Hard lessons
When North Carolina retiree Brandon LaRoque opened his wallet app on October 15, he expected to see his nest egg. Instead, three million US dollars’ worth of XRP was gone.
The loss wasn’t from a hardware hack or a rogue firmware update. It was a small, easy-to-miss action: typing a cold wallet’s seed phrase into a mobile app.
The setup
Brandon had been stacking XRP since 2017 – his and his wife’s retirement fund, earmarked for a future Las Vegas home. He used an Ellipal hardware wallet, a brand marketed as air-gapped – meaning it never connects to the internet directly.
But alongside his hardware, Brandon also had the Ellipal mobile app installed on both his iPhone and iPad. The app is designed to view balances and sign transactions offline using QR codes – but it can also import a wallet if you type in the 12- or 24-word recovery seed. That’s where things went wrong.
The moment things went sideways
At some point before October 12, Brandon entered his seed phrase into the app – believing it would simply link to his existing cold wallet.
Ellipal later confirmed that doing this recreates the wallet on the device itself. The private keys are then stored on that phone or tablet – turning it into a hot wallet.
On Ellipal’s interface, a blue background indicates a cold, air-gapped connection; orange means hot, online storage. Brandon’s iPhone showed blue. His iPad showed orange.
That colour difference was the silent alarm.
The theft
On October 12, thieves began moving his funds: two small test transactions, then a sweep of roughly 1.2 million XRP (about US $3 million) to a fresh address. Within hours, the coins fanned out across hundreds of wallets.
Blockchain analyst ZachXBT traced the trail: XRP → Tron bridge → OTC brokers linked to a Southeast Asian marketplace called Huione. Once assets cross chains and hit over-the-counter desks, recovery odds fall close to zero.
"The likelihood of this victim seeing any funds recovered is rather low due to a delay in reporting the theft to competent people within the private sector. I recommend victims try to report theft addresses to people as soon as possible as otherwise it can be difficult to detect that a theft even took place."
ZachXBT, On-chain Sleuth and Advisor at Paradigm.
What Ellipal said
Ellipal emphasised its hardware devices weren’t compromised. The company’s review pointed to user error – importing a cold wallet seed into an online environment. In other words: the hardware did its job; the setup didn’t.
Security Check
- Cold storage: Your recovery seed and private keys never touch the internet.
- Hot wallet: Keys live on an internet-connected device – fast, but exposed.
- Never mix the two: A cold wallet seed should never be typed into an app or desktop wallet.
- Pro tip: If you need a viewing wallet, use a watch-only setup or create a separate hot-wallet seed.
The Final Buzz
Brandon’s story isn’t about blame – it’s about the thin line between “cold” and “hot” in the crypto world. A single seed import can undo years of good habits.
The best defence?
Keep your cold wallet seed offline, add a BIP-39 passphrase for higher-value holdings, and regularly test your recovery process on an air-gapped device.
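How the BIP-39 passphrase mentioned above changes the wallet that a set of recovery words produces, as an added example that is not part of the original article. It follows the BIP-39 seed derivation (PBKDF2-HMAC-SHA512, 2048 rounds) and the BIP-32 master-key step; the mnemonic is the public BIP-39 test-vector phrase, and the passphrase and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test-vector mnemonic (constructed sample input, holds no funds).
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: seed = PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048)."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


def bip32_master(seed: bytes) -> tuple:
    """BIP-32: split HMAC-SHA512("Bitcoin seed", seed) into (key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def words_alone_reach_wallet(mnemonic: str, real_passphrase: str) -> bool:
    """True if the recovery words without the passphrase give the same master key."""
    exposed_key, _ = bip32_master(bip39_seed(mnemonic))  # words only
    real_key, _ = bip32_master(bip39_seed(mnemonic, real_passphrase))
    return hmac.compare_digest(exposed_key, real_key)


if __name__ == "__main__":
    # Hypothetical passphrase, used only to show the derived keys diverge.
    for label, pw in [("no passphrase", ""),
                      ("with passphrase", "constructed-sample-passphrase")]:
        key, _ = bip32_master(bip39_seed(TEST_MNEMONIC, pw))
        print(f"{label:16} master key starts {key[:8].hex()}  words alone "
              f"sufficient: {words_alone_reach_wallet(TEST_MNEMONIC, pw)}")
```

The passphrase is part of the key material and is not encoded in the words, so it has to be backed up as carefully as the seed phrase itself.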
One small check today could save your entire stack tomorrow.
Stay safe. Stay smart. Be Crypto Safe.