On-chain sleuth ZachXBT has traced a $3.05 million theft of XRP from a US retail user to a laundering route that ran through Bridgers—an aggregator formerly associated with SWFT—and into over-the-counter venues linked to Huione, the Cambodian financial network that the US government moved last week to cut off from the American financial system.
The reference to Huione lands squarely in a fast-moving sanctions environment. On October 14, 2025, the US Treasury designated the Huione Group as a “primary money laundering concern,” effectively severing it from the US financial system for facilitating flows tied to Southeast Asian scam and trafficking networks; the action was coordinated alongside a UK sanctions package and parallel US actions targeting the Prince Group, a Cambodian conglomerate labeled by US authorities as a transnational criminal organization.
ZachXBT’s thread placed the Ellipal wallet at the center of user confusion rather than a zero-day exploit of the hardware itself. “One lesson our industry needs to do better with is not causing confusion with products when you offer both custodial and non-custodial products. The XRP victim thought they were using the Ellipal cold wallet product when it was a hot wallet,” he wrote, drawing a parallel to “large Coinbase support impersonation thefts” where victims move assets from an exchange account to a compromised non-custodial wallet after social-engineering.
Ellipal publicly corroborated the cold-to-hot wallet mix-up. “Our findings confirm that the loss occurred because the user mistakenly imported their cold wallet’s seed phrase into a hot wallet, which made the assets accessible online,” the company stated, stressing that its “air-gapped cold wallets remain 100% offline and have never been compromised since launch.” Ellipal said it had contacted the user and reiterated basic hygiene: never import cold-wallet seeds into app-based wallets, and keep recovery phrases and devices offline.
The laundering arc ZachXBT described—fast cross-chain hops via an aggregator, consolidation on Tron, and distribution to OTC endpoints he characterizes as “adjacent to Huione”—mirrors typologies that US authorities have warned about as scam ecosystems professionalize.
He also criticized much of the crypto “recovery” cottage industry: “>95% of recovery companies are predatory and charge large amounts for basic reports with few actionable insights… Bad firms would have stopped tracing this XRP theft at Binance… when in reality the service was Bridgers or would have failed to identify addresses linked to Huione.”
As for the odds of restitution, the outlook is grim. “Unfortunately the likelihood of this victim seeing any funds recovered is rather low due to a delay in reporting the theft to competent people within the private sector,” he concluded, urging rapid reporting of theft addresses to maximize the chance of freezing flows at chokepoints. He also faulted ecosystem-level support: “Ripple does not have as good of a support system for victims within their community as there is in Bitcoin, Ethereum, Solana, and major EVM chains.”
At press time, XRP traded at $2.44.
