DDoS Attacks in Turkey: Criminal Liability for Disrupting Online Services
yazarı lawyerfbc
açık Mayıs 25, 2026

Introduction

DDoS attacks in Turkey are among the most serious forms of cybercrime affecting companies, e-commerce platforms, financial institutions, online service providers, public institutions, media organizations, gaming platforms, SaaS businesses and digital infrastructure operators. A Distributed Denial of Service attack, commonly known as a DDoS attack, aims to overwhelm a website, server, application, network or online service with excessive traffic or requests, causing slowdown, interruption, unavailability or complete service failure.

From a legal perspective, a DDoS attack is not merely a technical incident. It may constitute a criminal offence, cause civil liability, trigger contractual disputes, lead to data protection assessment, create cybersecurity reporting duties and expose companies to reputational damage. If an online service becomes unavailable, customers may lose access, transactions may fail, contractual deadlines may be missed and business operations may be interrupted.

Under Turkish law, DDoS attacks are mainly evaluated under Turkish Penal Code Article 244, which criminalizes preventing or disrupting the functioning of an information system. Article 244 provides that a person who prevents the functioning of a data processing system or renders it useless may be punished with imprisonment from one to five years. The same provision also punishes deleting, altering, corrupting, blocking access to data, introducing data into a system or sending data elsewhere.

This article explains DDoS attacks in Turkey from a practical legal perspective. It covers criminal liability, corporate victim rights, digital evidence, cyber incident response, Cybersecurity Law No. 7545, Law No. 5651 records, civil compensation claims and defence strategies.

1. What Is a DDoS Attack?

A DDoS attack is a coordinated attempt to make an online service unavailable by overwhelming it with excessive traffic, requests or connection attempts. Unlike a simple denial of service attack, a distributed attack usually comes from many different sources. These sources may include compromised computers, infected servers, Internet of Things devices, botnets, proxy networks or cloud-based attack infrastructure.

DDoS attacks may target:

  • websites;
  • online banking systems;
  • e-commerce platforms;
  • public institution portals;
  • gaming servers;
  • media websites;
  • mobile applications;
  • API gateways;
  • DNS infrastructure;
  • payment systems;
  • cloud-hosted services;
  • corporate VPN systems;
  • customer portals.

The goal may be economic harm, political pressure, extortion, revenge, unfair competition, concealment of another cyberattack or disruption of public services. In some cases, DDoS is used as a diversion while attackers attempt unauthorized access, data theft, fraud or malware deployment.

Legally, the key point is that the attacker intentionally prevents or disrupts the proper functioning of an information system. This is why Article 244 of the Turkish Penal Code is usually the central provision.

2. Turkish Penal Code Article 244 and DDoS Attacks

Article 244 of the Turkish Penal Code is the main provision for DDoS attacks. The offence covers preventing the functioning of a data processing system or rendering it useless. A DDoS attack commonly causes exactly this result: the system cannot serve legitimate users, becomes unstable, slows down or stops functioning.

The official English translation of the Turkish Penal Code states that any person who prevents the functioning of a data processing system or renders it useless shall be subject to imprisonment from one to five years. The same article separately punishes deleting, altering, corrupting, barring access to data, introducing data into a system or sending data to another place.

In DDoS cases, the prosecution does not necessarily need to prove that data was stolen or deleted. The core harm is service disruption. If the attack prevents users from accessing a system, interrupts online operations or makes the service unusable, Article 244 may be applicable.

However, if a DDoS attack is combined with data manipulation, unauthorized access or malware activity, additional offences may also be considered. For example, if attackers use DDoS to distract security teams while stealing data, Article 243 on unauthorized access and personal data offences may also become relevant.

3. Is Unauthorized Access Required for a DDoS Offence?

A DDoS attack may be committed without entering the victim’s system. Attackers may simply send overwhelming traffic from outside. This makes DDoS legally different from hacking cases where the offender enters a server or account.

Article 243 of the Turkish Penal Code concerns unlawfully entering or remaining in an information system. Turkish legal commentary summarizing Article 243 explains that unlawful access to all or part of an information system may be punished, and that technical monitoring of data transfers may also be punishable under certain conditions.

In a pure DDoS case, Article 243 may not always be necessary because the attacker may not “enter” the system. Article 244 is usually stronger because the attack disrupts the functioning of the system. However, if the attacker first compromises servers, installs malware, controls botnet devices or gains unauthorized access to infrastructure, Article 243 may also be evaluated.

