Introduction
Turkish Cyber Crimes Law is a rapidly developing area of criminal law, data protection law, internet regulation and corporate compliance. As digital systems become central to banking, e-commerce, public services, healthcare, logistics, communications and social media, cybercrime cases in Turkey are no longer limited to simple hacking allegations. They now involve phishing, ransomware, business e-mail compromise, stolen banking credentials, unauthorized access to databases, social media account takeover, identity theft, illegal data transfer, credit card fraud, malware tools, data breaches and online content offences.
Cybercrime offences in Turkey are mainly regulated under the Turkish Penal Code No. 5237, especially Articles 243, 244, 245 and 245/A. However, cybercrime matters often require a wider legal analysis. Law No. 5651 on internet publications, the Personal Data Protection Law No. 6698, the Criminal Procedure Code, international cooperation rules and the Cybersecurity Law No. 7545 may also become relevant depending on the facts of the case. The Council of Europe’s Octopus Cybercrime Community identifies Turkey’s cybercrime framework as including the Turkish Penal Code, Criminal Procedure Code, Law No. 6706 on International Legal Cooperation in Criminal Matters and Law No. 5651, and lists Articles 243, 244, 245 and 245/A among the core cybercrime provisions.
This article explains the main cybercrime offences and penalties in Turkey, the legal elements of each crime, the role of digital evidence, victim remedies, corporate risks and defence strategies.
1. What Is Cybercrime Under Turkish Law?
Cybercrime under Turkish law can be understood in two main categories. The first category consists of crimes committed directly against information systems. These include unauthorized access to a computer system, disrupting the operation of a system, deleting or altering data, making data inaccessible or transferring data without authorization.
The second category consists of traditional crimes committed through digital tools. For example, fraud may be committed through phishing websites, fake investment platforms or business e-mail compromise. Defamation, threats, blackmail, privacy violations and unlawful disclosure of personal data may also be committed through social media, messaging applications, e-mail or websites.
This distinction is important because the legal classification affects the penalty, competent court, evidence strategy and possible defence. A person who merely enters an account without authorization may be prosecuted under Article 243. A person who deletes company data or disables a server may face Article 244. A person who uses another person’s bank card information may be charged under Article 245. If the conduct involves deception for unlawful gain, qualified fraud provisions may also be considered.
2. Unauthorized Access to Information Systems: TCK Article 243
Article 243 of the Turkish Penal Code criminalizes unlawfully entering all or part of an information system or remaining there without authorization. The basic form of the offence is punishable by imprisonment of up to one year or a judicial fine. If the act is committed against systems that may be used for a fee, the penalty may be reduced by up to half. If data contained in the system is destroyed or altered because of the act, imprisonment from six months to two years may be imposed. Article 243 also criminalizes unlawfully monitoring data transfers within or between information systems by technical means without entering the system, with imprisonment from one to three years.
In practice, Article 243 may apply to unauthorized access to e-mail accounts, social media accounts, cloud storage, corporate databases, customer management systems, online banking panels, employee portals, websites or mobile applications. The offence does not necessarily require financial gain. Entering or remaining in the system unlawfully may be sufficient if the required intent exists.
However, not every access to a system constitutes a criminal offence. The key question is whether the access was unlawful. For example, an employee may have legitimate access to a company system for work purposes. A family member may have been given a password voluntarily. A technician may have entered a system within the scope of a service contract. Therefore, consent, authorization, employment role, contractual scope and previous password sharing may become decisive in Article 243 cases.
A common defence issue is identification. An IP address alone may not always prove who committed the act. Wi-Fi networks may be shared, devices may be used by multiple people, passwords may be compromised and remote access tools may be involved. For this reason, prosecutors and courts often examine log records, device data, user credentials, timestamps, e-mail headers, phone records and forensic reports.
3. System Interference and Data Alteration: TCK Article 244
Article 244 of the Turkish Penal Code regulates more serious conduct involving interference with information systems and data. A person who prevents or disrupts the functioning of an information system may be punished with imprisonment from one to five years. A person who corrupts, destroys, changes or makes inaccessible data in an information system, places data into the system or transfers existing data elsewhere may be punished with imprisonment from six months to three years. If these acts are committed against a bank, credit institution, public institution or public organization system, the penalty is increased by half. If an unlawful benefit is obtained through these acts and the conduct does not constitute another offence, imprisonment from two to six years and a judicial fine up to five thousand days may apply.
