Meet the World’s 13th Largest Bitcoin Holder: A Hacker Who Stole 127,400 BTC

One of history's largest Bitcoin thefts occurred back in 2020, yet remained hidden for nearly five years. The case involves LuBian – a Chinese Bitcoin mining pool that vanished overnight, taking virtually all user funds with it. Arkham analysts ultimately revealed that LuBian had been systematically looted, with its entire balance flowing to anonymous. The hacker remains unidentified.

The Great Disappearing Act: How 127,400 BTC Vanished Overnight

During spring 2020, LuBian commanded top-10 global status among Bitcoin mining pools, controlling over 5% of network hashrate. Then LuBian abruptly went dark – user interfaces disabled, wallets frozen, the entire operation vanishing within days. At the time, many assumed it was due to technical issues or pressure from Chinese regulators.

Only in August 2025 did Arkham analysts uncover the truth – LuBian had suffered a sophisticated, coordinated attack on December 28, 2020. Hackers drained 127,426 BTC – nearly 90% of Lubian’s holdings – was stolen. It ranks among crypto's largest heists ever recorded. According to Arkham, the hacker moved the coins to a cold wallet, where they remain untouched to this day.

The stolen BTC remains dormant, but that doesn’t mean it’s forgotten. Analysts continue to monitor the wallet for any movement, especially since such large holdings could disrupt markets if suddenly liquidated. However, because Bitcoin is decentralized and pseudonymous, seizing or freezing stolen coins is nearly impossible without access to private keys — making recovery an unlikely outcome unless the hacker slips up.

Preliminary data suggests LuBian was based in China, but there are no confirmed details about its ownership, legal structure, or the location of its servers. The lack of immediate investigation only deepens the mystery.

Four Years Later: Why Blockchain Detectives Finally Cracked the Case

The LuBian hack flew under the radar in 2020 primarily due to COVID-19's global disruption. Regulators, analysts, and crypto users remained fixated on economic collapse and lockdown chaos. Amid the uncertainty, the disappearance of a mining pool looked like just another service failure.

Solving this puzzle required years of development in blockchain forensics and tracing technology. Arkham’s team identified a wallet holding 127,426 BTC and cross-referenced its activity with LuBian’s last-known transactions. This previously dormant address had actually received funds directly from LuBian within hours of the shutdown. On December 29, an additional $6 million in BTC and USDT was drained from addresses linked to the pool.

The Mining Pool Black Hole: Why Billion-Dollar Crypto Heists Hide in Plain Sight

LuBian exposes crypto's darkest secret – billion-dollar heists can lurk undetected for years. This isn’t anomalous – it’s systemic to mining pool operations. Pooled mining represents crypto's most opaque sector, shrouded in operational secrecy. Users trust pools with their computing power and earnings, but they have no insight into how coins are stored or who has access to them. And when things go wrong, understanding what happened becomes nearly impossible.

LuBian isn’t the only mining pool to fall victim to theft or shutdown under suspicious circumstances. In 2014, GHash.io (then one of the most powerful pools) faced accusations of centralization and quietly ceased operations. In 2018, BTC Guild shut down, citing regulatory pressure. More recently, in 2021, Poolin suspended withdrawals due to “liquidity issues,” triggering concerns among users. Each case differed, but all highlighted a lack of oversight and transparency in how pools manage user funds.

Here are four reasons why such investigations remain so difficult:

1. Regulatory Vacuum. Mining pools operate without licensing requirements or mandatory audits across major jurisdictions as of August 2025, including the U.S., EU, and China. Regulatory efforts are ongoing but remain fragmented and incomplete.
2. Black Box Custody. Mining proceeds flow into operator-controlled central wallets with zero user visibility. Users contributing hashrate have no visibility into how funds are stored or moved and have no access to private keys or audit logs.
3. Legal Wild West. Users operate in a regulatory void with zero consumer protections or contractual rights. If a pool shuts down or is hacked, users have no legal recourse – there are no binding contracts or consumer protections.
4. Forensic Time Lag. It often takes years to reconstruct what happened. Investigators rely on new data, improved tracing tools, and correlations with unrelated transactions. In LuBian’s case, it took four years of developments in analytics and monitoring to piece the story together.

While LuBian's operators may have been victims rather than perpetrators, this incident exposes crypto mining's endemic security failures. Decentralization doesn’t eliminate responsibility, it redistributes it. Until the industry mandates proactive security measures – wallet protection, code audits, and key management – new LuBians remain inevitable.