54-Year-Old Retiree Loses $3 Million in XRP After Hardware Wallet Seed Phrase Imported into Mobile App

Brandon LaRoque, a 54-year-old retiree from North Carolina, discovered on October 15, 2025, that 1.2 million XRP tokens worth approximately $3 million had vanished from his Ellipal wallet. The theft had actually occurred three days earlier, on October 12 at around 11:15 a.m. Eastern Time.

LaRoque had been accumulating XRP since 2017, and the stolen funds represented nearly his entire retirement savings. He and his 60-year-old wife had planned to use the savings to buy a house in Las Vegas.

How the Theft Occurred

LaRoque believed his funds were safely stored in cold storage using an Ellipal hardware wallet. However, the reality was quite different. He had imported his hardware wallet’s seed phrase into Ellipal’s mobile app, which significantly altered his security setup.

When a hardware wallet seed phrase is entered into a mobile or desktop app, the private keys become stored on that internet-connected device. This effectively converts the wallet from cold storage to a hot wallet, making it vulnerable to cyberattacks.

According to Ellipal’s statement released on October 18, importing a seed phrase into their mobile app results in private keys being stored on the device. The company confirmed that their air-gapped hardware devices themselves have not been compromised. LaRoque had the Ellipal app installed on both his iPhone and iPad, where the iPhone app showed a blue background (indicating a cold wallet connection), but the iPad app displayed an orange background, signaling a hot wallet setup.

Details of the Theft

The attacker first made two test transactions of 10 XRP each before sweeping the remaining 1,209,990 XRP to a newly created address.

Tracing the Stolen Funds

Blockchain investigator ZachXBT tracked the stolen XRP through its complex movement. The attacker performed more than 120 Ripple-to-Tron bridge transactions using a service called Bridgers (formerly SWFT). The funds were consolidated on the Tron blockchain at a specific wallet address.

Within three days, the assets moved to over-the-counter (OTC) brokers linked to Huione, a Southeast Asian payments network recently sanctioned by the U.S. Treasury for laundering over $15 billion from scams, human trafficking, and cybercrime.

Some blockchain explorers labeled parts of the transaction as “Binance” because Bridgers uses Binance for liquidity. The use of cross-chain swaps and OTC venues across jurisdictions makes disrupting the laundering pipeline extremely difficult, even when blockchain trails remain public.

Reporting and Challenges

LaRoque filed a report with the FBI’s Internet Crime Complaint Center and contacted local authorities. However, he struggled to gain quick access to specialized cyber crime units.

The Predatory Crypto Recovery Industry

ZachXBT warned that more than 95% of crypto recovery firms operate as predatory businesses. These companies often charge exorbitant fees for basic reports that offer little chance of fund recovery. They frequently use search engine optimization and social media to target victims but typically provide only superficial blockchain analyses or advise clients to contact exchanges directly.

The investigator emphasized that swift reporting to credible investigators and compliant platforms can improve the chance of freezing stolen funds. Nonetheless, actual recoveries remain rare once assets pass through cross-chain swaps and OTC brokers.

Warnings and Lessons Learned

LaRoque noted smaller balances of other cryptocurrencies remained in his wallet, including roughly $1,000 in Stellar Lumens (XLM) and about $900 in Flare (FLR). He has shared his experience through several YouTube videos since October 15, aiming to warn others about such risks and seek guidance, though he acknowledges the low likelihood of recovering his stolen funds.

For users seeking true cold storage security, the takeaway is clear: never type your hardware wallet seed phrase into any mobile or desktop app. Instead, use separate seed phrases for hot wallets and consider adding a BIP39 passphrase for high-value cold storage wallets.

https://coincentral.com/how-one-retiree-lost-his-entire-3-million-xrp-retirement-savings/