Bloomberg: China accuses the U.S. of orchestrating a $13 billion Bitcoin heist, escalating geopolitical cyber warfare?

On November 10, China’s National Computer Virus Emergency Response Center (CVERC) released a technical report directly implicating the U.S. government in orchestrating and executing the 2020 theft of 127,272 bitcoins from the Lubian mining pool (currently valued at $13 billion). The report also questions whether the U.S. Department of Justice’s confiscation action in 2024 was actually a government-level “black on black” operation.

The report points out that the stolen bitcoins, after a four-year silent period, were suddenly transferred to wallets controlled by the U.S. government. Their technical characteristics align with behaviors typical of state-level hacking groups. U.S. prosecutors previously claimed these bitcoins were related to a fraud case involving Chen Zhi, chairman of the Cambodian Prince Group, but refused to disclose details of the seizure. This incident risks further deteriorating already tense China-U.S. cyber relations.

Event Timeline and Technical Forensics Analysis

According to Bloomberg, this is considered the largest hacking incident in cryptocurrency history. It began in December 2020 when the world’s leading bitcoin mining pool Lubian was targeted by a sophisticated supply chain attack, resulting in 127,272 bitcoins disappearing at block height 663,246.

Key evidence disclosed in the CVERC report includes: attackers using a variant of the SUNBURST malware linked to the SolarWinds incident, exploiting zero-day vulnerabilities to breach mining pool node isolation mechanisms, and using mixers to facilitate cross-chain fund transfers, ultimately converging on addresses regulated by the U.S. This level of operation exceeds the capabilities of ordinary criminal groups, with seven technical indicators closely matching known NSA attack patterns.

The coincidence of timelines raises further suspicion. These bitcoins remained dormant from 2020 to 2024, but in June 2024, they were suddenly transferred in three transactions to new addresses, which blockchain analysis firm Arkham subsequently marked as “controlled by the U.S. government.” The U.S. Department of Justice only publicly acknowledged seizing these assets in October 2024, claiming they are related to Chen Zhi’s fraud case, but the indictment did not specify when or how the assets were seized. CVERC believes this “theft followed by legalization” pattern aligns with the typical lifecycle of state-level hacking operations—obtaining assets through technical means and then transferring ownership via judicial procedures.

Legal Disputes and Geopolitical Power Play

The core issue involves the ambiguous realm of international law—whether state actors can acquire assets through hacking and legitimize them under law. The U.S. Department of Justice invoked the Civil Asset Forfeiture Law to claim rights, but this law generally applies to domestic criminal proceeds and lacks clear jurisdiction over transnational cyber operations. Chen Zhi’s defense lawyer, Matthew L. Schwartz, has filed a motion in the Southern District of New York demanding the government disclose seizure details, arguing that “the prosecution’s timeline contains fundamental logical contradictions”—the fraud Chen Zhi is accused of mainly occurred in 2021-2023, while the bitcoins were stolen earlier.

This incident occurs amid sensitive China-U.S. cyber relations. Since 2025, China has publicly accused the U.S. of conducting state-level cyberattacks three times, including exploiting Microsoft Exchange server vulnerabilities to infiltrate Chinese enterprises and attacking national time service centers. While these accusations lack traditional “court evidence,” they are reinforced by the technical report from CVERC, forming a public opinion offensive. Experts from the Center for Strategic and International Studies (CSIS) suggest this is part of China’s “reciprocal exposure” strategy, aiming to respond to recent U.S. accusations of Chinese hacking activities, with both sides engaged in an escalating “narrative war” in cyberspace.

Key Timeline of the Bitcoin Hacking Incident

Attack Phase (2020)

  • Date: December 18, 2020
  • Target: Lubian mining pool (at the time accounting for 6.3% of hash rate)
  • Loss: 127,272 bitcoins (worth $2.3 billion at the time)
  • Method: Supply chain attack + zero-day exploit

Dormant Phase (2020-2024)

  • On-chain activity: Zero transfers
  • Price environment: Bitcoin rising from $20,000 to $120,000
  • International environment: Accelerated decoupling of China and U.S. tech sectors

Seizure Phase (2024)

  • Transfer date: June 10-12, 2024
  • Judicial process: Civil asset forfeiture (October 2024)
  • Current value: $13 billion
  • Legal basis: U.S. Code Title 18, Section 981

Reshaping Cryptocurrency Security Landscape

This incident could permanently alter institutional attitudes toward crypto custody. Traditional “hot and cold wallet separation” architectures are vulnerable to state-level attacks. Lubian’s loss was due to infiltration of its hot wallet signing servers. The industry is accelerating adoption of Multi-Party Computation (MPC) custody solutions, which split private keys across jurisdictions, requiring attackers to breach multiple systems simultaneously to access assets. Leading custody providers like Fireblocks and Copper report a 300% increase in MPC adoption in 2025.

A deeper impact concerns the Bitcoin network itself. While the protocol has never been successfully attacked, vulnerabilities in the surrounding infrastructure have been exposed. Mining pools, where hash rate is concentrated, are critical to network stability. Currently, the top ten pools control 68% of total hash power. Multiple simultaneous attacks could trigger chain reorganizations. Developers have proposed BIP-345 upgrades, introducing “Pool Isolation Witness” mechanisms to prevent a single pool’s security incident from affecting the entire network. However, these solutions require a 12-18 month deployment cycle, during which risks persist.

Investment Strategies and Asset Protection

For crypto investors, geopolitical risks are now an unavoidable factor. A three-layered protection approach is recommended: technically, prioritize custody with SOC2 Type II certified providers and diversify assets across at least three jurisdictions; legally, hold large assets via offshore entities in jurisdictions like the Cayman Islands or Switzerland for privacy; operationally, implement multi-signature thresholds involving cross-border legal counsel for large transfers.

In terms of asset allocation, this incident may provide short-term opportunities for privacy coins and decentralized storage projects. Zcash and Monero surged 8% and 12%, respectively, within 24 hours of the news, reflecting increased market demand for financial privacy. However, these assets face stricter regulatory scrutiny. A more conservative approach is to increase self-custody of Bitcoin and consider insurance coverage. Lloyd’s of London now offers specialized insurance products against state actor attacks, with annual premiums around 1.2-2% of assets.

Conclusion

The $13 billion Bitcoin controversy transcends ordinary criminal cases, becoming a key test of sovereignty boundaries in the digital age. Regardless of how the technical evidence is ultimately interpreted, this event exposes a harsh reality: in the absence of international consensus, the cryptocurrency market is becoming a new battleground for geopolitical conflicts. Investors must recognize the risks of state involvement and adopt a multi-faceted approach—leveraging technology, legal frameworks, and financial instruments—to build resilient digital asset protection systems for the future.
