Cyber Extortion in Turkey: Legal Consequences of Digital Blackmail and Online Threats

Introduction

Cyber extortion in Turkey is one of the most serious forms of digital crime. It usually occurs when a person uses online threats, private data, intimate images, hacked accounts, business secrets, personal information or digital access as pressure to obtain money, force the victim to do something, prevent the victim from doing something, or continue psychological control over the victim.

In practice, cyber extortion may appear as digital blackmail, sextortion, threats to publish private photographs, ransomware demands, threats to disclose customer data, blackmail through hacked social media accounts, threats to leak business secrets, fake debt collection messages, or coercive messages sent through WhatsApp, Telegram, Instagram, e-mail or anonymous accounts.

Turkish law does not use one single article named “cyber extortion.” Instead, the conduct may fall under several criminal provisions depending on the facts. The most important provisions are Turkish Penal Code Article 107 on blackmail, Article 106 on threat, Article 134 on violation of privacy, Articles 135–136 on personal data offences, and Articles 243–244 on cybercrimes involving unlawful access and interference with data. The Council of Europe identifies Articles 243, 244, 245 and 245/A as part of Turkey’s cybercrime framework, while Law No. 5651 and the Criminal Procedure Code may also become relevant for online content and digital evidence.

This article explains cyber extortion in Turkey from a practical legal perspective. It covers criminal liability, digital blackmail, online threats, sextortion, ransomware-style coercion, private data exposure, digital evidence, content removal, compensation claims, victim protection and defence strategies.

1. What Is Cyber Extortion?

Cyber extortion means using digital tools to pressure, threaten or coerce a victim. The offender may demand money, cryptocurrency, sexual images, silence, withdrawal of a complaint, performance of an act, transfer of company data, resignation from a position, or continuation of a relationship.

Common examples include:

• “Pay me or I will publish your private photos.”
• “Send money or I will send these screenshots to your family.”
• “Withdraw your complaint or I will leak your messages.”
• “Pay cryptocurrency or your company data will be published.”
• “Do what I say or I will share your identity information online.”
• “If you do not respond, I will damage your business reputation.”
• “I hacked your account; pay me to get it back.”

Cyber extortion is legally serious because it attacks the victim’s freedom of decision. The offender does not merely communicate anger or criticism. The offender uses fear, private information, digital control or unlawful pressure to force the victim into a certain conduct.

2. Blackmail Under Turkish Penal Code Article 107

The central provision for cyber extortion is usually Article 107 of the Turkish Penal Code, which regulates blackmail. Article 107 applies where a person forces another person to do something, not to do something, or obtain an unlawful benefit by using pressure connected to something the offender is entitled or obliged to do or not do. The offence is punishable by imprisonment from one to three years and a judicial fine up to five thousand days.

In digital blackmail cases, Article 107 may become relevant when the offender uses online threats to obtain a benefit or force behaviour. For example, if a person threatens to publish private photographs unless the victim pays money, this may constitute blackmail. If a person threatens to disclose private messages unless the victim continues a relationship, Article 107 may also be considered. If a former employee threatens to leak company data unless severance or additional payment is made, the same provision may become relevant depending on the facts.

The key point is coercion. The offender uses a threat or pressure to influence the victim’s will. The demanded act may be financial, personal, professional or emotional.

3. Online Threats Under Turkish Penal Code Article 106

Cyber extortion often includes online threats. Article 106 of the Turkish Penal Code punishes threats against a person’s or relative’s life, physical integrity or sexual immunity with imprisonment from six months to two years. Threats concerning serious property damage or other harm may also be punishable, subject to the legal conditions stated in the article.

In cyber extortion files, Article 106 may apply where the offender sends messages such as:

• “I will kill you.”
• “I know where you live.”
• “I will harm your family.”
• “I will come to your workplace.”
• “I will destroy your business.”
• “I will publish everything and ruin your life.”

The threat does not need to be made face-to-face. A threat sent through WhatsApp, Instagram, Telegram, SMS, e-mail, gaming chat, social media comments or anonymous accounts may still be legally relevant. The essential issue is whether the statement objectively creates fear of harm and whether the victim is targeted.

If the threat is combined with a demand for money or conduct, both Article 106 and Article 107 may need to be evaluated.

4. Sextortion in Turkey

Sextortion is one of the most common and harmful forms of cyber extortion. It usually involves threats to publish intimate images, sexual videos, private conversations or embarrassing personal content unless the victim pays money, sends more images, continues communication, or obeys the offender’s demands.

Sextortion may arise in several ways. The offender may have obtained images during a prior relationship. The offender may have recorded a video call without consent. The offender may have hacked a cloud account. The offender may use fake profiles to trick the victim into sending images. The offender may threaten to send the content to family members, employers, friends or social media followers.

