China Alleges U.S. Government Stole $13 Billion in Bitcoin Mining Pool Hack

A Chinese government agency has leveled serious charges against the United States, asserting that American authorities executed a sophisticated hack to seize over 127,000 Bitcoin from a Chinese mining operation back in 2020. The National Computer Virus Emergency Response Center released a detailed technical report on Sunday, outlining what it describes as a state-sponsored theft now valued at approximately $13 billion.

The report centers on a December 2020 breach at the LuBian mining pool, which drained funds belonging to Chen Zhi, chairman of Cambodia's Prince Group. Chen and his organization faced U.S. Department of Justice charges on October 14, 2025, for allegedly operating scam compounds involving forced labor and cryptocurrency fraud. Prosecutors announced the seizure of the same batch of Bitcoin, which led the Chinese analysis to question how the coins came into U.S. possession.

Timeline and Technical Breakdown of the Breach

China's analysis reconstructs the incident across several distinct phases, starting with the initial exploit on December 29, 2020. Hackers targeted a vulnerability in the LuBian system's random-number generation, allowing them to drain 127,272 Bitcoin in under two hours through automated batch transfers. All transactions shared identical fees, a hallmark of scripted operations, and the receiving addresses remained dormant for nearly four years, an unusual delay that the report attributes to strategic holding rather than typical criminal liquidation.

During this dormancy period from late 2020 to mid-2024, the funds saw only minor activity, such as small test transactions, suggesting careful management by advanced actors. Chen Zhi's team responded by embedding over 1,500 blockchain messages in early 2021 and July 2022, appealing directly to the thieves for negotiation and offering rewards for the assets' return. No responses came, leaving the Bitcoin untouched until June 2024, when transfers led to wallets later flagged by blockchain analytics firm Arkham as U.S. government-controlled.

The report's forensic tracing leverages Bitcoin's immutable ledger to map the funds' sources, revealing a mix of origins that challenge the U.S. indictment's portrayal of the assets as purely illicit. Around 17,800 coins stemmed from direct Bitcoin mining efforts, 2,300 from pool distributions, and over 107,000 from exchanges and other legitimate channels. This diversity underscores potential oversights in the DOJ's narrative, as the seized total aligns precisely with the 2020 haul from LuBian.

Blockchain experts have noted that while the Chinese claims highlight transparency's double-edged nature, independent reviews question the evidence for state involvement. Open-source forensics point to weaknesses in key generation as the likely entry point, rather than a targeted government operation. Still, the four-year lag in movement raises eyebrows about how such a large sum evaded detection until recent U.S. action.

The LuBian hack devastated the operation, wiping out more than 90% of its holdings and contributing to its eventual shutdown. This event exposed broader risks in cryptocurrency infrastructure, particularly around pseudorandom number generators that fail under scrutiny. Affected parties, including Prince Group affiliates, have denied scam involvement, framing the seizure as an overreach tied to geopolitical frictions.

To address these vulnerabilities, the Chinese report advocates for stronger safeguards across the ecosystem. Mining pools should implement real-time onchain monitoring and automated alerts for unusual transfers to catch anomalies early. Multi-signature setups and cold storage can add layers of protection, while regular audits help identify flaws before exploitation.
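The monitoring recommendation above can be sketched as a sliding-window check over a pool's outgoing transfers. This is an added example, not code from the report: the `Tx` record, the `detect_drain` function, the thresholds and the sample transfers are all constructed for illustration. It alerts on the two signals the article describes, a large share of holdings leaving within two hours and many transfers carrying an identical fee.

```python
from collections import Counter, deque
from dataclasses import dataclass

COIN = 100_000_000  # satoshis per BTC

@dataclass
class Tx:  # hypothetical record of one outgoing transfer from a monitored wallet
    ts: int           # unix time, seconds
    amount_sats: int
    fee_sats: int

def detect_drain(txs, holdings_sats, window_s=7200, max_fraction=0.10, min_same_fee=5):
    """Return (kind, ts, value) alerts; each kind fires once, at first crossing.

    volume:   outflow inside the sliding window exceeds max_fraction of holdings
    same_fee: min_same_fee or more transfers in the window carry an identical fee
    Thresholds are illustrative assumptions, not values from the report.
    """
    alerts, fired = [], set()
    window, total = deque(), 0
    for tx in sorted(txs, key=lambda t: t.ts):
        window.append(tx)
        total += tx.amount_sats
        while window[0].ts < tx.ts - window_s:   # expire transfers older than the window
            total -= window.popleft().amount_sats
        if "volume" not in fired and total > holdings_sats * max_fraction:
            fired.add("volume")
            alerts.append(("volume", tx.ts, total))
        fee, count = Counter(t.fee_sats for t in window).most_common(1)[0]
        if "same_fee" not in fired and count >= min_same_fee:
            fired.add("same_fee")
            alerts.append(("same_fee", tx.ts, fee))
    return alerts

# Constructed sample data: five daily payouts with varying fees, then a burst of
# twenty 500 BTC transfers one minute apart, all paying the same fee.
HOLDINGS = 12_000 * COIN
NORMAL = [Tx(1_000_000 + i * 86_400, 2 * COIN, 1_500 + 137 * i) for i in range(5)]
DRAIN = [Tx(2_000_000 + i * 60, 500 * COIN, 10_000) for i in range(20)]

if __name__ == "__main__":
    for alert in detect_drain(NORMAL + DRAIN, HOLDINGS):
        print(alert)
```

On the constructed data the routine payouts raise nothing, while the burst trips the volume alert on its third transfer and the identical-fee alert on its fifth.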

Individual users face similar threats from unvetted tools, prompting calls to stick with verified crypto key generation methods from trusted sources. The incident serves as a stark reminder that even Bitcoin's robust design cannot fully shield against human error in setup.