The $14.5B LuBian Hacker: How the Crypto World’s Biggest Theft Stayed Hidden for 5 Years

A forensic analysis of the silent catastrophe that redefined cryptocurrency security. The analysis below reflects Blockscope’s on-chain work and open-source reporting.

Executive Summary

In the early hours of December 28, 2020, while the crypto industry celebrated Bitcoin’s surge past $27,000, a lesser-known Chinese Bitcoin mining pool named LuBian quietly became the victim of an unprecedented heist. An astonishing 127,426 BTC, valued at around $3.5 billion at the time and roughly $14.5 billion today, vanished without a trace. Yet, remarkably, the world remained oblivious to the largest crypto theft in history until nearly five years later.

On August 2, 2025, blockchain analytics firm Arkham shattered the silence with a post on X, finally uncovering the staggering details of this hidden catastrophe. The LuBian incident starkly reveals how opaque operational practices, weak security protocols, and the dormancy of stolen funds can obscure massive financial losses. It underscores the urgent need for stronger security measures and for transparent institutional crypto custody engineered to withstand both adversaries and hindsight.

LuBian’s Brief Rise and Mysterious Disappearance

Founded with operations spanning China and Iran, LuBian quickly climbed the ranks of Bitcoin mining pools. At its peak, LuBian controlled about 6% of the Bitcoin network’s hashrate, making its centralized treasury holdings systemically significant. However, the promising trajectory abruptly halted in early 2021, when LuBian inexplicably disappeared from public view—a mystery now plausibly linked to the December 2020 theft.

LuBian's dominance at its peak was 6.4%.

Unraveling the Incident: Weak Keys and Coordinated Withdrawals

The chain of events leading to LuBian’s collapse began on December 28, 2020. The primary vulnerability behind the theft is thought to be a disturbingly elementary one: a weak private-key generation process susceptible to brute-force attacks, a foundational security oversight for custodial operations of this magnitude.

In a swift, coordinated effort, attackers drained over 90% of LuBian’s Bitcoin holdings. Blockscope’s transaction tracer vividly reveals the complex web of multiple receiving addresses capturing the stolen funds. Two days later, a secondary loss occurred, with an additional $6 million in Bitcoin (BTC) and Tether (USDT) drained from wallets associated with the Bitcoin Omni Protocol.

Blockscope Tracer shows the outflow of funds from the LuBian wallet to more than 350 addresses.

By December 31, LuBian desperately attempted damage control, sequestering 11,886 BTC into recovery wallets. Operations ceased almost immediately, marking the end of LuBian’s short-lived prominence.

Pleas Ignored: LuBian’s On-Chain Appeals

In a dramatic, yet ultimately futile, effort, LuBian publicly attempted to communicate with the thief via blockchain messages embedded in transactions. Between 2022 and 2023, LuBian embedded more than 1,500 OP_RETURN messages, spending approximately 1.4 BTC to appeal directly to the attacker. This unusual method offered transparent proof of distress and rightful ownership, yet all pleas went unanswered.
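For analysts reading such messages, the sketch below extracts the payload from an OP_RETURN output script. It is an added example, not Blockscope's tooling or code from the original article; the function names and the sample message are constructed for illustration.

```python
from typing import List, Optional

OP_RETURN = 0x6A
PUSHDATA_WIDTH = {0x4C: 1, 0x4D: 2, 0x4E: 4}  # OP_PUSHDATA1/2/4 length-field sizes


def parse_op_return(script_hex: str) -> Optional[List[bytes]]:
    """Return the data pushes of an OP_RETURN output script, or None if the
    script is not OP_RETURN, is not valid hex, or contains a truncated push."""
    try:
        script = bytes.fromhex(script_hex)
    except ValueError:
        return None
    if not script or script[0] != OP_RETURN:
        return None
    pushes, i = [], 1
    while i < len(script):
        op = script[i]
        i += 1
        if op <= 0x4B:                      # direct push of `op` bytes (0 = empty)
            size = op
        elif op in PUSHDATA_WIDTH:          # length is a little-endian field
            width = PUSHDATA_WIDTH[op]
            if i + width > len(script):
                return None
            size = int.from_bytes(script[i:i + width], "little")
            i += width
        else:                               # any other opcode: not plain data
            return None
        if i + size > len(script):          # push runs past end of script
            return None
        pushes.append(script[i:i + size])
        i += size
    return pushes


def decode_message(script_hex: str) -> Optional[str]:
    """Printable UTF-8 text if the payload is text, otherwise its hex."""
    pushes = parse_op_return(script_hex)
    if pushes is None:
        return None
    data = b"".join(pushes)
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return data.hex()
    return text if text.isprintable() else data.hex()


if __name__ == "__main__":
    msg = b"constructed sample message"     # constructed, not a real on-chain message
    print(decode_message((bytes([OP_RETURN, len(msg)]) + msg).hex()))
```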

The Quiet Dormancy of Stolen Wealth

Remarkably, most of the stolen 127,426 BTC remains dormant to this day, with only minimal activity, a pattern indicative of strategic, long-term storage. The last significant activity was observed in 2024 and consisted of funds consolidation. Blockscope’s clustering analysis has linked over 2,200 addresses across LuBian’s compromised wallets and the attacker’s network, showcasing classic consolidation patterns spanning from 2020 to 2025.

Why Such a Massive Theft Stayed Hidden

Several factors contributed to the prolonged invisibility of this theft:

  • Opaque Pool Operations: Limited transparency and external telemetry due to privacy practices and geographic considerations.

  • Absence of Breach-Disclosure Norms: Unlike traditional finance, cryptocurrency mining pools lack mandatory reporting frameworks for breaches.

  • Dormancy of Funds: Without immediate cash-out attempts, traditional exchange controls and detection mechanisms were never triggered.

  • Fragmented Intelligence Sharing: Back in 2020, cross-organizational sharing of Indicators of Compromise (IOCs) lacked standardization and urgency.

How Blockscope Can Prevent Future “LuBian” Events

To address such gaps and prevent similar incidents, Blockscope employs advanced blockchain monitoring and forensic tools:

  • Watchtower & Security Monitoring: Real-time detection of unusual treasury withdrawals, behavioral analysis of operations, and proactive alerts.

  • Cross-chain Correlation: Multi-hop tracing capabilities to detect attempts at obfuscation.

  • Cluster Mapping: Detailed visualizations linking thousands of addresses associated with an attacker’s network.

  • Forensic Message Analysis: Tools to interpret embedded transaction messages (e.g., OP_RETURN), creating a clear provenance of theft.

  • Legal Liaison: Packages ready for law enforcement with clear evidentiary trails suitable for subpoenas and court processes.
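As an illustration of the treasury-withdrawal monitoring idea, the sketch below flags the pattern described in this incident: a large share of a wallet's balance leaving within a short window to many previously unseen addresses. It is an added example, not Blockscope's Watchtower logic; the thresholds, field names, and sample data are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

COIN = 100_000_000  # satoshis per BTC


@dataclass
class Withdrawal:
    ts: int          # unix seconds
    dest: str        # destination address (placeholder strings in the sample)
    amount_sat: int


def detect_drain(start_balance_sat, withdrawals, known_dests=frozenset(),
                 window_s=3600, max_fraction=0.5, max_new_dests=20):
    """Return the first alert (dict) or None. Thresholds are illustrative."""
    window = deque()
    balance = start_balance_sat
    for w in sorted(withdrawals, key=lambda x: x.ts):
        window.append(w)
        balance -= w.amount_sat
        while window[0].ts < w.ts - window_s:    # drop events older than the window
            window.popleft()
        out = sum(x.amount_sat for x in window)
        base = balance + out                     # balance when the window opened
        fraction = out / base if base > 0 else 0.0
        new_dests = {x.dest for x in window} - set(known_dests)
        reasons = []
        if fraction >= max_fraction:
            reasons.append("fraction_drained")
        if len(new_dests) >= max_new_dests:
            reasons.append("new_destinations")
        if reasons:
            return {"ts": w.ts, "fraction": round(fraction, 3),
                    "new_dests": len(new_dests), "reasons": reasons}
    return None


def sample_drain():
    """Constructed data: 40 withdrawals of 23 BTC, one per minute, each to a new address."""
    return [Withdrawal(60 * i, f"addr-{i}", 23 * COIN) for i in range(40)]


if __name__ == "__main__":
    print(detect_drain(1000 * COIN, sample_drain()))
```

With a 1,000 BTC starting balance, the sample trips the new-destination rule before the balance-fraction rule, which is why both signals are tracked.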

Conclusion: A Wake-Up Call for Crypto Security

The LuBian incident demonstrates how scale, silence, and weak security practices can effectively conceal even multi-billion-dollar thefts. For compliance professionals and law enforcement agencies, the directive is unmistakable: integrate robust on-chain telemetry as a fundamental security control, enforce rigorous key management practices, and standardize breach disclosures. The industry must aim to prevent the next "LuBian" rather than discover it five years too late.

Author: Tushar Tiwari, Forensics Analyst @ Blockscope

For more information, please reach out to us:

X: x.com/BlockscopeCo

LinkedIn: www.linkedin.com/blockscopeco

Disclaimer: Best effort work

This article represents Blockscope’s best-effort analysis based on blockchain data, on-chain forensics, and open-source information available at the time of writing. While we strive for accuracy, readers should note that blockchain data can contain discrepancies and may evolve. Our findings reflect our understanding as of August 3, 2025, and may change as new information emerges.
