
China just recently accused the United States of carrying out cyberattacks worth about $13 billion.
On Sunday, China’s National Computer Virus Emergency Response Center (CVERC) claimed that 127,272 Bitcoins stolen from the LuBian mining pool in 2020 were finally placed under the control of the US government after four years of silent operations.
The coins belonged to Cambodia’s Prince Group head Chen Zhi, who has tried everything from blockchain messages to offers of a ransom to get them back, but has been met with nothing but silence.
According to Chinese authorities, the coins were drained in bulk and left untouched for years until they were secretly taken over by the U.S. Department of Justice last year, which indicted Chen on October 14 this year and seized the entire stash.
CVERC’s report claims that this entire sequence of events points to a state-level hack disguised as a law enforcement agency.
In reality, though, the real problem started with LuBian’s key generation system, which cut corners instead of using a proper 256-bit random number.
According to CVERC, the wallet was created using a 32-bit pseudo-random seed that relied on the Mersenne Twister MT19937-32 algorithm, which reportedly gave hackers just 4.29 billion brute force combinations instead of the trillions required for a suitable key.
This is nearly identical to the MilkSad flaw that was published in August 2023 and later assigned CVE-2023-39910. The MilkSad team also listed LuBian’s compromised wallets, which match 25 wallets in the Department of Justice case. Once the attackers discovered the vulnerability, it took them less than two hours to break in, according to the CVERC report.
Over 5,000 addresses were generated on the same vulnerable system, with no multisig, hardware wallets or HD wallets in use.
The stolen coins lay dormant until the U.S. moved in.
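To make the flaw concrete, here is an added illustration (not LuBian’s code, which is not public, and not from the CVERC or Milk Sad reports) of the weak pattern the report describes beside a hardened one: a 32-bit seed fed to a Mersenne Twister caps the whole keyspace at 2^32 regardless of how many output bits are requested. Python’s `random.Random` is MT19937-based, though its integer seeding differs from the reference `init_genrand`, so this reproduces the pattern rather than the exact bit stream.

```python
import random
import secrets

# Order of the secp256k1 group; a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

SEED_BITS_WEAK = 32   # seed width CVERC attributes to the LuBian wallets
KEY_BITS = 256        # size of a secp256k1 private key


def weak_privkey(seed32: int) -> int:
    """Flawed pattern: a 32-bit seed drives a Mersenne Twister whose output is
    used as a 256-bit private key. Same seed -> same key, so only 2**32 keys
    can ever exist (illustration of the pattern, not LuBian's actual code)."""
    if not 0 <= seed32 < 2 ** SEED_BITS_WEAK:
        raise ValueError("seed must fit in 32 bits")
    rng = random.Random(seed32)           # MT19937 seeded with a 32-bit value
    return rng.getrandbits(KEY_BITS) % (SECP256K1_N - 1) + 1


def strong_privkey() -> int:
    """Hardened pattern: 256 bits from the OS CSPRNG via `secrets`, rejecting
    out-of-range values instead of reducing them (no seed to enumerate)."""
    while True:
        k = secrets.randbits(KEY_BITS)
        if 1 <= k < SECP256K1_N:
            return k


def keyspace_size(seed_bits: int) -> int:
    """Distinct keys a seeded generator can emit: bounded by the seed width,
    not by the number of output bits requested from it."""
    return 2 ** seed_bits


def brute_force_hours(seed_bits: int, keys_per_second: float) -> float:
    """Worst-case hours to enumerate every seed at a given checking rate;
    use it as a sanity check when reviewing a wallet's key-generation path."""
    return keyspace_size(seed_bits) / keys_per_second / 3600


if __name__ == "__main__":
    print("weak keyspace:", keyspace_size(SEED_BITS_WEAK))        # 4294967296
    print("same seed, same key:", weak_privkey(7) == weak_privkey(7))
    print("strong keyspace bits:", KEY_BITS)
```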
The LuBian mining pool, based primarily in China and Iran, was growing rapidly in 2020. The pool did not use exchanges and stored its Bitcoin in non-custodial wallets that could only be unlocked with their private keys.
On December 29, 2020, LuBian’s wallets were attacked in bulk, and 127,272.06953176 BTC, worth approximately $3.5 billion at the time, was drained. Less than 200 BTC was left.
All indications point to a brute force script attacking over 5,000 wallets, all generated with a broken private key algorithm. The coins were quickly swept away and remained untouched for four years in a wallet controlled by the attackers. At least that is what Arkham confirmed when it labelled the final destination wallet as government-controlled.
During the dormant period, Chen and his team attempted to contact whoever had stolen the funds. In early 2021 and July 2022, they embedded over 1,500 messages into the Bitcoin blockchain using OP_RETURN outputs. One message reportedly read, “Please return the funds so I can pay you.”
Another implored: “To the white hats who are storing our assets, please contact us through 1228btc@gmail.com to discuss asset return and compensation.”
There was no reply to any of them.
Then, according to CVERC, between June 22 and July 23, 2024, all of the stolen Bitcoin was suddenly moved to a new address. According to Arkham’s on-chain tracking, the address belongs to Uncle Sam.
China claims US seizure, calls it a double cross
By the time the Justice Department took action earlier this year, the stolen coins had already been sitting there for nearly four years, and less than one in 10,000 had been moved.
China claims that this is not consistent with typical hacker behavior: as everyone knows, hackers sell and mix coins rather than sitting on them for years.
The indictment lists 127,271 BTC in 25 wallet addresses, all dating back to the LuBian hack in December 2020, with the funds coming from three sources:
- ~17,800 BTC from independent mining
- ~2,300 BTC from mining pool wages
- ~107,100 BTC from exchanges and other inflows
The Justice Department, however, claimed the coins were obtained illegally. The numbers don’t match. Either way, the impact was that LuBian never recovered. More than 90% of its assets were wiped out.
The pool shut down. China’s report ends with a warning to the rest of the cryptocurrency community: fix wallet code to use a real random number generator, and employ multisig, cold storage, and real-time on-chain monitoring. Or maybe it’s you next time.