Article 244 is highly relevant in cases involving ransomware, server attacks, deletion of business records, unauthorized transfer of databases, website defacement, manipulation of software systems, blocking access to platforms, changing customer data or destroying digital evidence.
The difference between Article 243 and Article 244 is significant. Article 243 focuses on unlawful access or remaining in a system. Article 244 focuses on damage, disruption, alteration, transfer or inaccessibility. If a former employee logs into a company e-mail account without permission, Article 243 may be discussed. If the same person deletes client records, transfers commercial data or blocks the company’s access to its own system, Article 244 may become relevant.
For victims, the first practical step is evidence preservation. Companies should avoid restarting, formatting or modifying compromised systems before forensic steps are taken. Server logs, firewall logs, access records, cloud activity reports, e-mail headers, endpoint data, user authorization records and backup status should be preserved immediately.
For suspects, the defence should test whether the alleged act actually caused the claimed system disruption or data alteration. It should also examine whether the accused had authorization, whether the logs are technically reliable, whether the system had pre-existing vulnerabilities and whether any third-party access is possible.
4. Misuse of Bank or Credit Cards: TCK Article 245
Article 245 is one of the most common cybercrime-related provisions in Turkey. It regulates the misuse of bank or credit cards and is frequently applied in cases involving stolen card information, card-not-present transactions, phishing, fake payment pages, ATM skimming and unauthorized online purchases.
The offence may occur in three main forms. First, using another person’s bank or credit card without consent to obtain a benefit is punishable by imprisonment from three to six years and a judicial fine up to five thousand days. Second, producing, selling, transferring, purchasing or accepting fake bank or credit cards linked to other people’s bank accounts is punishable by imprisonment from three to seven years and a judicial fine up to ten thousand days. Third, using a fake or falsified bank or credit card to obtain a benefit is punishable by imprisonment from four to eight years and a judicial fine up to five thousand days.
Article 245 cases are often evidence-heavy. The investigation may involve bank transaction records, IP addresses, delivery addresses, merchant information, POS records, camera footage, phone numbers, SMS verification logs, device information, cargo records and account movements. If the transaction was online, the prosecution may try to connect the suspect to the order, device, phone number, bank account or delivery point.
Victims should immediately notify their bank, block the card, object to unauthorized transactions, preserve SMS and e-mail notifications, take screenshots and file a criminal complaint. Delay may make it harder to freeze transactions or identify the perpetrator.
Defence strategies may include arguing that the accused did not conduct the transaction, did not obtain the benefit, did not control the device or account, or that their identity, address, phone number or bank account was misused by third parties. In many cases, technical and banking evidence must be evaluated together.
5. Prohibited Devices or Programs: TCK Article 245/A
Article 245/A criminalizes certain preparatory acts relating to cybercrime tools. If a device, computer program, password or security code is specifically designed or created for committing cybercrime offences or other crimes that can be facilitated through information systems, the person who manufactures, imports, sends, transports, stores, accepts, sells, offers for sale, purchases, gives to others or possesses such tools may be punished with imprisonment from one to three years and a judicial fine up to five thousand days.
This provision may apply to malware kits, phishing panels, credential-stealing tools, carding software, password lists prepared for unlawful use, unauthorized access tools or other instruments created for committing cybercrimes.
However, this area must be interpreted carefully. Many cybersecurity tools can be used for legitimate purposes, such as penetration testing, vulnerability assessment, forensic analysis, malware research or security audits. The decisive issue is usually purpose and authorization. A cybersecurity professional working under a written contract and within a defined testing scope is in a different legal position from a person who secretly stores or sells malware tools for criminal use.
For companies and cybersecurity consultants, written authorization is essential. A lawful penetration test should clearly define the target systems, testing period, permitted methods, prohibited actions, reporting duties, data handling rules and confidentiality obligations.
