Introduction
Cybercrime defence in Turkey requires a combination of criminal law knowledge, digital evidence analysis, technical understanding and procedural strategy. Cybercrime allegations are often based on IP logs, device records, screenshots, bank transactions, server logs, social media accounts, e-mail headers, mobile phone examinations, cloud records, expert reports and statements of complainants. However, digital evidence can be incomplete, misinterpreted, unlawfully obtained or insufficient to prove the accused person’s identity and criminal intent.
Under Turkish law, cybercrime cases may involve several offences under the Turkish Penal Code No. 5237. The most important provisions are Article 243 on unlawful access to information systems, Article 244 on system interference and data manipulation, Article 245 on misuse of bank or credit cards and Article 245/A on prohibited devices or programs. The Council of Europe’s cybercrime profile for Turkey identifies these provisions as part of Turkey’s substantive cybercrime legislation and also notes the relevance of the Turkish Criminal Procedure Code, Law No. 5651 and international cooperation rules.
A suspect or defendant in a cybercrime file should not assume that technical records automatically prove guilt. In many cases, the central defence issues are whether the accused had authorization, whether the alleged access was unlawful, whether the IP address truly identifies the accused, whether the device was shared or compromised, whether the evidence was lawfully collected, whether the expert report is complete and whether the correct legal classification was used.
This article provides a comprehensive legal guide to cybercrime defence in Turkey. It explains common charges, digital evidence challenges, procedural objections, expert report strategies, defence against unauthorized access allegations, defence against system interference allegations, bank card fraud defence, data breach defence and practical strategies for suspects and defendants.
1. Understanding Cybercrime Charges in Turkey
Cybercrime defence begins with identifying the exact charge. The word “cybercrime” is broad and may refer to very different offences. A person may be accused of hacking an e-mail account, deleting company data, transferring customer records, using another person’s credit card, participating in phishing, possessing prohibited software, sharing personal data or disrupting a digital system.
Article 243 of the Turkish Penal Code punishes unlawful access to all or part of an information system or remaining in such system without authorization. Article 244 punishes preventing or disrupting the operation of a system, deleting, altering, making inaccessible, inserting or transferring data. Article 245 addresses misuse of bank or credit cards. UNODC’s database lists Articles 243–245 under Turkish cybercrime legislation concerning acts against confidentiality, integrity and availability of computer data and systems.
The legal strategy changes depending on the charge. In an Article 243 case, the defence may focus on authorization, consent, identity and intent. In an Article 244 case, the defence must also address whether data was actually deleted, altered, transferred or made inaccessible. In an Article 245 case, the defence may focus on cardholder consent, benefit, transaction records, delivery address, bank logs and whether the accused personally used the card.
A strong defence should not treat all cybercrime allegations as the same. The petition should separate each alleged act and test whether the statutory elements are proven.
2. The Presumption of Innocence and Burden of Proof
Cybercrime files often create a psychological disadvantage for suspects because technical terms may make accusations appear stronger than they are. However, the basic principles of criminal law remain unchanged. The prosecution must prove the offence beyond reasonable doubt. The defendant does not have to prove innocence; the prosecution must prove guilt.
This is especially important where evidence is indirect. An IP address may show a connection, but not necessarily who used the device. A bank account may receive money, but that does not automatically prove that the account holder designed the fraud. A phone number may be registered in someone’s name, but another person may have used it. A username may appear in logs, but the password may have been shared, stolen or saved on a device used by multiple people.
The defence should constantly bring the court back to the statutory elements: act, unlawfulness, identity, intent, causation and result. Technical suspicion is not the same as criminal proof.
3. Defence Against Unlawful Access Allegations: TCK Article 243
Article 243 cases usually involve allegations that the suspect entered an e-mail account, social media account, company system, cloud storage, database, mobile application, online banking account or website panel without authorization.
The first defence question is whether access occurred. Sometimes the allegation is based only on the complainant’s assumption. The account may have been accessed by another person, by the complainant’s own device, by an automated service, by a saved session or by an unknown third party.
The second question is whether the access was unlawful. A person may have been authorized to access a system as an employee, contractor, spouse, business partner, social media manager, IT technician or account administrator. Consent may be express or implied, but its scope matters. If the accused had permission to manage a social media account, entry into that account may not be unlawful. If the accused had a company login for work purposes, ordinary work access may not constitute a crime.
The third question is whether the accused had criminal intent. Accidental access, misunderstanding, shared passwords, automatic login, saved browser credentials or system misconfiguration may weaken intent.
