{"id":53705,"date":"2025-10-20T06:01:37","date_gmt":"2025-10-20T06:01:37","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=53705"},"modified":"2025-10-20T06:01:37","modified_gmt":"2025-10-20T06:01:37","slug":"zachxbt-exposes-3-million-xrp-heist-after-hardware-wallet-breach","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=53705","title":{"rendered":"ZachXBT Exposes $3 Million XRP Heist After Hardware Wallet Breach"},"content":{"rendered":"<div>\n<p>On-chain sleuth ZachXBT has traced a $3.05 million theft of XRP from a US retail user to a laundering route that ran through Bridgers\u2014an aggregator formerly associated with SWFT\u2014and into over-the-counter venues linked to Huione, the Cambodian financial network that the US government moved last week to cut off from the American financial system.<\/p>\n<p>Publishing the <a href=\"https:\/\/x.com\/zachxbt\/status\/1979899767212699910\" target=\"_blank\" rel=\"noopener nofollow\">findings<\/a> on October 19, ZachXBT said a \u201cUS based victim lost $3.05M (1.2M XRP) from their Ellipal wallet,\u201d adding: \u201cHere\u2019s the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts.\u201d<\/p>\n<h2>Inside The $3 Million XRP Robbery<\/h2>\n<p>In a thread, <a href=\"https:\/\/bitcoinist.com\/ripple-is-infinitely-worse-than-tether-says-zachxbt\/\" target=\"_blank\" rel=\"noopener \">ZachXBT<\/a> identified the theft address\u2014r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc\u2014by matching dates and amounts from a viral YouTube video. \u201cAlthough the victim did not directly share the theft address\u2026 I found it by reviewing the date and amount,\u201d he wrote. 
He cautioned that \u201cthe victim seems inexperienced and does not provide enough details to determine how the Ellipal wallet became compromised besides it being user error.\u201d<\/p>\n<p>According to his reconstruction, the attacker rapidly converted the XRP across chains: \u201cThe attacker created 120+ Ripple -&gt; Tron orders via Bridgers on Oct 12, 2025. On block explorers the transactions show as Binance since Bridgers (formerly SWFT) uses them for liquidity.\u201d The funds were consolidated on Tron at TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw on October 12 and, by October 15, \u201cwere completely laundered away to OTCs adjacent to <a href=\"https:\/\/bitcoinist.com\/fincen-block-huione-us-north-korea-crypto-crimes\/\" target=\"_blank\" rel=\"noopener \">Huione<\/a> (illicit online marketplace in SEA),\u201d he wrote. Bridgers bills itself as a \u201ccross-chain swap\u201d platform spanning dozens of networks; DappRadar documentation has also linked Bridgers to SWFT\u2019s AllChain Bridge stack.<\/p>\n<p>The reference to Huione lands squarely in a fast-moving sanctions environment. On October 14, 2025, the US Treasury designated the Huione Group as a \u201cprimary money laundering concern,\u201d effectively severing it from the US financial system for facilitating flows tied to Southeast Asian scam and trafficking networks; the action was coordinated alongside a UK sanctions package and parallel US actions targeting the Prince Group, a Cambodian conglomerate labeled by US authorities as a transnational criminal organization.<\/p>\n<p>ZachXBT\u2019s thread placed the Ellipal wallet at the center of user confusion rather than a zero-day exploit of the hardware itself. \u201cOne lesson our industry needs to do better with is not causing confusion with products when you offer both custodial and non-custodial products. 
