VASP Subpoena Evidence Checklist: TX Hashes, Wallets, Timestamps, and Labels

The field-by-field anatomy of a subpoena packet that gets actioned in 48 hours instead of 6 weeks. Per-VASP quirks (Binance, Coinbase, MEXC, OKX, KuCoin, Kraken, Bybit), jurisdiction matrix, real packet directory structure, and the parallel Tether/Circle freezing-request track that often closes faster than the subpoena itself.
Updated 2026-05-25 · 18 min read · Authored by 5CIP analyst team

Direct answer for search and AI citations

A VASP subpoena packet is actionable when it contains full transaction hashes, exact block numbers, from/to addresses, token contracts, UTC timestamps, USD value at block time, counsel identity, and a bounded disclosure scope.

Preferred citation: 5CIP, "VASP Subpoena Evidence Checklist," updated 2026-05-25, https://5cip.com/topics/vasp-subpoena-checklist

Author and verification

Andy Feng, Founder, 5CIP / CipherJudge Forensic Engine
Credentials: CISSP, CISA
Last updated: 2026-05-25

Evidence table
Claim area | Evidence
Packet structure | Full TX hash table and per-VASP directory bundle
Legal audience | Crypto theft lawyer evidence workflow

Why the subpoena packet matters more than the trace itself

VASPs (Binance, MEXC, OKX, KuCoin, Bybit, Kraken, Coinbase, etc.) receive subpoenas and disclosure requests by the hundreds per week. A request that does not contain machine-parseable identifiers will sit in the queue. The same VASP team that responds in 48 hours to a well-formed request will take six weeks on a vague narrative.

The single biggest determinant of recovery velocity is the format of your evidence packet, not the sophistication of the trace. Below is the field-by-field anatomy of a packet that gets actioned, the per-VASP quirks that change response time by weeks, and the templates 5CIP ships with every per-case engagement.

Required fields per consolidation point (no exceptions)

Every consolidation point — every address where the trace identifies funds entering a VASP — needs ALL of these in machine-parseable form:

  • TX hash — full 66-character 0x-prefixed string. Truncated hashes (e.g., 0x123...456) get rejected by every major VASP's compliance intake parser.
  • From address — the address the funds left (42-char checksum-cased for EVM, base58 for TRON/Solana).
  • To address — the deposit address (the VASP's hot wallet that received).
  • Block number — exact integer, not a date range. Binance and KuCoin both index by block; date-only requests get bounced.
  • Timestamp — ISO 8601 UTC (e.g., 2026-05-15T14:23:11Z), not local time, not "yesterday".
  • Token contract address — if non-native (USDT, USDC, etc.). The contract address differs per chain — 0xdAC17F95...ec7 for ETH USDT, TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t for TRON USDT, 0x55d398... for BSC USDT.
  • Token amount (dual format) — raw integer (uint256 wei/sat-equivalent) AND decimal-adjusted human value (e.g., 5,000,000,000 raw / 5,000.00 USDT).
  • USD value at block time — for the prioritization triage the VASP runs (>$50K usually fast-tracked).
  • Chain identifier — for multichain VASPs (chain_id or short name; e.g., 1 / ethereum, 56 / bsc, 137 / polygon).
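
A pre-submission check for the field list above, as an added example (not 5CIP's own tooling). It covers EVM records only; the JSON key names and the sample records are assumptions made for illustration, and EIP-55 checksum casing is not verified because that needs Keccak-256, which the Python standard library does not provide.

```python
import re
from datetime import datetime
from decimal import Decimal

TX_RE = re.compile(r"0x[0-9a-fA-F]{64}")    # 66 characters in total
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")  # 42 characters in total
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"               # ISO 8601, UTC only

def validate_point(rec):
    """Return the list of problems found in one EVM consolidation-point record."""
    errs = []
    if not TX_RE.fullmatch(str(rec.get("tx_hash"))):
        errs.append("tx_hash: not a full 66-character hash")
    for field in ("from_address", "to_address", "token_contract"):
        value = rec.get(field)
        if field == "token_contract" and value is None:
            continue  # native asset: no token contract
        if not ADDR_RE.fullmatch(str(value)):
            errs.append(f"{field}: not a full 42-character address")
    for field in ("block_number", "chain_id"):
        if type(rec.get(field)) is not int or rec[field] < 0:
            errs.append(f"{field}: not an exact integer")
    try:
        datetime.strptime(str(rec.get("timestamp")), TS_FMT)
    except ValueError:
        errs.append("timestamp: not ISO 8601 UTC (YYYY-MM-DDTHH:MM:SSZ)")
    try:  # dual-format amount: raw integer must equal the decimal-adjusted value
        raw = int(rec["amount_raw"])
        if Decimal(raw).scaleb(-rec["token_decimals"]) != Decimal(rec["amount_decimal"]):
            errs.append("amount: raw and decimal-adjusted values disagree")
        if Decimal(rec["usd_value_at_block"]) <= 0:
            errs.append("usd_value_at_block: must be positive")
    except (KeyError, TypeError, ValueError, ArithmeticError):
        errs.append("amount: raw, decimal, token_decimals or USD value missing/invalid")
    return errs

# Constructed sample records (placeholder hashes and addresses, not real ones).
GOOD = {
    "tx_hash": "0x" + "ab" * 32, "from_address": "0x" + "11" * 20,
    "to_address": "0x" + "22" * 20, "token_contract": "0x" + "33" * 20,
    "block_number": 19876543, "chain_id": 1, "timestamp": "2026-05-15T14:23:11Z",
    "amount_raw": "5000000000", "amount_decimal": "5000.00", "token_decimals": 6,
    "usd_value_at_block": "5000.00",
}
BAD = dict(GOOD, tx_hash="0x123...456", block_number="2026-05-15",
           timestamp="2026-05-15 22:23:11", amount_decimal="5000000000")

if __name__ == "__main__":
    print("good:", validate_point(GOOD))
    print("bad:", *validate_point(BAD), sep="\n  ")
```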

Per-VASP quirks (the difference between 48 hours and 6 weeks)

Every major VASP has documented procedural quirks. Knowing them in advance prevents weeks of back-and-forth:

  • Binance.com — accepts requests via [email protected] but routes them through a legal entity in the Cayman Islands. Median LE-supported response: 5-10 business days. Requires MLAT for non-US LE requests on US persons. Binance.US is a separate entity with its own legal team — do not assume one accepts the other's filings.
  • Coinbase — most mature compliance intake; their LE portal at request.coinbase.com handles most requests. Median response: 3-7 business days. Will sometimes pre-acknowledge within 24 hours.
  • MEXC — Seychelles-incorporated; responds primarily to LE requests. Civil-only subpoenas to MEXC often require a Singapore enforcement order. Median response: 10-20 business days.
  • OKX — Malta and Bahamas entities; aggressive on KYC retention (3+ years). Response varies widely by case priority; typical 10-15 business days.
  • KuCoin — Seychelles; recently entered a consent decree with the US DOJ (Mar 2025) — KYC posture significantly improved post-decree. Response 7-14 days.
  • Kraken — US-based with explicit civil discovery process via [email protected]. Median 5-10 days.
  • Bybit — BVI; responds to court orders from common-law jurisdictions. Since its response to the February 2025 hack, the compliance team has been significantly more responsive in 2025-2026 than in prior years.
  • Bitget / Gate.io / HTX — Singapore/Seychelles; case-by-case responsiveness. 5CIP has observed faster responses on LE-supported requests when a parallel Tether freeze is already in place.

Common mistakes that delay VASP response

  • Submitting a "consolidation address" the VASP has already documented as a public hot wallet — useless on its own. Always include the originating TX hash that landed at the hot wallet.
  • Sending a PDF screenshot of Etherscan instead of the raw TX hashes. Screenshots are not machine-parseable.
  • Asking for "all activity on that wallet" instead of a bounded TX-hash set. VASPs reject scope-creep requests as fishing expeditions.
  • Omitting block numbers; some VASPs (including Binance and KuCoin) index by block and refuse date ranges.
  • Submitting under the wrong jurisdiction's mechanism — Binance.com vs Binance.US, BVI vs Singapore, etc. Wrong entity = automatic 6-week delay.
  • Forgetting to attach a sworn declaration of authenticity for the forensic evidence. Many VASPs in 2026 require this following multiple cases of fabricated evidence packets being submitted by recovery scammers.
  • Using a personal Gmail address for counsel-of-record. VASPs validate counsel via firm domain + bar registry. Use your firm email.
  • Asking the VASP to "freeze" instead of submitting through the issuer (Tether/Circle) for stablecoin freezes. VASPs do not control stablecoin issuance.

Jurisdiction matrix — which legal mechanism reaches which VASP

Choosing the wrong legal vehicle adds weeks. Quick reference for the major VASP entity → response-eligible mechanism:

VASP entity | Jurisdiction | Most effective LE mechanism | Civil mechanism
Binance.com | Cayman Islands | MLAT via US-DOJ or direct LE-to-LE | Cayman court order; or Singapore for SG-resident users
Binance.US | USA | Federal subpoena (FBI / IRS-CI / Secret Service) | US district court subpoena (FRCP 45)
Coinbase | USA (Delaware) | Federal subpoena; CDA Section 230 does not apply to records | FRCP 45 via Delaware
Kraken | USA (Wyoming / Delaware) | Federal subpoena | FRCP 45
MEXC | Seychelles | Direct LE; MLAT slow | Seychelles court (rare) or Singapore enforcement
OKX | Malta / Bahamas | EU MLAT (Malta entity); Bahamas direct LE | Malta court (EU jurisdiction)
KuCoin | Seychelles (US-consent-decreed) | Post-2025 consent decree improved US-LE access | Singapore enforcement order common
Bybit | BVI | Common-law court orders; UK/Singapore acceptable | BVI court order; or Norwich Pharmacal (UK)

Note: this matrix reflects 5CIP's per-engagement experience as of May 2026. Always confirm current entity structure with the VASP's compliance team before drafting. The Crypto Forensic Investigations Association (CFIA) maintains a public registry that is updated quarterly.

Anatomy of the packet: file structure that VASPs parse cleanly

The actual deliverable from a 5CIP per-case engagement is a directory bundle, GPG-signed and SHA-256 hashed. The internal structure:

5cip-case-CJ-2026-XXXX/
├── 01-summary/
│   ├── case-summary.pdf        (3-5 pages, executive read)
│   ├── chain-of-custody.pdf    (sworn declaration)
│   └── methodology-version.txt (linked to /methodology v1.4)
├── 02-evidence/
│   ├── timeline.json           (full timeline, machine-parseable)
│   ├── consolidation-points.json (per-VASP map)
│   ├── tx-hashes.csv           (every TX in the trace)
│   └── address-registry.json   (every address with provenance + confidence tier)
├── 03-subpoena-packets/
│   ├── binance-com-packet.pdf  (per-VASP, ready to file)
│   ├── coinbase-packet.pdf
│   ├── mexc-packet.pdf
│   └── ...
├── 04-freezing-requests/
│   ├── tether-freeze-request.eml (pre-formatted email to [email protected])
│   └── circle-freeze-request.eml
├── 05-attachments/
│   ├── etherscan-screenshots/  (for jurisdictions that require visual evidence)
│   ├── chain-explorer-pdfs/
│   └── methodology-excerpt.pdf
└── manifest.json + manifest.json.sig  (GPG signature; opposing counsel can verify)

The manifest.json includes the SHA-256 of every other file in the bundle. The .sig is a detached GPG signature made with 5CIP's key and verifiable against the public key (downloadable at /5cip-gpg-public.asc). Opposing counsel can independently verify that nothing has been tampered with by recomputing SHA-256 on each file and validating the GPG signature.
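
The recomputation step described above, as an added example (not 5CIP's verifier). The manifest schema `{"files": {path: sha256}}` is an assumption, since the page does not publish it, and the demo bundle is constructed; the detached signature on manifest.json must still be validated separately with GPG, because matching hashes only prove the files agree with the manifest, not who produced the manifest.

```python
import hashlib
import json
import tempfile
from pathlib import Path

SKIP = {"manifest.json", "manifest.json.sig"}  # not hashed by the manifest itself

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_bundle(root):
    """Recompute SHA-256 for a bundle and compare it with manifest.json."""
    root = Path(root)
    # Assumed manifest schema: {"files": {"relative/path": "sha256 hex"}}
    listed = json.loads((root / "manifest.json").read_text())["files"]
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()} - SKIP
    report = {"modified": [], "missing": [], "unlisted": sorted(on_disk - set(listed))}
    for rel, expected in sorted(listed.items()):
        if rel not in on_disk:        # also rejects entries pointing outside the bundle
            report["missing"].append(rel)
        elif sha256_file(root / rel) != expected.lower():
            report["modified"].append(rel)
    return report

def build_demo_bundle(root):
    """Write a constructed two-file bundle plus a matching manifest.json."""
    files = {"01-summary/methodology-version.txt": b"v1.4\n",
             "02-evidence/tx-hashes.csv": b"tx_hash,block_number\n"}
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    manifest = {"files": {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}}
    (Path(root) / "manifest.json").write_text(json.dumps(manifest, indent=2))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_bundle(tmp)
        print("clean:   ", verify_bundle(tmp))
        Path(tmp, "02-evidence/tx-hashes.csv").write_bytes(b"edited after signing\n")
        Path(tmp, "02-evidence/extra.json").write_text("{}")
        print("tampered:", verify_bundle(tmp))
```

Files present on disk but absent from the manifest are reported as well as modified ones, since an unlisted attachment is outside the signed set.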

Stablecoin freezing — the parallel track that often closes faster than the subpoena

Where stolen funds are still sitting as USDT or USDC on a Tether/Circle-supported chain, the freezing-request packet is the parallel path that often resolves before any VASP subpoena lands. Tether's median time-to-freeze on a properly-formed LE-supported request is 24-72 hours (per Tether's published transparency page); Circle is similar.

Required fields for a Tether/Circle freezing request:

  • Target address (the address holding the stolen tokens) — full 42-char EVM or full base58 TRON.
  • Token contract address (chain-specific — see 5CIP's /tools/usdt-freeze-checker for the verified contract per chain).
  • Current balance proof (Etherscan readContract balanceOf output or equivalent).
  • Underlying offense category + jurisdiction.
  • Filed police report number (Tether requires LE involvement for fast freeze).
  • LE liaison contact.

For deeper detail see the dedicated stablecoin freezing topic. The tool at /tools/usdt-freeze-checker auto-fills the chain-specific contract address and generates the email template.

Chain-of-custody primitives that survive cross-examination

Opposing counsel will attack the evidence packet on three vectors:

  • Has the evidence been altered after generation? — answered by SHA-256 hash anchors per artifact + GPG signature against published public key. Opposing counsel can recompute and verify mathematically.
  • Was the evidence generated using a reproducible methodology? — answered by the public methodology page (/methodology) with version-stamped releases. Each evidence pack cites the methodology version used.
  • Who authored the evidence and what are their qualifications? — answered by named-analyst byline (per E-E-A-T schema in the Article JSON-LD) with verifiable LinkedIn + credentials (CISSP/CISA/CAMS etc.).

5CIP stores every generated artifact in MinIO Object Lock under GOVERNANCE retention mode with 90-day retention minimum. Within the retention window, no admin (including 5CIP staff) can modify or delete the artifact. That guarantee holds only while no account is granted the s3:BypassGovernanceRetention permission, which GOVERNANCE mode honors; COMPLIANCE mode has no such bypass. After the window, the artifact may be archived to long-term cold storage with the same hash anchor still verifiable.

Sample packet: the Bo Shen $30M cold-wallet case

For a fully-published example of the packet format described above, see the Bo Shen $30M cold-wallet investigation at /case-studies/2022-1110-BS. The case study walks through the trace, the confidence-tier labeling per hop, the consolidation-point identification, the VASP subpoena packets that were prepared, and the stablecoin freezing-request packets where applicable. It is the same template every 5CIP per-case engagement ships.

When NOT to engage a forensic firm (honest)

Engagement economics matter. A few honest scenarios where forensic engagement does not pencil out:

  • Loss <$10K and funds at a major US VASP — file directly through the VASP's consumer fraud-report flow. Binance, Coinbase, Kraken all have one. Faster + free.
  • Funds entered Tornado Cash >30 days ago and no on-chain breadcrumbs — recovery via tracing alone is unlikely. Pivot to OFAC blocking (if sanctions match) or law-enforcement-led seizure of mixer infrastructure (rare).
  • Loss is part of a larger class-action — coordinate with the lead recovery counsel rather than running an independent forensic trace. Bulk-pack pricing (5-pack / 20-pack) offers better economics here.
  • VASP has already frozen the address — the trace is no longer the bottleneck. Counsel time is better spent on the legal vehicle to claim the funds.

Pitches that promise "guaranteed recovery" or "99% success rate" are almost universally secondary-fraud recovery scams. The FTC and CFTC have published explicit advisories. See /topics/pig-butchering-apac for the recovery-scam red-flag list.

How 5CIP delivers this (per-case engagement model)

Every 5CIP per-case engagement (US$5,000 flat via Stripe; 5-pack $20K at 20% off; 20-pack $80K) includes:

  • Forensic trace across 11 supported chains with cross-chain bridge attribution.
  • Per-VASP subpoena packets in the directory structure shown above.
  • Tether/Circle freezing-request packets where stablecoin destinations are identified.
  • GPG-signed PDF report + WORM-stored evidence with 90-day GOVERNANCE retention.
  • Named-analyst byline with credentials + sworn declaration of authenticity (free on request).
  • 5-10 business days standard turnaround; 24-48 hours urgent (same fee, no rush charge).
  • Output languages: English (default), 中文, Español, Português, Français.

Engagement defaults to work-product privileged (5CIP acts as consulting forensic vendor to counsel of record). Mutual NDA + matter-scoped SOW. Default Singapore law / SIAC arbitration; redlines welcome.

Bottom line

The single biggest determinant of recovery velocity is subpoena packet format. Include full 66-character TX hashes, exact block numbers, token contract addresses, USD value at block time, chain identifier, and the correct legal vehicle for the VASP's actual jurisdiction (Cayman / Seychelles / Malta / BVI / Delaware vary). Use the parallel Tether/Circle freezing track for stablecoin destinations — it often closes faster than the VASP subpoena.

Get a subpoena-ready 5CIP packet for your case

$5,000 per case via Stripe. The deliverable is the full directory bundle (subpoena packets per VASP + freezing-request packets per stablecoin destination + GPG-signed PDF + WORM-stored evidence) — not a dashboard, not a dump. Submit at /case-intake.