In Article 243 defence, the lawyer should collect employment documents, access authorization records, messages showing consent, password-sharing evidence, IT policies, termination dates, system logs and any proof that the accused had a lawful reason to access the system.
4. Defence Against System Interference Allegations: TCK Article 244
Article 244 allegations are more serious because they involve disruption of system operation or interference with data. The prosecution may claim that the defendant deleted files, changed passwords, transferred data, inserted malicious code, blocked access, disrupted a server or made data inaccessible.
The defence should not accept broad technical allegations without proof. It must ask:
Was the system actually disrupted?
Which data was allegedly deleted, altered or transferred?
When did the alleged act occur?
Which account performed the act?
Who controlled that account at the relevant time?
Was the data restored from backup?
Was there a technical failure unrelated to the accused?
Was the accused authorized to perform maintenance, migration, deletion or backup operations?
Could another user have caused the same result?
Are logs complete and reliable?
Article 244 requires more than dissatisfaction with a technical outcome. A company may lose data because of poor backup practices, system error, expired software, vendor problems, ordinary maintenance or accidental deletion. To convict under Article 244, the prosecution must prove intentional unlawful interference.
In many files, the best defence is correct legal classification. If the evidence shows only access but no proven deletion, alteration, transfer or disruption, the charge should not be treated as Article 244. It may be Article 243 at most, or it may not be a crime at all if authorization existed.
5. Defence in Bank and Credit Card Misuse Cases: TCK Article 245
Article 245 cases may involve unauthorized card use, online card transactions, fake payment pages, card-not-present purchases, contactless payments, ATM withdrawals, delivery of goods to suspicious addresses or use of counterfeit cards.
The defence should examine whether the accused actually used the card or obtained benefit. Bank records alone may not prove personal use. The investigation should identify the merchant, delivery address, IP address, phone number, e-mail address, device information, recipient of goods and whether the accused received or benefited from the transaction.
Common defence arguments include:
The cardholder gave consent.
The accused did not perform the transaction.
The address was shared by multiple people.
The phone number was registered but used by someone else.
The IP address does not identify the accused.
The accused did not receive the goods.
The accused’s bank account was used without knowledge.
The accused was deceived as a money mule.
There is no proof of intent or benefit.
In online card fraud cases, the defence should request merchant records, cargo delivery records, CCTV, 3D Secure logs, bank authentication records, phone records and platform account data. Without these, the evidence may be incomplete.
6. Defence Against Prohibited Device or Program Allegations: TCK Article 245/A
Article 245/A concerns prohibited devices, programs, passwords or security codes designed or used for committing cybercrime or other offences through information systems. This article can be sensitive because many cybersecurity tools may have both lawful and unlawful uses.
A penetration tester, cybersecurity researcher, IT auditor or system administrator may possess tools that could be misinterpreted. The decisive issue is purpose, authorization and context. A tool used under a written penetration-testing contract is very different from a tool used to steal credentials or commit phishing.
The defence should collect:
Cybersecurity employment records.
Penetration testing contracts.
Scope documents.
Client authorization.
Professional certifications.
Reports prepared by the accused.
Tool usage logs.
Evidence of lawful research or audit activity.
Absence of unlawful deployment.
The defence should argue that possession of technical tools is not enough by itself. The prosecution must prove that the tools were created, obtained, possessed or used for the criminal purpose described by law.
7. Digital Evidence Is Not Automatically Reliable
Digital evidence may appear objective, but it can be wrong, incomplete or misleading. Logs may be missing. Timestamps may use different time zones. IP addresses may be dynamic. Devices may be shared. Accounts may be compromised. Screenshots may be edited. Malware may perform actions without the user’s knowledge. Remote access tools may allow third-party control.
Therefore, cybercrime defence must challenge digital evidence scientifically. The defence should avoid general statements such as “I did not do it” only. Instead, it should identify technical weaknesses and request additional investigation.
Key questions include:
Was the original data preserved?
Was a forensic image taken?
Were hash values calculated?
Was the chain of custody documented?
Were logs complete?
Were time zones checked?
Was the IP address matched with port information where necessary?
Was the device examined for malware?
Was the account accessed by multiple devices?
Was the evidence obtained within the scope of judicial authorization?
Was the expert report based on original records or screenshots?
These questions can determine the outcome of the case.
8. CMK Article 134 and Search of Digital Devices
In Turkish criminal procedure, digital evidence collection from computers, computer programs and computer records is regulated under Article 134 of the Criminal Procedure Code. UNODC’s text of Article 134 states that, during seizure of computers or computer records, all data in the system shall be copied, and that a copy of the copied data may be given to the suspect or counsel upon request, with the exchange recorded and signed.
