Cybercrime Threats and Evidence Under the Cybercrime Prevention Act

Introduction

The internet has become a common venue for threats, harassment, intimidation, extortion, blackmail, reputational attacks, and coercive behavior. In the Philippines, these acts may fall under traditional criminal laws, special penal laws, and the Cybercrime Prevention Act of 2012, officially known as Republic Act No. 10175.

The Cybercrime Prevention Act does not make every online wrongdoing a separate crime. Instead, it punishes specific cyber offenses and also recognizes that traditional crimes may be committed through information and communications technology. This is especially important for threats because many threatening acts are still prosecuted under the Revised Penal Code, but the use of computers, social media, messaging apps, email, websites, or other digital systems may bring the conduct within the cybercrime framework.

In practice, a cybercrime threat case often depends on two major questions:

First, what crime was committed? Was it grave threats, light threats, coercion, cyber libel, identity theft, extortion, gender-based online harassment, violence against women, child exploitation, or another offense?

Second, can the evidence prove it? Digital messages are easy to create, delete, edit, fake, forward, or deny. Because of this, evidence preservation and authentication are crucial.

This article discusses cybercrime threats and evidence in the Philippine legal context, with emphasis on the Cybercrime Prevention Act, the Revised Penal Code, digital evidence, investigation, preservation, admissibility, and practical remedies.

I. The Cybercrime Prevention Act in Context

Republic Act No. 10175 was enacted to address offenses committed through computer systems and information and communications technology. It covers offenses such as:

  1. illegal access;
  2. illegal interception;
  3. data interference;
  4. system interference;
  5. misuse of devices;
  6. cybersquatting;
  7. computer-related forgery;
  8. computer-related fraud;
  9. computer-related identity theft;
  10. cybersex;
  11. child pornography-related offenses;
  12. unsolicited commercial communications;
  13. cyber libel;
  14. aiding or abetting cybercrime;
  15. attempt to commit cybercrime;
  16. crimes under the Revised Penal Code and special laws committed by, through, and with the use of information and communications technology.

For threat cases, the most important principle is that traditional crimes may be committed online. A threat sent through Messenger, email, text message, Discord, Telegram, Viber, TikTok, Facebook, X, Instagram, online games, or other digital platforms may still be legally actionable.

II. What Are Cybercrime Threats?

A cybercrime threat is a threat, intimidation, coercive message, blackmail, or harmful communication made through a computer system, mobile device, telecommunications network, internet platform, or electronic medium.

Examples include:

  • “I will kill you when I see you,” sent through Messenger;
  • “Pay me or I will post your private photos,” sent through Telegram;
  • “Withdraw your complaint or I will destroy your business online,” sent by email;
  • “I know where your child studies,” posted publicly with identifying details;
  • “I will hack your account and expose your secrets,” sent through a fake account;
  • “Send money or I will release the video,” sent by text or chat;
  • “I will burn your house,” sent through a group chat;
  • “We will beat you up after class,” posted by classmates in a group page;
  • repeated threats from anonymous accounts;
  • threats to upload intimate images;
  • threats to reveal private information;
  • threats to accuse someone falsely unless they comply with demands.

Not every offensive online statement is a criminal threat. Philippine law examines the wording, intent, context, seriousness, condition, identity of the parties, surrounding circumstances, and effect on the victim.

III. Cybercrime Threats and the Revised Penal Code

The Cybercrime Prevention Act works together with the Revised Penal Code. Many threat-related acts are not called “cyber threats” in the Revised Penal Code, but they may still be punishable when committed online.

A. Grave Threats

Grave threats involve threatening another person with the infliction of a wrong amounting to a crime. The threat may be conditional or unconditional, depending on the form.

Examples:

  • threatening to kill;
  • threatening to inflict serious physical injuries;
  • threatening to burn property;
  • threatening to kidnap;
  • threatening to sexually assault;
  • threatening to destroy property through criminal acts.

When grave threats are sent through a computer system, the use of information and communications technology becomes legally relevant. The threat may be documented through screenshots, chat logs, account information, device records, and platform data.

B. Light Threats

Light threats involve threats of a wrong that may not amount to a grave felony or may be less serious depending on the circumstances. They may still be punishable if the threat causes fear, intimidation, or disturbance.

Examples may include lesser threats of harm, public embarrassment, or acts not rising to the level of grave threats, depending on the facts.

C. Other Light Threats and Alarms

Some threatening or disturbing online acts may fall under lesser offenses if they do not satisfy grave threat elements but still cause alarm, annoyance, or disturbance.

D. Grave Coercion

Grave coercion may arise when a person, through violence, intimidation, or threats, compels another to do something against their will or prevents them from doing something lawful.

Online examples:

  • “Delete your post or I will hurt you.”
  • “Send me money or I will expose your private messages.”
  • “Break up with your partner or I will ruin your reputation.”
  • “Withdraw the case or I will leak your photos.”
  • “Resign from your job or we will destroy you online.”

Threats connected to demands are often examined under coercion, threats, robbery/extortion-related theories, VAWC, Safe Spaces Act, or other laws depending on the circumstances.

E. Unjust Vexation

Unjust vexation may apply when the act causes annoyance, irritation, torment, distress, or disturbance without clearly falling under a more specific offense.

Examples:

  • repeated threatening but vague messages;
  • persistent harassment from multiple accounts;
  • coordinated online intimidation;
  • repeated abusive messages that disrupt peace of mind;
  • malicious online conduct meant to torment the victim.

