LuBian Mining Pool Hacker Attack Incident Technical Traceability Analysis Report
On December 29, 2020, the LuBian mining pool, operated primarily from China and Iran, suffered a major hacking attack in which 127272.06953176 bitcoins were stolen (worth $3.5 billion at the time and around $15 billion today); the holder of these coins was Chen Zhi, chairman of Cambodia's Prince Group. After lying dormant for four years, the stolen bitcoins were moved to a new address in June 2024, and on October 14, 2025, the U.S. Department of Justice announced criminal charges against Chen Zhi and the seizure of this batch of bitcoins. Multiple lines of evidence indicate that this was a "black eats black" incident (criminals robbing criminals) orchestrated by a state-level hacking organization. This report traces the incident from a technical perspective and analyzes its details and security implications.
1. Incident Background
The LuBian mining pool was established in early 2020 and stored and distributed mining rewards from non-custodial wallets (cold wallets/hardware wallets). The stolen amount accounted for over 90% of its bitcoin holdings and aligns closely with the 127271 BTC cited in the DOJ indictment. The attribution and flow of the on-chain addresses can be traced, but possession of the private key is the sole proof of control over the assets. On-chain data shows a high overlap between the stolen bitcoin addresses and those controlled by the U.S. government, but the U.S. has not yet disclosed how it obtained the private keys.
2. Attack Route Analysis
A Bitcoin private key is a 256-bit number that must be fully random to be secure, but the LuBian mining pool's key generation had a critical flaw: it relied on a pseudo-random number generator (MT19937-32) initialized with only a 32-bit seed, so its keys carried only 32 bits of effective entropy. An attacker could brute-force the entire seed space (about 4.29 billion candidates) in 1-2 hours. The flaw is of the same kind as CVE-2023-39910, published in 2023 by the overseas security research team MilkSad, whose findings covered all 25 addresses named in the DOJ indictment.
Complete Timeline
- Attack and Theft (2020.12.29): Attackers cracked more than 5,000 wallet addresses generated with weak randomness and transferred 127272.06953176 BTC in bulk, leaving fewer than 200 BTC behind; the transactions were executed by automated scripts.
- Dormant Phase (2020.12.30-2024.6.22): The stolen bitcoins sat untouched in the attackers' addresses for four years apart from a few small test transactions, a pattern that does not match how hackers normally cash out.
- Recovery Attempts (Early 2021, 2022.7): The LuBian mining pool embedded more than 1,500 messages in transactions using Bitcoin's OP_RETURN field, spending 1.4 BTC in the process, pleading for the coins' return and offering a ransom payment, but received no response.
- Activation Transfer (2024.6.22-7.23): The stolen bitcoins were transferred to a new address, which a blockchain tracking platform flagged as controlled by the U.S. government.
- Announcement of Seizure (2025.10.14): The U.S. Department of Justice announced charges against Chen Zhi and the seizure of this batch of bitcoins. On-chain tracing further indicates that the stolen bitcoins originated from mining, pool payouts, and exchanges, which contradicts the U.S. claim that "all originated from illegal income."
3. Vulnerability Technical Details
- Private Key Generation Defect: The mining pool used the non-cryptographically secure MT19937-32 generator initialized with a 32-bit seed, which does not comply with the BIP-39 standard. Because the seed can be enumerated, the private key can be recovered, constituting a systemic vulnerability.
- Simulated Attack Process: Identify target address → Enumerate the 32-bit seed → Generate the private key and its corresponding address → On a match, sign transactions and move the coins. This is similar to the low-entropy vulnerabilities previously exposed in Trust Wallet and Libbitcoin Explorer.
- Defense Shortcomings: No multi-signature, hardware wallet, or hierarchical deterministic (HD) wallet protections were in place, indicating an absence of basic security controls.
- Correlation Evidence: The 25 addresses in the U.S. indictment are directly linked to the stolen addresses, and the "stolen funds from the Iran-China mining" referred to in the indictment is consistent with on-chain analysis, confirming that the attack was orchestrated by a state-level organization.
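The flaw described in sections 2 and 3 (a 256-bit key drawn from MT19937 after a 32-bit seed, recoverable by enumerating the seed) in a constructed Python model, added here as an example and not code from the original report or from LuBian: weak_privkey is a simplified stand-in for the flawed generator, secure_privkey is the CSPRNG fix, and audit_key is a defender-side self-check showing that a weak key is reproducible from a small seed window while a CSPRNG key is not. The seed value 1609200000 is a constructed sample timestamp.

```python
import random
import secrets

SEED_BITS = 32  # the flawed generator's entire entropy budget


def seed_space(seed_bits: int = SEED_BITS) -> int:
    """Number of candidate seeds an auditor must try to cover the generator."""
    return 1 << seed_bits


def weak_privkey(seed: int) -> bytes:
    """Simplified model of the flawed scheme: a 256-bit key drawn from
    MT19937 after seeding it with a single 32-bit value.  Higher bits of
    the seed are discarded, so the key space is only 2^32 regardless of
    the output length.  (Constructed model, not LuBian's actual code.)"""
    rng = random.Random(seed & 0xFFFFFFFF)
    return rng.getrandbits(256).to_bytes(32, "big")


def secure_privkey() -> bytes:
    """The fix: 256 bits taken directly from the OS CSPRNG."""
    return secrets.token_bytes(32)


def audit_key(key: bytes, seed_lo: int, seed_hi: int):
    """Self-audit: try to reproduce `key` from every seed in [seed_lo, seed_hi).
    Returns the matching seed (the key is weak) or None (no match in window)."""
    for seed in range(seed_lo, seed_hi):
        if weak_privkey(seed) == key:
            return seed
    return None


if __name__ == "__main__":
    # Constructed sample: a seed equal to a Unix timestamp on 2020-12-29.
    seed = 1609200000
    weak = weak_privkey(seed)
    strong = secure_privkey()
    window = (seed - 3600, seed + 3600)  # one hour either side of the seed
    print("full seed space:", seed_space())
    print("weak key reproduced from seed:", audit_key(weak, *window))
    print("CSPRNG key reproduced from seed:", audit_key(strong, *window))
```

At full scale the same check costs seed_space() = 4,294,967,296 attempts, the roughly 4.29 billion the report quotes; the window here is kept small so the audit finishes in well under a second.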
4. Impact and Recommendations
This incident led to the dissolution of the LuBian mining pool and highlights both the security risks in cryptocurrency toolchains and the exposure created by price volatility. At the industry level, operators should adopt cryptographically secure pseudo-random number generators (CSPRNGs), multi-signature schemes, cold storage, and regular audits; mining pools should establish on-chain monitoring and anomaly alerting; and ordinary users should avoid unverified key-generation modules. The incident shows that blockchain transparency cannot compensate for fundamental security flaws, and that cybersecurity is a core prerequisite for the development of the digital economy and cryptocurrency.