Intelligence agents uncover unreported 2020 Bitcoin theft from Chinese mining pool LuBian

Arkham Intelligence has traced a December 2020 hack at the now-defunct Chinese mining pool LuBian that siphoned off 127,426 Bitcoins, worth $3.5 billion at the time and roughly $14.5 billion at today's prices. The pool briefly ranked sixth worldwide, controlling about six percent of Bitcoin's total hash rate in mid-2020, before disappearing from public view in 2021.

Blockchain forensics indicate that the main breach occurred on 28 December 2020, when more than 90 percent of LuBian's reserves vanished in a single transaction. A day later, attackers drained a further $6 million in Bitcoins and USDT from a LuBian address on the Bitcoin Omni layer. LuBian then hurriedly moved their remaining coins into recovery wallets on 31 December.

Arkham's analysis points to an unusually weak key-generation routine as the probable entry point: LuBian allegedly relied on just 32 bits of entropy, a level that can be brute-forced with gaming hardware given enough time.

The pool itself appears to have recognized the breach, spending 1.4 bitcoins on more than 1,500 OP_RETURN messages pleading with the attacker to return the funds, signs that strongly suggest the messages came from the legitimate operators rather than an opportunistic impersonator.

Both parties have held on to their coins ever since. LuBian still controls their remaining 11,886 Bitcoins (about $1.35 billion), while the hacker last moved funds only to consolidate wallets in July 2024. At current valuations, the stolen stash would place the attacker 13th on Arkham's ranking of the largest known Bitcoin holders, just ahead of the Mt. Gox attacker.