A U.S. retiree from North Carolina lost $3 million worth of XRP cryptocurrency in a high-profile hack that exposed vulnerabilities in self-custodied digital wallets, raising concerns about crypto security and the difficulty of recovering stolen funds. The victim, Brandon LaRoque, discovered unauthorized transactions in his Ellipal wallet on October 15, 2025, after hackers had initiated the theft a few days earlier, on October 12. The stolen amount, approximately 1.2 million XRP tokens, was traced by blockchain investigator ZachXBT to laundering activity involving cross-chain swaps and over-the-counter (OTC) exchanges linked to the illicit Huione marketplace, complicating asset recovery prospects.
Incident Details and Timeline
Brandon LaRoque, a 54-year-old retired individual who had accumulated XRP since 2017, trusted a wallet he believed to be an offline, secure “cold storage” solution. However, it was actually a hot wallet connected to a mobile app, which left it exposed. The breach involved hackers placing more than 120 swap orders to convert stolen XRP to TRX (Tron) tokens via the Bridgers aggregator, a cross-chain protocol. After consolidation on the Tron blockchain, the funds were laundered through OTC brokers affiliated with Huione, a notorious illegal crypto marketplace. The theft began with small test transfers of 10 XRP each, escalating rapidly to a massive transfer of approximately 1.2 million XRP to a newly created wallet address, which was then subdivided into hundreds of additional wallets to obscure the trail.
LaRoque was unaware of the compromise until he checked his wallet several days after the attack, only to find his balance wiped out. The stolen funds’ swift movement through numerous wallets and across blockchain networks has made tracking and recovering the assets exceedingly difficult. Besides XRP, smaller amounts of other tokens like Stellar Lumens (XLM) and Flare (FLR) were reportedly left untouched.
User Error and Security Lessons
Experts and blockchain forensic analysts concluded that the root cause was user error. LaRoque mistakenly entered his wallet seed phrase or access credentials into an internet-connected application, turning what he thought was cold storage into a vulnerable hot wallet. This error allowed hackers to remotely access and drain the assets. Ellipal, the wallet provider, acknowledged that the exposure resulted from user actions and cautioned the crypto community about the risks of self-custody without a full understanding of wallet types.
ZachXBT, a respected on-chain investigator who traced the transactions, highlighted the broader crypto theft trends. He stressed that many victims lack swift access to law enforcement specialized in crypto crimes, reducing recovery chances. He also pointed out that the Ripple community and crypto ecosystem overall lack robust victim support or asset recovery infrastructure, creating an environment ripe for exploitation.
Law Enforcement and Industry Response
Following the incident, LaRoque filed a report with the FBI’s Internet Crime Complaint Center (IC3) and local law enforcement agencies. However, he encountered difficulties finding investigators with cryptocurrency expertise, a common problem in emerging digital asset fraud cases. The investigative and regulatory community is still adapting to the technical complexities of blockchain-based crimes.
This high-value theft comes amid growing concerns about crypto security in the United States and worldwide. Following the revelation of the $1.5 billion ByBit hack earlier in 2025, which involved sophisticated state-level actors, the U.S. government is reportedly developing stricter oversight models and enhanced enforcement frameworks to combat crypto crime and safeguard investors’ funds.
Meanwhile, the crypto industry urges users to improve self-custody practices by better understanding wallet types and employing stronger security measures, such as hardware wallets with verified cold storage functionality, multi-signature configurations, and verifying transactions on the cold wallet itself.
The Role of Crypto Laundering Networks
The stolen XRP’s laundering involved OTC exchanges tied to Huione, a platform recognized for facilitating large-scale illicit crypto trades. These OTC venues provide pseudo-anonymous off-chain services allowing fraudsters to convert stolen digital assets into fiat or other cryptocurrencies through layered transactions, frustrating tracing and enforcement efforts. Bridgers, used for cross-chain conversions, further complicated tracking by dispersing the tokens from the Ripple network to the Tron network, illustrating the fluidity cybercriminals exploit between blockchain ecosystems.
Industry experts have criticized many “crypto recovery” services targeting victims post-theft as mostly scams, underscoring the limited options available once funds enter such laundering pathways. Blockchain analytics firms continue developing sophisticated tracing tools, but the efficacy remains dependent on cooperation from exchanges, wallets, and regulatory frameworks.
Broader Impact and Advice for Crypto Users
This incident is a sobering reminder of the risks inherent in cryptocurrency ownership without professional-grade security safeguards. For individuals holding significant crypto assets:
- Confirm wallet type: Distinguish between true cold storage (disconnected hardware wallets) and software wallets linked to internet-connected devices.
- Safeguard seed phrases: Never input wallet seeds into apps or online platforms unless absolutely certain of security.
- Use multi-factor authentication and multi-signature wallets where possible.
- Monitor balances regularly for unauthorized activity.
- Report theft promptly to authorities and use reputable blockchain tracing services.
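As an added illustration of the "monitor balances regularly" advice, and not code from the article or from any party named in it, the following Python heuristic flags the outflow sequence described in the incident: a few 10 XRP test transfers to an untrusted address, followed within hours by one payment moving most of the balance to a never-before-seen address. The payment records, addresses and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Payment:
    ts: datetime
    dest: str
    amount_xrp: float

# Thresholds mirror the incident: 10 XRP test transfers, then one payment
# moving most of the balance within days.  Tune against your own history.
PROBE_MAX_XRP = 10.0
DRAIN_FRACTION = 0.5
WINDOW = timedelta(hours=72)

def detect_probe_then_drain(payments, starting_balance, trusted_dests=()):
    """Replay outgoing payments and return one alert per suspected drain.

    A drain is a payment moving >= DRAIN_FRACTION of the running balance.
    Each alert records how many small payments to untrusted addresses
    preceded it inside WINDOW and whether its destination was never paid
    before; both distinguish a compromise from a self-initiated transfer.
    Network fees are ignored.
    """
    trusted, seen, probes, alerts = set(trusted_dests), set(trusted_dests), [], []
    balance = float(starting_balance)
    for p in sorted(payments, key=lambda x: x.ts):
        probes = [q for q in probes if p.ts - q.ts <= WINDOW]  # expire old probes
        if p.amount_xrp <= PROBE_MAX_XRP and p.dest not in trusted:
            probes.append(p)
        elif balance > 0 and p.amount_xrp >= DRAIN_FRACTION * balance:
            alerts.append({
                "ts": p.ts, "dest": p.dest, "amount_xrp": p.amount_xrp,
                "probe_count": len(probes), "new_destination": p.dest not in seen,
            })
        seen.add(p.dest)
        balance -= p.amount_xrp
    return alerts

# Constructed sample history; addresses are placeholders, not real accounts.
EXCHANGE, PROBE_ADDR, SINK_ADDR = "rEXCHANGE_PLACEHOLDER", "rPROBE_PLACEHOLDER", "rSINK_PLACEHOLDER"
SAMPLE_PAYMENTS = [
    Payment(datetime(2025, 9, 20, 14, 0), EXCHANGE, 500.0),          # routine, trusted
    Payment(datetime(2025, 10, 12, 3, 1), PROBE_ADDR, 10.0),         # attacker test transfer
    Payment(datetime(2025, 10, 12, 3, 4), PROBE_ADDR, 10.0),         # attacker test transfer
    Payment(datetime(2025, 10, 12, 3, 20), SINK_ADDR, 1_200_000.0),  # the drain
]

if __name__ == "__main__":
    for alert in detect_probe_then_drain(SAMPLE_PAYMENTS, 1_200_550.0, {EXCHANGE}):
        print(alert)
```

A single alert with two preceding probes and a fresh destination is the signature worth paging on; a lone large payment to a trusted exchange address yields no probes and a known destination, and can be treated as lower priority.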
The $3 million XRP theft suffered by a U.S. retiree underscores both the perils and complexities of managing self-custodied cryptocurrency. While the technological advancements enabling decentralized finance offer vast opportunities, they equally demand high user awareness and cybersecurity discipline. Enhanced regulatory oversight and industry initiatives remain critical to protect investors from increasingly clever cybercriminal schemes exploiting weaknesses in wallet management and asset laundering networks.