China’s National Computer Virus Emergency Response Center just accused the United States of carrying out the 2020 LuBian Bitcoin exploit.
However, Western research ties the event to a wallet random-number flaw and does not name a state actor.
Open-source forensics on the LuBian drain
The core facts of the episode are now well documented across open sources. According to Arkham, approximately 127,000 BTC were moved out of wallets associated with the LuBian mining pool over a period of about two hours on December 28–29, 2020, through coordinated withdrawals across hundreds of addresses.
According to the MilkSad research team and CVE-2023-39910, those wallets were created with software that seeded MT19937 with only 32 bits of entropy, which reduced the search space to approximately 4.29 billion seeds and exposed batches of P2SH-P2WPKH addresses to brute-force attacks.
MilkSad’s Update #14 links a cluster holding roughly 136,951 BTC that was drained beginning on 2020-12-28 to LuBian.com through on-chain mining activity and documents the fixed 75,000 sat fee pattern on the sweep transactions. Blockscope’s reconstruction shows the bulk of the funds then sat with minimal movement for years.
Those same coins now sit in wallets controlled by the U.S. government. According to the U.S. Department of Justice, prosecutors are pursuing the forfeiture of approximately 127,271 BTC as proceeds and instrumentalities of alleged fraud and money laundering tied to Chen Zhi and the Prince Group. The DOJ states that the assets are presently in U.S. custody.
Elliptic shows that addresses in the DOJ complaint map onto the LuBian weak-key cluster that MilkSad and Arkham had already identified, and Arkham now tags the consolidated destination wallets as U.S. government-controlled. On-chain sleuths, including ZachXBT, have publicly noted the overlap between the seized addresses and the earlier weak-key set.
What the forensic record shows about the LuBian exploit
Regarding attribution, technical teams that first identified the flaw and traced the flows do not claim knowledge of who executed the 2020 drain. MilkSad repeatedly refers to an actor who discovered and exploited weak private keys, stating they do not know the identity.
Arkham and Blockscope describe the entity as the LuBian hacker, focusing on method and scale. Elliptic and TRM confine their claims to tracing and to the match between the 2020 outflows and the later DOJ seizure. None of these sources names a state actor for the 2020 operation.
CVERC, amplified by the CCP-owned Global Times and local pickups, advances a different narrative.
It argues that the four-year dormancy period deviates from common criminal cash-out patterns and therefore points to a state-level hacking organization.
It then links the later U.S. custody of the coins to the allegation that U.S. actors executed the exploit in 2020 before converting it into a law enforcement seizure.
The report’s technical sections track closely with independent open research on weak keys, MT19937, address batching, and fee patterns.
Its attribution leap rests on circumstantial inferences about dormancy and ultimate custody rather than new forensics, tooling ties, infrastructure overlaps, or other standard indicators used in state actor attribution.
What we actually know about the LuBian Bitcoin drain
There are at least three coherent readings that fit what is public.
- One is that an unknown party, criminal or otherwise, found the weak-key pattern, drained the cluster in 2020, left the coins mostly dormant, and U.S. authorities later obtained the keys through seizures of devices, cooperating witnesses, or related investigative means, which culminated in consolidation and forfeiture filings in 2024–2025.
- A second treats LuBian and related entities as part of an internal treasury and laundering network for Prince Group, where an apparent hack could have been an opaque internal movement between weak-key-controlled wallets, consistent with DOJ’s framing of the wallets as unhosted and within the defendant’s possession, though public documents do not fully detail how Chen’s network came to control the specific keys.
- The third, advanced by CVERC, is that a U.S. state actor was responsible for the 2020 operation.
The first two align with the evidentiary posture presented in the filings of MilkSad, Arkham, Elliptic, TRM, and the DOJ. The third is an allegation not substantiated by independent technical evidence in the public domain.
A brief timeline of the uncontested events is below.
From a capability standpoint, brute-forcing a 2^32 seed space is well within reach for motivated actors. At about 1 million guesses per second, a single setup can traverse the space in a few hours, and distributed or GPU-accelerated rigs compress that further.
That feasibility is what makes the MilkSad-class weakness so serious: it explains how a single actor could sweep thousands of vulnerable addresses at once. The fixed-fee pattern and address derivation details published by MilkSad, and mirrored in CVERC's technical write-up, corroborate this method of exploitation.
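The fixed-fee sweep heuristic that MilkSad's Update #14 and the paragraph above rely on, written from an investigator's side as an added example (this is not code from MilkSad, Arkham, or CVERC): transactions are grouped by exact fee, and any fee under which many distinct addresses were swept inside one short window is flagged. The transaction records, their field layout, and the thresholds are constructed for illustration and are not real LuBian data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (txid, UTC timestamp, fee in sat, swept address).
# Every value is made up for illustration; none are real LuBian transactions.
SAMPLE_TXS = [
    ("tx01", "2020-12-28T22:03:10", 75000, "addrA"),
    ("tx02", "2020-12-28T22:05:42", 75000, "addrB"),
    ("tx03", "2020-12-28T22:09:05", 75000, "addrC"),
    ("tx04", "2020-12-28T22:31:00", 75000, "addrD"),
    ("tx05", "2020-12-28T23:12:33", 75000, "addrE"),
    ("tx06", "2020-12-28T23:40:18", 75000, "addrF"),
    ("tx07", "2020-12-29T00:01:00", 75000, "addrG"),
    # Ordinary traffic: varied fees, spread over days.
    ("tx08", "2020-12-20T10:00:00", 12500, "addrH"),
    ("tx09", "2020-12-23T14:20:00", 18200, "addrI"),
    ("tx10", "2020-12-27T09:15:00", 75000, "addrJ"),  # same fee, but isolated
    ("tx11", "2020-12-30T16:45:00", 9800, "addrK"),
]


def parse(txs):
    """Turn the ISO timestamps into datetime objects."""
    return [(txid, datetime.fromisoformat(ts), fee, addr) for txid, ts, fee, addr in txs]


def find_fee_clusters(txs, min_addrs=5, window=timedelta(hours=2)):
    """Return {fee: (distinct_addrs, window_start, window_end)} for each fee
    under which at least `min_addrs` distinct addresses were swept inside a
    single interval no longer than `window` (thresholds are assumptions)."""
    by_fee = defaultdict(list)
    for _, ts, fee, addr in parse(txs):
        by_fee[fee].append((ts, addr))
    hits = {}
    for fee, events in by_fee.items():
        events.sort()                      # sliding window over time order
        in_window, left, best = Counter(), 0, (0, None, None)
        for ts, addr in events:
            in_window[addr] += 1
            while ts - events[left][0] > window:   # drop events older than window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best[0]:
                best = (len(in_window), events[left][0], ts)
        if best[0] >= min_addrs:
            hits[fee] = best
    return hits
```

On the sample data only the 75,000 sat group is flagged (seven addresses swept in under two hours), while the isolated 75,000 sat transaction days earlier and the varied-fee traffic are ignored.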
The remaining disputes lie in ownership and control at each step, not in the mechanics. DOJ frames the wallets as repositories for criminal proceeds tied to Chen and states the assets are forfeitable under U.S. law.
Chinese authorities frame LuBian as a victim of theft and accuse a U.S. state actor of the original exploit.
Independent blockchain forensics groups connect the 2020 outflows to the 2024–2025 consolidation and seizure, and stop short of naming who pressed the button in 2020. That is the status of the record.