This provision is central to defence. If a computer, phone, hard drive, server or digital record was seized or copied without compliance with procedural safeguards, the defence may raise unlawful evidence objections. The defence should examine whether there was a valid judicial decision, whether the search was based on concrete suspicion, whether evidence could be obtained by another method, whether copying was properly performed, whether the suspect or counsel received a copy when requested, and whether the device was returned when legally required.
A procedural violation does not automatically decide every case, but it may seriously affect admissibility and reliability. In cybercrime defence, CMK Article 134 should be analyzed carefully in every file involving device seizure, forensic imaging or digital extraction.
9. Chain of Custody and Forensic Integrity
Chain of custody means the documented history of evidence from collection to court. In digital evidence, chain of custody is essential because data can be easily altered, copied or deleted.
The defence should request documentation showing:
Who collected the device or data.
Where and when it was collected.
Whether it was sealed.
Whether a forensic image was created.
Which software was used.
Whether hash values were calculated.
Who accessed the evidence.
Where the evidence was stored.
Whether the original data remained unchanged.
Whether the expert examined original data or a copy.
If chain of custody is weak, the defence may argue that the evidence cannot be trusted. For example, if a company’s IT employee copied files before the police arrived, changed metadata or failed to document the process, the defence may challenge authenticity. If screenshots were submitted without original platform data, the defence may challenge manipulation risk.
10. IP Address Defence
Many cybercrime allegations rely heavily on IP address records. However, an IP address usually identifies an internet connection, not necessarily the individual user. A household Wi-Fi network may be used by family members, guests or neighbours. A workplace network may be used by dozens or hundreds of employees. Public Wi-Fi may be used by unknown persons. VPNs, proxies, TOR and remote access tools may hide the real user.
The defence should examine:
Was the IP address static or dynamic?
Was the correct date and time used?
Was the time zone correct?
Was the port number necessary and recorded?
Who had access to the network?
Was the modem secure?
Was Wi-Fi shared?
Was there CCTV or device evidence?
Was the accused’s device actually identified?
Could malware or remote access explain the activity?
An IP record may be a starting point for investigation, but it should not be treated as conclusive proof of guilt without supporting evidence.
11. Shared Device and Shared Account Defence
Cybercrime allegations often involve shared devices or accounts. A family computer, office laptop, company tablet, shared e-mail account, shared social media account or business software login may be used by multiple people.
If the prosecution relies on account activity, the defence should ask whether the accused personally performed the action. If the login credentials were known by several employees, the prosecution must prove which person used them. If a company failed to assign individual user accounts and used shared administrator passwords, attribution becomes difficult.
The defence should request evidence such as device assignment records, employee schedules, CCTV, login device fingerprints, keyboard language settings, browser history, account recovery logs, file metadata and messages showing who controlled the account.
12. Malware, Remote Access and Device Compromise
A defendant may be accused based on activity from their device. However, the device may have been compromised. Malware can send data, log keystrokes, open remote sessions, transfer files or use the device as part of a botnet. Remote access tools can allow another person to control a computer.
The defence should request forensic examination for:
Malware traces.
Remote desktop logs.
Unauthorized remote access tools.
Suspicious scheduled tasks.
Unknown administrator accounts.
Browser credential theft.
Unusual network connections.
Antivirus alerts.
System event logs.
Persistence mechanisms.
If the device was not examined for compromise, an expert report may be incomplete. In serious cases, an independent technical opinion can be essential.
13. Challenging Screenshots and Chat Records
Screenshots are common in cybercrime files, especially in social media hacking, threats, fraud, phishing and personal data cases. However, screenshots are weak if unsupported. They may be edited, cropped, fabricated or taken out of context.
The defence should ask:
Is there original platform data?
Is the URL visible?
Is the username identifiable?
Are dates and times visible?
Was a notarial determination made?
Were messages exported from the original device?
Was the phone examined?
Can the platform confirm the content?
Are there missing messages before or after the screenshot?
Did the complainant alter or delete any messages?
Screenshots may support suspicion, but they should not be the only basis for conviction unless authenticity and context are established.
14. Expert Report Objections
Cybercrime cases often rely on expert reports. However, expert reports may be incomplete, overly general, technically weak or based on insufficient data. The defence should not accept an expert report merely because it uses technical language.
Effective objections should be specific. The defence may argue that the expert did not examine the original device, did not verify hash values, did not analyze malware possibility, did not check time zone differences, did not identify the user behind the account, did not compare logs, did not address defence questions, or exceeded the expert’s field.
The defence may request:
An additional expert report.
A new expert panel.
Examination of original data.
