On-chain sleuth ZachXBT has traced a $3.05 million theft of XRP from a US retail user to a laundering route that ran through Bridgers—an aggregator formerly associated with SWFT—and into over-the-counter venues linked to Huione, the Cambodian financial network that the US government moved last week to cut off from the American financial system.
Publishing the findings on October 19, ZachXBT said a “US based victim lost $3.05M (1.2M XRP) from their Ellipal wallet,” adding: “Here’s the tracing of where the stolen funds ended up and the biggest takeaways for similar thefts.”
Inside The $3 Million XRP Robbery
In a thread, ZachXBT identified the theft address—r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc—by matching dates and amounts from a viral YouTube video. “Although the victim did not directly share the theft address… I found it by reviewing the date and amount,” he wrote. He cautioned that “the victim seems inexperienced and does not provide enough details to determine how the Ellipal wallet became compromised besides it being user error.”
According to his reconstruction, the attacker rapidly converted the XRP across chains: “The attacker created 120+ Ripple -> Tron orders via Bridgers on Oct 12, 2025. On block explorers the transactions show as Binance since Bridgers (formerly SWFT) uses them for liquidity.” The funds were consolidated on Tron at TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw on October 12 and, by October 15, “were completely laundered away to OTCs adjacent to Huione (illicit online marketplace in SEA),” he wrote. Bridgers bills itself as a “cross-chain swap” platform spanning dozens of networks; DappRadar documentation has also linked Bridgers to SWFT’s AllChain Bridge stack.
The reference to Huione lands squarely in a fast-moving sanctions environment. On October 14, 2025, the US Treasury designated the Huione Group as a “primary money laundering concern,” effectively severing it from the US financial system for facilitating flows tied to Southeast Asian scam and trafficking networks; the action was coordinated alongside a UK sanctions package and parallel US actions targeting the Prince Group, a Cambodian conglomerate labeled by US authorities as a transnational criminal organization.
ZachXBT’s thread placed the Ellipal wallet at the center of user confusion rather than a zero-day exploit of the hardware itself. “One lesson our industry needs to do better with is not causing confusion with products when you offer both custodial and non-custodial products. The XRP victim thought they were using the Ellipal cold wallet product when it was a hot wallet,” he wrote, drawing a parallel to “large Coinbase support impersonation thefts” where victims move assets from an exchange account to a compromised non-custodial wallet after social-engineering.
Ellipal publicly corroborated the cold-to-hot wallet mix-up. “Our findings confirm that the loss occurred because the user mistakenly imported their cold wallet’s seed phrase into a hot wallet, which made the assets accessible online,” the company stated, stressing that its “air-gapped cold wallets remain 100% offline and have never been compromised since launch.” Ellipal said it had contacted the user and reiterated basic hygiene: never import cold-wallet seeds into app-based wallets, and keep recovery phrases and devices offline.
The laundering arc ZachXBT described—fast cross-chain hops via an aggregator, consolidation on Tron, and distribution to OTC endpoints he characterizes as “adjacent to Huione”—mirrors typologies that US authorities have warned about as scam ecosystems professionalize.
In his words: “Huione has directly facilitated laundering billions in illicit funds over the past couple years from pig butchering scams, investment scams, human trafficking and hacks/exploits in Southeast Asia… I hope centralized exchanges and stablecoin issuers implement stricter controls as they are one of the bigger threats impacting the longevity of our space.”
The thread’s second theme is the structural difficulty of recovery. “The XRP victim mentioned… how they could not quickly get in touch with US law enforcement for a $3M theft,” he wrote, adding that there are “few LE qualified to handle such cases and endless victim reports so naturally incidents are overlooked,” though he cited the US, Netherlands, Singapore and France as comparatively better venues—contingent on the assigned investigator.
He also criticized much of the crypto “recovery” cottage industry: “>95% of recovery companies are predatory and charge large amounts for basic reports with few actionable insights… Bad firms would have stopped tracing this XRP theft at Binance… when in reality the service was Bridgers or would have failed to identify addresses linked to Huione.”
As for the odds of restitution, the outlook is grim. “Unfortunately the likelihood of this victim seeing any funds recovered is rather low due to a delay in reporting the theft to competent people within the private sector,” he concluded, urging rapid reporting of theft addresses to maximize the chance of freezing flows at chokepoints. He also faulted ecosystem-level support: “Ripple does not have as good of a support system for victims within their community as there is in Bitcoin, Ethereum, Solana, and major EVM chains.”
At press time, XRP traded at $2.44.
