milksad
/
website-public
14
0
Fork 0
Code Issues Pull Requests Activity

Add blogpost no.14

This commit is contained in:
Christian Reitter 2025-08-04 13:00:57 +02:00
parent 8d2eb7aa90
commit 7c07b43f95
1 changed files with 110 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
_posts/2025-08-04-research-update-14.md Normal file
View File

@ -0,0 +1,110 @@
---
layout: post
title: "Update #14 - More Information on Suspected Lubian.com Hack"
author: ["Christian Reitter"]
date: 2025-08-04 11:00:00 +0000
---
Our [research update#7]({% link _posts/2024-04-20-research-update-7.md %}) from April 2024 first reported on a "billion dollar range" of weak wallets which previously held huge amounts of Bitcoins, and had all of their funds suddenly withdrawn in December 2020. Based on significant Bitcoin mining activity, we associated them with `lubian.com` as the former owner. In light of recent media coverage of this topic, here is some new research information on this wallet cluster, and what may have happened to it.
<div id="toc-container" markdown="1">
<h2 class="no_toc">Table of Contents</h2>
* placeholder
{:toc}
</div>
<br/>
## Billion Dollar Wallets
### Recent News
On Saturday 2nd of August 2025, the Twitter (X) account of [Arkham Intelligence](https://en.wikipedia.org/wiki/Arkham_Intelligence) posted a [widely seen thread](https://x.com/arkham/status/1951729790299394113) outlining the `lubian.com`-related weak wallets and corresponding wallet movements. They directly cited the [Milk Sad research from last year]({% link _posts/2024-04-20-research-update-7.md %}) through screenshots.
[My previous list]({% link _posts/2024-04-20-research-update-7.md %}#wallet-details) of related victim wallet addresses from weak private keys is composed of 8 addresses with major transaction histories, plus one ({{ "35v6FmTJSChgwcH6tgAwCwsEj315bvq3tB" | BtcLinkAddressUrlFull }}) which was older, but similar enough to include in the first list.
Through new research conducted over the last months, I've now found about 20 additional wallet private keys that were previously hidden. This new information gives a more complete view into what appears to be a massive trove of weakly secured Bitcoins that were controlled by a major entity, and then likely stolen on 2020-12-28 by an actor who found out about the weak private keys.
### New Research Breakthrough
Please see the [research update#7]({% link _posts/2024-04-20-research-update-7.md %}) for an overview on the specific mechanisms, wallet types and Pseudo Random Number Generator (PRNG) configurations that describe how the weak wallet private keys were created and doomed from the start. That blogpost also outlines the connections to Bitcoin mining and `lubian.com`, as well as the different sources of funds.
From a research point of view, the essential new discovery is the use of **PRNG offsets** by the vulnerable software which created the weak wallets, like I described in the recent [research update#13]({% link _posts/2025-07-24-research-update-13.md %}#technical-details) for an unrelated cluster of weak wallets. This explains how I didn't find all of them in my previous searches, and helps to further establish direct connections between seemingly separate wallets through shared PRNG states. I think we're the first to publish about this as well, and want to thank a fellow white hat security researcher who [gave us a hint]({% link _posts/2025-07-24-research-update-13.md %}#discovering-many-new-wallets) about the new search pattern.
