127,000 Bitcoin went missing in 2020 — no one asked why

Arkham has uncovered a 2020 heist involving 127,000 Bitcoin. The mining pool never reported it, and the funds never moved.

Bitcoin stolen in 2020, exposed only in 2025

In December 2020, one of the largest Bitcoin (BTC) mining pools in the world abruptly disappeared from the network. LuBian, a China-based operation that once accounted for nearly 6% of the Bitcoin network’s total hash rate, had experienced a security breach. 

More than 127,000 BTC were withdrawn from its wallets in two transactions, amounting to around $3.5 billion at the time.

No official statement was released. There was no alert to the public. LuBian never acknowledged the breach, and for almost five years, the stolen funds remained dormant on the blockchain. The theft went unreported and received little attention.

In August 2025, a detailed investigation by blockchain analytics firm Arkham Intelligence revealed the full scope of what had happened in late 2020. 

BREAKING: ARKHAM UNCOVERS $3.5B HEIST – THE LARGEST EVER

LuBian was a Chinese mining pool with facilities in China & Iran. Based on analysis of on-chain data, it appears that 127,426 BTC was stolen from LuBian in December 2020, worth $3.5 billion at the time and now worth… pic.twitter.com/PnIOKgMt0i

— Arkham (@arkham) August 2, 2025

According to Arkham’s on-chain analysis, over 90% of LuBian’s holdings were moved in a single day, followed by a smaller outflow from a wallet associated with the Omni Layer protocol. 

Just under 12,000 BTC remained, which LuBian promptly moved to new recovery wallets. Soon after, the mining pool halted all public activity.

The stolen assets, now valued at over $14.5 billion due to Bitcoin’s appreciation, have not been funneled through mixers or exchanges, keeping them unusually clean from an on-chain perspective.

LuBian’s mining dominance grew quickly in 2020

LuBian began its operations in 2020 and quickly rose to become one of the most influential mining pools in the Bitcoin ecosystem. 

During its peak, the pool contributed nearly 6% of the network’s total hash rate, ranking it among the ten largest mining entities globally. 

Its infrastructure extended across mainland China and, reportedly, parts of Iran. Despite its size, LuBian maintained a low profile. The name, which translates to “roadside” in Chinese, reflected an approach that favored discretion over public visibility.

When LuBian abruptly went offline in early 2021, the move prompted speculation but no immediate concern. After months of consistent activity, the pool ceased block production and disappeared without explanation. 

At the time, analysts attributed the shutdown to China’s regulatory clampdown on crypto mining. 

A combination of policy shifts, energy usage restrictions, and legal uncertainty had forced many operators to scale back or suspend activity, making LuBian’s exit appear aligned with broader industry disruptions.

That narrative remained intact for years, as there were no visible signs to challenge it. No user complaints surfaced. No unusual wallet activity was detected. In the absence of contrary evidence, the assumption of a regulatory exit was widely accepted.

However, Arkham’s findings point to a different conclusion. The pool’s shutdown followed a large-scale financial breach rather than external pressure. 

With what may have been billions in miner earnings and internal reserves lost, LuBian’s team chose to remain silent and withdraw from public view.

Arkham’s investigation and technical findings

Arkham Intelligence’s investigation combined blockchain tracing, message analysis, and key generation forensics to reconstruct the sequence of events. 

It began with two large Bitcoin transfers that took place in late December 2020. These originated from addresses known to be associated with LuBian’s mining operations and were sent to previously inactive wallets that displayed no further movement after receiving the funds. 

The size of the balances and the lack of follow-up activity raised red flags.

Further analysis revealed an unusual detail. In the days following the breach, LuBian sent more than 1,500 micro-transactions to the hacker-controlled addresses. 

Each included a small amount of BTC and a message embedded in the OP_RETURN field—a mechanism used in Bitcoin transactions to store arbitrary data. 

These messages were not routine. They appeared to be direct pleas from LuBian’s operators, asking the attacker to return the funds. One message even asked the recipient to act as a white-hat hacker and reach out via email to discuss possible cooperation and a reward.

In total, LuBian spent around 1.4 BTC in transaction fees just to send these messages, suggesting a serious and deliberate attempt to initiate communication. 

The messages received no reply, and the stolen coins remained unmoved. Even so, these public records left behind a clear digital trail confirming that a theft had occurred.

Using address clustering techniques, Arkham was able to separate wallet groups tied to LuBian’s mining activity from those associated with the attacker. 

Wallets that mine together or regularly receive payouts from the same source tend to form observable clusters over time. Once the breach occurred, the attacker consolidated the stolen funds into a new group of wallets, which then remained idle.

One of the most revealing aspects of the breach was how it happened. Arkham concluded that the theft resulted from a critical flaw in LuBian’s wallet architecture. Rather than malware or insider access, the breach exploited a weakness in the way LuBian generated private keys. 

Its wallet software used an algorithm that relied on only 32-bit entropy — a level of randomness far below accepted cryptographic standards. 

With a search space limited to around 4 billion possible keys, an attacker with modest computational power could feasibly brute-force the correct private key in a manageable timeframe.

This vulnerability exposed LuBian’s wallet system to offline brute-force attacks. Once the flaw was identified, the attacker could systematically calculate keys, locate the right ones, and withdraw funds without triggering alarms.

LuBian’s breach now ranks as the most valuable crypto theft

The theft at LuBian now ranks as the most valuable crypto heist recorded at the time it occurred. In comparison, the 2014 collapse of Mt. Gox resulted in the loss of approximately 850,000 BTC, valued at around $450 million at the time. 

While the Mt. Gox case involved a greater volume of Bitcoin, roughly 200,000 BTC were later recovered, and the overall financial impact was lower than that of LuBian.

The LuBian breach also eclipsed the 2016 Bitfinex hack, which saw about 119,756 BTC stolen. That incident, valued at $72 million when it happened, remained in focus for years until a large portion of the funds was eventually seized by U.S. authorities. 

Other major events that followed, such as the $610 million theft from Poly Network in 2021, the $625 million Ronin bridge exploit in 2022, and the $400 million drained during the FTX collapse, were serious in scale but did not match LuBian in terms of overall value. 

In many of those cases, funds were either recovered or voluntarily returned. LuBian’s case remained entirely invisible until now.

In February 2025, a major exploit at Bybit briefly drew attention by removing $1.5 billion in digital assets from the platform. At the time, it was described as the largest hack in crypto history. 

However, Arkham’s findings have since altered that ranking. With Bitcoin’s price having risen substantially in the years since the LuBian breach, the value of the stolen and untouched holdings now sits between $14 billion and $15 billion, making it the most valuable theft on record.

Arkham’s latest data shows that the addresses linked to the LuBian hacker hold more Bitcoin than the cluster associated with the Mt. Gox event. 

The hacker currently ranks as the thirteenth largest holder of BTC worldwide, a position more commonly associated with major exchanges or early miners who have remained inactive. Few individuals or organizations control more.

The complete inactivity of the stolen assets is also unusual. In nearly all previous high-value breaches, attackers attempted to obfuscate or move funds using mixers, decentralized trading platforms, or privacy tools. 

In this case, the funds have remained entirely still. That lack of movement allowed the theft to go unnoticed for years. Without Arkham’s investigation, it is likely the breach would have remained undiscovered.