain bridge service, and later laundered via OTC channels connected to Huione, a Southeast Asian platform recently sanctioned by the U.S. government for large-scale fraud and money laundering operations.
The case, first detailed by blockchain investigator @ZachXBT, sheds light on one of the biggest XRP thefts of 2025, and how quickly digital assets can disappear once they leave a victim’s control.
“The victim didn’t share the address, but I found it by reviewing the date and amount,” ZachXBT explained on X.
1/ A video went viral on YT this week after a US based victim lost $3.05M (1.2M XRP) from their Ellipal wallet.
Here’s the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts. pic.twitter.com/Gyw0OWjts4
— ZachXBT (@zachxbt) October 19, 2025
How the Theft Happened
The stolen funds originated from address r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc, the wallet tied to the victim’s compromised Ellipal.
While full details are unclear, ZachXBT noted that the victim seemed inexperienced, and evidence suggests user error led to the breach rather than a hardware exploit.
On October 12, 2025, the attacker initiated 120+ Ripple-to-Tron swaps via Bridgers, previously known as SWFT.
On blockchain explorers, these transactions appeared as plain Binance transfers because Bridgers routes its liquidity through Binance. That detail can easily mislead recovery attempts: anyone who stops tracing at the Binance label never sees the bridge, or the Tron side where the funds actually went.
By that same day, all funds were consolidated into a single Tron wallet: TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw.
Within three days, by October 15, the stolen XRP had been fully laundered through over-the-counter (OTC) brokers linked to Huione.
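The two tracing steps described above, locating the source account from only a date and an amount, and then recognising the burst of bridge deposits that explorers label as an exchange, can be reproduced on XRPL-style Payment records. The block below is an added illustration for this article; it is not ZachXBT’s tooling and has nothing to do with Ellipal or Bridgers. Only the victim address is taken from the article. Every other address, transaction hash, DestinationTag and timestamp is a constructed placeholder, the ledger is built inline rather than fetched from a node, and the assumption that each swap deposit carries its own DestinationTag is ours, not something the article states about Bridgers.

```python
"""
Reconstructing the theft timeline from XRPL-style Payment records.

Added example for this article; not ZachXBT's tooling and not code from
Ellipal or Bridgers. Only VICTIM is from the article. Every other address,
hash, tag and timestamp below is a constructed placeholder.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

DROPS_PER_XRP = 1_000_000  # XRPL amounts are integer drops

VICTIM = "r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc"  # from the article
BRIDGE_DEPOSIT = "rBridgeDepositPlaceholder"     # constructed; shown as "Binance" by explorers
UNRELATED = "rUnrelatedAccountPlaceholder"       # constructed noise account
EXPLORER_LABELS = {BRIDGE_DEPOSIT: "Binance"}    # constructed: what an explorer would display
THEFT_DAY = date(2025, 10, 12)                   # date from the article


def build_sample_ledger():
    """Constructed ledger: 120 swaps of 10,000 XRP each (1.2M XRP in total) from
    VICTIM to one deposit address on THEFT_DAY, plus unrelated traffic. The
    assumption that every swap gets its own DestinationTag is ours."""
    t0 = datetime(2025, 10, 12, 9, 0)
    txs = [
        {"Account": VICTIM, "Destination": BRIDGE_DEPOSIT,
         "DestinationTag": 500_000 + i, "Amount": 10_000 * DROPS_PER_XRP,
         "date": t0 + timedelta(minutes=3 * i), "hash": f"CONSTRUCTED{i:04d}"}
        for i in range(120)
    ]
    # Noise: another account using the same deposit address the same day,
    # and an older, small payment from the victim a week earlier.
    txs.append({"Account": UNRELATED, "Destination": BRIDGE_DEPOSIT,
                "DestinationTag": 777, "Amount": 250 * DROPS_PER_XRP,
                "date": t0 + timedelta(hours=2), "hash": "CONSTRUCTEDNOISE"})
    txs.append({"Account": VICTIM, "Destination": UNRELATED,
                "DestinationTag": None, "Amount": 50 * DROPS_PER_XRP,
                "date": datetime(2025, 10, 5, 12, 0), "hash": "CONSTRUCTEDOLD"})
    return txs


def candidate_sources(txs, day, total_xrp, tolerance_xrp=1.0):
    """The step the article quotes: with only a date and an amount, return the
    accounts whose total outflow on `day` matches the stolen amount."""
    outflow = defaultdict(int)
    for tx in txs:
        if tx["date"].date() == day:
            outflow[tx["Account"]] += tx["Amount"]
    target = total_xrp * DROPS_PER_XRP
    tol = tolerance_xrp * DROPS_PER_XRP
    return sorted(a for a, drops in outflow.items() if abs(drops - target) <= tol)


def swap_burst(txs, account, day, min_count=20, max_span=timedelta(hours=24)):
    """Group `account`'s outflows on `day` by destination. Dozens of payments to
    one address, each with a distinct DestinationTag, inside a short window is
    a deposit-to-service pattern (bridge or exchange), not a transfer to a person."""
    by_dest = defaultdict(list)
    for tx in txs:
        if tx["Account"] == account and tx["date"].date() == day:
            by_dest[tx["Destination"]].append(tx)
    report = {}
    for dest, group in by_dest.items():
        times = sorted(tx["date"] for tx in group)
        span = times[-1] - times[0]
        report[dest] = {
            "count": len(group),
            "total_xrp": sum(tx["Amount"] for tx in group) // DROPS_PER_XRP,
            "distinct_tags": len({tx["DestinationTag"] for tx in group}),
            "span": span,
            "burst": len(group) >= min_count and span <= max_span,
            "explorer_label": EXPLORER_LABELS.get(dest, "unlabelled"),
        }
    return report


def next_tracing_step(report):
    """A burst into an exchange-labelled address is the case the article warns
    about: the label may belong to a bridge's liquidity route, so tracing has to
    continue on the destination chain instead of stopping at 'contact support'."""
    return [
        f"{dest}: {r['count']} deposits labelled {r['explorer_label']}; check whether a "
        "swap/bridge service routes through this address and follow the outbound leg"
        for dest, r in report.items()
        if r["burst"] and r["explorer_label"] != "unlabelled"
    ]


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for src in candidate_sources(ledger, THEFT_DAY, 1_200_000):
        rep = swap_burst(ledger, src, THEFT_DAY)
        for dest, r in rep.items():
            print(src, "->", dest, r)
        for step in next_tracing_step(rep):
            print("next:", step)
```

On a real ledger the records would come from an XRPL node’s `account_tx` response and the noise would be far larger, but the two filters are the same: match total outflow on the known date against the known amount, then refuse to treat a burst of tagged deposits into an exchange-labelled address as the end of the trail.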
Huione’s Growing Shadow in Southeast Asia
Huione, an OTC network operating in Southeast Asia, has become a recurring name in crypto laundering investigations.
The platform has reportedly facilitated billions of dollars in illicit fund movements, tied to pig-butchering scams, human trafficking, investment fraud, and exploit laundering operations across the region.
Just last week, U.S. regulators imposed additional sanctions on Huione and entities linked to the $15 billion Prince Group seizure.
This latest XRP case adds to a growing list of thefts traced to Huione-affiliated brokers, reinforcing calls for stricter centralized exchange and stablecoin controls.
“CEXs and stablecoin issuers must implement tighter screening. They’ve become one of the biggest threats to crypto’s longevity,” ZachXBT wrote.
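The “tighter screening” in that quote means, in practice, checking an inbound deposit for upstream exposure to flagged addresses before crediting it. The block below is an added illustration for this article of one way to do that; it is not Binance’s, any stablecoin issuer’s, or ZachXBT’s screening logic. The transfer graph and the flagged set are constructed placeholders (no real OTC, Huione-linked or exchange address appears), and the proportional “haircut” taint model is one of several standard approaches, chosen here for simplicity.

```python
"""
Upstream exposure screening for an inbound deposit.

Added example for this article; not the screening logic of any exchange or
issuer. EDGES and FLAGGED are constructed placeholders, not real addresses.
"""
from collections import defaultdict, deque

# Constructed transfer edges on one chain: (sender, receiver, amount).
EDGES = [
    ("theft_consolidation", "otc_desk_A", 600_000),  # otc_desk_A is on the flagged list
    ("otc_desk_A", "mule_1", 300_000),
    ("otc_desk_A", "mule_2", 300_000),
    ("clean_payroll", "mule_2", 100_000),             # mule_2 also receives clean funds
    ("mule_1", "cex_deposit_X", 300_000),
    ("mule_2", "cex_deposit_X", 400_000),
    ("clean_payroll", "cex_deposit_Y", 50_000),
]
# Stand-in for a sanctions/attribution list (e.g. addresses tied to a sanctioned OTC network).
FLAGGED = {"otc_desk_A"}


def build_incoming(edges):
    """Index edges by receiver so the screen can walk backwards from a deposit."""
    incoming = defaultdict(list)
    for src, dst, amt in edges:
        incoming[dst].append((src, amt))
    return incoming


def hops_to_flagged(incoming, addr, flagged, max_hops=3):
    """Shortest upstream distance from `addr` to a flagged address, or None if
    nothing flagged sits within `max_hops`. 1 = direct deposit, 2+ = layered."""
    seen, queue = {addr}, deque([(addr, 0)])
    while queue:
        cur, d = queue.popleft()
        if cur in flagged:
            return d
        if d == max_hops:
            continue
        for src, _ in incoming.get(cur, []):
            if src not in seen:
                seen.add(src)
                queue.append((src, d + 1))
    return None


def taint_share(incoming, addr, flagged, _memo=None, _stack=None):
    """Proportional ('haircut') taint: the fraction of value reaching `addr`
    that traces back to a flagged address, weighting each inflow by its share
    of total inflow. Flagged addresses are fully tainted; addresses with no
    recorded inflow are treated as clean sources; cycles are cut."""
    memo = {} if _memo is None else _memo
    stack = set() if _stack is None else _stack
    if addr in flagged:
        return 1.0
    if addr in memo:
        return memo[addr]
    inflows = incoming.get(addr, [])
    total = sum(a for _, a in inflows)
    if total == 0 or addr in stack:
        return 0.0
    stack.add(addr)
    share = sum(a * taint_share(incoming, s, flagged, memo, stack) for s, a in inflows) / total
    stack.discard(addr)
    memo[addr] = share
    return share


def screen_deposit(edges, deposit_addr, flagged, block_threshold=0.25, max_hops=3):
    """Combine a bounded hop distance with a value-weighted taint share into a
    verdict: hold when the tainted share is material, review when a flagged
    address is merely reachable, clear otherwise."""
    incoming = build_incoming(edges)
    hops = hops_to_flagged(incoming, deposit_addr, flagged, max_hops)
    share = taint_share(incoming, deposit_addr, flagged)
    if share >= block_threshold:
        verdict = "hold"
    elif hops is not None:
        verdict = "review"
    else:
        verdict = "clear"
    return {"hops": hops, "taint_share": round(share, 4), "verdict": verdict}


if __name__ == "__main__":
    for dep in ("cex_deposit_X", "cex_deposit_Y"):
        print(dep, screen_deposit(EDGES, dep, FLAGGED))
```

The two measures disagree on purpose: `cex_deposit_X` is two hops from the flagged desk but roughly 86% of its value traces back to it, while a single small payment from a clean payroll account scores zero on both. A deposit that is one hop away but carries a tiny tainted fraction lands in “review”, not “hold”, which is the distinction a compliance team needs in order to avoid freezing every customer who ever touched a busy address.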
Cold Wallet or Hot Wallet? The Victim’s Costly Confusion
One of the biggest takeaways from this incident is product confusion, a recurring issue in retail crypto.
The victim reportedly believed they were using a cold wallet (keys held fully offline) when in fact it was a hot wallet with keys on an internet-connected device.
That misunderstanding gave the attacker a clear opening.
Similar cases are seen frequently with Coinbase impersonation scams, where victims move assets from their Coinbase Exchange account to a fake Coinbase Wallet controlled by attackers, all through convincing social engineering.
ZachXBT emphasized that many users don’t understand the difference between custodial and non-custodial products, leading to these high-value losses.
Law Enforcement Response: Slow and Understaffed
In a later video, the victim said they struggled to reach U.S. law enforcement, despite the theft totaling over $3 million.
Unfortunately, that’s not unusual. Only a few law enforcement officers are trained to handle crypto-related cases, and most agencies are overloaded with reports.
ZachXBT noted that jurisdictions like the U.S., Netherlands, Singapore, and France tend to have better-trained cybercrime units, though recovery outcomes depend heavily on which investigator handles the case.
In many other regions, crypto recovery remains unreliable, and the civil route is expensive, often costing more than the potential recovery itself.
The Recovery Industry Problem
Another major issue exposed by the case is the rise of predatory recovery firms.
According to ZachXBT, over 95% of these companies offer little value. Many charge huge fees for basic blockchain reports that contain no actionable insights.
“Most of these firms just optimize SEO to prey on desperate victims,” he said.
These firms often stop tracing at the first centralized exchange (like Binance) and tell victims to “contact support,” completely missing the actual bridge or laundering path, such as Bridgers in this case.
By contrast, legitimate blockchain investigators dig deeper, identifying off-chain intermediaries, Huione-connected OTCs, and other laundering channels that generic firms overlook.
However, even with expert tracing, real recovery remains difficult. There’s no “magic button” to reverse onchain theft.
External variables, from jurisdictional barriers to off-chain cash outs, make fund retrieval an uphill battle.
This $3M XRP hack underscores several key lessons for the crypto community:
1. Hardware ≠ Security if used incorrectly.
A wallet is only cold while its keys stay offline; once the keys live in an internet-connected app, it is a hot wallet no matter what the product is called.
2. Bridges remain critical attack and laundering points.
Bridgers (formerly SWFT) played a central role in concealing the stolen funds’ flow.
3. Huione’s OTC network continues to evade sanctions enforcement.
Despite recent restrictions, funds keep cycling through its ecosystem.
4. Victims must act fast.
The longer the delay before reporting, the lower the odds of freezing assets or flagging bad addresses.
5. Recovery firms should be vetted carefully.
The Harsh Reality for Victims
For the XRP holder in this case, recovery chances are slim.
The tracing delay, lack of rapid reporting, and the cross-border nature of the laundering make it unlikely that any portion of the $3M will be retrieved.
ZachXBT recommends that victims immediately report theft addresses to reputable analysts and blockchain monitoring teams as soon as they detect suspicious activity.
Quick alerts make it easier to flag transactions and identify laundering routes before assets vanish into opaque OTC systems like Huione.
Ripple, he added, still lags behind Bitcoin, Ethereum, and Solana communities in terms of victim support and response infrastructure.
“I always try to reply to verified thefts over $250K,” he said, “but it’s tough when 30+ cases come in daily.”
This case highlights a painful truth about onchain theft: once funds are gone, speed and precision are everything.
The rise of cross-chain bridges, pseudonymous OTC networks, and weak global enforcement has made asset recovery nearly impossible once laundering begins.
ZachXBT’s investigation provides a rare, transparent look into how easily millions can move through legitimate-looking liquidity networks before disappearing into black markets.
It’s a wake-up call for users, regulators, and the entire crypto ecosystem: secure your wallets, verify your tools, and never assume a hardware wallet means full protection.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.