
Question for the legal-minded folk here. Is this "theft" illegal in the criminal sense?

It's exploiting an unintended hole in software, but it's technically following the smart contract faithfully, albeit against the better intentions of its author(s).

Has a smart contract case like this been litigated before?

It brings to mind comparable things that have happened in the financial services world, where one party insists on following a poorly-composed contract to the letter, to the detriment of their counter-party. Their actions were deemed unethical, but not criminally illegal.




I don't believe this has been tested in the courts.

But I don't see much difficulty in convincing a court that this fits the definition of theft in some jurisdictions.

In the UK: "Theft is defined by section 1 of the 1968 Act as dishonestly appropriating property belonging to another with the intention of permanently depriving the other of it."

A brief explanation of each of those terms is given, and I don't see any particular problems related to this being cryptocurrency. The point that "smart contracts allow what the code says and nothing else matters" does not fit with the dishonesty interpretation that "The owner would agree to their taking it if they knew about it".

https://www.cps.gov.uk/legal-guidance/theft-act-offences


In traditional courts? Yep, it's a crime because there is clear damage being done to the victims. As simple as that.


This isn't a case where there was a flaw in a smart contract. This is a case where they straight up hacked servers and stole keys from them.


Even exploiting a flaw in a smart contract is theft as long as it is clearly an exploit.


As far as I know, this hasn't been tested in court. Even if true, this goes completely against the idea of "the code is law."


It probably depends on the jurisdiction, and if they interpret the smart contract as a computer program, and have hacking laws they can apply, or as an actual autonomous contract that is legally valid. Both seem like plausible interpretations, but I think the former is more natural/likely for the typical judge.


The attacker gained control of 5 validator nodes. This is as clearcut as hacking and theft charges can get.


One could make the same argument of any computer system where the security wasn't as tight as one could hope.

"But judge, they never patched their $software to the latest version, so technically the software allowed me to dump the contents of the IMAP server"

Intents matter. If you commit a crime ("Stealing" is a crime), it doesn't matter if you did so via software, contracts, smart contracts, blockchain or else. A crime is a crime is a crime.


Real world analogues can be useful for thinking about these situations: would the mob be able to steal your money and avoid charges because they got five of their guys hired by your bank to approve the deal? (Or redirected a phone line, faked letters, etc.?)

The answer is no because there’s a clear victim, and this wasn’t taking advantage of a mistake like e.g. a casino game which didn’t have the right formula but rather clearly subverting the safeguards built into the system. In the real world, no judge is going to look at that and say “well, that’s what the code did. Nothing we can do about it even though everyone knows it’s theft!” and a jury isn’t going to believe you “accidentally” broke separate safeguards on multiple systems.

That’s just the basic stuff which would have been true a century ago. In this case you’d also want to think about the relevant laws wherever they are based — for example, the U.S. CFAA bans use of a computer contrary to how the owner intends you to use it. Even if this wasn’t so clear cut, I’d expect them to successfully argue that knowingly subverting an oracle would meet that threshold since you clearly knew how the system was intended to work.


I'm not a lawyer. It appears that part of this heist involved hacked keys. That aspect would be straightforwardly illegal I would imagine.


This wasn’t a smart contract exploit, it was a stolen keys exploit. Very different, flat out theft rather than exploiting “code is law” (and almost certainly an inside job).


Legally CFAA criminalizes unauthorised access of systems even if they were available and unauthenticated.

If you are not supposed to have access and you accessed it, it is a crime. This is why whitehat work is also dangerous legally unless you have been invited in.

Here obviously the attackers accessed a private environment and stole the keys, so yes, it is a crime.


Intent means a lot. The intent is clear: to deprive ownership of something.


If code is law this is perfectly legal.

I suppose in the real world intent would matter a lot.

That is exactly the reason why "code is law" is such an absurd concept. A piece of code alone will never be able to tell you what its initial intention was.



