
An American retiree says he lost more than $3 million in XRP, a theft he discovered when he checked Ellipal's mobile app on October 15 and found his balance gone. The discovery prompted an on-chain tracing effort by pseudonymous analyst ZachXBT.
CoinDesk has not independently verified the investor's identity, balance, or entire on-chain path. This report is based on several YouTube videos posted since October 15, Ellipal's public statement on October 18, and ZachXBT's October 19 X thread.
What the victim says happened
The investor, who identified himself as Brandon, said he lives in North Carolina, is 54, and that his wife, 60, is also retired. He said the XRP position was almost his entire retirement savings and that he had planned to buy a home in Las Vegas.
He said he has been accumulating XRP since 2017 and previously held more but sold some for living expenses. In his YouTube video, he said he discovered the theft by checking the Ellipal app on Wednesday, October 15, and then determined that the theft had occurred the previous Sunday, October 12.
He described two 10-XRP test withdrawals around 11:15 a.m. Eastern time, followed by a sweep of approximately 1,209,990 XRP to a newly created address, then a rapid fan-out across dozens of wallets and eventually hundreds. He said small balances of other assets remained, including about $1,000 in XLM and about $900 in FLR.
He said he filed a report with the FBI's Internet Crime Complaint Center and contacted local authorities, but struggled to get quick access to specialized cyber units. He said he did not know exactly how the money was withdrawn from the hot wallet.
Ellipal's explanation and the hot/cold confusion
Ellipal said on October 18 that its review indicated the user had imported the seed phrase of the hardware wallet into the Ellipal mobile app, which would recreate the wallet on an internet-connected device.
In an email to the user, Ellipal explained that if a cold wallet seed is used on a phone or tablet, the seed and the resulting private key are stored on that device, effectively making it a hot wallet and greatly reducing security.
Brandon said he has Ellipal's app on both his iPhone and iPad. He noted that the iPhone app showed a blue background, which Ellipal told him indicated a cold-wallet connection, and the iPad app showed an orange background, which Ellipal told him indicated a hot wallet.
Ellipal stressed that its hardware devices are air-gapped and said it has not seen theft originating from the hardware. The company's account points to user error, although this in itself does not prove how the compromise occurred.
Where the money allegedly went, according to ZachXBT's investigation
In an October 19 thread, ZachXBT said he identified the theft address by matching the timing and amounts described in the videos. He reported that the attacker created more than 120 Ripple-to-Tron orders on October 12 using Bridgers, a swap service formerly known as SWFT. He said some block explorers label those hops as "Binance" because Bridgers uses the exchange for liquidity.
He said the funds were consolidated in a wallet on Tron, TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw, and had been distributed by Oct. 15 to over-the-counter brokers adjacent to Huione, an online marketplace in Southeast Asia that has been cited in recent public actions by U.S. authorities. CoinDesk has not independently reproduced the full tracing or confirmed the ultimate recipients.
Recovery possibilities and user takeaways
ZachXBT cautioned that most "recovery" companies are predatory, often producing superficial reports while charging high fees. He said prompt reporting to trusted investigators and compliance platforms can improve the odds of flags or freezes, but recovery is rare once funds are moved through cross-chain swaps and OTC venues.
For users, the main lesson is straightforward: if the goal is cold storage, don't type the hardware wallet seed into a mobile or desktop app. Use a separate seed for any hot wallet and consider a BIP39 passphrase for high-value cold storage.
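The following is an added example, not part of the original article and not Ellipal's code. It shows why typing a seed phrase into a phone recreates the same wallet there, and why a BIP39 passphrase yields a different one. It assumes standard BIP39 seed derivation and BIP32 master-key derivation, uses the public BIP39 test mnemonic as sample input, and `wallet_id` is a hypothetical comparison helper.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test mnemonic, used here as constructed sample input.
# Never paste a real wallet mnemonic into a script or an online device.
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def wallet_id(seed: bytes) -> str:
    """Hypothetical helper: short hash of the BIP32 master key material.

    BIP32 derives the master key as HMAC-SHA512(key="Bitcoin seed", data=seed).
    Equal ids mean the two devices hold the same keys and control the same funds.
    """
    master = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return hashlib.sha256(master).hexdigest()[:16]


def compare_devices() -> dict:
    """Model the article's scenario with the sample mnemonic."""
    cold = wallet_id(bip39_seed(SAMPLE_MNEMONIC))
    # Same words typed into a phone app (extra whitespace does not matter):
    phone = wallet_id(bip39_seed("  " + SAMPLE_MNEMONIC.replace(" ", "  ")))
    # Cold wallet protected by a BIP39 passphrase that is never typed on the phone:
    cold_pp = wallet_id(bip39_seed(SAMPLE_MNEMONIC, "constructed passphrase"))
    return {
        "phone_import_controls_cold_wallet": phone == cold,
        "passphrase_wallet_differs_from_words_only": cold_pp != cold,
    }


if __name__ == "__main__":
    for claim, holds in compare_devices().items():
        print(f"{claim}: {holds}")
```

The derivation has no device-specific input, so any device that ever held the words holds the keys. The passphrase helps only if it is kept off every internet-connected device.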
Brandon said the loss destroyed the couple's retirement plans. He said he shared his experience to warn others and seek guidance, while acknowledging that the chances of recovery are slim.