Lawyer: Can IP Addresses Determine Criminal Jurisdiction in Virtual Currency Cases?

Author: Shao Shiwei

Link:

Disclaimer: This article is a reprint. Readers can find more information through the original link. If the author has any objections to the reprint, please contact us, and we will make modifications according to the author’s requirements. Reprints are for information sharing only and do not constitute any investment advice or represent Wu Shuo’s views and positions.

One late night, I received a call from a family member.

“Lawyer Shao, my brother has been working in Area A, why did the police in Area B, 1000 kilometers away, arrest him?”

Initially, the family member was very confused. After further inquiries, it was understood that the suspect had logged into an account using a mobile phone in Area B to transfer virtual currency.

In other words, just based on the login IP address, the police in Area B identified the location as the place of the crime, thus establishing jurisdiction.

For criminal cases involving virtual currencies, because the involved amounts are often large and the boundary between crime and non-crime is relatively blurry, jurisdiction disputes are more likely to occur in practice. It is common to see disputes over jurisdiction or even artificially creating jurisdiction connection points. A typical example is the recent media reports of virtual currency thefts involving “black-hat” hackers, where the same case was investigated separately by police in two different locations.

In a virtual currency criminal case I am involved in, with a case amount exceeding one hundred million yuan, a similar situation exists where local police used IP addresses as the basis for jurisdiction.

The question is—can IP addresses truly determine jurisdiction in criminal cases?

For example, in property crimes such as theft or embezzlement, if the perpetrator only logs into an account via a mobile phone in a certain location to transfer virtual currency, can that location be considered the “place of the crime”? Is this approach supported by sufficient legal basis, or is there procedural controversy?

Legal Basis: Special Jurisdiction Rules for Cybercrimes

In cases like these, police often cite the 2022 “Opinions on Several Issues Concerning the Application of Criminal Procedure in Handling Cybercrime Cases” issued by the Supreme People’s Court, Supreme People’s Procuratorate, and Ministry of Public Security.

According to Article 2 of the “Opinions”:

“The place of the crime in cybercrime cases includes the location of the server used to carry out the criminal activity, the location of the service provider, the location of the affected information network system and its administrators, the location of the information network system used by suspects, victims, or other involved persons during the crime, the location where the victim was harmed, and the location where the victim’s property was damaged.”

In practice, investigation agencies often follow this logic:

1. Locate the IP address to determine the IP used during the relevant online operation by the suspect;

2. Trace the server to identify its physical location;

3. Based on this, determine that the server’s location is the crime scene, and initiate investigation by the police in that area.

However, for this logic to hold, an important premise must be met: the case must be an “information network crime.”

If the case is essentially a traditional property crime like theft or embezzlement, and only involved network tools during the commission, can the jurisdiction rules for cybercrimes be directly applied?

Prerequisite for IP-based jurisdiction: the case must be an “information network crime.”

Some investigators believe that as long as the “involvement” of information networks occurs during the crime, the expanded jurisdiction rules in the “Opinions” can be applied—even if the use of phones or the internet occurs only in certain parts of traditional crimes like theft or embezzlement.

But according to the “Opinions,” cybercrime cases include:

• Crimes endangering the security of computer information systems;

• Crimes involving failure to fulfill cybersecurity obligations, illegal use of information networks, or aiding cybercriminal activities;

• Crimes mainly carried out through information networks, such as fraud, gambling, or infringement of citizens’ personal information.

Therefore, Lawyer Shao believes that “cybercrime” should refer to crimes that take place in the space of information networks—that is, crimes that cannot be committed without the internet, such as illegal control of computer information systems or damage to computer systems. These crimes are inherently committed in cyberspace, making it difficult to determine the crime scene through traditional physical connection points, thus requiring special jurisdiction rules.

While virtual currency transfers on the blockchain are completed via networks, crimes like theft or embezzlement do not inherently depend on information networks. The act of transferring virtual currency is essentially a disposition of illicit gains, not the act of committing the crime itself. Equating the “network involvement” in traditional crimes with “cybercrimes” is an overextension of the scope of the “Opinions,” confusing the means of committing a crime with the nature of the crime itself.

Would changing the charge affect the IP-based jurisdiction?

In some virtual currency cases, another scenario may occur.

For example, during the case filing stage, police may charge under “Illegally Obtaining Computer Information System Data” or other cybercrime charges. Since it is an information network crime, the investigation agency can claim jurisdiction based on server location and similar rules.

