Deepfakes & AI Crimes: Criminal Defense in the Digital Era
When AI becomes a weapon. Specialized criminal defense in deepfakes, voice cloning, and AI Act compliance
Last updated:
Deepfakes & AI: The New Criminal Law Frontier
The offences committed through deepfakes and generative artificial intelligence integrate an emerging criminal category that the Spanish Criminal Code does not classify as an autonomous figure, but that is effectively prosecuted by reconducting it to several classical types depending on the specific conduct: offences against privacy and one's own image (Art. 197.7 CP) in non-consensual pornographic deepfake cases; offences against minors (Art. 189 CP) when the victim is under age; impersonation of civil status (Art. 401 CP) in digital-impersonation cases; computer fraud (Art. 248 CP) in CEO-fraud-type operations with cloned voice; insults and calumny (Arts. 205-210 CP) in defamatory deepfakes; and, where applicable, hate offences (Art. 510 CP). Consolidated Supreme Court doctrine on digital evidence and forensic expertise provides criteria applicable to AI-generated audiovisual material.
The typical modalities are diverse and rapidly sophisticate. Non-consensual pornographic deepfakes: overlay of a real person's face on sexual material, frequently linked to ex-partner revenge, sextortion or school cyberbullying. AI voice cloning for CEO fraud (AI vishing), calls impersonating family members in false emergencies (grandchild/virtual-kidnapping scam), or calls to banking institutions. The generation of pornographic images of minors via AI, even without a real victim, integrates the offence under Art. 189 CP after the reform. The manipulation of judicial evidence via deepfakes purporting to prove non-existent conversations or conducts. The use of AI to generate mass phishing, polymorphic malware and personalised social-engineering campaigns. And algorithmic discrimination in AI systems deployed without the safeguards required by the AI Act.
The penalties depend on the applicable type according to the specific conduct. Non-consensual pornographic deepfakes on adults (Art. 197.7 CP) carry prison from 3 months to 1 year or fine; when specific aggravating factors concur, they can reach more severe penalties. Deepfakes involving minors (Art. 189 CP) carry prison from 1 to 5 years, expandable to 9 years in qualified cases, together with registration in the Central Sex Offenders Register and lifetime ban on working in contact with minors. Fraud with cloned voice (Arts. 248-250 CP) carries 1 to 6 years' prison. Civil-status impersonation (Art. 401 CP) sanctions with 6 months to 3 years' prison. To custodial penalties is added the administrative liability for breach of the AI Act (EU Regulation 2024/1689), with fines up to EUR 35 million or 7% of annual global turnover.
The technical defence and private-prosecution strategy articulate several lines. When representing the victim, we execute specialised forensic computer expertise to certify the deepfake nature of the material and, in parallel, manage the urgent removal of content on social media and search engines through DMCA/GDPR claims and, where applicable, judicial precautionary measures. We request from the court removal orders, identification of originating IPs and precautionary blocking of accounts. When defending the investigated, we articulate the questioned authenticity of the material through forensic counter-expertise examining visual artefacts, metadata, temporal consistency, audio spectrogram and generative-model fingerprints; the absence of intent in artistic, parody or educational use cases covered by freedom of expression; and the challenge of the digital chain of custody when the material presented by the prosecution lacks hash, time-stamp or adequate expert traceability.
In current forensic practice we observe sustained growth in proceedings linked to deepfakes and generative AI. The EU Regulation 2024/1689 (AI Act) on artificial intelligence and Organic Law 1/2022 on the integral guarantee of sexual freedom have transformed the regulatory framework, requiring platforms to implement removal protocols for synthetic content. At Alonso Sala we tackle each file as a specialised technical-legal matter: we coordinate forensic computer experts, computer-vision experts and AI Act compliance consultants, with the urgency, discretion and scientific rigour these matters require.
AI Crime Typologies
Non-consensual Deepfakes
Fake pornographic videos, AI revenge porn, sextortion. Arts. 197.7 and 189 CP.
Voice Cloning (AI Vishing)
CEO fraud with cloned voice, fake bank calls, advanced social engineering.
AI-Generated Malware
AI for phishing generation, polymorphic malware, and attack automation.
Algorithmic Discrimination
AI discriminating by race, gender, or age → criminal liability of the owner.
AI ACTEU Artificial Intelligence Act
The AI Act (EU Regulation 2024/1689) is the world's first comprehensive AI legislation. It classifies AI systems into four risk levels and establishes transparency, human oversight, and impact assessment obligations. Non-compliance can result in fines up to €35 million.
