Internet Frauds

Internet Frauds

2026-05-03

Why a Nineteenth-Century Doctrine of Defective Consent Cannot See the Twenty-First-Century Confidence Game — and Whose Interests That Blindness Quietly Serves

Robert Nogacki  ·  Kancelaria Prawna Skarbiec

Mr. B. is seventy-four. He lives in a midsize city in central Poland, and he has been a widower for eight years. The phone rang on a Wednesday afternoon. The voice on the other end belonged to a woman who introduced herself as a financial-markets analyst at a London investment firm. She spoke in a measured, agreeable tone, with the faint accent of someone whose Polish was excellent but learned, which somehow lent her more credibility than fluent native speech would have. She called every day for the next six weeks. She asked about his grandchildren. She remembered their names. Some evenings she ended a conversation with a small joke and returned to it the following day, like a friend resuming an interrupted thought.

One evening, after a particularly long call, it was Mr. B. who suggested that he invest. She gave him an account number. He transferred five thousand złoty. A week later, the platform’s screen showed fourteen.

His adviser encouraged him to withdraw a little. He did, and the money arrived in his account.

So he transferred more.

Three months later, his life savings were gone. The bank had executed every transfer exactly as instructed. Each one was, in the language of the Polish Payment Services Act, properly authorized. Mr. B. had clicked through the confirmations himself. Of his own free and unconstrained will.

The question a civil lawyer must put to this case sounds, on its face, almost trivial: were the declarations of will Mr. B. made — and every wire transfer is a declaration of will — defective in some way recognized by law? The answer that the Polish Civil Code, in its 1964 phrasing, gives back is unsettlingly evasive. Article 84 speaks of mistake as to the content of a juridical act. Article 86 speaks of the deceitful inducement of mistake. Article 87 speaks of unlawful threat. All three provisions were drafted with a particular world in mind: a world in which the swindler looked his victim in the eye, in which a forged promissory note was slid across a table to be signed, in which a threat took the form of a man standing in a doorway. Mr. B.’s world looks nothing like that. The con artist never saw him. She slid nothing across any table. She threatened nothing. And yet something — something the Civil Code is curiously ill-equipped to name — was done to him.

What follows is an argument I take to be both urgent and uncomfortable: that our civil-law conceptual apparatus for identifying defects of consent has fallen into a state of dramatic mismatch with the technological reality of the twenty-first century.

A century of doctrine and case law has built up an elaborate edifice of suspicion toward victims — an unspoken assumption that mistake is easy to invent, deceit easy to fabricate after the fact, and threats easy to remember into existence once a contract has soured. That suspicion had its reasons. It belonged to a world in which technology did not scale fraud, in which psychological coercion required physical proximity, and in which manipulation was, in essence, an artisanal trade.

It is no longer.

Today manipulation is an industry. And around that industry, as we shall see, an architecture of institutional interests has assembled itself — an architecture with its own quiet reasons to leave the doctrine exactly where it is.

 

The Doctrine We Have

Begin with what we know. Polish doctrine on defects of consent is precise and, within its assumptions, internally coherent. Mistake under Article 84 of the Civil Code requires the cumulative satisfaction of two conditions: it must concern the content of the juridical act, and it must be material both objectively and subjectively. When the declaration is addressed to another person, a third condition enters: the addressee must have induced the mistake, known of it, or been able to detect it without difficulty (with an exception for gratuitous transactions). The Polish Supreme Court has on multiple occasions clarified that mistake is the discrepancy between reality and its reflection in the consciousness of the actor (judgment of January 20, 2017, I CSK 66/16) — and that this discrepancy must bear upon an element of the act, not upon a motive or expectation. The case-law line is rigorous. In its judgment of October 19, 2000 (III CKN 963/98), the Supreme Court refused to recognize as mistake a seller’s belief that the buyer would provide his mother with housing. In its judgment of February 9, 2017 (I ACa 768/16), the Białystok Court of Appeals held that an unmet expectation regarding a contracting party’s future conduct does not constitute mistake. All of this is doctrinally correct, but the rigor has always served one master — it has shielded commerce from easy buyer’s remorse.

Deceit under Article 86 is a qualified species of mistake, in which the legislator has deliberately relaxed the rigor: where mistake is induced by deceit, neither objective materiality nor a connection to the content of the act is required. A causal link between the perpetrator’s conduct and the declaration suffices. Doctrine consistently emphasizes, however, that deceit is intentional, deliberate conduct — and it is precisely this element of guilty mind, this moral reproach, that justifies the relaxation. Negligence does not suffice. When deceit is committed by a third party, the other contracting party must know of it and have failed to disclose. Silence may amount to deceit only where there existed a duty to inform — a duty arising from statute, contract, or principles of social coexistence.

