Full Report
A new theory from the agency that brought us ‘America hacked itself to blame Beijing’
China’s National Computer Virus Emergency Response Center (CVERC) has alleged a nation-state entity, probably the USA, was behind a 2020 attack on a bitcoin mining operation and by doing so has gone into bat for entities that Beijing usually blasts.…
Analysis Summary
# Incident Report: Alleged 2020 Bitcoin Mining Operation Heist Attributed to US Nation-State Actor
## Executive Summary
In late 2020, a bitcoin mining pool operator named LuBian, running operations in Iran and China, suffered a significant theft of approximately 127,272 BTC. China’s CVERC has recently alleged that this attack was executed by a nation-state entity, strongly implying the USA, based on the subsequent dormancy of the assets and the recent US government recovery action. The stolen cryptocurrency was tied to Chen Zhi, Chairman of the Prince Group, who was later indicted by the US DOJ for fraud related to forced labor scam compounds. The primary impact was the loss of a large cryptocurrency holding, which was eventually seized by the US government following the indictment of the owner.
## Incident Details
- Discovery Date: Unknown (The report focuses on the 2025 discovery by CVERC of the US seizure, but the original attack occurred in **Late 2020**.)
- Incident Date: **Late 2020**
- Affected Organization: **LuBian** (A bitcoin mining pool operator)
- Sector: Cryptocurrency Mining / Financial Technology
- Geography: **Iran and China**
## Timeline of Events
### Initial Access
- Date/Time: **Late 2020** (Specific date not provided)
- Vector: Not explicitly detailed in the source, but implied to be a sophisticated attack given the CVERC assessment.
- Details: Unknown threat actor gained access resulting in the theft of 127,272 BTC from LuBian.
### Lateral Movement
- Details: No specific technical details regarding internal network movement are provided in the source material.
### Data Exfiltration/Impact
- Details: **127,272 Bitcoin** were exfiltrated from LuBian and moved to a wallet that remained "almost untouched" for four years. The BTC belonged to Chen Zhi, chairman of the Prince Group.
### Detection & Response
- **Detection (Initial Theft):** Implied to have gone undetected or unreported publicly for years by the affected parties.
- **Detection (Attribution/Seizure):** **October 14th, 2025** (US DOJ unsealed an indictment against Chen Zhi). CVERC published its analysis linking the theft to a likely US nation-state actor on **Sunday, November 9th, 2025**.
- **Response actions taken:** The US Department of Justice filed a civil forfeiture complaint and took custody of the approximately 127,271 BTC, stating they were proceeds of related fraud schemes. CVERC published a report urging improved security for Chinese blockchain operators.
## Attack Methodology
(Note: As the source details an allegation about the attack rather than a technical analysis of the actual intrusion, these fields are speculative or based on CVERC's assumptions about the actor.)
- Initial Access: **Unknown/Nation-State capability implied.**
- Persistence: Unclear. The only "persistence" observed was the **dormancy of the stolen assets** for four years, which CVERC reads as the mark of a nation-state actor not motivated by an immediate cash-out.
- Privilege Escalation: Not detailed.
- Defense Evasion: Implied high capability, as the theft went unpublicized until US seizure actions years later.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Cryptocurrency wallet access leading to mass withdrawal.
- Exfiltration: Transfer of 127,272 BTC to a controlled wallet.
- Impact: Significant financial loss to the alleged owner, Chen Zhi, followed by seizure by the US government.
## Impact Assessment
- Financial: Loss of **127,272 Bitcoin** (value fluctuating significantly between 2020 and 2025).
- Data Breach: Not applicable (The incident was a theft of assets, not a traditional PII/data breach).
- Operational: Disruption to the LuBian mining pool operation (implied).
- Reputational: Increased geopolitical tension between China (via CVERC claims) and the USA regarding cyber operations and asset recovery.
## Indicators of Compromise
*No specific network or file Indicators of Compromise (IOCs) were detailed in the provided summary article, as the focus was on the geopolitical attribution and blockchain tracing.*
## Response Actions
- **Containment:** The actual containment/seizure was executed by the **US Department of Justice**, which secured the cryptocurrency assets through a civil forfeiture complaint following the indictment of the owner, Chen Zhi.
- **Eradication:** Not applicable to the original 2020 incident within the target network, but the assets were removed from the control of the alleged criminal enterprise (Prince Group).
- **Recovery:** The BTC was moved into US government custody.
## Lessons Learned
- **Long-Term Asset Dormancy as an Indicator:** CVERC deduced that the dormancy of the funds for four years was a sign of a sophisticated, non-criminal (nation-state) actor, as typical criminals would realize profit sooner.
- **Vulnerability of Crypto Assets:** Major cryptocurrency holdings remain attractive targets, and the security posture of mining operations is critical.
- **Conflicting Geopolitical Narratives:** State actors may use cyber incidents to advance domestic or international narratives, even when basic facts (like the theft and subsequent seizure) align.
## Recommendations
- Implement stringent, multi-signature policies and segregated control over large cryptocurrency reserves.
- Improve monitoring techniques to flag extremely long-term asset dormancy following large outflows, potentially cross-referencing with known nation-state operational patterns.
- Enhance infrastructure security for critical financial operation nodes involved in cryptocurrency processing (e.g., mining pools).