Alonso Sala
CRIMINAL LAWYERS

Criminal Lawyers in Hacking & Intrusion Defense

Criminal Lawyers in Defense against accusations

Specialist Defense in Hacking & Intrusion Crimes

The offence of unlawful access to computer systems, regulated in Art. 197 bis of the Spanish Criminal Code (introduced by Organic Law 1/2015 in compliance with the Budapest Convention and Directive 2013/40/EU on attacks against information systems), protects the security and confidentiality of computer systems and data. Often called "computer trespassing", it punishes both access to a system and merely remaining in it without authorisation, regardless of whether damage is caused, data are extracted or any benefit is obtained. Consolidated Supreme Court case-law has clarified the contours of the offence: it requires a breach of security measures, unauthorised access and intent. As criminal lawyers specialising in computer offences, we build the defence with specialised forensic computer expertise.

The typical forms of the offence are varied and increasingly sophisticated. They include access by credential breach through brute force, dictionary attacks, prior phishing, social engineering, or the use of keys leaked in data breaches; access by vulnerability exploitation (zero days, SQL injection, cross-site scripting, buffer overflow, vulnerabilities in outdated components); and improper use of legitimate credentials after termination of employment or partnership (ex-employees accessing with their non-revoked keys, separated partners maintaining access). They also include unlawfully remaining in a system that was initially accessed legitimately once authorisation has been lost (Art. 197 bis.2 CP); unauthorised pentesting and so-called "white hat hacking", which, despite its research or educational purpose, meets the elements of the offence without prior contractual authorisation; and access to third-party protected WiFi networks through key cracking.

The penalties under Art. 197 bis CP are graduated. The basic type (access by breaching security measures) carries prison from 6 months to 2 years. The unlawful permanence in the system after losing authorisation is sanctioned with the same penalty (Art. 197 bis.2 CP). When access results in discovery of secrets, the type combines with Art. 197.1 CP, raising penalties to 1-4 years' prison; if the data are disclosed or transferred, penalties rise to 2-5 years (Art. 197.3 CP). In aggravated cases (vulnerable victims, especially protected secrets, profit purposes), penalties may reach 5 years' prison. For companies, criminal liability of the legal entity is foreseen (Art. 31 bis CP). It also frequently concurs with computer damage (Art. 264 CP), computer fraud (Art. 248 CP), revelation of trade secrets (Arts. 278-280 CP) or money laundering.

The technical defence articulates several complementary lines. First, the absence of security measures: if the system was exposed without password, with default credentials (admin/admin) or without basic encryption, the typical element of "breach of security measures" is missing, excluding the type under Art. 197 bis CP. Second, the express or tacit authorisation: pentesting contracts, bug-bounty programmes, legitimately retained credentials, or lax usage policies may constitute sufficient authorisation. Third, the absence of intent: accidental access (link click, unintentional redirection), or reasonable belief of authority exclude intent. Fourth, the expert challenge of forensic attribution: logs, IPs and temporal correlations presented by the prosecution are frequently vulnerable to specialised technical counter-expertise demonstrating alternative explanations (Tor/VPN use, IP spoofing, shared devices). Fifth, the voluntary cooperation with the owner and absence of harm in ethical-hacking cases, as highly qualified mitigating factors.

In current forensic practice we observe exponential growth in hacking and computer-intrusion proceedings, especially linked to labour conflicts with ex-employees, ransomware attacks on companies, personal account hacking in couple-relationship contexts, attacks on critical infrastructures and industrial cyber-espionage operations. Directive NIS2 (EU 2022/2555) on cybersecurity, Regulation DORA EU 2022/2554 on digital operational resilience, Organic Law 1/2025 on Justice Service Efficiency and recent case-law from the Supreme Court and the National High Court on organised cybercrime have hardened the institutional framework. At Alonso Sala, we tackle each file with certified forensic computer experts (CISSP, CEH, OSCP), articulate technical counter-expertise to challenge attribution and build technically solid and procedurally aggressive defences.

Hacking Defense Services

Our hacking and intrusion offense specialists develop digital forensics and formulate solid defenses to rebut the accusation, addressing issues such as lack of intent, preexisting system vulnerability, or authorized access.

Defense Strategies

  • Absence of Security Measures: If the system was open or with default passwords ("admin/admin"), we argue that there was no security "breach", a necessary element of the offense.
  • Tacit Authorization: Common in labor or partner conflicts. If the user had legitimate keys and they were not formally revoked, there is no illicit access.

Why Alonso Sala for Hacking?

Illicit system access. Technical-legal mastery of vulnerabilities, pentesting, and forensic attribution

  • Forensic computer experts for log analysis and digital behavior evidence.
  • 'Open door' defense: absence of security measures as cause of atypicality.
  • Tacit authorization strategy in labor conflicts (credentials not revoked).
  • White hat hacking experience: no harm + company collaboration.

Cybercrime in Spain: Hacking, Phishing & Digital Fraud — Defence Guide

Cybercrime encompasses illegal access to computer systems (Art. 197 bis CP), computer damage and ransomware (Art. 264 CP), phishing and digital fraud (Art. 249.1.a CP), and the production or distribution of hacking tools (Art. 197 ter). Spain's prosecution of cybercrime has intensified dramatically, with specialised units in the National Police (BIT) and Guardia Civil (GDT) leading investigations. Defence requires a unique combination of criminal law expertise and advanced technical knowledge.