Unjust vexation is sometimes used for online harassment cases, but if the facts show a more specific crime, that specific crime may be more appropriate.

F. Blackmail and Extortion-Like Conduct

The Revised Penal Code does not always use the everyday word “blackmail” in the same way laypersons do. In online threat cases, conduct commonly described as blackmail may involve threats, coercion, robbery/extortion theories, unjust vexation, grave coercion, or special laws.

Examples:

  • demanding money in exchange for not posting private photos;
  • demanding sex or reconciliation in exchange for silence;
  • threatening to reveal secrets unless the victim pays;
  • threatening to report false accusations unless demands are met;
  • threatening reputational destruction to force action.

The correct legal classification depends on the threat, demand, property or benefit sought, and relationship between the parties.

IV. Cybercrime Prevention Act: How It Applies to Threats

A. Crimes Committed Through ICT

A key feature of the Cybercrime Prevention Act is that crimes under the Revised Penal Code and special laws may be covered when committed by, through, and with the use of information and communications technology.

This means that a traditional offense may acquire a cybercrime dimension if committed online or through digital means.

For example:

  • grave threats through Facebook Messenger;
  • coercion through email;
  • cyber libel through a social media post;
  • identity theft through fake accounts;
  • fraud through online messaging;
  • sexual extortion through chat apps;
  • VAWC through repeated online harassment;
  • child exploitation through digital platforms.

B. Higher Penalties

The Cybercrime Prevention Act provides that certain offenses committed through information and communications technology may be punished with penalties higher than those provided by the Revised Penal Code or special laws, subject to the provisions of the statute and applicable jurisprudence.

This is one reason online threats are serious. The medium is not just incidental; it may affect jurisdiction, investigation, evidence, and penalty.

C. Aiding or Abetting Cybercrime

A person may incur liability for aiding or abetting cybercrime. In threat cases, this may matter when other persons assist in the online intimidation.

Examples:

  • someone helps create the fake account used to threaten;
  • someone supplies hacked photos used for blackmail;
  • someone encourages or coordinates threats;
  • a person reposts or amplifies threatening content with knowledge and intent;
  • group members help identify the victim’s address for intimidation.

Mere passive viewing is different from active participation. Liability depends on intentional assistance or encouragement.

D. Attempt to Commit Cybercrime

Attempt may be relevant where the offender begins the commission of a cybercrime but does not complete it for reasons other than voluntary desistance. Whether attempt applies depends on the specific cybercrime and facts.

V. Specific Cybercrime Offenses Related to Threat Cases

A. Computer-Related Identity Theft

Identity theft occurs when someone acquires, uses, misuses, transfers, possesses, alters, or deletes identifying information belonging to another person, whether natural or juridical, without right.

In threat cases, identity theft may occur when the offender:

  • creates a fake account using the victim’s name and photo;
  • impersonates the victim to threaten others;
  • uses the victim’s identity to post damaging content;
  • obtains personal information and uses it for intimidation;
  • pretends to be someone else to send threats;
  • uses another person’s account or credentials without authority.

Identity theft often accompanies cyberbullying, extortion, harassment, and reputational attacks.

B. Computer-Related Fraud

Computer-related fraud may apply where a person uses computer systems or data to obtain a benefit or cause damage through fraudulent acts.

In threat cases, this may arise when intimidation is combined with deception, such as fake notices, fake law enforcement emails, fake bank messages, or fraudulent demands.

C. Computer-Related Forgery

Forgery may apply where computer data is inputted, altered, or deleted, resulting in inauthentic data with the intent that it be considered or acted upon as authentic.

Examples:

  • fabricated screenshots used to threaten someone;
  • fake digital documents used for blackmail;
  • altered chat logs used to coerce;
  • fake receipts, IDs, or certifications used in an online threat scheme.

D. Cyber Libel

Cyber libel may occur when defamatory statements are published through a computer system.

Threat cases and cyber libel may overlap when the offender threatens reputational harm and also publishes defamatory accusations.

Examples:

  • “Pay me or I will post that you are a thief,” followed by an actual post;
  • public accusation of a crime without proof;
  • defamatory posts meant to intimidate a complainant;
  • anonymous page posts attacking a person’s honor.

A private threat to defame may be treated differently from actual defamatory publication. Once the accusation is published to third persons, cyber libel may become relevant.

E. Cybersex and Sexual Exploitation-Related Offenses

If threats involve sexual exploitation, intimate images, or coercion for sexual acts online, other serious laws may apply. Cybercrime law intersects with laws on sexual abuse, exploitation, child protection, and gender-based harassment.

Examples:

  • threatening to post intimate photos unless the victim performs sexual acts;
  • coercing a person to engage in online sexual activity;
  • sextortion;
  • using sexual images to control or intimidate;
  • threats involving minors’ sexual images.

If a minor is involved, the matter becomes especially serious and should be handled urgently.

VI. Cyber Threats Under Special Laws

Cybercrime threat cases may also involve special laws outside RA 10175.

A. Violence Against Women and Their Children

If a woman is threatened online by a current or former husband, boyfriend, live-in partner, dating partner, or person with whom she has or had a sexual or dating relationship, the conduct may fall under the Anti-Violence Against Women and Their Children Act.

Online threats may constitute psychological violence, harassment, stalking, intimidation, coercion, or emotional abuse.

Examples:

  • “I will post your private photos if you leave me.”
  • “I will message your employer and ruin you.”
  • “I will take the child away if you do not return.”
  • repeated abusive messages after a breakup;
  • threats to expose private conversations;
  • digital stalking and monitoring.

