David Silva Ramalho in an interview with Advocatus on how AI is transforming cybercrime

David Silva Ramalho, coordinating associate in the criminal, regulatory offences and compliance team at Morais Leitão, was interviewed by Advocatus, where he addressed the growing challenges of cybercrime, particularly in the context of Artificial Intelligence (AI) developments.

The lawyer highlighted that AI possesses all the elements to become the greatest threat in the coming years: it is accessible, sophisticated, anonymous, and highly effective at manipulating human behaviour.

In the interview, David Silva Ramalho explained that cybercrimes can be divided into two main categories: those that can only be committed in a digital environment (such as hacking, malware dissemination and ransomware) and those that can also occur digitally (such as fraud, extortion, or defamation). He also emphasised that, despite an increase in reported cases, the actual scale remains underestimated, as most attacks never reach the authorities' attention.

He stressed that courts face structural limitations when dealing with this type of crime, as judges are not required to have technical training in cybercrime. In many instances, decisions are based on incorrect or outdated interpretations of digital realities, which may compromise the fairness of legal rulings.

One of the most critical issues raised by David Silva Ramalho was the obsolescence of Portugal’s Cybercrime Law, which has remained unchanged since 2009. The absence of updated concepts, the lack of a clear legal definition for concepts such as “ethical hacking,” and the challenges posed by decentralised organisations and smart contracts are just some of the legislative gaps the lawyer identifies as urgently needing reform.

On the impact of new technologies, the lawyer was unequivocal: Artificial Intelligence is increasingly being used by cybercriminals in various ways—from generating deepfakes and personalised phishing attacks to sophisticated schemes for stealing crypto-assets and manipulating automated systems. These methods are particularly effective in social engineering attacks, where the security breach lies in human behaviour rather than technical systems.

Regarding corporate liability in the event of data breaches, David Silva Ramalho noted that criminal liability is rare, but companies may be held accountable under regulatory or civil law, especially when there is a failure to implement adequate security measures or comply with data protection obligations.

He further argued that an effective response to cybercrime rests on four key pillars: robust technical systems, continuous staff training, internal compliance policies, and well-defined incident response plans. He underlined that a strong cybersecurity culture within organisations is just as important as the technological tools employed.

Finally, he addressed the difficult balance between privacy and criminal investigation, criticising proposals to introduce backdoors in encrypted systems and instead advocating for equipping authorities with the appropriate legal and technical means to operate in digital environments—without undermining citizens’ fundamental rights.

Read the full interview here.

(the interview is in portuguese only)