Threat under Article 87 requires unlawfulness and seriousness. Unlawfulness is understood as conflict with the legal order, though doctrine permits a wider reading: it is also unlawful to use a legally permissible means to extract conduct to which the threatening party has no right. Seriousness means that the threat must arouse fear of loss of life, health, freedom, or substantial property damage. The whole construction presupposes — and this is the moment worth pausing on — an identifiable perpetrator and an articulated threat. Someone says something. Someone demands something. Someone menaces with something.

These three institutions share a quality rarely named outright: they are constructed defensively against the victim. The center of gravity in doctrine and case law lies not in making it easy to undo the consequences of declarations made under mistake, deceit, or threat. It lies in restricting that possibility — in protecting commerce against the impulsive withdrawal of parties from their concluded acts, in safeguarding the trust of counterparties. The case-law trajectory of recent decades runs toward tightening, not loosening, the requirements (witness the demand of due diligence on the part of the person invoking mistake).

Caveat emptor as an unspoken but pervasive principle.

 

The World That Has Changed

Meanwhile, the anatomy of fraud has changed. And this must be said plainly: we are not speaking of gradual evolution, of cosmetic refinements to traditional methods. We are speaking of a paradigm shift, an industrial leap in the organization of manipulation.

The most recent empirical research — the analysis of twenty-six leaked training scripts of so-called sha zhu pan operators, published in January 2026 in the Oxford Journal of Cybersecurity by Asyalı, Frank, and Hölzmer, and a separate study published on arXiv in March 2025 by Oak and Shafiq of the University of California, Davis, based on in-depth interviews with twenty-six victims — uncovers a picture that, to a civil lawyer, is at once foreign and familiar. Foreign, because it does not fit the doctrinal categories with which we operate. Familiar, because it describes what we have long suspected but could not see.

Internet fraud is no longer the work of artisans. It is the product of corporations. In compounds in Myanmar and Cambodia, thousands of people — many of them themselves victims of human trafficking — work shifts according to precisely codified scripts, conducting more than a dozen simultaneous conversations with prospective victims in different countries. Specialists are employed: scriptwriters, translators, cultural consultants who tailor the narrative to the region, programmers who build the false investment platforms, deepfake experts who generate, in real time, the video that allows for face-to-face conversation. This is not organized crime in the classical sense.

This is an industry of manipulation whose scale — according to the January 2026 Chainalysis report — exceeds seventeen billion dollars a year, growing faster than any other category of cybercrime; in March 2026, Forbes described the market as resting directly on the infrastructure of human trafficking.

To understand why the victims include educated, accomplished, cautious people — including, as I’ll come to, sitting bank presidents — one has to understand that the techniques deployed in these operations are not the intuitive tricks of nimble swindlers. They are operationalized scientific theories from social psychology and interpersonal communication. The Oxford analysis of the scripts reveals the systematic application of seven specific theoretical frameworks: Goffman’s theory of impression management, Altman and Taylor’s social penetration theory, Bowlby’s attachment theory, Sternberg’s triangular theory of love, Thibaut and Kelley’s interdependence theory, Maslow’s hierarchy of needs, and Deci and Ryan’s self-determination theory. Each theory performs a defined function in the script, and all are arranged in a temporal sequence that is the heart of the doctrinal problem.

The first layer — the foundational one — is the construction of identity. The operator is not an improvised figure. He receives, as the scripts call it, a package: a set of photographs matching a lifestyle narrative, a professional history, fragments of a biography, photographs of supposed relatives, of a supposed apartment, car, and vacations. When the victim grows suspicious, social-media profiles supply confirmation — all fabricated, all apparently active for years. According to Goffman’s theory, which the scripts knowingly invoke, a persuasive identity requires both a front stage (the scene visible to the audience) and a back stage (a supposed private domain to which only the chosen are admitted). The victim shown photographs from a cousin’s private wedding or a sick mother’s hospital room receives a signal: I am close to you, I am letting you into my back stage. That the back stage is also fabricated is one of the harder elements of the distortion to grasp.

