Cryptocurrency Theft and the Legal Rights of Victims

Cryptocurrency Theft and the Legal Rights of Victims. In Turkey, the crypto asset ecosystem has been rescued from legal uncertainty and attained a super visable and secure structure through the amendment to the Capital Markets Law No. 7518, which entered into force in 2024, and the CMB (Capital Markets Board) communiqués issued in 2025. In this new legal plane, where the “Wild West” era has ended by classifying crypto assets as “intangible assets,” the processes for seeking rights for victims of cyberattacks and theft have been strengthened through mechanisms such as the strict liability of exchanges, heavy penal sanctions within the scope of embezzlement crimes, and mandatory cyber security insurance. This report deeply analyzes the criminal and legal rights of victims, compensation claims, and the current judicial roadmap they must follow, focusing on this reform process where legal gaps have been eliminated.

Our other article on this topic; Legal Regulations in Turkey Cryptocurrency Exchange

1. Criminal Law Perspective and Crime Classification in Crypto Asset Theft

The loss of crypto assets without the owner’s consent (theft) can give rise to different types of crimes in the Turkish Penal Code (TPC) depending on how the act was carried out. In this section, the fine lines between theft, fraud, breach of trust, and embezzlement are analyzed in light of Court of Cassation precedents and doctrinal discussions.

1.1. Theft (TPC Art. 141-142) vs. Cyber Crime (TPC Art. 244)

The legal classification of the act of seizing private keys of crypto asset wallets and transferring assets is one of the most controversial areas of criminal law.

1.1.1. Theft Committed by Using Information Systems (TPC Art. 142/2-e)

The crime of theft is the act of “taking a movable property belonging to another from where it is located without the consent of the possessor, with the intent to obtain a benefit for oneself or another.” In classical criminal law dogmatics, the concept of “property” generally refers to physical, tangible assets. However, with the digitalization of economic life, the Court of Cassation has tended to evaluate any asset with “economic value” as the subject of the crime of theft.

Particularly in internet banking fraud cases, the General Assembly of Criminal Chambers of the Court of Cassation and the 11th Criminal Chamber accept the transfer of money from a bank account to another account as Qualified Theft (TPC Art. 142/2-e) committed by using an information system as a “tool.” Through this analogy, the unauthorized transfer of crypto assets from one wallet to another is evaluated within the scope of qualified theft, as it causes a decrease in the victim’s assets and an increase in the perpetrator’s assets. The penalty for this crime is imprisonment from 5 to 10 years.

Reasoning: The victim’s sovereignty over the digital wallet is broken by using the private key (password), and possession of the asset is terminated.

1.1.2. Hindering or Destroying the System, Deleting or Altering Data (TPC Art. 244)

The opposing view argues that crypto assets are essentially “data.” A transaction on the blockchain is merely an update of data on the distributed ledger. According to this perspective, a perpetrator who transfers crypto money from a person’s wallet to their own wallet is actually “obtaining an unfair advantage by entering the system unlawfully and changing the data.” This act fits TPC Article 244/4.

TPC 244/4 Regulation: “If the execution of the acts defined in the above paragraphs serves to provide an unfair advantage to the person themselves or another, and if this act does not constitute another crime, a penalty of imprisonment from two to six years and a judicial fine of up to five thousand days shall be imposed.”
Differences in Precedent: Disputes regarding jurisdiction and classification occasionally occur between the 8th and 11th Criminal Chambers of the Court of Cassation. In some decisions, TPC 244 is applied when the act is merely data manipulation, while TPC 142 (Theft) or TPC 158 (Fraud) is preferred when a concrete economic loss is evident. For victims, the application of TPC 142 is more favorable due to both longer statute of limitations periods and a higher lower limit for the penalty.

1.2. Qualified Fraud (TPC Art. 157-158)

In the crime of theft, there is no consent of the victim; however, in the crime of fraud, the victim is deceived by the fraudulent behaviors of the perpetrator (their will is crippled) and hands over the asset with their own hands. “Phishing” and “Investment Fraud” cases in the crypto ecosystem fall into this category.

Use of Information Systems as a Tool (TPC Art. 158/1-f): The crime of Qualified Fraud occurs if the perpetrator sets up a fake exchange site, shares fake airdrop links on social media, or introduces themselves as an investment consultant to persuade the victim to send money.
Penalty Amount: The penalty for this crime is imprisonment from 3 to 10 years and a judicial fine of up to five thousand days. However, pursuant to the last paragraph of TPC 158/1, in fraud committed by using information systems, the lower limit of the imprisonment cannot be less than 4 years, and the amount of the judicial fine cannot be less than twice the benefit obtained.
Precedents of the 15th Criminal Chamber: The Court of Cassation accepts that in fraud acts carried out by communicating via the internet, telephone, or social media without the victim and perpetrator meeting face to face, information systems are used as a “tool facilitating the commission of the crime” and rules for the qualified form.

