China alleges U.S. seized 127K BTC from 2020 LuBian hack

China’s CVERC claims the U.S. seized 127,000 BTC tied to a 2020 LuBian mining-pool hack; the DOJ has charged Chen Zhi and calls the funds criminal proceeds.
China’s National Computer Virus Emergency Response Center alleged the U.S. government took control of roughly 127,000 bitcoin linked to a 2020 breach of the LuBian mining pool. The U.S. Department of Justice has indicted Cambodian businessman Chen Zhi and characterizes the assets as proceeds of crime.
In a technical report released Sunday, the Chinese agency outlined how attackers exploited LuBian systems on December 29, 2020, draining about 127,272 BTC in roughly two hours through automated transfers that used identical fees. The bitcoins were tied by on-chain analysis to wallets connected to Prince Group, where Chen serves as chairman.
The report states the coins remained idle for nearly four years before moving to new addresses in June and July 2024. Blockchain tags by analytics firm Arkham later identified those destination wallets as associated with U.S. authorities. Such labels are often used to trace flows but do not on their own prove ownership.
U.S. prosecutors in October 2025 filed criminal charges against Chen and reported seizing about 127,000 BTC tied to him and Prince Group. The DOJ describes the bitcoins as proceeds of a large cryptocurrency fraud and calls the confiscation a lawful enforcement action.
CVERC challenges that framing. Using on-chain tracing, the agency says it identified 127,272.06953176 BTC feeding into the stash from several sources: about 17,800 coins from independent mining, roughly 2,300 from pool payouts, and approximately 107,100 from exchanges and other channels. The center argues this mix conflicts with claims that the entire balance came from illegal proceeds.
The agency labels the case “thieves falling out” and alleges involvement of a “state-level hacking organization.” It points to the extended dormancy and synchronized mid-2024 movements as indicators of a coordinated plan.
CVERC’s timeline lists five phases: the December 2020 attack; a long dormancy with only minor dust transactions; more than 1,500 on-chain messages in early 2021 and July 2022 seeking negotiations to return the coins; activation and transfers in mid-2024; and the U.S. seizure announcement in October 2025.
The report attributes the sending addresses during the hack to LuBian operating wallets and says the identical fees indicate scripted transfers. It adds that the breach effectively dissolved LuBian and wiped out over 90% of its assets at the time. The agency cites weaknesses in private key generation and random-number practices as the main technical risk, recommending secure key generation, multi-signature, cold storage, real-time monitoring, and regular audits for custodians and pools.
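The real-time monitoring recommendation can be tied to the indicator the report describes, a burst of outgoing transfers from operating wallets that all pay the same fee. The sketch below is an added example, not code from CVERC's report or from this article; the record fields, thresholds, and sample transactions are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

WINDOW_S = 2 * 60 * 60  # the drain described in the report took roughly two hours
MIN_TXS = 5             # assumed alert threshold, tune per custodian
MIN_FEE_SHARE = 0.9     # assumed: share of the burst paying one identical fee

def detect_scripted_drains(txs, watched, window_s=WINDOW_S,
                           min_txs=MIN_TXS, min_fee_share=MIN_FEE_SHARE):
    """Return one alert per watched sender whose outgoing transactions form a
    dense burst in which nearly every transaction pays the same fee."""
    by_sender = defaultdict(list)
    for tx in txs:
        if tx["sender"] in watched:
            by_sender[tx["sender"]].append(tx)
    alerts = []
    for sender, rows in by_sender.items():
        rows.sort(key=lambda t: t["ts"])
        start, best = 0, None
        for end in range(len(rows)):
            # Shrink the window until it spans at most window_s seconds.
            while rows[end]["ts"] - rows[start]["ts"] > window_s:
                start += 1
            burst = rows[start:end + 1]
            if len(burst) < min_txs:
                continue
            fee, hits = Counter(t["fee_sat"] for t in burst).most_common(1)[0]
            if hits / len(burst) >= min_fee_share and (
                    best is None or len(burst) > best["tx_count"]):
                best = {"sender": sender, "tx_count": len(burst), "fee_sat": fee,
                        "total_btc": sum(t["amount_sat"] for t in burst) / 1e8}
        if best:
            alerts.append(best)
    return alerts

# Constructed sample records (not real chain data): one wallet drained by a
# script, one wallet with ordinary, varied-fee activity in the same period.
_BTC = [500, 1200, 800, 2000, 1500, 1000]
SAMPLE_TXS = [{"sender": "op-wallet-1", "ts": i * 1200, "fee_sat": 75000,
               "amount_sat": b * 100_000_000} for i, b in enumerate(_BTC)]
SAMPLE_TXS += [{"sender": "op-wallet-2", "ts": i * 600, "fee_sat": f,
                "amount_sat": 10_000_000} for i, f in enumerate([1200, 3400, 900, 5100, 2200])]

if __name__ == "__main__":
    for alert in detect_scripted_drains(SAMPLE_TXS, {"op-wallet-1", "op-wallet-2"}):
        print(alert)
```

An alert of this kind is a prompt for human review and withdrawal holds, since batch payouts by the custodian itself can also share a fee.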