Introduction
Malware and spyware crimes under Turkish cybercrime law have become increasingly important as individuals, companies and public institutions rely on digital devices, cloud systems, online banking, mobile applications, e-mail accounts and corporate networks. Malware may be used to steal passwords, monitor communications, encrypt files, access bank accounts, copy personal data, record keystrokes, activate cameras, manipulate systems, send data abroad or control devices remotely. Spyware may be used to secretly monitor a person’s private life, workplace activities, messages, location, photographs or business correspondence.
Turkish law does not regulate every malware act under one single offence named “malware.” Instead, the legal classification depends on the conduct. A malware incident may involve unauthorized access to information systems, system interference, data deletion or transfer, bank card misuse, personal data offences, violation of privacy, blackmail, qualified fraud, prohibited devices or programs, and data breach obligations under Turkish personal data protection law.
The Turkish cybercrime framework includes Turkish Penal Code Articles 243, 244, 245 and 245/A as core provisions. The Council of Europe’s Turkey cybercrime profile identifies Article 243 as illegal access to a computer network system, Article 244 as preventing system functioning and deletion, alteration or corruption of data, Article 245 as misuse of bank or credit cards, and Article 245/A as prohibited devices and programs.
This article explains malware and spyware crimes in Turkey from a practical legal perspective. It covers criminal liability, spyware monitoring, ransomware, keyloggers, Trojan malware, stalkerware, digital evidence, KVKK data breach duties, victim remedies, corporate responsibilities and defence strategies.
1. What Is Malware?
Malware is a general term for malicious software designed to damage, disrupt, monitor, access, steal, manipulate or control digital systems. Malware may enter a device through phishing e-mails, malicious attachments, infected websites, cracked software, fake mobile applications, USB devices, remote access tools, compromised updates or social engineering.
Common malware types include:
Trojan software.
Keyloggers.
Ransomware.
Spyware.
Stalkerware.
Remote access tools.
Credential stealers.
Banking malware.
Botnet malware.
Screen-recording tools.
Clipboard hijackers.
Mobile surveillance applications.
Data exfiltration tools.
In legal terms, the name of the malware is less important than what it does. If malware enters a system without consent, Article 243 may be relevant. If it deletes, changes, transfers or makes data inaccessible, Article 244 may apply. If the software was created, sold, transported, stored or possessed for committing cybercrimes, Article 245/A may become central.
2. What Is Spyware?
Spyware is software used to secretly monitor, collect or transmit information from a device or account. It may record keystrokes, capture screenshots, read messages, monitor calls, access the camera or microphone, collect GPS location, copy files, record browsing activity or send personal data to another person.
Spyware may be used in many contexts:
A hacker steals passwords from a victim’s computer.
A spouse or former partner installs stalkerware on a phone.
A company insider monitors confidential correspondence.
A fraudster uses spyware to capture online banking credentials.
An attacker records private images or conversations.
A competitor monitors business communications.
An employee installs monitoring tools on company systems without authorization.
Spyware is legally serious because it can affect privacy, personal data, communications, trade secrets, banking security and personal safety. Depending on the facts, it may involve not only cybercrime provisions but also privacy and personal data offences under the Turkish Penal Code.
3. Unauthorized Access Under Turkish Penal Code Article 243
Article 243 is often the starting point in malware and spyware cases. If malware allows a person to enter, control or remain in a device, account, server, mobile phone, cloud system or corporate network without authorization, the conduct may constitute unlawful access to an information system.
Turkish legal commentary summarizing Article 243 states that a person who unlawfully enters or remains in all or part of an information system may be punished with imprisonment of up to one year or a judicial fine; if data in the system is destroyed or altered as a result of the act, imprisonment from six months to two years may apply. It also notes that unlawfully monitoring data transfers within or between systems by technical means may be punished separately.
This provision is highly relevant to spyware. A perpetrator does not need to physically possess the victim’s device. Remote access through a malicious link, hidden application, compromised password or infected file may be sufficient if the person unlawfully enters or remains in the system.
Examples include:
Installing spyware on a spouse’s phone.
Accessing an employee’s e-mail account through stolen credentials.
Using malware to enter an online banking account.
Monitoring a company server through a remote access Trojan.
Using a keylogger to capture passwords and then entering accounts.
Unlawfully entering a cloud storage account after malware captures login data.
4. System Interference and Data Transfer Under Article 244
Article 244 is central where malware does more than access the system. If malicious software deletes files, changes data, locks accounts, encrypts files, sends data elsewhere, installs new data, disables systems or makes information inaccessible, Article 244 may apply.
Turkish legal summaries of Article 244 state that obstructing or disrupting the proper functioning of an information system may be punished by imprisonment from one to five years, while corrupting, destroying, altering, rendering inaccessible, introducing or transferring data may be punished by imprisonment from six months to three years.
Article 244 is especially relevant to:
Ransomware that encrypts company files.
Spyware that transfers private files to another server.
Malware that deletes logs or documents.
A Trojan that changes bank transfer details.
A remote access tool that blocks the rightful user from a device.
A malicious script that manipulates databases.
Data theft software that sends customer records abroad.
The distinction between Article 243 and Article 244 is important. Article 243 focuses on unlawful access. Article 244 focuses on interference with system operation or data. In many malware cases, both provisions may apply because the malware first enables unlawful access and then transfers or changes data.
5. Prohibited Devices or Programs Under Article 245/A
Article 245/A is particularly important in malware cases. It concerns devices, computer programs, passwords or security codes made or created for committing cybercrimes or other crimes that can be committed by using information systems. The provision punishes manufacturing, importing, shipping, transporting, storing, accepting, selling, offering for sale, purchasing, giving to others or possessing such tools, with imprisonment from one to three years and a judicial fine up to five thousand days.
This article may apply where a person creates, sells, distributes or possesses malware tools for criminal purposes. Examples may include credential stealers, phishing panels, keylogger kits, spyware packages, ransomware builders, botnet control tools, password databases, unauthorized access tools or malware loaders.
However, Article 245/A must be interpreted carefully. Cybersecurity professionals may possess penetration-testing tools, vulnerability scanners, password audit tools or malware samples for legitimate research, incident response or authorized security testing. Therefore, purpose, authorization and context are crucial.
A cybersecurity researcher with written authorization to test a system is in a different legal position from a person selling spyware to capture victims’ passwords. In defence cases, professional context, written authorization, test scope, reports, contracts and lawful purpose become essential.
6. Spyware and Violation of Privacy
Spyware often targets private life. If it records private images, captures intimate messages, monitors conversations, activates the camera or microphone, or collects location data, privacy offences may be considered.
The Turkish Penal Code contains provisions protecting privacy and personal data. Article 134 concerns violation of private life, while Articles 135 and 136 concern personal data offences. Article 136 punishes unlawfully delivering, publishing or acquiring personal data.
Spyware may violate privacy even if the collected information is not published. Secret monitoring itself may be unlawful. If the perpetrator later shares private photographs, videos, messages or location data with others, additional offences may arise.
This is common in domestic violence or post-relationship stalking contexts. A former partner may install stalkerware to monitor the victim’s movements, messages and calls. In such cases, cybercrime law, privacy law, personal data law, stalking provisions and protective measures may all need to be evaluated together.
7. Spyware, Stalkerware and Domestic Abuse
Stalkerware is spyware used to monitor an intimate partner, spouse, former spouse or family member. It may be hidden on a mobile phone and may transmit location, messages, photos, call logs, social media activity and microphone recordings.
In Turkey, stalkerware may create several legal issues:
Unauthorized access under Article 243.
Data transfer or system interference under Article 244.
Personal data offences under Articles 135–136.
Violation of privacy under Article 134.
Threat or blackmail if the collected data is used as pressure.
Persistent stalking if the monitoring is part of repeated pursuit.
Protective measures if there is a domestic violence risk.
Victims should take stalkerware seriously. They should avoid immediately confronting the suspected perpetrator if there is a safety risk. The device should be examined carefully, evidence should be preserved, and legal protection should be considered.
8. Keyloggers and Password Theft
A keylogger records keystrokes entered on a device. It may capture e-mail passwords, banking credentials, social media logins, private messages, business secrets and authentication codes. Keyloggers may be installed through malicious files, infected software or physical access to a device.
Keylogger cases may involve:
Article 243 if captured credentials are used to enter accounts.
Article 244 if account data is transferred, altered or deleted.
Article 245 if bank or credit card information is misused.
Article 136 if personal data is unlawfully acquired or transferred.
Article 245/A if the keylogger tool is created, distributed or possessed for criminal purposes.
Keylogger evidence may include malware files, antivirus alerts, forensic reports, suspicious processes, browser history, system logs, credential theft indicators and unauthorized login records. In a criminal complaint, it is important to explain not only that malware existed, but also what data was captured and how it was used.
9. Ransomware as Malware Under Turkish Law
Ransomware is malware that encrypts, locks or blocks access to data and then demands payment, usually in cryptocurrency. It may affect individuals, companies, hospitals, schools, law firms, factories and public institutions.
Under Turkish law, ransomware may involve:
Unauthorized access under Article 243.
System disruption and making data inaccessible under Article 244.
Blackmail if payment is demanded.
Personal data offences if data is copied or published.
KVKK breach notification duties if personal data is affected.
Cybersecurity Law obligations depending on the organization and sector.
Article 244 is particularly relevant because ransomware commonly makes data inaccessible and disrupts system operation. If the attacker also exfiltrates data and threatens publication, the legal file becomes more serious.
Companies should not treat ransomware as merely a technical incident. It is also a criminal law, data protection, cybersecurity governance and civil liability issue.
10. Banking Malware and Financial Cybercrime
Banking malware is designed to steal online banking credentials, alter transaction details, intercept SMS codes, record screens, manipulate payment pages or redirect money transfers. It may operate on computers or mobile devices.
Legal consequences may include:
Qualified fraud if deception is used to obtain money.
Unauthorized access to banking systems under Article 243.
Data transfer and system interference under Article 244.
Misuse of bank or credit cards under Article 245.
Prohibited malware tools under Article 245/A.
Personal data offences if identity or banking data is stolen.
In online banking fraud cases, victims should preserve bank notifications, SMS codes, transaction records, device alerts, suspicious applications, phishing messages and login logs. A criminal complaint should request bank records, IP logs, device identifiers, transaction history and recipient account movements.
11. Malware and Personal Data Breaches Under KVKK
Malware frequently causes personal data breaches. If malware accesses, copies, transfers, encrypts or publishes personal data processed by a data controller, the Personal Data Protection Law No. 6698 may be triggered.
Under KVKK Article 12, data controllers must take necessary technical and organizational measures to prevent unlawful processing of personal data, prevent unlawful access and ensure protection of personal data. If processed personal data is obtained by others through unlawful means, the controller must notify the data subject and the Personal Data Protection Board within the shortest time.
The Personal Data Protection Board’s Decision No. 2019/10 interprets the notification period to the Board as without delay and no later than 72 hours after the controller becomes aware of the breach; if notification cannot be made within 72 hours, reasons for delay should be attached, and information may be provided gradually where all details cannot be provided at once.
This is critical for companies infected by spyware, ransomware, credential stealers or data exfiltration malware. The company must assess whether personal data was affected, what categories of data were involved, how many individuals were affected, whether special category data was included, and whether notification is required.
12. Malware and Cybersecurity Law No. 7545
Turkey’s Cybersecurity Law No. 7545 entered into force after publication in the Official Gazette on 19 March 2025. The law aims to protect public institutions, individuals and private sector entities from cyber threats and establishes broader national cybersecurity policies and strategies; its scope applies broadly to public institutions, private legal entities, professional associations and individuals operating in cyberspace.
Malware incidents may therefore have significance beyond criminal law and KVKK. Depending on the organization, sector and incident type, cybersecurity incident reporting, cooperation with competent authorities, audit readiness and technical-administrative cybersecurity measures may become relevant.
For companies, this means malware response should include:
Technical containment.
Evidence preservation.
KVKK breach assessment.
Criminal complaint assessment.
Cybersecurity Law compliance review.
Vendor and insurance notification.
Internal governance documentation.
The strongest response is coordinated. IT teams should not work separately from legal, compliance and management teams.
13. Digital Evidence in Malware and Spyware Cases
Digital evidence is the foundation of malware and spyware investigations. Malware is often invisible to ordinary users, and the legal file must prove what happened, how it happened, what data was affected and who may be responsible.
Important evidence may include:
Malware samples.
Antivirus alerts.
Endpoint detection records.
Device forensic images.
Process logs.
Network traffic logs.
Firewall logs.
Command-and-control server indicators.
Suspicious IP addresses.
File hashes.
Registry changes.
Mobile application installation records.
Permission logs.
Screenshots.
Keylogger files.
Ransom notes.
Wallet addresses.
Phishing e-mails with headers.
Unauthorized login records.
Cloud audit logs.
Forensic reports.
Evidence must be preserved before cleaning the device. Removing malware may be necessary for safety, but if done without forensic preservation, important evidence may be lost. In serious cases, forensic imaging and hash verification should be considered.
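The hash verification mentioned above can be illustrated with a short Python example, added here and not part of the original article. It records a SHA-256 manifest of collected evidence files and later re-checks it, reporting files that were modified, removed or added. The function names, the collector label and the sample files are constructed for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root):
    """Relative POSIX-style paths of every regular file under root."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def build_manifest(evidence_dir, collector):
    """Record size and SHA-256 of every evidence file at collection time."""
    root = Path(evidence_dir)
    files = {
        name: {"sha256": sha256_file(root / name), "size": (root / name).stat().st_size}
        for name in list_files(root)
    }
    return {
        "collector": collector,  # hypothetical label for the examiner
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": files,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash the evidence and report anything that no longer matches the manifest."""
    root = Path(evidence_dir)
    current = set(list_files(root))
    recorded = manifest["files"]
    report = {"modified": [], "missing": [], "unexpected": []}
    for name in sorted(recorded):
        if name not in current:
            report["missing"].append(name)
        elif sha256_file(root / name) != recorded[name]["sha256"]:
            report["modified"].append(name)
    report["unexpected"] = sorted(current - set(recorded))
    return report


def demo():
    """Constructed sample: two fake evidence files, then one edited, one deleted, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_bytes(b"constructed login record\n")
        (root / "ransom_note.txt").write_bytes(b"constructed ransom note\n")
        manifest = build_manifest(root, collector="examiner-placeholder")
        clean = verify_manifest(root, manifest)
        (root / "logs" / "auth.log").write_bytes(b"constructed login record (edited)\n")
        (root / "ransom_note.txt").unlink()
        (root / "new_file.bin").write_bytes(b"\x00")
        return manifest, clean, verify_manifest(root, manifest)


if __name__ == "__main__":
    manifest, clean, changed = demo()
    print(json.dumps(manifest, indent=2))
    print("before changes:", clean)
    print("after changes: ", changed)
```

The manifest should be stored separately from the evidence it describes, so that a later mismatch can be attributed to the evidence and not to the record.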
14. Criminal Complaint Strategy for Victims
A criminal complaint for malware or spyware should be detailed and technically structured. It should not merely state “my phone was hacked” or “there is spyware.” It should explain the suspicious symptoms, affected systems, suspected access, data affected, damage suffered and available evidence.
A strong complaint should include:
Victim identity information.
Affected device, account or system.
Timeline of suspicious activity.
How the malware or spyware was discovered.
Forensic findings, if available.
Suspicious applications or files.
Unauthorized login records.
Data copied, deleted or transferred.
Private images, messages or personal data affected.
Banking loss, if any.
Threats or blackmail, if any.
Suspected persons and motive, if known.
Requests for device examination.
Requests for IP, platform, bank or telecom records.
Legal qualification under Articles 243, 244, 245/A and related provisions.
If the spyware was installed by a known person, such as a former partner, employee or contractor, the complaint should explain the relationship, access opportunity and motive.
15. Corporate Malware Incidents and Internal Investigations
Companies may face malware incidents through phishing, employee negligence, insider conduct, vendor compromise or external attacks. A corporate malware incident may involve trade secrets, customer records, employee data, financial documents, legal correspondence and business continuity.
A company should immediately:
Isolate affected systems.
Preserve logs and malware samples.
Avoid formatting devices before forensic preservation.
Identify affected accounts.
Check whether data was exfiltrated.
Assess personal data impact.
Review whether customer or employee data was affected.
Notify legal and management teams.
Evaluate KVKK notification duties.
Consider a criminal complaint.
Review vendor involvement.
Document all response steps.
Internal investigations must be lawful and proportionate. If employee devices or e-mails are examined, privacy and data protection principles should be considered. The company should avoid uncontrolled searches that may create separate legal issues.
16. Spyware in Employment and Workplace Monitoring
Employers may use monitoring tools for legitimate security and business purposes, but secret spyware-style monitoring creates legal risk. Workplace monitoring must be transparent, proportionate, necessary and linked to legitimate business purposes. Employees should be informed through policies and notices.
A company-owned device does not give unlimited authority to activate microphones, record private messages or track employees outside lawful scope. Excessive or secret monitoring may create privacy, personal data and labour law problems.
Lawful cybersecurity monitoring is different from spyware abuse. For example, logging access to a company server for security purposes may be legitimate, while secretly recording an employee’s private messages through hidden spyware may be unlawful.
17. Defence Strategies in Malware Allegations
A person accused of malware or spyware crimes may face serious criminal consequences. Defence strategy depends on the alleged role: developer, seller, possessor, user, installer, account holder, employee, contractor or cybersecurity professional.
Possible defence arguments include:
The accused did not install the malware.
The device was used by another person.
The malware was part of lawful cybersecurity testing.
There was written authorization for penetration testing.
The software is dual-use and not criminal by itself.
There is no proof of criminal purpose under Article 245/A.
There is no evidence that data was accessed, transferred or deleted.
The accused did not control the command-and-control server.
The forensic report is incomplete.
The evidence was obtained unlawfully.
The alleged victim consented to monitoring.
The case is an employment or family dispute, not cybercrime.
In Article 245/A cases, purpose is critical. A penetration-testing tool in the hands of an authorized security consultant is not the same as spyware sold for stealing passwords. Contracts, scope letters, reports and professional context may be decisive.
18. Expert Reports and Forensic Challenges
Malware cases often depend on expert reports. However, expert reports may be incomplete or technically weak. A report should identify the malware, explain its function, determine whether it was active, assess whether data was transferred, analyze timestamps, identify persistence mechanisms, review logs and consider alternative explanations.
Objections may be based on:
Failure to examine the original device.
No forensic image.
No hash verification.
No malware function analysis.
No timeline reconstruction.
No analysis of remote access possibility.
No proof connecting the accused to the malware.
Incomplete review of logs.
Unsupported assumptions about intent.
Failure to distinguish lawful tools from malware.
A strong legal strategy may require a private technical opinion to challenge or supplement official forensic findings.
19. Civil Compensation Claims
Malware and spyware incidents may cause material and moral damages. Victims may seek compensation depending on the facts.
Material damages may include:
Stolen money.
Account recovery costs.
Device repair or replacement.
Forensic investigation expenses.
Business interruption losses.
Data recovery costs.
Legal expenses.
Ransom payments, if made.
Loss of customers.
Moral damages may arise from privacy violation, fear, humiliation, exposure of private images, psychological distress, reputational harm or domestic abuse-related monitoring.
Companies may also claim damages against employees, contractors, vendors or attackers who caused the malware incident. Civil claims require proof of unlawful conduct, damage and causation.
20. Practical Checklist for Individual Victims
An individual who suspects spyware or malware should:
Avoid confronting the suspected perpetrator if a safety risk exists.
Preserve suspicious messages and links.
Take screenshots of unusual activity.
Avoid deleting suspected spyware before evidence is preserved.
Change passwords from a clean device.
Enable two-factor authentication.
Check active sessions on e-mail and social media accounts.
Review unknown applications and permissions.
Contact the bank if financial data may be affected.
Seek technical examination.
File a criminal complaint where appropriate.
Request protection measures if stalking or domestic abuse is involved.
Preserve evidence of threats, blackmail or privacy violations.
Safety should come first. In domestic abuse contexts, device cleaning may alert the perpetrator, so legal and safety planning may be necessary.
21. Practical Checklist for Companies
A company facing a malware incident should:
Activate the incident response team.
Isolate affected systems.
Preserve logs and malware samples.
Record the discovery time.
Identify affected systems and accounts.
Check whether personal data was affected.
Assess KVKK notification duties within the 72-hour framework.
Review Cybersecurity Law obligations.
Notify the cyber insurer if applicable.
Preserve phishing e-mails with headers.
Check lateral movement and data exfiltration.
Conduct forensic imaging where necessary.
Prepare a criminal complaint if a crime is suspected.
Review employee or vendor involvement.
Document all remediation steps.
Update policies and security controls.
A disciplined response can reduce damage and strengthen the company’s legal position.
22. Prevention Measures Against Malware and Spyware
Individuals and companies can reduce malware risk through preventive measures:
Use strong passwords.
Enable multi-factor authentication.
Avoid suspicious links and attachments.
Install applications only from trusted sources.
Keep software updated.
Use endpoint protection.
Disable unnecessary macros.
Back up data securely.
Restrict administrator privileges.
Train employees against phishing.
Monitor suspicious logins.
Use mobile device management in corporate environments.
Review app permissions.
Encrypt sensitive data.
Segment networks.
Maintain incident response plans.
Prevention has legal value. If a company later faces regulatory or civil claims, evidence of reasonable technical and organizational measures may support its defence.
Conclusion
Malware and spyware crimes under Turkish cybercrime law may involve multiple legal provisions. Article 243 may apply where malware enables unlawful access to an information system. Article 244 may apply where malware deletes, alters, transfers or makes data inaccessible. Article 245/A may apply to prohibited devices, computer programs, passwords or security codes created or possessed for committing cybercrimes. Depending on the facts, privacy offences, personal data offences, bank card misuse, qualified fraud, blackmail and stalking provisions may also be relevant.
For victims, the most important steps are evidence preservation, account security, technical examination, criminal complaint and urgent protective measures where privacy or safety is at risk. For companies, malware incidents require coordinated cybersecurity response, KVKK breach assessment, Cybersecurity Law compliance review, forensic preservation and possible criminal complaints. For suspects and defendants, the key issues are intent, authorization, tool purpose, forensic reliability, lawful cybersecurity activity and whether the evidence truly connects them to the alleged malware conduct.
Malware and spyware cases are technically complex. A hidden application, suspicious login or malicious file may be the beginning of a serious criminal investigation, but it must be legally classified with precision. Effective legal strategy in Turkey requires cooperation between cybercrime lawyers, forensic experts, data protection professionals and cybersecurity teams.