1.3. Breach of Trust (TPC Art. 155) and the New “Embezzlement” Crime

Users who keep their crypto assets on an exchange (centralized platform – CEX) are legally deemed to have transferred the possession of the assets to the exchange. The misuse of these assets by exchange officials was formerly evaluated under TPC 155/2 (Breach of Trust Due to Service) (1 to 7 years imprisonment). However, with Law No. 7518, this situation has changed radically.

1.3.1. Embezzlement in Crypto Asset Service Providers (CML Art. 110/A)

With the new law, the transfer of customer assets to themselves or others by crypto asset exchange executives and employees is defined as the crime of Embezzlement. This is a much more serious type of crime, similar in severity to banking embezzlement.

Heavy Sanctions: The penalty for the crime is imprisonment from 8 to 14 years and a judicial fine of up to three times the damage. Additionally, a “personal bankruptcy” mechanism has been paved for those convicted of this crime, allowing for the confiscation of not only the exchange’s but also the executives’ entire personal assets.
Unauthorized Activity Crime (CML Art. 109/A): Persons operating as crypto asset service providers without obtaining permission from the CMB (unlicensed exchanges) are punished with imprisonment from 3 to 5 years. This article ensures that the state uses the penal stick more effectively in losses experienced by victims on unlicensed platforms.

The table below summarizes crime types and penal sanctions in the context of crypto asset theft:

Crime Type	Legal Basis	Nature of Act	Penal Sanction
Qualified Theft	TPC Art. 142/2-e	Unauthorized access to wallet, hacking, asset transfer.	5 – 10 Years Prison
Cyber Crime	TPC Art. 244/4	Corrupting, altering system data, obtaining benefit.	2 – 6 Years Prison
Qualified Fraud	TPC Art. 158/1-f	Deception, trickery, phishing, persuasion with fake project.	3 – 10 Years Prison (Min. 4 years)
Embezzlement	CML Art. 110/A	Exchange executives appropriating customer assets.	8 – 14 Years Prison + Judicial Fine
Unauthorized Activity	CML Art. 109/A	Operating an unlicensed exchange.	3 – 5 Years Prison

2. Secondary Regulations and Administrative Liability: CMB Communiqués (2025)

The framework outlined by Law No. 7518 was filled by the communiqués numbered III-35/B.1(Principles on Establishment and Operations) and III-35/B.2 (Principles on Operating Procedures) published by the CMB in 2025. These communiqués activated “preventive law” mechanisms to protect victims’ rights.

2.1. Cyber Security Insurance and Capital Adequacy

The biggest problem for victims is finding assets to collect from the opposing party (the exchange) even if they win the lawsuit. The CMB has introduced financial barriers to minimize this risk.

Cyber Security Insurance: Pursuant to Communiqué III-35/B.2, platforms are encouraged to take out cyber security insurance to cover customer losses arising from potential cyberattacks, technical failures, and personnel errors; if insurance is not taken out, blocking a certain amount as capital is made mandatory. This regulation creates a protection shield similar to the “Savings Deposit Insurance Fund” (TMSF) but run by the private sector in the crypto market.
Capital Adequacy Base: Crypto asset service providers are required to perform a dynamic capital adequacy calculation suitable for their risk profiles and keep their equity above a certain level. Fixed assets, intangible assets, and risky items are deducted from equity to find net liquid capital.

2.2. Custody Rules and Asset Segregation

The most critical regulation for the protection of customer assets in exchange bankruptcies or thefts is “custody” rules.

Segregation of Customer Assets: CMB Communiqués make it mandatory to keep customer cash and crypto assets completely separate from the platform’s own assets. Customers’ crypto assets cannot be seized for the platform’s debts and cannot be included in the bankruptcy estate.
Cold Wallet Obligation: Platforms are required to store a large portion of customer assets in “cold wallets” (offline) that are closed to the internet. This ratio and technical standards are audited according to criteria determined by TÜBİTAK. Thus, the spread of loss to all assets in a cyberattack on hot wallets is prevented.
Role of Banks: Integration with banks is mandatory for the custody of cash assets, thus securing the flow of fiat money (TL) through the banking system under state supervision.

3. Compensation Liability under Private Law

While the criminal case ensures public order, the compensation of the victim’s economic loss is possible through compensation lawsuits to be filed in civil courts.

3.1. Contractual Liability and “Disclaimer Clauses”

In the past, many exchanges tried to escape liability by adding a “we are not responsible for cyberattacks” clause to their user agreements. Law No. 7518 closed this path. The Law explicitly introduced the provision: “Any contract term that eliminates or limits the liability of crypto asset service providers towards their customers is invalid.”

This provision is also compatible with TCO (Turkish Code of Obligations) Art. 115 (Non-Liability Agreement). However, since it is a special law (CML), it provides sharper protection. An exchange can no longer escape compensation by saying “it was written in the contract” when hacked.

3.2. Prudent Merchant and Fault Liability (TCO Art. 112 & TCC Art. 18)

According to the Turkish Commercial Code (TCC), every merchant is obliged to act like a “prudent business person” in their commercial activities. For crypto asset exchanges, acting prudently means taking the most up-to-date cyber security measures, conducting regular penetration tests, and training personnel.