6. Cyber Fraud and Technology-Enabled Fraud
Cyber fraud is not limited to Articles 243–245/A. In many cases, the conduct may also constitute fraud under the Turkish Penal Code. Phishing, fake investment websites, fake e-commerce pages, impersonation of banks, fake cargo messages, fake lawyer or public officer messages, social engineering and business e-mail compromise may be assessed as fraud if deception is used to obtain an unlawful benefit.
Cyber fraud cases often involve multiple legal classifications. For example, a phishing attack may involve unauthorized access, unlawful acquisition of personal data, misuse of bank cards and qualified fraud. A fake e-commerce website may involve fraud, consumer law issues, personal data processing and access blocking measures. A ransomware attack may involve system disruption, data alteration, extortion and personal data breach consequences.
The correct classification depends on the concrete facts. Turkish criminal law does not punish labels such as “phishing” or “ransomware” in the abstract. It punishes legally defined acts. Therefore, a strong criminal complaint or defence must connect the digital behaviour to the exact statutory elements of the relevant offence.
7. Personal Data Crimes and KVKK Dimension
Cybercrime cases frequently involve personal data. Identity information, telephone numbers, e-mail addresses, customer lists, financial data, passwords, IP addresses, health records, employee records and private communications may all be personal data depending on the circumstances.
The Personal Data Protection Law No. 6698 provides that crimes concerning personal data are subject to Articles 135 to 140 of the Turkish Penal Code. It also provides administrative fines for certain data protection violations, including failure to fulfil data security obligations.
In addition, under Article 12(5) of Law No. 6698, where processed personal data is obtained by third parties through unlawful means, the data controller must notify the affected data subject and the Personal Data Protection Board within the shortest time.
This means that a cyberattack against a company may create parallel consequences. The attacker may face criminal liability, while the company may be examined from a data protection perspective if it failed to take adequate technical and organizational measures. In serious incidents, the company may need to conduct a forensic investigation, notify the authority, inform affected persons, review security measures and manage possible compensation claims.
8. Cybersecurity Law No. 7545 and Corporate Compliance
Turkey’s cybersecurity framework has become broader with Cybersecurity Law No. 7545. The law entered into force following its publication in the Official Gazette on 19 March 2025 and aims to strengthen national cybersecurity, protect public institutions, individuals and private sector entities from cyber threats and establish comprehensive policies and strategies.
The law’s purpose includes identifying and eliminating current and potential threats against elements of Turkey’s national power in cyberspace, reducing the effects of cyber incidents, protecting public institutions, professional organizations, real and legal persons and organizations without legal personality against cyberattacks, and regulating the Cyber Security Board. Its scope includes public institutions, professional organizations with public institution status, real persons, legal persons and organizations without legal personality operating or providing services in cyberspace.
For companies, this development is important because cybersecurity is no longer only a technical IT matter. It is also a legal compliance and governance issue. Businesses operating in sectors such as finance, energy, telecommunications, healthcare, logistics, software, cloud services, e-commerce and critical infrastructure should treat cybersecurity as a board-level risk.
A proper compliance structure should include incident response plans, access control policies, logging procedures, employee training, vendor security clauses, data breach response protocols, penetration testing documentation, backup policies and legal review mechanisms.
9. Digital Evidence in Turkish Cybercrime Cases
Digital evidence is central in cybercrime investigations. The most important evidence may include IP logs, server logs, firewall records, user account activity, device images, mobile phone extractions, browser history, e-mail headers, cloud activity records, domain registration data, bank transactions, cryptocurrency wallet movements, screenshots and messaging records.
However, digital evidence must be collected lawfully and technically correctly. Screenshots may be useful, but they are often not enough on their own. Screenshots can be challenged because they may be edited, taken out of context or lack metadata. Therefore, screenshots should be supported by platform records, notarial determinations where appropriate, expert reports, log files, official bank records or provider responses.
For companies, chain of custody is critical. If employees manually alter systems during an internal investigation, the defence may later argue that the evidence is unreliable. For suspects, digital evidence should be tested for technical consistency. Time zone differences, dynamic IP addresses, shared networks, VPN use, malware infection, remote access and incomplete logs may change the evidentiary assessment.
