Hacking, scams and crypto-asset losses

Let us set the starting point precisely, because two opposite —and both mistaken— simplifications circulate about crypto losses. Neither is every economic loss arising from the ecosystem automatically deductible as a capital loss, nor are we faced with a vacuum in which everything depends on an open assessment. Today there is useful doctrine: ruling V1828-24 provides support for cyber-scams with an unknown perpetrator, and V1098-20 remains the reference where what actually remains is a claim against a third party or a platform.

Cyber-scam with an unknown perpetrator: the criterion of V1828-24

V1828-24 is valuable because it moves the debate from abstraction to a very recognisable case: the economic loss arising from a cyber-scam in which there is no identified solvent debtor against whom to assert a claim. Where the perpetrator cannot be identified, no claim arises in favour of the injured party; what occurs is, conceptually, a capital loss.

The classification the DGT sets is precise and worth retaining. As it does not arise from the transfer of an asset, that loss is included in the general base of IRPF —not the savings base—, under Articles 45 and 48 of the Personal Income Tax Act. And it is subject to a condition the ruling stresses: to have tax effect, the loss must be substantiated, since Article 33.5.a) excludes the recognition of unproven losses. The burden of proof falls on the taxpayer, and it will be the management and inspection bodies that assess the evidence provided.

Here too, simplification should be avoided. The ruling does not turn any technical incident, send error, undocumented hack or loss of access into an automatically deductible tax loss. Its value lies in recognising that, where there are substantiated facts and a genuine capital loss, the system does not require the case to be treated as a dead end.

Failed platforms and insolvency: when what remains is a claim

When a platform collapses, suspends withdrawals or enters insolvency, the legal situation may be very different from a pure cyber-scam. In many of those cases the taxpayer has not immediately lost all economic rights: what they retain is a claim, a right to restitution or an insolvency-proceeding expectation against the entity or the insolvency estate.

That is where V1098-20 remains valuable, because it recalls that non-payment or failure to return at maturity does not, on its own, generate an automatic capital loss. The key is to determine when that claim can be considered uncollectible for tax purposes, under the timing rule of Article 14.2.k) of the Personal Income Tax Act (which allows the loss to be recognised where certain circumstances arise, such as a haircut in a refinancing or insolvency agreement, or the lapse of one year from the start of judicial proceedings aimed at collection without it having been satisfied). In an FTX-, Celsius- or similar-type scenario, the loss should not be taken as realised in full on the day of the collapse if there are insolvency proceedings or a potential recovery: the correct course is to analyse whether a claim survives and, where appropriate, when it can be deemed uncollectible.

Loss of the seed or the private key: a serious grey area

The loss of the seed phrase, the passphrase, the device or exclusive technical access to a wallet is one of the most real problems for the self-custodied bitcoiner and, at the same time, one of the worst-resolved areas. The tax recognition of this loss should not be presented as a closed administrative criterion. The economic irrecoverability may be total —the asset still exists on the chain, but is inaccessible forever—, and yet its tax classification is not clearly resolved by a specific and directly applicable binding ruling.

In the current state of the doctrine, this point must be treated as a serious grey area. There are arguments for defending a capital loss in extreme and duly proven cases, but there is no sufficient basis to present that conclusion as an automatic rule.

The evidentiary dimension: without evidence there is no defensible loss

In all these cases, evidence is decisive. For a hack, a cyber-scam or a theft it is necessary to assemble a minimum set of evidence: the police or judicial report, the communications with the platform, the on-chain traceability of the funds leaving, the purchase history allowing the acquisition value to be substantiated and, where applicable, the documentation of the insolvency proceedings or the civil claim. With failed platforms it is also advisable to distinguish between the blocked balance, the percentage recovered and the part finally unrecoverable. The difference between a defensible loss and an unprovable assertion usually lies precisely here.