No reliable proof that the US government infiltrated Chinese Bitcoin wallets to appropriate $13 billion in BTC.


China’s National Computer Virus Emergency Response Center has recently accused the United States of executing the 2020 LuBian Bitcoin exploit.

In contrast, Western investigations attribute the incident to a flaw in wallet random-number generation and do not implicate any state actor.

Open-source analysis of the LuBian drain

The fundamental details of the incident are now thoroughly documented in open sources. As reported by Arkham, around 127,000 BTC were withdrawn from wallets linked to the LuBian mining pool over approximately two hours on December 28–29, 2020, through coordinated withdrawals across numerous addresses.

The MilkSad research team, along with CVE-2023-39910, indicates that those wallets were generated using software that seeded MT19937 with only 32 bits of entropy, which limited the search space to about 4.29 billion seeds and made batches of P2SH-P2WPKH addresses vulnerable to brute-force attacks.

MilkSad’s Update #14 connects a cluster containing roughly 136,951 BTC that was drained starting on 2020-12-28 to LuBian.com through on-chain mining activities and documents the consistent 75,000 sat fee pattern on the sweep transactions. Blockscope’s analysis reveals that the majority of the funds remained largely inactive for years.
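The fixed 75,000 sat fee that MilkSad documents on the sweep transactions is the kind of signal a blockchain analyst screens for, because organic wallets choose a fee rate per transaction and their absolute fees vary. The following is an added example of that screening heuristic, written for this article rather than taken from MilkSad, Arkham or Blockscope; the transactions in it are constructed for illustration and are not LuBian chain data, and the `Tx` record, the address labels and the two-hour window are assumptions of the example.

```python
"""Added example (not from the article or any of the cited investigators):
a toy forensic check for the sweep-transaction fee pattern the article
describes. The transactions below are constructed for illustration and are
not LuBian chain data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    timestamp: int      # unix seconds
    fee_sat: int        # absolute fee paid, in satoshis
    source: str         # spending address (constructed labels, not real addresses)
    destination: str    # receiving address


def fee_clusters(txs, min_size=3, window_s=2 * 3600):
    """Return groups of at least `min_size` transactions that pay an identical
    absolute fee within `window_s` seconds of each other.

    Organic wallet traffic pays a fee *rate* chosen per transaction, so the
    absolute fee varies with size and mempool conditions; a run of spends
    from many addresses that all pay exactly the same satoshi amount within
    a short window is the signature of one automated sweeper."""
    by_fee = defaultdict(list)
    for tx in txs:
        by_fee[tx.fee_sat].append(tx)

    clusters = []
    for group in by_fee.values():
        group.sort(key=lambda t: t.timestamp)
        current = [group[0]]
        for tx in group[1:]:
            if tx.timestamp - current[0].timestamp <= window_s:
                current.append(tx)
            else:
                clusters.append(current)
                current = [tx]
        clusters.append(current)

    return [
        {
            "fee_sat": c[0].fee_sat,
            "count": len(c),
            "distinct_sources": len({t.source for t in c}),
            "distinct_destinations": len({t.destination for t in c}),
            "first_ts": c[0].timestamp,
            "last_ts": c[-1].timestamp,
        }
        for c in clusters
        if len(c) >= min_size
    ]


# Constructed sample: six sweeps paying a flat 75,000 sat within 30 minutes,
# three organic spends with varying fees, and one later flat-fee spend that
# falls outside the window.
BASE = 1_609_113_600  # 2020-12-28 00:00:00 UTC, used only as a constructed anchor
SAMPLE_TXS = [
    Tx(f"sweep{i:02d}", BASE + i * 300, 75_000, f"src{i:02d}", f"dst{i % 2}")
    for i in range(6)
] + [
    Tx("organic1", BASE + 100, 12_340, "userA", "merchant"),
    Tx("organic2", BASE + 900, 8_812, "userB", "userC"),
    Tx("organic3", BASE + 2_000, 21_000, "userD", "exchange"),
    Tx("late_flat", BASE + 7 * 86_400, 75_000, "src99", "dst0"),
]

if __name__ == "__main__":
    for cluster in fee_clusters(SAMPLE_TXS):
        print(cluster)
```

On the constructed sample the function returns a single cluster: six transactions from six different source addresses, all paying exactly 75,000 sat within half an hour, converging on two destinations. The three organic spends never cluster because their fees differ, and the lone flat-fee spend a week later is split off by the time window. Against real chain data the same grouping would be run over the 2020-12-28/29 interval with the sweep fee as the key.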

These same coins are currently held in wallets managed by the U.S. government. The U.S. Department of Justice has stated that prosecutors are seeking the forfeiture of approximately 127,271 BTC as proceeds and instruments of alleged fraud and money laundering associated with Chen Zhi and the Prince Group. The DOJ asserts that the assets are currently in U.S. custody.

Elliptic indicates that the addresses mentioned in the DOJ complaint correspond to the LuBian weak-key cluster previously identified by MilkSad and Arkham, with Arkham now designating the consolidated destination wallets as U.S. government-controlled. On-chain investigators, including ZachXBT, have publicly acknowledged the connection between the seized addresses and the earlier weak-key set.

Insights from the forensic record regarding the LuBian exploit

In terms of attribution, the technical teams that initially identified the flaw and traced the transactions do not assert knowledge of who executed the 2020 drain. MilkSad consistently refers to an actor who discovered and exploited weak private keys, stating they do not know the identity.

Arkham and Blockscope characterize the entity as the LuBian hacker, concentrating on method and scale. Elliptic and TRM limit their claims to tracing and the correlation between the 2020 outflows and the subsequent DOJ seizure. None of these sources identifies a state actor for the 2020 operation.

CVERC, supported by the CCP-owned Global Times and local reports, presents a different narrative.

It contends that the four-year dormancy period diverges from typical criminal cash-out behaviors and thus suggests the involvement of a state-level hacking organization.

It subsequently connects the later U.S. custody of the coins to the assertion that U.S. actors executed the exploit in 2020 before converting it into a law enforcement seizure.

The technical sections of the report closely align with independent open research on weak keys, MT19937, address batching, and fee patterns.

Its attribution leap relies on circumstantial inferences regarding dormancy and ultimate custody rather than new forensic evidence, tooling connections, infrastructure overlaps, or other standard indicators typically used in state actor attribution.

What is known about the LuBian Bitcoin drain

There are at least three coherent interpretations that align with publicly available information.

  1. The first suggests that an unidentified party, whether criminal or not, discovered the weak-key pattern, drained the cluster in 2020, left the coins largely dormant, and that U.S. authorities later acquired the keys through device seizures, cooperating witnesses, or related investigative methods, culminating in consolidation and forfeiture filings in 2024–2025.
  2. The second views LuBian and related entities as part of an internal treasury and laundering network for the Prince Group, where an apparent hack could have been an obscure internal transfer between wallets controlled by weak keys, consistent with the DOJ’s characterization of the wallets as unhosted and within the defendant’s possession, although public documents do not fully clarify how Chen’s network came to control the specific keys.
  3. The third, proposed by CVERC, claims that a U.S. state actor was responsible for the 2020 operation.

The first two interpretations align with the evidentiary stance presented in the reports and filings of MilkSad, Arkham, Elliptic, TRM, and the DOJ.

The third interpretation is an allegation that lacks independent technical evidence in the public domain.

A brief timeline of the uncontested events is provided below.

| Date (UTC) | Event | Approx. BTC | Source |
|---|---|---|---|
| 2020-12-28/29 | Coordinated drains from LuBian-controlled addresses | ~127,000–127,426 | Arkham; Blockscope; MilkSad Update #14 |
| 2021–2022 | OP_RETURN messages from LuBian-linked addresses pleading for return | N/A | MilkSad Update #14; Blockscope |
| 2023-08 | Disclosure of CVE-2023-39910 (weak MT19937 seeding in Libbitcoin Explorer) | N/A | NVD CVE-2023-39910 |
| 2024 | Consolidation of dormant coins into new wallets | ~127,000 | Blockscope; Arkham |
| 2025 | DOJ forfeiture action and public statements of U.S. custody | ~127,271 | DOJ; CBS News; Elliptic; TRM |

From a capability perspective, brute-forcing a 2^32 seed space is well within the reach of determined actors. At approximately 1 million guesses per second, a single machine can exhaust the space in a few hours, and distributed or GPU-accelerated systems can shorten that further.

This feasibility is what makes the MilkSad-class vulnerability so consequential: it explains how a single actor can exploit thousands of susceptible addresses at once. The fixed-fee pattern and the address derivation specifics published by MilkSad, and echoed in CVERC’s technical documentation, are consistent with this method of exploitation.
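To make the entropy argument of the preceding paragraphs and of the CVE-2023-39910 description concrete, here is an added example that is mine and not code from the article, MilkSad or Libbitcoin. It models the weak-seed class with Python's `random.Random` (itself MT19937) beside a generator that draws 256 bits from the OS CSPRNG, and includes a self-audit that checks whether a given entropy value is reachable from a bounded seed window. Python seeds MT19937 through `init_by_array` rather than the plain 32-bit `init_genrand` that `std::mt19937` uses, so the toy does not reproduce Libbitcoin Explorer output; the 1 million guesses-per-second rate is the article's figure, and the seed window and timestamp are constructed assumptions.

```python
"""Added example, not code from the article, MilkSad or Libbitcoin: a toy
model of the weak-seed class behind CVE-2023-39910. Python's random.Random is
MT19937, but it seeds the generator through init_by_array rather than the
plain 32-bit init_genrand that std::mt19937 uses, so this does NOT reproduce
Libbitcoin Explorer output; it only illustrates why a 32-bit seed makes a
256-bit value recoverable."""
import random
import secrets

SEED_BITS = 32
ENTROPY_BITS = 256
ARTICLE_RATE = 1_000_000  # guesses per second, the rate the article assumes


def weak_entropy(seed32: int) -> bytes:
    """Vulnerable pattern: 256 output bits fully determined by a 32-bit seed."""
    if not 0 <= seed32 < 2 ** SEED_BITS:
        raise ValueError("seed must fit in 32 bits")
    rng = random.Random(seed32)
    return rng.getrandbits(ENTROPY_BITS).to_bytes(ENTROPY_BITS // 8, "big")


def strong_entropy() -> bytes:
    """Hardened pattern: 256 bits drawn directly from the OS CSPRNG, never
    passed through a seeded PRNG."""
    return secrets.token_bytes(ENTROPY_BITS // 8)


def effective_bits(seed_bits: int = SEED_BITS, output_bits: int = ENTROPY_BITS) -> int:
    """The security of a PRNG-derived secret is bounded by its seed, not by
    the number of bits it emits."""
    return min(seed_bits, output_bits)


def seconds_to_exhaust(seed_bits: int = SEED_BITS, rate: float = ARTICLE_RATE) -> float:
    """Wall-clock time to try every seed once at the given guess rate."""
    return 2 ** seed_bits / rate


def audit_entropy(entropy: bytes, seed_lo: int, seed_hi: int):
    """Self-audit: return the seed in [seed_lo, seed_hi) that reproduces
    `entropy`, or None if no seed in the window does. Seeding from a clock
    means an owner who knows roughly when a wallet was generated can bound
    the window to a day or so and test their own wallet's entropy."""
    for seed in range(seed_lo, seed_hi):
        if weak_entropy(seed) == entropy:
            return seed
    return None


if __name__ == "__main__":
    created_at = 1_609_113_600  # constructed: 2020-12-28 00:00:00 UTC
    weak = weak_entropy(created_at)
    print("effective bits:", effective_bits(), "of", ENTROPY_BITS)
    print("seconds to exhaust 2^32 at 1M/s:", seconds_to_exhaust())
    print("weak seed recovered:", audit_entropy(weak, created_at - 600, created_at + 600))
    print("strong value found in window:", audit_entropy(strong_entropy(), 0, 10_000))
```

`effective_bits()` reports 32 regardless of the 256 bits emitted, which is the whole point: the output inherits no more security than the seed behind it. `seconds_to_exhaust()` returns about 4,295 seconds at the article's 1 million guesses per second, so a full sweep of the seed space is an hour-scale job on one machine before any GPU or distribution. The weak value is recovered from a twenty-minute window around its creation time, while the CSPRNG-derived value is never found in any window, because there is no 32-bit seed that produces it.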

The remaining disagreements pertain to ownership and control at each stage, rather than the mechanics. The DOJ characterizes the wallets as repositories for criminal proceeds linked to Chen and asserts that the assets are subject to forfeiture under U.S. law.

Chinese authorities depict LuBian as a victim of theft and accuse a U.S. state actor of the initial exploit.

Independent blockchain forensic groups connect the 2020 outflows to the 2024–2025 consolidation and seizure, stopping short of identifying who executed the actions in 2020. This summarizes the current state of the record.

The post No credible evidence US government hacked Chinese Bitcoin wallets to “steal” $13 billion BTC appeared first on CryptoSlate.