{"id":6832,"date":"2025-08-05T16:09:10","date_gmt":"2025-08-05T16:09:10","guid":{"rendered":"https:\/\/bitunikey.com\/news\/127000-bitcoin-went-missing-in-2020-no-one-asked-why\/"},"modified":"2025-08-05T16:09:13","modified_gmt":"2025-08-05T16:09:13","slug":"127000-bitcoin-went-missing-in-2020-no-one-asked-why","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/127000-bitcoin-went-missing-in-2020-no-one-asked-why\/","title":{"rendered":"127,000 Bitcoin went missing in 2020 \u2014 no one asked why"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p>Arkham has uncovered a 2020 heist involving 127,000 Bitcoin. The mining pool never reported it, and the funds never moved.<\/p>\n<div id=\"cn-block-summary-block_48290e05b49bb25d1fe91ef9cb301c77\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>In December 2020, LuBian, a major Bitcoin mining pool, lost 127,000 BTC in a theft that went entirely unreported.<\/li>\n<li>For nearly five years, the stolen Bitcoin remained untouched, and LuBian quietly ceased operations without disclosing the breach.<\/li>\n<li>Arkham Intelligence uncovered the theft in August 2025 through on-chain analysis, revealing a critical flaw in LuBian\u2019s private key system.<\/li>\n<li>The attacker exploited weak entropy in wallet key generation, allowing them to brute-force access and transfer the funds undetected.<\/li>\n<li>The stolen assets, now worth over $14 billion, have never moved, making this the largest and most concealed crypto theft of its time.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<h2 class=\"wp-block-heading\">Bitcoin stolen in 2020, exposed only in 2025<\/h2>\n<p>In December 2020, one of the largest Bitcoin (BTC) mining pools in the world abruptly disappeared from the network. LuBian, a China-based operation that once accounted for nearly 6% of the Bitcoin network\u2019s total hash rate, had experienced a security breach.\u00a0<\/p>\n<p>More than 127,000 BTC were withdrawn from its wallets in two transactions, amounting to around $3.5 billion at the time.<\/p>\n<p>No official statement was released. There was no alert to the public. LuBian never acknowledged the breach, and for almost five years, the stolen funds remained dormant on the blockchain. The theft went unreported and received little attention.<\/p>\n<p>In August 2025, a detailed investigation by blockchain analytics firm <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/arkm.com\/\" target=\"_blank\" rel=\"nofollow\">Arkham Intelligence<\/a> revealed the full scope of what had happened in late 2020.\u00a0<\/p>\n<figure class=\"wp-block-embed is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">BREAKING: ARKHAM UNCOVERS $3.5B HEIST \u2013 THE LARGEST EVER<\/p>\n<p>LuBian was a Chinese mining pool with facilities in China &amp; Iran. Based on analysis of on-chain data, it appears that 127,426 BTC was stolen from LuBian in December 2020, worth $3.5 billion at the time and now worth\u2026 <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/PnIOKgMt0i\" target=\"_blank\">pic.twitter.com\/PnIOKgMt0i<\/a><\/p>\n<p>\u2014 Arkham (@arkham) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/arkham\/status\/1951729790299394113?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">August 2, 2025<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>According to Arkham\u2019s on-chain analysis, over 90% of LuBian\u2019s holdings were moved in a single day, followed by a smaller outflow from a wallet associated with the Omni Layer protocol.\u00a0<\/p>\n<p>Just under 12,000 BTC remained, which LuBian promptly moved to new recovery wallets. Soon after, the mining pool halted all public activity.<\/p>\n<p>The stolen assets, now valued at over $14.5 billion due to Bitcoin\u2019s appreciation, have not been funneled through mixers or exchanges, keeping them unusually clean from an on-chain perspective.<\/p>\n<h2 class=\"wp-block-heading\">LuBian\u2019s mining dominance grew quickly in 2020<\/h2>\n<p>LuBian began its operations in 2020 and quickly rose to become one of the most influential mining pools in the Bitcoin ecosystem.\u00a0<\/p>\n<p>During its peak, the pool contributed nearly 6% of the network\u2019s total hash rate, ranking it among the ten largest mining entities globally.\u00a0<\/p>\n<p>Its infrastructure extended across mainland China and, reportedly, parts of Iran. Despite its size, LuBian maintained a low profile. The name, which translates to \u201croadside\u201d in Chinese, reflected an approach that favored discretion over public visibility.<\/p>\n<p>When LuBian abruptly went offline in early 2021, the move prompted speculation but no immediate concern. After months of consistent activity, the pool ceased block production and disappeared without explanation.\u00a0<\/p>\n<p>At the time, analysts attributed the shutdown to China\u2019s regulatory clampdown on crypto mining.\u00a0<\/p>\n<p>A combination of policy shifts, energy usage restrictions, and legal uncertainty had forced many operators to scale back or suspend activity, making LuBian\u2019s exit appear aligned with broader industry disruptions.<\/p>\n<p>That narrative remained intact for years, as there were no visible signs to challenge it. No user complaints surfaced. No unusual wallet activity was detected. In the absence of contrary evidence, the assumption of a regulatory exit was widely accepted.<\/p>\n<p>However, Arkham\u2019s findings point to a different conclusion. The pool\u2019s shutdown followed a large-scale financial breach rather than external pressure.\u00a0<\/p>\n<p>With what may have been billions in miner earnings and internal reserves lost, LuBian\u2019s team chose to remain silent and withdraw from public view.<\/p>\n<h2 class=\"wp-block-heading\">Arkham\u2019s investigation and technical findings<\/h2>\n<p>Arkham Intelligence\u2019s investigation combined blockchain tracing, message analysis, and key generation forensics to reconstruct the sequence of events.