Therefore, the legal classification depends on the technical facts:

  • Pure traffic flooding: primarily Article 244.
  • Compromised servers used for attack: possible Article 243 for compromised systems.
  • Botnet malware installation: possible Article 243, Article 244 and Article 245/A.
  • DDoS combined with data theft: Article 244 plus data-related offences.
  • DDoS extortion: Article 244 plus blackmail or threat provisions.

4. DDoS as System Disruption

The most direct legal consequence of a DDoS attack is system disruption. A website may become inaccessible. A mobile application may stop responding. A payment gateway may fail. A customer portal may become unusable. A public service platform may be interrupted.

Article 244 covers this type of harm because the protected legal interest is the proper functioning, reliability and availability of information systems. DDoS attacks target availability. In cybersecurity terminology, availability is one of the core pillars of information security, together with confidentiality and integrity.

A successful criminal complaint should therefore explain the disruption clearly. It should not merely state “we were attacked.” It should show:

  • when the attack started;
  • how long the service was unavailable;
  • which systems were affected;
  • whether customers could access the service;
  • whether transactions failed;
  • whether business operations stopped;
  • whether security teams detected abnormal traffic;
  • what mitigation steps were taken;
  • whether financial loss occurred.

The stronger the evidence of disruption, the stronger the Article 244 analysis.

5. DDoS Against Banks, Public Institutions and Critical Services

DDoS attacks against banks, public institutions, credit institutions, hospitals, municipalities, public portals or critical infrastructure may be treated more seriously. Article 244 includes aggravated consequences where offences are committed against systems of banks, credit institutions or public institutions, and legal commentary also notes aggravated forms for attacks involving public institutions or banking systems.

This distinction is important. A DDoS attack against a small private website may still be a crime, but an attack against a banking system, payment system, public institution portal or critical service may create broader public harm. Such incidents may affect not only the direct victim but also customers, citizens, financial transactions, public service continuity and national cybersecurity.

Companies operating in regulated sectors should treat DDoS incidents as high-risk legal events. Their response may need to include criminal complaint, regulatory reporting, cyber incident notification, customer communication, insurance notification and contractual notices.

6. Cybersecurity Law No. 7545 and DDoS Incidents

Turkey’s cybersecurity framework changed significantly with Cybersecurity Law No. 7545, which entered into force after publication in the Official Gazette on 19 March 2025. The law aims to protect public institutions, individuals and private sector entities against cyber threats and to establish national cybersecurity policies and strategies. Its scope broadly covers public institutions, private legal entities, professional associations and individuals operating in cyberspace.

DDoS attacks are cyber incidents that may fall within this broader cybersecurity governance framework. Depending on the organization’s sector, role and criticality, a DDoS attack may require internal escalation, documentation, cooperation with cybersecurity authorities and compliance review. Commentary on Law No. 7545 emphasizes that it introduced a systematic cybersecurity framework covering public and private sectors, including obligations, administrative structure and sanction mechanisms.

For companies, this means DDoS response should not be limited to technical mitigation. The legal team should assess whether:

  • the incident is reportable;
  • any authority must be notified;
  • the company operates critical infrastructure;
  • customer data or service continuity obligations are affected;
  • internal policies were followed;
  • logs and technical evidence were preserved;
  • a criminal complaint is required.

Cybersecurity Law No. 7545 reinforces the idea that cyber resilience is a legal governance issue, not only an IT task.

7. DDoS and Personal Data Protection

A DDoS attack does not always involve personal data. Many DDoS attacks target service availability without accessing databases or personal records. However, personal data issues may arise in several situations.

First, DDoS may be used as a distraction while attackers attempt unauthorized access or data exfiltration. Second, service logs generated during the attack may contain IP addresses, user identifiers or customer access information. Third, if the attack disrupts systems storing or processing personal data, availability and integrity concerns may arise. Fourth, a DDoS attack may accompany ransomware, phishing or account compromise.

If personal data is unlawfully obtained by others, the Turkish Personal Data Protection Law may require breach assessment and notification. Therefore, a company should not automatically conclude that “DDoS is not a KVKK matter.” Instead, it should examine whether any confidentiality, integrity or availability impact affected personal data.