However, as the investigation deepens or during the review and prosecution stage, the case’s nature may change. For instance, a case initially filed as a cybercrime might ultimately be classified as theft or embezzlement.

In such cases, the question arises:

Does the original jurisdiction based on the IP address still hold?

If the case is still processed under the original charge, it may be difficult to establish facts or support evidence.

If the case is reclassified as a traditional property crime, the original jurisdiction based on “server location” may be undermined, leading to procedures such as case transfer or jurisdiction designation.

From a procedural law perspective, jurisdiction should be based on the facts of the crime, not the initial charge chosen.

If jurisdiction is determined first, then the charge is set to maintain jurisdiction, it risks procedural inversion.

Does IP address equate to the actual crime scene? What technical issues exist?

Even if IP addresses are accepted as a reference for jurisdiction, from a technical standpoint, this basis still has significant uncertainties.

1. Network Address Translation (NAT): One public IP may correspond to multiple devices

In home or corporate Wi-Fi environments, multiple devices often share a single public IP address. The public IP obtained by police usually points only to a network exit point, such as a building or an office area, and cannot directly identify a specific device.

To further pinpoint the device, additional data such as router NAT logs, terminal device information, and precise timestamps are needed to correlate internal IPs with the public IP.

2. Dynamic IP allocation: IP addresses may change over time

When using mobile networks, IP addresses are typically assigned dynamically by the carrier. As devices switch between base stations or reconnect to the network, their IP addresses can change.

Therefore, establishing the network location at the time of the crime often requires combining base station logs, connection records, and timestamps. Relying solely on post-hoc IP geolocation data may not accurately reflect the actual physical location at the time of the act.

3. Cloud computing and Content Delivery Networks (CDNs): Server locations are not fixed

Many virtual currency platforms or wallets use CDNs to accelerate network access. In such cases, the server IP connected to by the user may only be an edge node of the CDN, not the platform’s actual origin server.

Thus, the IP address’s indicated server location may not correspond directly to the actual location where the crime occurred.

Under this technical context, relying solely on IP geolocation to determine jurisdiction can lead to situations where regions with no real connection to the case claim jurisdiction simply because the server node or network exit is located there. From a procedural review perspective, this approach may also raise questions about the reasonableness of jurisdiction.

Can IP addresses alone prove the crime scene? Rules for electronic data evidence review

The “Regulations on the Collection, Extraction, and Review of Electronic Data in Criminal Cases” (hereinafter referred to as the Regulations) Article 25 clearly states:

“To determine the consistency between the network identity and the real identity of a suspect or defendant, one can comprehensively assess by checking relevant IP addresses, network activity records, terminal device ownership, witness testimonies, and confessions or defenses of the suspect or defendant.”

This establishes a principle of comprehensive assessment. IP addresses are just one type of electronic data evidence; their probative power must be corroborated with other evidence and cannot be used alone as the sole basis for identification.

In electronic data collection, it is usually necessary to cross-verify network activity logs (such as server logs), terminal device ownership records (e.g., NAT mappings), precise timestamps, and other data to reliably determine whether a particular network activity was carried out by a specific device.

Additionally, Article 23 of the Regulations requires that, during electronic data review, the integrity verification values, the process of seizure and extraction of original storage media, and other factors be checked to confirm the authenticity and completeness of the data, preventing tampering or contamination.

In practice, to trace network behavior back to a specific device and individual, it is often necessary to establish a multi-evidence system, such as:

• IP address logs of the device used, to prove the device accessed the network at a specific time;

• NAT logs (e.g., NAT mappings during Wi-Fi access), to link to a specific terminal device;

• Precise timestamps to confirm when the network activity occurred;

• Platform or server logs recording account operations or fund transfers;

• When involving CDN or similar architectures, further tracing to the actual origin server to confirm the true request path.

Without corroborating data, relying solely on IP geolocation cannot reliably determine the physical location at the time of the crime, and jurisdiction based solely on such information lacks substantive connection.

Final Remarks

In criminal proceedings, jurisdiction is a key safeguard of procedural justice. Which judicial authority files, investigates, prosecutes, and ultimately tries the case directly affects the scope of investigative authority and the defendant’s right to a fair trial.

Therefore, jurisdiction should be based on genuine, specific links to the facts of the crime. Overly broad interpretations of legal bases for jurisdiction may turn jurisdiction rules into tools for contesting case authority, weakening the system’s intended constraints, and undermining fairness and predictability in case handling.