The second layer — the relational — is the systematic construction of intimacy through controlled self-disclosure. Social penetration in Altman and Taylor’s theory has the shape of an onion: the outer layers (occupation, hobbies) yield to deeper ones (family wounds, shameful childhood memories, fears), and finally to the core (the deepest desires and dreads). The Oxford scripts instruct the operator to direct this process — to calibrate his own self-disclosures with precision, to trigger reciprocity (the principle of mutuality in self-revelation), to make the victim feel that the exchange is symmetrical. In reality the exchange is radically asymmetrical: the operator discloses nothing, only reads from a card. At the same time, attachment is calibrated according to Bowlby. Victims who present features of the anxious attachment style — the lonely, the recently widowed, those who have known abandonment — are offered the image of a secure base, a reliable partner who is always available, who always remembers, who never disappoints. It is precisely what they have been missing for years.

The third layer — the motivational — engages only once the previous layers are stable. Here Maslow and self-determination theory enter. The operator is not selling an investment. He is selling self-realization. The victim is not asked whether she wants to make money; she is asked what her dreams are, what she has not yet managed to do in life, what she would like to leave to her children. The operator then presents the investment as the instrument that will let those dreams become real. Self-determination theory holds that durable motivation requires the satisfaction of three needs: autonomy (the sense that the decisions are mine), competence (the sense that I am good at something), and relatedness (the sense that I belong to something with someone). All three are systematically simulated. The victim receives a fake platform displaying her investment successes — she feels competent. The operator asks her opinion, listens to her strategy, offers her a choice between options — she feels autonomous. The whole relationship is wrapped in the narrative of we — she feels she belongs. What she feels is, in reality, a state psychiatry would describe as induced rather than spontaneous.

The fourth layer — the controlling — appears the moment the victim begins to have doubts. Here the script changes register. Intermittent reinforcement is introduced — the variable-schedule reward pattern that behavioral psychology identifies as the strongest known mechanism for building compulsive behavior. The operator alternates warmth and chill, availability and unavailability, praise and small disapprovals. The victim begins to work to return to the warm state, which has become her new emotional baseline. Every withdrawal of money from the platform is psychologically costly — it lets down the partner who has done so much for her. Every deposit is psychologically rewarded — it strengthens the bond. The sunk-cost fallacy emerges: the victim cannot pull back, because pulling back would mean admitting that everything she has devoted herself to for the past months has been an illusion. The mechanism is identical to the one described in the literature on coercive control in domestic violence (Stark, Williamson). The only difference is that here the perpetrator never physically existed.

The fifth layer — the executionary — is the phase in which the victim performs, with her own hands, the acts that destroy her. Because this needs to be understood: in classical fraud, the perpetrator takes the money. Here the perpetrator does not take it — the victim gives it to him, often over many weeks, in hundreds of small transactions, each of them authorized, conscious, voluntary in the technical sense of those words. More than that: the victim often fights the people trying to save her. The bank that calls with a warning is perceived as the enemy — because the “adviser” has already prepared her for this, told her the bank will try to interfere with her opportunity of a lifetime. The child who tries to intervene is perceived as an unwelcome intruder into an intimate relationship. The teller who asks questions about the purpose of a transfer is perceived as bureaucratic obstruction. The Oak and Shafiq interviews with twenty-six victims document this dynamic with precision: the victim, in the name of a relationship that does not actually exist, lies in its defense.

All these layers are long-term. The classical dolus of our legal tradition was a punctual act — the seller assured the buyer the jewels were gold when in fact they were gilt. The contemporary internet fraud unfolds. It unfolds for weeks, months, sometimes a year. In the three-stage model described in the literature — hunting, raising, killing — the request for money itself appears only after a phase in which the swindler does not, for many weeks, breathe a word about any transaction. He builds the relationship. He listens. He remembers birthdays. He sympathizes. He keeps her company. Only when the victim is emotionally bound — when the upper tiers of Maslow’s hierarchy have been satisfied, when the basic needs of autonomy, competence, and relatedness from Deci and Ryan’s theory have been met — does the opportunity appear. Never as a demand. Always as a shared dream.

And one more observation, hard to overlook for anyone who reads the descriptions of the victims in the cited research: these are not people who were short on intelligence. These are people who were short on something else — closeness, recognition, security, the assurance that their lives had not been in vain. The operator of the script does not attack their reason. He attacks their emptiness. And for that, no Civil Code has prepared them.

 

Where the Doctrine Breaks

To see why our conceptual apparatus fails these cases, one has to see precisely where it cracks. Each of the three institutions — mistake, deceit, threat — has its own point of fracture.