Remedies may include criminal complaint and protection orders.

B. Safe Spaces Act

The Safe Spaces Act may apply to gender-based online sexual harassment.

Examples:

  • threats to upload sexual photos;
  • unwanted sexual messages;
  • stalking with sexual or gender-based intent;
  • sexist, homophobic, or transphobic harassment;
  • sexualized threats;
  • online humiliation based on gender.

C. Child Protection Laws

If the victim is a child, child protection laws may apply. Threats involving sexual material, coercion, grooming, cyberbullying, or exploitation of minors are treated seriously.

Examples:

  • threatening a child to send nude photos;
  • threatening to expose a minor’s private images;
  • bullying a child online in a way harmful to development;
  • coercing a child through online messages;
  • using a child’s sexual image as blackmail.

D. Data Privacy Act

Doxxing or threats to disclose personal information may implicate data privacy law.

Examples:

  • threatening to post someone’s address;
  • exposing phone numbers, IDs, school, workplace, or family details;
  • publishing private medical or financial information;
  • using personal data to intimidate.

The Data Privacy Act does not cover every online insult, but it may apply when personal information is unlawfully processed, disclosed, or misused.

VII. Forms of Cybercrime Threats

A. Direct Threats

A direct threat expressly states harm.

Examples:

  • “I will kill you.”
  • “I will beat you up.”
  • “I will burn your shop.”
  • “I will kidnap your child.”

Direct threats are easier to understand but still require proof of sender identity, context, seriousness, and receipt.

B. Conditional Threats

A conditional threat depends on the victim doing or not doing something.

Examples:

  • “If you report me, I will hurt you.”
  • “If you do not pay, I will post the video.”
  • “If you leave me, I will ruin your life.”
  • “If you testify, your family will suffer.”

Conditional threats often show intimidation, coercion, extortion-like conduct, or obstruction-related concerns.

C. Implied Threats

An implied threat does not directly say the harmful act but conveys it through context.

Examples:

  • sending a photo of the victim’s house with “Nice place you have.”
  • sending a knife or gun emoji after an argument;
  • repeatedly posting the victim’s location with hostile captions;
  • saying “You’ll regret this” after prior violent conduct;
  • posting “We know where your child studies.”

Implied threats are harder to prosecute but may be actionable if context shows real intimidation.

D. Threats Through Third Parties

A threat may be sent through friends, relatives, coworkers, classmates, or group chats.

Examples:

  • telling a friend to warn the victim;
  • posting threats in a group where the victim will see them;
  • instructing others to message threats;
  • using a group page to intimidate.

Third-party communication may still be relevant if the threat reaches the victim or is intended to intimidate.

E. Anonymous Threats

Anonymous threats are common online. The legal challenge is identifying the offender.

Evidence may include:

  • account profile;
  • URLs;
  • recovery email clues;
  • phone number links;
  • writing style;
  • IP logs obtained through lawful process;
  • device seizure results;
  • witness testimony;
  • admissions;
  • payment trails;
  • metadata;
  • reused usernames;
  • connected accounts.

Victims should not attempt illegal hacking or self-help tracing.

F. Mass or Coordinated Threats

Cyber threats may be coordinated by groups.

Examples:

  • multiple accounts sending threats after a viral post;
  • group chat members planning harassment;
  • online mobs targeting a victim;
  • coordinated doxxing;
  • organized reputational attacks;
  • fandom or political harassment campaigns.

Coordinated conduct may raise issues of conspiracy, aiding or abetting, common intent, or separate liability of participants.

VIII. Threats, Extortion, and Sextortion

A. Extortion-Like Online Threats

Many cyber threat cases involve demands for money, sex, silence, apology, resignation, or withdrawal of complaints.

Examples:

  • “Send ₱10,000 or I will post your photos.”
  • “Meet me or I will expose your messages.”
  • “Withdraw your case or I will hurt you.”
  • “Send another video or I will release the first one.”
  • “Give me your account password or I will tell everyone.”

The legal classification may include grave threats, grave coercion, robbery/extortion concepts, VAWC, Safe Spaces Act, child exploitation laws, unjust vexation, or cybercrime offenses.

B. Sextortion

Sextortion is the use of sexual images, videos, sexual secrets, or threats of sexual exposure to force a person to do something.

It may involve:

  • former partners;
  • fake romantic accounts;
  • online scammers;
  • classmates;
  • coworkers;
  • strangers;
  • organized groups.

If the victim is a minor, the case may involve child sexual abuse or exploitation materials and must be treated as urgent.

C. What Victims Should Do in Sextortion Cases

Victims should:

  1. preserve messages and account details;
  2. avoid sending more photos or money;
  3. stop negotiating if it escalates risk;
  4. report the account to the platform;
  5. seek law enforcement help;
  6. tell a trusted person;
  7. consult counsel if possible;
  8. seek protection if the offender is known and dangerous.

Paying does not guarantee deletion. It may lead to further demands.

IX. Evidence in Cybercrime Threat Cases

Evidence is often the heart of a cybercrime threat case. The issue is not only whether a threat happened, but whether it can be proven in a legally acceptable way.

A. Types of Evidence

Common evidence includes:

  1. screenshots;
  2. screen recordings;
  3. URLs;
  4. chat exports;
  5. emails with headers;
  6. text messages;
  7. call logs;
  8. voice messages;
  9. videos;
  10. photos;
  11. metadata;
  12. device data;
  13. platform account information;
  14. witness statements;
  15. affidavits;
  16. admissions;
  17. payment records;
  18. SIM registration information, where lawfully obtained;
  19. IP logs, where lawfully obtained;
  20. digital forensic reports;
  21. police or NBI cybercrime reports.

