Wallet Forensics and XRPL Funds Tracking

XRPL Wallet Intelligence, Forensics, and Funds Tracking

Read-only forensic layer that separates native XRP, IOUs, trustlines, NFT references, AMM/DEX context, exchange deposits, destination tags, and signing-key risk notes.

Tracked wallets

4

Tracked transactions

19

Exchange deposits

1

Known IOU codes

12

Where did the 81 XRP go?

81.417325 XRP left wallet rpP12ND2K7ZRzXZBEUnQM2i18tMGytXnW1 and was delivered successfully to the XRPL account labeled ChangeNOW (3). The transaction used destination tag 614122458. That means the XRP entered ChangeNOW's internal deposit system. To trace what happened after that, the destination tag and transaction hash must be provided to ChangeNOW support.

tx hash

84F7978E290E10A8F6FBFF17D04846C9E90EDC8224A40071DB70D55458A2FD47

amount: 81.417325 XRP

from: rpP12ND2K7ZRzXZBEUnQM2i18tMGytXnW1

to: rKKbNYZRqwPgZYkFWvqNUFBuscEyiFyCE

destination tag: 614122458

outcome: success

Support and recovery prompts

support message: ask ChangeNOW to map destination tag 614122458 to internal order.

refund question: if payout failed, can XRP be refunded to sender?

exchange order lookup: which payout asset/address was linked to this tag?

Most important control clue

The critical control question is who set and controlled the regular keys rpKmcC1PevAxTBRQgkYtakdGVup2K2Luqh and rJpKvdn64acBnVGNQ873JpQKujA4TAVbfN after master-key disablement.

  • rpKmcC1PevAxTBRQgkYtakdGVup2K2Luqh
  • rJpKvdn64acBnVGNQ873JpQKujA4TAVbfN
  • rK3SFG4BVWJyNjbMDeEJcEMoRG51ax2CGR

Plain-English timeline

  1. 2026-02-07: Legacy wallet set (issuer/treasury/escrow/attestation/amm/trading) generated offline.
  2. 2026-02-18 16:00–16:01 UTC: Issuer rGSDDiG (unykorn.org) distributes UnyKorn USDT to 4 holder wallets: rKNvud9 (39.7M), rnAF6Ki (38.8M), rPqUumc (38.8M), rGhaJrY (10M). Total: ~127.3M USDT issued.
  3. 2026-02-18: rpP12ND wallet ecosystem receives XRP and multiple IOUs from rGSDDiG (USDT, GOLD, EUR, USD, GBP, DONK). rDEW3 opens a USDT trustline (50M limit).
  4. 2026-02-21: NFT burn activity observed on rpP12ND.
  5. 2026-02-25 11:06:01 UTC: SetRegularKey on rpP12ND → rpKmcC1PevAxTBRQgkYtakdGVup2K2Luqh. [CRITICAL — first key takeover]
  6. 2026-02-25 11:06:10 UTC: AccountSet asfDisableMaster on rpP12ND. Original owner loses master key control.
  7. 2026-03-04 04:41 UTC: rDEW3 sends 20,000,513.71 USDT back to issuer rGSDDiG (tx: E29E7C...934C80). IOU burned.
  8. 2026-03-04 05:15 UTC: rPqUumc sends 38.8M USDT to rGSDDiG (tx: 95D3B8...C9DBD2). IOU burned.
  9. 2026-03-04 05:22 UTC: rnAF6Ki sends 38.8M USDT to rGSDDiG (tx: 0FCFAA...177124). IOU burned.
  10. 2026-03-04 05:35 UTC: rGhaJrY sends 10.0M USDT to rGSDDiG (tx: 646C49...CA0A80). IOU burned.
  11. 2026-03-04 06:45 UTC: rKNvud9 sends 39.7M USDT to rGSDDiG (tx: 6839ED...0114DA). IOU burned.
  12. 2026-03-04 07:37 UTC: rpP12ND sends 37.6M USDT to rGSDDiG (tx: 61717F...7D4943). IOU burned.
  13. 2026-03-04 21:47:41 UTC: rDEW3 sends 8.101678 XRP to rpP12ND — topping up reserve ahead of sweep.
  14. 2026-03-04 23:47 UTC: rKNvud9 closes all trustlines (USDT, DRUNKS, DONK, GOLD set to 0).
  15. 2026-03-04 23:47:41 UTC: rDEW3 AccountDelete attempt → FAILS (tecHAS_OBLIGATIONS, USDT trustline still open). Fee: 0.2 XRP.
  16. 2026-03-05 00:24:22 UTC: SetRegularKey on rpP12ND → rJpKvdn64acBnVGNQ873JpQKujA4TAVbfN. [CRITICAL — final controller set, 22 min before theft]
  17. 2026-03-05 00:25 UTC: AMM withdraw activity on rpP12ND.
  18. 2026-03-05 00:29–00:38 UTC: rpP12ND sends remaining IOU balances to rGSDDiG (USDT 37.6M, GOLD 15M, EUR 25M, USD 60K, GBP 22.5M, DONK 2M). All burned.
  19. 2026-03-05 00:33–00:43 UTC: rpP12ND closes all trustlines (DONK, USDT, GOLD, GBP, EUR, USD all set to 0).
  20. 2026-03-05 00:38 UTC: IOU drain complete. rGSDDiG now shows 0 IOUs issued, 0 held. Entire USDT supply destroyed.
  21. 2026-03-05 00:46:21 UTC: FINAL SWEEP — 81.417325 XRP sent from rpP12ND to ChangeNOW (rKKbNYZR...) destination tag 614122458. Tx: 84F7978E...
  22. 2026-03-24: rGSDDiG account still active with 7.02 XRP; no IOUs. Rippling still enabled. Two small 0.000001 XRP dust payments received.

Explorer Links

Quick actions

Track XRP FlowExchange Deposit ReportAdmin Reports