Crackdown or Control? Turkey's Cyber Reckoning and Its Political Fault Lines

A cascade of catastrophic data breaches, a sweeping new law, and a wave of intelligence operations have reshaped Turkey's digital landscape — but the line between protecting citizens and surveilling them has rarely been harder to find.


The Breaking Point: A Nation's Data, for Sale at $5

For years, the warning signs accumulated quietly. Then, in September 2024, they became impossible to ignore.

Turkey's National Cyber Incident Response Center (USOM) discovered that hackers had uploaded a database of staggering proportions to Google Drive: the personal data of over 108 million Turkish citizens — including deceased individuals — containing national ID numbers, home addresses, mobile phone numbers, marital status, date of birth, and place of birth. All of it, exposed. The breach represented data from virtually every person who had ever been registered with a Turkish government institution, at home or abroad, as well as refugees whose details had been captured in official systems.

The government's response revealed a culture of concealment that had long frustrated security researchers and journalists. When the breach first surfaced in the media, officials denied it. Ali Taha Koc, then head of the Digital Transformation Office, told parliament the leak was "technically impossible." By September, a cabinet minister quietly admitted that "some data was unfortunately obtained" during the COVID-19 pandemic — but insisted it "could not have been prevented." Investigative reporters had already been connecting the dots for two years prior, pointing to pirated software in government facilities being used by criminal networks to access real-time data.

The 108 million record breach was the largest and most visible, but it was not unique. The stolen data was being sold on illicit Telegram channels and dark web markets for as little as $5 per record. Health records from the COVID pandemic had been leaked. The e-Government portal had been compromised. Investigative journalist İbrahim Haskoloğlu had published the national ID information of President Erdogan himself, lifted by hackers from government databases — and was promptly detained for eight days, charged with "illegally obtaining and disseminating personal data," before being acquitted and fleeing Turkey under death threats. The Committee to Protect Journalists noted with some bluntness that Turkey's authorities "should be more concerned with the alleged hacking of government databases than the journalists who are covering it."

This was the backdrop against which Turkey's most significant cyber legislative and institutional overhaul in its history was launched.


The Government's Response: A New Architecture

The Cybersecurity Presidency: Centralisation by Decree

On January 8, 2025, President Recep Tayyip Erdogan signed Presidential Decree No. 177, establishing a standalone Cybersecurity Presidency — reporting directly to the Office of the Presidency. Previously, cybersecurity had been coordinated by the Cybersecurity Department within the Digital Transformation Office, a looser arrangement that critics said had produced four separate national cybersecurity strategies over the preceding decade without translating the paper architecture into operational protection.

The new Presidency was given broad authority: formulate national cybersecurity strategy; oversee cybersecurity across public and private sectors; coordinate incident response; determine which entities qualify as critical infrastructure; and manage standards and certification processes. It was, on paper, a significant institutional leap — a single command authority for Turkey's digital defences. In practice, it took until late October 2025 to appoint a permanent director, raising questions about the pace of operationalisation.

Cybersecurity Law No. 7545: The First Standalone Framework

The legislative piece followed on March 12, 2025, when the Grand National Assembly enacted Cybersecurity Law No. 7545 — passed with 246 votes in favour and 102 against, and entering force upon its publication in the Official Gazette on March 19, 2025. It was, formally, the first standalone cybersecurity law in Turkish legal history.

The law is broad in scope and ambitious in intent. It covers public institutions, professional organisations with public institution status, natural and legal persons, and any entity without legal personality that operates in cyberspace. The definition of cyberspace extends to all information systems and networks connected to the internet or electronic communication networks — sweeping enough to encompass virtually every digital entity in the country.

Key Institutional Structures

The Cybersecurity Presidency's duties, authorities and responsibilities are formalised in the Law. The main functions include preventing cyber threats, making risk analyses, ensuring the implementation of cybersecurity standards, establishing cyber incident response teams (SOMA), and managing standards and certification processes.

The law also establishes a Cybersecurity Board composed of key government officials: the President, Vice President, Minister of Justice, Ministers of Foreign Affairs, Interior, National Defence, Industry and Technology, and Transport and Infrastructure, the Secretary-General of the National Security Council, the head of the National Intelligence Organization (MIT), the President of the Defence Industry, and the head of the Cybersecurity Presidency. The Board is made up almost entirely of security and executive figures. Notably absent from the Board are representatives from the Personal Data Protection Authority, the Turkish Bar Association, or the Turkish Journalists Association — an exclusion that drew immediate criticism as a signal of the law's priorities.