A careful internal assessment should ask:

  • Was any personal data accessed during the incident?
  • Was the DDoS accompanied by unauthorized login attempts?
  • Did attackers exploit the attack to enter systems?
  • Were logs preserved and reviewed?
  • Were customer accounts affected?
  • Did the incident cause loss or corruption of personal data?
  • Is there any evidence of exfiltration?

If the answer suggests personal data compromise, KVKK obligations must be evaluated separately.

8. Law No. 5651 and Traffic Data

Law No. 5651 is relevant to internet actors, hosting providers, access providers and traffic data obligations. The law and related commentary indicate that hosting providers are required to retain traffic data for their services for a legally determined period and to ensure accuracy, integrity and confidentiality of that information.

In DDoS cases, traffic data can be important evidence. Logs may show attack sources, timestamps, request patterns, user-agent strings, abnormal traffic volumes, targeted URLs, botnet signatures or proxy infrastructure. However, DDoS attacks often involve spoofed addresses, compromised devices and distributed infrastructure, making attribution difficult.

Victim companies should preserve their own logs quickly and request relevant records through legal channels where third-party providers are involved. Hosting providers, cloud providers, CDN providers, DDoS mitigation vendors and internet service providers may all hold important evidence.

9. Digital Evidence in DDoS Cases

Digital evidence is central to DDoS investigations. A criminal complaint without technical evidence may be too weak. The victim should preserve and organize the evidence before logs are overwritten.

Important evidence may include:

  • web server logs;
  • firewall logs;
  • load balancer logs;
  • CDN records;
  • cloud provider alerts;
  • DDoS mitigation reports;
  • network traffic captures;
  • SIEM alerts;
  • IDS/IPS alerts;
  • DNS logs;
  • API gateway logs;
  • system performance records;
  • bandwidth usage charts;
  • customer complaint records;
  • screenshots showing service unavailability;
  • incident response timeline;
  • communications with hosting or CDN providers;
  • ransom or extortion messages if any;
  • financial loss documentation.

Technical reports should explain the attack in a way that a prosecutor or court can understand. The report should define the attack type, time period, affected systems, service impact and evidence showing abnormal traffic.

10. Criminal Complaint Strategy for DDoS Victims

A criminal complaint for a DDoS attack should be clear, technical and legally classified. It should not merely state that “our website was attacked.” It should explain why the attack constitutes disruption of an information system under Article 244.

A strong complaint should include:

  • identity of the victim company or institution;
  • affected domain, server, application or service;
  • date and time of attack;
  • duration of service disruption;
  • type of attack, if known;
  • traffic volume and abnormal patterns;
  • logs and technical reports;
  • customer or transaction impact;
  • financial damage;
  • mitigation costs;
  • suspected IP ranges or infrastructure;
  • suspected persons, if any;
  • ransom or threat messages, if any;
  • request for investigation under Article 244;
  • request for provider records;
  • request for preservation of traffic data;
  • request for expert examination;
  • request for international cooperation if foreign infrastructure is involved.

If the attack affected a bank, public institution or critical service, this should be emphasized. If the DDoS was accompanied by extortion, data theft or unauthorized access, those facts should be added under separate headings.

11. DDoS Extortion

DDoS extortion occurs when attackers threaten to launch or continue a DDoS attack unless the victim pays money, usually in cryptocurrency. The attackers may first launch a short demonstration attack and then send a demand. This conduct may involve Article 244 and blackmail or threat-related offences.

For example, a message saying “Pay us Bitcoin or your service will remain offline” is not only a technical attack. It is coercive conduct designed to obtain unlawful benefit. The victim should preserve all messages, wallet addresses, e-mail headers, chat logs and attack timestamps.

DDoS extortion should be handled carefully. Payment does not guarantee that the attack will stop. Attackers may demand more money or attack again. The victim should preserve evidence, involve legal counsel, notify technical mitigation providers, consider criminal complaint and assess insurance and regulatory obligations.

12. DDoS and Unfair Competition

Some DDoS attacks may be linked to commercial rivalry. For example, an e-commerce platform may be attacked during a major sale period, a gaming server may be disrupted during a tournament, or a competitor’s online booking platform may be targeted during peak demand.

If evidence suggests that a competitor or commercial actor commissioned or benefited from the attack, civil and unfair competition claims may become relevant in addition to criminal proceedings. However, such allegations require strong evidence. A mere suspicion that a competitor benefited is not enough.