 

Mistake: a discrepancy with a reality that is not there

The classical definition of mistake assumes the existence of an objective reality with which the actor’s mental representation can be compared. The victim believes the jewelry is gold; objectively, it is gilt. The victim believes the property is buildable; objectively, it is not, owing to hidden infrastructure (Supreme Court, June 9, 2006, IV CSK 169/05). In a romance-investment fraud, however, the situation is qualitatively different. Mr. B. is not mistaken about any element of the juridical act in the classical sense. When he executes the transfer, Mr. B. knows exactly how much money he is transferring, to what account, in what currency. The content of the declaration corresponds to his intent. Falsa demonstratio non nocet — he has confused nothing.

Mr. B.’s mistake concerns something else: it concerns the entire existential context in which he is making the decision. He is convinced of the existence of an adviser who does not exist. Of a firm that does not exist. Of a platform on which his funds are not, in fact, being invested. Of a relationship that does not exist. That his money is multiplying, when it is in fact disappearing. Each of these convictions falls, in the imprecise language of commentators, within the category of mistake as to motive, expectation, or circumstances preceding the act. Doctrine has consistently refused to recognize such mistakes as legally relevant.

Here, however, a paradox arises that needs a name: the case-law line excluding mistake as to motive was developed in situations where courts shielded commerce from the casual undoing of contracts after expectations went unmet. I was counting on the property’s being rezoned — that is a forecast, not a mistake. But I was convinced that the person I was speaking with existed — that is not a forecast. That is a fundamental, verifiable, factual conviction about the state of the world at the moment the act was performed. Doctrine has not sharply distinguished between these two situations because it has never needed to. A world in which someone pretends, on an industrial scale, to exist is a new world.

 

Deceit: an omission with no one to attribute it to

With deceit, the case is at first glance easier. All the elements of Article 86 seem to be satisfied: there is intentional conduct, there is intent, there is a causal link to the declaration. And yet.

The first difficulty: who has performed the deceit? In the classical construction of Article 86 § 1, deceit is the conduct of the other party to the juridical act. But the other party to Mr. B.’s wire transfer is the bank — which not only did not commit deceit, but knew nothing of the surrounding context. The actual perpetrators of the deceit, the actual beneficiaries, are third parties within the meaning of Article 86 § 2. For that provision to operate, the other party — the bank — would have to have known of the deceit. It did not.

And here arises the second difficulty, considerably deeper. Doctrine and judicature consistently repeat that an omission may be regarded as deceit only where there existed a duty to inform. Does a bank have a duty to inform a client that he is probably falling victim to fraud? The classical answer: no, the bank is neither the police nor an investigator. But that classical answer was formulated in a time when the bank did not have the tools it has today. A modern bank antifraud system — based on machine learning, behavioral analytics, transaction profiling — detects patterns typical of authorized push-payment fraud with considerable precision. Mr. B.’s bank almost certainly knew that the transactions were atypical. Atypical patterns — transfers to a previously unknown beneficiary, amounts significantly outside the client’s historical profile, escalating transfer values, a client in an elevated-risk age bracket — these are precisely the signals on which antifraud systems are calibrated.

The question to put to doctrine, then, is this: in 2026, with respect to an elderly client of stable transactional profile who suddenly begins making transfers to new beneficiaries on foreign accounts, does a bank’s duty to inform not simply arise from principles of social coexistence? And if it does — then the bank’s silence in the face of a pattern flagged by its antifraud system as highly suspicious is an omission that, on a generous reading of Article 86 § 2, might be recognized as complicity in deceit. The point is not to manufacture new duties by civilist oracle. The point is to recognize that the content of the existing duty to inform — flowing from contractual loyalty, from Article 354 of the Civil Code, from market standards (ABA, FCA), from PSD2 and its Polish implementation — has evolved together with technological capacity.

 

Threat: coercion that requires no one to threaten

The hardest case conceptually is Article 87. The classical threat presupposes an articulated demand under sanction of harm. But in internet fraud we observe a phenomenon researchers describe as weaponized emotion — emotion turned into an instrument. The victim is induced to act not by a direct threat but by precisely engineered emotional states: fear of rejection by her “partner,” fear of losing the “opportunity of a lifetime,” shame at admitting that her first investment was small, guilt toward the “adviser” who “has already lent me her own money.”

The fraud scripts, as the Oxford Journal of Cybersecurity analysis shows, deliberately escalate emotional pressure to a level functionally equivalent to threat — with the difference, however, that no explicit demand is made.

Is this threat within the meaning of the Civil Code? On the classical reading — certainly not. All the elements are missing: the unlawful demand, the articulated menace, the identifiable perpetrator applying coercion. But if the ratio legis of Article 87 is the protection of decisional freedom from distortion by external compulsion — then the victim who withdraws her retirement savings in a state of six-month psychological dependence on a trained operator of a manipulation script is in a state of distorted decisional freedom no less than the person threatened with physical violence. Here doctrine faces a choice: either uphold the classical reading at the cost of conceding that Article 87 does not protect against modern forms of psychological compulsion, or update its understanding of unlawful threat to encompass instrumentalized emotional states produced industrially.