Obligations on Critical Infrastructure and Private Sector

The law imposes stricter cybersecurity obligations on sectors deemed critical — finance, healthcare, energy, and telecommunications — including implementation of advanced security protocols and regular cybersecurity audits. All organisations must report cyber incidents to the Cybersecurity Presidency within a specified timeframe; failure to report carries heavy penalties.

The Information and Communication Technologies Authority (BTK) has been granted extended powers to monitor and intervene in cybersecurity incidents and can mandate immediate security measures for organisations deemed vulnerable. Critical infrastructure operators must comply with sector-specific codes of practice.

Administrative fines for non-compliance range from 1 million to 10 million Turkish lira for entities that fail to fulfil duties and responsibilities under the law. If required approvals from the Presidency are not obtained, fines rise to between 10 million and 100 million Turkish lira.

Criminal Penalties: Severe and Targeted

The criminal sanctions introduced are among the most severe in Turkey's digital legal history:

  • Cyberattacks against national cyber infrastructure: 8–12 years' imprisonment
  • Disseminating or selling data obtained through such attacks: 10–15 years' imprisonment
  • Abuse of powers or causing data breaches through failure to protect critical infrastructure: 1–3 years' imprisonment
  • Obstruction of inspectors or withholding information: 1–3 years plus judicial fine
  • Operating without required approvals: 2–4 years plus judicial fine
  • Breach of confidentiality obligations: 4–8 years' imprisonment
  • Disclosing personal data obtained through cyberspace breaches: 3–5 years' imprisonment

These are penalties designed to deter, and in some cases to intimidate. The law also increases sentences by one-third if the offence is committed by a public official, by one-half if committed by multiple persons, and by up to double if committed within an organised crime group.

Turkey also operates as a Party to the Budapest Convention on Cybercrime, providing a framework for international mutual legal assistance and preservation requests that interacts with the new domestic architecture.


The Crackdown: Operations in the Field

The legal architecture was matched by an escalating programme of operational enforcement, primarily through the National Intelligence Organization (MIT), which has emerged as the central actor in both cybercrime enforcement and what the government characterises as counter-espionage.

MIT's Wave of Cyber Operations

Throughout 2024 and 2025, MIT conducted a series of high-profile cybercrime and cyber espionage operations:

In August 2024, MIT dismantled an international cyber espionage network with global connections, arresting 11 suspects in coordination with the Ankara Chief Public Prosecutor's Office and the National Cyber Incident Response Center (USOM). The network was found to be sharing stolen personal data with entities including terrorist organisations.

In October 2024, Turkish authorities arrested nine people linked to a global cyber espionage network accused of sharing stolen personal data with organised crime rings that used the information to blackmail citizens — including adolescents and children.

In May 2025, MIT caught seven foreign nationals red-handed in Istanbul, operating fake mobile base stations to send fraudulent SMS messages impersonating public institutions and telecom operators. The equipment was supplied by a Chinese national operating an electronics business in Istanbul. The suspects had entered Turkey in March 2025, acquired GSM lines under false identities, and operated rental vehicles containing fake cell towers across Istanbul, Izmir, Bursa and Yalova.

In September 2025, MIT dismantled one of the country's largest online fraud networks, targeting an organised group running sophisticated e-commerce scams.

In October 2025, a simultaneous Istanbul-centred operation, conducted jointly by MIT, MASAK (Financial Crimes Investigation Board), and the Gendarmerie, arrested 10 of 12 suspects from a group defrauding citizens by impersonating MIT, the Post and Telegraph Organization (PTT), and the Fast Pass System (HGS) using malicious Android applications. The operation seized cryptocurrency wallets, cash, and digital materials.

In November–December 2025, further cyber-related operations included what MIT's 2025 annual report described as the first arrests under Cybersecurity Law No. 7545, along with actions to shut down websites hosting illegally obtained personal data.

In December 2025, MIT launched a major operation detaining four suspects accused of cyber espionage through illegal access to sensitive data from public institutions — part of the broader counter-espionage mandate that the 2025 MIT annual report framed as responding to growing geopolitical uncertainty.

By year-end, more than 1,200 fraudulent websites linked to cyber fraud schemes had been shut down throughout 2025.


The Political Dimension: Security as a Double-Edged Instrument

To assess Turkey's cybersecurity crackdown purely on its technical merits would be to miss the more consequential story. Every major element of the new legal and institutional framework — the Cybersecurity Presidency reporting to Erdogan, the composition of the Cybersecurity Board, the criminal provisions targeting data disclosure, the intelligence-led enforcement model — carries a distinct political valence.