Malware analysis.
IP and port verification.
Timeline reconstruction.
Hash verification.
Analysis of account access history.
Comparison of bank, phone and device records.
Clarification of ambiguous technical findings.
In complex cases, a private technical opinion may help the lawyer prepare effective objections.
15. Intent as a Core Defence Issue
Most cybercrime offences require intent. The prosecution must prove that the defendant knowingly and willingly committed the unlawful act. Technical activity alone may not prove intent.
For example, an employee may download files as part of work. A person may access an account because the password was voluntarily shared. A technician may use a cybersecurity tool under a service contract. A user may click a link without knowing it is malicious. A bank account holder may receive money without knowing it came from fraud.
The defence should focus on the defendant’s purpose and state of mind. Evidence of lawful purpose may include contracts, employment duties, prior consent, messages, invoices, task instructions, service tickets, e-mails, company policies and ordinary work practice.
Where intent is not proven, conviction should not be based on suspicion.
16. Authorization and Consent Defence
Authorization is one of the strongest defence arguments in cybercrime cases. Many disputes arise in business, family, employment or partnership relationships where access was once permitted.
Examples include:
A social media manager accessing a company account.
An employee using a CRM system.
A spouse using a shared e-mail password.
An IT contractor entering a client server.
A business partner using a shared cloud folder.
A software developer maintaining a platform.
The defence should prove the scope of authorization. If access was permitted for the relevant time, system and purpose, Article 243 may not apply. If data operations were part of authorized work, Article 244 may not apply.
However, authorization is not unlimited. The defence should avoid overclaiming. It should show why the specific act was within the specific permission granted.
17. Distinguishing Civil Disputes from Cybercrimes
Not every digital dispute is a crime. Many cybercrime complaints arise from employment conflicts, commercial disagreements, unpaid software invoices, social media management disputes, family arguments, partnership breakdowns or customer complaints.
A software developer may disable services because of a contractual dispute. A company may accuse a former employee of stealing data when the employee only retained files needed for unpaid wage claims. A business partner may access a shared account during a commercial conflict. A card transaction may be disputed but previously authorized.
The defence should argue civil nature where appropriate. Criminal law should not be used as pressure in contractual disputes unless statutory crime elements are clearly present.
18. Money Mule Defence in Cyber Fraud Cases
In phishing and online fraud files, suspects may be accused because money entered their bank account. Some account holders knowingly assist fraud. Others are deceived by fake job offers, commission promises or requests to “receive and forward payment.”
The defence should examine:
Who contacted the accused?
What explanation was given?
Did the accused know the criminal source?
Did the accused keep commission?
How quickly was money withdrawn?
Were there communications with organizers?
Did the accused report suspicious activity?
Was the accused young, inexperienced or exploited?
Did the accused benefit significantly?
Being a bank account holder is not automatically the same as being a fraudster. The prosecution must prove knowledge and intent.
19. Defence in Personal Data Cybercrime Cases
Cybercrime allegations often include personal data offences under Turkish Penal Code Articles 135 and 136. Article 136 punishes unlawfully delivering, publishing or acquiring personal data, while Article 137 increases punishment where the offence is committed by abusing public office or professional advantage. The KVKK also states that Articles 135 to 140 of the Turkish Penal Code apply to crimes concerning personal data.
The defence should ask:
Is the data personal data?
Was it lawfully obtained?
Was there consent or legal basis?
Was the data already public?
Was the accused authorized to process it?
Was the transfer required by work duties?
Was the data anonymized?
Was there criminal intent?
Was the evidence collected lawfully?
In corporate cases, a former employee may be accused of data theft. The defence should examine whether the files were personal work documents, public information, non-personal commercial data or data the employee was authorized to access.
20. Defence Against Corporate Cybercrime Allegations
Corporate cybercrime cases often involve former employees, IT staff, salespersons, contractors or managers. The company may allege that the defendant copied customer data, deleted files, changed passwords or accessed systems after termination.
The defence should obtain:
Employment contract.
Job description.
IT authorization records.
Company access policies.
Termination date and notice.
Device assignment records.
Logs showing who accessed what.
Evidence of shared passwords.
E-mails instructing the defendant to perform tasks.
Proof of ordinary business purpose.
Evidence that company systems were poorly managed.
If the company used shared accounts, failed to revoke access, lacked policies or altered logs during internal investigation, the defence may challenge both unlawfulness and attribution.
21. Unlawful Evidence Objections
Turkish criminal procedure does not allow convictions based on unlawfully obtained evidence. In cybercrime cases, unlawful evidence issues may arise where private accounts are accessed without authorization, devices are searched without proper judicial decision, employee communications are examined beyond lawful limits, or digital data is copied without procedural safeguards.