Social scoring, subliminal manipulation
Biometrics, justice, employment, credit
Deepfakes, chatbots, voice synthesis
Spam filters, games, assistants
Why Alonso Sala for Deepfakes & AI?
- psychologyForensic experts specialized in deepfake detection (artifacts, metadata, spectral analysis).
- psychologyCEO voice cloning fraud experience: defense and private prosecution.
- psychologyAI Act compliance: corporate AI system auditing.
- psychologyDefense in deepfake pornography cases: urgent content removal and criminal prosecution.
Cybercrime in Spain: Hacking, Phishing & Digital Fraud — Defence Guide
Cybercrime encompasses illegal access to computer systems (Art. 197 bis CP), computer damage and ransomware (Art. 264 CP), phishing and digital fraud (Art. 249.1.a CP), and the production or distribution of hacking tools (Art. 197 ter). Spain's prosecution of cybercrime has intensified dramatically, with specialised units in the National Police (BIT) and Guardia Civil (GDT) leading investigations. Defence requires a unique combination of criminal law expertise and advanced technical knowledge.
Penalty Table: Cybercrime
| Offence | Article | Description | Penalty |
|---|---|---|---|
| Illegal access to systems | Art. 197 bis | Unauthorised access breaching security measures | 6 months – 2 years |
| Interception of data | Art. 197 bis.2 | Intercepting non-public data transmissions | 3 months – 2 years |
| Production/supply of hacking tools | Art. 197 ter | Creating or distributing tools designed for cybercrime | 6 months – 2 years |
| Computer damage (basic) | Art. 264.1 | Deleting, damaging or making data inaccessible | 6 months – 3 years |
| Aggravated damage (critical infrastructure) | Art. 264.2 | Affecting essential services or critical infrastructure | 2 – 5 years prison |
| Cyber fraud (phishing) | Art. 249.1.a | IT manipulation to obtain unlawful transfer of assets | 6 months – 3 years |
Key Defence Strategies
IP Attribution Challenge
An IP address does not identify a person. Shared Wi-Fi networks, VPNs, Tor exit nodes and NAT configurations mean multiple users may share one IP. The prosecution must prove the accused was the actual user at the relevant time.
Chain of Digital Custody
Digital evidence is extremely fragile. If the police failed to image the hard drive with a write-blocker, if hash values don't match, or if evidence was handled improperly, the defence can seek exclusion of the entire digital evidence chain.
Authorised Security Testing
Ethical hacking and penetration testing carried out with the system owner's authorisation is legal. If the defendant had a written engagement contract, bug bounty agreement or responsible disclosure policy, there is no criminal offence.
Lack of 'Breaching Security Measures'
Art. 197 bis requires that security measures were breached. If the system had no password, no firewall, or the access point was public, the element of 'breaching security' may be absent, negating the offence.
Key Case Law
The Supreme Court confirmed that 'access' requires effectively entering the system, not merely attempting it. The prosecution must prove: (1) access occurred, (2) it was unauthorised, and (3) security measures were breached. Port scanning alone does not constitute the offence.
The Court ruled that ransomware attacks may constitute a concurrent offence of computer damage (Art. 264) and extortion (Art. 243 CP). The encryption of data satisfies the 'damage' element even if data is technically recoverable upon payment.
In phishing operations, the Court distinguished between the organiser and the 'money mule' (account holder). The mule's liability depends on proof of knowledge that the funds were illicit. Wilful blindness may suffice, but mere negligence does not.
Deepfakes & AI FAQs
Is creating a deepfake a crime in Spain?expand_more
Do pornographic deepfakes carry prison sentences?expand_more
What is the 'CEO fraud' with AI-cloned voice?expand_more
Can a deepfake be used as forensic evidence?expand_more
What does the EU AI Act say?expand_more
Is using ChatGPT to write phishing emails a crime?expand_more
What liability do companies using AI face?expand_more
How is a deepfake detected in court?expand_more
Can autonomous vehicles create criminal liability?expand_more
What if an AI discriminates or generates illegal content?expand_more
Looking for a Deepfakes & AI Crimes Lawyer in Spain?
As a pioneering firm in tech crimes, we offer specialized criminal defense in deepfakes, AI voice cloning, and EU AI Act compliance. We act with the urgency and technical knowledge these cases demand.
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.