Chinese authorities accused the U.S. government of hacking the LuBian mining pool wallet in 2020 and stealing 127,000 BTC (about $13 billion), but Western on-chain forensics teams tell a different story.
Case Review: Parts with Strong Evidence
Conclusive Facts:
On December 28-29, 2020, 127,000 BTC were transferred out of LuBian-associated addresses within a few hours.
The transfers were extremely regular: a fixed fee of 75,000 satoshis and a consistent batch address pattern.
Vulnerability source: the wallet software used the MT19937 pseudo-random number generator initialized with only 32 bits of entropy, giving a seed space of only about 4.29 billion values and leaving the keys open to brute force.
A GPU cluster needs only a few hours to search this entire space.
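The seeding flaw described above, as an added example that is not taken from the page or from the wallet software: it uses Python's built-in `random.Random` (an MT19937 implementation), and the function names are hypothetical. The audit search runs over a constructed 16-bit seed space so it finishes in about a second; the 32-bit case on the page is the same loop over 2^32 seeds.

```python
import random
import secrets

SEED_BITS_REAL = 32   # seed width stated on the page
SEED_BITS_DEMO = 16   # constructed, reduced width so the demo runs quickly


def weak_key(seed: int) -> bytes:
    """256-bit key drawn from MT19937 seeded with a small integer (the flaw).

    The output is 256 bits long, but it is a pure function of the seed,
    so there are only as many possible keys as there are seeds.
    """
    return random.Random(seed).getrandbits(256).to_bytes(32, "big")


def strong_key() -> bytes:
    """256-bit key from the operating system CSPRNG (the fix)."""
    return secrets.token_bytes(32)


def keyspace(seed_bits: int) -> int:
    """Number of distinct keys a generator with this seed width can emit."""
    return 1 << seed_bits


def find_seed(key: bytes, seed_bits: int):
    """Audit check: return the seed that reproduces `key`, or None.

    A non-None result means the key is not secret: anyone who knows the
    generator can regenerate it by walking the same seed space.
    """
    for seed in range(keyspace(seed_bits)):
        if weak_key(seed) == key:
            return seed
    return None


if __name__ == "__main__":
    constructed_seed = 0xBEEF                      # sample value, constructed
    k = weak_key(constructed_seed)
    print("possible keys at 32-bit seed:", keyspace(SEED_BITS_REAL))
    print("weak key reproducible from seed:", find_seed(k, SEED_BITS_DEMO))
    print("CSPRNG key reproducible from seed:",
          find_seed(strong_key(), SEED_BITS_DEMO))
```
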
Subsequent Track:
2021-2022: Related addresses published OP_RETURN messages requesting the return of the funds.
2024: The coins, dormant for years, were suddenly transferred to a new wallet.
2025: The U.S. Department of Justice announced that the 127,271 BTC are now under the control of the U.S. government, linked to the money laundering case involving Chen Zhi and Prince Group.
Three interpretations, which one holds water?
Version A (supported by Arkham/MilkSad/Elliptic): An unknown hacker cracked a weak key in 2020, and U.S. law enforcement later obtained the private key through device seizures or informant tips, ultimately applying to a federal court for an asset freeze. This logical chain is supported by independent technical evidence.
Version B (DOJ Official Position): LuBian and its associated structures are in fact a money laundering network for the Prince Group, and the so-called “hacked” incident is actually an internal transfer, with the FBI only later obtaining these keys. This version is recorded in judicial documents, but public information lacks sufficient details on “how the keys were obtained.”
Version C (promoted by Chinese online media): U.S. intelligence agencies were the real hackers; they did it in 2020 and then presented it as a law-enforcement seizure in 2025. The only support for this claim is the reasoning “4 years without action = the authorities are hiding something,” with no new technical evidence.
Where the Real Divergence Lies
MilkSad and Arkham have both clearly stated: “We do not know who pressed the button in 2020”. This is not withholding; it is an honest limitation.
On-chain forensics can trace the flow of funds and identify the vulnerability mechanism, but it cannot establish the real identity of the operator. Cracking a 32-bit entropy space could be done by either professional hackers or state actors, and from a purely technical perspective it is impossible to distinguish between them.
China's main accusation uses “long-term inactivity = suspicious” as counter-evidence, which is the weakest argument in cryptocurrency attribution. Criminal groups also let large amounts of funds sit idle to evade tracking.
The situation stands as follows:
✓ The technical vulnerability exists (verified)
✓ The coins were indeed transferred (verified)
✓ The coins are now in U.S. hands (verified)
? Who the operators were in 2020 (no consensus)
This case will not be settled simply because one account sounds “reasonable and well-founded”; Bitcoin's anonymity means certain historical truths may forever remain a black box.
127,000 BTC Theft Case: The US and China each have their own claims, but the technical truth is very clear.