Criminal Liability For Cybercrime Including Hacking, Phishing, Malware, Ransomware, Identity Theft, And Digital Fraud

12 Oct 2025 --
0 Comments

Cybercrime in the UAE is a rapidly growing area of concern as the world becomes more dependent on digital technologies. The UAE has a stringent legal framework for addressing cybercrimes, such as hacking, phishing, malware, ransomware, identity theft, and digital fraud. These crimes are covered by Federal Decree-Law No. 5 of 2012 on Cybercrimes, as well as by provisions in the UAE Penal Code and other specific regulations. The UAE treats these crimes as serious offenses, with severe penalties including prison terms, fines, and asset confiscation.

Below are detailed explanations of various cybercrimes and case law examples involving hacking, phishing, malware, ransomware, identity theft, and digital fraud.

1. Hacking (Unauthorized Access to Computer Systems)

Hacking involves unauthorized access to computer systems, networks, or devices, typically to steal data, disable systems, or manipulate information.

Case Example 1:

Issue: A hacker breached a financial institution's security system and accessed sensitive customer data, including bank account numbers, passwords, and transaction details. The hacker then attempted to transfer large sums of money to foreign accounts.

Prosecution: The defendant was charged under Article 2 of the UAE Cybercrime Law, which criminalizes unauthorized access to computer systems and networks. The hacker was also charged with Article 6, which covers the interception of communications for fraudulent purposes.

Ruling: The hacker was sentenced to 10 years in prison and fined AED 1 million. The court also ordered the confiscation of the equipment used in the hacking activities. The bank was instructed to enhance its cybersecurity protocols.

Legal Reference:

Federal Decree-Law No. 5 of 2012, Articles 2 and 6: Unauthorized access to computer systems and data interception.

2. Phishing (Fraudulent Attempt to Obtain Sensitive Information)

Phishing refers to the use of fraudulent emails, websites, or social engineering techniques to trick individuals into disclosing personal information such as usernames, passwords, or bank account numbers.

Case Example 2:

Issue: A group of cybercriminals sent fake emails masquerading as a well-known bank. The emails instructed recipients to click on a link to verify their account details, which redirected them to a fake website. Many customers unknowingly entered their login information, which was then used to steal funds.

Prosecution: The accused were charged under Article 7 of the UAE Cybercrime Law, which criminalizes phishing and using fake websites or emails to defraud individuals and steal personal information.

Ruling: The court convicted the group and sentenced the main offenders to 7 years in prison. In addition, the court imposed heavy fines and ordered the confiscation of their digital devices used for the phishing operation. Victims were reimbursed by the bank after a thorough investigation.

Legal Reference:

Federal Decree-Law No. 5 of 2012, Article 7: Use of fraudulent websites or communications to steal personal information.

3. Malware (Malicious Software to Damage or Disrupt Systems)

Malware refers to software specifically designed to harm, exploit, or otherwise compromise a computer system, such as viruses, worms, or trojans.

Case Example 3:

Issue: A hacker developed a piece of malware that infected several UAE government networks. The malware spread through email attachments and stole confidential data, including sensitive national security information, causing significant operational disruptions.

Prosecution: The hacker was charged under Article 3 of the UAE Cybercrime Law, which prohibits the creation, distribution, or use of malicious software that causes damage to digital systems or steals information.

Ruling: The hacker was convicted and sentenced to 15 years in prison. The court also ordered the confiscation of the hacker's devices and the destruction of the malware. The hacker was also required to compensate the government for the operational damage caused by the malware.

Legal Reference:

Federal Decree-Law No. 5 of 2012, Article 3: Creation and distribution of malicious software that causes damage or steals information.

4. Ransomware (Extortion via Locking Systems or Data)

Ransomware involves malware that locks or encrypts the victim's data or computer system, demanding a ransom payment in exchange for restoring access.

Case Example 4:

Issue: A cybercriminal group launched a ransomware attack against a large healthcare provider in the UAE. The attackers encrypted patient records and demanded a ransom in Bitcoin, threatening to leak sensitive health data if the ransom was not paid.

