How the U.S. Government Seized 120,000 BTC From Cambodia's "Pig-Butchering" Kingpin
Author|Aki WuBlockchain
On October 14, 2025, the federal court in Brooklyn (E.D.N.Y.) unsealed an indictment revealing that the U.S. Department of Justice recently executed the largest cryptocurrency forfeiture in history, seizing roughly 127,000 BTC valued at more than $15 billion. The seized Bitcoin traces back to scam proceeds tied to Cambodia’s Prince Group, whose mastermind—Chen Zhi, widely labeled the “pig-butchering kingpin”—allegedly ran large-scale crypto investment fraud using forced labor. Prosecutors allege the scheme generated illicit profits of tens of millions of dollars per day. The Bitcoin is now held in U.S. government custody.
This article unpacks the case background, provenance of the assets, and the cross-border enforcement breakthroughs behind this crypto investigation.
The Scam Empire Behind a Gilded Façade
Chen Zhi is the founder and chairman of Cambodia’s Prince Holding Group. The conglomerate claims to operate real-estate, finance and other businesses in more than 30 countries, but U.S. authorities allege it has quietly morphed into one of Southeast Asia’s largest transnational criminal organizations. According to disclosures from the U.S. Department of Justice and the U.S. Department of the Treasury, since 2015 Chen and his associates have operated at least ten fraud “industrial parks” across Cambodia, luring global victims into sham crypto-investment schemes—better known as pig-butchering scams. Prosecutors describe Chen as the mastermind of this “cyber-fraud empire,” saying he tolerated violence against workers, bribed foreign officials for protection, and allowed the group to splurge illicit proceeds on luxury items—from yachts and private jets to Picasso paintings purchased at New York auction houses.
Although Chen Zhi himself remains at large — the U.S. has issued both a wanted notice and sanctions against him — his dual U.K.–Cambodia citizenship and deep political–business ties add uncertainty to any future extradition. And behind a criminal empire of this size, there is inevitably a systematized money-laundering apparatus.
To strike at the entire profit chain, OFAC (U.S. Treasury’s Office of Foreign Assets Control) imposed full blocking sanctions on 146 targets, including members of the Prince Group–led transnational criminal organization. Under Chen Zhi’s control, Huione Group—a Cambodia-based fintech and e-commerce ecosystem that includes HuionePay and Telegram broker-style marketplaces—was explicitly identified by FinCEN (the U.S. Financial Crimes Enforcement Network) as a core conduit for the organization’s money-laundering activities.
According to the U.S. Treasury, at least USD 4 billion in illicit funds was laundered through the Huione network between August 2021 and January 2025, including virtual assets originating from North Korea–linked cyber theft, crypto investment fraud, and other cybercrime. In its concurrent sanctions notice against the Prince Group’s transnational criminal organization, Treasury emphasized fully severing Huione Group’s access to the U.S. financial system: regulated financial institutions are prohibited from opening or maintaining correspondent accounts for or on behalf of Huione Group, and must take reasonable measures to ensure that correspondent accounts for foreign financial institutions are not used to process transactions involving Huione, thereby preventing indirect access to the U.S. financial system.
In a public post, OKX CEO Star Xu stated that Huione Group has had a seriously negative impact on the crypto-asset ecosystem. Given the associated risks, OKX has implemented strict anti–money laundering (AML) controls for any transactions involving the group. All Huione-linked crypto deposits and withdrawals will undergo compliance reviews; based on the findings, OKX may freeze funds or suspend/terminate account services.
Source of Funds: Scam Proceeds and Bitcoin Mines
Where did the eye-catching 127,000 BTC (roughly $15 billion) come from? According to the U.S. Department of Justice (DOJ), the stash represents both the proceeds and the instrumentality of Chen Zhi’s fraud and money-laundering schemes. It was previously held in non-custodial crypto wallets under his control, with private keys in his possession—ill-gotten funds that, the government alleges, were carefully “laundered” to evade forensic tracing.
The indictment alleges that Chen and his associates funneled scam proceeds into bitcoin mining operations they controlled, using newly minted coins to “launder” value into BTC untainted by the original crimes. By routing dirty money through ostensibly legitimate mining, the group sought to replace the traceable inflows with freshly mined, “clean” bitcoin—severing on-chain links back to victims. As a result, mines affiliated with the Prince Group became a steady source of BTC and one of the network’s key channels for concealing criminal proceeds.
The indictment singles out a mining enterprise tied to Chen Zhi’s laundering scheme: the Lubian mining pool. Once a well-known global Bitcoin pool headquartered in China with operations extending into Iran, Lubian at its peak controlled roughly 6% of the Bitcoin network’s hash rate. As part of Chen’s alleged laundering network, Lubian helped convert fraud proceeds into large amounts of BTC.
In late December 2020, however, Lubian was swept into controversy by a puzzling “theft.” The pool reported a hack in which a huge trove of bitcoin was stolen. On-chain data indicates that 127,426 BTC—then worth about $3.5 billion—was siphoned from Lubian, briefly making the incident one of the largest Bitcoin thefts on record.
Lubian went quiet soon after and abruptly shut down its pool operations in February 2021. The more than 127,000 BTC then vanished from public view for a long stretch. On-chain analysis suggested the coins were moved into a small number of primary wallet clusters, but it remained unclear whether external attackers had looted Chen’s illicit funds—or whether the transfer was an insider-orchestrated move to spirit the money out of Lubian. Either way, the coins sat dormant on-chain, as if they had evaporated—until years later, when their fate finally came to light.
For more than three years, the 120k+ stolen BTC sat dormant on-chain with no obvious movement. On-chain analysis shows that from the late-2020 theft until mid-2024, these coins remained spread across dozens of hacker-controlled addresses. It wasn’t until July 2024 that roughly 127,000 BTC were consolidated in a large, coordinated transfer. Because those addresses had long been tagged by the community, on-chain intelligence platforms such as Arkham quickly identified the aggregating coins as the same assets from the 2020 Lubian mining-pool incident. The timing—moving from dormancy to activity on the eve of an international law-enforcement dragnet—is telling.
When the U.S. Department of Justice filed its civil forfeiture action in October 2025, the complaint listed 25 Bitcoin addresses as the prior repositories of the tainted BTC. Those addresses match the hacker addresses from the Lubian case, indicating that U.S. authorities attribute the 127k BTC to funds laundered by Chen Zhi and associates via Lubian—i.e., the same tranche that flowed out during the purported “theft” in 2020. The filing further states that the private keys were originally held by Chen, but the assets are now under U.S. government control. This strongly suggests that the July consolidation was carried out by U.S. authorities.
Was the U.S. “core technique” just brute-forcing?
Because early Bitcoin cases hyped “anonymous transactions,” the public gradually misread Bitcoin’s pseudonymity as strong anonymity, creating the illusion that Bitcoin is easier to launder. In reality, the public, immutable ledger gives law enforcement unprecedented flow-of-funds visibility. Investigators, using professional on-chain analytics, can stitch dispersed addresses into transaction graphs, identify which wallets belong to the same entity (via clustering heuristics), and flag anomalous flow patterns.
In this case, Arkham had long ago tagged the wallets tied to the Lubian mining pool. When the huge stash of BTC was stolen and later moved again, the analytics systems immediately linked the new addresses back to Lubian’s tags, locking in the path of the proceeds. Thanks to the blockchain’s immutability, even if fraudsters wait years before moving funds, they still can’t evade forensic tracking.
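The clustering and tag-following described in the two paragraphs above can be sketched as follows. This is an added example, not code from the article or from any analytics vendor; the ledger, addresses and the `tagged-pool` label are constructed, and it uses the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner) as one representative clustering rule.

```python
# Constructed sample ledger in chronological order:
# (txid, input addresses, output addresses). Addresses and tag are made up.
TXS = [
    ("t1", ["A1", "A2"], ["B1"]),   # A1 and A2 co-spend: assumed same owner
    ("t2", ["A2", "A3"], ["B2"]),   # A3 joins that cluster through A2
    ("t3", ["X1"], ["X2"]),         # unrelated activity
    ("t4", ["B1", "B2"], ["C1"]),   # later consolidation into a new address
]
TAGS = {"A1": "tagged-pool"}        # one address labelled in advance

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def cluster(txs):
    """Common-input-ownership heuristic: inputs of one tx share an owner."""
    uf = UnionFind()
    for _, ins, outs in txs:
        for addr in ins + outs:
            uf.find(addr)               # register every address seen
        for addr in ins[1:]:
            uf.union(ins[0], addr)
    return uf

def label_flows(txs, tags):
    """Spread each tag over its cluster, then follow it forward in time."""
    uf = cluster(txs)
    cluster_tag = {uf.find(a): t for a, t in tags.items()}
    labels = {a: cluster_tag[uf.find(a)]
              for a in list(uf.parent) if uf.find(a) in cluster_tag}
    for _, ins, outs in txs:
        # Origin tags carried by this transaction's inputs, if any.
        src = {labels[a].split("from:")[-1] for a in ins if a in labels}
        for out in outs:
            if src and out not in labels:
                labels[out] = "from:" + sorted(src)[0]  # simplification: one origin
    return labels

if __name__ == "__main__":
    print(label_flows(TXS, TAGS))
```

A single pre-existing tag on `A1` ends up labelling the consolidation address `C1`, however long the coins sat between `t2` and `t4`. The heuristic is probabilistic: multi-party transactions such as CoinJoin deliberately break the same-owner assumption, so production tooling combines it with other signals.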
However, knowing an on-chain address is not the same as controlling the assets—the critical factor is control of the private key. There is still no definitive public account of how U.S. authorities obtained these keys. According to research by Arkham, the Lubian pool did not use a sufficiently secure source of randomness when generating wallet keys; its key-generation scheme had weaknesses that could be brute-forced. By contrast, Cobo co-founder Shenyu says investigators did not brute-force or hack the keys; rather, they discovered randomness defects present at the time the keys were created.
By incomplete counts, more than 220,000 addresses were affected, and a full list has been made public. The wallets’ private keys were produced by a flawed pseudo-random number generator (PRNG). Because the PRNG used a fixed offset and patterns, the private keys became more predictable.
Funds are still being sent to some of the affected addresses, indicating the risk has not been fully eliminated. It is also suspected that U.S. law-enforcement and security researchers may have access to similar techniques or indicators. Another possibility is that the U.S. obtained control via social engineering, search-and-seizure, and offline evidence collection—for example, recovering mnemonic phrases or signing authority—and, by infiltrating the fraud ring, gradually took over the keys. Either way, even though Chen Zhi himself remains at large, the “digital gold” his syndicate prized has already been fully seized.
Takeaways for Industry and Regulators
The once-untouchable fraud kingpin has now lost his hoard of “digital gold,” and crypto—once seen as a money-laundering tool—has, in this case, become a powerful instrument for recovering stolen assets. The seizure of the Cambodian “pig-butchering” kingpin’s bitcoins offers sobering lessons for both the industry and regulators.
First, the security of crypto assets ultimately rests on cryptographic strength: any weakness in key generation or operational security can be exploited—by attackers or by law enforcement—to determine who ultimately controls the assets. That is why more traditional law-enforcement bodies are adopting on-chain tracing and key-recovery/cryptanalytic techniques, steadily dismantling the illusion that criminals can rely on cryptography to evade accountability.