I looked up Ellipal, apparently the software and firmware are all proprietary and closed source. If they placed a backdoor, they very well could have been the thieves.

Also looking at that screenshot he had all 1+ million of his XRP in either one account or one UXTO. I'm not sure if XRP uses an account model or uxto model, but either way, KYC or not that's a huge target on the public blockchain for everyone to see. Any hacker would target those addresses first. If he were to have his XRP mixed correctly it would be likely that he wouldn't have been targeted. Goes to show how imperative privacy is especially for public surveillance coins.

Other than those two observations I'm curious to how else this could have happened. I hope he shares details about how he backed up his seed phrase and other details so the larger community can learn from this. To me Ellipal's proprietary software is a huge red flag.