 

Why Doctrine Cannot Keep Up

One could ask whether existing doctrine isn’t simply sufficient — whether cases like Mr. B.’s shouldn’t be handled through the criminal track (Article 286 § 1 in conjunction with Article 294 § 1 of the Penal Code) and the funds recovered from the perpetrators in criminal proceedings using the instrument of Article 46. The answer is twofold. First — the perpetrators are in Myanmar. Criminal proceedings, which nominally exist, in practice do not result in any recovery of funds. Second — and this is more fundamental — the question is not how the victim recovers her money. The question is whose money it is in the civil-law sense. Is this money the client effectively disposed of (in which case the relationship with the bank is closed), or is it money in respect of which the declaration of will was defective (in which case a possibility opens up for avoidance, restitution, and possibly damages claims)?

And here we return to the central observation: doctrine on defects of consent has been built defensively against victims for a hundred years because classical victims were relatively easy to identify, and their claims relatively easy to falsify. A court could meaningfully ask: would a reasonable person in your position have made this mistake? Could you have detected the deceit without difficulty? Were you really afraid? These questions presuppose a model of the victim as an actor who actively assesses the situation and ought to exercise due diligence. Our Civil Code, in the Roman-Germanic tradition, writes the requirement of diligentia patris familias into the heart of the institution.

Empirical research on contemporary fraud, however, shows something lawyers generally do not want to see: susceptibility to manipulation is not a function of the victim’s intelligence or experience. Among the victims of romance-investment fraud are economics professors, bank presidents (witness the case of Shan Hanes, president of Heartland Tri-State Bank in Kansas, who executed eleven transfers totaling $47.1 million — the bank’s money, not his own — drove the institution into bankruptcy, and was sentenced to two hundred and ninety-three months of incarceration, roughly twenty-four and a half years), engineers, doctors, and lawyers. Operators applying scientifically developed persuasion techniques are capable — given enough time — of inducing a state of deep manipulation in practically anyone who meets their target criteria.

The consequence for doctrine is serious. The standard of the reasonable person who would not have done this — fundamental to the objective materiality of mistake — ceases to be a meaningful criterion. Because, statistically, reasonable people do this. Not because they are unreasonable. Because they stand opposite an adversary commanding informational and technological superiority of a kind against which individual human vigilance is insufficient. The question is no longer: would a reasonable person have done this? The question is: did the infrastructure of the system — banks, platforms, regulators — perform its share of the work?

 

The Economy of Interests Around a Defensive Doctrine

Here something must be said that remains unspoken in Polish civilist discourse, though every advocate handling fraud-victim cases sees it. A doctrine that is defensive toward victims does not maintain itself by the inertia of tradition alone. It maintains itself because around it has assembled an architecture of property interests with a structural stake in its persistence. And before any doctrinal updating is proposed, one has to see who profits from things as they stand.

Begin with the most obvious thing, though it is rarely named. Victims of pig-butchering investment fraud, in a strikingly high proportion, do not transfer only their own savings. The killing phase of the script presupposes escalation — once the victim has transferred everything in her savings account, the operator does not let go. A still bigger opportunity appears, the last chance to enter this project, a special offer for our most loyal investors. The operator, in his role as adviser, suggests a specific path: a consumer loan, a mortgage against real estate, a loan secured on the apartment. From the victim’s perspective this is rational — given the guaranteed rate of return shown on the fake platform, the cost of servicing the loan is negligible. From the bank’s point of view, this is one of the most profitable kinds of borrower in existence: a pensioner with a clean credit history, owning valuable real estate, of an age at which she does not negotiate terms or compare offers.

From the bank’s perspective — and I mean an honest bank, acting in conformity with the letter of the law — this loan is the ideal product. A high origination fee, an attractive interest rate (because the client does not negotiate), low default risk (because the mortgage security on the real estate substantially exceeds the loan amount). When it turns out the victim has become a victim of fraud and cannot service the installments, the second stage of the business model engages: collections.

Collections are, in the Polish system, a powerful and highly profitable mechanism. Default interest accrues per the contract; legal-handling costs reach several thousand złoty per month; enforcement-proceeding costs burden the debtor. After a year or two of proceedings, the debt has grown by tens of percent above the original sum. Collections firms — often the bank’s long-standing partners — receive flat-fee and success-fee compensation. Eventually the property is sold at enforcement auction; the bank recovers principal with interest, the collections firm its fee, the auction buyer the property at a price substantially below market.