B. Screenshot Evidence

Screenshots are commonly used but may be challenged.

A good screenshot should show:

  • full message or post;
  • account name;
  • username or handle;
  • profile photo;
  • date and time;
  • platform;
  • URL if applicable;
  • surrounding conversation for context;
  • sender and recipient;
  • reactions, comments, or shares if relevant.

Screenshots should not be edited, filtered, or cropped in a way that removes context.

C. Screen Recording

Screen recording is often stronger than a screenshot because it can show navigation from the profile or chat list to the threatening content.

A good screen recording may show:

  • opening the app or browser;
  • going to the account profile;
  • opening the threatening message or post;
  • scrolling through the conversation;
  • showing the URL;
  • showing date and time;
  • showing account details.

D. URLs and Links

URLs are important for posts, profiles, pages, groups, and websites. Even if a post is deleted, the URL may help identify what was posted and where.

Victims should copy:

  • post URL;
  • profile URL;
  • page URL;
  • group URL;
  • comment URL;
  • image or video URL where available.

E. Chat Exports

Some platforms allow chat export. Chat exports may include timestamps, sender names, media files, and message history. Exported chats should be preserved in original format.

F. Email Headers

For email threats, the visible email body is not enough. Full email headers may help trace routing, sender servers, timestamps, and authentication results. Victims should preserve the original email and avoid forwarding only screenshots.

G. Metadata

Metadata may include information such as:

  • date created;
  • date modified;
  • sender;
  • device;
  • location data;
  • file properties;
  • camera information;
  • message IDs;
  • IP addresses;
  • server logs.

Metadata can be lost when files are compressed, forwarded, uploaded to social media, screenshotted, or edited.

H. Device Evidence

Phones, laptops, tablets, and storage devices may contain original evidence. A victim should avoid deleting messages, clearing cache, factory resetting, or altering files before evidence is preserved.

I. Witness Evidence

Witnesses may testify that they saw the threat, received the message, were part of the group chat, or know the identity of the account user.

Witnesses can be important when the offender denies ownership of the account.

J. Admissions

Admissions may be powerful evidence. These may include:

  • apology messages;
  • statements like “I was angry when I sent that”;
  • settlement messages;
  • voice notes;
  • posts admitting control of the account;
  • messages to third parties.

X. Rules on Electronic Evidence

The Philippines recognizes electronic evidence. Electronic documents, messages, and digital records may be admissible if properly authenticated and relevant.

A. Electronic Documents

Electronic documents may include emails, chat messages, text messages, social media posts, digital photos, videos, logs, databases, and other electronically stored information.

B. Authentication

Authentication means proving that the electronic evidence is what the presenting party claims it to be.

For example, if a complainant presents a screenshot of a threat, they must be able to establish:

  • where it came from;
  • who took the screenshot;
  • when it was taken;
  • what device was used;
  • whether it accurately reflects the message;
  • how the account is linked to the respondent;
  • whether the conversation is complete or selective.

C. How Electronic Evidence May Be Authenticated

Electronic evidence may be authenticated through:

  1. testimony of the person who created, received, or captured it;
  2. testimony of a witness who saw the content online;
  3. distinctive characteristics of the account or message;
  4. admission by the offender;
  5. metadata;
  6. platform records;
  7. device examination;
  8. forensic analysis;
  9. circumstantial evidence connecting the account to the accused;
  10. comparison with known communications.

D. Best Evidence Considerations

Original electronic files are usually better than printed screenshots. However, printouts may still be used if properly identified and authenticated. The original source, device, file, or platform record should be preserved whenever possible.

E. Chain of Custody

Chain of custody refers to the documented handling of evidence from collection to presentation. It is especially important for forensic evidence.

A proper chain of custody may document:

  • who collected the evidence;
  • when it was collected;
  • from what device or source;
  • how it was copied;
  • how it was stored;
  • who accessed it;
  • whether it was altered;
  • how it was transferred to investigators or court.

Weak chain of custody may allow the defense to question reliability.

XI. Common Problems With Digital Evidence

A. Deleted Posts

Online threats may be deleted quickly. Victims should preserve evidence before reporting or confronting the offender.

B. Edited Screenshots

Edited screenshots may be challenged. Victims should preserve originals and avoid adding highlights, circles, captions, or cuts to the only copy.

C. Cropped Messages

A cropped screenshot may omit context. Full conversation history may be needed to understand whether the message was a threat, joke, argument, quotation, or response.

D. Fake Accounts

The offender may deny ownership of the account. Evidence must connect the account to the person.

Possible links include:

  • phone number;
  • email address;
  • profile photos;
  • mutual contacts;
  • admissions;
  • writing style;
  • reused usernames;
  • login records obtained lawfully;
  • device evidence;
  • witnesses;
  • transaction records.

E. Shared Devices

If several people use the same phone, computer, or account, identifying the actual sender may be harder.

F. Hacked Accounts

A respondent may claim that the account was hacked. Investigators may examine login alerts, IP records, device history, platform notices, recovery email, password changes, and surrounding circumstances.

G. Deepfakes and Manipulated Media

Threats may involve fake images, edited videos, or manipulated audio. Forensic examination may be needed.

H. Context Collapse

A statement that appears threatening in isolation may have different meaning in context. Conversely, a statement that appears vague may be threatening when prior history is considered.

