The Criminal Liability of DDoS Attacks and Botnets under German Criminal Law

In the age of digital infrastructures, Distributed Denial of Service (DDoS) attacks and the use of botnets have become emblematic of modern cybercrime. While these acts are often discussed in technical or operational terms, their legal dimension—particularly under German criminal law—is both sophisticated and rigorous. This article provides a detailed legal analysis of DDoS attacks and botnets, grounded in German jurisprudence and supported by insights derived from current case law and cybercrime reports.

DDoS Attacks as Criminal Acts

Under German law, the core provision addressing DDoS attacks is § 303b of the German Criminal Code (StGB), which penalizes computer sabotage (“Computersabotage”). This section criminalizes interference with data processing that is essential for businesses, government institutions, or public utilities. A typical DDoS attack, where a network of computers overwhelms a target system with excessive traffic, falls squarely within the scope of this norm.

To be punishable, the attack must cause a “significant disruption” in the operation of data processing. This does not require permanent damage or the destruction of data, but rather a functional interruption or system overload. German courts have interpreted even temporary outages—if affecting a sufficiently critical system or causing notable economic impact—as sufficient to meet this threshold.

Notably, the subjective element, i.e., the intent of the attacker, must include awareness of the effect on protected infrastructure and a will to cause the disruption. Cases involving “booter” services or paid DDoS-for-hire schemes, as referenced in public indictments and judgments, highlight that even users of such services may be liable, depending on their awareness and involvement.

The Role of Botnets and § 202a StGB et seq.

Botnets—networks of compromised computers (zombies)—are not merely tools; they can themselves be the subject of criminal liability. The creation, distribution, or use of malware to establish a botnet is prosecutable under §§ 202a, 202b, and 202c StGB, which address the unauthorized access to and interception of data, as well as the preparation of such offenses.

A crucial point is that § 202c StGB criminalizes even the preparation of hacking tools. This includes the development and dissemination of malware or remote access tools used to form or control botnets. German courts have shown a willingness to interpret this provision broadly, especially in cases involving clear commercial intent, such as malware sold for cybercriminal purposes.

Where a botnet is used to launch a DDoS attack, a confluence of criminal norms arises: the attacker may be prosecuted for computer sabotage (§ 303b), unauthorized data access (§ 202a), and the creation of malicious software (§ 202c), possibly in conjunction with § 129 StGB if the operation is part of a criminal organization.

Case Law and Jurisprudence

German case law provides instructive examples. One significant case involved the operator of a large-scale botnet who sold access to it for use in DDoS attacks and phishing campaigns. The court emphasized the commercial motivation and the systematic nature of the conduct in its sentencing, invoking not only § 303b but also § 263a StGB (computer fraud) and § 129 StGB (criminal organization).

Similarly, regional court rulings have dealt with the use of DDoS attacks as a means of coercion (e.g., in ransom schemes targeting online shops). Here, § 240 StGB (coercion) and § 253 StGB (extortion) were applied, illustrating the multiplicity of applicable charges.

Moreover, DDoS attacks that impact systems relevant to public order, such as hospitals or infrastructure, can even trigger aggravated sentencing under § 303b(4), especially if they endanger human life or essential services.

Legal Challenges and Evidentiary Issues

From a procedural standpoint, prosecuting DDoS attacks and botnet-related crimes presents unique challenges. Attribution is notoriously difficult. The distributed nature of attacks, often leveraging international nodes, requires extensive cooperation between law enforcement agencies. Digital forensics must be precise, as courts require high standards of proof for intent and causality.

Nevertheless, Germany’s legal system is equipped with modern tools for such investigations. The Zentralstelle zur Bekämpfung der Internetkriminalität (ZIT) and the BKA’s cybercrime units have developed robust capabilities, as reflected in the annual Bundeslagebild Cybercrime reports.

German criminal law provides a coherent and nuanced framework for addressing DDoS attacks and botnet operations. The blend of general criminal law principles with specialized provisions such as §§ 202a–c and 303b StGB enables a comprehensive legal response. As courts and prosecutors become increasingly cyber-savvy, we can expect a tightening grip on such offenses.

Conclusion

Ultimately, the law does not merely chase cybercrime—it anticipates its evolution, embedding preventive norms that criminalize preparatory acts and enhance liability for organized, commercially motivated conduct. This proactive stance, paired with cross-border enforcement efforts, is essential in an era where digital attacks can cripple infrastructure with a few keystrokes.

German Lawyer Jens Ferner (Criminal Defense & IT-Law)