China’s National Computer Virus Emergency Response Center (CVERC) recently released a comprehensive analysis related to a high-profile case involving the seizure of a substantial amount of Bitcoin by U.S. authorities. The case centers on the accusations against Chen Zhi, the founder of the Cambodian business conglomerate Prince Group, who has been linked to a significant cryptocurrency scam. The CVERC characterized this incident as a classic case of “thieves falling out,” allegedly orchestrated by a state-sponsored hacking organization.
According to the report, a severe hacking incident unfolded on December 29, 2020, at the LuBian mining pool, resulting in the theft of approximately 127,272 Bitcoins, initially valued at $3.5 billion but currently assessed at nearly $15 billion. These Bitcoins were the property of Chen Zhi, who, in the wake of the incident, made several appeals on the blockchain in both early 2021 and July 2022, beseeching the hackers to return the stolen funds and even offering a ransom. However, these efforts received no response from the hackers.
Intriguingly, the stolen Bitcoins remained dormant in a hacker-controlled wallet for nearly four years, a deviation from the typical hacker behavior of quickly liquidating stolen assets. The report posits that the unusual inactivity suggests a highly calculated operation by a state-level hacking entity. It wasn’t until June 2024 that these Bitcoins were moved to a new wallet, where they have remained untouched.
On October 14, 2025, the U.S. Department of Justice announced criminal charges against Chen Zhi and claimed to have seized 127,000 Bitcoins linked to him and the Prince Group. The evidence presented indicates that the seized Bitcoins correspond with those stolen from the LuBian mining pool in 2020, leading to the suggestion that the United States may have initially acquired Chen Zhi’s Bitcoins using hacking techniques. This adds a complex layer to the narrative, positioning it as another instance of “thieves falling out.”
The report meticulously outlines the timeline and details of the LuBian mining pool hack, categorizing it into distinct phases: the attack and theft, a dormancy phase, a recovery attempt phase, and finally the activation and transfer phase leading to the announcement of the seizure. The initial attack on December 29, 2020, saw hackers exploiting a system vulnerability to drain the Bitcoins swiftly, completing the theft in approximately two hours. All transactions associated with the theft bore identical fees, implying the use of an automated batch transfer script.
In the dormancy phase, lasting from December 30, 2020, to June 22, 2024, the stolen Bitcoins remained largely inactive, with minimal transactions hinting at testing activities. Throughout this interim, Chen Zhi and LuBian Mining reached out over 1,500 times, trying to negotiate the return of their assets while promising rewards.
The fourth phase, occurring between June 22 and July 23, 2024, included the activation and transfer of the Bitcoins to wallets identified as being controlled by the U.S. government, as confirmed by blockchain tracking tools.
Following these developments, the CVERC undertook a forensic examination of the Bitcoin transaction history, revealing that the millions of Bitcoins in question did not originate solely from illicit activities, contrary to claims made by the U.S. Justice Department. The report detailed the methods used to generate Bitcoin wallets and simulated the hack, emphasizing its vast impact, which effectively resulted in the near collapse of the LuBian mining pool, wiping out over 90% of its assets.
Moreover, the incident raised concerns about systemic flaws in random-number generation utilized throughout the cryptocurrency landscape. The CVERC urged the implementation of robust security protocols, such as cryptographically secure random number generators, multi-signature protocols, cold storage methods, and comprehensive security audits. It also called for real-time monitoring and alert systems to safeguard mining pools and advised individuals against using unverified key generation tools from open-source resources.
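The following Python example is added here to illustrate the real-time monitoring recommended above; it is not code from the CVERC report. It flags the pattern the report describes for the theft: a burst of outgoing transfers with identical fees inside a two-hour window. The record layout, the sample transactions and the `MIN_BURST` and `ALERT_FRACTION` thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # the theft described above finished in about two hours
MIN_BURST = 5                 # assumed: smallest identical-fee run worth alerting on
ALERT_FRACTION = 0.10         # assumed: alert long before the 90% loss cited in the report

def first_drain_alert(txs, holdings_btc):
    """txs: iterable of (time, fee_sats, amount_btc) outgoing transfers.
    Returns the first alert as a dict, or None if nothing matches."""
    txs = sorted(txs)
    start = 0
    for end, (now, _, _) in enumerate(txs):
        # Slide the window start forward so it spans at most WINDOW.
        while now - txs[start][0] > WINDOW:
            start += 1
        # Group the transfers inside the window by their exact fee.
        by_fee = defaultdict(list)
        for _, fee, amount in txs[start:end + 1]:
            by_fee[fee].append(amount)
        for fee, amounts in by_fee.items():
            fraction = sum(amounts) / holdings_btc
            if len(amounts) >= MIN_BURST and fraction >= ALERT_FRACTION:
                return {"time": now, "fee_sats": fee,
                        "tx_count": len(amounts), "fraction": round(fraction, 4)}
    return None

# Constructed sample data (not real chain data).
T0 = datetime(2020, 1, 1, 9, 0)
# Routine payouts: six hours apart, each with a different fee.
NORMAL = [(T0 + timedelta(hours=6 * i), 1200 + 37 * i, 2.0) for i in range(8)]
# Scripted drain: 20 transfers, three minutes apart, all with the same fee.
BURST_START = T0 + timedelta(hours=50)
BURST = [(BURST_START + timedelta(minutes=3 * i), 5000, 40.0) for i in range(20)]

if __name__ == "__main__":
    print(first_drain_alert(NORMAL, 1000.0))          # routine traffic only
    print(first_drain_alert(NORMAL + BURST, 1000.0))  # routine traffic plus burst
```

With the constructed data, the alert fires on the fifth identical-fee transfer, when 20% of holdings has left the wallet. Routine payouts with varying fees raise nothing.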
The report underscored the critical importance of cybersecurity to foster a safe environment for the future of digital currency and the broader digital economy.