Under Turkish law, sextortion may involve multiple offences:

• Blackmail under Article 107.
• Threat under Article 106.
• Violation of privacy under Article 134.
• Unlawful publication or acquisition of personal data under Article 136.
• Unauthorized access under Article 243 if an account was hacked.
• System interference or data transfer under Article 244 if data was copied or moved.

This multi-layered structure is important because the criminal complaint should not be limited to one label. It should explain how the images were obtained, what threat was made, what demand was made, whether the content was published, and whether any account was hacked.

5. Violation of Privacy and Private Images

Cyber extortion frequently involves private images, videos, voice recordings, messages or intimate information. Article 134 of the Turkish Penal Code protects private life and may apply where a person unlawfully records, obtains, discloses or publishes private-life content.

A crucial point is that consent is limited. A person may have voluntarily shared an image with one person, but this does not mean consent to public distribution. A private image sent within a relationship cannot be lawfully used as a weapon after the relationship ends. Similarly, a private message screenshot cannot automatically be published online without legal consequences.

If private images or videos are already published, the victim should preserve evidence immediately and seek urgent legal remedies. In many cases, quick removal or access blocking is as important as criminal punishment.

6. Personal Data Offences and Doxxing

Cyber extortion may involve personal data. The offender may threaten to publish identity numbers, home addresses, phone numbers, workplace details, family information, financial data, medical data, private messages or customer data. This is often called doxxing.

Under Turkish law, personal data offences are regulated under Articles 135 to 140 of the Turkish Penal Code. The Personal Data Protection Law No. 6698 also states that crimes concerning personal data are subject to Articles 135 to 140 of the Turkish Penal Code. Article 136 punishes unlawfully delivering, publishing or acquiring personal data.

If an offender says, “Pay me or I will publish your address and identity information,” the case may involve both blackmail and personal data offences. If the data is actually published, the criminal exposure may become more serious. If the data was obtained from a hacked system or company database, cybercrime provisions may also apply.

7. Cyber Extortion Through Hacked Accounts

A common cyber extortion scenario is account takeover. The offender hacks a social media account, e-mail account, cloud account or business page and then demands payment to return access or avoid publication of private data.

This may involve Article 243, which punishes unlawful access to an information system, and Article 244, which punishes system interference, data deletion, data alteration, data transfer or making data inaccessible. Article 244 is especially relevant where the offender changes passwords, blocks the rightful user’s access, transfers files, deletes messages or publishes content from the hacked account.

For example, if an Instagram account is hacked and the hacker demands money to return it, the file may include unlawful access, system interference and blackmail. If the hacker uses the account to deceive followers into sending money, qualified fraud may also become relevant.

Victims should preserve login alerts, password change e-mails, recovery messages, suspicious device information, messages from the hacker, cryptocurrency wallet addresses, IBAN numbers and screenshots of unauthorized posts.

8. Ransomware and Corporate Cyber Extortion

Cyber extortion is not limited to individuals. Companies may be targeted through ransomware and data leak threats. A ransomware group may encrypt company data and demand cryptocurrency. In more advanced attacks, the group may also steal company files and threaten to publish customer records, contracts, employee files or trade secrets.

In Turkey, ransomware-style extortion may involve:

• Article 243 if systems were unlawfully accessed.
• Article 244 if systems were disrupted or data was made inaccessible.
• Article 107 if payment is demanded through coercive threats.
• Personal data offences if customer or employee data is obtained or published.
• KVKK data breach obligations if personal data is affected.

Where processed personal data is obtained by others through unlawful methods, Turkish data protection practice requires breach assessment and notification duties. The Personal Data Protection Board’s Decision No. 2019/10 requires controllers to document personal data breaches and notify the Board without delay, with the 72-hour interpretation widely applied in breach practice.

For companies, ransomware is therefore not only an IT issue. It is a criminal law, data protection, corporate governance, insurance and contractual risk.

9. Digital Evidence in Cyber Extortion Cases

Digital evidence is the foundation of cyber extortion investigations. Victims should preserve all available evidence before deleting messages, blocking accounts or changing devices.

Important evidence includes:

• WhatsApp, Telegram, Instagram, SMS or e-mail messages.
• Screenshots showing username, date, time and platform.
• Voice messages.
• E-mail headers.
• Cryptocurrency wallet addresses.
• IBAN numbers and bank account details.
• Phone numbers.
• Fake profile URLs.
• Private image publication links.
• Login alerts and account recovery e-mails.
• IP or device information if available.
• Ransom notes.
• Server logs in corporate cases.
• Witness statements from persons who received the threatened content.

Screenshots are useful but may not be enough alone. Whenever possible, original messages, URLs, e-mail headers, platform notifications and bank records should also be preserved. If content is visible online, a notarial determination or technical preservation method may strengthen the evidence.