\u00a0<\/p>\n<p>It began with two large Bitcoin transfers that took place in late December 2020. These originated from addresses known to be associated with LuBian\u2019s mining operations and were sent to previously inactive wallets that displayed no further movement after receiving the funds.\u00a0<\/p>\n<p>The size of the balances and the lack of follow-up activity raised red flags.<\/p>\n<p>Further analysis revealed an unusual detail. In the days following the breach, LuBian sent more than 1,500 micro-transactions to the hacker-controlled addresses.\u00a0<\/p>\n<p>Each included a small amount of BTC and a message embedded in the OP_RETURN field\u2014a mechanism used in Bitcoin transactions to store arbitrary data.\u00a0<\/p>\n<p>These messages were not routine. They appeared to be direct pleas from LuBian\u2019s operators, asking the attacker to return the funds. One message even asked the recipient to act as a white-hat hacker and reach out via email to discuss possible cooperation and a reward.<\/p>\n<p>In total, LuBian spent around 1.4 BTC in transaction fees just to send these messages, suggesting a serious and deliberate attempt to initiate communication.\u00a0<\/p>\n<p>The messages received no reply, and the stolen coins remained unmoved. Even so, these public records left behind a clear digital trail confirming that a theft had occurred.<\/p>\n<p>Using address clustering techniques, Arkham was able to separate wallet groups tied to LuBian\u2019s mining activity from those associated with the attacker.\u00a0<\/p>\n<p>Wallets that mine together or regularly receive payouts from the same source tend to form observable clusters over time. Once the breach occurred, the attacker consolidated the stolen funds into a new group of wallets, which then remained idle.<\/p>\n<p>One of the most revealing aspects of the breach was how it happened. Arkham concluded that the theft resulted from a critical flaw in LuBian\u2019s wallet architecture. Rather than malware or insider access, the breach exploited a weakness in the way LuBian generated private keys.\u00a0<\/p>\n<p>Its wallet software used an algorithm that relied on only 32-bit entropy \u2014 a level of randomness far below accepted cryptographic standards.\u00a0<\/p>\n<p>With a search space limited to around 4 billion possible keys, an attacker with modest computational power could feasibly brute-force the correct private key in a manageable timeframe.<\/p>\n<p>This vulnerability exposed LuBian\u2019s wallet system to offline brute-force attacks. Once the flaw was identified, the attacker could systematically calculate keys, locate the right ones, and withdraw funds without triggering alarms.<\/p>\n<h2 class=\"wp-block-heading\">LuBian\u2019s breach now ranks as the most valuable crypto theft<\/h2>\n<p>The theft at LuBian now ranks as the most valuable crypto heist recorded at the time it occurred. In comparison, the 2014 collapse of Mt. Gox resulted in the loss of approximately 850,000 BTC, valued at around $450 million at the time.\u00a0<\/p>\n<p>While the Mt. Gox case involved a greater volume of Bitcoin, roughly 200,000 BTC were later recovered, and the overall financial impact was lower than that of LuBian.<\/p>\n<p>The LuBian breach also eclipsed the 2016 Bitfinex hack, which saw about 119,756 BTC stolen. That incident, valued at $72 million when it happened, remained in focus for years until a large portion of the funds was eventually seized by U.S. authorities.\u00a0<\/p>\n<p>Other major events that followed, such as the $610 million theft from Poly Network in 2021, the $625 million Ronin bridge exploit in 2022, and the $400 million drained during the FTX collapse, were serious in scale but did not match LuBian in terms of overall value.\u00a0<\/p>\n<p>In many of those cases, funds were either recovered or voluntarily returned. LuBian\u2019s case remained entirely invisible until now.<\/p>\n<p>In February 2025, a major exploit at Bybit briefly drew attention by removing $1.5 billion in digital assets from the platform. At the time, it was described as the largest hack in crypto history.\u00a0<\/p>\n<p>However, Arkham\u2019s findings have since altered that ranking. With Bitcoin\u2019s price having risen substantially in the years since the LuBian breach, the value of the stolen and untouched holdings now sits between $14 billion and $15 billion, making it the most valuable theft on record.<\/p>\n<p>Arkham\u2019s latest data shows that the addresses linked to the LuBian hacker hold more Bitcoin than the cluster associated with the Mt. Gox event.\u00a0<\/p>\n<p>The hacker currently ranks as the thirteenth largest holder of BTC worldwide, a position more commonly associated with major exchanges or early miners who have remained inactive. Few individuals or organizations control more.<\/p>\n<p>The complete inactivity of the stolen assets is also unusual. In nearly all previous high-value breaches, attackers attempted to obfuscate or move funds using mixers, decentralized trading platforms, or privacy tools.\u00a0<\/p>\n<p>In this case, the funds have remained entirely still. That lack of movement allowed the theft to go unnoticed for years. Without Arkham\u2019s investigation, it is likely the breach would have remained undiscovered.<\/p>\n<\/p><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Arkham has uncovered a 2020 heist involving 127,000 Bitcoin. The mining pool never reported it, and the funds never moved. Summary In December 2020, LuBian, a major Bitcoin mining pool,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":6833,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6832","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/6832","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=6832"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/6832\/revisions"}],"predecessor-version":[{"id":6834,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/6832\/revisions\/6834"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/6833"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=6832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=6832"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=6832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}