10. Victim Rights in Cybercrime Cases in Turkey
Victims of cybercrime may file a criminal complaint before the public prosecutor’s office. Depending on the incident, the complaint may request identification of suspects, preservation of logs, examination of devices, bank record collection, freezing of suspicious transactions, search and seizure, expert examination and access blocking or content removal.
In financial cybercrime, victims should act quickly. Banks should be notified immediately, cards and accounts should be blocked, transaction objections should be filed and all evidence should be preserved. In privacy or personal data cases, victims may also consider KVKK applications, civil compensation claims and urgent content removal requests.
If the cybercrime involves online publications, such as leaked private images, identity data, defamatory content or fake websites, Law No. 5651 mechanisms may be used together with criminal proceedings. Criminal prosecution may punish the perpetrator, but content removal and access blocking may stop the ongoing harm.
11. Defence Strategies in Turkish Cybercrime Cases
Cybercrime defence requires both legal and technical analysis. The defence should not only deny the allegation but also examine whether the statutory elements of the offence are actually present.
Common defence arguments include lack of unlawful access, existence of consent, employment-based authorization, shared password use, absence of criminal intent, unreliable IP matching, multiple users on the same network, device compromise by malware, incomplete logs, lack of causal link between the accused and the alleged act, and incorrect legal classification.
For example, if the accused entered a system but did not delete, alter or transfer data, Article 244 may be excessive. If the accused merely possessed a cybersecurity tool for legitimate professional reasons, Article 245/A may not apply without proof of criminal purpose. If the accused’s phone number or bank account was used by others, the prosecution must still prove personal participation and intent.
A technical expert opinion may be decisive. In many cybercrime files, the legal result depends on whether logs actually prove access, whether timestamps match, whether the device belongs to the accused and whether the alleged data transfer can be technically verified.
12. Penalty Assessment and Aggravating Factors
Cybercrime penalties in Turkey vary depending on the nature of the act, the target system, the result and whether an unlawful benefit was obtained. Unauthorized access may lead to a lighter penalty, while system disruption, data destruction, bank card misuse and fake card use carry more serious imprisonment risks.
Aggravating factors may include targeting banking systems, credit institutions or public institutions, obtaining unlawful benefit, causing significant damage, using fake cards, acting with multiple persons, using malware, affecting personal data or causing widespread harm.
It is also important to assess whether multiple offences arise from one course of conduct. A single cyber incident may involve unauthorized access, data alteration, personal data crimes, fraud, blackmail and card misuse. In such cases, rules on concurrence of offences and the most severe applicable penalty must be carefully evaluated.
13. Corporate Cybercrime Risks
Companies in Turkey face cybercrime risks from both external attackers and insiders. External risks include ransomware, phishing, fake invoice fraud, domain spoofing, DDoS attacks, customer data theft and supplier impersonation. Internal risks include unauthorized access by employees, deletion of files after termination, transfer of customer lists, misuse of administrator credentials and unlawful monitoring of employees.
Corporate victims should immediately secure evidence, isolate affected systems, notify legal counsel, communicate with banks or service providers, assess KVKK obligations and avoid public statements before the facts are clarified.
Companies may also become legally exposed if they fail to implement adequate security measures, ignore known vulnerabilities, do not maintain logs, fail to notify data breaches or conduct internal investigations in a way that violates employee privacy or data protection rules.
Conclusion
Turkish Cyber Crimes Law covers a wide range of digital offences and penalties. Article 243 criminalizes unauthorized access to information systems. Article 244 punishes system interference, data destruction, alteration, transfer and disruption. Article 245 regulates misuse of bank and credit cards. Article 245/A criminalizes prohibited cybercrime tools. In addition, fraud, personal data crimes, privacy offences, Law No. 5651 remedies, KVKK obligations and Cybersecurity Law No. 7545 may also become relevant.
Cybercrime cases in Turkey require fast and careful action. Victims must preserve digital evidence, notify relevant institutions and file well-structured complaints. Companies must treat cybersecurity as a legal compliance issue, not merely an IT concern. Suspects and defendants must challenge digital evidence technically and legally, especially where identity, authorization, intent or causation is uncertain.
In the digital age, cybercrime investigations are won or lost through evidence. A successful legal strategy depends on correctly identifying the offence, preserving electronic records, interpreting technical findings and applying Turkish criminal law with precision.