10. Criminal Complaint Strategy for Victims

A criminal complaint for cyber extortion should be detailed, chronological and evidence-based. The complaint should clearly explain:

• Who the victim is.
• How the offender contacted the victim.
• What threat was made.
• What demand was made.
• Which platform or account was used.
• Whether private images or data were involved.
• Whether the content was already published.
• Whether any account was hacked.
• Whether money was paid.
• Whether bank accounts, crypto wallets or phone numbers were used.
• Whether the offender is known or anonymous.
• Which evidence is attached.

The complaint should request investigation under relevant provisions, including Articles 106, 107, 134, 136, 243 and 244 where applicable. It should also request urgent preservation of platform records, identification of IP logs, bank account records, telecom records, device examination and content removal steps where necessary.

In cyber extortion, speed matters. Digital accounts may disappear, usernames may change, messages may be deleted, funds may be transferred, and private content may spread quickly.

11. Should the Victim Pay the Blackmailer?

Victims often ask whether they should pay. Legally and practically, payment is risky. Payment does not guarantee that the offender will delete the content or stop threats. In many cases, payment encourages further demands. The offender may ask for more money, threaten again, or publish the content anyway.

Instead of paying immediately, the victim should preserve evidence, avoid emotional replies, secure accounts, notify trusted persons if necessary, file a criminal complaint and seek urgent removal or access blocking if private content is online.

Where there is an immediate safety risk, the victim should also consider protective measures and emergency law enforcement support. The correct response depends on the facts, but paying without legal strategy often makes the situation worse.

12. Content Removal and Access Blocking Under Law No. 5651

If private images, personal data, defamatory content or blackmail material are published online, criminal investigation alone may not be enough. The victim may need urgent removal or access blocking.

Law No. 5651 regulates internet publications and certain access blocking procedures. Article 9/A is particularly important for violations of privacy of private life. Current English legal materials explain that Article 9/A allows a person whose privacy is violated through internet content to apply for access blocking, and the measure is designed to operate quickly in privacy-related cases.

In cyber extortion cases involving intimate images, private videos, private messages, home address exposure or sensitive private information, Article 9/A may be a critical remedy. However, evidence should be preserved before removal is requested. If the content disappears without documentation, the criminal case may become harder to prove.

13. KVKK Issues in Corporate Cyber Extortion

Where cyber extortion involves company-held personal data, the Personal Data Protection Law becomes relevant. For example, a former employee may threaten to publish customer data. A ransomware group may threaten to leak employee files. A hacker may demand money after copying patient records from a clinic.

In these situations, the company must assess whether personal data has been obtained by unauthorized persons. The Board’s Decision No. 2019/10 requires controllers to document breaches, and breach notification must be considered without delay. If notification cannot be made within the expected timeframe, reasons for delay should be recorded and explained.

The company should also preserve forensic evidence, identify affected data categories, contain the incident, review whether special category data is involved, assess notification to affected persons and prepare a criminal complaint.

14. Civil Compensation Claims

Cyber extortion may cause serious material and moral damages. Victims may claim compensation depending on the facts.

Material damages may include:

• Money paid to the blackmailer.
• Financial loss due to fraud.
• Costs of account recovery.
• Legal expenses.
• Technical forensic expenses.
• Reputation management costs.
• Business interruption losses.
• Customer loss in corporate cases.

Moral damages may arise from fear, humiliation, anxiety, reputational harm, violation of privacy, exposure of intimate images, family pressure or psychological trauma.

A criminal investigation may support a civil compensation claim, but civil liability still requires proof of unlawful act, damage and causal connection. Therefore, victims should document all harm carefully.

15. Cyber Extortion Against Businesses

Businesses may face cyber extortion through ransomware, stolen customer data, leaked trade secrets, fake negative campaigns, hacked social media accounts or threats from former employees.

Examples include:

• A former employee threatens to publish customer lists.
• A hacker threatens to leak accounting records.
• A ransomware group threatens to publish contracts.
• A social media account is hacked and payment is demanded.
• A competitor-linked person threatens to release confidential pricing data.
• A person threatens to publish false accusations unless paid.

Companies should respond with a coordinated plan: preserve evidence, involve legal counsel, isolate affected systems, assess KVKK obligations, notify insurers if applicable, avoid uncontrolled communication with the attacker, and prepare criminal and civil remedies.

16. Former Employees and Digital Blackmail

Former employee extortion can be especially sensitive. A former employee may possess customer lists, documents, passwords, internal correspondence or personal data. If the employee threatens to disclose this information unless the company pays money or gives additional benefits, Article 107 may be relevant. If the employee accessed systems after termination, Article 243 may also apply. If data was copied, transferred or deleted, Article 244 and personal data offences may be considered.

