Source: Max He@Safeheron Lab
Lately, the cryptocurrency community has been widely discussing a groundbreaking piece of news: it is speculated that a U.S. law enforcement agency has obtained the private key to around 120,000 bitcoins transferred in 2020, worth up to $15 billion. According to Elliptic's report [1], these assets were initially associated with the mining pool Lubian.com and were later officially seized by the U.S. Department of Justice. It is widely believed that law enforcement agencies may have utilized a random number generation flaw at the time of wallet creation to reconstruct or take over the private key, with some speculating that this was a U.S. government-led technical hacking operation.
Since it broke, this news has sent shockwaves through the cryptocurrency industry and quickly become a focal point of discussion. It has sparked widespread debate on the technical and security fronts and raised fresh concerns among investors about the reliability of crypto assets and how their risks can be mitigated. This article looks at the event from both a technical and a factual perspective: it analyzes the event and its underlying security implications, works through the key technical details, reviews how the event unfolded, and explores its potential far-reaching consequences.
In the world of blockchain, randomness is the cornerstone of cryptographic security. The private key of every Bitcoin or Ethereum wallet is generated from random numbers—if those numbers lack sufficient "randomness," an attacker may be able to predict the private key and steal the assets directly. To mitigate this risk, wallets must use a cryptographically secure pseudo-random number generator (CSPRNG) so that the generated values are genuinely unpredictable and cannot be reproduced.
Wallets that rely on insecure random algorithms may appear to operate normally on the surface but actually harbor hidden risks: once the randomness is successfully predicted, asset losses become irreversible.
Between 2022 and 2023, multiple significant security incidents caused by the same random number vulnerability were successively disclosed, fully exposing the severity and pervasiveness of this issue.
On September 20, 2022, the prominent market maker Wintermute suffered a major security incident in which around $160 million in digital assets was stolen [2]. The attackers exploited a vulnerability in the address generation tool Profanity—a tool which, in some use cases, relies on Mersenne Twister (MT19937) as its pseudo-random number source to generate "vanity" (premium) addresses.
Due to the predictability of the output of MT19937 when there is a lack of sufficient entropy injection, attackers were able to partially reproduce the address/private key generation process, successfully calculate the corresponding private key, and transfer funds. This case became the first iconic event in crypto history where an institutional-grade wallet was breached due to misuse of random numbers, marking the transformation of the randomness issue from mere developer negligence to a systemic security risk.
Safeheron previously published a detailed analysis of this attack's technical details and reproduced the attack process [3].
In April 2023, security researchers discovered that the Trust Wallet browser extension version 0.0.172–0.0.182 used a non-cryptographically secure random function when generating wallet mnemonic phrases [4], which also relied on the Mersenne Twister (MT19937) pseudorandom number algorithm at its core (as shown in the image below), with a random space of only about 2^32 possibilities, far from sufficient to resist exhaustive attacks.
Attackers could enumerate all possible mnemonic phrase combinations in a limited time, thus reconstructing the private key and stealing user assets. The Trust Wallet team subsequently issued an official announcement confirming the vulnerability's existence and urgently advised affected users to migrate their assets in a timely manner. According to an official statement on the project's community forum, this vulnerability has led to potential losses of approximately $170,000, as attackers may have successfully exploited this vulnerability to carry out targeted attacks.
This event became the first case of a random number vulnerability affecting mainstream wallet end-users, bringing "random number security" to the forefront of public attention on a large scale for the first time.
In August 2023, the security research team Distrust announced the discovery of a severe random number vulnerability in the command-line tool Libbitcoin Explorer (bx) version 3.x [5]. This tool, when executing the bx seed command to generate a wallet seed, also used the Mersenne Twister (MT19937) pseudorandom number generator internally and relied solely on system time as a seed source, resulting in very low randomness and predictable output. Attackers could enumerate all seed values in a limited time, reconstruct the wallet private key, and directly steal assets.
The vulnerability affects all users who generated wallets using Libbitcoin Explorer 3.x, as well as applications relying on the libbitcoin-system 3.6 library. As of August 2023, over $900,000 worth of cryptocurrency assets have been stolen due to this vulnerability [6]. The vulnerability was officially registered as CVE-2023-39910 after disclosure.
Despite Libbitcoin Explorer promptly applying the correct security patch, the saga was far from over.
Following the security incident of Libbitcoin Explorer 3.x, a group of white-hat researchers led by the Distrust team initiated the MilkSad project to continuously track the impact of the vulnerability and drive community responses.
By 2024, researchers systematically documented the generation mechanisms, wallet types, and pseudo-random number generator (PRNG) configurations of these 'weak wallets' [7], revealing their potential connection with the Bitcoin mining pool Lubian.com and the distribution characteristics of related funds.
In 2025, with a crucial lead from an anonymous white-hat researcher, the long-stalled analysis made a breakthrough. The MilkSad team uncovered that the affected software introduced a new parameter—PRNG offset—during private key generation. This discovery enabled researchers to reassociate previously disparate wallet clusters, exposing a unified random number generation pattern underlying the entire 'weak wallet' event [8].
Through further in-depth analysis by the team, the initial 2,630 problematic wallets discovered in 2023 were just the tip of the iceberg. By searching across different segments of PRNG output, researchers have now successfully reconstructed and identified over 227,200 distinct wallets (as shown in the diagram below). These wallets all have valid usage records on the mainnet, forming the largest known cluster of 'weak random wallets' to date.
On-chain data indicates that these wallets generated by the random number flaw collectively hold approximately 137,000 BTC. Within just two hours on December 28, 2020, these wallets were drained, with the balance plummeting from 137,000 BTC to less than 200 BTC. Around 9,500 BTC was sent to Lubian's mining pool payment address, while the remaining approximately 120,000 BTC is believed to have been transferred to wallets controlled by the attacker. All suspicious transactions shared the same fee, displaying clear signs of automated batch transfers.
Later on, a new important clue emerged, further confirming the existence of this large-scale theft event [9]. Researchers discovered on the Bitcoin mainnet that some of the compromised wallets still exhibited unusual transaction activity on July 3, 2022, and July 25, 2024. These transactions embedded the exact same information using the OP_RETURN mechanism:
"MSG from LB. To the whitehat who is saving our asset, you can contact us through 1228btc@gmail.com to discuss the return of asset and your reward."
Researchers speculated that "LB" may stand for Lubian.com, and "saving our asset" may refer to the large-scale fund transfer on December 28, 2020. These messages were broadcast multiple times to different addresses, and appear to be Lubian's attempt to establish contact with the "white hat" in possession of the assets to discuss the return of the assets and a reward.
However, since the private keys of these wallets have long been compromised, theoretically, anyone could initiate transactions from these addresses or write messages. Therefore, it is still impossible to definitively confirm whether this information truly originates from the Lubian team or if it is a deceptive or prank-like operation.
Thus, the main body of the iceberg has finally emerged—the systemic vulnerability caused by a random number flaw has evolved into one of the largest and most impactful security events in Bitcoin's history.
So, how were these roughly 220,000 weak-random wallets generated? Let us walk through the specific technical search process [8].
Step 1: Select the same pseudo-random number generator (PRNG), MT19937, to generate random numbers. It bears repeating that this PRNG has no cryptographic security whatsoever.
Step 2: Initialize MT19937 with an extremely low-entropy seed (0 to 2^32-1). This low-entropy seed is the primary reason these BTC wallet private keys could be inferred so quickly.
Step 3: MT19937 outputs a 32-bit integer on each round, but not all of it is used. Only the highest 8 bits are kept, so each round of MT19937 produces one byte.
Step 4: Introduce the OFFSET feature to expand the private key range. Note that in BTC the private key seed is 32 bytes (equivalent to 24 mnemonic words, i.e., 256 bits), and these 32 bytes are taken from round (32 * OFFSET) to round (32 * OFFSET + 31) of the generator. Specifically:
(1) Rounds 0 to 31 output a 32-byte private key seed.
(2) Rounds 32 to 63 output a 32-byte private key seed.
(3) Rounds 64 to 95 output a 32-byte private key seed.
(4) And so on, with OFFSET able to reach up to 3232.
Step 5: From the private key seed, apply the public BIP32 wallet derivation algorithm along the derivation path m/49'/0'/0'/0/0 to derive the child public-private key pair.
Step 6: From the child public key, generate a P2WPKH-nested-in-P2SH wallet address with the prefix 3.
Step 7: If the generated address has a usage record on chain, a weak-random wallet has been found. Record its wallet address and corresponding private key.
The entire search process above is deterministic, with the only variable being the choice of a low-entropy seed, offering a total of 2^32 possibilities, far less than the 2^256 space of the BTC standard private key. Therefore, all 220,000 weak random wallets and their corresponding private keys can be obtained through a brute-force search.
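To make the key-space argument in steps 1 to 4 concrete, here is an added Python model of the flawed generator beside its hardened counterpart; it is not code from this article or from any of the affected projects. It uses Python's random.Random (which is MT19937) as a stand-in, and because Python seeds the generator via init_by_array rather than the init_genrand path a C++ std::mt19937(seed) uses, the bytes will not match any real tool's output; the constants SEED_BITS, MAX_OFFSET and the function names are assumptions of this example.

```python
import math
import random
import secrets

KEY_LEN = 32        # a BTC private key seed is 32 bytes (256 bits), as in step 4
SEED_BITS = 32      # the flawed tool seeded MT19937 with one 32-bit value (step 2)
MAX_OFFSET = 3232   # largest OFFSET the researchers report (step 4)


def weak_byte_stream(prng_seed: int, n_bytes: int) -> bytes:
    """Steps 1 to 3: MT19937 seeded with a low-entropy value, keeping only the
    top 8 bits of each 32-bit output, so every round yields one byte.
    random.Random is MT19937 but seeds differently from std::mt19937(seed),
    so this is a model of the scheme, not a reproduction of the real tool."""
    if not 0 <= prng_seed < 2 ** SEED_BITS:
        raise ValueError("seed outside the 32-bit range the flawed tool used")
    rng = random.Random(prng_seed)
    return bytes(rng.getrandbits(32) >> 24 for _ in range(n_bytes))


def weak_key_seed(prng_seed: int, offset: int = 0) -> bytes:
    """Step 4: the 32 bytes from round 32*OFFSET to round 32*OFFSET+31."""
    if not 0 <= offset <= MAX_OFFSET:
        raise ValueError("offset outside the documented range")
    stream = weak_byte_stream(prng_seed, KEY_LEN * (offset + 1))
    return stream[KEY_LEN * offset:KEY_LEN * (offset + 1)]


def secure_key_seed() -> bytes:
    """The hardened form: 32 bytes straight from the OS CSPRNG (principle 1)."""
    return secrets.token_bytes(KEY_LEN)


def weak_space_size() -> int:
    """Every 32-byte seed the flawed scheme can ever emit: one per (seed, offset)."""
    return 2 ** SEED_BITS * (MAX_OFFSET + 1)


def security_bits(space: int) -> float:
    """Work factor of an exhaustive search over `space` candidates, in bits."""
    return math.log2(space)


if __name__ == "__main__":
    # The same seed and offset always give the same "private key seed": there is
    # nothing to guess beyond 32 bits, however random the bytes may look.
    a, b = weak_key_seed(20200101, 0), weak_key_seed(20200101, 0)
    print(a.hex() == b.hex(), a.hex())
    print(f"weak scheme: {security_bits(weak_space_size()):.1f} bits of search, "
          f"versus 256 bits for a seed such as {secure_key_seed().hex()[:16]}...")
```

Even with every offset counted, the whole scheme yields fewer than 2^44 candidate seeds, which is why a single brute-force pass can enumerate all of them.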
Let's thoroughly review the development of the whole event.
As early as several years ago (traceable back to as early as 2018), some digital asset projects mistakenly introduced a non-cryptographically secure pseudo-random number generator (PRNG) into the development process and applied it to wallet private key generation, a highly sensitive phase. Due to the developers' lack of understanding of cryptographic security at the time, this mistake went unnoticed but laid a security vulnerability for subsequent large-scale exploits.
Unfortunately, over time this issue was discovered by hackers and maliciously exploited. Various attack groups successively carried out multiple well-known attacks based on the same principle—including the Wintermute theft, the Trust Wallet random number vulnerability, and the Libbitcoin weak wallet event, among others. These attacks collectively resulted in billions of dollars in asset losses and turned "random number security," once an overlooked technical detail, into a focus of the industry.
Researchers analyzing the commonalities of these events found that all victim wallets had similar randomness flaws and further traced them back to an earlier theft incident involving the Lubian mining pool. After in-depth research, they confirmed that the wallets used by Lubian also relied on an insecure random number generation mechanism, making them part of this group of "weak wallets." A subsequent systematic analysis revealed a more astonishing fact: there are approximately 220,000 weak random wallets in the entire network, involving a total of 120,000 BTC, constituting the largest and most far-reaching random number security event to date.
As for the circulating claim that the "US Department of Justice led the Lubian.com theft incident," it stems mainly from a subtle fact: during the DOJ's official intervention in handling the related assets, a large-scale transfer suddenly occurred from the previously long-dormant Lubian-associated Bitcoin addresses. This coincidence in timing, together with the direct link between the addresses, led many observers to suspect that the government might have used brute-force methods to recover the related private keys. Another possibility is that the US government did not brute-force the private keys directly but instead gained control over the individual or entity holding them, facilitating the fund transfer.
Although these wallets belong to hackable weak random wallets, and their private keys theoretically could be reproduced through technical means, as of now, there is still no publicly verifiable evidence indicating that the US government led a "brute force" action against the corresponding private keys. Unless relevant agencies formally acknowledge the fact of technical intervention, the true process of the entire event will remain shrouded in mystery.
Now that we recognize the importance of secure random numbers, how can we correctly obtain them in practical development and applications? The following principles should be followed:
(1) Prioritize using secure interfaces provided by the operating system to generate random numbers based on the system entropy pool.
(2) When conditions permit, use secure hardware entropy sources, such as the hardware random number instructions of Intel SGX CPUs.
(3) In MPC scenarios, multiple entropy sources can be combined to enhance overall security, such as combining the Linux system entropy pool with Intel SGX CPU hardware random numbers, thereby avoiding the risks of single entropy source failure or predictability.
(4) Use the secure random number generation interfaces in widely validated cryptographic libraries, such as libsodium, BoringSSL, OpenSSL, etc.
(5) Ensure that the seed entropy is no less than 128–256 bits, and never use low-entropy sources such as timestamps or process IDs as seeds.
(6) It is strictly forbidden to use non-cryptographically secure pseudo-random number generators (non-CSPRNGs), such as Mersenne Twister (MT19937), Math.random(), or rand().
Compared to single-party systems, MPC has a natural advantage in entropy fusion: each party can independently provide a random entropy source, and the final random result is generated collectively by all parties. As long as any one party remains honest, the randomness of the entire system cannot be predicted or manipulated. This multi-source random structure significantly enhances the overall security and tamper resistance of the system, making it one of the core security advantages of MPC protocols.
Safeheron has built a digital asset secure custody protocol based on MPC and TEE technology. In this scheme, the participants of the MPC protocol use a variety of independent secure entropy sources, including the Linux system entropy pool and TEE hardware entropy sources (such as Intel SGX hardware random number instructions). This multi-source entropy fusion mechanism not only strengthens the security boundary of the system but also establishes a higher security baseline for building a trusted execution environment (TEE) and a distributed signature system.
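As an added illustration of the entropy-fusion argument in the two paragraphs above (this is example code, not Safeheron's protocol), the following Python sketch hashes several independent contributions into one value and adds a commit-then-reveal step so that no party can choose its share after seeing the others'. The names Party, fuse_entropy and combine are assumptions of this example, and secrets.token_bytes stands in for each party's own entropy sources.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional


def fuse_entropy(*sources: bytes) -> bytes:
    """Hash independent contributions into one 32-byte value. Because SHA-256 is
    a one-way mixing function, the output stays unpredictable if even a single
    input is uniformly random. Inputs are length-prefixed so that different
    splits of the same bytes cannot collide."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()


class Party:
    """One MPC participant. `share` may be supplied for deterministic tests;
    otherwise it comes from the OS CSPRNG as a stand-in for that party's own
    entropy sources (kernel pool, hardware RNG)."""

    def __init__(self, name: str, share: Optional[bytes] = None):
        self.name = name
        self.share = share if share is not None else secrets.token_bytes(32)

    def commit(self) -> bytes:
        # Round 1: publish only a hash of the share, so it cannot be changed later.
        return hashlib.sha256(self.share).digest()

    def reveal(self) -> bytes:
        # Round 2: disclose the share once every commitment has been received.
        return self.share


def combine(commits: List[bytes], reveals: List[bytes]) -> bytes:
    """Verify every reveal against its commitment, then fuse. A mismatch means a
    party tried to pick its share after seeing the others'; the protocol must
    abort rather than use the result."""
    if len(commits) != len(reveals):
        raise ValueError("commitment/reveal count mismatch")
    for c, r in zip(commits, reveals):
        if not hmac.compare_digest(c, hashlib.sha256(r).digest()):
            raise ValueError("reveal does not match commitment; abort")
    return fuse_entropy(*reveals)


if __name__ == "__main__":
    parties = [Party("A"), Party("B"), Party("C")]
    commits = [p.commit() for p in parties]          # everyone commits first
    print("shared randomness:", combine(commits, [p.reveal() for p in parties]).hex())
    # A last mover who swaps in a new share after seeing the others is caught.
    late = [p.reveal() for p in parties[:-1]] + [secrets.token_bytes(32)]
    try:
        combine(commits, late)
    except ValueError as e:
        print("rejected:", e)
```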
The seemingly mysterious "theft of 120,000 bitcoins" event did not reveal the compromise of any algorithm, but rather the misuse of a non-cryptographically secure random number algorithm in the private key generation process by early developers, fundamentally weakening the security of the entire system.
The security of encrypted assets ultimately depends on the rigor of cryptographic implementation. Any subtle engineering oversight can be exploited by hackers, ultimately determining the ownership of digital assets. Only by ensuring random number security from the source, using trusted entropy sources and verified cryptographic libraries, can we allow "randomness" to return to its original intent—being unpredictable and tamper-proof.
Safeheron Lab, led by Safeheron's Chief Scientist Max He, brings together international experts in cryptography and security, focusing on foundational research in blockchain security and trusted computing. Safeheron Lab collaborates with partners such as the Turing Artificial Intelligence Research Institute to promote the transformation of research achievements and industrial applications, providing innovative solutions for digital asset security.
[1] $15 billion seized by US originates from Iran/China bitcoin miner "theft"
[2] How Crypto Trading Firm Wintermute Was Hacked For $160 Million
[3] A Deep Dive of HOW Profanity Caused Wintermute to Lose $160M
[4] Trust Wallet: CVE-2023-31290 Detail
[5] Libbitcoin Explorer: CVE-2023-39910 Detail
[6] CZ: Trust Wallet and Binance Wallet do not use Libbitcoin Explorer to generate mnemonics
[7] Update #7 - Billion Dollar Wallet Range, Now Empty
[8] Update #13 - Discovering Over 224k New Wallets
[9] Update #14 - More Information on Suspected Lubian.com Hack
This article is a submission and does not represent the views of BlockBeats.