What does Chinese law say about the theft of digital collections?

Recently, cases of NFT thefts of overseas users have become common. According to public reports, T, the owner of a gallery in New York, wrote in a tweet on December 30 last year (2021) that 15 NFTs in his Ethereum wallet were stolen, with a total value of US$2.2 million. "I was hacked! All my Bored Ape are gone!" he wrote on Twitter.

As newly born things, NFT and virtual currency are controversial in judicial practice. The dispute lies on the one hand whether the theft of NFT can be considered as stolen property, and on the other hand how to apply criminal law when the purpose of the act carried out by the perpetrator using the computer constitutes other crimes.

Due to the current rampant NFT theft and the lack of relevant precedents in the country, today Sister Sa’s team will take this as an opportunity to conduct a legal analysis of the act of stealing NFTs.

Common methods of stealing NFTs

NFTs are stolen because the secret key of the wallet is leaked or the user unknowingly authorizes illegal transfer transactions, which include three specific situations:

1. The user's key is out of the user's control , for example, through cloud storage, uploading key information, or accidentally posting it on public social media, which is the so-called "key touching the Internet".

2. Users log in to fake platforms . When hackers build fake websites and their domain names are similar to those of regular well-known websites, users may not notice the slight changes in the domain name and enter their account and password to log in. After obtaining the key, hackers use smart contracts to steal NFTs.

3. The device storing the key is hacked , for example, the user clicks on a phishing email or document key storage device containing a Trojan, and the hacker uses the Trojan to remotely decrypt the device.

This case mainly involves the third method of crime. In this case, should the hacker who uses a computer network to build a fake website to steal NFTs be convicted of theft or destruction of computer information systems?

Legal Analysis on the Theft of NFTs

Suppose that a Chinese citizen named A encounters a similar situation as the gallery owner T mentioned above, and the NFT of Chinese citizen A is stolen. Then according to China's criminal law, the main crimes suspected of stealing the NFT are theft and destruction of computer information systems .

In judicial practice, most cases of theft of virtual property are convicted and sentenced for the crime of destroying computer information systems. However, the Sajie team believes that, generally speaking, it is more in line with the principle of proportionality between crime and punishment to identify the act of stealing NFTs as theft .

• Disputes over applicable law

Article 264 of the Criminal Law stipulates that theft refers to theft of public or private property in large amounts, or multiple thefts, home thefts, thefts with weapons, and pickpocketing. In the scenario discussed in this article, the perpetrator objectively steals other people's NFTs, and subjectively aims at illegal possession or illegal profit, and the amount is large, which should be considered theft.

At the same time, according to Article 286 of the Criminal Law, the crime of destroying computer information systems refers to the act of deleting, modifying, adding, or interfering with the functions of computer information systems in violation of state regulations, causing the computer information system to fail to operate normally, with serious consequences. In this case, the perpetrator edited phishing emails and remotely interfered with and controlled the computer of the gallery owner T/Xia Jia, which was subjectively intentional and also violated the crime of destroying computer information systems.

Regarding how the law should be applied to those who commit two crimes at the same time, Article 287 of the Criminal Law stipulates that if a computer is used to commit financial fraud, theft, embezzlement, misappropriation of public funds, theft of state secrets or other crimes, he shall be convicted and punished in accordance with the provisions of this Law.

However, there is still no clear conclusion as to whether Article 287 of the Criminal Law stipulates that "conviction and punishment shall be imposed in accordance with the provisions of this Law" refers to conviction and punishment for computer-related crimes or conviction and punishment for crimes committed for purposes such as financial fraud.

There is ambiguity in this provision, and there is no judicial interpretation to clarify it. Therefore, here we try to explore the scope of the definition of this provision and conduct a qualitative analysis of the criminal behavior of intruding into computer information systems and stealing NFTs.

• Academic debate

There are currently two theoretical views. The first view is that this article is a suggestive provision to constrain judicial personnel, that is, it cannot be considered a computer crime simply because the perpetrator uses a computer to commit a crime. Computer crime and substantive criminal behavior are in a means-and-end relationship, and the crime should be convicted according to the substantive crime.

Another view is that the relevant provisions on accomplices, imaginary concurrent crimes, and concurrent punishment for multiple crimes should be accurately understood and applied in light of the specific circumstances of the case . When the crime committed by the perpetrator using a computer simultaneously constitutes a crime endangering the security of computer information systems and other crimes such as financial fraud and theft, the defendant should be convicted and punished for the most serious crime.

• Legal Analysis of the Theft of NFTs

Back to the provisions of the crime of destroying computer information systems, "causing the computer information system to not operate normally" is the result element of this crime. If the perpetrator illegally controls the computer information system for the purpose of theft, but does not affect the normal operation of the computer system, then this behavior may constitute the crime of theft; if the computer information system is destroyed through code, it may constitute a crime of destruction of computer information systems and other crimes, and the more serious crime will be punished. According to this logic, it is more in line with the principle of proportionality between crime, responsibility and punishment.

The key points of the judgment in Guiding Case No. 145 (the case of illegal control of computer information systems by defendant Zhang Moumou and others) issued by the Supreme Court in early 2021 can also serve as a strong argument to support this view.

The basic facts of the case are that since July 2017, the defendant Zhang and others, after prior conspiracy, in order to earn advertising fees for gambling websites, cooperated with each other in a room rented in Kuala Lumpur, Malaysia, to search and screen target servers with protection vulnerabilities, implanted Trojan programs (backdoor programs) into the target servers for control, and then used software such as "Cai Dao" to link to the Trojan program, obtain the backend browsing, adding, deleting, modifying and other operation permissions of the target server, and uploaded static web pages with gambling keywords and automatic jump functions to the target server, increasing the chances of gambling website ads being hit by search engines. As of the end of September 2017, the defendant Zhang and others had linked to a total of 113 target servers implanted with Trojan programs, and some of the website servers were also implanted with advertising web pages containing gambling keywords.

The key points of the judgment pointed out that if a person illegally controls a computer information system by modifying or adding data to the system but does not cause substantial damage to the system functions or prevent it from operating normally, it should not be considered as the crime of destroying a computer information system.

For example, in 2007, Li and four other people, who were the creators and main disseminators of the "Panda Burning Incense" computer virus, used a large number of "zombies" under their control to launch DDOS attacks on the victim's computer information system to demand money, causing the victim's computer information system to be paralyzed and affecting the normal operation of the computer information system. They should be convicted of the crime of destroying the computer information system. However, if hackers secretly steal other people's property and information, and do not cause abnormal operation of the computer information system, and subjectively aim at illegal possession or illegal profit, they should be convicted of theft.

Therefore, if the act of stealing NFTs does not result in the "computer information system being unable to operate normally", then the act meets the constituent elements of the crime of theft.

Final Thoughts

According to the "Notice on Preventing Bitcoin Risks by the People's Bank of China, the Ministry of Industry and Information Technology, the China Banking Regulatory Commission, etc." and the "Announcement on Preventing Token Issuance and Financing Risks by the People's Bank of China, the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, etc.", virtual currency has trading value in the market as a commodity.

Virtual currency is generated by computers through specific calculation methods, which requires labor and economic costs. Most people also obtain virtual currency by transferring it to each other through money as a consideration, that is, virtual currency has economic value , so relevant property crimes can be applied.

Similarly, NFT, as an indivisible virtual commodity, also has economic value and should fall into the category of virtual property. Therefore, if a person steals a large amount of NFT through phishing software for the purpose of illegal possession, it should be considered as theft.