China’s National Computer Virus Emergency Response Center issues technical analysis over US govt bitcoins seizure, calling it a typical case of ‘thieves falling out’
China’s National Computer Virus Emergency Response Center (CVERC) on Sunday issued a technical analysis of the case in which the US government seized a vast amount of bitcoin and charged the owner, the founder of the Cambodian business empire the Prince Group, with allegedly masterminding a massive cryptocurrency scam. The center called it a typical case of “thieves falling out” orchestrated by a state-level hacking organization.
This report reconstructs the full timeline of the Bitcoin theft, analyzes each phase of the attack, and evaluates Bitcoin’s security mechanism.
It said that on December 29, 2020, a major hacking incident occurred at the LuBian mining pool, resulting in the theft of about 127,272 Bitcoins (then worth about $3.5 billion, now valued near $15 billion). The funds belonged to Chen Zhi, Chairman of Cambodia’s Prince Group.
Following the hacking incident, Chen Zhi and his Prince Group repeatedly posted messages on the blockchain in early 2021 and July 2022, pleading for the return of the stolen Bitcoins and offering a ransom. The hackers never replied.
Unusually, the entire stash then sat untouched in a wallet under the control of the attackers for almost four years. This deviates from the typical pattern of quick liquidation of gains, instead resembling a precision operation orchestrated by a “state-level hacking organization.” Only in June 2024 were the stolen coins moved to a new wallet, where they have remained untouched.
On October 14, 2025, the US Department of Justice filed criminal charges against Chen Zhi and claimed to have seized 127,000 Bitcoins linked to him and the Prince Group. Evidence indicates that the Bitcoins seized by the US government matched those stolen from the LuBian mining pool by hackers as early as 2020.
In other words, the US government likely stole Chen Zhi’s 127,000 Bitcoins as early as 2020 using hacking techniques, making this a typical case of “thieves falling out” orchestrated by a state-level hacking organization.
The technical traceback reveals the complete timeline and relevant details of the hacking of the LuBian mining pool in five phases: attack and theft, dormancy, recovery attempts, activation and transfer, and announcement and seizure.
On December 29, 2020, Beijing time, hackers exploited a system flaw in the LuBian pool and, within approximately two hours, drained 127,272.06953176 Bitcoins from targeted wallets.
All suspicious transactions carried an identical transaction fee, indicating that the theft was carried out using an automated batch transfer script. The sending wallet addresses were controlled by the LuBian mine’s operating entity, which belongs to the Prince Group. The receiving addresses were disclosed.
The report then said that during the second phase, the dormancy phase from December 30, 2020 to June 22, 2024, the Bitcoins remained virtually frozen for four years, with a negligible number of dust transactions that were likely for testing purposes.
In the third phase, the LuBian mine sent over 1,500 messages asking the hackers to return the assets and promising to negotiate a reward.
During the fourth phase, from June 22 to July 23, 2024, the Bitcoins were activated and transferred to the final wallet addresses, which were tagged by ARKHAM, the famous US blockchain tracking tool, as owned by the US government.
On October 14, 2025, the US Department of Justice announced charges against Chen Zhi and the seizure of his 127,000 Bitcoins.
Using Bitcoin’s transparent, traceable ledger, the report conducted a forensic analysis tracing the origin of the massive amount of Bitcoins. In total, 127,272.06953176 Bitcoins were traced to several sources: about 17,800 coins from independent mining, approximately 2,300 coins from pool payouts, and approximately 107,100 coins from exchanges and other channels.
Preliminary findings contradicted the US Department of Justice’s claim in the indictment that all of the funds originated from illegal proceeds, the CVERC report said.
The report then detailed how the Bitcoin wallet was generated and simulated the attack process through pure technical tracking and analysis of documents related to the case.
This attack led to the de facto dissolution of the LuBian mine, with losses equal to more than 90 percent of its assets at that time, per the report.
The LuBian incident has exposed systemic risks in random-number generation across the cryptocurrency toolchain.
To prevent similar vulnerabilities, the report suggested using cryptographically secure pseudorandom number generators and setting up multi-layered defense mechanisms, including multi-signature protocols, cold storage solutions, and regular security audits, while avoiding custom private key generation algorithms.
For mining pools, the report advised integrating real-time on-chain monitoring and abnormal transfer alert systems.
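As an illustration of the abnormal transfer alerting recommended above, the following added example (not code from the CVERC report or from Global Times) flags two of the signals described in the incident: a large share of a pool's holdings leaving within a short window, and several spends carrying an identical fee. The thresholds, field names and wallet labels are assumptions, and the transactions are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

COIN = 100_000_000                 # satoshis per bitcoin
WINDOW = timedelta(hours=2)        # assumed look-back window
DRAIN_RATIO = 0.25                 # assumed: alert when >25% of holdings leave in WINDOW
MIN_BATCH = 3                      # assumed: same fee on >=3 spends suggests a script

def detect_abnormal_outflow(txs, watched, holdings_sat):
    """Return one alert per spend that pushes the trailing window over a threshold."""
    spends = sorted((t for t in txs if t["sender"] in watched), key=lambda t: t["time"])
    alerts, start = [], 0
    for end, tx in enumerate(spends):
        while tx["time"] - spends[start]["time"] > WINDOW:
            start += 1             # slide the window forward
        window = spends[start:end + 1]
        outflow = sum(t["amount_sat"] for t in window)
        fee, same_fee = Counter(t["fee_sat"] for t in window).most_common(1)[0]
        reasons = []
        if outflow > DRAIN_RATIO * holdings_sat:
            reasons.append("drain")
        if same_fee >= MIN_BATCH:
            reasons.append("uniform-fee batch")
        if reasons:
            alerts.append({"time": tx["time"], "outflow_sat": outflow,
                           "fee_sat": fee, "reasons": reasons})
    return alerts

def _tx(ts, sender, btc, fee_sat):
    return {"time": datetime.fromisoformat(ts), "sender": sender,
            "amount_sat": btc * COIN, "fee_sat": fee_sat}

# Constructed sample data; wallet labels are placeholders, not real addresses.
WATCHED = {"pool-wallet-1", "pool-wallet-2", "pool-wallet-3"}
SAMPLE_TXS = [
    _tx("2024-01-01T08:00", "pool-wallet-1", 2, 1200),    # routine payout
    _tx("2024-01-02T09:00", "pool-wallet-2", 3, 1850),    # routine payout
    _tx("2024-01-03T10:00", "pool-wallet-1", 100, 5000),  # burst begins
    _tx("2024-01-03T10:20", "pool-wallet-2", 100, 5000),
    _tx("2024-01-03T10:30", "unrelated", 500, 5000),      # not a watched wallet
    _tx("2024-01-03T10:40", "pool-wallet-3", 100, 5000),
    _tx("2024-01-03T11:00", "pool-wallet-1", 100, 5000),
]

if __name__ == "__main__":
    for a in detect_abnormal_outflow(SAMPLE_TXS, WATCHED, 1000 * COIN):
        print(a["time"], a["outflow_sat"] / COIN, "BTC", a["reasons"])
```

In a deployment the alert would feed a pause on outgoing transfers or a page to an operator, since a burst like the one described in the report completes within hours.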
For individual users, it is crucial to avoid using unverified key generation modules from open-source communities, the report said, noting that even with blockchain’s high transparency, weak security can still lead to catastrophic outcomes. It further underscores the vital importance of cybersecurity in the future development of the digital economy and digital currencies.
By Global Times
