On-chain sleuth ZachXBT has traced a $3.05 million theft of XRP from a US retail user to a laundering route that ran through Bridgersâan aggregator formerly associated with SWFTâand into over-the-counter venues linked to Huione, the Cambodian financial network that the US government moved last week to cut off from the American financial system.
Publishing the findings on October 19, ZachXBT said a âUS based victim lost $3.05M (1.2M XRP) from their Ellipal wallet,â adding: âHereâs the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts.â
Inside The $3 Million XRP Robbery
In a thread, ZachXBT identified the theft addressâr3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzcâby matching dates and amounts from a viral YouTube video. âAlthough the victim did not directly share the theft address⊠I found it by reviewing the date and amount,â he wrote. He cautioned that âthe victim seems inexperienced and does not provide enough details to determine how the Ellipal wallet became compromised besides it being user error.â
According to his reconstruction, the attacker rapidly converted the XRP across chains: âThe attacker created 120+ Ripple -> Tron orders via Bridgers on Oct 12, 2025. On block explorers the transactions show as Binance since Bridgers (formerly SWFT) uses them for liquidity.â The funds were consolidated on Tron at TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw on October 12 and, by October 15, âwere completely laundered away to OTCs adjacent to Huione (illicit online marketplace in SEA),â he wrote. Bridgers bills itself as a âcross-chain swapâ platform spanning dozens of networks; DappRadar documentation has also linked Bridgers to SWFTâs AllChain Bridge stack.
The reference to Huione lands squarely in a fast-moving sanctions environment. On October 14, 2025, the US Treasury designated the Huione Group as a âprimary money laundering concern,â effectively severing it from the US financial system for facilitating flows tied to Southeast Asian scam and trafficking networks; the action was coordinated alongside a UK sanctions package and parallel US actions targeting the Prince Group, a Cambodian conglomerate labeled by US authorities as a transnational criminal organization.
ZachXBTâs thread placed the Ellipal wallet at the center of user confusion rather than a zero-day exploit of the hardware itself. âOne lesson our industry needs to do better with is not causing confusion with products when you offer both custodial and non-custodial products. The XRP victim thought they were using the Ellipal cold wallet product when it was a hot wallet,â he wrote, drawing a parallel to âlarge Coinbase support impersonation theftsâ where victims move assets from an exchange account to a compromised non-custodial wallet after social-engineering.
Ellipal publicly corroborated the cold-to-hot wallet mix-up. âOur findings confirm that the loss occurred because the user mistakenly imported their cold walletâs seed phrase into a hot wallet, which made the assets accessible online,â the company stated, stressing that its âair-gapped cold wallets remain 100% offline and have never been compromised since launch.â Ellipal said it had contacted the user and reiterated basic hygiene: never import cold-wallet seeds into app-based wallets, and keep recovery phrases and devices offline.
The laundering arc ZachXBT describedâfast cross-chain hops via an aggregator, consolidation on Tron, and distribution to OTC endpoints he characterizes as âadjacent to Huioneââmirrors typologies that US authorities have warned about as scam ecosystems professionalize.
In his words: âHuione has directly facilitated laundering billions in illicit funds over the past couple years from pig butchering scams, investment scams, human trafficking and hacks/exploits in Southeast Asia⊠I hope centralized exchanges and stablecoin issuers implement stricter controls as they are one of the bigger threats impacting the longevity of our space.â
The threadâs second theme is the structural difficulty of recovery. âThe XRP victim mentioned⊠how they could not quickly get in touch with US law enforcement for a $3M theft,â he wrote, adding that there are âfew LE qualified to handle such cases and endless victim reports so naturally incidents are overlooked,â though he cited the US, Netherlands, Singapore and France as comparatively better venuesâcontingent on the assigned investigator.
He also criticized much of the crypto ârecoveryâ cottage industry: â>95% of recovery companies are predatory and charge large amounts for basic reports with few actionable insights⊠Bad firms would have stopped tracing this XRP theft at Binance⊠when in reality the service was Bridgers or would have failed to identify addresses linked to Huione.â
As for the odds of restitution, the outlook is grim. âUnfortunately the likelihood of this victim seeing any funds recovered is rather low due to a delay in reporting the theft to competent people within the private sector,â he concluded, urging rapid reporting of theft addresses to maximize the chance of freezing flows at chokepoints. He also faulted ecosystem-level support: âRipple does not have as good of a support system for victims within their community as there is in Bitcoin, Ethereum, Solana, and major EVM chains.â
At press time, XRP traded at $2.44.
Featured image created with DALL.E, chart from TradingView.com
Editorial Process for bitcoinist is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict sourcing standards, and each page undergoes diligent review by our team of top technology experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.
