Can Web3 project teams report a case and seek rights protection after suffering harm in Mainland China?

Author: Shao Shiwei

As the complainant, if you want to file a criminal complaint in Mainland China to hold the infringer accountable, the first prerequisite is: the infringer must be in Mainland China. If the infringer is in Hong Kong or overseas, even if domestic public security authorities file a case, it is likely that there will be no further action. For the reasons, see this article: “Can Chinese Public Security authorities cross borders to arrest telecom network fraud suspects abroad?” This article will not elaborate further. This is also why many overseas Web3 projects that engage in “cutting leeks” cannot be helped even if domestic users report the case, because these individuals are usually overseas.

Under this premise, we now proceed to the main topic. For the complainant, the first issues they face are:

What materials need to be submitted when reporting the case? Which public security authority should the complaint be filed with? If reporting to the police, will the authorities consider our activities as illegal, and instead initiate an investigation against us?

Who is qualified to act as the “victimized entity” to file a complaint?

For Web3 project teams, if the project personnel receive trading partners’ commercial kickbacks, embezzle or misappropriate project funds using their positions, or if the project funds are scammed or stolen, which entity should report the case as the victim? This depends on whether the Web3 project has established a legal entity in China, and should be discussed case by case.

Generally, Web3 platform operators often set up project entities in Hong Kong, Singapore, Cayman Islands, etc., but considering labor costs, communication, and management convenience, they may recruit employees domestically.

For larger platforms, such as virtual currency exchanges, it is common to cooperate with third-party companies in China, which sign employment contracts with employees and pay social security. However, many Web3 projects are controlled by actual controllers or instructed by them to establish companies independently, which are then used as the main entities to employ staff and pay social security.

In such cases, the appropriate reporting entity becomes critical for whether a case can be filed.

If a Web3 project registered overseas suffers losses, can a domestic entity act as the victim to file a complaint?

Referring to traditional criminal cases, if a foreign-funded enterprise is the victim and has subsidiaries, branches, or offices in China, then these subsidiaries, branches, or offices can jointly act as the victim to file a complaint.

Therefore, if a Web3 platform can prove that its domestic company has a certain connection with the project, then the domestic company should be able to jointly act as the victim entity to file a complaint.

However, in many Web3 projects, although the project entity is established overseas, it only establishes employment relationships with domestic employees through third-party outsourcing companies. This raises a practical issue: can the cooperating company be considered as the “victimized entity” to file a complaint?

From a legal perspective, third-party outsourcing companies usually do not directly manage project funds nor have control over or benefit from the assets involved, so their qualification as the victim is often difficult to establish. Filing a complaint in their name may be challenged for lacking direct loss or rights basis.

In judicial practice, there are cases where the cooperating company acts as the complaint entity, submitting materials through its staff. While this can sometimes advance the case into investigation, it also provides a defense angle for the defense to argue whether the complaint entity and the actual beneficiary are the same.

For Web3 project teams, another key issue is whether the platform itself can be recognized under Chinese law as a “victimized entity.”

Some Web3 business models, such as on-chain prediction markets, derivatives trading, and on-chain token liquidity matching, have clear regulatory positions in some countries and regions. But in Mainland China, since virtual currency-related activities are included in the “key prevention and cautious regulation scope,” judicial authorities often consider two aspects when determining whether a platform has “legitimate rights”:

• Whether the entity has legal qualification (whether it is compliant to operate within China)
• Whether the business content involves areas prohibited or restricted by domestic law

Therefore, if the platform’s core business falls within a prohibited scope in Mainland China, its legal basis as a “victimized entity” will be limited, and the complaint path will become more complicated.

However, this does not mean all Web3 activities are unable to be recognized as victims. If the platform’s business nature does not involve areas explicitly prohibited domestically, and it can prove actual damages and asset rights, it may still be recognized as a victim by judicial authorities.

Will reporting a case pose risks to the Web3 project itself?

This is one of the most concerned issues for project teams when considering criminal complaints.

Given policies such as the 924 Notice in China, virtual currency-related activities are classified as illegal financial activities. Therefore, if a project reports a case, it must evaluate the legality of the project itself. Otherwise, it may not only fail to be recognized as a “victimized entity” under Chinese law but also risk criminal liability.

However, illegal financial activities are not necessarily equivalent to criminal offenses, or specific criminal charges. The risk level of the business still depends on whether it targets Mainland Chinese users, whether it involves raising funds from domestic users, and other factors.

Because of this uncertainty, some individuals exploit project teams’ concerns about “domestic risks” to extort through “exposure,” “rights protection,” or “reporting.”

For example, there was a report about [i]: On October 16, 2023, Billy Wen, founder of Negentropy Capital, stated on X platform that last year his fund was extorted by a so-called rights protection group after investing in a Web3 project. He reported the case to Shenzhen Longgang police, which filed a case. The suspect, Wu Moumou, allegedly extorted 50,000 USDT (over 300,000 RMB). Wu claimed he was incited by a Twitter influencer called BitRun and used fabricated rights protection materials to extort online. The court will soon hear and decide the case.

This shows that even under cautious regulation, not all project teams are helpless in rights protection. As long as they can clearly establish their rights and conduct pre-assessment of legal risks, they may still gain support from judicial authorities.

Which public security authority should the case be reported to — jurisdiction?

Deciding which public security authority to report to, and which jurisdiction the case falls under, is crucial. If this is not clarified beforehand, reporting blindly may lead to:

• Authorities citing “lack of jurisdiction” and refusing acceptance
• Inter-agency transfer or evasion between different regions
• Even if filed, the case may be challenged later by defense on the grounds of “improper jurisdiction,” affecting the case’s progress

Therefore, clarifying jurisdiction is the first step in assessing whether rights protection is feasible.

In China’s criminal jurisdiction, the principle is based on the location of the crime, with the residence of the defendant as an exception. There are also special rules for cases like cybercrime.

According to basic territorial jurisdiction, if a Web3 project files a criminal complaint, the crime must have occurred within China. How to understand the “crime location”? In Web3 scenarios involving on-chain assets, permission management, and cross-region cooperation, the crime location is not limited to physical places but includes any of the following:

• The location where project funds or digital assets are transferred or controlled
• The location where private keys or account permissions are operated
• The final location where asset loss manifests
• The location where illegal gains are obtained, stored, or used

In other words: all on-chain operations ultimately land somewhere in the real world—whether involving people, devices, or fund flows—these “landing points” are within the scope of domestic jurisdiction.

For crimes like theft or fraud, complaints are generally filed with the public security departments at the location where the theft or fraud was committed, or where the transfer or receipt of funds occurred.

For crimes such as accepting bribes as a non-state official, embezzlement, or misappropriation of funds, if the Web3 project has a branch in China, complaints can be filed with the local public security bureau where the branch is located. For projects without domestic branches, complaints can be filed at the actual crime scene or where the suspect resides.

Do external evidence and on-chain evidence require notarization or certification?

Since Web3 projects often operate on overseas servers, on-chain systems, or cross-border communication tools, a practical issue arises when filing criminal complaints:

Can these pieces of evidence be directly used domestically? Is notarization or certification necessary?

According to criminal procedure law, if the Web3 project has collected relevant materials related to the case, including authorization documents for agents (such as employees or lawyers), notarization and certification are required. If the evidence involves foreign languages, a Chinese translation should be attached.