I. Anonymous Messaging Apps

Some platforms make tracing difficult. Still, account patterns, device evidence, admissions, and platform cooperation may help.

XII. Preservation of Computer Data

The Cybercrime Prevention Act recognizes preservation of computer data. Preservation is important because digital records may be deleted, overwritten, or lost.

Preservation may involve requiring relevant service providers or persons to keep traffic data, subscriber information, or content data for a period authorized by law.

For private victims, the practical lesson is simple: act quickly. Screenshots alone may not be enough if platform data is later needed.

XIII. Disclosure, Search, Seizure, and Examination of Computer Data

Law enforcement authorities may seek lawful processes for disclosure, search, seizure, and examination of computer data. These processes are subject to legal requirements and safeguards.

In cyber threat cases, investigators may need:

  • subscriber information;
  • traffic data;
  • IP logs;
  • account registration details;
  • login history;
  • device records;
  • content data;
  • stored messages;
  • cloud data;
  • seized phones or computers.

Private parties should not hack, intercept, or unlawfully access accounts to obtain evidence. Illegally obtained evidence may create legal problems and expose the victim to countercharges.

XIV. Traffic Data Versus Content Data

In cybercrime investigations, it is useful to distinguish traffic data from content data.

A. Traffic Data

Traffic data refers to data showing the communication’s origin, destination, route, time, date, size, duration, or type of service. It does not necessarily include the substance of the message.

Examples:

  • IP address logs;
  • login time;
  • sender and receiver routing information;
  • device or session data;
  • metadata showing when communication occurred.

B. Content Data

Content data refers to the actual substance of the communication.

Examples:

  • the threatening message itself;
  • images sent;
  • voice notes;
  • video content;
  • email body;
  • chat content.

Content data is more sensitive and generally requires stricter legal process.

XV. Jurisdiction and Venue

Cybercrime cases often raise jurisdiction issues because the victim, offender, platform, and servers may be in different places.

In the Philippines, jurisdiction may depend on:

  • where the offender acted;
  • where the victim received the threat;
  • where the harmful effects occurred;
  • where the device was used;
  • where the complainant resides;
  • where the post was accessed;
  • where the evidence is located;
  • whether the offender or victim is in the Philippines.

Cybercrime has a cross-border character. A threat may be sent from abroad to a victim in the Philippines or from the Philippines to someone abroad. International cooperation may be needed in some cases.

XVI. Filing a Cybercrime Threat Complaint

A. Immediate Steps

A victim should:

  1. preserve evidence;
  2. avoid deleting messages;
  3. take screenshots and screen recordings;
  4. save URLs and account details;
  5. identify witnesses;
  6. stop direct engagement if unsafe;
  7. report to platform if content must be removed;
  8. seek police or NBI assistance for serious threats;
  9. consult counsel if possible.

B. Where to Report

Depending on the facts, reports may be made to:

  • Philippine National Police cybercrime units;
  • National Bureau of Investigation cybercrime offices;
  • local police;
  • prosecutor’s office;
  • barangay, for limited matters;
  • school or employer;
  • women and children protection desks;
  • data privacy authority for personal data issues;
  • social media platform reporting channels.

For serious threats to life, sexual exploitation, child abuse, domestic violence, or extortion, law enforcement should be approached promptly.

C. Documents to Prepare

A complaint may include:

  • complainant’s affidavit;
  • screenshots;
  • screen recordings;
  • URLs;
  • printouts of posts or chats;
  • copy of IDs;
  • device information;
  • witness affidavits;
  • proof of ownership of affected accounts;
  • proof of relationship between parties;
  • proof of harm;
  • medical or psychological records if relevant;
  • demand letters or prior warnings;
  • platform reports;
  • any admissions by offender.

XVII. Drafting the Complaint-Affidavit

A strong complaint-affidavit should be factual, chronological, and specific.

It should state:

  1. who the complainant is;
  2. who the respondent is, if known;
  3. relationship between complainant and respondent;
  4. platform used;
  5. account names, usernames, URLs, and identifiers;
  6. exact threatening words or conduct;
  7. date and time of each threat;
  8. how the complainant received or saw the threat;
  9. why the complainant believes the respondent sent it;
  10. witnesses who saw the threat;
  11. harm suffered;
  12. evidence attached;
  13. action requested.

Avoid exaggeration. The affidavit should let the evidence speak clearly.

XVIII. Proving Identity of the Offender

One of the hardest parts of cybercrime threat cases is proving who controlled the account.

Evidence of identity may include:

  • respondent’s real name on the account;
  • profile photo;
  • personal details;
  • unique username;
  • phone number or email associated with account;
  • respondent’s admission;
  • prior conversations;
  • same writing style;
  • references only the respondent would know;
  • matching schedule or location;
  • witnesses who saw respondent use the account;
  • device seizure results;
  • IP logs obtained by authorities;
  • payment records;
  • SIM or account registration data;
  • recovery email or linked accounts.

Proof beyond reasonable doubt is required in criminal cases. Suspicion alone is not enough.

XIX. Proving the Threat Itself

The prosecution must show that the words or conduct amount to a legally punishable threat or related offense.

Relevant factors include:

  • exact wording;
  • seriousness;
  • conditional demand;
  • prior history;
  • ability to carry out threat;
  • relationship between parties;
  • repeated conduct;
  • victim’s reasonable fear;
  • surrounding circumstances;
  • whether the threat was communicated to the victim;
  • whether the statement was a joke, hyperbole, or actual intimidation;
  • whether there was a demand for money, sex, silence, or action.