Relevant evidence may include:

  • timing of the attack;
  • prior threats;
  • suspicious communications;
  • commercial disputes;
  • sudden customer diversion;
  • digital links to a competitor;
  • witness statements;
  • payment records to attack services;
  • forensic findings.

A company may pursue compensation if it proves unlawful conduct, damage and causal connection.

13. Civil Compensation Claims

DDoS attacks can cause significant material damage. A victim may claim compensation from the perpetrators or responsible parties if they are identified.

Possible damage items include:

  • lost sales;
  • service interruption losses;
  • customer refunds;
  • contractual penalties;
  • DDoS mitigation expenses;
  • emergency IT support costs;
  • forensic investigation costs;
  • reputational repair expenses;
  • lost advertising spend;
  • SLA breach costs;
  • loss of business opportunity;
  • overtime and crisis management expenses.

Civil claims require proof of damage and causation. The victim should document losses from the beginning. Accounting records, customer cancellation records, service availability reports, invoices for mitigation services and expert calculations may be necessary.

14. Corporate Incident Response

A company facing a DDoS attack should act quickly but also preserve evidence. A practical response should include:

  • activate the incident response team;
  • notify hosting, cloud or CDN provider;
  • implement DDoS mitigation;
  • preserve logs before rotation;
  • record the attack timeline;
  • identify affected services;
  • document customer impact;
  • check for parallel intrusion attempts;
  • review whether personal data was affected;
  • assess Cybersecurity Law obligations;
  • notify cyber insurer if applicable;
  • prepare criminal complaint;
  • communicate carefully with customers if service disruption is public;
  • conduct post-incident review.

The most common mistake is focusing only on technical recovery and forgetting legal evidence. Once logs are overwritten, attribution and proof become much harder.

15. DDoS Against E-Commerce Platforms

E-commerce businesses are attractive DDoS targets because downtime directly causes revenue loss. A DDoS attack during a campaign, launch, holiday sale or payment period may cause substantial commercial damage.

For e-commerce victims, the complaint should document:

  • number of failed transactions;
  • cart abandonment data;
  • payment failures;
  • customer complaints;
  • revenue comparison with ordinary periods;
  • campaign costs wasted;
  • service downtime reports;
  • mitigation expenses;
  • reputational harm.

If customer accounts or payment systems were targeted at the same time, additional cybercrime and personal data analysis may be required.

16. DDoS Against Public Institutions

DDoS attacks against public institutions may cause public service disruption. If citizens cannot access an e-government-style service, municipality system, public announcement portal, hospital appointment system or public information platform, the harm may extend beyond the institution itself.

Article 244’s aggravated approach to public institution systems makes the legal seriousness clear. Public institutions should preserve technical evidence, coordinate with relevant cybersecurity authorities, document service disruption and file criminal complaints where appropriate.

Public institutions should also be careful about public communication. They should explain service interruption accurately without revealing technical vulnerabilities that could assist attackers.

17. Attribution Problems in DDoS Cases

DDoS attribution is difficult. Attack traffic may come from thousands of compromised devices across many countries. IP addresses may belong to innocent third-party devices infected by malware. Attackers may use proxy services, botnets, cloud servers or spoofed addresses.

This creates legal challenges. A list of source IP addresses does not automatically identify the attacker. Investigators must determine whether those addresses are merely compromised devices or controlled infrastructure. Additional evidence may be needed, such as:

  • command-and-control server data;
  • payment records for attack services;
  • threat messages;
  • account registrations;
  • hosting provider records;
  • cryptocurrency wallet tracing;
  • communications between suspects;
  • malware analysis;
  • seized device evidence.

For defence, attribution problems are central. A person should not be convicted merely because traffic came from an IP address connected to them unless the prosecution proves knowing participation and control.

18. Defence Strategies in DDoS Allegations

A person accused of conducting or participating in a DDoS attack may face serious criminal consequences. Defence strategy depends on the alleged role.

Possible defence arguments include:

  • the accused did not control the attack infrastructure;
  • the accused device was compromised by malware;
  • the IP address belongs to a shared network;
  • the accused did not intend to disrupt the system;
  • the traffic was legitimate load testing;
  • there was authorization for stress testing;
  • the system failure was due to poor infrastructure, not an attack;
  • logs are incomplete or unreliable;
  • timestamps are inconsistent;
  • the accused did not send extortion messages;
  • the evidence was obtained unlawfully;
  • Article 244 elements are not proven.