Companies should have strong offboarding procedures. Access should be revoked immediately, shared passwords should be changed, devices should be collected, and data downloads before termination should be reviewed. Clear confidentiality and IT policies make later legal action stronger.

17. Defence Strategies in Cyber Extortion Allegations

A person accused of cyber extortion may face serious criminal consequences. Defence strategy should examine each element carefully.

Possible defence arguments include:

• No threat was made.
• The message was taken out of context.
• The accused did not demand unlawful benefit.
• The accused did not control the account that sent the messages.
• The account was fake or hacked.
• The screenshots are incomplete or manipulated.
• The alleged private data was not obtained by the accused.
• There was no intent to coerce.
• The dispute is civil or commercial, not criminal.
• The accused had lawful possession of the data.
• The evidence was obtained unlawfully.
• The complainant filed after deleting relevant context.

In digital cases, identity is often disputed. The prosecution must prove that the accused personally controlled the account, phone number, device, wallet or bank account used in the extortion. Suspicion is not enough for conviction.

18. Online Threats, Free Speech and Criminal Boundaries

Not every angry online message is cyber extortion. Turkish law must distinguish between criminal threats, blackmail, insult, harsh criticism, emotional arguments, commercial disputes and lawful warnings.

For example, saying “I will file a lawsuit” is generally different from saying “Pay me or I will publish your private images.” A lawful warning to exercise a legal right may not be blackmail by itself. However, using private data, false accusations or unlawful pressure to force payment or conduct may cross the criminal boundary.

Context is therefore essential. Courts and prosecutors evaluate the wording, relationship between parties, demanded benefit, seriousness of the threat, whether private data was used, whether the offender had unlawful intent and whether the victim’s freedom of decision was affected.

19. Practical Checklist for Victims

A victim of cyber extortion in Turkey should act quickly:

1. Do not delete messages.
2. Take screenshots showing date, time, account and platform.
3. Save original messages and e-mails.
4. Preserve URLs of published content.
5. Do not send more private images.
6. Do not pay without legal assessment.
7. Secure e-mail and social media accounts.
8. Change passwords and enable two-factor authentication.
9. Preserve bank or crypto payment demands.
10. Identify phone numbers, IBANs and wallet addresses.
11. File a criminal complaint.
12. Request urgent platform and IP records.
13. Seek access blocking if private content is online.
14. Notify the company or institution if corporate data is involved.
15. Seek psychological and legal support if the threat is severe.

This structured approach helps protect both the victim’s safety and the criminal file.

20. Practical Checklist for Companies

A company facing cyber extortion should:

• Preserve server logs, e-mails, ransom notes and messages.
• Isolate affected systems if hacking is involved.
• Identify whether personal data is affected.
• Assess KVKK notification duties.
• Preserve evidence before restoring systems.
• Review whether former employees or vendors are involved.
• Avoid informal negotiations without legal strategy.
• Notify cyber insurance providers if applicable.
• Prepare a criminal complaint.
• Consider civil injunctions if trade secrets are threatened.
• Prepare internal and external communication carefully.
• Review cybersecurity and access control weaknesses.

Corporate cyber extortion can escalate quickly. A weak first response may lead to lost evidence, missed notification deadlines and reputational damage.

21. Why Legal Assistance Is Important

Cyber extortion cases require urgent and careful legal action. Victims may be under emotional pressure, companies may face operational crisis, and suspects may face serious criminal charges based on digital evidence.

A Turkish cybercrime lawyer can assist with:

• Criminal complaint preparation.
• Evidence preservation.
• Content removal and access blocking.
• KVKK breach assessment.
• Coordination with forensic experts.
• Bank and cryptocurrency evidence.
• Civil compensation claims.
• Protective measures.
• Defence against extortion allegations.
• Expert report objections.
• Digital evidence challenges.

The most effective strategy combines criminal law, digital evidence, data protection, internet law and civil remedies.

Conclusion

Cyber extortion in Turkey is a serious legal issue involving digital blackmail, online threats, sextortion, hacked accounts, ransomware demands, private data exposure and corporate data leak threats. The main legal provisions include Turkish Penal Code Article 107 on blackmail, Article 106 on threat, Article 134 on privacy, Articles 135–136 on personal data offences, Article 243 on unlawful access and Article 244 on system interference.

For victims, the key steps are fast evidence preservation, account security, criminal complaint, content removal where necessary and careful documentation of harm. For companies, cyber extortion requires incident response, forensic preservation, KVKK assessment and coordinated legal action. For suspects, the defence must focus on identity, intent, context, authenticity of evidence and whether the statutory elements of blackmail or threat are actually proven.

Cyber extortion is not merely an online argument. It is coercive conduct that may attack privacy, dignity, property, reputation, commercial security and freedom of decision. Turkish law provides multiple criminal, civil and digital remedies, but successful action depends on speed, evidence and correct legal classification.