Every participant in this cascade, with the exception of the victim, exits the transaction in a better property position than the one in which it began.

And here the question must be put — the question Polish civilistics does not want to ask: who would have an economic interest in stopping this cascade? The bank earns at every stage. The collections firm earns at every stage. The bailiff earns at every stage. The auction buyer earns at the end. The court collects fees. The state collects civil-act tax. There is no participant in this cascade with a structural interest in recognizing that the original declarations of will were defective — because every such recognition would entail an obligation of restoration, correction, and possibly restitution. And all those involved have long since allocated those funds in their budgets.

This is the context in which doctrine on defects of consent is interpreted, and the context that academic civilistics ought no longer to ignore. The judge hearing a case against a bank does not operate in a theoretical vacuum. He operates in an environment in which the case-law line tightening the requirements of defects of consent generates legal predictability for the largest market actors — banks, insurers, financial institutions — and for the law firms that serve them. Victims cannot organize a doctrinal line. Victims are dispersed, unorganized; each loses her case individually and disappears from the system. The bank, winning successive cases, accumulates not only profits but interpretive capital. With each victory, doctrine tightens further; each subsequent victim has it harder still.

A second area of property interests, equally significant, concerns the infrastructure through which the victims’ funds actually leave the system — Bitcoin ATMs, the kiosks that convert cash into cryptocurrencies, present in Poland in 2024 in the hundreds and rising. This is the point at which civilist doctrine meets the reality of organized crime directly and inelegantly.

The February 2021 report of the New Jersey State Commission of Investigation, based on the analysis of three hundred ATMs operated by thirty entities — and still one of the most rigorous documents on the subject — produced findings worth transposing to the Polish context. First: nearly three quarters of the operators studied in New Jersey allowed transactions based solely on a mobile phone number, with no identity verification. Second: more than a third of the operators had not registered with the federal financial-intelligence unit (FinCEN), as the law required. Third: the average transaction fee at the ATMs ran from eight to twenty-four percent — a multiple of the fees on regulated exchanges. Fourth — and this is the most important — the investigation revealed direct ties between the ATM operators and individuals with multiple convictions for financial crimes, including one operator with seven prior fraud convictions who, on release from prison, returned immediately to the business. The scale of the problem has since been confirmed by federal supervision: in August 2025, FinCEN issued a notice (FIN-2025-NTC1) citing the New Jersey findings as the basis for new AML obligations on ATM operators.

From the perspective of investment-fraud economics, the logic of this infrastructure is obvious. The operator of a manipulation script needs a tool through which the victim — often elderly, often unfamiliar with technology — converts złoty into cryptocurrency sent to the perpetrators’ wallet. The Bitcoin ATM serves the function ideally: the victim physically appears at the kiosk, cash is fed in note by note, and the transaction is irreversible within seconds. More important still — the transaction fee, in the low double digits and sometimes above twenty percent, far exceeding the fees of regulated cryptocurrency exchanges, functions in effect as a fee for not asking questions. According to the latest FBI IC3 report for 2025, the average loss for a victim of cryptocurrency fraud was $62,604, with about 18,600 victims losing more than $100,000 each; in the same period, total American losses to cryptocurrency fraud reached $11.4 billion, with the ATM operator collecting a percentage in the low double digits of every deposit transaction. The economics of this link in the chain speak for themselves.

The Polish Financial Supervision Authority has consistently signaled the risks associated with Bitcoin ATMs, and the Polish market structurally reproduces the pathologies identified in the New Jersey report: fragmentation of operators, absence of real identity verification at smaller transactions, inconsistency of AML practices, locations in retail outlets without any operator oversight. From the standpoint of doctrinal analysis, however, what matters is not the phenomenon itself — what matters is that the infrastructure through which victims’ funds leave the Polish financial system is, in significant part, infrastructure structurally connected to organized crime. Not that every ATM operator is a criminal — that would be a simplification. The point is that in an industry in which a substantial portion of operators do not perform AML obligations, and some have documented ties to financial crime, every Bitcoin ATM functions as a potential laundering node for proceeds of crime. This is not a hypothesis — it is a state of affairs empirically documented by supervisory authorities in three jurisdictions (the United States, the United Kingdom, and Australia) and not accommodated by any other interpretation.

