In virtual money cases, can evidence obtained from virtual money exchanges be used directly?

Written by: Lawyer Liu Zhengyao

Introduction

As more and more people become aware of virtual currencies, the use of virtual currencies to carry out criminal activities such as money laundering, fraud, operating casinos, and illegal businesses is increasing. Due to a series of regulatory policies on virtual currencies issued in mainland China in 2017 and 2021, which completely banned domestic virtual currency trading platforms, some virtual currency exchanges commonly used by Chinese users (such as Binance, OKEx, Bybit, Bitget, HTX, etc.) now operate entirely overseas.

This has posed a dilemma for domestic public security investigation agencies: criminal acts occur domestically or the victims are within the country, yet the crucial transaction data, exchange KYC (Know Your Customer) information, login log information, etc., are stored on overseas servers. Can the “electronic data” obtained by the investigation agencies from overseas exchanges through emails and online police systems be used as evidence in court?

The author will analyze this practical pain point from the perspective of a defense attorney, combining Chinese criminal procedure law and relevant judicial interpretations.

1. Current Situation: How do law enforcement agencies request evidence from overseas exchanges?

Before discussing “whether it can be used”, it is first necessary to understand “how to obtain” the electronic evidence involved. Currently, there are mainly three ways for public security organs in mainland China to obtain data from overseas exchanges, each with different legal effects:

(1) International Criminal Judicial Assistance

This is the most formal and compliant approach according to international legal procedures. Evidence can be obtained by contacting the competent authorities of the country or region where the virtual currency exchange is registered or where the servers are located, based on bilateral criminal justice assistance treaties. However, a significant drawback of this evidence collection is that the procedure is extremely cumbersome, and the timeline usually lasts from 6 months to several years. In the rapidly changing cryptocurrency space, the value of the involved virtual currency may drop to zero within a single day of delay, making this efficiency almost impossible to meet investigative needs. Therefore, it is rarely chosen as the first option in practice.

(2) Police Cooperation and “Green Channel”

Based on Interpol or other police cooperation mechanisms, it is possible to relatively quickly conduct evidence collection work for the involved exchanges.

But in fact, what is more commonly seen in judicial practice is the “law enforcement cooperation mechanism” established by domestic public security organs directly utilizing virtual currency exchanges (such as Binance, OKX).

(The above image is the “Government Enforcement Request Submission System” from the Binance official website, source: Binance official website)

(The above image is the “Law Enforcement Request Guidelines” from the Gate.io official website, source: Gate.io official website)

In terms of specific operational modes, the investigating officer can send a letter of evidence collection (such as a scanned copy of the case filing decision or notice of evidence collection) after identity verification in Binance's system (law firms or lawyers can also perform the verification), which will then be reviewed by the exchange's compliance team and replied to via email with an Excel sheet or PDF file. Okex, on the other hand, receives the evidence collection requests from judicial authorities via email. This is currently the main method of evidence collection for the vast majority of cryptocurrency-related cases in the country.

(The above image is the registration page for the Binance verification platform, sourced from the Binance official website)

(The above image shows the verification method of the Gate.io platform, source: Gate.io official website)

(3) Self-technical extraction and “remote inspection”

This is a relatively common evidence collection model in judicial practice. For arrested criminal suspects, if the public security investigation personnel can use the seized devices such as the suspect's mobile phone and computer to log into their exchange account, they can directly view and export transaction records and deposit/withdrawal records. The exchange data obtained in this way is often directly used as evidence to charge the crime.

According to Article 33 of the “Regulations on Electronic Data Forensics in Criminal Cases Handled by Public Security Organs” issued by the Ministry of Public Security in 2019 (hereinafter referred to as the “2019 Regulations”), this mode belongs to remote network inspection and is a direct extraction of electronic data from domestically controlled devices, rather than directly obtaining evidence from foreign entities. There are still certain controversies in the procedure (see below for details).

