Alonso Sala
CRIMINAL LAWYERS

Criminal Defence for DeFi Scams: Rug Pulls, Stablecoins and Bridges

Criminal defense in stablecoin scams, DeFi project rug pulls and cross-chain bridge exploits with specialized technical expert evidence.


Scams in the DeFi ecosystem have evolved to a level of technical sophistication that requires combining classical criminal law with knowledge of decentralized protocols, smart contracts and multi-chain architectures. The criminal lawyer must precisely identify the boundary between the technical exploit (which may be civil or atypical) and the criminal offense (fraud, misappropriation, money laundering).

Rug Pull vs. Soft Pull

The classical rug pull is the mass withdrawal of liquidity by the project's promoters: after selling the token to investors and creating the appearance of a market, the developers withdraw the funds from the pool and abandon the project. Where there is prior deception (false whitepapers, a fictitious team, invented audits), it is aggravated fraud (Art. 250 CP). The soft pull is the progressive dilution of value through abusive minting, excessive fees or unilateral changes to the smart contract: its criminal qualification is more complex and requires proving initial intent.

Bridge Exploits

Cross-chain bridges (Wormhole, Ronin, Nomad, Multichain) are critical components and have suffered multi-million dollar losses due to technical exploits. Criminal qualification depends on who exploits the bridge and with what intent. If the exploiter is a black hat who appropriates the funds: fraud, money laundering and, possibly, the computer damage offense of Art. 264 CP. If it is a white hat who returns the funds: the conduct may be atypical or covered by the necessity defense.

Pool and Liquidity Manipulation

Beyond the rug pull there are forms of on-chain market manipulation: wash trading to simulate volume, coordinated pump and dump schemes on low-cap tokens, and abuses of MEV (Maximal Extractable Value) such as sandwiching other users' orders. Their criminal fit ranges from fraud (Art. 248 CP) to the offense relating to the market and consumers (Art. 284 CP) when false information is disseminated to alter the price. Proof requires reconstructing the transactions and establishing the coordination.

Private Prosecution in DeFi Frauds

For the victim, private prosecution makes it possible to drive the investigation beyond what the authorities do ex officio: requesting precautionary measures in rem over the identified funds, requiring stablecoin issuers to freeze wallets and directing the technical expert evidence. Early coordination between criminal action and administrative freezes on USDC/USDT is what separates partial recovery from total loss.

Penal Qualification of Each DeFi Conduct: from Article 248 to Article 282 bis

A sound defence begins with something often overlooked: each DeFi manoeuvre falls under a distinct criminal type, with its own penalties and limitation periods. Where a token promoter recruits investors through a sufficient deception that induces them to commit funds, we are dealing with ordinary fraud under Article 248 of the Criminal Code (CP), punishable by 6 months to 3 years in prison; if the defrauded amount does not exceed 400 euros, the minor fraud of Article 248.3 applies (a fine of 1 to 3 months). Where the funds are captured by manipulating an automated computer process, for instance by diverting contributions through a contract or an unauthorised transfer, the correct qualification is the computer fraud of Article 249.1.a CP, carrying the same penalty of 6 months to 3 years.

The penalty rises with the aggravated subtypes of Article 250.1 CP (1 to 6 years in prison), applicable, among other situations, where the fraud affects a large number of people, is especially serious given the value of the loss, or exploits a relationship of trust; and with the hyper-aggravation of Article 250.2 CP (4 to 8 years) where circumstances of maximum gravity concur. Alongside these types, disseminating false information to investors about the situation or viability of a project, apt to induce investment, may amount to investor fraud under Article 282 bis CP. The defence's task is to contest the existence of a sufficient deception, the objective attribution of the loss, and the choice between these types, because both the penalty and the limitation period turn on it.

Stages of the Criminal Proceedings and the Competent Court in a Crypto Fraud

Proceedings usually begin with a complaint or a private prosecution (querella) before the investigating court, which opens the preliminary proceedings of the abbreviated procedure or, depending on the penalty, of the ordinary procedure. During the investigation, the court orders the inquiries that are essential in these cases: requests to exchanges and crypto-asset service providers, orders to banks regarding the on-ramps and off-ramps into and out of fiat currency, blockchain analysis and, where appropriate, precautionary measures over assets to secure future confiscation. The defence intervenes from the outset by proposing investigative steps, challenging those of the prosecution, and contesting disproportionate precautionary measures.

Objective jurisdiction depends on the penalty: the basic types of Article 248 and Article 249.1.a, and the aggravated forms of Article 250 that do not exceed certain thresholds, are tried before the Criminal Court, whereas the higher penalties of Article 250.2 fall to the Provincial Court. Territorial jurisdiction raises its own problems in the digital environment, because the deception, the disposition of assets, and the loss may occur in different places; doctrine applies criteria such as the place where the act of disposition took place or where the loss arose. Where organised structures or ramifications across several judicial districts appear, fixing the competent court is a preliminary battle worth raising early to avoid nullities.

