Online Identity Theft Lawyers: Criminal Defense & Private Prosecution
When someone impersonates you online. Defense of the accused and protection of digital impersonation victims
Last updated:
Online Identity Theft: The Invisible Crime
The online identity theft is a rapidly expanding criminal category that is reconducted to several types of the Spanish Criminal Code depending on the specific conduct: civil-status usurpation (Art. 401 CP), computer fraud (Arts. 248-250 CP), unlawful access to systems (Art. 197 bis CP), discovery and revelation of secrets (Art. 197 CP), document forgery (Arts. 390-399 CP) and, where applicable, offences against honour (Arts. 205-216 CP). Consolidated Supreme Court case-law has precisified the contours of Art. 401 CP: it requires effective usurpation of another person's civil status with intent and capacity to produce harm or spurious benefit, not the mere occasional use of a name. As criminal lawyers specialising in cybercrime, we offer defence of the accused and private prosecution of the victim with specialised forensic computer expertise.
The typical modalities are diverse and constantly sophisticate. The creation of fake social media profiles using the real victim's name, photographs and data to impersonate them on Instagram, Facebook, LinkedIn, X or TikTok. Catfishing on dating apps (Tinder, Bumble, Grindr) through invented or stolen identities. Financial identity fraud: applications for quick loans, microcredits, bank accounts, credit lines or cards with the victim's stolen documentation. The contracting of services (telephone, energy, rentals, vehicles) in third parties' names. SIM swapping to take control of the phone number and bypass 2FA mechanisms. Corporate impersonation through domain typosquatting, cloned websites, spoofed emails and executive deepfakes. And doxing with impersonation: publication of the victim's personal data together with fake accounts to harass them.
The penalties depend on the applicable type. Civil-status usurpation under Art. 401 CP carries prison from 6 months to 3 years. If the impersonation is used to commit computer fraud (Arts. 248-250 CP), penalties rise to 1-6 years' prison and fine; when criminal organisation or group concurs, up to 8 years. Document forgery (Art. 392 CP in official/commercial document) carries prison from 6 months to 3 years and fine. The unlawful access to accounts (Art. 197 bis CP) sanctions with 6 months to 2 years. In real concurrence, penalties accumulate, frequently reaching figures above 6 years' effective prison. To custodial penalties are added civil liability for moral and patrimonial damages (including content removal, payment of fraudulently contracted services, reputational repair) and, in corporate cases, criminal liability of the instrumental legal entity (Art. 31 bis CP).
The technical defence and private-prosecution strategy articulate several lines. When representing the impersonation victim, we execute urgent precautionary measures: judicial order of content removal to the platform in 24-48h under Art. 13.2 LSSI and EU GDPR 2016/679; identification of the impersonator through orders to Meta, Google, X, ByteDance, Microsoft or ISPs; precautionary freezing of fraudulent bank accounts; blocking of credit lines opened in the client's name; and articulation of criminal complaint with private prosecution. When defending the investigated, we articulate the atypicality of the fictional profile not usurping real identity, the parody or satire under freedom of expression (Art. 20 SC), the mistake of fact on the ownership of credentials or documents used, and the expert challenge of forensic attribution of IP, device and material authorship.
In current forensic practice we observe exponential growth in online identity-theft proceedings, especially linked to financial frauds with documentary impersonation, SIM swapping to drain crypto wallets, corporate deepfakes in CEO-fraud operations, romantic catfishing with derivation to crypto investment scam, and impersonation of executives on professional social networks. EU Regulation eIDAS2 (2024/1183) on European digital identity, EU GDPR 2016/679, Organic Law 3/2018 on Data Protection, Regulation DSA EU 2022/2065 on Digital Services and Organic Law 1/2025 on Justice Service Efficiency have transformed the regulatory framework. At Alonso Sala, we tackle each file with certified forensic computer experts, coordinated management with platforms and authorities, and urgent procedural articulation.
Impersonation Methods
Fake Social Media Profiles
Creating accounts with another person's photos and name on Instagram, Facebook, X, LinkedIn. Art. 401 CP.
Catfishing (Dating Apps)
Fake identity on Tinder/Bumble for emotional deception, sextortion, or money extraction.