II. Core Dispute: The Dilemma of the “Legitimacy” of Obtaining Evidence from Abroad

Currently, our defense will mainly focus on the legality and authenticity of the evidence when the prosecutor presents the Excel spreadsheets or PDF files directly sent from foreign virtual currency exchanges (via email) provided by the investigation agency in court.

(The above image shows the transaction records of a certain account obtained by the public security organs after verifying with huobi in cases involving virtual currencies handled by our team.)

(1) Legal basis for external evidence collection

As is well known, exchanges similar to Binance, OKEx, Bybit, etc. often register or actually operate in countries and regions such as the Cayman Islands, Seychelles, Dubai, Hong Kong, and Singapore. As mentioned earlier, according to the normal electronic evidence collection procedures for criminal cases, domestic public security investigation agencies cannot directly go abroad to collect evidence, and strictly speaking, it must be done through international criminal judicial assistance. However, in practice, very few adopt this model; more public security agencies directly rely on the 2016 “Two Highs and One Department” “Regulations on the Collection, Extraction, and Review of Electronic Data in Criminal Cases” (hereinafter referred to as the “2016 Regulations”) and the 2019 “Rules” to collect and extract electronic data stored abroad, which can be done through “online extraction” or “remote investigation and evidence collection.”

From this perspective, the basis for the public security organs to obtain evidence from overseas virtual currency exchanges is judicial interpretation or regulations from the Ministry of Public Security. However, according to Article 25 of the Law on International Criminal Judicial Assistance, for obtaining overseas electronic data, the case-handling authority should conduct this through criminal judicial assistance. However, friends familiar with the current situation of criminal defense in the country understand that such disputes may at most be considered procedural flaws or controversies, making it difficult to substantially affect the direction of the case.

(2) The “authenticity” and “integrity” of the data cannot be self-evident.

If the domestic public security organs operate according to the aforementioned “law enforcement cooperation mechanism,” what is usually sent back by the virtual currency exchanges is a regular Excel/PDF file, without any third-party notarization, some without digital signatures, and sometimes the sender is just a personal email of an exchange employee.

So, as a defense lawyer, there may be the following questions, such as: how to prove that the files sent and received via email have not been tampered with? How to prove that a personal email indeed represents the official exchange? How to prove that there were no technical errors in the data generation process? And so on.

In practice, since employees of the exchange cannot testify in court, the authenticity and completeness of such evidence are often difficult to prove.

(3) The legitimacy of the exchange itself is in doubt in the mainland.

According to the “Notice on Further Preventing and Dealing with the Risks of Speculation in Virtual Currency Transactions” issued by ten ministries and commissions of the state (including the “Two Highs and One Ministry”) on September 24, 2021, overseas virtual currency exchanges are prohibited from conducting business in any form in mainland China, and all their business activities are considered “illegal financial activities.” Therefore, it can be understood that from the regulatory perspective of mainland China, overseas virtual currency exchanges are subjects that inherently carry a “halo of illegality.” This raises significant doubts about the legality of the evidence obtained by public security organs in mainland China from these overseas illegal entities.

3. Can the court use relevant evidence?

Despite the aforementioned flaws, in current judicial practice, cases where evidence obtained by public security organs from overseas exchanges is excluded by the court are extremely rare. In most cases, even if there are obvious flaws, the evidence can still be accepted by the court after “correction.” When reviewing such evidence, the court usually follows the logic and standards below:

(1) Distinguishing between “defective evidence” and “illegal evidence”

The court tends to believe that obtaining evidence from overseas exchanges via email, although not entirely in line with rigorous judicial assistance procedures, typically does not fall under the category of “illegally obtained evidence that may seriously affect judicial fairness,” but rather falls under “defective evidence.” They can be remedied through correction or reasonable explanation, without the need for outright exclusion.

(2) Mutual verification of other evidence

A slightly more rigorous public security investigation agency and procuratorate will take the following measures to supplement the electronic data obtained directly from foreign exchanges:

First, record audio and video throughout the process of sending and receiving emails. At the same time, perform a hash calculation for integrity verification of the received email content (such as commonly used MD5 or SHA-256), to ensure that the data is not tampered with.

