Chris Larsen Hack

TOTAL LOST $112M
Critical #76 All-Time Access Control

Summarize with AI

Affected Chain 2024 Incident surface
Recovered - No recovery reported
All-Time Rank #76 By amount stolen
Protocol Type Exploit/Access control Target category

Incident Overview

Ripple co-founder Chris Larsen's personal account on Ripple chain was hacked, resulting in a loss of 213 million XRP tokens worth approximately $112.5 million.

On January 30, 2024, Ripple co-founder and executive chairman Chris Larsen was the victim of a hack of his personal account. This led to the theft of 213 million XRP tokens, worth approximately $112.5 million. The stolen assets were laundered through Kraken, KuCoin, Gate, Binance, MEXC, FixedFloat, and Whitebit, Huobi, EXMO and others.

Blockchain detective zachxbt noticed and posted about incident the strange movement of around 213 million XRP, the native token for the Ripple project.Ripple CEO Chris Larsen later went on X (formerly Twitter) to claim that the funds that were stolen had come from his personal wallets and not from wallets belonging to the Ripple project.

Attacker Address:

https://xrpscan.com/account/rJNLz3A1qPKfWCtJLPhmMZAfBkutC2Qojm

Funded Addresses:

https://xrpscan.com/account/rGhR13XyM43WdDaSMznHd5rZ4cJatybvEg

https://xrpscan.com/account/rHQVKntyfkDCPhEBL2ctryuEAkDZgckmmV

https://xrpscan.com/account/rLsUemhuBZtF44rqqzneb2F9JgyrRYYd4t

https://xrpscan.com/account/rKPERax7t9iFvT3RHXn5nifyNpzp9a4hBa

https://xrpscan.com/account/rpjs4HLX1gJoEenH69PsQmXaXY22QhCYAT

https://xrpscan.com/account/rLRhugR4ysNa2xkt4E6fKN8krs9jatCp6w

https://xrpscan.com/account/rnCyeUNvfDbtTagGEPjBfTCBz6EqJjf2Uj

https://xrpscan.com/account/rHVjfYzTaB8MzSoQGqpzH9barZr85QsZW7

Funds Transfer Transactions:

https://xrpscan.com/tx/7749F7605D8B9C10CEF8353CC3F976E3444A4B45CA8E03124C6CE4BE73814EC8

https://xrpscan.com/tx/34322EB8769E9616DD7C0AA4C6FD0E255D1DD6A577C0C9754C343E63123F5B03

https://xrpscan.com/tx/BB2A66793F3562B5949BB911F744B39A29B41D8D6B61B20AC3A99E672A4839B6

Chris Larsen's post:

https://twitter.com/chrislarsensf/status/1752742706462523882

Zachxbt's post:

https://twitter.com/zachxbt/status/1752694489905528943

Incident Report

Protocol / Project Chris Larsen
Date of Incident
Attack Technique Access Control
Classification Other
Primary Source View Post-Mortem

Protocol Information

Protocol Type Exploit/Access control
Affected Token XRP
Team Anonymous
Source Code Verified On-Chain

What the Attacker Needed to Succeed

Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.

Technical Knowledge Operational-security tradecraft (phishing, malware, leaked seed phrases, or insider access) to obtain treasury signing authority
Capital Required Minimal capital - only enough to cover gas while draining the compromised accounts
On-Chain Access Valid signing authority over the compromised wallets / multisig signers, allowing direct transfer of funds or stake authorization
Target Reconnaissance Identification of Chris Larsen's high-value treasury accounts and the authority / multisig structure controlling them
Execution Speed Speed to drain the compromised accounts before the team detects the breach and revokes signing authority or freezes the assets
Obfuscation Plan A strategy to launder and move stolen funds - typically through mixers, cross-chain bridges, or decentralized DEX swaps to resist tracing

What Auditors Should Check

Could this have been caught in audit? Likely — with a thorough Access Control audit checklist and test coverage

If you're auditing a protocol with similar architecture to Chris Larsen, these are the critical security checks that could have prevented this incident (January 2024).

  • Verify all logic paths related to Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
  • Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs

Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.

Free Trial

Related Attack Classes

The technique used in this hack maps to these vulnerability classes in our security curriculum:

See all Access Control Attacks examples →

Sources & References

Learn to Prevent the Next Chris Larsen

The Chris Larsen hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.

Recreate exploit patterns safely Free Trial