In October 2025, the U.S. government announced the seizure of 127,000 BTC from Prince Group. On‑chain tracing reports indicated that these funds were in fact the assets stolen from the LuBian mining pool in December 2020.
How did the U.S. government obtain LuBian’s wallet private key?
Apparently the LuBian mining pool wallet suffered from the Milk Sad vulnerability (#221391), using only 32 bytes of entropy when it was generated. Presumably this is how the Prince Group got LuBian Pool's bitcoin. It still doesn't answer, however, how the US got Prince Group's keys.
Unfortunately, while this article uses this story as a hook, it doesn't answer the question it poses (I guess they are just implying that it could have happened via this kind of vulnerability). But it does go into some interesting details about hacking a Cypherock X1 Vault hardware wallet.
The Cypherock X1 Vault
I had never heard of a Cypherock X1 Vault, and so I had to look it up: it's a screenless signing device that splits your seed into Shamir secret shares, which are stored on NFC chips in what look like credit cards. Their marketing copy says things like: "The Safest web3 wallet to ever exist" and "More than 18000+ crypto assets supported."
The DarkNavy people determined that:
Although the Cypherock X1 Vault has an ATECC608A secure element built in, this SE is only used for device authenticity checks.
They demonstrated live at GEEKCON that a device could be backdoored via the closed-source firmware and yet would still pass authenticity checks in Cypherock's companion app CySync.
In March, DARKNAVY reported two vulnerabilities to Cypherock by email. They silently pushed patches to GitHub but did not even bother to send an acknowledgment. Coincidentally, at this year’s Hexacon, the session titled “Breaking the Vault: USB Bugs and Bug Bounty Failures” explicitly highlighted the experiences of peers reporting vulnerabilities to Cypherock.
The moral of the story is that you should probably use a signing device that has a screen on it. You should probably also use a signing device that has open source firmware (devices like Jade, BitBox, Trezor, SeedSigner, SpecterDIY; even Coldcard is source viewable).
A signing device is only as secure as the moment it signs. If you have five key shares, but you have to bring them all together on one device to sign, you need to be sure that one device is not compromised. This is one of the reasons PSBTs are so awesome. You can review the transaction and sign with different devices.
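To make concrete what "splits your seed into Shamir secret shares" means, and why the device that recombines them is the single point of compromise the PSBT remark above is getting at, here is a minimal byte-wise Shamir implementation over GF(2^8). This is an added example written for this thread, not Cypherock's code and not a description of their actual parameters; the 3-of-5 threshold, the 32-byte demo secret and the function names are my own choices.

```python
"""Byte-wise Shamir secret sharing over GF(2^8) (AES polynomial).
Illustrative example; assumptions: 3-of-5 threshold, 32-byte demo secret."""
import secrets
from itertools import combinations


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) reduced by x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^(2^8 - 2); undefined for a == 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def _eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split_secret(secret: bytes, threshold: int, n_shares: int) -> list:
    """Return [(x, share_bytes), ...]; any `threshold` of them recover `secret`."""
    if not 1 < threshold <= n_shares <= 255:
        raise ValueError("need 2 <= threshold <= n_shares <= 255")
    # One random polynomial of degree threshold-1 per secret byte.
    polys = [[b] + list(secrets.token_bytes(threshold - 1)) for b in secret]
    return [(x, bytes(_eval_poly(p, x) for p in polys))
            for x in range(1, n_shares + 1)]


def combine_shares(shares: list) -> bytes:
    """Lagrange-interpolate every byte at x = 0.

    Whoever runs this holds the complete seed in memory: that is the
    'one device' the thread warns about."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and non-zero")
    # l_i(0) = prod_{j != i} x_j / (x_j - x_i); subtraction is XOR in GF(2^8).
    basis = []
    for i, xi in enumerate(xs):
        li = 1
        for j, xj in enumerate(xs):
            if j != i:
                li = gf_mul(li, gf_mul(xj, gf_inv(xj ^ xi)))
        basis.append(li)
    out = bytearray(len(shares[0][1]))
    for k in range(len(out)):
        acc = 0
        for (_, y), li in zip(shares, basis):
            acc ^= gf_mul(y[k], li)
        out[k] = acc
    return bytes(out)


def demo(secret: bytes = bytes(range(32)), threshold: int = 3, n_shares: int = 5):
    """Constructed 32-byte secret: every threshold-subset recovers it,
    threshold-1 shares yield an unrelated value (no partial leak)."""
    shares = split_secret(secret, threshold, n_shares)
    every_subset_ok = all(combine_shares(list(c)) == secret
                          for c in combinations(shares, threshold))
    too_few = combine_shares(shares[:threshold - 1])
    return every_subset_ok, too_few != secret


if __name__ == "__main__":
    print(demo())
```

The recovery step is the thing to look at: `combine_shares` necessarily produces the full seed in the clear on whatever host runs it, so the shares only protect you while they stay apart. Signing with a PSBT across independent devices avoids ever having to do that reconstruction.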
For now I'm still sticking to old school scripted multisig, but I was wondering if there is a place that tracks MuSig2 (and the added PSBT fields from BIP-373) implementation across signing libs / devices?
I know that Core has had the fields implemented for a couple of months now, but what field-usable implementations (as in not-Core wallet) can we play with today?
I remember hearing that Nunchuk supported MuSig2, but when I did some looking just now, I saw something that said it is only supported for software wallets...which seems to imply that none of the hardware signers support it.
Ledger claims they support MuSig2 via their Bitcoin app, and I thought that BitBox supported it, but their blog post about MuSig doesn't explicitly say they support it. I'm not aware of others that have rolled out MuSig2 support.
Thanks.
The problem with Ledger is that keys can be extracted from the device, so that's a (very expensive) testnet-only device. Maybe I should spend some time on Coldcard.
I've not personally used a Ledger, but Salvatore seems to keep them on the cutting edge.
The larger question of using a purpose-specific signing device is very interesting to me. I still feel a little that it is a bigger target than the safety it provides. I know lots of people use them with no problem, but I still get nervous about the idea of a device that has no other purpose than to sign bitcoin transactions -- how are they not massive honey pots?
I guess the solution is multi-vendor multisig.
In the case of Ledger... they are. This was a whole scandal a few years back and it made me regret using that (and telling others to use it).
It all comes down to the secure element being sufficiently hard to extract data from (and arguably since any ledger app can extract a key, that isn't "hard", it's trustmebro). Hardware security buys you time to move funds; that's really all it does.