ZachXBT Uncovers $3M XRP Heist: Bridgers & Huione Laundering
Prominent on-chain investigator ZachXBT has recently brought to light a substantial theft involving $3.05 million worth of XRP. The incident, which hit a United States retail user, was traced through a laundering pipeline that used Bridgers, an aggregator previously associated with SWFT, before funneling into over-the-counter (OTC) platforms connected to Huione. Huione, a Cambodian financial network, was targeted last week by the U.S. government with measures designed to sever its ties with the American financial system.
In findings published on October 19, ZachXBT detailed how a "US based victim lost $3.05M (1.2M XRP) from their Ellipal wallet." He went on to lay out the path of the stolen assets and offered insights for understanding and mitigating similar incidents. The case underscores the persistent challenges in the cryptocurrency domain around security, user awareness, and the methods employed by malicious actors.
Deconstructing the $3 Million XRP Robbery
In a comprehensive thread, ZachXBT pinpointed the theft address, r3cf5mgj5qEcj9n4Th28Es7NVRnXGJjkzc, by correlating transaction dates and amounts with publicly available information from a viral YouTube video. He stated, "Although the victim did not directly share the theft address… I found it by reviewing the date and amount." ZachXBT also observed that the "victim seems inexperienced and does not provide enough details to determine how the Ellipal wallet became compromised besides it being user error," highlighting a common vulnerability stemming from inadequate user understanding of digital asset security protocols.
According to ZachXBT's reconstruction, the perpetrator rapidly converted the XRP across several blockchain networks. The attacker placed more than 120 Ripple-to-Tron orders through Bridgers on October 12, 2025. On block explorers these transfers appeared to originate from Binance, because Bridgers (formerly SWFT) draws its liquidity from Binance; an investigator who stops at the explorer label would attribute the hop to the exchange rather than to the swap service actually used. The stolen funds were consolidated on the Tron network at TGF3hP5GeUPKaRJeWKpvF2PVVCMrfe2bYw the same day, and by October 15 they had been moved in full to OTC services ZachXBT described as "adjacent to Huione (illicit online marketplace in SEA)." Bridgers markets itself as a cross-chain swap platform supporting numerous networks, and DappRadar documentation corroborates its connection to SWFT's AllChain Bridge infrastructure.
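The two mechanical steps in the trace above, pivoting from a publicly stated date and amount to a concrete ledger transaction, and then counting the burst of near-identical outbound orders from the thief's address, can be reproduced against any XRP Ledger account history. The snippet below is an added example, not code from the article or from ZachXBT's thread. It runs on constructed records that only mimic the shape of XRPL `account_tx` output (native `Amount` in drops as a string, `date` in seconds since the Ripple epoch of 2000-01-01 UTC); every address, hash, amount and timestamp in it is hypothetical, and the function names are this example's own.

```python
"""
Date-and-amount correlation over XRP Ledger payment records.

Added example, not code from the article or from ZachXBT. Every address,
transaction hash, amount and timestamp below is constructed for illustration;
the records only mimic the shape of XRPL `account_tx` output.
"""
from collections import defaultdict
from datetime import datetime, timezone

RIPPLE_EPOCH_OFFSET = 946_684_800  # XRPL timestamps count seconds from 2000-01-01T00:00:00Z
DROPS_PER_XRP = 1_000_000          # native XRP amounts are expressed in drops


def ripple_time_to_datetime(ripple_seconds):
    """Convert an XRPL ledger timestamp to a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ripple_seconds + RIPPLE_EPOCH_OFFSET, tz=timezone.utc)


def datetime_to_ripple_time(dt):
    """Inverse of ripple_time_to_datetime; expects an aware datetime."""
    return int(dt.timestamp()) - RIPPLE_EPOCH_OFFSET


def _xrp_amount(tx):
    """XRP value of a Payment, or None for issued-currency amounts (which are dicts)."""
    amount = tx.get("Amount")
    if not isinstance(amount, str):
        return None
    return int(amount) / DROPS_PER_XRP


def find_candidate_thefts(txs, approx_xrp, iso_date, tolerance=0.01):
    """Date-and-amount pivot: XRP payments within `tolerance` of approx_xrp that
    settled on iso_date (UTC). A public statement like "lost 1.2M XRP on the
    11th" is enough to narrow an account history to a handful of candidates."""
    matches = []
    for tx in txs:
        if tx.get("TransactionType") != "Payment":
            continue
        xrp = _xrp_amount(tx)
        if xrp is None or abs(xrp - approx_xrp) > approx_xrp * tolerance:
            continue
        if ripple_time_to_datetime(tx["date"]).date().isoformat() != iso_date:
            continue
        matches.append({"hash": tx["hash"], "from": tx["Account"],
                        "to": tx["Destination"], "xrp": xrp})
    return matches


def summarize_outflows(txs, source):
    """Group every XRP payment sent by `source` by destination: order count,
    total XRP, first and last settlement time. Many similar-sized orders to a
    few deposit addresses inside a short window is the swap-service pattern."""
    by_dest = defaultdict(lambda: {"orders": 0, "xrp": 0.0, "first": None, "last": None})
    for tx in txs:
        if tx.get("TransactionType") != "Payment" or tx["Account"] != source:
            continue
        xrp = _xrp_amount(tx)
        if xrp is None:
            continue
        when = ripple_time_to_datetime(tx["date"]).isoformat()
        entry = by_dest[tx["Destination"]]
        entry["orders"] += 1
        entry["xrp"] += xrp
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
    return dict(by_dest)


def _payment(tx_hash, account, destination, xrp, when_utc):
    """Build one constructed Payment record in account_tx shape."""
    return {
        "hash": tx_hash,
        "TransactionType": "Payment",
        "Account": account,
        "Destination": destination,
        "Amount": str(int(round(xrp * DROPS_PER_XRP))),
        "date": datetime_to_ripple_time(datetime.fromisoformat(when_utc)),
    }


# Constructed history; rVICTIM, rTHIEF, rBRIDGE1 etc. are placeholder addresses.
SAMPLE_TXS = [
    _payment("T1", "rVICTIM", "rEXCHANGE", 250, "2025-10-11T09:00:00+00:00"),      # routine small send
    _payment("T2", "rVICTIM", "rTHIEF", 1_199_985, "2025-10-11T14:30:00+00:00"),   # the drain
    _payment("T3", "rOTHER", "rSOMEONE", 1_200_000, "2025-10-13T10:00:00+00:00"),  # right size, wrong day
    _payment("O1", "rTHIEF", "rBRIDGE1", 200_000, "2025-10-12T01:05:00+00:00"),
    _payment("O2", "rTHIEF", "rBRIDGE1", 200_000, "2025-10-12T01:09:00+00:00"),
    _payment("O3", "rTHIEF", "rBRIDGE1", 200_000, "2025-10-12T01:14:00+00:00"),
    _payment("O4", "rTHIEF", "rBRIDGE1", 200_000, "2025-10-12T01:20:00+00:00"),
    _payment("O5", "rTHIEF", "rBRIDGE1", 200_000, "2025-10-12T01:27:00+00:00"),
    _payment("O6", "rTHIEF", "rBRIDGE2", 99_990, "2025-10-12T02:00:00+00:00"),
    _payment("O7", "rTHIEF", "rBRIDGE2", 99_990, "2025-10-12T02:03:00+00:00"),
]

if __name__ == "__main__":
    for c in find_candidate_thefts(SAMPLE_TXS, 1_200_000, "2025-10-11"):
        print("candidate theft:", c)
    for dest, info in summarize_outflows(SAMPLE_TXS, "rTHIEF").items():
        print(dest, info)
```

On a real case the records would come from an XRPL `account_tx` query for the victim's address, and the destination addresses surfaced by `summarize_outflows` are exactly the ones whose explorer label deserves a second look: a deposit address labelled as an exchange may be a swap service's routing account, which is the distinction the thread draws between Binance and Bridgers.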
Huione's Entanglement and International Sanctions
The mention of Huione places this incident squarely within the context of an accelerating international sanctions regime. On October 14, 2025, the U.S. Treasury officially designated the Huione Group as a "primary money laundering concern." This designation effectively isolates Huione from the U.S. financial system due to its documented role in facilitating illicit financial flows linked to sophisticated Southeast Asian scam and human trafficking networks. This action was synchronized with a parallel sanctions package from the United Kingdom and additional U.S. initiatives targeting the Prince Group, another Cambodian conglomerate labeled by U.S. authorities as a transnational criminal organization.
ZachXBT attributed the Ellipal wallet incident not to a zero-day exploit of the hardware itself but to user confusion. He posited, "One lesson our industry needs to do better with is not causing confusion with products when you offer both custodial and non-custodial products. The XRP victim thought they were using the Ellipal cold wallet product when it was a hot wallet." This observation draws a parallel to "large Coinbase support impersonation thefts," where victims are socially engineered into transferring assets from exchange accounts to compromised non-custodial wallets.
Ellipal publicly confirmed this misidentification of wallet type. The company stated, "Our findings confirm that the loss occurred because the user mistakenly imported their cold wallet’s seed phrase into a hot wallet, which made the assets accessible online." Ellipal emphasized the inherent security of its "air-gapped cold wallets," asserting that they "remain 100% offline and have never been compromised since launch." The company also affirmed that it had reached out to the affected user and reiterated fundamental security practices: never import cold-wallet seed phrases into app-based wallets, and consistently keep recovery phrases and physical devices offline.
The laundering pattern meticulously described by ZachXBT—characterized by rapid cross-chain transfers via an aggregator, subsequent consolidation on Tron, and final distribution to OTC endpoints he categorized as "adjacent to Huione"—is consistent with typologies that U.S. authorities have frequently highlighted as scam ecosystems become increasingly professionalized. ZachXBT articulated, "Huione has directly facilitated laundering billions in illicit funds over the past couple years from pig butchering scams, investment scams, human trafficking and hacks/exploits in Southeast Asia… I hope centralized exchanges and stablecoin issuers implement stricter controls as they are one of the bigger threats impacting the longevity of our space."
Challenges in Asset Recovery and Ecosystem Support
The second significant theme explored in ZachXBT's thread pertains to the inherent structural difficulties associated with asset recovery. He noted, "The XRP victim mentioned… how they could not quickly get in touch with US law enforcement for a $3M theft." He elaborated on the issue, stating that there are "few LE qualified to handle such cases and endless victim reports so naturally incidents are overlooked." While acknowledging these systemic issues, he cited the U.S., Netherlands, Singapore, and France as comparatively more effective jurisdictions, albeit contingent on the expertise of the assigned investigator.
ZachXBT also critically evaluated the burgeoning crypto "recovery" industry, cautioning that ">95% of recovery companies are predatory and charge large amounts for basic reports with few actionable insights." He further illustrated this point: "Bad firms would have stopped tracing this XRP theft at Binance… when in reality the service was Bridgers or would have failed to identify addresses linked to Huione." This critique highlights the necessity for due diligence when seeking assistance for stolen assets.
Regarding the prospects of restitution, the outlook remains largely pessimistic. ZachXBT concluded, "Unfortunately the likelihood of this victim seeing any funds recovered is rather low due to a delay in reporting the theft to competent people within the private sector." He strongly advocated for the rapid reporting of theft addresses to maximize the potential for freezing illicit financial flows at critical choke points. Additionally, he pointed out a deficiency in ecosystem-level support, stating, "Ripple does not have as good of a support system for victims within their community as there is in Bitcoin, Ethereum, Solana, and major EVM chains." At the time of reporting, XRP was trading at $2.44.