Cybercrimes in Spain: Computer Fraud, Unauthorized Access, and Digital Offenses (Criminal Code)

Cybercrimes in Spain: Legal Framework and Forensic Practice

Cybercrime has become one of the fastest-growing criminal phenomena in Spain. According to the Ministry of Interior, over 375,000 ICT-related criminal offenses were recorded in 2024, a 26% increase over the previous year. Computer fraud accounts for 87% of cybercrimes, followed by unauthorized system access and offenses against privacy.

For criminal lawyers, cybercrimes present specific challenges: the volatility of digital evidence, the cross-border nature of offenses, and criminal classifications that have evolved significantly with the 2010 and 2015 Criminal Code reforms.

Computer Fraud (Art. 248.2 Criminal Code)

Basic Offense

Art. 248.2 classifies as fraud the obtaining of economic benefit through:

"computer manipulation or similar artifice that achieves the unconsented transfer of any patrimonial asset to the detriment of a third party"

Key Elements

1. Computer manipulation: Any alteration, intervention, or unauthorized use of computer systems (phishing, malware, credential spoofing)
2. Unconsented transfer: The patrimonial shift must occur without the holder's will
3. Intent to profit: Intention of economic benefit for oneself or a third party
4. Third-party damage: Effective economic harm

Penalties

Common Modalities

• Phishing: Identity spoofing via email, SMS (smishing), or phone (vishing) to obtain banking credentials
• Card fraud: Cloning (skimming), unauthorized use of card data (carding)
• Business Email Compromise (BEC): Intercepting business communications to redirect payments
• CEO fraud: Impersonating an executive to order fraudulent transfers
• SIM swapping: Duplicating SIM cards to intercept banking authentication codes

Unauthorized System Access (Art. 197 bis Criminal Code)

Criminal Type

Art. 197 bis.1 punishes with 6 months to 2 years imprisonment anyone who:

"by any means or procedure, breaching the security measures established to prevent it, and without proper authorization, accesses or facilitates access to all or part of an information system"

Key Elements

1. Breaching security measures: Merely accessing an unprotected system is insufficient
2. Lack of authorization: Access must be illegitimate
3. Information system: Any device or set of devices that stores, processes, or transmits electronic data

Transmission Interception (Art. 197 bis.2)

Punished with 3 months to 2 years imprisonment for intercepting non-public data transmissions (sniffing, man-in-the-middle attacks).

Computer Damage (Art. 264 Criminal Code)

Basic Offense (Art. 264.1)

6 months to 3 years imprisonment for anyone who seriously deletes, damages, deteriorates, alters, suppresses, or makes inaccessible third-party data, programs, or electronic documents.

Computer Sabotage (Art. 264 bis)

6 months to 3 years imprisonment for attacks against system availability: DDoS attacks, system disabling, serious operational disruptions.

Aggravated Forms (Art. 264.2)

2 to 5 years imprisonment when affecting critical infrastructure, committed within a criminal organization, or causing significant economic damage.

Digital Privacy Offenses

Non-Consensual Sexting (Art. 197.7)

3 months to 1 year imprisonment for distributing intimate images obtained with consent but shared without authorization.

Child Grooming (Art. 183 ter)

1 to 3 years imprisonment for contacting a minor under 16 through technology and proposing to arrange a meeting, accompanied by material acts toward approach.

Territorial Jurisdiction

The Jurisdictional Challenge

Cybercrimes present a specific territorial competence challenge: the perpetrator may be in one country, the server in another, and the victim in a third.

Attribution Criteria

Spain ratified the Budapest Convention in 2010. It is the primary international instrument for harmonizing cybercrime types and enabling cross-border digital evidence requests.

Digital Evidence: Collection and Validity

Fundamental Principles

Digital evidence in Spanish criminal proceedings is subject to:

1. Legality (Art. 11.1 LOPJ): Evidence obtained in violation of fundamental rights is void
2. Authenticity: Evidence must be proven unmanipulated (hash, chain of custody)
3. Integrity: The chain of custody must document the entire collection and storage process

Technological Investigation Measures (Arts. 588 bis a - 588 octies LECrim)

Organic Law 13/2015 introduced a comprehensive framework:

Digital Chain of Custody

• Forensic cloning of the original device (bit-by-bit image)
• Cryptographic hash (SHA-256) of the forensic copy
• Intervention report with detailed device description
• Secure storage with access control
• Complete documentation of every person accessing the evidence

Corporate Criminal Liability

Since the 2015 Criminal Code reform, legal entities can be criminally liable for cybercrimes committed by their employees or directors (Art. 31 bis).

An effective compliance program can exempt the legal entity from criminal liability (Art. 31 bis.2), or at least mitigate it.

Conclusion

Cybercrimes demand dual specialization from criminal lawyers: mastery of computer criminal types in the Criminal Code and technical understanding of digital evidence and its chain of custody. The cross-border dimension adds procedural complexity requiring knowledge of the Budapest Convention and international cooperation mechanisms.

Lexiel gives you instant access to all cybercrime criminal types, Supreme Court case law on digital evidence, and the Budapest Convention -- with citations verified against official sources.

Try Lexiel free for 14 days ->