The legal consequence is twofold. First — the ATM that takes a twenty-percent commission from a transaction by a victim directed there by a fraud operator is a beneficiary of the deceit in the economic sense, regardless of whether it satisfies the criteria of Article 86 § 2 in the classical reading. Second — financial institutions intermediating the path of the victim’s funds to the ATM (banks handling cash withdrawals, banks holding the operators’ accounts, entities intermediating in cryptoasset trade) form an institutional chain in which every link generates revenue from the same transaction whose cost is the complete economic annihilation of the victim. And in every one of those links, the relevant management bodies know — because they read the industry statistics, the FATF, Chainalysis, and Europol reports — that a non-trivial portion of the turnover generated within their own institutions comes from precisely these schemes.

The question to put to civilist doctrine, then, fully and clearly, is this: in the face of such a distribution of property interests, is the present defensive interpretation of defects of consent neutral? Or is it, rather, in an unintended but structurally efficient way, an instrument for protecting this cascade? Because one must be aware: every interpretation that does not allow a pig-butchering victim to undo the legal consequences of a transfer authorized under the influence of six months of manipulation is an interpretation that maintains a state of affairs in which the bank keeps its commission, the law firm its collection fee, the ATM operator its transaction surcharge. Doctrine need not want this. But this is what it does.

 

A Proposed Doctrinal Update

I do not propose amending the Civil Code. I propose something harder — a revaluation of how doctrine and case law interpret the existing provisions in the context of contemporary fraud. Four directions strike me as particularly urgent.

 

Expanding the concept of mistake to include “existential mistake”

Doctrine should develop a category of existential mistake — mistake concerning not an element of the juridical act but a fundamental state of the reality in which the act is performed. If the victim is convinced of the existence of a person, an institution, a platform, a relationship — and none of these exist — that is a mistake qualitatively different from mistake as to motive. The boundary, I concede, is delicate and requires doctrinal refinement. But the difference between I was counting on the lot’s being rezoned (a forecast) and I was counting on the existence of the person with whom I was conversing (a factual conviction verifiable at the moment of the act) is a qualitative difference doctrine can — and should — name.

 

Updating the scope of financial institutions’ duty to inform

It must be recognized that the bank’s duty to inform the client — flowing from contractual loyalty, from Article 354 of the Civil Code, from PSD2 — has evolved together with the institution’s technological capacities. A bank that has antifraud systems and detects a high-risk pattern but takes no proportionate intervention with respect to a client in an elevated-vulnerability group commits an omission that, in defined circumstances, may fall within the hypothesis of Article 86 § 2 or constitute a basis for contractual liability. The common law has gone through this evolution earlier — the English case of Philipp v. Barclays Bank UK plc [2023] UKSC 25, though it ultimately rejected the bank’s liability on the facts of the case, opened the way for the Quincecare duty in a new formulation (see also the Slaughter and May commentary), recognizing that a bank’s duty of care toward a client is a dynamic concept. Polish doctrine can and should follow this path — not by copying common-law solutions but by using them as material to rethink the scope of the duty under Article 354 and the loyalty flowing from the bank-account contract. A loan taken out by a pig-butchering victim under the influence of weaponized manipulation — at a time when the bank possessed a transactional pattern indicating high fraud risk — calls for a separate, equally urgent reflection: is the loan agreement concluded in such circumstances not, in fact, defective in a way doctrine ought to name?

 

Recognizing weaponized psychological compulsion

In interpreting Article 87, doctrine should take account of the fact that psychological compulsion may be brought about by methods that do not consist in articulated threat. Six months of manipulation conducted to a script grounded in scientific theories of persuasion is functionally equivalent to compulsion — and if the ratio legis of Article 87 is the protection of decisional freedom, the interpretation should encompass these cases as well. I understand the doctrinal resistance — the concept of unlawful threat has a settled meaning. But if we keep it in its classical shape, we must at the same time say openly: Article 87 does not protect against psychological manipulation applied industrially. That is more honest than pretending it does.

 

Recalibrating the standard of due diligence on the part of the victim

The hardest doctrinal proposal. The standard of due diligence that, in current case law, excludes invocation of mistake when one signs a document without reading it requires recalibration. The due diligence of a reasonable person in 1994 meant something different from what it means in 2026 — not because people have grown stupider but because the informational and technological asymmetry between the citizen and the perpetrator of fraud has grown several-fold. The standard ought to be updated in a way that takes account of the actual adversary the victim faces — and what a reasonable person can do in this concrete context, and what she cannot. This does not, of course, mean every aggrieved party should be able to walk away from the consequences of her act with ease. It means the question of diligence ought to be put proportionately to the real difficulty of recognizing the manipulation.

