Can the transaction IP be traced? Can individuals be traced through Bitcoin address transaction records? Can Bitcoin money laundering be traced? Can public security trace Bitcoin accounts?
Question: Can the public security find out who made the Bitcoin transfer? Can they trace the transaction IP? Can they trace individuals through Bitcoin address transaction records? Can they investigate Bitcoin money laundering? Can public security trace Bitcoin accounts?
Answer: The flow of a Bitcoin transaction can be queried. Bitcoin transactions are recorded on the public Bitcoin blockchain, so the movement of coins can be traced from one wallet address to the next. However, this only tells you which address the coins went to; it does not tell you who controls that address. Bitcoin is both transparent and public, yet anonymous: transactions and flows are public and permanently recorded, while the parties to a transaction appear only as addresses, which carry no identity information.
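To make the answer concrete, here is an added Python example (not part of the original page) that shows what a public block explorer can and cannot tell you. It runs on a few constructed transactions with hypothetical address labels A1, B1, C1 and so on, not real chain data: `trace_forward` follows coins from one address through later spends and returns the addresses they reached, and `cluster_by_common_input` applies the common-input-ownership heuristic, which links addresses that were spent together in one transaction. Both produce addresses and clusters, never identities, which is exactly the gap the text describes.

```python
from collections import defaultdict, deque

# Constructed sample transactions for illustration (not real chain data).
# Each entry spends the listed input addresses and pays the listed outputs.
# Amounts are in satoshi; address labels are hypothetical, not real addresses.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["A1"],       "outputs": [("B1", 60_000), ("A2", 39_000)]},  # A2 looks like change
    {"txid": "t2", "inputs": ["B1"],       "outputs": [("C1", 59_000)]},
    {"txid": "t3", "inputs": ["C1", "C2"], "outputs": [("D1", 100_000)]},                # C1 and C2 co-spent
    {"txid": "t4", "inputs": ["X1"],       "outputs": [("Y1", 10_000)]},                 # unrelated flow
]


def build_spend_index(txs):
    """Map each address to the transactions that spend from it."""
    index = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            index[addr].append(tx)
    return index


def trace_forward(txs, start, max_hops=3):
    """Follow coins forward from `start` through at most `max_hops` spends.

    Returns {address: hop_count} for every address that received funds
    downstream of `start`. This is what a public block explorer can answer:
    which addresses the coins moved to, not who controls them.
    """
    index = build_spend_index(txs)
    reached = {}
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for tx in index.get(addr, []):
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    reached[out_addr] = hops + 1
                    queue.append((out_addr, hops + 1))
    return reached


def cluster_by_common_input(txs):
    """Group addresses that were spent together as inputs of one transaction.

    Common-input-ownership heuristic: signing several inputs in one transaction
    usually requires one party to hold all of their keys. It remains a
    heuristic: CoinJoin-style mixing deliberately breaks it by letting
    unrelated parties co-sign a single transaction.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for tx in txs:
        first = tx["inputs"][0]
        find(first)                          # register single-input addresses too
        for other in tx["inputs"][1:]:
            union(first, other)

    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def cluster_of(txs, addr):
    """Return the cluster containing `addr`, or a singleton if it was never an input."""
    for c in cluster_by_common_input(txs):
        if addr in c:
            return c
    return frozenset({addr})


if __name__ == "__main__":
    print("downstream of A1:", trace_forward(SAMPLE_TXS, "A1"))
    print("cluster of C1:", sorted(cluster_of(SAMPLE_TXS, "C1")))
```

Running it lists everything downstream of A1 with its hop distance, while Y1, which merely sits on the same chain, is not reached; C1 and C2 fall into one cluster only because they were co-spent, which is the kind of link that mixing services are designed to break.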
Special attention: In Bitcoin-related cybercrime cases, the evidence proving the flow of Bitcoin transactions generally revolves around the flow of funds and network traces. When defending such cases, our lawyers need to identify the evidentiary issues in the fund-flow evidence and in the network-trace evidence.
The "Five Severance" methods to cut off the tracking of Bitcoin flows.
Bitcoin-related cybercrime differs from traditional crime: it leaves no physical traces or items at a crime scene that can prove the identity of those involved. In many cases the traces suspects leave are false, and it is hard to find conclusive evidence for conviction among false traces, because online evidence is difficult to link to offline evidence and a complete evidence chain is hard to form. This often leads to unclear facts and insufficient evidence, and ultimately to an inability to convict. As I often say: there is no truth in the world, only constructions and interpretations of facts based on evidence.
When handling such cases, we must first familiarize ourselves with the evidence system of such cases and categorize the relevant evidence. The evidence in such crimes generally falls into the following aspects:
1. The confessions of the suspect, the confessions of co-offenders, and testimonies from upstream or downstream parties.
2. Registration information, address information, and transaction information of Bitcoin wallets.
3. User information associated with wallet addresses, obtained and analyzed through computer, mobile phone and cloud forensics, such as email account names, Weibo accounts, QQ login IPs, etc.
4. Transaction platform circulation records and situation descriptions.
5. Records of deposits and withdrawals in online games.
6. Banking transaction records.
7. Chat records from WeChat, QQ, and overseas chat software such as Bat and Paper Plane (the Chinese nickname for Telegram).
8. Electronic data extracted or recovered from seized computers, mobile phones, external hard drives and the like, together with analysis and verification reports; the Bitcoin addresses and keys controlled by the suspect; and analysis of the addresses of the counterparties that appear in the suspect's transaction records.
9. Targeted electronic data related to third-party trading platforms, clients, related mobile devices, and the payment behaviors of the funds involved.
Because such crimes take place mainly in virtual online spaces, the evidence collected is predominantly electronic. As with other forms of cybercrime, this electronic evidence shares a common characteristic: it is easily destroyed and tampered with. Crimes in virtual spaces leave few traces to begin with, and those in the black market generally have some counter-investigation capability, such as routing transactions through Tor or proxies, or trading Bitcoin offline for cash with the keys handed over on USB drives or other storage devices. Their grasp of networks and computers is far beyond that of the average person, and their destruction and deletion of electronic evidence is correspondingly thorough, so that in most cases the original electronic data is hard to obtain. In addition, those in the black market often resist and refuse to truthfully disclose their actions once apprehended. Together this makes it difficult, in many cases, to form an evidence chain covering transaction behavior, the transaction network and the flow of funds.
Now I will briefly discuss the common methods and lines of thought we lawyers use to review the evidence chain when defending defendants in such cases. When reviewing the evidence for the defense, we mainly consider whether the following five aspects of the evidence can form a chain.
1. Whether the evidence chain connecting the wallet address to the suspect's (defendant's) identity can be severed. First, we lawyers need to review the evidence to see whether the correspondence between the receiving wallet address and the suspect's identity can be severed. To charge a crime there must first be evidence that the Bitcoin address receiving the illicit funds belongs to, or is related to, the suspect, and the anonymity of Bitcoin inevitably makes that hard to prove. In the case of Li et al., who set up an online gambling platform, players could place bets only with Bitcoin or Ethereum, which they had to transfer into the wallet address of Koying Kele. The investigating agency initially identified four Bitcoin wallet addresses as receiving gambling funds, based on the addresses supplied by the complainant, but because of evidentiary problems it could not break the anonymity of the wallets, and ultimately only one Bitcoin address was recognized as having received gambling funds.
2. Whether the evidence chain linking the wallet address to the suspect's IP address and device MAC address can be severed. We must understand the limits of evidence obtained by triangulation or targeted traffic inspection to find a source IP address, and pay attention to the flaws in IP-address evidence when Tor or a VPN is in use: the IP recorded by a remote server is then the exit node or VPN egress, not the user's own line. A MAC address is visible only on the local network segment, for example in the logs of a router or a public WiFi access point, never in the logs of a remote server. Moreover, in information-network crimes, tying criminal behavior to a locked IP address establishes only the following. First, that the behavior has a possible connection to the real-world address, not a necessary one: where IP addresses are allocated dynamically, no necessary connection between the behavior and the real location of the locked IP can be concluded. Second, even if that connection is established, it still does not directly connect the real location to the perpetrator; a necessary correlation between the real location and the perpetrator must still be shown before the perpetrator can be tied to the cybercrime. With only a wallet address it is hard to determine a login IP, and with only an IP address one cannot directly connect a real location to a perpetrator, so a crime cannot simply be established on that basis. Most convicted individuals were tied to the crime by other corroborating evidence: their own admission, or data logs, cache logs, QQ login information, posting history and other information found on their phones or computers.
3. Whether the evidence chain that links the Bitcoin transaction process to the suspect's other online information or traces can be severed. Bitcoin is only semi-anonymous: the protocol does not know the real names of the parties to a transaction, but transaction information can still be connected to real individuals by various methods. In many cases suspects are caught not because a wallet address was matched to their real identity, but because the various online traces left during the transaction process were analyzed and associated with their identity. When defending, our lawyers must examine the legality of how this online-trace evidence was collected. For example, in a case where Feng was arrested for selling Bitcoin to a fraud gang, he was puzzled: he had used public WiFi for his Bitcoin transactions and taken a series of measures to improve his anonymity, such as trading through proxies, repeatedly changing wallet addresses, and using online games for deposits and withdrawals. Why was he still found? This confuses many people in the cryptocurrency sphere. In that case, although Feng traded over public WiFi, the Dropbox application on his laptop synced with his company's server, so the public-WiFi IP address appeared next to his Dropbox account in the company's server logs. We must also be aware that even if a suspect visits no personal websites, the cookies stored on the computer can link a session to the same browser's earlier browsing history.
4. Whether the evidence chain associating the flow of funds with the suspect (defendant) can be severed.
The flow of funds when Bitcoin is cashed out is key evidence for solving cases; many cases are solved because evidence found in the cash-out process leads to the suspects. Cutting off the evidence of fund flow is therefore a crucial part of our effort to obtain case withdrawal, non-prosecution or acquittal.
We need to pay attention to the fact that in many cases there are now counter-investigation measures in the process of cashing out Bitcoin. For example, when cashing out overseas through underground banks or casinos, through offline cash transactions, or through mixing services or the dark web, the flow of funds is difficult to clarify. Last year I handled a case in Henan in which Li searched QQ for the groups 'Telecom Money Laundering' and 'Professional Money Laundering', joined them, and posted an offer of money-laundering services to a telecom fraud group. They purchased a large number of black cards to provide to the fraud gang, used all the money in those bank cards to buy Bitcoin through Huobi, sold the Bitcoin to others in offline cash transactions, and handed the cash from the sale to the fraud gang after deducting a commission. They used offline cash transactions to evade investigation and increase their anonymity. As a result, the other party to the Bitcoin buying and selling was known only by a WeChat name; their identity could not be confirmed, nor could the amount involved be clarified.
In cybercrimes involving Bitcoin, because of Bitcoin's anonymity and the counter-investigation capabilities of those in the black market, black cards, underground banks, gambling sites or mixing services are often used in the flow of funds, and forming an evidence chain from every transaction to a suspect is challenging. In a cyber fraud case I handled in 2017, the defendants bought Bitcoin with customer deposits entirely on foreign websites. The public security agency put the case amount at over 20 million, but during our defense we found that a significant portion of that amount could not be supported by a fund-flow evidence chain, and the prosecution ultimately reduced the determined amount to over 7 million. In another network crime case I handled in Zhejiang, the fraud amount was reduced from the initial 190 million to 120 million, a reduction of about 70 million.
As lawyers handling cybercrime cases, we need to focus on reviewing:
1. Whether the bank card receiving the illicit funds belongs to or is held by the suspect. Focus on the black cards used in the flow of illicit funds: determine whether these cards were held by the suspect, and check whether the evidence includes a record of the cards being seized. Also examine the evidence concerning the withdrawer, such as whether the withdrawer has been apprehended and whether there is evidence of a connection between the withdrawer and the suspect.
2. Whether the Alipay, online-banking or other online payment accounts used to move the illicit funds were held and operated by the suspect. In many cases the illicit funds flow into multiple Alipay, online-banking and other online payment accounts, and our lawyers need to focus on whether there is evidence that all of these accounts were owned or operated by the suspect. In the case of Wang, the illicit funds were transferred into five Alipay accounts and then on to online gambling platforms. There was no evidence that Wang operated those five accounts. So why was Wang arrested? The Cybersecurity Investigation Team analyzed the IP-address trajectories of the five Alipay accounts and found that the IP trajectories of Wang's QQ number, email and his own Alipay account matched those of the five accounts at multiple points in time, and on that basis concluded that the user of the five accounts was Wang. This is what we lawyers need to watch for: IP trajectory matching. It comes up in many cases, and we must be cautious, because identifying a suspect solely from matching IP trajectories across multiple payment accounts is a presumption. When VPS or VPN services are rented, or when many devices share one public network (carrier-grade NAT, an office or campus network, public WiFi), unrelated computers present the same public IP address. If there is no other corroborating evidence, the fund-flow evidence may be severed.
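The IP-trajectory matching described above, and the limitation the text warns about, can be reproduced on constructed data. The following Python is an added example, not the investigators' tool or code from the original article; the login records, account names and IP addresses (taken from the RFC 5737 documentation ranges) are invented. `trajectory_matches` counts how often two accounts appear on the same IP within a time window, which is the kind of matching the Cybersecurity Investigation Team relied on; `shared_ips` flags IPs used by many distinct accounts (a VPN or VPS egress, carrier-grade NAT, public WiFi) so that matches on them can be discounted.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed login records for illustration (not real logs):
# (account, timestamp, source IP). 'qq_wang' and 'email_wang' stand for
# accounts already tied to the suspect; 'alipay_1'..'alipay_3' are payment
# accounts whose operator is in question; 'vpn_user_*' are unrelated users
# behind the same shared egress IP 192.0.2.99. Assumed data, not a real case.
SAMPLE_EVENTS = [
    ("qq_wang",    "2023-03-01 08:00:00", "203.0.113.10"),
    ("alipay_1",   "2023-03-01 08:05:00", "203.0.113.10"),
    ("qq_wang",    "2023-03-02 21:00:00", "203.0.113.10"),
    ("alipay_2",   "2023-03-02 21:20:00", "203.0.113.10"),
    ("email_wang", "2023-03-05 09:00:00", "198.51.100.7"),
    ("alipay_1",   "2023-03-05 09:10:00", "198.51.100.7"),
    ("alipay_3",   "2023-03-06 10:00:00", "192.0.2.99"),
    ("qq_wang",    "2023-03-06 10:02:00", "192.0.2.99"),
    ("vpn_user_a", "2023-03-06 10:03:00", "192.0.2.99"),
    ("vpn_user_b", "2023-03-06 10:04:00", "192.0.2.99"),
    ("vpn_user_c", "2023-03-06 10:05:00", "192.0.2.99"),
]


def parse_events(raw):
    """Turn the raw tuples into (account, datetime, ip)."""
    return [(acct, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip) for acct, ts, ip in raw]


def shared_ips(events, min_accounts=4):
    """IPs used by at least `min_accounts` distinct accounts.

    A single home or office line rarely carries that many unrelated accounts;
    a VPN/VPS egress, carrier-grade NAT or public WiFi routinely does, so a
    match on such an IP says little about who sat behind it. The threshold
    is an assumption chosen for this sample.
    """
    accounts_by_ip = defaultdict(set)
    for acct, _ts, ip in events:
        accounts_by_ip[ip].add(acct)
    return {ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts}


def trajectory_matches(events, window=timedelta(minutes=30), exclude_ips=frozenset()):
    """Count, per unordered account pair, how often both accounts appeared on
    the same IP within `window` of each other. IPs in `exclude_ips` are skipped."""
    by_ip = defaultdict(list)
    for acct, ts, ip in events:
        if ip not in exclude_ips:
            by_ip[ip].append((ts, acct))
    matches = defaultdict(int)
    for recs in by_ip.values():
        recs.sort()                                  # sorted by time, so t2 >= t1 below
        for (t1, a1), (t2, a2) in combinations(recs, 2):
            if a1 != a2 and t2 - t1 <= window:
                matches[tuple(sorted((a1, a2)))] += 1
    return dict(matches)


def linked_to_known(matches, known_accounts):
    """Total matches between each candidate account and any already-known account."""
    score = defaultdict(int)
    for (a, b), n in matches.items():
        if a in known_accounts and b not in known_accounts:
            score[b] += n
        elif b in known_accounts and a not in known_accounts:
            score[a] += n
    return dict(score)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    known = {"qq_wang", "email_wang"}
    print("raw:     ", linked_to_known(trajectory_matches(evs), known))
    print("shared:  ", shared_ips(evs))
    print("filtered:", linked_to_known(trajectory_matches(evs, exclude_ips=shared_ips(evs)), known))
```

On the sample, alipay_3 matches the suspect's QQ account only on the shared egress 192.0.2.99, alongside three unrelated users, and that match disappears once shared IPs are excluded; alipay_1 and alipay_2 match on lines used by few accounts and survive. Even a surviving match remains circumstantial: it places two accounts on one line at about the same time, not one person at the keyboard, which is why the text calls it a presumption unless other evidence corroborates it.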
5. Whether the "person-case association" evidence chain can be severed, that is, whether the evidence associating the suspect with co-offenders can be cut off.
Crimes involving Bitcoin have the characteristics of a black industrial chain: suspects and co-offenders generally do not know each other, may be acquainted only online, and are often unaware of each other's real names. In cybercrime the forms of communication are diverse, the parties are virtual identities, and joint action is blurred, so it is sometimes hard to form an evidence chain pointing to a specific suspect. In many cases the public security agencies apprehend suspects at only one link of the chain and then seek evidence from them pointing to individuals at other links, which I call "person to person" evidence in cybercrime.
As counter-investigation capabilities in the online black market improve, it is increasingly hard for public security agencies to find "person to person" evidence chains during evidence collection. In cases I handled last year in Jingzhou, Hubei, and Zhoukou, Henan, the criminal gang used the Bat chat software and the Taiwanese chat software WhatsApp, which are end-to-end encrypted, leave no traces on the server, allow direct login by ID without binding any identity information, provide a high degree of security and privacy, and support messages that self-destruct after being viewed as well as two-way recall and deletion of chat history. These features obstruct the formation of a "person to person" evidence chain.
As lawyers handling such cases, we need to review the chat records, transfer records, call records and the like in the evidence to see whether there is sufficient proof that the parties conspired and were connected, striving to cut off the "person to person" evidence chain.
We must pay special attention to the suspect's own confession and the confessions of co-offenders. As noted, because of Bitcoin's anonymity and the difficulty of collecting electronic evidence, a complete evidence chain supporting a charge is relatively hard to obtain; in many cases the suspect's confession is crucial, and many breakthroughs come through confessions. We must examine the stability of the suspect's own confession, its consistency with co-offenders' statements, and any contradictions. When a suspect's statements are contradictory or have been retracted, how to treat and verify those statements is something we must master when handling cases.
Bitcoin-related cybercrime cases often involve many technical issues that make evidence collection difficult: sufficient evidence is often hard to find, and the evidence that exists may be hard to trust; the objective facts of the crime, especially the amount involved, are hard to ascertain; subjective intent is hard to prove; and the loose connections among accomplices are hard to establish. Disputes over the characterization of the offense vary widely. All of this requires lawyers to improve their legal knowledge and technical expertise and to strengthen their research. Only by mastering the characteristics of these new types of crime and the corresponding defense skills can we hope to achieve acquittal or reduced sentences in defending them.