A single angry remark may be treated differently from repeated targeted threats with specific details.

XX. Proving Receipt or Publication

For threat offenses, it is usually important that the threat was communicated to the victim or intended to reach the victim.

For cyber libel, publication to third persons is essential.

Evidence may include:

  • message seen status;
  • reply of the victim;
  • notification records;
  • testimony of the victim;
  • group chat membership;
  • witnesses who saw the post;
  • comments and reactions;
  • shares;
  • public accessibility of the post;
  • platform logs.

XXI. Preservation Checklist for Victims

A victim should preserve:

  • original phone or device;
  • screenshots;
  • screen recordings;
  • URLs;
  • usernames and profile links;
  • message IDs, if available;
  • timestamps;
  • full conversation context;
  • media files in original format;
  • email headers;
  • names of witnesses;
  • platform reports;
  • evidence of emotional or financial harm;
  • any proof linking account to respondent.

Do not rely on memory. Write a timeline immediately.

XXII. Evidence Checklist for Law Enforcement or Counsel

A more formal evidence packet may include:

  1. incident timeline;
  2. complainant affidavit;
  3. printed screenshots;
  4. electronic copies on USB or storage media;
  5. screen recordings;
  6. URLs in a separate list;
  7. account profile printouts;
  8. witness affidavits;
  9. proof of account ownership;
  10. proof of respondent identity;
  11. medical or psychological documents;
  12. prior police or barangay reports;
  13. platform responses;
  14. device information;
  15. forensic preservation request, if needed.

Organizing evidence helps investigators and prosecutors understand the case quickly.

XXIII. Role of Digital Forensics

Digital forensics may be needed when:

  • screenshots are disputed;
  • messages were deleted;
  • fake accounts were used;
  • devices were seized;
  • metadata is important;
  • files may have been altered;
  • hacking is alleged;
  • identity of sender is contested;
  • child exploitation material is involved;
  • large volumes of data must be reviewed.

Digital forensic work may include extraction, hashing, imaging, metadata analysis, log review, deleted file recovery, account correlation, and report preparation.

XXIV. Hashing and Integrity

Hashing is a technical method used to verify that a digital file has not changed. A hash value is like a digital fingerprint of a file. If the file changes, the hash changes.

In cybercrime evidence, hashing may be used for:

  • copied chat exports;
  • images;
  • videos;
  • forensic device images;
  • downloaded web pages;
  • email files;
  • evidence archives.

Hashing is especially useful where the defense may claim evidence was altered.

XXV. Chain of Custody for Digital Evidence

A chain-of-custody record may include:

  • description of evidence;
  • source device or account;
  • date and time collected;
  • person who collected it;
  • method of collection;
  • storage medium;
  • hash values;
  • transfer history;
  • persons who accessed it;
  • final presentation in court.

For ordinary complainants, a simple evidence log is useful:

Evidence Source Date Captured Captured By Notes
Screenshot of Messenger threat Victim’s phone Date/time Victim Shows respondent profile
Screen recording of Facebook post Victim’s phone Date/time Victim Shows URL and comments
Email with full header Gmail account Date/time Victim Threat to publish photos

XXVI. Common Defenses in Cybercrime Threat Cases

A respondent may argue:

  1. “I did not send the message.”
  2. “My account was hacked.”
  3. “The screenshot is fake.”
  4. “The complainant edited the conversation.”
  5. “It was a joke.”
  6. “It was an expression of anger, not a real threat.”
  7. “The message was taken out of context.”
  8. “The complainant provoked me.”
  9. “There was no demand or intimidation.”
  10. “The complainant was not actually afraid.”
  11. “The account does not belong to me.”
  12. “Someone else had access to my device.”
  13. “The evidence was illegally obtained.”
  14. “The complaint was filed too late.”
  15. “The statement is protected speech.”

Good evidence preparation anticipates these defenses.

XXVII. Illegal Evidence Gathering to Avoid

Victims must avoid unlawful methods. Do not:

  • hack the offender’s account;
  • guess passwords;
  • install spyware;
  • secretly access someone’s phone;
  • impersonate law enforcement;
  • fabricate chats;
  • edit screenshots;
  • threaten the offender;
  • post the offender’s private information;
  • distribute intimate images as “proof”;
  • create fake accounts to entrap without legal guidance;
  • intercept private communications illegally.

A victim can become a respondent if they commit cybercrime while trying to gather evidence.

XXVIII. Platform Reports and Takedown

Social media and messaging platforms may remove threatening content if it violates platform rules.

However, platform takedown is not the same as a legal case.

Before requesting takedown:

  1. preserve screenshots;
  2. save URLs;
  3. take screen recordings;
  4. identify witnesses;
  5. download or export data if possible.

After takedown, keep platform confirmation emails or case numbers.

XXIX. Threats Against Public Officials, Journalists, Activists, and Professionals

Threats may have additional public-interest implications when directed at:

  • journalists;
  • public officials;
  • lawyers;
  • judges;
  • prosecutors;
  • teachers;
  • doctors;
  • business owners;
  • activists;
  • witnesses;
  • complainants.

Threats intended to silence reporting, testimony, complaints, or public participation may involve additional legal and institutional concerns. Evidence should show the connection between the threat and the protected activity.

XXX. Cyber Threats in Domestic and Family Disputes

Online threats commonly arise from family conflict, custody disputes, breakup cases, inheritance disputes, and marital separation.

