Chris Larsen Hack
Incident Overview
Ripple co-founder Chris Larsen's personal account on Ripple chain was hacked, resulting in a loss of 213 million XRP tokens worth approximately $112.5 million.
On January 30, 2024, Ripple co-founder and executive chairman Chris Larsen was the victim of a hack of his personal account. This led to the theft of 213 million XRP tokens, worth approximately $112.5 million. The stolen assets were laundered through Kraken, KuCoin, Gate, Binance, MEXC, FixedFloat, and Whitebit, Huobi, EXMO and others.
Blockchain detective zachxbt noticed and posted about incident the strange movement of around 213 million XRP, the native token for the Ripple project.Ripple CEO Chris Larsen later went on X (formerly Twitter) to claim that the funds that were stolen had come from his personal wallets and not from wallets belonging to the Ripple project.
Attacker Address:
https://xrpscan.com/account/rJNLz3A1qPKfWCtJLPhmMZAfBkutC2Qojm
Funded Addresses:
https://xrpscan.com/account/rGhR13XyM43WdDaSMznHd5rZ4cJatybvEg
https://xrpscan.com/account/rHQVKntyfkDCPhEBL2ctryuEAkDZgckmmV
https://xrpscan.com/account/rLsUemhuBZtF44rqqzneb2F9JgyrRYYd4t
https://xrpscan.com/account/rKPERax7t9iFvT3RHXn5nifyNpzp9a4hBa
https://xrpscan.com/account/rpjs4HLX1gJoEenH69PsQmXaXY22QhCYAT
https://xrpscan.com/account/rLRhugR4ysNa2xkt4E6fKN8krs9jatCp6w
https://xrpscan.com/account/rnCyeUNvfDbtTagGEPjBfTCBz6EqJjf2Uj
https://xrpscan.com/account/rHVjfYzTaB8MzSoQGqpzH9barZr85QsZW7
Funds Transfer Transactions:
https://xrpscan.com/tx/7749F7605D8B9C10CEF8353CC3F976E3444A4B45CA8E03124C6CE4BE73814EC8
https://xrpscan.com/tx/34322EB8769E9616DD7C0AA4C6FD0E255D1DD6A577C0C9754C343E63123F5B03
https://xrpscan.com/tx/BB2A66793F3562B5949BB911F744B39A29B41D8D6B61B20AC3A99E672A4839B6
Chris Larsen's post:
https://twitter.com/chrislarsensf/status/1752742706462523882
Zachxbt's post:
https://twitter.com/zachxbt/status/1752694489905528943
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Chris Larsen, these are the critical security checks that could have prevented this incident (January 2024).
- Verify all logic paths related to Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialRelated Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
Learn to Prevent the Next Chris Larsen
The Chris Larsen hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.