A crypto user in the U.S. has reportedly lost $3.05 million worth of XRP (approximately 1.2 million coins) after his Ellipal wallet was broken into. The theft became public when a YouTube video about it went viral.
ZachXBT, a blockchain expert, examined the transaction logs and traced the stolen funds, revealing how they were moved and to whom they were sent.
Transaction Trail and Wallet Activity
ZachXBT located the wallet involved in the theft by matching the transaction amount and date shown in the video. The XRP was taken from the address r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc. According to his findings, the victim did not publicly share the theft address, which made tracking more difficult.
On October 12, the attacker used a service called Bridgers, formerly SWFT, to convert the stolen XRP to Tron (TRX). More than 120 swaps were made. These swaps showed up as Binance transactions due to Bridgers relying on Binance for liquidity. After the swaps, the TRX was sent to the address TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw. By October 15, all the funds had been transferred again and were no longer traceable through public platforms.
Final Destination Linked to Known Laundering Network
The funds were moved through OTC desks believed to be connected to Huione, an online platform in Southeast Asia. Huione has been linked to various illegal activities, including scams, fraud, and forced labor.
Last week, U.S. authorities added new restrictions targeting Huione, following action against the Prince Group, which involved over $15 billion. ZachXBT commented that Huione has played a role in moving large volumes of stolen funds across borders. This case, he said, fits a pattern that has become more common in the past few years.
Wallet Confusion and User Mistakes
One reason the theft occurred appears to be confusion over the type of wallet being used. The victim believed their Ellipal product was a cold wallet. It was, in fact, a hot wallet. This detail became clear after the theft had taken place.
ZachXBT noted that this kind of mistake is common. People often do not understand the difference between exchange wallets and separate custodial apps. As an example, he mentioned that some users think Coinbase Wallet is the same as the Coinbase exchange. These misunderstandings leave users open to scams and social engineering attacks.
Delay in Reporting Reduces Recovery Chances
The victim said in a follow-up video that they were not able to report the theft to law enforcement quickly. ZachXBT explained that this delay made the chances of recovering funds much lower.
“There’s few LE qualified to handle such cases and endless victim reports so naturally incidents are overlooked,” he wrote.
Some jurisdictions, such as the United States, Netherlands, Singapore, and France, have better systems in place for dealing with such crimes, though outcomes still depend on who is assigned to the case. In many other countries, response times and support are less reliable.
Recovery Firms Often Fail Victims
ZachXBT warned that most companies offering crypto recovery services do not deliver useful results. Many charge large fees for basic work that leads nowhere.
“Predatory firms will pursue cases when recovery does not seem viable just to bill desperate victims,” he said.
These firms may stop tracing funds at the first exchange listed in a transaction and recommend actions that are no longer useful.
He added that only a few firms are worth hiring, and even then, people should not expect their funds to be returned. Recovery depends on timing, cooperation from exchanges, and many factors outside anyone’s control.
Funds Unlikely to Be Recovered
Based on the timeline and the lack of early action, ZachXBT said that recovery is unlikely in this case. The funds were quickly swapped, moved across chains, and filtered through OTC platforms linked to networks already flagged by authorities.
He advised victims to report thefts quickly to people who can help trace the movement of funds before they are fully laundered.
“I recommend victims try to report theft addresses to people as soon as possible as otherwise it can be difficult to detect that a theft even took place,” he said.
The case also draws attention to the limited support systems in some blockchain communities. ZachXBT noted that Ripple does not have as strong a network for helping theft victims as Bitcoin, Ethereum, or Solana do.