 

The Counterarguments That Cannot Be Dismissed

Each of the above proposals can be met with serious objections, and intellectual honesty demands that they be articulated.

First — the security-of-commerce argument. The easier it is to undo a declaration of will, the less stable juridical acts become, and the higher the transaction costs borne by all market participants. This is the classical argument, and it does not lose force. The reply: a doctrinal update need not mean a mass opening of the gate to undoing acts. It can mean the precise carving out of a category of weaponized industrial manipulation — a category whose recognizable features (multi-month grooming-engagement, scripted communication, fake transactional platform, patterns typical of organized syndicate activity) distinguish it from the classical careless consumer.

Second — the personal-responsibility argument. A society that releases individuals from the consequences of their own decisions demoralizes them and encourages carelessness. It is a liberal argument, right-leaning in the classical sense. The reply: the point is not to release from responsibility. The point is the adequate recognition of when an individual has actually made a decision and when her decisional capacity has been distorted to a degree civil law has traditionally recognized as relevant. Article 82 of the Civil Code (lack of awareness or freedom) has long protected against considerably subtler forms of distortion than industrial six-month manipulation.

Third — the reverse-risk argument. If banks become liable for recognizing authorized push-payment fraud, they may begin refusing to execute transactions that are legal and desirable, paralyzing commerce. This argument was raised in the United Kingdom when the Contingent Reimbursement Model was introduced and proved empirically overstated — banks found a balance between warnings and the throughput of transactions, and victims began to be better protected. The Polish banking system has the competence to find this balance if it is required to.

Fourth — the separation-of-civil-and-criminal argument. One can argue that the problem of internet fraud is a criminal and regulatory problem, not a civil one, and that the attempt to stretch civil institutions onto a new reality leads to the distortion of the system. This is a methodologically serious objection. The answer is, however, practical: criminal law, however indispensable, does not answer the question of who bears the economic risk of an event in the relations between the victim and the intermediating institutions. That question is answered only by civil law. If we deny civil law the right to evolve in the face of new phenomena, we condemn victims to economic annihilation even when the system’s infrastructure could have helped them.

 

Toward a Doctrine That Sees

Mr. B. sits across from me in the office and cannot explain how it happened. I am not stupid, he says, after a long pause, as if he had to push it away from himself before saying anything else. I know it sounds stupid, but she really existed. And there is the whole case. From the perspective of present doctrine, he is saying something that cannot be transposed into a legal argument. From the perspective of the doctrine I am proposing, he is saying something that has meaning, and that civil law is capable of naming.

Polish civil law has the intellectual and instrumental resources to meet the challenge of contemporary fraud. It has Articles 84 and 86, which on the right interpretation will encompass existential mistake and the informational omissions of institutions. It has Article 87, whose ratio legis permits the recognition of weaponized psychological compulsion. It has Article 354 and contractual loyalty, from which flows an institutional duty toward the client proportionate to its technological capacities. It has Articles 415 and 417 for cases in which a systemic omission caused harm. All these tools exist. What is lacking is one thing: the doctrinal decision to use them this way rather than the way they have been used.

Doctrine should also keep its humility. It is not the case that the classical mistrust of victims of mistake, deceit, and threat was unjustified — it had its historical reasons and served the stability of commerce. Nor is it the case that the proposals presented here are a final solution; they call for years of doctrinal work, refinement in case law, and calibration against concrete fact patterns. But it is the case that doctrine’s incapacity in the face of Mr. B.’s case is an incapacity that may not be prolonged by further judgments repeating the formula about the unmet preconditions of Article 84 § 1, second sentence. Because every such judgment is not merely the loss of one concrete client. It is a quiet declaration that civil law does not see the world it lives in — nor the property interests organizing themselves around its blindness.

And civil law that does not see ceases to be law. It becomes archaeology — and, what is worse, archaeology useful to those who know how to make use of it.

Topical publications

The Same Trick Twice
2026-05-02

The Same Trick Twice

How Poland’s financial system spent twenty years perfecting the art of never learning from its mistakes In the spring of…

read more
Event Contracts – The Casino That Pretends to Be a Stock Exchange
2026-05-02

Event Contracts – The Casino That...

A man in his thirties sits down at his laptop, opens an app whose logo could pass for a brokerage’s,…

read more
Cyberspace Has a Return Address 📬 
2026-05-01

Cyberspace Has a Return Address 📬 

The Patrick Schmitz case and the unraveling of a familiar fantasy In December of 2020, on an encrypted messaging app,…

read more
See more publications