Authors: Zhu Tonghui, Wu Tong
Note: For readability, all wallet addresses, IDs, and Excel file names in this article are represented by their first four characters.
Zhu Tonghui, Wu Tong: Review Opinion on Virtual Currency Data in the Case of Li Certain Suspected of Stealing 108 Bitcoins
Table of Contents
Basic Information
Commission Situation
Terminology Explanation
Review Process and Corresponding Conclusions
(1) The Relationship Between the Electronic Data Verified by KuShen Company and the Hardware Wallet
Binding Situation of Hardware Wallet and Wallet Address in KuShen Verification Document
Usage of Hardware Wallet by Yang Certain
Binding Situation of the Suspected Stolen Coin Address 59qs****** with the Hardware Wallet
Binding Situation of Two Addresses Suspected of Concealing Stolen Funds with the Hardware Wallet and Their Relationship with Other Addresses
Relationship Between the Hardware Wallet Purchased by Li Certain and Wallet Address 59qs******
(2) Analysis of the Correlation Between Mobile ID, IP Address, and Wallet Address in KuShen Verification Data
The Mobile ID of the Phone Corresponding to Yang Certain's Wallet Address When Binding the Hardware Wallet Matches the Mobile ID of the Phone Corresponding to the Suspected Concealed Funds Wallet Address
The Login IP of the Phone Corresponding to Yang Certain's Wallet Address Matches the Login IP of the Phone Corresponding to the Suspected Concealed Funds Wallet Address
(3) Review of the "Analysis Report on the Bitcoin Theft Case of Yang Certain"
The Issuing Entity of the Analysis Report Has No Qualifications and Cannot Serve as Evidence for the People's Court
The Analysis Report Contains Major Logical Errors
The Electronic Technology Company Lacks the Qualification to Conclude that a Natural Person is Suspected of a Crime
Review Opinions and Suggestions
1. Basic Information
Commissioning Unit (Client): Beijing Jingshi Law Firm, Wang Xibin
Trustee:
Zhu Tonghui
Doctor of Litigation Law from Peking University, Associate Professor at Nankai University Law School, Forensic Expert at Beijing Yunzheng International Data Security Technology Co., Ltd.
Wu Tong
Doctor from the School of Information Security Engineering, People's Public Security University of China, Postdoctoral Researcher at Beijing Jiaotong University, Part-time Teacher at the Evidence Science Research Institute of China University of Political Science and Law, Forensic Expert at the Electronic Data Forensic Center of Beijing Internet Industry Association.
Commissioned Review Matter: Based on the electronic data and other case materials in the case of Li Certain suspected of stealing 108 Bitcoins, defended by lawyer Wang Xibin from Beijing Jingshi Law Firm, analyze the correlation and control situation of the involved hardware wallet, interactive phone, login IP, and virtual currency wallet address.
Acceptance Date: September 17, 2025
Review Date: September 17, 2025 - November 25, 2025
Review Basis: "General Principles of Forensic Appraisal Procedures" (2016); SF/Z JD0400001-2014 General Implementation Standards for Electronic Data Forensic Appraisal
Review Location: Chaoyang District, Beijing
2. Commission Situation
The client accepts the commission from Beijing Jingshi Law Firm regarding the defendant Li Certain's suspected Bitcoin theft case, to conduct a professional analysis of the electronic evidence and related evidence of the case. One of the important bases for this case is the involved electronic data and other materials.
The client now commissions Zhu Tonghui (Forensic Expert at Beijing Yunzheng International Data Security Technology Co., Ltd.) and Wu Tong (Forensic Expert at the Electronic Data Forensic Center of Beijing Internet Industry Association) as expert assistants to conduct a professional review in conjunction with the electronic data and other evidence involved in this case.
3. Terminology Explanation
BTC (Bitcoin): Bitcoin is a decentralized cryptocurrency and the first peer-to-peer electronic cash system based on blockchain technology, proposed by Satoshi Nakamoto in 2008 and officially launched in 2009. Its core features include decentralization, fixed total supply, global circulation, transparency of addresses and transactions, and a certain level of anonymity for associated entities.
Mnemonic Phrase: A set of simple words generated from the private key of a cryptocurrency wallet, following fixed rules, serving as a human-readable and memorable expression of the private key, also known as a recovery phrase or seed phrase.
Its core function is to facilitate users in backing up and recovering their wallets. Since the private key is a long string of random characters that is difficult for ordinary people to remember and accurately record, the mnemonic phrase significantly reduces the difficulty of backup and storage by mapping the private key to common English words (some wallets also support other languages like Chinese).
Cryptocurrency Wallet Address: Generated from the mnemonic phrase, it is a unique character identifier for users to receive and send digital assets (such as cryptocurrencies, NFTs, etc.) on the blockchain network. It is generated through asymmetric encryption algorithms, derived from the public key obtained from the private key, and simplified through hashing and other processes, serving as a "digital address" for asset transactions in the blockchain world. It is used solely to identify the target or source of asset flow, does not directly associate with the user's real identity, and transaction records can be publicly queried through blockchain explorers, but the private key cannot be reverse-engineered from the wallet address to ensure asset security.
Hardware Wallet: A hardware wallet is a physical device with a high-security chip built-in, designed for offline storage of cryptocurrency private keys and completing offline signatures, also known as a cold wallet. Its core principle is to ensure that the private key is always stored within the device and not exposed to a networked environment through physical isolation from network connections, thereby technically avoiding the risk of the private key being stolen by network attacks. It also adheres to blockchain industry standards such as BIP-39 and BIP-44, making it a highly secure dedicated device for cryptocurrency storage.
Unique Identification Code of Hardware Device: The most basic unique identifier assigned by the device manufacturer, printed on the device body, packaging, or system information, applicable to all electronic devices (such as computers, phones, printers, hardware wallets, etc.), serving as the unique identification basis at the manufacturer level. The "device code" in the electronic data of this case is the unique code of the KuShen Company hardware wallet. The "mobile ID" in the electronic data of this case is the unique code calculated from the hardware information obtained by the KuShen wallet app from the installed phone. Both belong to the unique identification code of hardware devices and possess uniqueness.
IP: Internet Protocol Address, a unique digital identifier assigned to each connected device on the internet, following the specifications of the TCP/IP protocol suite, used both to locate and identify devices logically within the network and as a "network address" for data transmission between devices. Through the IP address, different devices can achieve precise addressing and communication within the complex topology of the internet. It is mainly divided into two versions: IPv4 (32-bit binary number in dotted-decimal format) and IPv6 (128-bit binary number in colon-hexadecimal format) to accommodate different network address resource needs.
4. Review Process and Corresponding Conclusions
(1) The Relationship Between the Electronic Data Verified by KuShen Company and the Hardware Wallet
- Binding Situation of Hardware Wallet and Wallet Address in KuShen Verification Document
The KuShen verification document "Supplementary Investigation Evidence Volume of Yang Certain and Yang 2 Certain" (one return) P18-30 (printed version of electronic data "6666******.xls") shows that there is a KuShen hardware wallet in this case, with a device code of "5530f0d455e7ce108f". This device is bound to a total of 28 addresses, and the device model is KuShen P3 (the last column of the screenshot shows "P1/P2", which is inaccurate according to KuShen's response; KuShen can confirm that this wallet is a P3 model; importantly, the hardware wallet seized in this case belonging to Yang Certain, which will be analyzed in detail below, is a P1 model).
Among them, 59qs****** is the address suspected of having 108 stolen Bitcoins. 55WA****** and 55Nq****** are addresses suspected of concealing stolen funds.
Notably, the aforementioned 59qs******, along with ZX5i******, EECv******, and 28eV******, totals four addresses, which are also addresses of Yang Certain's P1 hardware wallet seized in this case.
In summary, the electronic data materials and electronic evidence in this case show that two different models of hardware wallet are involved, and that the address suspected of having 108 stolen Bitcoins and three other addresses have been bound in both devices. At the same time, no wallet addresses controlled or used by Li Certain have been found.
- Usage of Hardware Wallet by Yang Certain
In the record of Yang Certain in the "Supplementary Investigation Volume of Yang Certain and Yang 2 Certain Bitcoin Theft Case" (one return) on page 4, Yang Certain stated: "I spent over 3000 yuan for Li Certain to help me buy a cold wallet. On February 22, 2019, I met Li Certain and asked him to help me operate with my phone to transfer 64 Bitcoins from the trading platform to the cold wallet…"
Combined with KuShen's response to the police's third question in this case: "The creation time of the address in KuShen's database is the time when the KuShen hardware wallet and the mobile phone were bound (February 22, 2019, 19:44:13). Binding the KuShen hardware device requires a mnemonic phrase. There are two ways to obtain a mnemonic phrase: 1. Importing a mnemonic phrase to bind the hardware device; 2. Using the cold wallet to generate a mnemonic phrase to bind the device. If the mnemonic phrase is imported to bind the device, it may have been used before binding the KuShen hardware device (after generating the address, there may have been transfers or receipts). The creation time of the address in KuShen's database being later than the first transfer time of the address may be due to this reason."
The binding time of the hardware wallet mentioned in Yang Certain's record on February 22, 2019, is consistent with the binding time of address 59qs****** with the device code "5530f0d455e7ce108f" of the KuShen P3 hardware wallet in the KuShen verification data on February 22, 2019.
Since this wallet address has had on-chain transactions since 2017, combined with the objective rule that the mnemonic phrase must be bound and used on the KuShen hardware wallet or another hardware wallet with the same function for transactions, and Yang Certain's statement that he only bound and used the newly purchased KuShen hardware wallet on February 22, 2019, it can be inferred that Yang Certain previously had another KuShen hardware wallet or a hardware wallet with the same function. This earlier hardware wallet is very likely the P1 KuShen hardware wallet that has been seized in this case.
- Binding Situation of the Suspected Stolen Coin Address 59qs****** with the Hardware Wallet
In the aforementioned KuShen verification document "Supplementary Investigation Evidence Volume of Yang Certain and Yang 2 Certain" (one return) P18, 24, 29 (printed version of electronic data "6666******.xls"), the suspected stolen coin address 59qs****** was bound to the KuShen hardware wallet with ID "5530f0d455e7ce108f" on February 22, 2019, at 19:44:13.
The response from KuShen Company to the police's second question in this case includes the statement that the addresses 59qs******, 55WA******, and 55Nq****** "are addresses generated from the same set of mnemonic phrases and have been used in the device (5530f0d455e7ce108f)."
Additionally, in KuShen Company's response to the police's fifth question, it is explicitly pointed out: "The device code associated with the police address investigation form is the device ID that last bound the KuShen hardware wallet using the same set of mnemonic phrases."
Furthermore, analyzing the screenshot of Yang Certain's KuShen P1 wallet that has been seized, it can be found that this P1 wallet contains two addresses with the same mnemonic phrase as 59qs******: zgwW****** (DASH) and 7y26****** (Ethereum Classic).
However, in the backend records of the P3 hardware wallet, which is bound to 28 addresses and includes the suspected stolen coin address 59qs******, these two addresses do not have any binding records. This indicates that if a mnemonic phrase binds a new hardware wallet but does not restore the wallet address within it, then the KuShen backend will not record the binding time of that address in the old KuShen wallet.
Therefore, a definitive conclusion can be drawn that the binding time of each address in the aforementioned KuShen verification document "6666******.xls" is the last time it was bound to the hardware wallet 5530f0d455e7ce108f.
In summary, based on the above analysis, it can be concluded that the last binding time of the suspected stolen coin address 59qs****** in the KuShen hardware wallet with device code 5530f0d455e7ce108f is February 22, 2019, and there have been no new KuShen hardware wallets binding, controlling this address, or conducting asset transactions thereafter. If there are questions regarding KuShen Company's technical descriptions, further verification can be conducted for analysis.
- Binding Situation of the Two Addresses Suspected of Concealing Stolen Funds with the Hardware Wallet and Their Relationship with Other Addresses
The addresses suspected of concealing stolen funds, 55WA****** and 55Nq******, are among the 28 addresses in the aforementioned KuShen verification and were last bound in the hardware wallet with device code "5530f0d455e7ce108f."
As previously mentioned, the addresses 59qs******, ZX5i******, EECv******, and 28eV****** in the seized Yang Certain's P1 wallet are also bound to the P3 wallet with device code "5530f0d455e7ce108f," and are bound in the same P3 wallet as the addresses suspected of concealing stolen funds.
Combining the previous response from KuShen Company to the police's second question, it can be determined that the four addresses of Yang Certain are bound and have been used in the same hardware wallet "5530f0d455e7ce108f" as the two addresses suspected of concealing stolen funds.
- Relationship Between the Hardware Wallet Purchased by Li Certain and Wallet Address 59qs******
In the case file "Supplementary Investigation Volume of Yang Certain and Yang 2 Certain Bitcoin Theft Case" (two returns) on page 109, it is noted that Li Certain purchased the KuShen hardware wallet on February 14, 2020.
If Li Certain had used this purchased hardware wallet to transfer the Bitcoins, he would have had to bind and control the wallet using the stolen private key, and the last binding time recorded in the KuShen backend for the suspected stolen coin address 59qs****** would then fall at some point after the purchase date of February 14, 2020. However, the last binding time recorded by KuShen Company for this address is February 22, 2019, at 19:44:13.
Therefore, it can be concluded that Li Certain did not bind, control, or transfer coins using this newly purchased hardware wallet for the address 59qs******.
(2) Analysis of the Correlation Between Mobile ID, IP Address, and Wallet Address in KuShen Verification Data
- The Mobile ID of the Phone Corresponding to Yang Certain's Wallet Address When Binding the Hardware Wallet Matches the Mobile ID of the Phone Corresponding to the Suspected Concealed Funds Wallet Address
The addresses ZX5i****** and EECv****** in Yang Certain's P1 wallet are shown in the aforementioned KuShen verification document "Supplementary Investigation Evidence Volume of Yang Certain and Yang 2 Certain" (one return) P18, 24, 29 (printed version of electronic data "6666******.xls") to have a corresponding APP mobile ID of "777D******" when bound to the hardware wallet. The binding times are both before the alleged theft of coins on October 15, 2020, specifically on February 24 and 26, 2018. The suspected concealed funds address 55Nq****** in this same KuShen verification data shows that its corresponding APP mobile ID when bound to the hardware wallet is also "777D******."
At the same time, according to the KuShen verification document "Supplementary Investigation Evidence Volume of Yang Certain and Yang 2 Certain" (one return) P14-17 (printed version of electronic data "19cd******.xls"), among the 19 transactions of the suspected concealed funds address 55Nq******, 18 transactions have their corresponding APP mobile ID as mentioned above: "777D******."
The address 28eV****** in Yang Certain's KuShen P1 wallet is shown in the same KuShen verification materials to have a corresponding APP mobile ID of "8g52******" when bound to the hardware wallet. The suspected concealed funds wallet address 55WA****** in this same KuShen verification data shows that its corresponding APP mobile ID when bound to the hardware wallet is also "8g52******."
Therefore, the two addresses suspected of concealing stolen funds have the same mobile ID corresponding to the APP when binding the hardware wallet, which is the same mobile ID corresponding to Yang Certain's wallet address when binding the hardware wallet.
Thus, based on the principle of identity recognition through electronic traces and the pattern of mobile software binding with mobile device IDs, these identical mobile ID records objectively reflect that Yang Certain has been controlling the aforementioned two addresses suspected of concealing stolen funds since the alleged theft of coins.
- The Login IP of the Phone Corresponding to Yang Certain's Wallet Address Matches the Login IP of the Phone Corresponding to the Suspected Concealed Funds Wallet Address
The addresses ZX5i****** and EECv****** in Yang Certain's KuShen P1 wallet are shown in the aforementioned KuShen verification data "Supplementary Investigation Evidence Volume of Yang Certain and Yang 2 Certain" (one return) P18, 24, 29 (printed version of electronic data "6666******.xls") to have a corresponding APP mobile login IP of 186.**.***.185 when bound to the hardware wallet, with binding times on February 24 and 26, 2018, before October 15, 2020.
The suspected concealed funds wallet address 55Nq****** in the same KuShen verification data shows that its corresponding APP mobile login IP when bound to the hardware wallet is also 186.**.***.185.
Additionally, this wallet address in the KuShen verification data "Supplementary Investigation Evidence Volume of Yang Certain and Yang 2 Certain" (one return) P14 (printed version of electronic data "19cd******.xls") shows that its corresponding APP mobile login IP on May 4, 2021, was also 186.**.***.185.
Therefore, based on the principle of identity recognition through electronic traces and the objective rules of IP allocation and usage, these identical IP records also objectively reflect that Yang Certain has been controlling the suspected concealed funds address 55Nq****** since the alleged theft of coins.
No objective association has been found between Li Certain's devices and software and the above electronic evidence and wallet addresses.
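An added example, not part of the original opinion or of KuShen's tooling: the two checks applied in sections (1) and (2), a last-binding-time comparison against a purchase date and a match on device code, mobile ID and login IP, run over a constructed binding export. The rows, field names and labels are assumptions; blank identifier values are skipped so that missing fields never link addresses.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
LINK_FIELDS = ("device_code", "mobile_id", "login_ip")

# Constructed sample rows, NOT case data. Column names and labels are
# assumptions; only the two timestamps used in the timeline check below
# mirror dates quoted in the opinion.
RECORDS = [
    {"address": "known_1", "device_code": "dev_P1", "mobile_id": "mob_A",
     "login_ip": "192.0.2.10", "bound_at": "2018-02-24 09:00:00"},
    {"address": "known_2", "device_code": "dev_P1", "mobile_id": "mob_B",
     "login_ip": "", "bound_at": "2018-02-26 09:00:00"},
    {"address": "disputed", "device_code": "dev_P3", "mobile_id": "mob_C",
     "login_ip": "", "bound_at": "2019-02-22 19:44:13"},
    {"address": "suspect_1", "device_code": "dev_P3", "mobile_id": "mob_A",
     "login_ip": "192.0.2.10", "bound_at": "2020-11-02 08:15:00"},
    {"address": "suspect_2", "device_code": "dev_P3", "mobile_id": "mob_B",
     "login_ip": "", "bound_at": "2020-11-03 21:40:00"},
    {"address": "other", "device_code": "dev_Q", "mobile_id": "mob_Z",
     "login_ip": "", "bound_at": "2020-03-01 10:00:00"},
]
PURCHASE_DATE = "2020-02-14 00:00:00"


def last_binding(records, address):
    """Latest recorded binding time for an address, or None if never bound."""
    times = [datetime.strptime(r["bound_at"], FMT)
             for r in records if r["address"] == address]
    return max(times) if times else None


def bound_on_or_after(records, address, cutoff):
    """True if any binding of `address` is recorded at or after `cutoff`."""
    last = last_binding(records, address)
    return last is not None and last >= datetime.strptime(cutoff, FMT)


def identifiers(records, address):
    """Non-blank identifier values seen for one address, per field."""
    seen = defaultdict(set)
    for r in records:
        if r["address"] == address:
            for field in LINK_FIELDS:
                if r.get(field):          # blank values never count as a match
                    seen[field].add(r[field])
    return seen


def shared_identifiers(records, addr_a, addr_b):
    """Which fields, and which values, two addresses have in common."""
    a, b = identifiers(records, addr_a), identifiers(records, addr_b)
    return {f: sorted(a[f] & b[f]) for f in LINK_FIELDS if a[f] & b[f]}


def clusters(records, fields=LINK_FIELDS):
    """Group addresses that share any non-blank value in `fields`."""
    parent, first_holder = {}, {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for r in records:
        root = find(r["address"])
        for field in fields:
            value = r.get(field)
            if not value:
                continue
            holder = first_holder.setdefault((field, value), r["address"])
            parent[find(holder)] = root     # merge the holder's group into ours
    groups = defaultdict(list)
    for address in list(parent):
        groups[find(address)].append(address)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print(bound_on_or_after(RECORDS, "disputed", PURCHASE_DATE))
    print(shared_identifiers(RECORDS, "known_1", "suspect_1"))
    print(clusters(RECORDS, fields=("mobile_id", "login_ip")))
```

Because the export described above keeps only the last binding per address, `last_binding` can show that no later binding was recorded but says nothing about earlier devices. `shared_identifiers` reports which fields matched so that device code, mobile ID and login IP can each be weighed separately.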
(3) Review of the "Analysis Report on the Bitcoin Theft Case of Yang Certain"
In this case, Yue Shen Electronic Technology Co., Ltd. was commissioned by the police to issue the "Analysis Report on the Bitcoin Theft Case of Yang Certain." Based on the criminal procedure rules, general principles of forensic appraisal procedures, and the characteristics of blockchain transactions, the legality, reliability, and relevance of this analysis report are analyzed as follows.
- The Issuing Entity of the Analysis Report Has No Qualifications and Cannot Serve as Evidence for the People's Court
Article 50, Paragraph 2 of the Criminal Procedure Law of the People's Republic of China stipulates that evidence includes: (1) physical evidence; (2) documentary evidence; (3) witness testimony; (4) victim statements; (5) confessions and defenses of the suspect or defendant; (6) expert opinions; (7) records of inspections, examinations, identifications, and investigative experiments; (8) audiovisual materials and electronic data. The "Analysis Report" does not fall into any of these categories.
Article 100, Paragraph 1 of the Supreme People's Court's Interpretation on the Application of the Criminal Procedure Law of the People's Republic of China states: "In the absence of an appraisal institution, or according to the provisions of laws and judicial interpretations, reports issued by persons with specialized knowledge on specialized issues of the case can be used as evidence."
However, this case's "Analysis Report" is only accompanied by a business license of Yue Shen Electronic Technology Co., Ltd. and a photocopy of the ID card of the legal representative "Qi Shan Shen." This company lacks the professional qualifications for electronic data analysis and forensic appraisal, and the legal representative has no qualifications as a "person with specialized knowledge." It is neither a forensic opinion nor a "specialized issue report" as defined in the aforementioned judicial interpretation. Therefore, this report cannot legally serve as the basis for the People's Court's decision.
- The Analysis Report Contains Major Logical Errors
The "Analysis Report" concludes that the address 2tcx****** is Li Certain's early withdrawal address because Li Certain transferred 108 Bitcoins to this wallet address, asserting that it is under Li Certain's control. Based on the gas fee flow of this wallet, it concludes that the address 55WA****** suspected of concealing stolen funds is controlled by Li Certain. However, as previously mentioned, the verification data from KuShen Company indicates that this address is actually bound to the same hardware wallet device 5530f0d455e7ce108f as the suspected stolen coin address 59qs******, which is Yang Certain's wallet address.
At the same time, the logic of this determination does not conform to the characteristics of blockchain transaction records and the basic laws of identity relationships. The blockchain network only records asset transfer data between wallet addresses, and the addresses of both parties in a transaction are generated by algorithms, represented by a string of characters, with no direct correlation to the user's real identity information. Blockchain explorers can query information such as transaction time, amount, and flow, but cannot directly deduce or associate a user's name, ID number, contact information, or other real-name information from the address itself.
In judicial practice, the true identity of the controller can only be traced and inferred through indirect clues such as the transaction characteristics of the address, traces of association with device numbers and IPs, offline KYC information, offline KYT information, offline KYW information, and the verification results of these real-name information. The flow of gas fees is merely one method of inferring the identity of the target address, with very weak reliability, and it cannot completely rule out the possibility that both parties cooperated in buying and trading coins and paid gas fees to each other's addresses for timely transactions.
More importantly, the case data also shows that the address 2tcx****** immediately transferred the 108 Bitcoins it received to the so-called stolen coin address 59qs****** of Yang Certain. In fact, the address 2tcx****** is also controlled by Yang Certain and is one of his transitional addresses for transferring coins, not under the control of Li Certain.
- The Electronic Technology Company Lacks the Qualification to Conclude that a Natural Person is Suspected of a Crime
The determination of criminal suspicion is the exclusive authority of public security, prosecution, and judicial organs, requiring legal procedures and a judgment based on all evidence in the case. The electronic technology company, through its so-called analysis, determines that a certain natural person is suspected of a crime, which infringes upon the authority of public security, prosecution, and judicial organs. This behavior is undesirable and should not be encouraged.
5. Review Opinions and Suggestions
Based on the documents and electronic data provided by the client, a detailed review has led to the following conclusions:
First, Yang Certain holds at least two hardware wallets and has the capability to generate, import, and use KuShen wallet mnemonic phrases.
Second, as of the time of KuShen Company's verification in this case, the last binding time of the suspected stolen coin address 59qs****** to a hardware wallet was February 22, 2019, which is earlier than the time Li Certain purchased the wallet. Moreover, after that date, this address has not bound any new KuShen hardware devices, nor has it conducted any asset transfers through a new hardware wallet.
Third, the hardware wallet device ID controlling multiple wallet addresses of Yang Certain, the corresponding mobile ID of the KuShen APP, and the login IP show a high degree of consistency in association with the two wallet addresses suspected of concealing stolen funds. This electronic evidence objectively proves that Yang Certain has been controlling these two wallet addresses that concealed stolen funds.
Fourth, no objective association has been found between Li Certain and the content of KuShen Company's verification.
Fifth, the "Analysis Report" in this case was produced by a subject lacking professional qualifications, rendering it neither legal nor credible. Its reasoning process does not conform to the logic of blockchain anonymization, decentralization, and the inference and verification of real identities. It lacks the qualification and authority to conclude that a certain natural person is suspected of a crime and cannot serve as the basis for the People's Court's decision.
Sixth, to further ascertain the controller of the wallet addresses in this case, it is recommended that the judicial authorities (1) continue to investigate the behavioral trajectories and travel records of Li Certain and Yang Certain, and conduct geographical location comparisons with the login IPs of the APP corresponding to the two wallet addresses suspected of concealing stolen funds; (2) investigate the login IPs of Yang Certain's apps such as OKEx, CoinEx, and Sesame Credit, which claim to have been stolen, and compare them with the login IPs of the APP corresponding to the latter two wallet addresses; (3) conduct real-name information investigations on the login IPs of the APP corresponding to the latter two wallet addresses suspected of concealing stolen funds.
Explanation: The names, wallet addresses, hardware wallet device unique codes, mobile IDs, and login IPs in this document have been depersonalized and anonymized. This review opinion is solely responsible for the commissioned matters. It is based on existing electronic evidence, electronic data, and other evidence materials, actively following the "Regulations on the Collection, Extraction, and Review of Electronic Data in Criminal Cases" (2016), "Rules for the Collection of Electronic Data in Criminal Cases by Public Security Organs" (2019), "General Principles of Forensic Appraisal Procedures" (2016), SF/Z JD0400001-2014 General Implementation Specifications for Electronic Data Forensic Appraisal, and other technical specifications and appraisal processes, providing professional review opinions for reference by relevant case-handling units. If necessary, the judicial authorities can also issue formal commissioning procedures and provide complete data materials to handle appraisal commissioning matters according to the "General Principles of Forensic Appraisal Procedures."
Expert Assistants: Zhu Tonghui, Wu Tong
November 2025
