The LuBian Bitcoin Mining Pool Heist - Post-Mortem
Overview
On December 28, 2020, approximately 127,426 Bitcoin vanished from the LuBian mining pool—valued at $3.5 billion then, approximately $14.8 billion as of August 2025. The theft remained undetected for nearly five years until blockchain analysis firm Arkham Intelligence publicly exposed it in August 2025.
What Happened
LuBian operated as a Bitcoin mining pool that had grown to control "almost 6% of Bitcoin's network hashrate" by December 2020. The operation was run by Liu Ping and maintained facilities in Iran, leveraging extremely cheap electricity ($0.006 per kilowatt-hour). The organization claimed to be "the safest high-yielding mining pool in the world."
In February 2021, LuBian ceased operations without explanation, coinciding with China's intensifying cryptocurrency regulations.
Technical Root Cause
The fundamental failure was catastrophically weak cryptographic entropy in private key generation:
The Vulnerability: "LuBian used a private key generation algorithm with catastrophically weak 32-bit entropy," compared to the required 256-bit standard for Bitcoin security. This represented approximately 4 billion possible key combinations instead of 2^256 possibilities.
Attack Vector
• Attackers could enumerate the limited 32-bit keyspace using standard hardware
• "Any decent computer could churn through" the possibilities "in a few hours"
• Similar vulnerabilities had previously affected Trust Wallet and Libbitcoin Explorer
• The "Milk Sad" vulnerability demonstrated the broader pattern of weak entropy in crypto infrastructure
Financial Impact
• Stolen Amount: 127,426 Bitcoin
• Original Value (December 2020): ~$3.5 billion
• Current Value (August 2025): ~$14.8 billion
• Remaining Holdings: Approximately 11,886 Bitcoin worth $1.38 billion remained in attacker-controlled wallets as of August 2025
Victim Response & Recovery Efforts
• Sent over 1,500 messages via Bitcoin's OP_RETURN function directly to the attacker's wallets
• Burned 1.4 BTC (~$40,000) in transaction fees simply to transmit pleading messages
• Received no response; the attacker maintained complete silence
Fund Movement & Current Status
• Last Major Activity: July 2024, wallet consolidation
• Current Holdings Pattern: "Largely dormant"
• Distribution: Funds linked across 2,200+ addresses
• No Laundering: No mixing, no tumbling, no complex laundering schemes