The Disinformation Provision: Silencing the Messenger

The most contested provision of Cybersecurity Law No. 7545 is one that criminalises "producing or disseminating false content suggesting a data breach," punishable by two to five years in prison.

The government's stated rationale is preventing public panic — a not entirely unreasonable concern when data breach reporting is sometimes used to manipulate financial markets or destabilise institutions. But the practical effect of such a provision in Turkey's media environment is different. Researchers, civil society actors, and journalists who report on government data breaches must now calculate whether their reporting could expose them to prosecution for spreading "disinformation," even when the data they are reporting on subsequently proves to be genuine. As Ziyahan Albeniz, a journalist and cybersecurity researcher, observed: "Even before this law, we witnessed a journalist being detained over reporting a data breach only for the information in question to later be implicitly confirmed." That journalist was Haskoloğlu. The law effectively codifies the practice that his detention illustrated.

"In practice, the greatest risk is this: such regulations may push well-intentioned researchers, journalists, and civil society actors into silence out of fear," Albeniz said. "From my perspective, this provision prioritises the protection of institutional reputation over the protection of citizens."

This is not a theoretical concern. In April 2026, Reporters Without Borders (RSF) strongly condemned Turkey's use of digital censorship against exiled journalists, documenting that at least five reporters were targeted online in 2025 through censorship of their social media accounts in Turkey, with four facing potential prison sentences under prosecutions that RSF described as unjust — including charges of undermining national security used to suppress online reporting by journalists in exile.

The Directorate's Data Powers: Who Watches the Watchers?

The Cybersecurity Presidency has been granted the authority to store and monitor IT system logs and data across public institutions and critical infrastructure providers, assess whether such data constitutes a criminal offence, and share relevant findings with authorities. The law stipulates that personal data or commercial secrets obtained under these powers should be deleted, destroyed, or anonymised when the reasons for accessing them no longer exist — a provision critics note is self-policing, with no independent oversight mechanism.

A separate report by Nordic Monitor revealed that Turkish police and intelligence already hold extensive access to citizens' private data through HTS (Historical Traffic Signal) records — mobile phone location data — that has been used in political cases, including the prosecution of Istanbul Mayor Ekrem Imamoglu, who was arrested in March 2025. Prosecutors cited HTS records placing phones near those of other suspects; defendants argued that connecting to the same cell tower in crowded urban districts is routine. Courts accepted the evidence.

The Istanbul Data Breach Probe: Cyber Law as Political Weapon?

The most politically charged application of the new cybersecurity framework came in October 2025, when prosecutors launched an investigation into an alleged data breach involving the Istanbul Metropolitan Municipality's "Istanbul Senin" mobile application. The probe, led by the Istanbul Chief Public Prosecutor's Organised Crime Investigation Bureau, alleged that personal data and location information of 4.7 million users of the app were unlawfully transferred to two foreign countries, and that data from 3.7 million users was put up for sale on the dark web. Separately, ballot box data from 11 million citizens was allegedly processed and disclosed outside the system.

Fifteen suspects were detained; six were formally arrested. The investigation was framed by prosecutors as targeting an organised crime network — but was explicitly linked to Mayor Imamoglu, the main opposition's presidential candidate who has been in detention since March 2025 on corruption and bribery charges he and his supporters say are politically motivated. The cyber data probe became one more legal instrument in an investigation that opposition parties characterise as a judicially-orchestrated political campaign.

The episode illustrates what independent analysts have described as a structural ambiguity at the heart of Turkey's cyber governance: a system where the tools of cybersecurity enforcement — data access powers, criminal penalties, intelligence operations — are controlled by a government with demonstrated willingness to deploy legal instruments against political opponents.

Four Strategies, Persistent Gaps

Turkey has produced four separate national cybersecurity strategies over the past decade. Each has identified the same structural problems: fragmented governance, weak public-private coordination, inadequate incident response culture, insufficient skilled workforce. Each has proposed reforms. The gap between strategy and practice has persisted.

A cybersecurity consultant interviewed by Balkan Insight summarised the systemic challenge: "Most organisations can buy the tools they need, and the number of skilled professionals is increasing. The real challenges, in my view, are more about governance, culture, and how different actors in the ecosystem coordinate with each other."