### New Wallet List
Here is a new list of weak wallets that were likely controlled by the actor behind `lubian.com`:
| PRNG index group | PRNG offset | Primary Wallet Address | Comments |
| - | - | - | - | - |
| A | 0 | {{ "338uPVW8drux5gSemDS4gFLSGrSfAiEvpX" | BtcLinkAddressUrlFull }}| |
| A | 32 | {{ "3GaB3nRWA1PLc3XQkkbpVtFwYYZEuMxD4i" | BtcLinkAddressUrlFull }} | |
| A | 64 | {{ "3AWpzKtkHfWsiv9RGXKA3Z8951LefsUGXQ" | BtcLinkAddressUrlFull }} | |
| A | 96 | {{ "3NmHmQte2rP8pS54U3B8LPYQKkpG1pFF69" | BtcLinkAddressUrlFull }} | |
| A | 128 | {{ "3FrM1He2ZDbsSKmYpEZQNGjFTLMgCZZkaf" | BtcLinkAddressUrlFull }} | |
| B | 0 | {{ "32vpyd3jos4mEe8CmBnreRRXJJnwLMF3Gn" | BtcLinkAddressUrlFull }} | |
| C | 0 | {{ "34Jpa4Eu3ApoPVUKNTN2WeuXVVq1jzxgPi" | BtcLinkAddressUrlFull }} | |
| C | 32 | {{ "3KabDvdetZXDHNm9HXowLc9SppiSXKn7UU" | BtcLinkAddressUrlFull }} | |
| C | 64 | {{ "3LjTXe31gepN8nW3AZyKpyD2QwbtmfjNwm" | BtcLinkAddressUrlFull }} | |
| C | 96 | {{ "38Md7BghVmV7XUUT1Vt9CvVcc5ssMD6ojt" | BtcLinkAddressUrlFull }} | |
| C | 128 | {{ "3BA3PEF4BMoy9y3kdMRUdMhL8Gp24vikhF" | BtcLinkAddressUrlFull }} | |
| D | 0 | {{ "36UNrMNN3xk1dTfqCWAPmrfBXA2gykCPBK" | BtcLinkAddressUrlFull }} | |
| D | 0 | {{ "3Jx6enuiaBi1tk1KJsx6LzAeVgiMcjx7NZ" | BtcLinkAddressUrlFull }} | `m/49'/0'/0'/1/0` derivation, first use in 2024 !? |
| E | 0 | {{ "3Pja5FPK1wFB9LkWWJai8XYL1qjbqqT9Ye" | BtcLinkAddressUrlFull }} | |
| F | 0 | {{ "3JJ8b7voMPSPChHazdHkrZMqxC7Cb4vNk2" | BtcLinkAddressUrlFull }} | |
| F | 32 | {{ "33uEsaGLcF9H46Dvzx1kMnuMCQ13ndkAjV" | BtcLinkAddressUrlFull }} | |
| F | 64 | {{ "32i6n2vXhjvJg1vniURFy7A5VK6eG6oDgg" | BtcLinkAddressUrlFull }} | |
| F | 96 | {{ "3B1u4PsuFzww1P8if5jYmitXxpMs2EMSqt" | BtcLinkAddressUrlFull }} | |
| G | 32 | {{ "3PQzDoiwW7pYh49MotPrVcsydQCq5ES1Bz" | BtcLinkAddressUrlFull }} | |
| H | 0 | {{ "3PWNGS2357TnjRX7FpewqR3e3qsWwpFrJH" | BtcLinkAddressUrlFull }} | |
| H | 32 | {{ "3HuUiXmKN3beQSoM97kWjK1fesWWJvKvaZ" | BtcLinkAddressUrlFull }} | |
| H | 64 | {{ "34KYo7VdVr5CJ7m4hYhH9RpwqXhbsTrw4T" | BtcLinkAddressUrlFull }} | |
| H | 96 | {{ "339khCuymVi4FKbW9hCHkH3CQwdopXiTvA" | BtcLinkAddressUrlFull }} | |
| H | 128 | {{ "389JrNcn8trYgYi2EtHi4X7bTCqtVbep86" | BtcLinkAddressUrlFull }} | |
| I | 0 | {{ "3J4sTPyD1g6KvNUSJxjwLs4iaPeDPqxUZr" | BtcLinkAddressUrlFull }} | |
| I | 32 | {{ "34MFtk9iMxYcUPZWXHfiGfqz4o7X3kpJbV" | BtcLinkAddressUrlFull }} | |
| I | 64 | {{ "3MHa8JJ3bu8j3x3iQHhqsrZvk1EjBQmC78" | BtcLinkAddressUrlFull }} | |
| I | 96 | {{ "3DdFSGcXaP2rZ9CaL3tjnqRARvQ5K3VW4a" | BtcLinkAddressUrlFull }} | |
| I | 128 | {{ "39B6oSa58qNpFMGpuowtRHAYp3fM4ghXRq" | BtcLinkAddressUrlFull }} | |
<details markdown=1>
<summary><b>Technical notes</b> (click to unfold)</summary>
* PRNG offset in rounds
* Each key generation requires 32 rounds to produce 256 weak key bits
* Wallets with the same PRNG index ID were likely generated in the same session
* Derivation path `m/49'/0'/0'/0/0` unless noted otherwise
</details>
<br/>
### Transaction Volume
There were around **136951 BTC** (Bitcoin) in all weak wallets of this PRNG range as of transaction {{ "8b9de493c3119b178a360ac303682c61dfa3240c10ec06cccedcfc9608f4a4c2" | BtcLinkTxUrlSliced }}.
