127,000 bitcoin went missing in 2020 – no one asked because

Arkham has highlighted the 2020 successor associated with 127,000 bitcoins. The mining pool Navar reported this, and the funds went to the boat.

Bitcoin stolen in 2020, exposed only in 2025

In December 2020, one of the largest bitcoin (BTC) mining pools in the world was suddenly displayed from the network. Lubian, a China-based operation that was responsible for about 6% of the total hash rate of the bitcoin network, the Hadith experienced a security violation.

More than 127,000 BTC we withdrew from its purse in two transactions, at that time there was an amount of $ 3.5 billion.

No official statement was issued. There was no alert for the public. Lubian never calculated the violation, and for about five years, the stolen amount was dormant on the blockchain. The theft became unpounted and paid little attention.

In August 2025, a detailed investigation by Blockchain Analytics firm Arkham Intelligence revealed

For the on-chain analysis of Arkham, more than 90% of the lubian holdings were transferred to a single day, followed by a small outflow from a wallet attached to the Omni layer protocol.

The bus remained under 12,000 BTC, which Lubian immediately moved to the new recovery wallet. Soon after, the mining pool stopped all public action.

Due to the appreciation of bitcoin, the stolen assets are now worth more than $ 14.5 billion, not funnel through mixers or exchanges, keep them clearly clearly from on -4.

Lubian mining dominance increased quickly in 2020

Lubians started their operations in 2020 and quickly increased the most influential mining pools in the bitcoin ecosystem.

Dungar was about 6% of the total hash rate of the network in its peak, power, this ranking is one of the ten largest mining institutions.

Its infrastructure increased across China and, allegedly, in parts of Iran. Despite its size, Lubian maintained a low profile. The name, which translates into the Chinese into “Roadsed”, reflected an approach that was in favor of conscience on public visibility.

When Lubians suddenly became offline in early 2021, the move inspired speculation but no. After a few months of activities, the pool turned off the block product and disappeared with clarification.

At that time, analysts blamed Shutdown for China’s regulatory clampdown on crypto mining.

The combination of policy changes, limits of energy use and legal impure forced several operators to return or suspend the suspended activity, making Lubian’s exit APEPER aligned with a broad industry dispute.

The story has been intact for years, as there were no visible signs to challenge it. No user complaint came to light. No unusual wallet activity was determined. In contrast, in the absence of evidence, the perception of a regulatory exit was widely accepted.

However, the findings of Arakham point to a different conclusion. The shutdown of the pool followed a large -scale financial violations rather than external protection.

What could be with Khan’s earnings and billions in international reserves, Lubian’s team chose to stay and withdraw from a public point of view.

Arakham investigation and technical conclusions

The investigation of Arakham Intelligence combined blockchain tracing, message analysis and leading generation forensic to re -organize the sequence of events.

It began with two large bitcoin transfer in late December 2020. No other movement was shown after receiving money.

The size of the bleses and the lack of follow -up activation raised the red flag.

Further analysis revealed an unusual description. In the days after the break, Lubian sent more than 1,500 micro-lims to a hacker-controlled address.

Each included a small amount of BTC and a message that was embedded in the OP_TER field – the mechanism used in bitcoin transactions to store arbitrary data.

These messages were not regular. He appeared directed. A message asked the recipient to act as a white-hat hacker and reached through email via email through email and email for a reward.

Overall, Lubian spent only 1.4 BTC transactions fees to send these messages, suggesting a serious and intentional attempt to start communication.

The messages did not get any answer, and the cloud of theft remained precious. Nevertheless, these public records surpassed a clear digital trail, which confirmed that AFTHAD.

Using the address clustering techniques, Arakham was informed to separate the bail group tied to lubian mining activation from the attackers.

The wallets that receive simultaneous or regularly received from the same source are formed to create oveservable clusters over time. Once after a breakup, the attacker consolidated the stolen funds into a wallet in a new group, which then gives a passive reminiscent.

One of the most revealed aspects of the break was how it happened. Arkham concluded that the stolen was a result of a significant defect in the architecture of Lubian wallet. Instead of malware or insider access, Lubian exploited a weakness in the way a private key generates.

Its wallet software used an algorithm that was only on 32-bit entropy

With a search space limited to approximately 4 billion potential keys, an attacker with a minor computational power power in a managed time limit as well as the correct propivat key as well as the brutal-force force.

This vulnerability highlighted the Lubian’s wallet system to offer offline brut-form attacks. Once the defect is identified, the attacker can systematically calculate the keys, detect the right people, and can withdraw money with triggering the alarm.

Violation of Lubian now ranks as the most valuable crypto theft

The theft in Lubian now rank as the most valuable Crypto Heest recorded at that time. In comparison, MT’s 2014 collapse. The Gox resulted in a loss of about 850,000 BTC, at that time a price of $ 450 million.

While MT. The Goks case included a large amount of bitcoin, around 200,000 BTC was later resumed, and the overall financial impact was less than Lubian.

Lubian Breach also assumed the 2016 Bitfinx Hack, which stolen about 119,756 BTC. This phenomenon, when the value of $ 72 million, was focused for years, a large part of the fund was events, endorfaces.

Other major events, such as theft of $ 610 million from the poly network in 2021, exploited $ 625 million Ronin Bridge in 2022, and the FTX collapse did not match lubians in terms of overall value.

Among many of those cases, funds were retired or voluntarily retired. Lubian case is completely invisible so far.

In February 2025, a major exploitation in Bybit attracted attention by briefly removing $ 1.5 billion in digital assets from the platform. At that time, it was described as the largest hack in Crypto history.

However, Arakham’s findings have changed that ranking. With the price of bitcoin, there is sufficient increase in the years of Lubian Brech, the price of theft and untouched holdings now sits between $ 14 billion and $ 15 billion, which leads to the most valuable theft on the record.

The latest data of Arakham shows that the addresses associated with lubian hackers have more bitcoins than the cluster associated with MT. Gox event.

The hacker currently rank as the thirteenth of BTC Worldwide’s thirteenth big holder, which is associated with major exchange or early miners, who have deactivated. Some sexual intercourse or organizations control more.

Complete inactivity of stolen property is also unusual. In almost all previous high-value violations, the attackers attempted to remove or move money using mixers, decentralized trading platforms or privacy tools.

In this case, the funds are still still left. Lack of speed did not let the theft be noticed for years. Without the investigation of Arkham, it is as if the violated guards have rebuilt.