Hacking, scams and crypto-asset losses
Let us set the starting point precisely, because two opposite —and both mistaken— simplifications circulate about crypto losses. Neither is every economic loss arising from the ecosystem automatically deductible as a capital loss, nor are we faced with a vacuum in which everything depends on an open assessment. Today there is useful doctrine, and it is worth reading along the axis that truly orders it: whether or not the perpetrator of the scam is identifiable. Ruling V1828-24 provides support for cyber-scams with an unknown perpetrator, where no claim arises; V1098-20 and, more recently, V1134-25 (27 June 2025) address the reverse, the situation where the perpetrator or debtor is identifiable and what actually remains is a claim against a third party or a platform.
Cyber-scam with an unknown perpetrator: the criterion of V1828-24
V1828-24 is valuable because it moves the debate from abstraction to a very recognisable case: the economic loss arising from a cyber-scam in which there is no identified solvent debtor against whom to assert a claim. Where the perpetrator cannot be identified, no claim arises in favour of the injured party; what occurs is, conceptually, a capital loss.
The classification the DGT sets is precise. As it does not arise from the transfer of an asset, that loss is included in the general base of IRPF —not the savings base—, under Articles 45 and 48 of the Personal Income Tax Act, a basis that ruling V1828-24 itself makes explicit. And it is subject to a condition the ruling stresses: to have tax effect, the loss must be substantiated, since Article 33.5.a) excludes the recognition of unproven losses. The burden of proof falls on the taxpayer, and it will be the management and inspection bodies that assess the evidence provided.
Here too, simplification should be avoided. The ruling does not turn any technical incident, send error, undocumented hack or loss of access into an automatically deductible tax loss. Its value lies in recognising that, where there are substantiated facts and a genuine capital loss, the system does not require the case to be treated as a dead end.
Failed platforms and insolvency: when what remains is a claim
When a platform collapses, suspends withdrawals or enters insolvency, the legal situation may be very different from a pure cyber-scam. In many of those cases the taxpayer has not immediately lost all economic rights: what they retain is a claim, a right to restitution or an insolvency-proceeding expectation against the entity or the insolvency estate.
That is where V1098-20 remains valuable. Its facts matter: the ruling resolved an investment in cryptocurrency channelled in 2019 through a company resident in Cyprus, in which the investor considered himself defrauded and, together with other affected parties, brought a criminal complaint. The DGT did not find a currently computable loss, and the reason is the one to retain: a claim survived against an identifiable debtor, and none of the circumstances of Article 14.2.k) that allow the loss to be recognised was yet present. Non-payment or failure to return at maturity does not, on its own, generate an automatic capital loss; the key is to determine when that claim can be considered uncollectible for tax purposes, under the timing rule of Article 14.2.k) of the Personal Income Tax Act (which allows the loss to be recognised where certain circumstances arise, such as a haircut in a refinancing or insolvency agreement, or the lapse of one year from the start of judicial enforcement proceedings aimed at collecting the claim without it having been satisfied). That same logic —a claim exists and the loss is recognised only when it becomes uncollectible— is the one that, by analogy, should be transposed to scenarios of platforms that suspend withdrawals or enter insolvency, of the FTX, Celsius or similar type, even though the ruling did not directly resolve an insolvency case. Here too the loss should not be taken as realised in full on the day of the collapse if there are insolvency proceedings or a potential recovery: the correct course is to analyse whether a claim survives and, where appropriate, when it can be deemed uncollectible.
This logic is not new. The DGT had already applied it to a pure crypto case in V1979-15, of 25 June 2015 —bitcoins deposited with a platform that lent them out at interest and whose administrator, citing a “theft”, stopped returning them—, concluding that the depositor keeps a claim and that the loss is recognised only once that claim becomes judicially uncollectible, included in the general base. There is, therefore, a ten-year doctrinal line, from V1979-15 to V1134-25, built on the same axis: while the claim survives, there is no recognisable loss.
It is worth warning of a point often overlooked. The DGT, in V1134-25 (27 June 2025) —a ruling rendered, admittedly, on a non-crypto scam but whose criterion is fully transposable—, clarifies that a criminal proceeding for fraud, the usual report or complaint in these cases, is not equivalent to the claim-enforcement proceeding required by the third sub-paragraph of Article 14.2.k). On its own, that criminal proceeding neither starts the one-year period running nor enables the loss to be deducted. It is a distinction worth keeping to, because many injured parties only file a report or complaint and may wrongly believe that the mere lapse of a year is enough.
One qualification, so as not to attribute to the rulings more than they say. Once that claim becomes uncollectible and the loss can be recognised, we take the view that it is likewise included in the general base, on the same basis as in a scam with an unknown perpetrator: it does not arise from the transfer of an asset. That said, it should be noted that V1098-20 dealt only with the timing of recognition and did not rule on the integration base; the conclusion as to the general base rests, for that part, on the general rules of Articles 45 and 48 LIRPF, not on the ruling itself.
Loss of the seed or the private key: a serious grey area
The loss of the seed phrase, the passphrase, the device or exclusive technical access to a wallet is one of the most real problems for the self-custodied bitcoiner and, at the same time, one of the worst-resolved areas. The tax recognition of this loss should not be presented as a closed administrative criterion. The economic irrecoverability may be total —the asset still exists on the chain, but is inaccessible forever—, and yet its tax classification is not clearly resolved by a specific and directly applicable binding ruling.
In the current state of the doctrine, this point must be treated as a serious grey area. There are arguments for defending a capital loss in extreme and duly proven cases, but there is no sufficient basis to present that conclusion as an automatic rule.
The evidentiary dimension: without evidence there is no defensible loss
In all these cases, evidence is decisive. For a hack, a cyber-scam or a theft it is necessary to assemble a minimum set of evidence: the police or judicial report, the communications with the platform, the on-chain traceability of the funds leaving, the purchase history allowing the acquisition value to be substantiated and, where applicable, the documentation of the insolvency proceedings or the civil claim. With failed platforms it is also advisable to distinguish between the blocked balance, the percentage recovered and the part finally unrecoverable. The difference between a defensible loss and an unprovable assertion turns precisely on that evidence.
- V1828-24 — a cyber-scam with an unknown perpetrator (with no identifiable claim) constitutes a capital loss not arising from a disposal, included in the general base and conditional on its substantiation (Article 33.5.a LIRPF).
- V1979-15 (25 June 2015) — the crypto origin of the criterion: bitcoins deposited with a platform that stopped returning them; a claim survives and the loss is recognised only once it becomes judicially uncollectible, in the general base (Articles 45 and 48 LIRPF).
- V1098-20 — where a claim against a platform or third party survives, non-payment does not generate an automatic loss: regard must be had to its tax uncollectibility.
- V1134-25 (27 June 2025) — rendered on a non-crypto scam but with a fully transposable criterion: where the perpetrator of the scam is identifiable there is a claim, and the loss is recognised only when it becomes uncollectible for tax purposes (Article 14.2.k); an ongoing criminal proceeding is not equivalent to the enforcement proceeding required by the third sub-paragraph.
Applicable legislation: Articles 33.1, 33.5.a), 14.2.k), 45 and 48 LIRPF.