The KVKK (Personal Data Protection Authority) fined over 16,000 organisations a combined 503 million Turkish lira by August 2024 — but primarily for failing to register with VERBIS (the data controller registry), not for security failures. The incentive structure penalises administrative non-compliance more readily than genuine security negligence.

"Another challenge is the habit of treating audits as a 'box-ticking' exercise," said the consultant. "When documentation becomes the main focus, it's hard to understand an organisation's real security posture."


The Threat Landscape: What Turkey Is Actually Facing

Setting aside the political dimensions, Turkey faces a genuinely severe cyber threat environment that provides real justification for stronger regulatory architecture.

Group-IB's Threat Intelligence platform identified 59 significant cyberattacks targeting Turkish organisations in the first nine months of 2025 alone — distinct, confirmed, human-operated campaigns, not automated scans. These primarily affected government, military, education, and media. In 2024, Turkey ranked among the top 10 jurisdictions globally for compromised hosts, with nearly 80,000 incidents providing cybercriminals direct gateways for ransomware attacks.

Ransomware attacks on Turkish businesses rose substantially in 2024–2025, with Q4 2024 seeing a significant spike compared to the previous quarter. Finance remained the most targeted sector, with phishing campaigns targeting mobile banking, SMS-based fraud, and vishing attacks through fake investment platforms. Healthcare systems and hospital information management systems saw increased attack attempts. DDoS attacks and data exfiltration hit public institutions in the first quarter of 2025.

Externally, MIT's 2025 annual report referenced operations linked to Israel's Mossad, Iran's IRGC intelligence, and a China-linked cyber espionage network — reflecting Turkey's complex geopolitical position as both a NATO member and a regional actor with relationships across multiple adversarial actors in the broader Middle East and Eurasian theatre.


What the Framework Gets Right — and Where It Falls Short

What works: The consolidation of fragmented cybersecurity oversight under a single Cybersecurity Presidency is organisationally sound. The criminal penalty regime for attacks on national critical infrastructure is robust. The mandatory incident reporting framework, if enforced consistently, addresses a genuine gap. Turkey's Budapest Convention membership provides international cooperation tools. The BTK's expanded powers to mandate immediate security measures for vulnerable organisations are appropriate given the pace of threat escalation.

What concerns analysts:

The absence of independent oversight for the Cybersecurity Presidency's data access and monitoring powers creates accountability gaps. A body that can access logs and data across government systems, with the authority to share findings with law enforcement, requires independent judicial or parliamentary oversight mechanisms that the current framework does not clearly establish.

The criminalisation of reporting on data breaches — even with the "false content" qualifier — creates a chilling effect on the security research and journalism community that is essential to identifying genuine vulnerabilities. Turkey's consistent pattern of shooting the messenger when government data failures are exposed undermines the credibility of the new framework's stated commitment to transparency.

The Cybersecurity Board's composition, dominated by security and executive officials with no civil society, data protection, legal, or press representatives, reflects a security-first conception of cybersecurity that risks producing policies attentive to state security but neglectful of citizen data rights.

The compliance culture remains oriented toward documentation rather than genuine resilience. The real test of Law No. 7545 will be whether it changes security practices in Turkish government databases, or merely adds another layer of paperwork to the same insecure systems.


Conclusion: A Necessary Reckoning with the Wrong Priorities

Turkey's cyber crackdown emerged from a genuine crisis. The exposure of 108 million citizens' personal data was not a minor breach or a technical footnote — it was a systemic failure of state data governance that left virtually every Turkish citizen's personal information buyable on a Telegram channel. The political class's initial response — denial, minimisation, and the prosecution of the reporter who exposed it — made that failure worse.

The institutional and legislative response of 2025 is, in structural terms, the right architecture: a standalone law, a dedicated presidency, serious criminal penalties, mandatory reporting, and sector-specific security standards. The operational response — MIT's sustained campaign against cybercrime networks, fake base stations, and data trafficking rings — has produced tangible results.

But the dual-use character of the new powers is undeniable. The same surveillance infrastructure that tracks cyber espionage networks tracks political opponents. The same criminalisation provisions that might deter genuine data traffickers might silence the journalist who next discovers that a government database has been compromised. The same Cybersecurity Presidency that is supposed to protect citizen data reports directly to the President and sits atop a governance structure with no independent check.

Turkey's cyber challenge is not simply technical. It is also political: how to build a digital security architecture that protects citizens from external threats without becoming an instrument of control by the state over its own people. The crackdown of 2024–2025 has answered one part of that question with some force. The other part remains dangerously unaddressed.