LuBian Mining Pool Hack: A Technical Deep Dive into the $15 Billion Bitcoin Heist

Executive Summary

This report provides a comprehensive technical analysis of the LuBian mining pool hack that occurred in December 2020, resulting in the theft of 127,272.06953176 Bitcoin, now valued at approximately $15 billion. We will explore the timeline of events, dissect the vulnerabilities that enabled the attack, and assess the potential involvement of nation-state actors.

Key Takeaways:

* The background of the LuBian mining pool and the circumstances surrounding the hack. * A detailed examination of the pseudorandom number generator (PRNG) vulnerability that was exploited. * A reconstruction of the attack timeline, from the initial breach to the U.S. government's seizure of the stolen Bitcoin. * An assessment of Bitcoin's security mechanisms and recommendations for enhancing security in the cryptocurrency industry.

Introduction

On December 29, 2020, the LuBian mining pool suffered a massive cyberattack resulting in the theft of 127,272.06953176 Bitcoin. This substantial amount was owned by Chen Zhi, the Chairman of Prince Group in Cambodia. Following the hack, Chen Zhi and Prince Group repeatedly posted messages on the blockchain, appealing to the hackers to return the stolen Bitcoin and offering a reward, but received no response.

Technical Analysis

The stolen Bitcoin remained dormant in attacker-controlled wallets for nearly four years, suggesting a sophisticated operation orchestrated by a highly capable entity, possibly a nation-state sponsored hacking group. In June 2024, the stolen Bitcoin was transferred to new wallets, and subsequently, on October 14, 2025, the U.S. Department of Justice (DOJ) announced criminal charges against Chen Zhi and the seizure of 127,000 Bitcoin.

Evidence and Assessment

Evidence indicates that the Bitcoin seized by the U.S. government is the same Bitcoin stolen from the LuBian mining pool in 2020, raising questions about the U.S. government's role in the hack. Did the U.S. government hack the LuBian mining pool and steal the Bitcoin in a "hack-back" operation?

Attack Details

PRNG Vulnerability

The core vulnerability exploited by the attackers was the LuBian mining pool's reliance on a weak pseudorandom number generator (PRNG) for private key generation. Specifically, the pool used the Mersenne Twister (MT19937-32) algorithm with only a 32-bit seed, drastically reducing the entropy and making the private keys predictable.

Attack Timeline

* **December 29, 2020:** Attackers exploited the PRNG vulnerability to generate private keys for thousands of weak wallets within the LuBian pool. * **2020-2024:** The stolen Bitcoin remained dormant in attacker-controlled wallets. * **June 2024:** The stolen Bitcoin was transferred to new wallets controlled by the U.S. government. * **October 14, 2025:** The U.S. DOJ announced criminal charges against Chen Zhi and the seizure of 127,000 Bitcoin.

Findings and Recommendations

The LuBian mining pool hack highlights the critical risks in the cryptocurrency space, including weak PRNGs and the importance of robust security mechanisms such as multi-signature schemes and hardware wallets. The cryptocurrency industry must take significant steps to improve security and protect users from cyberattacks.