Arkham, Aug 2 (7 tweets)
BREAKING: ARKHAM UNCOVERS $3.5B HEIST - THE LARGEST EVER

LuBian was a Chinese mining pool with facilities in China & Iran. Based on analysis of on-chain data, it appears that 127,426 BTC was stolen from LuBian in December 2020, worth $3.5 billion at the time and now worth approximately $14.5 billion.

Neither LuBian nor the hacker has publicly acknowledged the hack. Arkham is the first to report it. Details below:
LuBian was one of the world’s largest mining pools in 2020, controlling almost 6% of the Bitcoin network’s total hash-rate as of May 2020.

They appear to have been first hacked on December 28th, 2020 for over 90% of their BTC. Subsequently, on December 29th, around $6M of additional BTC & USDT was stolen from a LuBian address active on the Bitcoin Omni layer.

On the 31st, LuBian rotated their remaining funds to recovery wallets.
Each hacker address received the OP_RETURN message, shown in the screenshots, in which LuBian asks the hacker to return their funds.

LuBian spent 1.4 BTC across 1516 different transactions to send these messages, which suggests that this is not a spoof from another hacker who has brute-forced the private keys.

intel.arkm.com/explorer/tx/a7…
intel.arkm.com/explorer/tx/2a…
It appears that LuBian was using an algorithm to generate its private keys that was susceptible to brute-force attacks. This may have been the vulnerability exploited by the hackers.

LuBian preserved 11,886 BTC, currently worth $1.35B, which they still hold. The hacker also still holds the stolen BTC, with their last known movement being a wallet consolidation in July 2024.
With $3.5B in stolen assets at time of transfer, the LuBian hack is the largest ever.

Owing to BTC’s price appreciation since 2020, the current value of stolen assets is $14.5B, making the LuBian hacker the 13th largest BTC holder on Arkham, ahead of the Mt. Gox Hacker.
Track the LuBian Hacker on Arkham:

intel.arkm.com/explorer/entit…
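
An added example (not Arkham's or LuBian's code) for the remark above that LuBian's key-generation algorithm was susceptible to brute force. The thread does not name the algorithm, so `weak_private_key`, its 32-bit seed and the 10^6 keys/second rate are hypothetical; the point is that a key's search space is the generator's seed space, not the 256-bit key length, shown beside a CSPRNG-based replacement.

```python
import random
import secrets

# secp256k1 group order: a valid Bitcoin private key is an integer in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def weak_private_key(seed: int, seed_bits: int = 32) -> int:
    """Hypothetical flawed generator (an assumption, not LuBian's actual code):
    a 256-bit key stretched from a seed of only `seed_bits` bits."""
    rng = random.Random(seed % (1 << seed_bits))  # non-cryptographic PRNG
    return rng.getrandbits(256) % (N - 1) + 1


def strong_private_key() -> int:
    """Hardened form: the key is drawn directly from the OS CSPRNG."""
    return secrets.randbelow(N - 1) + 1


def reachable_keys(seed_bits: int) -> int:
    """Count every key the weak generator can ever emit for a given seed size."""
    return len({weak_private_key(s, seed_bits) for s in range(1 << seed_bits)})


def years_to_enumerate(entropy_bits: int, keys_per_second: float) -> float:
    """Time to walk a 2**entropy_bits space at an assumed derivation rate."""
    return 2 ** entropy_bits / keys_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e6  # assumed keys/second for one machine; constructed figure
    print("keys reachable from a 12-bit seed:", reachable_keys(12))
    print("32-bit seed space :", years_to_enumerate(32, rate) * 365.25 * 24, "hours")
    print("256-bit key space :", years_to_enumerate(256, rate), "years")
```

When reviewing wallet or key-management code, trace every private key back to its entropy source: anything seeded from a timestamp, counter, PID or a general-purpose PRNG has the weak generator's property regardless of how long the resulting key is.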