The defence should raise unlawful evidence objections clearly and early. The objection should identify the evidence, explain how it was obtained, state the violated procedural rule or right, and request exclusion from the file.
Examples include:
Private e-mail obtained by hacking.
Phone examined without proper authorization.
Computer copied without CMK Article 134 safeguards.
Employer accessing private messages outside policy and necessity.
Screenshots obtained through unlawful account access.
Evidence exceeding the scope of the search decision.
A strong objection must be concrete. General objections are usually less effective.
22. International Evidence and Platform Records
Many cybercrime cases involve foreign platforms such as social media companies, e-mail providers, cloud services, cryptocurrency exchanges or hosting providers. Evidence may be stored abroad, and Turkish authorities may need international cooperation.
The defence should examine whether foreign platform records were obtained properly, whether they are complete, whether they identify the user or only an account, whether timestamps are clear, and whether the records need interpretation.
If foreign evidence is missing, the defence may argue that the investigation is incomplete. If the prosecution relies only on domestic assumptions without platform confirmation, this may weaken the case.
23. Practical Defence Checklist for Suspects
A suspect in a cybercrime investigation should act carefully:
Do not delete files, messages or devices.
Do not contact the complainant aggressively.
Preserve evidence of authorization or consent.
Save contracts, e-mails and messages.
Identify who else used the device or account.
Record employment duties and access permissions.
List possible witnesses.
Do not give technical explanations without preparation.
Request counsel before statement.
Ask for copies of digital evidence where legally available.
Request expert examination where necessary.
Raise unlawful evidence objections.
Challenge incomplete logs and unsupported screenshots.
Prepare a clear timeline.
Cybercrime statements can be decisive. A poorly prepared statement may create contradictions that later harm the defence.
24. Practical Defence Checklist for Lawyers
A lawyer defending a cybercrime case in Turkey should examine:
Exact charge and statutory elements.
Whether the act is Article 243, 244, 245, 245/A or another offence.
Whether access was authorized.
Whether intent is proven.
Whether identity is proven.
Whether IP evidence is sufficient.
Whether the device was shared.
Whether malware or remote access is possible.
Whether CMK Article 134 was followed.
Whether chain of custody is documented.
Whether expert report is complete.
Whether screenshots are supported.
Whether platform records are available.
Whether personal data allegations are properly classified.
Whether the case is civil rather than criminal.
Whether additional expert report is needed.
Whether unlawful evidence objections should be raised.
Whether appeal grounds are preserved.
This structured review prevents the defence from becoming reactive and general.
25. Appeal Strategy in Cybercrime Convictions
If a cybercrime conviction is issued, appeal strategy should focus on legal and evidentiary weaknesses. Common appeal grounds include insufficient reasoning, failure to prove identity, reliance on IP address alone, incomplete expert report, failure to examine original digital evidence, unlawful evidence, incorrect legal classification, failure to address authorization, failure to evaluate intent and lack of causal connection.
For example, if the first instance court convicted under Article 244 without proving data deletion, alteration, transfer or system disruption, the appeal should emphasize misclassification. If the conviction relies only on screenshots, the appeal should challenge authenticity and completeness. If the court ignored defence requests for additional expert examination, this may be a serious procedural issue.
Appeal petitions should be technical but readable. The court must understand why the digital evidence does not legally prove the offence.
Conclusion
Cybercrime defence in Turkey requires more than general denial. It requires precise analysis of statutory elements, digital evidence, procedural safeguards, technical attribution, expert reports, intent and authorization. Turkish Penal Code Articles 243, 244, 245 and 245/A regulate different cybercrime categories, and each requires a different defence strategy. CMK Article 134 is central where computers, devices and digital records are searched, copied or seized.
For suspects and defendants, the most important issues are whether the alleged act occurred, whether the accused personally committed it, whether access was unlawful, whether intent is proven, whether digital evidence is reliable and whether the correct legal classification was used. IP addresses, screenshots, bank records and logs can be important, but they are not automatically conclusive.
For lawyers, cybercrime defence must combine criminal procedure, digital forensics, data protection law, employment or commercial context and technical expert review. A strong defence challenges weak assumptions, demands lawful evidence, tests expert conclusions and shows alternative explanations.
In Turkish cybercrime practice, the difference between suspicion and proof is often hidden inside technical details. Effective defence brings those details into the legal framework and ensures that no person is convicted unless every element of the alleged cybercrime is proven lawfully, clearly and beyond reasonable doubt.
Yanıt yok