Financial Identity Fraud
Applying for loans, opening bank accounts, or contracting services with someone else's documents.
Corporate Typosquatting
Registering domains similar to known brands to create fake scam or phishing websites.
Why Alonso Sala for Online Identity Theft?
- securityUrgent fake profile removal: judicial order in 24-48h.
- securityImpersonator tracking through platform orders (Google, Meta, X).
- securityReporting and private prosecution before Madrid Courts.
- securityDefense of the accused: parody, lack of intent, fictional profile.
Cybercrime in Spain: Hacking, Phishing & Digital Fraud — Defence Guide
Cybercrime encompasses illegal access to computer systems (Art. 197 bis CP), computer damage and ransomware (Art. 264 CP), phishing and digital fraud (Art. 249.1.a CP), and the production or distribution of hacking tools (Art. 197 ter). Spain's prosecution of cybercrime has intensified dramatically, with specialised units in the National Police (BIT) and Guardia Civil (GDT) leading investigations. Defence requires a unique combination of criminal law expertise and advanced technical knowledge.
Penalty Table: Cybercrime
| Offence | Article | Description | Penalty |
|---|---|---|---|
| Illegal access to systems | Art. 197 bis | Unauthorised access breaching security measures | 6 months – 2 years |
| Interception of data | Art. 197 bis.2 | Intercepting non-public data transmissions | 3 months – 2 years |
| Production/supply of hacking tools | Art. 197 ter | Creating or distributing tools designed for cybercrime | 6 months – 2 years |
| Computer damage (basic) | Art. 264.1 | Deleting, damaging or making data inaccessible | 6 months – 3 years |
| Aggravated damage (critical infrastructure) | Art. 264.2 | Affecting essential services or critical infrastructure | 2 – 5 years prison |
| Cyber fraud (phishing) | Art. 249.1.a | IT manipulation to obtain unlawful transfer of assets | 6 months – 3 years |
Key Defence Strategies
IP Attribution Challenge
An IP address does not identify a person. Shared Wi-Fi networks, VPNs, Tor exit nodes and NAT configurations mean multiple users may share one IP. The prosecution must prove the accused was the actual user at the relevant time.
Chain of Digital Custody
Digital evidence is extremely fragile. If the police failed to image the hard drive with a write-blocker, if hash values don't match, or if evidence was handled improperly, the defence can seek exclusion of the entire digital evidence chain.
Authorised Security Testing
Ethical hacking and penetration testing carried out with the system owner's authorisation is legal. If the defendant had a written engagement contract, bug bounty agreement or responsible disclosure policy, there is no criminal offence.
Lack of 'Breaching Security Measures'
Art. 197 bis requires that security measures were breached. If the system had no password, no firewall, or the access point was public, the element of 'breaching security' may be absent, negating the offence.
Key Case Law
The Supreme Court confirmed that 'access' requires effectively entering the system, not merely attempting it. The prosecution must prove: (1) access occurred, (2) it was unauthorised, and (3) security measures were breached. Port scanning alone does not constitute the offence.
The Court ruled that ransomware attacks may constitute a concurrent offence of computer damage (Art. 264) and extortion (Art. 243 CP). The encryption of data satisfies the 'damage' element even if data is technically recoverable upon payment.
In phishing operations, the Court distinguished between the organiser and the 'money mule' (account holder). The mule's liability depends on proof of knowledge that the funds were illicit. Wilful blindness may suffice, but mere negligence does not.
Identity Theft FAQs
Is creating a fake social media profile a crime?expand_more
What's the difference between civil and criminal identity theft?expand_more
My Instagram/WhatsApp was hacked, is it a crime?expand_more
What is 'catfishing'?expand_more
Can someone steal my identity to get a loan?expand_more
What should I do if someone impersonates me online?expand_more
Is using someone else's ID a crime?expand_more
Can the impersonator be tracked?expand_more
What is the penalty for identity theft?expand_more
Are companies victims of identity theft?expand_more
Looking for an Online Identity Theft Lawyer in Spain?
As a national cybercrime firm, we offer criminal defense and private prosecution in online identity theft, catfishing, account hacking, and financial identity fraud cases.
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.