Forensic Blockchain Expert Evidence and How a Court Weighs It

In DeFi frauds the decisive evidence is on-chain tracing. The expert report reconstructs the flow of funds from the victims' wallets to their final destination, pinpoints the moment liquidity was withdrawn, documents the interactions with the smart contract and, through address-clustering techniques and analysis of mixers, attempts to attribute control of the wallets. The defence may submit its own expert evidence to challenge the attribution inferences, recalling that control of a private key does not automatically equate to authorship by whoever appears as the registered holder of an exchange account, and that clustering heuristics are probabilistic, not certainties.

The court assesses this material under the rules of sound judicial discretion, requiring traceability, the integrity of the digital evidence, and respect for the chain of custody from the capture of the data to its incorporation into the proceedings. Fertile ground for the defence includes a break in the chain of custody, the lack of adversarial safeguards in obtaining the data, the opacity of the commercial analysis tools used, and the confusion between circumstantial inference and direct proof. A prosecution expert report that is robust technologically may fall short legally if it fails to establish intent, the deception preceding the disposition, or the defendant's actual control over the funds.

Confiscation, Asset Recovery and International Cooperation

The international dimension is inherent to these cases: exchanges domiciled outside Spain, validators and servers across multiple jurisdictions, and funds moving through decentralised protocols. Investigation relies on judicial cooperation instruments such as the European Investigation Order within the Union, and letters rogatory or mutual legal assistance requests towards third States, as well as collaboration with specialised units. Blocking or freezing crypto-assets held on centralised platforms is often the only realistic way to secure funds, because what sits in self-custodied wallets escapes the direct control of any authority.

Confiscation of the proceeds and gains of the offence, governed by Articles 127 and following CP, reaches both the crypto-assets directly obtained and the assets into which they have been transformed, and even allows confiscation of equivalent value where the original assets cannot be located or have disappeared into mixers. For the person under investigation, defending against confiscation is a separate front: contesting the link between the asset and the offence, protecting the rights of good-faith third parties, and opposing precautionary measures over assets that exceed the amount allegedly defrauded. Effective recovery for victims depends on a coordinated strategy of early securing of funds, before they are dispersed irreversibly.

Corporate Criminal Liability and Compliance in Crypto Projects

Where the project is run through a company —a token-issuing entity, a fund, or a development firm— Article 31 bis CP opens the door to the criminal liability of the legal person for offences such as fraud, investor fraud, or money laundering committed for its direct or indirect benefit by its directors or by employees under its supervision. The consequences for the entity range from a fine to dissolution, including the suspension of activities, disqualification, or judicial intervention, alongside the confiscation of corporate gains.

The existence of an organisation and management model suitable for preventing offences, adopted and effectively implemented before the offence was committed, may operate as a ground for exemption or mitigation under paragraphs 2 to 5 of Article 31 bis CP. In the crypto sector, such a model must include real controls over communications to investors, the truthfulness of the whitepaper, management of the project treasury, anti-money-laundering obligations, and the traceability of funds. The defence of the company and that of the individuals may give rise to a conflict of interest, which calls for assessing from the outset the advisability of separate defences and an orderly internal investigation that does not compromise fundamental rights.

Limitation Periods, Plea Agreements and the Boundary with the Civil and Administrative Route

Limitation periods are calculated under Article 131 CP from the maximum penalty for the offence. Fraud under Article 248 and computer fraud under Article 249.1.a, carrying up to 3 years, become time-barred after 5 years; aggravated fraud under Article 250.1 and hyper-aggravated fraud under Article 250.2 become time-barred after 10 years. Money laundering under Article 301 (6 months to 6 years in prison) is time-barred after 10 years, and negligent money laundering under Article 301.3 (6 months to 2 years) after 5 years. Tax fraud under Article 305 (1 to 5 years) is time-barred after 5 years and its aggravated form under Article 305 bis (2 to 6 years) after 10 years. Minor fraud, punished with a fine, is time-barred after 1 year.

At the closing stage, a plea agreement (conformidad) allows the case to be settled with a penalty agreed with the prosecution, usually linked to compensating the victims, which is also a significant mitigating circumstance in these offences; and, where the prison sentence imposed does not exceed two years, the suspension of its execution under conditions may be considered. It is also worth delimiting the boundary with the civil and administrative routes: not every loss in a failed project is a crime, since the risk inherent in any investment and mere breach of contract belong to the civil sphere, while supervision of the crypto-asset market falls to the administrative authority. The defence works precisely along that line, arguing when a matter should be resolved outside the criminal jurisdiction.


