Arkham uncovered a 2020 heist involving 127,000 bitcoins. The mining pool never reported it, and the funds have never moved.
Summary
- In December 2020, LuBian, a leading Bitcoin mining pool, lost 127,000 BTC in a theft that went completely unreported.
- For almost five years, the stolen Bitcoin remained untouched, and LuBian quietly ceased operations without disclosing the breach.
- Arkham Intelligence uncovered the theft through on-chain analysis in August 2025, revealing a serious flaw in LuBian’s private key system.
- The attacker exploited weak entropy in wallet key generation, which allowed brute-force access and let the funds be transferred undetected.
- The stolen assets are now worth more than $14 billion and have never moved, making this the largest and most concealed crypto theft to date.
Bitcoin stolen in 2020 was only exposed in 2025
In December 2020, one of the world’s largest Bitcoin (BTC) mining pools suddenly disappeared from the network. China-based LuBian, which once accounted for nearly 6% of the Bitcoin network’s total hashrate, had suffered a security breach.
Over 127,000 BTC was withdrawn from its wallet in two transactions, worth around $3.5 billion at the time.
No official statement was made. The public was not alerted. LuBian did not acknowledge the breach, and for almost five years the stolen funds remained dormant on the blockchain. The theft was never reported and received little attention.
In August 2025, a detailed investigation by blockchain analytics firm Arkham Intelligence revealed the full scope of what happened in the second half of 2020.
Breaking: Arkham announces a $3.5 billion robbery. This is the biggest thing ever
LuBian was a Chinese mining pool with facilities in China and Iran. Based on an analysis of on-chain data, 127,426 BTC was stolen from LuBian in December 2020, worth $3.5 billion at the time, and is now worth it.
– Arkham (@arkham) August 2, 2025
According to Arkham’s on-chain analysis, more than 90% of LuBian’s holdings moved in one day, followed by smaller outflows from a wallet associated with the Omni Layer protocol.
With just under 12,000 BTC remaining, LuBian quickly moved it to a new recovery wallet. Soon after, the mining pool halted all public activity.
The stolen assets are now valued at over $14.5 billion thanks to Bitcoin’s price appreciation. They have not been routed through mixers or exchanges, and remain unusually clean on-chain.
LuBian’s mining share grew rapidly in 2020
LuBian began operations in 2020 and quickly rose to become one of the most influential mining pools in the Bitcoin ecosystem.
At its peak, the pool contributed almost 6% of the network’s total hashrate, ranking among the 10 largest mining entities worldwide.
Its infrastructure extended across mainland China and reportedly parts of Iran. Despite its size, LuBian kept a low profile. Its name, which translates from Chinese as “roadside”, reflects an approach that favored discretion over public visibility.
When LuBian suddenly went offline in early 2021, the move prompted speculation, but there was no immediate concern. After months of consistent activity, the pool stopped producing blocks and disappeared without explanation.
At the time, analysts attributed the closure to the Chinese regulatory crackdown on crypto mining.
A combination of policy changes, energy use restrictions, and legal uncertainty forced many operators to reduce or suspend activity, and LuBian’s exit appeared to coincide with the wider industry disruption.
That narrative went unchallenged for years. No user complaints surfaced. No abnormal wallet activity was detected. In the absence of evidence to the contrary, the assumption of a regulatory exit was widely accepted.
However, Arkham’s findings point to another conclusion. The pool’s shutdown followed a massive financial breach rather than external pressure.
With miners’ income and internal reserves likely lost, LuBian’s team stayed silent and chose to withdraw from public view.
Arkham’s investigation and technical findings
Arkham Intelligence’s research combined blockchain tracing, message analysis, and key-generation forensics to reconstruct the sequence of events.
It started with two major Bitcoin transfers that took place in late December 2020. These originated from addresses known to be associated with LuBian’s mining operations and were sent to previously inactive wallets that showed no further movement after receiving the funds.
The size of the balance and the lack of follow-up activity raised red flags.
Further analysis revealed unusual details. In the days following the breach, LuBian sent over 1,500 microtransactions to hacker-controlled addresses.
Each contained a small amount of BTC and a message embedded in the OP_RETURN field, the mechanism used in Bitcoin transactions to store arbitrary data.
These messages were not routine. They read as a direct plea from the LuBian operators, asking the attacker to return the funds. One message asked the recipient to act as a white hat hacker and reach out via email to discuss cooperation and a possible reward.
In total, LuBian spent about 1.4 BTC on transaction fees just to send these messages, suggesting a serious and deliberate attempt to initiate communication.
The messages went unanswered and the stolen coins were not moved. Still, these public records left a clear digital trail confirming that a theft had occurred.
Using address clustering techniques, Arkham was able to separate the wallet groups related to LuBian’s mining activities from those related to the attacker.
Wallets that transact together, or that regularly receive payments from the same source, are grouped as belonging to one entity. Once the breach occurred, the attacker consolidated the stolen funds into a new group of wallets and then remained idle.
One of the most revealing aspects of the breach was how it happened. Arkham concluded that the theft stemmed from a serious defect in LuBian’s wallet construction. Rather than malware or insider access, the breach exploited weaknesses in the way LuBian generated private keys.
The wallet software used an algorithm that relied on only 32 bits of entropy, a level of randomness far below accepted cryptographic standards.
With the search space limited to approximately 4 billion possible keys, an attacker with modest computing power could realistically brute-force the correct private key in a manageable time frame.
The vulnerability exposed LuBian’s wallet system to offline brute-force attacks. Once the defect was identified, the attacker could systematically compute candidate keys, find the right one, and withdraw funds without triggering an alarm.
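The gap between a 32-bit seed and a properly generated key, as an added example (not LuBian’s wallet code, which the article does not show). The flawed generator is a hypothetical stand-in whose output depends only on a small seed; the enumeration is scaled down to a 12-bit seed, and the 1,000,000 keys-per-second rate and the 128-bit floor are assumptions.

```python
# Added example: measure how much of a "256-bit" key is really random.
import hashlib
import math
import secrets

MIN_SEED_BITS = 128  # assumption: audit floor (BIP-39's smallest entropy size)


def weak_keygen(seed: int) -> bytes:
    """Hypothetical flawed generator: the key is a pure function of a small seed."""
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()


def strong_keygen() -> bytes:
    """Corrected form: all 256 bits come from the operating system's CSPRNG."""
    return secrets.token_bytes(32)


def effective_entropy_bits(generator, seed_bits: int) -> float:
    """Enumerate every seed and count the distinct keys the generator can emit."""
    keys = {generator(seed) for seed in range(2 ** seed_bits)}
    return math.log2(len(keys))


def years_to_exhaust(entropy_bits: float, keys_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed test rate."""
    return 2 ** entropy_bits / keys_per_second / (365 * 24 * 3600)


def audit(seed_bits: int, keys_per_second: float = 1e6) -> dict:
    """Summarise a design: seed width, worst-case exhaustion time, pass/fail."""
    return {
        "seed_bits": seed_bits,
        "years_to_exhaust": years_to_exhaust(seed_bits, keys_per_second),
        "acceptable": seed_bits >= MIN_SEED_BITS,
    }


if __name__ == "__main__":
    # The key is 32 bytes long, yet only 2**12 distinct values can ever appear.
    print(len(weak_keygen(0)), effective_entropy_bits(weak_keygen, 12))
    print(audit(32))    # the seed width the article reports
    print(audit(256))   # a key drawn entirely from the OS CSPRNG
```

The output length of a key says nothing about its strength: the audit has to be applied to the seed that feeds the generator.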
LuBian’s breach now ranks as the most valuable crypto theft
The theft at LuBian currently ranks as the most valuable crypto heist on record, measured by value at the time it occurred. In comparison, the collapse of Mt. Gox in 2014 lost around 850,000 BTC, worth around $450 million at the time.
Mt. Gox’s case involved more bitcoin, but about 200,000 BTC was later recovered, leaving the overall financial impact lower than LuBian’s.
The LuBian breach also surpasses the 2016 Bitfinex hack, in which around 119,756 BTC was stolen. The incident was valued at $72 million when it happened, and it remained in focus for years until a large portion of the funds was eventually seized by US authorities.
Other major events, including the $610 million theft from Poly Network in 2021, the $625 million Ronin Bridge exploit in 2022, and the $400 million drained during the FTX collapse, were severe in scale but did not match LuBian in terms of overall value.
In many of these cases, funds were either recovered or voluntarily returned. Until now, LuBian’s case remained completely invisible.
In February 2025, a major exploit at Bybit briefly drew attention when $1.5 billion in digital assets was removed from the platform. At the time, it was said to be the biggest hack in crypto history.
However, Arkham’s findings changed the rankings. With Bitcoin’s price having risen considerably since the LuBian breach, the value of the stolen, untouched holdings currently stands between $14 billion and $15 billion, making it the most valuable theft on record.
Arkham’s latest data shows that the addresses linked to the LuBian hacker hold more bitcoin than the cluster associated with the Mt. Gox event.
The hacker currently ranks as the 13th-largest holder of BTC worldwide, a position more commonly associated with major exchanges or early miners who remain inactive. Few individuals or organizations control more.
The complete inactivity of the stolen assets is also unusual. In almost all previous high-value breaches, attackers have attempted to obfuscate or move funds using mixers, decentralized trading platforms, or privacy tools.
In this case, the funds remain completely untouched. That lack of movement let the theft go unnoticed for years. Without Arkham’s investigation, the breach might never have been found.