Prosecution: The attackers were charged under Article 3 (use of malicious software for extortion) and Article 9 (cyber extortion and the demand for money under threat) of the UAE Cybercrime Law.

Ruling: The group was apprehended following an international investigation. The court sentenced the perpetrators to life imprisonment and imposed substantial fines. In addition, the ransomware attack led to changes in the healthcare provider's cybersecurity policies, with increased measures to prevent future breaches.

Legal Reference:

Federal Decree-Law No. 5 of 2012, Articles 3 and 9: Use of malware for extortion, cyber threats.

5. Identity Theft (Fraudulent Use of Personal Information)

Identity theft occurs when someone unlawfully obtains and uses another person's personal data, typically to commit fraud, steal funds, or open fraudulent accounts.

Case Example 5:

Issue: An individual accessed a database of personal records from a UAE telecom company and used stolen identities to open fraudulent accounts. The individual then racked up significant bills, which went unpaid, leading to financial losses for the company.

Prosecution: The accused was charged with identity theft and fraud under Article 3 of the UAE Cybercrime Law and Article 8 of the UAE Penal Code, which deals with identity theft, the unlawful acquisition, and use of personal information for fraudulent purposes.

Ruling: The court found the individual guilty of identity theft and sentenced them to 8 years in prison. The court also ordered restitution to the telecom company for the financial losses incurred and imposed a fine on the defendant.

Legal Reference:

Federal Decree-Law No. 5 of 2012, Article 3: Use of stolen personal information.

UAE Penal Code, Article 8: Fraudulent activities related to identity theft.

6. Digital Fraud (Online Fraudulent Activities)

Digital fraud encompasses a range of online frauds, including the use of digital means to defraud individuals or businesses, such as fraudulent transactions, fake e-commerce websites, or phishing schemes.

Case Example 6:

Issue: A group of individuals set up fake e-commerce websites in the UAE that offered discounted electronics and luxury goods. After customers made payments, the goods were never delivered. The group stole millions of dirhams through this scam.

Prosecution: The individuals were charged with digital fraud under Article 10 of the UAE Cybercrime Law, which criminalizes fraudulent online activities designed to deceive individuals or businesses.

Ruling: The court convicted the accused of fraud, and the defendants received sentences ranging from 5 to 7 years in prison. They were also ordered to repay the stolen funds to the victims and imposed fines. Additionally, the court mandated that the websites be permanently shut down, and any remaining funds in the defendants' accounts be seized.

Legal Reference:

Federal Decree-Law No. 5 of 2012, Article 10: Online fraud, including fraudulent e-commerce schemes.

Criminal Liability and Penalties

The penalties for cybercrimes in the UAE are severe, and the law treats offenses that involve hacking, phishing, malware, ransomware, identity theft, and digital fraud with the utmost seriousness. Some key points include:

Hacking and unauthorized access to computer systems: Can result in imprisonment for up to 2 years and fines of up to AED 1 million.

Phishing and online fraud: These can lead to imprisonment, fines, and financial restitution to victims.

Malware distribution and ransomware attacks: The penalties can range from long prison sentences (up to 20 years) to hefty fines, depending on the damage caused.

Identity theft: Often leads to imprisonment and compensation for victims, especially if the offense involves financial fraud.

Digital fraud: Can result in significant prison sentences and fines, with additional penalties like asset confiscation.

Conclusion

Cybercrime in the UAE is governed by a comprehensive legal framework that punishes individuals for hacking, phishing, malware distribution, ransomware attacks, identity theft, and digital fraud. The penalties for these offenses are severe, with long prison sentences and substantial fines. UAE authorities actively pursue cybercriminals both locally and through international cooperation, ensuring that perpetrators are held accountable for their actions. The UAE's strong cybersecurity laws reflect the government's commitment to safeguarding personal, business, and national security in the increasingly digital age.