The XRP victim thought they were using the Ellipal cold wallet product when it was a hot wallet,\u201d he wrote, drawing a parallel to \u201clarge Coinbase support impersonation thefts\u201d where victims move assets from an exchange account to a compromised non-custodial wallet after social engineering.<\/p>\n<p>Ellipal publicly corroborated the cold-to-hot wallet mix-up. \u201cOur findings confirm that the loss occurred because the user mistakenly imported their cold wallet\u2019s seed phrase into a hot wallet, which made the assets accessible online,\u201d the company stated, stressing that its \u201cair-gapped cold wallets remain 100% offline and have never been compromised since launch.\u201d Ellipal said it had contacted the user and reiterated basic hygiene: never import cold-wallet seeds into app-based wallets, and keep recovery phrases and devices offline.<\/p>\n<p>The laundering arc ZachXBT described\u2014fast cross-chain hops via an aggregator, consolidation on Tron, and distribution to OTC endpoints he characterizes as \u201cadjacent to Huione\u201d\u2014mirrors typologies that US authorities have warned about as scam ecosystems professionalize.<\/p>\n<p>In his words: \u201cHuione has directly facilitated laundering billions in illicit funds over the past couple years from pig butchering scams, investment scams, human trafficking and hacks\/exploits in <a href=\"https:\/\/bitcoinist.com\/southeast-asias-2nd-biggest-bank-joins-jpmorgan-blockchain-network\/\" target=\"_blank\" rel=\"noopener \">Southeast Asia<\/a>\u2026 I hope centralized exchanges and stablecoin issuers implement stricter controls as they are one of the bigger threats impacting the longevity of our space.\u201d<\/p>\n<p>The thread\u2019s second theme is the structural difficulty of recovery. 
\u201cThe XRP victim mentioned\u2026 how they could not quickly get in touch with US law enforcement for a $3M theft,\u201d he wrote, adding that there are \u201cfew LE qualified to handle such cases and endless victim reports so naturally incidents are overlooked,\u201d though he cited the US, Netherlands, Singapore and <a href=\"https:\/\/bitcoinist.com\/binance-expands-footprint-in-south-korea\/\" target=\"_blank\" rel=\"noopener \">France<\/a> as comparatively better venues\u2014contingent on the assigned investigator.<\/p>\n<p>He also criticized much of the crypto \u201crecovery\u201d cottage industry: \u201c&gt;95% of recovery companies are predatory and charge large amounts for basic reports with few actionable insights\u2026 Bad firms would have stopped tracing this XRP theft at Binance\u2026 when in reality the service was Bridgers or would have failed to identify addresses linked to Huione.\u201d<\/p>\n<p>As for the odds of restitution, the outlook is grim. \u201cUnfortunately the likelihood of this victim seeing any funds recovered is rather low due to a delay in reporting the theft to competent people within the private sector,\u201d he concluded, urging rapid reporting of theft addresses to maximize the chance of freezing flows at chokepoints. 
He also faulted ecosystem-level support: \u201cRipple does not have as good of a support system for victims within their community as there is in Bitcoin, Ethereum, Solana, and major EVM chains.\u201d<\/p>\n<p>At press time, XRP traded at $2.44.<\/p>\n<p><img data-recalc-dims=\"1\" fetchpriority=\"high\" decoding=\"async\" class=\"size-full wp-image-609633\" src=\"https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/10\/XRPUSDT_2025-10-20_07-19-30.png?resize=1024%2C473\" alt=\"XRP price\" width=\"1024\" height=\"473\" srcset=\"https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/10\/XRPUSDT_2025-10-20_07-19-30.png?w=3628 3628w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/10\/XRPUSDT_2025-10-20_07-19-30.png?w=640 640w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/10\/XRPUSDT_2025-10-20_07-19-30.png?w=768 768w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/10\/XRPUSDT_2025-10-20_07-19-30.png?w=980 980w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/10\/XRPUSDT_2025-10-20_07-19-30.png?w=1536 1536w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/10\/XRPUSDT_2025-10-20_07-19-30.png?w=2048 2048w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/10\/XRPUSDT_2025-10-20_07-19-30.png?w=750 750w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/10\/XRPUSDT_2025-10-20_07-19-30.png?w=1140 1140w, https:\/\/bitcoinist.com\/wp-content\/uploads\/2025\/10\/XRPUSDT_2025-10-20_07-19-30.png?w=3000 3000w\" sizes=\"(max-width: 1000px) 100vw, 1000px\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>On-chain sleuth ZachXBT has traced a $3.05 million theft of XRP from a US retail user to a laundering route that ran through Bridgers\u2014an aggregator formerly associated with SWFT\u2014and into over-the-counter venues linked to Huione, the Cambodian financial network that the US government moved last week to cut off from the American financial system. 
Publishing [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-53705","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/53705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=53705"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/53705\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=53705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=53705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=53705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}