Generative AI Fraud: Deepfakes, Vishing and Impersonation
Criminal defense and prosecution of fraud perpetrated with generative AI: deepfakes, cloned voice (vishing), automated CEO fraud, deepnudes and digital evidence manipulation.
Last updated:
The New Frontier
Generative AI has multiplied the sophistication and volume of digital fraud. Image, video and audio models allow creating hyper-realistic deepfakes, cloning voices with minutes of audio, generating indistinguishable false documentation and automating social engineering at scale. Deepfake and cloned-voice fraud has multiplied in Spain in recent years.
This is the macro landing of our family. For specific topics see deepfake challenge, voice cloning vishing, sexual deepfakes, algorithmic expert evidence and AI digital evidence.
Most Widespread Typologies
- Non-consensual sexual deepfake.
- Deepnudes.
- CEO fraud with cloned voice.
- Targeted vishing.
- Real-time video call deepfake.
- Evidence manipulation.
- Identity impersonation for opening bank accounts.
- Romantic scam with synthetic avatar video.
Legal Framework
The Criminal Code already allows these conducts to be prosecuted: non-consensual distribution of intimate images —including synthetic ones— through offenses against privacy (Art. 197.7 CP) and moral integrity (Art. 173 CP); aggravated fraud (Arts. 248 and 250 CP) when especially sophisticated means are used; and civil-status usurpation (Art. 401 CP). A reform introducing a specific offense for sexual deepfakes and reinforcing synthetic-content labeling is also in progress. Regulation EU 2024/1689 (EU AI Act) imposes on generative AI providers obligations of transparency and identifiable watermark marking.
Digital Evidence
Expert challenge of synthetic content is the key defense piece. Forensic markers include: spectral artifact analysis in audio, lighting and blinking inconsistencies in video, absence of subtle physiological markers, metadata and EXIF analysis, and comparison with known models. We work with generative AI forensic experts in each case.
Our AI Methodology
We apply a five-phase protocol: immediate forensic capture; technical expertise with two independent experts; procedural defense adapted to type and jurisdiction; content removal through platform coordination and AEPD; patrimonial recovery in financial fraud with preventive seizure order.
Penalty Chart
| Type / Scenario | Criminal Penalty |
|---|---|
| Sexual deepfake (Arts. 197.7 and 173 CP) | Non-consensual distribution of intimate images, including synthetic ones, is prosecuted as an offense against privacy and moral integrity. |
| Aggravated fraud (Arts. 248 and 250 CP) | 1 to 6 years' imprisonment when cloned voice or deepfake is used in CEO fraud exceeding €50,000. |
| Identity impersonation (Art. 401 CP) | 6 months to 3 years' imprisonment for civil status usurpation. |
| Privacy offense (Art. 197 CP) | 1 to 4 years' imprisonment when there is personal data discovery or distribution. |
* Penalties shown are indicative. The actual penalty depends on case circumstances, applicable mitigating and aggravating factors.
Our Defense Strategy
Urgent 72h action
Capture, rapid expert analysis and distribution blocking in first 72h, key to limit damage.
Private prosecution
Appearance as private prosecution to drive investigation and obtain seizure order.
Ex delicto civil claim
Moral and patrimonial damages claim within the same criminal procedure.
AEPD coordination
Parallel claim before AEPD for illicit personal data processing, with autonomous sanction.
Cybercrime in Spain: Hacking, Phishing & Digital Fraud — Defence Guide
Cybercrime encompasses illegal access to computer systems (Art. 197 bis CP), computer damage and ransomware (Art. 264 CP), phishing and digital fraud (Art. 249.1.a CP), and the production or distribution of hacking tools (Art. 197 ter). Spain's prosecution of cybercrime has intensified dramatically, with specialised units in the National Police (BIT) and Guardia Civil (GDT) leading investigations. Defence requires a unique combination of criminal law expertise and advanced technical knowledge.
Penalty Table: Cybercrime
| Offence | Article | Description | Penalty |
|---|---|---|---|
| Illegal access to systems | Art. 197 bis | Unauthorised access breaching security measures | 6 months – 2 years |
| Interception of data | Art. 197 bis.2 | Intercepting non-public data transmissions | 3 months – 2 years |
| Production/supply of hacking tools | Art. 197 ter | Creating or distributing tools designed for cybercrime | 6 months – 2 years |
| Computer damage (basic) | Art. 264.1 | Deleting, damaging or making data inaccessible | 6 months – 3 years |
| Aggravated damage (critical infrastructure) | Art. 264.2 | Affecting essential services or critical infrastructure | 2 – 5 years prison |
| Cyber fraud (phishing) | Art. 249.1.a | IT manipulation to obtain unlawful transfer of assets | 6 months – 3 years |
Key Defence Strategies
IP Attribution Challenge
An IP address does not identify a person. Shared Wi-Fi networks, VPNs, Tor exit nodes and NAT configurations mean multiple users may share one IP. The prosecution must prove the accused was the actual user at the relevant time.
Chain of Digital Custody
Digital evidence is extremely fragile. If the police failed to image the hard drive with a write-blocker, if hash values don't match, or if evidence was handled improperly, the defence can seek exclusion of the entire digital evidence chain.
Authorised Security Testing
Ethical hacking and penetration testing carried out with the system owner's authorisation is legal. If the defendant had a written engagement contract, bug bounty agreement or responsible disclosure policy, there is no criminal offence.
Lack of 'Breaching Security Measures'
Art. 197 bis requires that security measures were breached. If the system had no password, no firewall, or the access point was public, the element of 'breaching security' may be absent, negating the offence.
Key Case Law
The Supreme Court confirmed that 'access' requires effectively entering the system, not merely attempting it. The prosecution must prove: (1) access occurred, (2) it was unauthorised, and (3) security measures were breached. Port scanning alone does not constitute the offence.
The Court ruled that ransomware attacks may constitute a concurrent offence of computer damage (Art. 264) and extortion (Art. 243 CP). The encryption of data satisfies the 'damage' element even if data is technically recoverable upon payment.
In phishing operations, the Court distinguished between the organiser and the 'money mule' (account holder). The mule's liability depends on proof of knowledge that the funds were illicit. Wilful blindness may suffice, but mere negligence does not.
Why Choose Us?
Need a criminal defense lawyer for this type of offense? Here's how we work:
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.