Examples:

  • threats to take children;
  • threats to expose private marital issues;
  • threats to post intimate photos;
  • harassment of relatives;
  • threats to file false cases;
  • public shaming posts;
  • coercion to return to relationship.

These may involve VAWC, threats, coercion, cyber libel, unjust vexation, or civil protection remedies.

XXXI. Cyber Threats in Business and Employment

Cyber threats may arise in workplace and commercial disputes.

Examples:

  • former employee threatening to leak confidential data;
  • employer threatening public humiliation;
  • customer threatening false viral posts unless refunded;
  • competitor using fake accounts to intimidate;
  • extortion through negative reviews;
  • threats to hack company systems;
  • threats to expose trade secrets;
  • harassment in company chat groups.

Remedies may include criminal complaints, civil damages, labor complaints, injunction, data protection measures, and internal discipline.

XXXII. Cyber Threats Involving Hacking

Threats to hack may be coupled with actual illegal access.

Examples:

  • “I will hack your Facebook.”
  • “I already have your password.”
  • “I will delete your files.”
  • “I will leak your database.”
  • “I will lock your system unless you pay.”

If the offender actually accesses systems without authority, additional cybercrime offenses may apply, such as illegal access, data interference, system interference, misuse of devices, fraud, or extortion-related conduct.

Evidence may include:

  • login alerts;
  • password reset emails;
  • access logs;
  • IP addresses;
  • device notifications;
  • changed account settings;
  • deleted files;
  • ransom notes;
  • malware indicators;
  • forensic reports.

XXXIII. Ransomware and Corporate Threats

Ransomware is a form of cyber extortion where attackers encrypt or steal data and demand payment.

Legal issues may include:

  • illegal access;
  • data interference;
  • system interference;
  • computer-related fraud;
  • extortion;
  • data privacy breach;
  • corporate reporting obligations;
  • preservation of logs;
  • incident response;
  • law enforcement coordination.

Companies should preserve evidence before wiping systems and should document incident response steps.

XXXIV. Cyber Threats and Data Breaches

A threat may involve personal data or confidential information.

Examples:

  • “I will release your customer database.”
  • “I will post your employees’ IDs.”
  • “I will expose your medical records.”
  • “I copied your files and will publish them.”

Legal concerns may include cybercrime, data privacy, breach notification, contractual liability, employment liability, and civil damages.

Organizations should preserve logs, identify affected data, secure systems, and seek legal and technical assistance.

XXXV. Remedies Available to Victims

Depending on the facts, victims may pursue:

A. Criminal Complaint

For threats, coercion, cyber libel, identity theft, hacking, extortion, child exploitation, sexual harassment, VAWC, or related offenses.

B. Civil Action

For damages, injunction, reputational harm, emotional distress, privacy invasion, or business injury.

C. Protection Orders

Especially for VAWC, stalking, harassment, or domestic abuse situations.

D. Administrative Complaint

For students, employees, professionals, public officials, or persons subject to institutional discipline.

E. Platform Takedown

For immediate removal or restriction of threatening content.

F. Data Privacy Complaint

If personal data was unlawfully disclosed, misused, or threatened to be exposed.

G. Workplace or School Action

For threats involving employees, students, faculty, or organizational systems.

XXXVI. Remedies for Respondents Falsely Accused

A person falsely accused of cybercrime threats may also have remedies.

Possible steps include:

  • preserve their own evidence;
  • avoid contacting the complainant if it may be misinterpreted;
  • secure account login records;
  • check for hacking evidence;
  • obtain witnesses;
  • respond through counsel;
  • avoid public counterattacks;
  • prepare counter-affidavit;
  • consider legal remedies for false accusations, malicious prosecution, or defamation where appropriate.

A respondent should not delete accounts or messages, as this may be viewed negatively.

XXXVII. Practical Guide for Victims

Step 1: Assess immediate safety

If the threat involves physical harm, location tracking, weapons, stalking, children, or domestic violence, treat it as urgent.

Step 2: Preserve evidence before anything else

Take screenshots, screen recordings, URLs, and account details. Save original files.

Step 3: Stop feeding the offender

Do not argue endlessly. Threateners often seek reaction or control.

Step 4: Identify the legal category

Ask whether the case involves:

  • threats;
  • coercion;
  • extortion;
  • cyber libel;
  • identity theft;
  • sexual harassment;
  • VAWC;
  • child exploitation;
  • doxxing;
  • hacking;
  • data breach.

Step 5: Report to the proper authority

Use law enforcement for serious threats, cybercrime offices for digital threats, school or employer channels for institutional cases, and platform tools for takedown.

Step 6: Seek support

Threats can cause fear and trauma. Mental health support, family support, and legal support can all matter.

XXXVIII. Practical Guide for Lawyers and Complainants

A well-prepared cybercrime threat complaint should include:

  1. theory of the offense;
  2. exact legal classification;
  3. clear timeline;
  4. identity theory for respondent;
  5. complete evidence packet;
  6. authentication plan;
  7. proof of receipt or publication;
  8. proof of harm;
  9. preservation requests;
  10. witness affidavits;
  11. device and account details;
  12. explanation of context.

Avoid filing vague complaints that simply say “cybercrime” or “online harassment.” The complaint should identify the acts and match them to legal elements.