Penalty Table: Cybercrime

| Offence | Article | Description | Penalty |
|---|---|---|---|
| Illegal access to systems | Art. 197 bis | Unauthorised access breaching security measures | 6 months – 2 years |
| Interception of data | Art. 197 bis.2 | Intercepting non-public data transmissions | 3 months – 2 years |
| Production/supply of hacking tools | Art. 197 ter | Creating or distributing tools designed for cybercrime | 6 months – 2 years |
| Computer damage (basic) | Art. 264.1 | Deleting, damaging or making data inaccessible | 6 months – 3 years |
| Aggravated damage (critical infrastructure) | Art. 264.2 | Affecting essential services or critical infrastructure | 2 – 5 years prison |
| Cyber fraud (phishing) | Art. 249.1.a | IT manipulation to obtain unlawful transfer of assets | 6 months – 3 years |

Key Defence Strategies

IP Attribution Challenge

An IP address does not identify a person. Shared Wi-Fi networks, VPNs, Tor exit nodes and NAT configurations mean multiple users may share one IP. The prosecution must prove the accused was the actual user at the relevant time.

Chain of Digital Custody

Digital evidence is extremely fragile. If the police failed to image the hard drive with a write-blocker, if hash values don't match, or if evidence was handled improperly, the defence can seek exclusion of the entire digital evidence chain.

Authorised Security Testing

Ethical hacking and penetration testing carried out with the system owner's authorisation is legal. If the defendant had a written engagement contract, bug bounty agreement or responsible disclosure policy, there is no criminal offence.

Lack of 'Breaching Security Measures'

Art. 197 bis requires that security measures were breached. If the system had no password, no firewall, or the access point was public, the element of 'breaching security' may be absent, negating the offence.

Key Case Law

Supreme Court doctrine: Elements of illegal access (Art. 197 bis)

The Supreme Court confirmed that 'access' requires effectively entering the system, not merely attempting it. The prosecution must prove: (1) access occurred, (2) it was unauthorised, and (3) security measures were breached. Port scanning alone does not constitute the offence.

Supreme Court doctrine: Ransomware as combined offence

The Court ruled that ransomware attacks may constitute a concurrent offence of computer damage (Art. 264) and extortion (Art. 243 CP). The encryption of data satisfies the 'damage' element even if data is technically recoverable upon payment.

Supreme Court doctrine: Phishing and the 'money mule' defence

In phishing operations, the Court distinguished between the organiser and the 'money mule' (account holder). The mule's liability depends on proof of knowledge that the funds were illicit. Wilful blindness may suffice, but mere negligence does not.

FAQs

Is it a crime if there was no password?
This is a key defense. The crime requires 'breaching security measures'. If a system was open to the public (e.g., a shared folder without a password), access is not a crime, even if the information was private. The responsibility would lie with the owner for not protecting their data.

What if I guessed the password because it was '1234'?
Even if the password is weak, it is still a security measure. Bypassing it is breaching it, so technically it is a crime. However, the weakness of the key can be used to argue the lack of severity of the conduct.

What is 'ethical hacking'?
It's when a security expert looks for vulnerabilities in a system with the owner's authorization (pentesting). It is a legal and necessary activity. The problem arises with 'white hat hacking', when it's done without prior permission, even to report a flaw. Technically, it is a crime.

If I entered but didn't steal or delete anything, is there a crime?
Yes. Art. 197 bis punishes mere access ('digital trespassing'). It is not necessary to seize data or cause damage. The simple act of entering and 'looking' is already punishable.

An ex-employee used their old credentials to log in, is it a crime?
Yes. Even if the company forgot to revoke their credentials, they know they are no longer authorized to access. They commit a crime of illicit access, and if they also copy client data for their new company, also revelation of secrets.

What is the penalty for this crime?
The prison sentence is from 6 months to 2 years. If secrets are discovered or serious damage is caused, the penalties increase considerably.

Is accessing someone else's WiFi without permission a crime?
Accessing a password-protected WiFi network without authorization can constitute unlawful access to computer systems (Art. 197 bis CP), as well as a possible offence of telecommunications fraud.

Does ethical hacking require authorization?
Yes. Even hacking for security purposes (pentesting) requires written authorization from the system owner. Without a contract, the ethical hacker can be charged with unlawful access.

Is breaching a system to prove it is insecure a crime?
Yes. Accessing without authorization is a crime regardless of the motivation. Good intentions are not a defence. The correct route is to inform the owner of the vulnerability without exploiting it.

Can companies report hacking attempts that did not succeed?
Yes. Attempted unlawful access is punishable with a penalty one degree lower. Server logs showing intrusion attempts are valid evidence of the attempt.

Looking for a Hacking & Intrusion Defense Lawyer in Spain?

As a national law firm, we offer specialized criminal defense in courts across Madrid and the rest of Spain. We handle each Hacking & Intrusion Defense case with the urgency and technical rigor it requires from day one.

Do you need specialised legal assistance?

The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.
