China says the U.S. government took 127,000 BTC stolen from the LuBian mining pool

Source Cryptopolitan

China just accused the United States of pulling off a cyber hit worth nearly $13 billion.

On Sunday, the Chinese National Computer Virus Emergency Response Center (CVERC) claimed that 127,272 Bitcoins stolen from the LuBian mining pool back in 2020 ended up under U.S. government control after a four-year-long silent operation.

The coins were held by Chen Zhi, head of Prince Group in Cambodia, who tried everything from blockchain messages to ransom offers to get them back, but got nothing but silence.

The Chinese agency said the coins were moved in bulk, stayed untouched for years, and were then quietly taken over by the U.S. Department of Justice last year, before the DOJ indicted Chen on October 14 this year and seized the entire stash.

CVERC’s report claims this entire chain of events points to a state-level hack designed to look like law enforcement.

But actually, the real issue started with LuBian’s key-generation system, because instead of using proper 256-bit random numbers, they cut corners.

According to the CVERC, the wallets were created using a 32-bit pseudo-random seed, relying on the Mersenne Twister MT19937-32 algorithm, which reportedly gave hackers only 4.29 billion combinations to brute-force instead of the trillions required for a proper key.

This is nearly identical to the MilkSad flaw disclosed in August 2023, which was later assigned CVE-2023-39910. The MilkSad team even listed LuBian’s compromised wallets, matching the 25 wallets in the DOJ’s case. Once the attacker figured out the vulnerability, the CVERC’s report said it took less than two hours to break in.

Over 5,000 addresses were generated with the same weak system, and they all had no multisig, no hardware wallets, no HD wallets, nothing.
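The flaw described above, as an added example that is not from the CVERC report, LuBian, or any wallet's actual code: a 256-bit key whose only input is a small seed has no more possible values than the seed does, and a defender can audit a key by checking whether the weak generator reproduces it. It assumes CPython's `random.Random` (an MT19937 implementation with its own seeding, so it does not reproduce any real wallet's derivation) and a seed range reduced to 16 bits so the check finishes quickly; all function names are hypothetical.

```python
import random
import secrets

SEED_BITS_REPORTED = 32  # seed width the article attributes to LuBian's generator
DEMO_SEED_BITS = 16      # assumption: reduced range so the audit runs in about a second


def weak_private_key(seed: int) -> bytes:
    """Vulnerable pattern: 256 bits of output, all determined by a small seed."""
    rng = random.Random(seed)  # MT19937 under CPython; not a CSPRNG
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_private_key() -> bytes:
    """Hardened pattern: 256 bits drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(32)


def effective_keyspace(seed_bits: int) -> int:
    """Upper bound on distinct keys a seed-driven generator can ever emit."""
    return 2 ** seed_bits


def audit_key(key: bytes, seed_bits: int = DEMO_SEED_BITS):
    """Return the seed if the weak generator reproduces `key`, else None.

    A match means the key carries at most `seed_bits` bits of entropy and
    funds behind it should be moved to a freshly generated key.
    """
    for seed in range(effective_keyspace(seed_bits)):
        if weak_private_key(seed) == key:
            return seed
    return None


if __name__ == "__main__":
    constructed_weak = weak_private_key(12345)  # constructed sample key
    print("reported keyspace:", effective_keyspace(SEED_BITS_REPORTED))
    print("weak key traced to seed:", audit_key(constructed_weak))
    print("CSPRNG key traced to seed:", audit_key(strong_private_key()))
```

The same audit applies to any deterministic generator: if enumerating every possible seed is affordable for the owner, it is affordable for anyone else.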

Stolen coins stayed dormant before U.S. moved them

The LuBian mining pool, based mainly in China and Iran, was rising fast in 2020. It wasn’t using exchanges but stored Bitcoin in non-custodial wallets, the kind only you can unlock with your private key.

On December 29, 2020, LuBian’s wallets were hit in a bulk attack that drained 127,272.06953176 BTC, worth about $3.5 billion at the time. Less than 200 BTC were left behind.

All signs point to a brute-force script attacking over 5,000 wallets, all generated with a broken private key algorithm. The coins were swept out fast, then sat untouched in attacker-controlled wallets for four years. At least that’s what Arkham confirmed when it marked the final wallets as government-controlled.

During the dormancy period, Chen and his team tried to reach whoever stole the funds. In early 2021 and again in July 2022, they embedded over 1,500 messages into the Bitcoin blockchain using the OP_RETURN function. One allegedly said, “Please return our funds, we’ll pay a reward.”

Another pleaded, “To the whitehat who is saving our asset, contact us through 1228btc@gmail.com to discuss the return of asset and your reward.”

None of those got a reply.

Then, between June 22 and July 23, 2024, the CVERC said all the stolen Bitcoin suddenly moved to a new address, which, according to Arkham’s on-chain tracking, belongs to Uncle.

China claims U.S. seizure and calls it a double-cross

By the time the DOJ made its move earlier this year, the stolen coins had already sat idle for nearly four years, with less than one ten-thousandth moved.

China says this doesn’t line up with typical hacker behavior, because we all know that hackers sell or mix coins; they don’t babysit them for years.

The indictment listed 127,271 BTC across 25 wallet addresses, all tracked back to LuBian’s December 2020 hack, with the funds coming from the three sources below:

  • ~17,800 BTC from independent mining
  • ~2,300 BTC from mining pool wages
  • ~107,100 BTC from exchanges and other inflows

But the DOJ claimed the coins were illicitly obtained. The numbers don’t match up. The impact, though, is that LuBian never recovered. More than 90% of its assets were wiped.

The pool went down. The Chinese report ends with a warning to the rest of the crypto community: fix your wallet code, use real random number generators, adopt multisig, cold storage, and real-time on-chain monitoring. Or next time, it might be you.
