German prosecutors are unable to convict criminals of digital asset theft thanks to a gap in the German Criminal Code (StGB), according to a recent court decision in the jurisdiction.
The loophole was brought to light due to the trial of a man accused of stealing 2.5 million euros ($2.8 million) worth of various digital assets. The unnamed accused had helped the victim create digital asset wallets and gained access to the wallets’ 24-word seed phrase. The accused then transferred the tokens—numbering some 25 million—to their own wallets.
The accused was primarily charged with theft, but escaped conviction because the German Criminal Code defines theft as the ‘taking of another’s movable property,’ which digital assets are not.
“According to Section 242 of the German Criminal Code (StGB), theft is the ‘taking of another’s movable property,’” according to a translation of the judgment provided by German outlet Heise.
“However, cryptocurrencies such as Bitcoin or Ethereum are not to be regarded as ‘things’ within the meaning of the law, as they do not have a physical, corporeal existence. Instead, they are digital assets, or more precisely, entries in a decentralized blockchain. Theft in the physical sense is therefore conceptually excluded, which rules out the offence of theft from the outset.”
Other potential offenses—such as the unlawful deletion of data—were also rejected by the courts. That offense requires violating the data rights of a third party, whereas in the case of digital assets, the German courts considered that only the issuer’s data was being affected.
“The logging of a transaction in the blockchain and the associated data change in the allocation of crypto values is a change made by the network operators and thus by the persons entitled to dispose of the assets themselves,” reads the judgment.
Similar reasoning was used to discount charges of computer fraud.
The result is that the alleged perpetrator—now a millionaire thanks to what can now only legally be described as entrepreneurial spirit—can walk free.
Notably, this conundrum has arisen in Germany, which has dedicated cyber laws. The offenses the prosecutors sought to charge the accused with were created especially for the cybercrime context: section 202a criminalizes unauthorized access to protected data, while section 303a criminalizes unauthorized data manipulation, such as erasing or ‘rendering useless’ data. These offenses were added to the German Criminal Code in 2007 and were intended to close any remaining loopholes in the digital age.
However, it seems that technology is advancing faster than the Bundestag can close whatever loopholes are created.
Though potential gaps in legislation have often been touted as a risk of embracing digital assets, these gaps have rarely led to such dramatic consequences as this. In effect, authorities in Germany are left scrambling to find alternative charges—as happened in the present case—that might capture the conduct of the accused. In this instance, they failed entirely.
Differing legal conceptions of digital assets
The German approach is a curious one and has led to a perverse outcome, but it does illustrate the myriad ways that digital asset ‘theft’ can be conceptualized under the law.
For example, other jurisdictions have taken a different conceptual approach to the legal status of digital assets: the United Kingdom, for instance, found that assets—such as Bitcoin—quite easily met the definition of traditional property and therefore could be subject to theft under the law.
In 2023, the U.K. Law Commission commented on this approach in its sweeping review of digital asset laws in the jurisdiction, referencing a Court of Appeal decision confirming that Bitcoin is legal property:
“That case has brought a high degree of certainty to the law of England and Wales: it recognizes that crypto-tokens can be things to which personal property rights can relate, that they can be rivalrous and that their characteristics are manifested by the active operation of software.”
This wasn’t necessarily always going to be the conclusion. U.K. law has always been fairly rigid that personal property is split into two categories: things in action and things in possession. A “thing in action” involves property that cannot be physically possessed, such as a debt. A “thing in possession” refers to physical property. Crucially, though the courts have recognized that property rights attach to digital assets, they have not been explicit about which of these two categories the assets fall into.
A Bill is currently entering its final stages before the House of Lords which somewhat addresses the issue: the Property (Digital Assets Etc) Bill effectively implements the findings of the U.K. Law Commission in recognizing digital assets’ status as property, but explicitly leaves the conceptual question—whether these assets are things in action, things in possession or form part of a new third category of property—to the courts.
Such flexibility would avoid the unseemly result reached in the German case, but it could also be criticized for lacking rigidity and certainty. Indeed, this deference to the courts may strike some as equally unattractive.
In any case, it seems inevitable that legislators in Germany will draw up new legislation to address this loophole.