Penalties & Consequences: Criminal Defence for DeFi Scams: Rug Pulls, Stablecoins and Bridges

| Type / Scenario | Criminal Penalty |
| --- | --- |
| Aggravated fraud (Art. 250 CP) | Imprisonment 1-6 years for special gravity or multiplicity of victims. |
| Computer damage (Art. 264 CP) | Imprisonment 6 months to 3 years for exploits damaging systems or data. |
| Criminal organization (Art. 570 bis CP) | Imprisonment 4-8 years for leaders; 2-5 years for members. Applicable to teams of repeat rug pullers. |

* Penalties shown are indicative. The actual penalty depends on the circumstances of the case and the applicable mitigating and aggravating factors.


Defense Strategy: Criminal Defence for DeFi Scams: Rug Pulls, Stablecoins and Bridges

01. Exploit / Offense Differentiation

For the accused, establish that the conduct is civilly reproachable but criminally atypical.

02. Coordinated International Freeze

For the victim, coordinate criminal action with administrative freezes on USDC/USDT and CEX blockings.

03. Pre-Constituted Expert Evidence

Secure technical expert evidence with forensic custody before smart contracts are migrated or destroyed.

Crypto Fraud Defence: Scams, On-Chain Tracing, MiCA & Asset Seizure

Crypto-related criminal cases combine classical offences — fraud (Arts. 248-250 CP), money laundering (Art. 301 CP), tax fraud (Art. 305 CP) and criminal organisation (Art. 570 bis CP) — with the technical reality of blockchain: pseudonymous wallets, mixers, cross-chain bridges, stablecoins and DeFi protocols. There is no autonomous "crypto offence": prosecutors must fit the facts into an existing criminal type and prove the on-chain flow with admissible expert evidence. Defence therefore demands both criminal-law expertise and independent blockchain forensics.

Penalty Table: Crypto-Asset Offences

| Offence | Article | Description | Penalty |
| --- | --- | --- | --- |
| Basic crypto fraud | Arts. 248-249 | Deception inducing the transfer of crypto-assets (fake broker, fake platform) | 6 months – 3 years |
| Aggravated fraud | Art. 250 | Special gravity, multiplicity of victims or high amount | 1 – 6 years |
| Money laundering with crypto | Art. 301 | Concealing illicit origin via mixers, bridges or exchanges | 6 months – 6 years + fine |
| Crypto tax fraud | Art. 305 | Evaded quota over €120,000 per fiscal year (Form 721) | 1 – 5 years + fine |
| Computer damage / DeFi exploit | Art. 264 | Exploit damaging systems or data (smart-contract attack) | 6 months – 3 years |
| Criminal organisation | Art. 570 bis | Structured group running crypto fraud at scale | 2 – 8 years |

Key Defence Strategies

Independent Blockchain Counter-Expert

Chainalysis, Elliptic or TRM tracing graphs are interpretations, not certainties. The defence's own accredited expert can challenge address clustering heuristics, mixer assumptions and the attribution of a wallet to a specific person.

Market Contingency vs. Deception

A loss is not a crime. Many crypto disputes are investment risk, protocol failure or contractual breach — civilly reproachable but criminally atypical. The defence isolates genuine deception (Art. 248) from ordinary market loss.

Good Faith & KYC Diligence

Documented KYC, lawful source of funds, Form 721 reporting and declared capital gains rebut the knowledge element of laundering and fraud. Willful blindness must be proven, not presumed.

Criminal-Tax Bifurcation

Voluntary tax regularisation can activate the Art. 305.4 CP exemption, while the administrative track (CNMV/SEPBLAC) is handled separately from the criminal process, where defences may diverge.

Key Case Law

TS doctrine: Sufficient deception in digital environments

The Supreme Court accepts that the appearance of a legitimate trading platform or broker can constitute the 'sufficient deception' of Art. 248: the victim's error is measured against the credibility of the staged operation, not against the abstract diligence of an expert investor.

TS doctrine: Blockchain tracing as expert evidence

On-chain tracing is valid evidence but subject to expert contradiction. Traceability of a flow to a wallet does not, by itself, prove the intent (dolo) of its holder; the prosecution must still establish knowledge and control.

TS doctrine: Self-laundering and tax fraud in concurrence

Using undeclared crypto gains to make further investments may constitute self-laundering (Art. 301.1) in concurrence with tax fraud (Art. 305), creating double criminal exposure that the defence must dismantle element by element.


Why Choose Us?

Need a criminal defense lawyer for this type of offense? Here's how we work:

Smart Contract Expert Report: Audit of the contract code to establish whether the criminal behavior was structural or the result of an unforeseen exploit.
Whitepaper and Team Analysis: Verification of coherence between the project as presented and real execution to establish initial deception.
Issuer Cooperation: Contact with Circle (USDC), Tether (USDT) and other issuers to freeze balances in identified wallets.
+15 Years of Experience: Team dedicated exclusively to criminal law before Spanish courts and tribunals.
Direct Attention: Your case is handled directly by a senior lawyer of the firm.

Do you need specialised legal assistance?

The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.
