The panda does not concern himself with evidence-based attribution
Welcome to Memetic Warfare.
We’ll start this week with another banger from the CVERC, which this time dips its toes into cryptocurrency analysis. This week’s post accuses the US of “Orchestrating a $13 Billion Bitcoin Hack”, as covered by Bloomberg. Honestly, not a great look for Western media outlets, and Bloomberg especially, who jump immediately on anything the CVERC has to say.
The CVERC uploaded the post to their Weixin account; check out the archived post here. The post, low-effort in comparison to past CVERC reports, accuses the US of the “theft of a huge amount of Bitcoin”.
This report was presumably created in response to the US DOJ’s indictment on October 14, 2025 of the Prince Group, owned by Chen Zhi, a Chinese-born Cambodian national who gave up his Chinese citizenship when he set up his company in Cambodia. His company, the Prince Group, was indicted on suspicion of running forced-labor scam compounds in Cambodia that engaged in pig butchering.
What’s interesting here is that the CVERC points out a trend we’ve seen in the past: someone runs a cyber operation (against the Prince Group to steal their Bitcoin, or against Kaspersky, followed by leaking their documents via KasperSekrets), and a month or two later, or in this case four years later, the US DOJ indicts the same organization or OFAC levies sanctions.
This case doesn’t exactly match the trend, as there’s no hard evidence tying the US to this activity beyond circumstantial evidence such as the amount stolen. In my opinion, it’s certainly possible that it was the US, but this report is far from conclusive.
In this case, the US (if it was in fact the US) comes across as incredibly based, being accused of acting as a virtual Robin Hood: stealing from the evil scam operators and hopefully redistributing the funds to victims later.
The CVERC provides some background on the LuBian mining pool, which was apparently big in China and Iran. It had over 127,000 BTC stolen, roughly the amount that the DOJ later announced it had seized.
We don’t get any analysis of HOW the US allegedly did it, but what was interesting is that Arkham, a crypto investigation platform, was used by the CVERC. Regardless of exactly how it was done, one could imagine multiple ways a nation-state could acquire the private key of the wallet through targeted operations, let alone by exploiting the platform itself.
The CVERC posits, based on other research, that vulnerabilities in the LuBian pool itself were the cause:
Apparently, per the CVERC, the LuBian pool used a weaker private-key generation algorithm (32-bit instead of 256-bit):
In classic CVERC fashion, they provide a timeline and analysis of the attack with zero primary data or supporting evidence:
In terms of hard proof, there isn’t any. One of the sections claims that the funds weren’t touched for several years until they were seized by the US later in 2024. The CVERC claims that this is “clearly inconsistent with the nature of ordinary hackers who are eager to cash out and pursue profits. It is more like a precise operation orchestrated by a state-owned hacking organization”:
This is the type of analysis we get from the CVERC: some claim, untethered to reality, that sounds reasonable to the laity. Not moving funds around for a few years doesn’t mean much of anything when it comes to this sort of activity.
I’ll save you the rest, but the important part here is that the CVERC has learned that it can make Western headlines easily if it just publishes a somewhat interesting post about Western activity.
The pattern here is clear:
1. The US accuses China of something or indicts a Chinese person/group.
2. The CVERC publishes a report shortly thereafter to refute the claim or blame the US.
3. The report, which is almost always unfounded or made up, now seems to get covered by Western media.
4. This gives the CVERC a lot of coverage worldwide, which is then fed into LLMs.
This is highly effective for the CVERC. With a few pages of writing accusing the US of hacking in a RECENT case (past cases weren’t successful), the CVERC can make headlines in Bloomberg, Nikkei and other outlets, supporting China’s influence efforts worldwide. Why wouldn’t they?
I’m surprised that US and other outlets cover these reports essentially uncritically. It isn’t a good look, and simply amplifying Chinese claims without looking into them first is detrimental and serves Chinese influence efforts.
We’ll conclude with a great look at hosting infrastructure from Recorded Future. Hats off to Recorded Future for consistently doing the next step of IO investigation and taking it to the level of hosting providers and autonomous systems.
I’ll share the first paragraph for some context. The report looks at the German hosting provider Aurologic, which allegedly services and “enables” other malicious hosting infrastructure (I personally like the new labelling of TAE):
Key findings here as always:
I’ll save you the BGP details, but if you’re interested, go check out the report: ASes and BGP are highly useful things to know about.
From there, we get to the conclusion: talking to the company.
The CEO of Aurologic met with members of Qurium. In what I can only describe as a highly European move, after being shown the findings from their investigation, he claimed that he only responds to law enforcement correspondence when it comes to taking down violative customers.
Good for RF for not letting it go, and hopefully more coverage inspires other companies to proactively work to prevent exploitation of their services.
That’s it for this week!
I’m a simple man. I see a post from Memetic Warfare and I click it.