With transaction {{ "95384d1cb51085a8ec6a8e7c31147d31ee4e241bac7ac1d6806364a98617c9e2" | BtcLinkTxUrlSliced }}, a massive withdrawal run started and continued for about two hours until {{ "14bb56a2424bcc8cd7b36c814f70c51d290a0ba1d584534da35b6e4e07983bcd" | BtcLinkTxUrlSliced }}, with the overall balance down to about **193 BTC**. In the days after, the balance went down further to about 4 BTC.
Based on the estimated USD value of Bitcoins at the time of each withdrawal, this combines to an approximated **3.7 billion dollars** moved on 2020-12-28.
As Arkham Intelligence noted [in their tweets](https://x.com/arkham/status/1951729790299394113), not all of the funds moved that day went to the (likely) attacker. For example, a sizeable chunk of around 9500 BTC went to {{ "3HRzRMNbcHR5PTfAzt5Lo7AHgT3oUhq9zG" | BtcLinkAddressUrlFull }}, which `lubian.com` continued to use as a Bitcoin payout addresses. Overall, I currently suspect that about **$3.44 B** went to the attacker, which is still an absolutely insane figure 🤯.
Note the use of a fixed transaction fee of exactly 75000 sats for many of the suspicious transactions, which is unusual.
### Curious On-Chain Notes
Many of the previously listed Bitcoin victim wallet addresses have some interesting outgoing transactions on 2022-07-03 and 2024-07-25, which is a long time after the (likely) theft on 2020-12-28. Similar messages were apparently sent to the (suspected) attacker addresses. The purpose of those transactions appears to be a public broadcast message of some sort. The transactions include two short message snippets via the `OP_RETURN` Bitcoin mechanism, which combine to:
> MSG from LB. To the whitehat who is saving our asset, you can contact us
> through 1228btc@gmail.com to discuss the return of asset and your reward.
I suspect that "LB" refers to `lubian.com`, and that "saving our asset" alludes to the huge withdrawal of funds from the weak addresses on 2020-12-28.
The messages are visible in blockchain explorers which show `OP_RETURN` information. Identical messages were sent multiple times to different addresses in the cluster. Here are two examples: [first message](https://mempool.space/tx/eb063c0a98f043fa099518cee70a42793823afa008d9d19cbf84c12433b34d3e), [second message](https://mempool.space/tx/7e336a60323b2035546fd98e0643fa7df65a263f71a2ea77932978eadcd83c05). Notably, the second part of the message wasn't mentioned in the screenshots of Arkham Intelligence yet.
Please keep in mind that since the underlying wallet private keys are compromised, basically anyone can both send _and withdraw_ funds to and from these wallet addresses while attaching arbitrary messages. Wallet addresses with a history of large balances also frequently get some form of odd broadcast messages sent to them, for example here {{ "640ebe629ac937c86b85ec87b1b07063be494e3927da9c667b95248cb5caac0c" | BtcLinkTxUrlSliced }} with words encoded in bogus receiver addresses. To make informed guesses about whether the previously cited `"MSG from LB"` is a misleading scam/prank or a real (and late!) attempt by the `lubian.com` actor to get their funds back, I recommend looking into the origin of the Bitcoins that were used for this and drawing your own conclusions.
### More Data for Researchers, Note
There is a [research data repository](https://git.distrust.co/milksad/data) with more weak addresses in this range and other data.
A quick reminder: we have **no involvement** with the funds former and current owners or **any withdrawal of funds** in this range. The Bitcoins in question were moved years before we as the Milk Sad team discovered it, or reported about it. As researchers, we're mainly trying to shine a light at what happened, hoping to help avoid future disasters through more public awareness of the dangerous software flaws that caused them.
If other researchers want to get in touch, [let us know]({% link index.md %}#contact)!