Written by: Zhu Tonghui, Wu Tong

Note: For readability, all wallet addresses, IDs, and Excel file names in the article are represented by their first four characters.

Zhu Tonghui, Wu Tong: Review of Virtual Currency Data on Li's Suspected Theft of 108 Bitcoin

Table of Contents

I. Basic Information

II. Entrustment Details

III. Glossary

IV. Review Process and Corresponding Conclusions

(I) The relationship between the electronic data of Cosmos's verification certificates and the hardware wallet
1. The binding status of the hardware wallet and wallet address in the Cobo verification documents
2. Yang's use of hardware wallets
3. The binding status of the address 59qs****** suspected of having its cryptocurrency stolen with the hardware wallet
4. The binding details of the two addresses suspected of hiding the stolen funds to the hardware wallet and their relationship with other addresses
5. The relationship between the hardware wallet purchased by Li and the wallet address 59qs******
(II) Correlation Analysis of Mobile Phone ID, IP Address and Wallet Address in Cosmos Authentication Data
1. The ID of the phone associated with the Cobo app when Yang's wallet address was linked to the hardware wallet is the same as the ID of the phone associated with the Cobo app linked to the wallet address suspected of concealing stolen funds.
2. The login IP address of the phone associated with Yang's wallet address and the KuShen APP is consistent with the login IP address of the phone associated with the KuShen APP associated with the wallet address suspected of concealing stolen funds.
(III) Review of the "Analysis Report on the Case of Yang's Bitcoin Theft"
1. The entity issuing the assessment report lacks any qualifications and cannot serve as the basis for a court's decision.
2. The analysis report contains significant logical errors.
3. Electronic technology companies are not qualified to conclude that a natural person is a suspect in a crime.
V. Review Opinions and Recommendations


I. Basic Information


Client: Beijing Jingshi Law Firm, Wang Xibin

 

Trustees:


Zhu Tonghui
He holds a PhD in Procedural Law from Peking University, is an Associate Professor at the Law School of Nankai University, and a forensic expert at the Forensic Science Center of Beijing Yunzheng International Data Security Technology Co., Ltd.


Wu Tong
He holds a PhD from the School of Information Security Engineering at the People's Public Security University of China, completed postdoctoral research at the School of Computer and Information Technology at Beijing Jiaotong University, is a part-time lecturer at the Institute of Evidence Science at China University of Political Science and Law, and is a forensic expert at the Electronic Data Forensic Center of the Beijing Internet Industry Association.


Requested Review: Based on the electronic data and other case materials in the case of Li Moumou from Hebei Province, who is suspected of stealing 108 Bitcoins, defended by lawyer Wang Xibin of Beijing Jingshi Law Firm, analyze the association and control of the hardware wallets, interactive mobile phones, login IPs, and other information involved in the case with the virtual currency wallet addresses.


Date of acceptance: September 17, 2025
Review period: September 17, 2025 – November 25, 2025
Review Basis: "General Rules for Judicial Appraisal Procedures" (2016); SF/Z JD0400001-2014 "General Implementation Specifications for Judicial Appraisal of Electronic Data"
Review location: Chaoyang District, Beijing


II. Entrustment Details


The client was retained by Beijing Jingshi Law Firm to conduct a professional analysis of the electronic evidence and related evidence in the case of defendant Li Moumou's alleged Bitcoin theft. One of the key pieces of evidence in this case is the electronic data and other materials involved.
The client hereby appoints Zhu Tonghui (judicial appraiser of Beijing Yunzheng International Data Security Technology Co., Ltd. Judicial Appraisal Center) and Wu Tong (judicial appraiser of Beijing Internet Industry Association Electronic Data Judicial Appraisal Center) as expert assistants to conduct a professional review of the electronic data and other evidence involved in this case.


III. Glossary


BTC (Bitcoin): Bitcoin is a decentralized cryptocurrency and the first peer-to-peer electronic cash system based on blockchain technology. It was proposed by Satoshi Nakamoto in 2008 and officially launched in 2009. Its core features include decentralization, fixed total supply, global circulation, transparent addresses and transactions, and a degree of anonymity for associated entities.


A mnemonic phrase is a set of simple words with fixed rules derived from the private key of a digital currency wallet. It is a human-friendly, easy-to-remember expression of the private key and is also known as a recovery phrase or seed phrase.


Its core function is to facilitate users' backup and recovery of their wallets. Because the private key is a long string of random characters that is difficult for ordinary people to remember and accurately record, the mnemonic phrase significantly reduces the difficulty of backup and safekeeping by mapping the private key to common English words (some wallets also support other languages such as Chinese).


A cryptocurrency wallet address, generated from a mnemonic phrase, is a unique character identifier used by users to receive and send digital assets (such as cryptocurrencies and NFTs) on the blockchain network. It is generated using an asymmetric encryption algorithm, derived from a public key derived from a private key, and simplified through hashing and other processing. It is essentially a "digital address" for asset transfers in the blockchain world. It only identifies the target or source of asset transactions and is not directly linked to the user's real identity. Transaction records can be publicly queried through a blockchain explorer, but the private key cannot be deduced from the wallet address, thus ensuring asset security.


Hardware wallets: Hardware wallets are physical devices with built-in high-security chips, possessing independent computing and storage capabilities. They are specifically designed for offline storage of cryptocurrency private keys and for offline signing, and are also known as cold wallets. Their core principle is to ensure that private keys are always stored internally and not exposed to the network environment through physical isolation of network connections, thus technically preventing the risk of private keys being stolen through network attacks. They also comply with common blockchain industry standards such as BIP-39 and BIP-44, making them highly secure dedicated devices in the field of cryptocurrency storage.


A unique hardware device identifier (UDI) is the most basic unique identifier for a device. Assigned by the device manufacturer, it is printed on the device itself, packaging, or system information. Applicable to all electronic devices (such as computers, mobile phones, printers, hardware wallets, etc.), it serves as the manufacturer's unique identification criterion. In this case, the "device code" in the electronic data is the unique code for the Cosmos hardware wallet device. The "phone ID" in the electronic data is a unique code calculated by the Cosmos wallet app from the hardware information obtained from the installed mobile phone. Both of these are unique hardware device identifiers and are therefore unique.


IP: Internet Protocol Address, is a unique digital identifier assigned to every networked device on the Internet. It follows the specifications of the TCP/IP protocol suite and is used both to locate the logical position of a device within the network and as a "network address" for data transmission between devices. Through IP addresses, different devices can achieve precise addressing and communication within the complex Internet topology. There are two main versions: IPv4 (32-bit binary number, using dotted decimal notation) and IPv6 (128-bit binary number, using colon-hexadecimal notation) to adapt to different network address resource requirements.

 

IV. Review Process and Corresponding Conclusions


(I) The relationship between the electronic data of Cosmos's verification certificates and the hardware wallet


1. The binding status of the hardware wallet and wallet address in the Cobo verification documents.

 

The evidence returned by Cosun Company (Supplementary Investigation Evidence File for Yang Moumou and Yang 2 Mou) (First Return) pp. 18-30 (printed version of the electronic data "6666******.xls") shows that there is a Cosun hardware wallet in this case, with the device code "5530f0d455e7ce108f". This device is bound to 28 addresses, and the device model is a Cosun P3 device (the "P1/P2" appearing in the last column of the screenshot is inaccurate according to Cosun Company's response; Cosun Company can confirm that the wallet is a P3 type wallet; equally importantly, the hardware wallet seized from Yang Moumou in this case, which will be analyzed in detail below, is a P1 type).

 

Among them, 59qs****** is the address suspected of having 108 bitcoins stolen. 55WA****** and 55Nq****** are addresses suspected of hiding the stolen funds.

 

More notably, the aforementioned four addresses—59qs******, ZX5i******, EECv******, and 28eV******—are also the addresses of Yang's P1 hardware wallet, which was seized in this case.

 

In summary, the electronic data and physical evidence in this case show that two different wallet models were involved. The address suspected of having 108 stolen bitcoins was linked to three other addresses on both devices. Furthermore, no wallet addresses controlled or used by Li were found.


2. Yang's use of hardware wallets


In the supplementary investigation file (Yang Moumou and Yang 2 Mou Bitcoin theft case) (Part 1), on page 4 of Yang Moumou's statement, Yang Moumou stated: "I spent more than 3,000 yuan to have Li Moumou help me buy a cold wallet. On February 22, 2019, I met with Li Moumou and asked him to use my phone to transfer 64 Bitcoins from the trading platform to the cold wallet..."


Based on Cosmos's response to the police's third question in this case: "The creation time of the address in Cosmos's database is the time when the Cosmos hardware wallet and mobile app were bound (February 22, 2019, 19:44:13). Binding the Cosmos hardware device requires a mnemonic phrase. There are two ways to obtain a mnemonic phrase: 1. Importing the mnemonic phrase to bind the hardware device; 2. Generating the mnemonic phrase using a cold wallet to bind the device. If the mnemonic phrase was imported to bind the device, it's possible that the mnemonic phrase had already been used before binding the Cosmos hardware device (transfers or receipts occurred after the address was generated). The reason why the address creation time in the Cosmos database is later than the address's first transfer time may be due to this."


The hardware wallet binding date stated in Yang's statement, February 22, 2019, is consistent with the binding date of the Cosmos P3 hardware wallet with address 59qs****** and device code "5530f0d455e7ce108fbe" in the Cosmos verification data, which is also February 22, 2019.


Since the wallet address has had on-chain transactions since 2017, and considering the objective fact that the mnemonic phrase for transactions needs to be bound to a Cosmos hardware wallet or another hardware wallet with the same functionality, and given Yang's statement that he only bound and used the newly purchased Cosmos hardware wallet on February 22, 2019, it can be inferred that Yang previously possessed another Cosmos hardware wallet or a hardware wallet with the same functionality. This earlier hardware wallet is highly likely to be the P1 Cosmos hardware wallet already seized in this case.


3. The binding status of the address 59qs****** suspected of having its cryptocurrency stolen with the hardware wallet.


In the aforementioned Cosmos Company's response documents (Supplementary Investigation Evidence File for Yang Moumou and Yang 2 Mou) (First Retrieval) pp. 18, 24, and 29 (printed version of electronic data "6666******.xls"), the address 59qs******, which was suspected of having its cryptocurrency stolen, was bound to the Cosmos hardware wallet with the ID "5530f0d455e7ce108f" at 19:44:13 on 2019-02-22.


In response to the police's second question in this case, Cosmos Company stated that the addresses 59qs******, 55WA******, and 55Nq****** were "generated from the same set of mnemonic phrases and were used in the device (5530f0d455e7ce108f)".


Meanwhile, in its response to the police's fifth question in this case, Cosmos explicitly stated: "The device code associated with the address in the police investigation form is the device ID that was last bound to the Cosmos hardware wallet using the same mnemonic phrase."


In addition, analysis of the screenshot of Yang's P1 wallet address, which was seized in the case, reveals that two addresses in the P1 wallet have the same mnemonic phrase as 59qs******: zgwW****** (Dash) and 7y26****** (Ethereum Classic).


However, the backend records of the P3 hardware wallet mentioned earlier (device code "5530f0d455e7ce108f", bound to 28 addresses including 59qs******, the address suspected of having its coins stolen) contain no binding record for either of these two addresses. This shows that if a mnemonic phrase is bound to a new hardware wallet but the wallet address is not restored within it, the Cobo wallet backend will not record the binding time of that address in the old Cobo wallet.


Therefore, it can be definitively concluded that the binding time of each address in the aforementioned Cosmos Company's verification document "6666******.xls" is the time of the last binding with the 5530f0d455e7ce108fbe hardware wallet.


In summary, based on the above analysis, we can conclude that the last time the address 59qs******, suspected of having its cryptocurrency stolen, was bound to the Cobo hardware wallet with device code 5530f0d455e7ce108f was February 22, 2019. There have been no further Cobo hardware wallets bound to, controlling, or used for asset transactions with this address since then. If there are any questions regarding Cobo's technical description, further investigation and analysis are needed.


4. The binding details of the two addresses suspected of hiding the stolen funds to the hardware wallet and their relationship with other addresses.

 

The addresses 55WA****** and 55Nq******, suspected of hiding the stolen money, are among the 28 addresses mentioned above in the Kushen evidence, and were last bound to the hardware wallet with device code "5530f0d455e7ce108f".


As mentioned earlier, the four addresses 59qs******, ZX5i******, EECv******, and 28eV****** in Yang's P1 wallet, which were seized in the case, were also bound to a P3 wallet with the device code "5530f0d455e7ce108f". This means that the wallet address suspected of hiding the stolen money was bound to the same P3 wallet.


Based on the aforementioned response from Kushen Company to the police's second question in this case, it can be determined that the four addresses of Yang Moumou and the two addresses where the stolen money was hidden were bound to and used in the same hardware wallet "5530f0d455e7ce108f".


5. The relationship between the hardware wallet purchased by Li and the wallet address 59qs******


On page 109 of the case file (Supplementary Investigation File for the Case of Yang Moumou and Yang 2 Mou's Bitcoin Theft) (Second Retrieval), it is stated that Li Moumou purchased the Cobo hardware wallet on February 14, 2020.


If Li Moumou were to use the purchased hardware wallet to transfer Bitcoin, he would need to bind and control the wallet using the stolen private key. Therefore, the last binding time recorded in Cobo's backend for the suspected stolen address 59qs****** would be sometime after the purchase date of February 14, 2020. However, Cobo's backend records the last binding time for this address as 19:44:13 on February 22, 2019.


Therefore, it can be concluded that Li did not use this newly purchased hardware wallet to bind, control, or transfer coins to address 59qs******.


(II) Correlation Analysis of Mobile Phone ID, IP Address and Wallet Address in Cosmos Authentication Data


1. The ID of the phone associated with the Cobo app when Yang's wallet address was linked to the hardware wallet is the same as the ID of the phone associated with the Cobo app linked to the wallet address suspected of concealing stolen funds.


The addresses ZX5i****** and EECv****** in Yang's P1 wallet, as shown in the aforementioned Kushen Company's response (Supplementary Investigation Evidence File for Yang Moumou and Yang 2) (Returned Version 1) pp. 18, 24, and 29 (printed version of electronic data "6666******.xls"), correspond to the mobile phone ID "777D******" when they are bound to the hardware wallet. The binding dates are February 24th and 26th, 2018, prior to October 15th, 2020, the date of the alleged theft. The address 55Nq******, suspected of concealing stolen funds, also corresponds to the mobile phone ID "777D******" when bound to the hardware wallet.


Meanwhile, according to the evidence returned by Kushen Company (Supplementary Investigation Evidence File for Yang Moumou and Yang 2 Mou) (Returned) P14-17 (printed version of electronic data "19cd******.xls"), 18 out of the 19 transfers to the address 55Nq****** suspected of hiding the stolen money had the same ID on the mobile phone where the corresponding APP was located: "777D******".


The address 28eV****** in Yang's Cosmos P1 wallet, according to the aforementioned Cosmos verification materials, corresponds to the mobile phone ID "8g52******" when the wallet is linked to the hardware wallet. The wallet address 55WA******, suspected of concealing illicit funds, also corresponds to the mobile phone ID "8g52******" when linked to the hardware wallet, according to the same Cosmos verification data.


Therefore, the mobile phone IDs of the apps associated with the two addresses suspected of hiding embezzled funds when they were linked to the hardware wallets were the same mobile phone IDs associated with the apps linked to Yang's wallet address when they were linked to the hardware wallets.


Therefore, based on the principle of using electronic traces for identity verification and the pattern of binding mobile phone software with mobile device IDs, these identical mobile phone ID records objectively reflect that Yang Moumou has been controlling the two addresses mentioned above where the stolen money was hidden since the alleged theft.


2. The login IP address of the phone associated with Yang's wallet address and the KuShen APP is consistent with the login IP address of the phone associated with the KuShen APP associated with the wallet address suspected of concealing stolen funds.


For the addresses ZX5i****** and EECv****** in Yang's KuShen P1 wallet, the aforementioned KuShen company's return evidence data (Yang Moumou, Yang 2 Mou Supplementary Investigation Evidence File) (First Retrieval) pp. 18, 24, 29 (printed version of electronic data "6666******.xls") shows that when they were bound to the hardware wallet, the login IP of the mobile phone where the corresponding APP is located was 186.**.***.185, and the binding dates were February 24 and 26, 2018, before October 15, 2020.


The wallet address 55Nq******, suspected of hiding stolen funds, shows in the verification data of the same company, Cosmos, that when it was bound to the hardware wallet, the login IP of the corresponding mobile phone where the APP was located was also 186.**.***.185.


Meanwhile, the Kushen Company's evidence return data (Yang Moumou, Yang 2 Mou supplementary investigation evidence file) (first withdrawal) P14 (printed version of electronic data "19cd******.xls") shows that when the APP corresponding to this wallet address logged in on May 4, 2021, its IP address was also 186.**.***.185.


Therefore, based on the principle of using electronic traces for identity verification and the objective laws of IP allocation and use, these identical IP records objectively reflect that Yang Moumou has been controlling the address 55Nq****** where the stolen money was hidden since the alleged theft.


No objective connection was found between Li's devices and software and the above electronic evidence and wallet address.
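
The cross-referencing in sections (I) 5 and (II) above can be carried out mechanically over the vendor's binding table. The Python example below is added here and is not part of the original review or of the vendor's tooling; it uses only the masked values quoted in the text, leaves fields the review does not state as None, and its record layout and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Values are the masked values quoted in the review. None marks a field the
# review does not state; nothing is filled in. Layout and names are assumed.
# Masked strings compare equal only on their visible characters, so a real
# comparison must use the full values from the source spreadsheets.
DEVICE = "5530f0d455e7ce108f"
PHONE_A, PHONE_B, IP_A = "777D******", "8g52******", "186.**.***.185"
LINK_FIELDS = ("device", "phone_id", "login_ip")


def rec(address, phone_id=None, login_ip=None, last_bound=None):
    """One row of the binding table, reduced to the linking fields."""
    return {"address": address, "device": DEVICE, "phone_id": phone_id,
            "login_ip": login_ip, "last_bound": last_bound}


RECORDS = [
    rec("59qs******", last_bound=datetime(2019, 2, 22, 19, 44, 13)),
    rec("ZX5i******", PHONE_A, IP_A),
    rec("EECv******", PHONE_A, IP_A),
    rec("28eV******", PHONE_B),
    rec("55Nq******", PHONE_A, IP_A),
    rec("55WA******", PHONE_B),
]
REFERENCE = {"59qs******", "ZX5i******", "EECv******", "28eV******"}  # seized P1 wallet
QUESTIONED = ["55WA******", "55Nq******"]  # addresses suspected of hiding the funds
PURCHASE_DATE = datetime(2020, 2, 14)      # purchase date cited in section 5


def build_index(records):
    """Map (field, value) -> set of addresses carrying that value."""
    index = defaultdict(set)
    for r in records:
        for field in LINK_FIELDS:
            if r[field] is not None:       # unknown values never create a link
                index[(field, r[field])].add(r["address"])
    return index


def shared_identifiers(records, questioned, reference):
    """For each questioned address, list which reference addresses share which
    identifier, so every link can be traced back to a table row."""
    index = build_index(records)
    by_addr = {r["address"]: r for r in records}
    out = {}
    for addr in questioned:
        links = defaultdict(list)
        for field in LINK_FIELDS:
            value = by_addr[addr][field]
            if value is None:
                continue
            for other in sorted(index[(field, value)] & reference):
                links[other].append(field)
        out[addr] = dict(links)
    return out


def bound_after(records, address, moment):
    """True/False if the last recorded binding is later than `moment`;
    None when the binding time is not stated."""
    for r in records:
        if r["address"] == address:
            return None if r["last_bound"] is None else r["last_bound"] > moment
    raise KeyError(address)


if __name__ == "__main__":
    for addr, links in shared_identifiers(RECORDS, QUESTIONED, REFERENCE).items():
        for other, fields in sorted(links.items()):
            print(f"{addr} <-> {other}: {', '.join(fields)}")
    print("59qs****** bound after purchase date:",
          bound_after(RECORDS, "59qs******", PURCHASE_DATE))
```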


(III) Review of the "Analysis Report on the Case of Yang's Bitcoin Theft"


In this case, Yue Shen Electronics Technology Co., Ltd. was commissioned by the police to issue an analysis report on the theft of Yang Moumou's Bitcoin. Based on the rules of criminal procedure, the general rules of judicial appraisal procedures, and the characteristics of blockchain transactions, the legality, reliability, and relevance of this analysis report are analyzed as follows.

 

1. The entity issuing the assessment report lacks any qualifications and cannot serve as the basis for a court's decision.


Article 50, Paragraph 2 of the Criminal Procedure Law of the People's Republic of China stipulates that evidence includes: (1) physical evidence; (2) documentary evidence; (3) witness testimony; (4) victim statements; (5) confessions and defenses of criminal suspects and defendants; (6) expert opinions; (7) records of on-site investigations, inspections, identifications, and investigative experiments; and (8) audiovisual materials and electronic data. This (analysis report) does not fall into any of the above categories.


Article 100, Paragraph 1 of the Interpretation of the Supreme People's Court on the Application of the Criminal Procedure Law of the People's Republic of China stipulates: "Reports issued by persons with specialized knowledge on specialized issues of a case, when there is no appraisal institution or in accordance with the provisions of laws and judicial interpretations, may be used as evidence."


However, the report in this case only included a copy of the business license of Yue Shen Electronics Technology Co., Ltd. and a copy of the ID card of its legal representative, "Qi Shanshen." The company lacks professional qualifications in electronic data analysis and forensic appraisal, and the legal representative has no proof of being a "person with specialized knowledge." Therefore, it is neither a forensic appraisal opinion nor a "report on specialized issues" as defined in the aforementioned judicial interpretation. Consequently, this report cannot be used as the basis for a court's decision.


2. The analysis report contains significant logical errors.


The analysis report concluded that because Li withdrew 108 bitcoins to the wallet address 2tcx******, this address was an early withdrawal address controlled by Li. Later, based on the wallet's gas fee flow, it was determined that the address 55WA******, where the "stolen funds" were hidden, was controlled by Li. However, as mentioned earlier, data from Cobo's verification system shows that this address is actually bound to the same hardware wallet device 5530f0d455e7ce108f as the suspected stolen address 59qs******, which is Yang's wallet address.


Furthermore, this logic contradicts the characteristics of blockchain transaction records and the fundamental principles of their relationship to identity. Blockchain networks only record asset transfer data between wallet addresses, and the addresses of both parties in a transaction are generated by an algorithm, presented merely as a string of characters, and have no direct connection to the user's real identity information. While blockchain explorers can query information such as the time, amount, and flow of a transaction, they cannot directly deduce or correlate the user's name, ID number, contact information, or other real-name information from the address itself.


In judicial practice, the true identity of the controller can only be traced and inferred through indirect clues such as transaction characteristics of the address, the association between the device number and IP address, offline KYC information, offline KYT information, offline KYW information, and the verification results of these real-name information. Gas fee flow is only one method to infer the identity of the target address, and its reliability is very weak. It cannot completely rule out the possibility that gas fees are paid on behalf of the other party's address to facilitate timely transactions during the process of cooperating in buying and trading cryptocurrencies.


More importantly, the case data also shows that after receiving 108 bitcoins, the 2tcx****** address immediately transferred them to the address 59qs******, which Yang claimed had been the victim of the theft. In fact, the 2tcx****** address was also controlled by Yang; it was one of his transit addresses for transferring bitcoins and was not under Li's control.


3. Electronic technology companies are not qualified to conclude that a natural person is a suspect in a crime.


The determination of criminal suspicion falls under the exclusive authority of public security organs, procuratorates, and courts, and must be made through legal procedures and in conjunction with all the evidence in the case. The electronics technology company's assertion, based on its own so-called analysis, that a certain individual is a criminal suspect infringes upon the authority of public security organs, procuratorates, and courts; such behavior is unacceptable and should not be encouraged.


V. Review Opinions and Recommendations


Based on a thorough review of the documents and electronic data provided by the client, the following conclusions were reached:


First, Yang Moumou possesses at least two hardware wallets, and these wallets have the ability to generate, import, and use mnemonic phrases from the KuShen wallet.


Second, as of the time Cobo responded to the case, the last time the address suspected of having its cryptocurrency stolen, 59qs******, was linked to a hardware wallet was February 22, 2019, earlier than the time Li purchased the wallet. Furthermore, after that date, this address was not linked to any new Cobo hardware device, nor were there any asset transfers made through a new hardware wallet.


Third, the hardware wallet device IDs controlling Yang's multiple wallet addresses, the corresponding mobile phone IDs and login IPs of the KuShen APP, and the related information controlling the two wallet addresses suspected of concealing stolen funds, show a high degree of consistency across multiple points of evidence. This electronic evidence has objectively proven that Yang has been controlling these two wallet addresses where stolen funds were subsequently concealed.


Fourth, no objective connection was found between Li Moumou and the content of the reply from Kushen Company.


Fifth, the report in this case was made by an entity without professional qualifications, and therefore lacks legitimacy and credibility. Its reasoning process does not conform to the logic of blockchain anonymization, decentralization, and the speculation and verification of real identities. It does not have the qualification or authority to conclude that a natural person is suspected of committing a crime, and therefore cannot be used as the basis for a people's court's decision.


Sixth, in order to further identify the controller of the wallet address in this case, it is recommended that the judicial authorities in this case (1) continue to investigate the behavior trajectory and travel records of Li Moumou and Yang Moumou, and compare the geographical location with the login IP of the APP corresponding to the two wallet addresses where the stolen money was hidden afterward; (2) investigate the login IP of the APPs such as Ouyi, Bixin, and Zhima Kaimen that Yang Moumou claimed to have had his coins stolen, and compare it with the login IP of the APP corresponding to the latter two wallet addresses; (3) conduct a real-name information investigation on the login IP of the APP corresponding to the wallet addresses where the stolen money was hidden.

 

Note: Names, wallet addresses, unique hardware wallet device codes, mobile phone IDs, and login IPs in this document have been de-personalized and anonymized. This review opinion is only responsible for the entrusted matters. Based on existing electronic evidence, electronic data, and other evidentiary materials, and proactively following the technical specifications and appraisal procedures of the "Provisions on Several Issues Concerning the Collection, Extraction, Examination, and Judgment of Electronic Data in Handling Criminal Cases" (2016), the "Rules for Electronic Data Evidence Collection in Criminal Cases by Public Security Organs" (2019), the "General Rules for Judicial Appraisal Procedures" (2016), and SF/Z JD0400001-2014 "General Implementation Specifications for Judicial Appraisal of Electronic Data," this professional review opinion is for reference only by relevant case-handling units. When necessary, judicial organs may also issue formal entrustment documents and provide complete data materials to handle appraisal entrustment matters in accordance with the "General Rules for Judicial Appraisal Procedures."

 


Expert assistants: Zhu Tonghui, Wu Tong

November 2025