Evidence Methodology — Topic Explainers

Long-form explainers from the 5CIP analyst team on the specific topics that come up over and over again in recovery and counsel engagements. Each is grounded in the actual cases we've worked, with confidence-tier discipline and citations to the underlying primary sources.

EVIDENCE METHODOLOGY

Tornado Cash Deposit Evidence: What Courts Can and Cannot Infer

Tier 1A deposit chain + clearly labeled Tier 2 attribution analysis with corroborating evidence enumerated. Court-defensible methodology.

LEGAL OPERATIONS

VASP Subpoena Evidence Checklist: TX Hashes, Wallets, Timestamps, Labels

Every required field for a crypto-investigation subpoena packet so the VASP compliance team can act in 48 hours, not 6 weeks.

APAC TYPOLOGY

Pig Butchering USDT Tracing in APAC: Intake Checklist

Forensic signature, intake checklist, jurisdictional realities (HK/SG/MY/TH/PH), and honest recovery expectations.

ATTACKER TRADECRAFT

Lazarus-Style Chain Hopping: Cross-Chain Theft Evidence Model

Per-hop multi-source corroboration, explicit confidence tiers, WORM chain-of-custody for cross-chain laundering cases.

LEGAL OPERATIONS

USDT and USDC Freezing Requests: Evidence Packet Checklist

Tether and Circle can freeze stolen stablecoins on every supported chain. Evidence packet format, jurisdictional channels, realistic 24-72h timelines.

Methodology behind the topics

Every claim 5CIP publishes carries a confidence tier (1A direct, 1B event log, 2 indirect, 3 needs corroboration) and a cross-source verification record (Etherscan, MistTrack, Arkham, Bitquery). Read the full methodology at /methodology, the Trust Center at /trust, and the public Bo Shen case study at /case-studies/2022-1110-BS.

Working with this material

These topic explainers are reference material that counsel and investigators use to format their own engagements. When you have a live case, the entry points are:

Law firms representing victims: see crypto theft lawyer evidence packets for the court-grade forensic packet model, or /law-firms for the firmwide engagement structure.
Individual theft victims (USDT/USDC scams): see /usdt-scam-recovery for the realistic-timeline recovery process; counsel referrals listed there.
VASP compliance teams responding to subpoenas: the VASP subpoena checklist and our VASP compliance services page describe what well-formed requests look like from your side of the table.
APAC-jurisdiction matters: regional intake at /apac, and pig-butchering specifically via the 8-jurisdiction APAC typology page.
General platform evaluation: see crypto investigator software for 11-chain tracing for the 11-chain platform overview or Chainalysis alternative comparison for counsel evaluating per-case forensics vs an enterprise seat.
Open a case directly: /case-intake — first analyst response within 4 business hours, pay-per-case starting at $5,000.

How these topics connect

The five explainers are designed to be read in any order, but cases routinely span several at once. A typical APAC pig-butchering investigation touches the pig-butchering typology, the USDT/USDC freezing workflow, and the VASP subpoena checklist. A DPRK-attributed bridge incident pulls in Lazarus-style chain hopping, Tornado Cash deposit evidence, and again the subpoena checklist for off-ramp recovery.