XXXIX. Practical Guide for Organizations

Organizations facing cyber threats should:

  1. preserve logs immediately;
  2. isolate affected systems if needed;
  3. avoid destroying evidence during cleanup;
  4. record incident timeline;
  5. preserve ransom notes or threat emails;
  6. collect email headers;
  7. identify affected accounts;
  8. change credentials carefully;
  9. coordinate legal and IT response;
  10. assess data privacy obligations;
  11. notify affected parties if legally required;
  12. report to authorities when appropriate;
  13. document all decisions.

XL. Frequently Asked Questions

1. Is an online death threat punishable in the Philippines?

Yes, it may be punishable if it satisfies the elements of grave threats or another offense. The use of online platforms may bring it within the cybercrime framework.

2. Is a threat sent by private message a cybercrime?

It may be, depending on the content and applicable offense. A private message may not be libel if not published to a third person, but it may still be a threat, coercion, harassment, VAWC, or other offense.

3. Are screenshots enough?

Screenshots may help, but they are stronger when supported by URLs, screen recordings, original messages, witness testimony, account details, metadata, and authentication.

4. What if the offender deletes the message?

If evidence was preserved, deletion does not automatically defeat the case. Platform or device records may still exist, but prompt action is important.

5. Can an anonymous account be traced?

Sometimes. Tracing may require lawful requests, platform cooperation, device evidence, IP logs, admissions, or circumstantial evidence. Victims should not hack accounts.

6. What if the offender says it was only a joke?

Context matters. Courts and prosecutors will consider wording, relationship, prior conduct, seriousness, specificity, and whether the victim reasonably felt threatened.

7. Can a threat to post private photos be a crime?

Yes. It may involve threats, coercion, VAWC, Safe Spaces Act violations, privacy violations, or child exploitation laws if a minor is involved.

8. Can I file directly with the prosecutor?

Depending on the offense and local practice, complaints may be filed with law enforcement or the prosecutor. Cybercrime offices may help preserve and investigate digital evidence.

9. Can I post the offender’s name online to warn others?

Be careful. Public accusations may expose the victim to cyber libel or privacy claims if not handled properly. Legal reporting is safer.

10. What should I do first after receiving a threat?

Preserve evidence, assess immediate safety, avoid retaliation, and report to the proper authority if the threat is serious.

XLI. Sample Evidence Preservation Format

A victim may prepare a simple incident log:

Date/Time Platform Account/Person Threat Evidence Saved Witnesses
April 1, 2026, 8:15 PM Messenger Juan D. / profile URL “I will kill you” Screenshot, screen recording Maria, Ana
April 2, 2026, 9:00 AM Facebook Post Fake account URL Posted victim’s address Screenshot, URL Public comments
April 3, 2026, 11:30 PM Telegram username Demanded money Chat export None

This kind of log helps show pattern, chronology, and seriousness.

XLII. Sample Complaint-Affidavit Outline

A complaint-affidavit may be organized as follows:

  1. Personal details of complainant;
  2. Identity of respondent, if known;
  3. Relationship and background;
  4. Description of account or platform used;
  5. Chronological narration of threats;
  6. Exact quoted threatening messages;
  7. How complainant received or saw the messages;
  8. Why complainant believes respondent is responsible;
  9. Effects on complainant;
  10. Evidence attached;
  11. Witnesses;
  12. Request for investigation and prosecution;
  13. Verification and signature.

The affidavit should attach copies of digital evidence and identify who captured each item.

XLIII. Sample Cease-and-Desist Concepts

In non-emergency cases, a victim may consider a written demand asking the offender to:

  • stop sending threats;
  • stop contacting the victim;
  • delete harmful posts;
  • preserve evidence;
  • refrain from reposting;
  • issue a written apology;
  • compensate for damages;
  • communicate only through counsel.

However, direct demands may be unsafe in domestic violence, extortion, stalking, or serious threat situations. In those cases, reporting to authorities may be better.

XLIV. Cybercrime Threats and Responsible Digital Conduct

People should remember that online statements can become evidence. Deleting a post does not always erase responsibility. Screenshots, archives, platform logs, witnesses, and device records may remain.

Responsible conduct includes:

  • not threatening harm even in anger;
  • not using fake accounts to intimidate;
  • not sharing private information;
  • not forwarding threatening content;
  • not joining online mobs;
  • not using intimate images as leverage;
  • not posting accusations without legal basis;
  • not hacking or accessing accounts;
  • not retaliating with threats.

Conclusion

Cybercrime threats in the Philippines are legally serious. A threat made through Messenger, Facebook, email, text, social media, gaming platforms, or other digital channels may be prosecuted under traditional laws such as grave threats, light threats, grave coercion, unjust vexation, cyber libel, identity theft, fraud, or other offenses. When committed through information and communications technology, the Cybercrime Prevention Act may affect the case, the penalty, the investigation, and the treatment of evidence.

The strength of a cybercrime threat case depends heavily on evidence. Victims should preserve screenshots, screen recordings, URLs, chat exports, email headers, device data, witness statements, and proof connecting the account to the offender. They should avoid editing evidence, retaliating online, hacking accounts, or relying only on memory.

The proper remedy depends on the facts. Serious threats to life or safety should be reported promptly. Threats involving intimate partners may involve VAWC remedies and protection orders. Gender-based sexual threats may fall under the Safe Spaces Act. Threats involving minors may trigger child protection laws. Doxxing and misuse of personal information may raise data privacy issues. Corporate threats may involve cybersecurity, data breach, and forensic response.

The essential rule is this: online threats are not harmless merely because they are digital. Philippine law can treat them as real threats, real crimes, and real evidence—provided the acts are properly documented, authenticated, and matched to the correct legal remedy.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login