If the case involves authorized penetration testing or stress testing, written authorization is critical. Legal commentary on penetration tests notes that consent and scope matter, and that exceeding consent may create criminal risk.

19. Authorized Load Testing vs. Criminal DDoS

Not every high-traffic test is a crime. Companies may conduct authorized load testing, stress testing or penetration testing to assess resilience. The legal difference is consent, scope and purpose.

A lawful test should have:

  • written authorization;
  • defined target systems;
  • time limits;
  • traffic limits;
  • emergency stop procedure;
  • responsible persons;
  • reporting obligations;
  • no hidden data access;
  • no excessive impact outside scope.

If a tester exceeds the authorized scope and disrupts unrelated systems, criminal and civil liability may arise. Therefore, cybersecurity professionals should document authorization carefully before performing any load or stress test.

20. Preventive Measures for Companies

Companies can reduce DDoS risk through technical and legal preparation.

Recommended measures include:

  • DDoS mitigation service;
  • CDN and traffic filtering;
  • scalable cloud architecture;
  • rate limiting;
  • web application firewall;
  • DNS resilience;
  • redundancy and failover;
  • incident response plan;
  • log retention policy;
  • vendor escalation contacts;
  • cyber insurance review;
  • crisis communication plan;
  • contractual SLA review;
  • backup access channels;
  • periodic stress testing with written authorization;
  • employee training;
  • legal evidence preservation procedure.

Prevention is not only technical protection. It strengthens the company’s legal position if it later claims damages or responds to regulatory questions.

21. Practical Checklist for DDoS Victims

A victim of a DDoS attack in Turkey should:

  1. Preserve logs immediately.
  2. Record the start and end time of the attack.
  3. Contact hosting, cloud or CDN provider.
  4. Obtain technical incident reports.
  5. Document service unavailability.
  6. Preserve customer complaints and transaction failures.
  7. Check whether unauthorized access occurred simultaneously.
  8. Assess whether personal data was affected.
  9. Assess Cybersecurity Law obligations.
  10. Notify cyber insurer if applicable.
  11. Preserve ransom or threat messages.
  12. Calculate financial damage.
  13. File a criminal complaint under Article 244.
  14. Request provider records and expert examination.
  15. Review prevention and mitigation measures after the incident.

This structured response helps both technical recovery and legal enforcement.

Conclusion

DDoS attacks in Turkey are serious cyber incidents that may create criminal, civil, regulatory and corporate consequences. The main criminal provision is Turkish Penal Code Article 244 because DDoS attacks directly prevent or disrupt the functioning of information systems. Article 243 may also become relevant if attackers unlawfully access systems, compromise infrastructure or use malware-controlled devices. If the attack involves extortion, data theft, personal data exposure or banking systems, additional offences and legal duties may arise.

For victims, the most important steps are immediate mitigation, evidence preservation, technical reporting, criminal complaint and damage documentation. For companies, DDoS readiness should be part of corporate cybersecurity governance under the broader framework created by Cybersecurity Law No. 7545. For public institutions, banks and critical service providers, the legal and operational stakes are even higher.

For suspects and defendants, the key issues are intent, attribution, control of infrastructure, reliability of logs, lawful authorization and whether Article 244 elements are truly proven. DDoS investigations are technically complex, and source IP addresses alone may not be enough to establish personal guilt.

In Turkey’s digital economy, online service availability is a legal asset. When a DDoS attack disrupts that availability, Turkish law provides criminal and civil remedies. Effective legal action requires speed, technical evidence, correct legal classification and coordinated cooperation between lawyers, cybersecurity experts, service providers and company management.

Categories:

Genel

Yanıt yok

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir

Our Client

We provide a wide range of Turkish legal services to businesses and individuals throughout the world. Our services include comprehensive, updated legal information, professional legal consultation and representation

Our Team

.Our team includes business and trial lawyers experienced in a wide range of legal services across a broad spectrum of industries.

Why Choose Us

We will hold your hand. We will make every effort to ensure that you understand and are comfortable with each step of the legal process.

Open chat
1
Hello Can İ Help you?
Hello
Can i help you?
Call Now Button