Cyber Extortion Under Chinese Criminal Law
Overview of Cyber Extortion in China
Legal Framework
Criminal Law of the PRC:
Article 274 (Robbery/Extortion): Used for traditional extortion, including threats of property damage.
Article 287 (Fraud): Can apply if cyber extortion involves deceiving victims for financial gain.
Cybersecurity Law (2017) and E-commerce Law:
Criminalizes unauthorized access, ransomware, and threats via digital platforms.
Key Elements of Cyber Extortion:
Threatening harm (to person, property, or data) through cyber means.
Demanding property, money, or benefits.
Use of technological tools to intimidate or coerce.
Trends
Increasing use of ransomware, phishing, and DDoS attacks for extortion.
Courts treat cyber extortion seriously, with aggravated penalties for organized or cross-border cases.
Case 1: Liu Case (Beijing, 2014 – Ransomware Attack)
Facts:
Liu deployed ransomware on a company’s network, encrypting files and demanding 500,000 RMB for decryption.
Company reported to police; investigation traced Liu’s IP and devices.
Legal Reasoning:
Court applied Article 274 (extortion) and considered digital threat as equivalent to physical coercion.
Evidence: logs, encrypted files, communication messages.
Outcome:
Liu sentenced to 8 years imprisonment; property confiscated.
Significance:
Early case recognizing cyber threats as extortion under Criminal Law.
Established precedence for treating ransomware as serious criminal act.
Case 2: Zhang Case (Shanghai, 2015 – Online Threats for Money)
Facts:
Zhang sent threatening emails to small businesses claiming to release sensitive information unless paid.
Targeted 12 companies; collected 300,000 RMB.
Legal Reasoning:
Court treated the case as cyber extortion with multiple victims.
Amount involved, repeated threats, and organized approach were aggravating factors.
Outcome:
Zhang sentenced to 6 years imprisonment; full restitution ordered.
Significance:
Courts consider scale, repetition, and number of victims to enhance sentencing.
Case 3: Wang Case (Guangdong, 2016 – Phishing and Ransom)
Facts:
Wang sent phishing emails to employees of a corporation, obtained login credentials, and demanded ransom.
Attempted to extort 2 million RMB.
Legal Reasoning:
Evidence included logs, IP tracing, and emails.
Court classified the crime under Article 274 and 287: extortion combined with cyber fraud.
Outcome:
Wang sentenced to 10 years imprisonment; accomplices 5–7 years.
Significance:
Combined cyber fraud and extortion are treated as aggravated cybercrime.
Demonstrates courts recognize complex, technologically sophisticated schemes.
Case 4: Chen Case (Zhejiang, 2017 – DDoS Threat)
Facts:
Chen launched repeated DDoS attacks on an e-commerce platform, threatening downtime unless paid 1 million RMB.
Platform reported to authorities; attacks traced to Chen.
Legal Reasoning:
Court emphasized the economic impact on multiple businesses.
Applied Articles 274 (extortion) and 285 (damage to computer systems).
Outcome:
Chen sentenced to 9 years imprisonment; fines and restitution ordered.
Significance:
DDoS as extortion tool recognized in Chinese criminal jurisprudence.
Damage to digital infrastructure considered aggravating factor.
Case 5: Li Case (Beijing, 2018 – Ransomware on Public Institution)
Facts:
Li deployed ransomware on a university’s server, threatening to leak student data unless paid 800,000 RMB.
Authorities quickly tracked cryptocurrency payments.
Legal Reasoning:
Court considered public interest harm due to educational institution.
Applied Article 274; aggravating factors: repeated offense, victim type.
Outcome:
Li sentenced to 12 years imprisonment; digital assets confiscated.
Significance:
Public institutions targeted in cyber extortion → heavier penalties.
Emphasizes protecting sensitive data as national and social interest.
Case 6: Huang Case (Guangxi, 2019 – Cross-Border Cyber Extortion)
Facts:
Huang collaborated with foreign hackers to extort multiple Chinese companies via ransomware.
Total demand: 5 million RMB; actual payments: 1.2 million RMB.
Legal Reasoning:
Court treated cross-border cyber extortion as particularly serious.
Coordination with international authorities ensured tracking and arrests.
Outcome:
Huang sentenced to 15 years imprisonment; accomplices 7–10 years.
Significance:
Cross-border cybercrime → maximum penalties.
International cooperation recognized as crucial in prosecution.
Case 7: Zhao Case (Sichuan, 2020 – Cryptocurrency Extortion)
Facts:
Zhao threatened companies with public data leaks unless paid in cryptocurrency.
Used VPNs to hide identity; blockchain tracking helped authorities.
Legal Reasoning:
Court applied Articles 274 and 287: cyber extortion + cyber fraud.
Cryptocurrency payments considered equivalent to property transfer.
Outcome:
Zhao sentenced to 10 years imprisonment; assets confiscated.
Significance:
Recognizes cryptocurrency as property for extortion purposes.
Shows courts adapting to emerging digital tools in crime.
Key Observations
Severity of Punishment
Large-scale or repeated cyber extortion → 8–15 years or more.
Minor, single-victim cases → 4–6 years.
Aggravating Factors
Number of victims.
Economic loss and damage to digital infrastructure.
Cross-border coordination.
Targeting public institutions.
Technological Adaptation
Ransomware, phishing, DDoS, and cryptocurrency considered in sentencing.
Digital evidence (IP logs, blockchain records) critical.
Legal Principles
Cyber extortion treated similarly to traditional extortion but with technology aggravating factor.
Cooperation, confession, and restitution may mitigate sentence slightly.
RELATED Blog
comments