Second, notarization by a notary office or third-party evidence preservation. Notarize the entire process of sending the verification email and receiving the reply email, or use blockchain evidence preservation to prove that “this email was indeed sent from the exchange's email address, and the content has not been modified by the investigators.”

Third, additional analysis report. Hire a domestic blockchain security company to issue an analysis report. Although they cannot verify internal data of the exchange (such as KYC), they can verify on-chain data. The basic logic is: if the transfer hash values in the Excel sheet provided by the exchange match the data publicly queried on the blockchain explorer, it can indirectly confirm the authenticity of the exchange's data.

Fourth, the verification of other evidence in the case. Compare the exchange data with the defendant's statements, the chat records in the seized mobile phone, and the local cached data. If multiple sources of data match, the court usually accepts it.

IV. Defense Perspective: How to Effectively Challenge Evidence?

For the parties involved and their defense attorneys, facing evidence from foreign exchanges submitted by the case-handling authority is not a dead end. Here are several frequently used effective cross-examination entry points summarized by Lawyer Liu based on his practical experience:

(1) Verify the authenticity of KYC (Account ownership issues)

The KYC data provided by exchanges (usually passport or ID card information) is often static. Therefore, the defender should pay special attention to whether the KYC information in a certain accused account may have been obtained through buying and selling KYC, meaning that without other supporting evidence, it is possible that the accused account is not actually operated by the registrant (referring to the numerous cases of buying and selling bank cards that exist in reality); in addition, checking whether the login IP address of the exchange account overlaps with the individual's living trajectory can also indirectly verify whether a specific account is indeed being used by the accused party.

(2) Challenge the integrity of the data

If the transaction account flow in the evidence is merely a screenshot of an Excel spreadsheet or other printouts, rather than an electronic original document, then it cannot prove that the evidence has uniqueness and there is a possibility of being edited or modified. Furthermore, some public prosecutors even use printed paper flows or chat records as documentary evidence, which is completely incorrect, and defense lawyers must firmly oppose this.

(3) The specificity of stablecoins such as USDT

The data retrieved from Tether or the data from decentralized wallets is different in nature from the data of centralized exchanges (such as Binance). On-chain data is public and anyone can check it. If the prosecutor only provides on-chain transfer diagrams but cannot provide the internal real-name authentication information from the exchange that links the address to a person, then the chain of evidence is broken.

V. Final Remarks

In summary, can evidence obtained from overseas exchanges be used? The short answer is: yes, but there are thresholds, and there is room for “technical breach.” Specifically:

First, at the level of evidentiary qualification. Chinese courts generally do not reject the evidentiary qualification of data from overseas exchanges. As long as the case-handling agency can prove the objectivity of the data source (such as through notarized email correspondence), this evidence is usually accepted.

Second, in terms of proof capability. A single exchange's Excel spreadsheet has relatively weak proof capability. It is necessary to form a closed loop of “on-chain data + internal exchange data + defendant's terminal data + fund flow.”

Third, practical trends. As major exchanges like Binance and OKX strengthen their compliance efforts, the format of the data they provide has become increasingly standardized (now basically including electronic signatures), making it more difficult for the defense to attack from the perspective of “formal authenticity.”

A little suggestion:

For case handlers: It is essential to ensure that the entire process of “Issuing Letters - Replying Letters” from foreign virtual currency exchanges is documented (audio or video recording or notarization). Additionally, consider entrusting a professional institution to conduct on-chain data authentication analysis to strengthen the evidence.

For the parties involved and defense lawyers: Focus on examining the originality of electronic data (whether the original electronic documents have been transferred), consistency (whether the hash values match), and relevance (whether it can exclude the possibility of others operating the account, etc.).

In the next few years, the game of technology and law in virtual currency cases will continue. The use of overseas evidence will constantly establish new judicial standards in this game.