The General Assembly of Civil Chambers of the Court of Cassation states that merchants are obliged to take precautions against foreseeable risks. In the crypto world, a cyberattack is not “force majeure” but a “foreseeable commercial risk.” Therefore, an exchange that does not provide necessary security is liable to compensate the customer for all damages (positive damage) and loss of profit under TCO Art. 112 (Breach of Contract) and Art. 49 (Tort).

3.3. Enforcement and Bankruptcy Law Aspect

The status of crypto assets has also been clarified during the enforcement phase of the judgment (decision) obtained from the civil court. Crypto assets are accepted as “attachable assets.” A blockage can be placed on the crypto wallets of the debtor (fraudster or at-fault exchange) by sending a foreclosure notice through Enforcement Directorates. It is even foreseen by jurists that court decisions can be given directly in the form of “payment of bitcoin” and this can be subject to enforcement with judgment.

4. Evidence Management, Proof, and Trial Procedure

The key to success in crypto asset theft cases is transforming technical data into legal evidence.

4.1. Blockchain Analysis and Evidentiary Value

Blockchain records (transaction hashes – TXID) are immutable and transparent, but anonymous (wallet address does not directly show the person).

Court of Cassation Approach: The 11th Criminal Chamber of the Court of Cassation has ruled that crypto transfer records may not be sufficient to prove the identity of the defendant on their own, but can be taken as “discretionary evidence” for the verdict when supported by IP addresses, exchange KYC information, telephone signal records (HTS), and witness statements.
Expert Reports: Courts request “Blockchain Analysis Reports” (Blockchain Forensics) to trace stolen funds. These reports visualize which wallets the funds passed through and which centralized exchange (Binance, Paribu, BTC Turk, etc.) they entered. While blockchain data is considered direct evidence in some countries like China, subjecting it to expert examination is a requirement of procedure in Turkey.

4.2. Investigation Phase and MASAK

The first and most important step victims should follow is to submit an effective complaint petition to the Chief Public Prosecutor’s Office.

Petition Content: The petition should include details such as the stolen amount, transaction date/time, sender and receiver wallet addresses (TXID), and exchange information used. Both “Theft” and “Fraud” crimes should be complained about, leaving the legal characterization to the prosecutor.
MASAK Cooperation: Prosecutors work in coordination with the Financial Crimes Investigation Board (MASAK) in crypto crimes. MASAK has the authority to receive instant information from all licensed CASPs in Turkey. The identification of the suspect is usually provided by MASAK reports. However, the Court of Cassation has stated that MASAK reports are in the nature of “intelligence/notice” and are not sufficient for conviction on their own; the court must verify this data during the trial phase.

4.3. International Letters Rogatory (Mutual Legal Assistance)

The cross-border nature of crypto crimes is the biggest handicap. Stolen funds are usually transferred to foreign-based exchanges or mixers within minutes.

Ministry of Justice Circulars: In the 2024-2025 period, the Ministry of Justice issued new circulars to accelerate the international requests of prosecutors and conducted studies to grant prosecutors broader powers regarding the seizure of crypto wallets.
Challenges: Foreign exchanges (e.g., based in Seychelles or Cayman Islands) may not always respond to the requests of Turkish courts. In this case, bilateral agreements and Interpol bulletins come into play.

5. Our Recommendations

The legal rights of victims in crypto asset theft have been moved from a theoretical plane to a practical and applicable ground with the reforms made in Turkey in the last two years. Law No. 7518 and CMB Communiqués have strengthened the hand of the judiciary in punishing theft and fraud acts by granting crypto assets the status of “asset under legal protection.”

In particular, the introduction of the crime of Embezzlement, the obligation for exchanges to have cyber security insurance, and the invalidity of disclaimer clauses have created a strong compensation infrastructure for victims. Victims now have the opportunity to engage in a legal struggle not only with “unidentified” hackers but also with corporate structures showing security vulnerabilities.

However, since the speed of technology is always ahead of the law, gaps regarding decentralized finance (DeFi) protocols and cross-border transactions continue. For victims to fully receive their rights, it is of critical importance to:

Secure all digital evidence (screenshots, TXID) at the moment of the incident,
Apply to the prosecutor’s office without losing time and request a “blockage” on wallets,
Show the exchange as a defendant in the civil lawsuit based on “strict liability” and “prudent merchant” principles.

Turkey’s crypto law regime has evolved into a modern and proactive structure compatible with the EU’s MiCA regulations, observing the balance of protecting the investor without hindering innovation. This structure builds a safe harbor for honest investors and a difficult legal wall to breach for malicious actors.

Our Latest Articles

« Previous Post

Legal Regulations in Turkey Cryptocurrency Exchange - Legal Crab says:
4 January 2026 at 18:36
[…] Our other article on this topic; Cryptocurrency Theft and the Legal Rights of Victims […]