Hacken links Ripple chairman’s hack to XRP official wallet

A key executive of Ripple, the company behind the XRP ledger, may have had his personal crypto wallets compromised via an inside job.

According to a Feb. 7 report from blockchain analytics platform Hacken, the hacker who exploited Ripple co-founder and chairman Chris Larsen’s personal wallets for $112.5 million worth of XRP (XRP) on Jan. 31 also had links to a wallet account that Ripple may have controlled.

However, the blockchain auditing firm stopped short of claiming that the attack was carried out by a Ripple employee, stating that it was “[too] early for conclusions.” Nevertheless, the firm claimed that “two wallets connected to XRP’s authorized wallet played key roles” in the attack.

On Jan. 31, Larsen claimed that some of his personal wallets had been compromised, causing him to lose 213 million XRP, worth $112.5 million at the time of the incident. The following day, Binance CEO Richard Teng revealed that his exchange had frozen $4.2 million worth of XRP stolen in the attack.

Hacken’s researchers say the attacker allegedly split up the stolen funds into eight different wallet accounts. From there, six of the wallets sent funds to a single intermediate wallet with an address that begins with “rHyqB,” which subsequently sent $70.9 million worth of XRP to yet another address starting with “ro4ha.”

Additional XRP was sent through other intermediate wallets before reaching a Binance deposit address.

Chart of fund flows after Chris Larsen wallet compromise. Source: Hacken

After establishing the funds’ whereabouts, Hacken began analyzing the incoming transactions to each wallet. Researchers found that a wallet address beginning in “rU1bPM4” had sent $64.6 million in XRP to Larsen in the past. It also sent $37,500 worth to one of the intermediate wallets later used to transfer the stolen funds.

This seems to imply either that a person who sent Larsen $65 million also sent $37,500 to the attacker or else the attacker is the person who sent these funds to Larsen.

This wallet account beginning in “rU1bPM4” also sent nearly $2 million to a Kraken deposit address in 2020, and the attacker made deposits to this same Kraken account, Hacken claimed. The firm claimed the Kraken deposit account was “allegedly used to funnel funds” from the attack.

In addition, researchers claim that the “rU1bPM4” account has “longstanding ties with XRP, predating the incident,” implying that it may have been an “authorized wallet.” Hacken wrote:

“In this [$112.5 million hack] incident, two wallets connected to XRP’s authorized wallet played key roles. It’s [too] early for conclusions, but the story is getting more interesting.”

An investigation into the hack is continuing.

Main, News