Ripple was not hacked for $112M XRP — but its co-founder was

ZachXBT flagged the outflows, which took place on Tuesday

share

An on-chain detective has flagged odd XRP outflows worth roughly $112 million from addresses linked to Ripple Labs.

ZachXBT, in a post on X Wednesday, said that Ripple seemed to have been hacked for 213 million XRP.

However, Ripple co-founder Chris Larsen responded that his Ripple accounts had been compromised, not Ripple itself.

Larsen said there had been “unauthorized access to a few of my personal XRP accounts.”

“We were quickly able to catch the problem and notify exchanges to freeze the affected addresses. Law enforcement is already involved,” he added.

Loading Tweet..

The stolen funds, ZachXBT found, were laundered through crypto exchanges including Gate, Binance, Kraken, OKX, HTX, HitBTC, and MEXC.

Loading Tweet..

He highlighted roughly 8 addresses tied to the alleged theft. 

Read more: Security review competition will offer a bounty of $1.2M

The timestamps for the transactions stand out, however, as they took place on Tuesday ranging from early on in the day to late Tuesday night. Ripple Labs or Larsen had not publicly disclosed the attack until ZachXBT’s posts on social media.

“The sheer number of [transactions] to exchanges in a short time span should tell you enough,” ZachXBT said in a follow up post. “Ripple team is not going to use a small instant exchange like FixedFloat in size.”

Following the post on X, XRP fell over 5%. It has since bounced back as of publication.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

Research Report Templates.png

Research

Pipe Network is a decentralized content delivery network (dCDN) that replaces the sparse, capital intensive data center footprint of traditional CDNs with a permissionless mesh of independent node operators. By orchestrating under-utilized resources that already exist at the edge, rather than purchasing or leasing thousands of servers, Pipe slashes capital intensity while letting supply expand autonomously in the places where bandwidth is scarcest and most expensive.

article-image

Fiscal dominance isn’t about interest rates and it isn’t about Trump, either

article-image

Firestarter Storage brings decentralized storage and delivery to Solana

article-image

After lengthy closing arguments on Wednesday, the case is now in the hands of 12 jurors

article-image

Analysts cite weak trading volume and regulatory progress as factors

article-image

Builders weigh in on Ethereum’s first decade and the decisions that will define its next one

article-image

Closing arguments set to kick off Wednesday after Tuesday’s testimony from two expert witnesses and an a16z partner