Arkham Says $3.5B LuBian Bitcoin Theft Went Undetected for Nearly Five Years

Share this article

By Siamak Masnavi, AI Boost|Edited by Aoyon Ashraf

Updated Aug 2, 2025, 9:12 p.m. Published Aug 2, 2025, 9:02 p.m.

Arkham alleges 127,426 BTC was stolen from Chinese mining pool LuBian in December 2020, in what it calls the largest crypto heist in history.
According to the on-chain analytics firm, the attacker has not moved most of the funds, now worth $14.5 billion, and LuBian’s team appears to have quietly sent onchain pleas for their return.
Arkham attributes the breach to weak private key generation that may have allowed a brute-force attack, exposing security flaws in early mining infrastructure.

A crypto wallet tied to a little-known Chinese mining pool may have been the victim of the largest bitcoin theft ever recorded, according to new findings from Arkham Intelligence.

In an Aug. 2 thread on X, the onchain analytics firm said it had uncovered evidence that 127,426 BTC — worth $3.5 billion at the time — was stolen from LuBian Mining Pool in late December 2020. Neither LuBian nor the suspected hacker has ever publicly acknowledged the breach, and Arkham said it is the first to report the incident.

STORY CONTINUES BELOW

Don’t miss another story.Subscribe to the The Protocol Newsletter today.See all newslettersBy signing up, you will receive emails about CoinDesk products and you agree to ourterms of useandprivacy policy.

LuBian was one of the largest bitcoin mining pools globally in 2020, reportedly controlling nearly 6% of Bitcoin’s total hash rate as of May that year. The hack, if confirmed, would eclipse the scale of other high-profile exploits like Mt. Gox and Bitfinex by nominal value at the time of loss.

Arkham’s analysis indicates that on Dec. 28, 2020, more than 90% of LuBian’s BTC holdings were drained. Two days later, another theft involving about $6 million worth of BTC and USDT occurred, linked to a LuBian address operating on the Bitcoin Omni layer. The company appears to have moved its remaining 11,886 BTC — then worth hundreds of millions — into recovery wallets by Dec. 31, 2020.

A notable detail in Arkham’s report is the presence of OP_RETURN messages — special transactions that allow data to be embedded in the Bitcoin blockchain — sent from LuBian to the hacker. According to Arkham, the mining pool spent 1.4 BTC across over 1,500 transactions attempting to contact the thief, urging them to return the stolen funds. This effort suggests the messages were genuine and originated from the rightful wallet owner.

Arkham believes the vulnerability may have stemmed from LuBian’s use of a flawed private key generation algorithm that left it susceptible to brute-force attacks. The stolen BTC has apparently remained largely dormant, with the last major movement being a wallet consolidation in July 2024.

Due to the price appreciation of bitcoin since 2020, the current value of the stolen assets is estimated to be $14.5 billion. That makes the wallet associated with the LuBian hacker the 13th largest BTC holder tracked by Arkham — surpassing the holdings linked to the Mt. Gox breach.

As of today, both the hacker and LuBian are believed to still control their respective BTC balances. Arkham has published wallet trackers for both parties, but no additional details about the identities involved have been disclosed.

Disclaimer: Parts of this article were generated with the assistance from AI tools and reviewed by our editorial team to ensure accuracy and adherence to our standards. For more information, see CoinDesk’s full AI Policy.

Siamak Masnavi is a researcher specializing in blockchain technology, cryptocurrency regulations, and macroeconomic trends shaping the crypto market. He holds a PhD in computer science from the University of London and began his career in software development, including four years in the banking industry in the City of London and Zurich. In April 2018, Siamak transitioned to writing about cryptocurrency news, focusing on journalism until January 2025, when he shifted exclusively to research on the aforementioned topics.

“AI Boost” indicates a generative text tool, typically an AI chatbot, contributed to the article. In each and every case, the article was edited, fact-checked and published by a human. Read more about CoinDesk’s AI Policy.