Online Identity Theft in Turkey: Criminal Liability and Compensation Claims

Introduction

Online identity theft in Turkey has become one of the most serious legal risks of the digital era. A person’s identity can now be stolen, imitated or misused through social media accounts, e-mail addresses, mobile phone numbers, online banking credentials, fake websites, forged digital documents, phishing messages, e-commerce accounts, cryptocurrency platforms and personal data leaks. The consequences may be severe: unauthorized loans, fraudulent bank transfers, fake social media profiles, reputational damage, blackmail, unlawful publication of private data, criminal investigations against the wrong person and financial loss.

Turkish law does not regulate online identity theft under one single article titled “identity theft.” Instead, the legal classification depends on the specific conduct. Online identity theft may involve unlawful acquisition or publication of personal data, violation of privacy, unauthorized access to information systems, system interference, qualified fraud, bank or credit card misuse, forgery, threats, blackmail and civil compensation claims.

The Turkish cybercrime framework includes Turkish Penal Code provisions on information systems, personal data and fraud, as well as procedural rules on digital evidence and internet-related measures. The Council of Europe’s cybercrime profile for Turkey identifies Articles 243, 244, 245 and 245/A of the Turkish Penal Code as core cybercrime provisions and notes that cybercrime investigations are directed by the prosecution service with technical support from police authorities.

This article explains online identity theft in Turkey from a practical legal perspective. It covers criminal liability, victim rights, digital evidence, personal data remedies, civil compensation claims and defence strategies.

1. What Is Online Identity Theft?

Online identity theft occurs when a person’s identity, personal data, digital account, name, image, signature, phone number, e-mail address, banking information or other identifying information is unlawfully obtained or used by another person. The purpose may be financial gain, reputation damage, access to private data, impersonation, blackmail, fraud, harassment or concealment of the real perpetrator’s identity.

Online identity theft may take many forms. A fraudster may create a fake social media account using another person’s name and photograph. A hacker may obtain someone’s e-mail password and use it to reset other accounts. A criminal may use another person’s identity information to open a bank account, obtain a SIM card, register on a platform or receive fraudulent payments. A scammer may imitate a lawyer, bank officer, cargo company or public institution to deceive victims. An attacker may use stolen identity documents to pass verification checks on cryptocurrency or investment platforms.

The key legal point is that identity theft is usually not a single act. It is a chain of conduct. The perpetrator may first obtain personal data, then access accounts, then deceive third parties, then transfer money, then hide traces. Each stage may correspond to a different criminal offence.

2. Main Legal Provisions Applicable to Online Identity Theft

Online identity theft in Turkey may involve several provisions of the Turkish Penal Code.

First, personal data offences are highly relevant. Article 135 punishes unlawful recording of personal data. Article 136 punishes unlawful delivery, publication or acquisition of data, with imprisonment from one to four years. Article 137 increases the punishment by half if these offences are committed by a public officer through the influence of public office or by exploiting the advantage of a profession or art.

Second, privacy offences may apply. Article 134 punishes violation of private life and also punishes disclosure of audio-visual recordings relating to private life. This becomes important where identity theft involves private photographs, videos, messages or intimate content.

Third, cybercrime provisions may apply. Article 243 punishes unlawfully entering or remaining in a data processing system. Article 244 punishes hindering or destroying the operation of a data processing system, deleting, changing, preventing access to data, installing data into the system or sending available data elsewhere.

Fourth, fraud and banking offences may become relevant. If stolen identity data is used to deceive a victim or obtain money, fraud or qualified fraud may be discussed. If bank or credit card information is used, Article 245 may also become relevant.

Therefore, an online identity theft case should never be assessed under one provision only. A strong criminal complaint must explain exactly which data was obtained, how it was used, whether accounts were accessed, whether money was taken, whether private information was published and whether third parties were deceived.

3. Personal Data Theft and Turkish Penal Code Articles 135–136

Personal data theft is often the foundation of online identity theft. Names, Turkish identity numbers, passport numbers, addresses, phone numbers, e-mail addresses, signatures, photographs, account passwords, bank information, social media data and identity document copies may all be used to impersonate someone online.

Article 135 of the Turkish Penal Code punishes unlawful recording of personal data. Article 136 punishes unlawfully delivering data to another person, publishing data or acquiring data through illegal means. These provisions are particularly important where the offender collects identity documents, stores passwords, publishes private information online or transfers personal data to scammers.

For example, if a person obtains a victim’s identity card image and uses it to open fake platform accounts, Article 136 may be relevant. If someone publishes another person’s phone number, address and identity information online to expose or harass them, personal data offences may arise. If a former employee exports customer identity information and gives it to third parties, both personal data offences and corporate data breach issues may be relevant.

A criminal complaint should clearly list the personal data involved. It should also explain how the victim discovered the theft, where the data was used, whether the data was published, whether third parties received it and whether any financial or reputational damage occurred.

4. Fake Social Media Profiles and Impersonation

One of the most common forms of online identity theft is creating fake social media profiles. The perpetrator may use the victim’s name, photograph, professional title, workplace, personal images or contact information. The fake account may be used to deceive friends, damage reputation, send insulting messages, request money, publish private content or harass the victim.

Under Turkish law, fake social media impersonation may involve multiple offences. If the fake profile contains personal photographs and identity information, personal data offences may apply. If the fake account is used to publish private content, privacy offences may arise. If the account is used to request money from others, fraud may be relevant. If the perpetrator accessed the victim’s real account before creating the fake profile, Article 243 on unauthorized access may also apply.

Victims should preserve screenshots, account URLs, profile names, messages sent by the fake account, follower or friend requests, payment requests and any content posted. It is important to record the URL of the fake account, because screenshots alone may not be sufficient to identify the account later.

Where the fake profile harms reputation or personal rights, content removal and access blocking strategies may also be considered. Law No. 5651 regulates access blocking and content removal in Turkey; legal commentary notes that access blocking and removal of content are regulated under that law and may protect rights in situations such as attacks on personal rights or prevention of crimes.

5. Identity Theft Through Phishing

Phishing is a common method of identity theft. The victim may receive an SMS, e-mail or message appearing to come from a bank, cargo company, public institution, e-commerce platform, social media provider or employer. The link may direct the victim to a fake page where they enter identity information, passwords, card details, verification codes or account credentials.

Once the attacker obtains the data, they may access accounts, make bank transfers, open fake accounts, reset passwords, purchase goods, apply for services or commit fraud against third parties.

In such cases, the legal classification may include qualified fraud, unauthorized access, personal data offences and bank card misuse. If the victim was deceived into entering data, fraud provisions may be relevant. If the attacker then entered an account, Article 243 may apply. If the attacker changed passwords, transferred data or blocked access, Article 244 may apply. If card information was used, Article 245 may be added.

Victims should preserve the phishing message, the fake URL, screenshots of the page, bank records, verification SMS messages, e-mail notifications and any platform warnings. They should not delete the original message, because metadata may be important.

6. Unauthorized Access to E-Mail and Social Media Accounts

Identity theft frequently begins with unauthorized access to an e-mail or social media account. E-mail accounts are especially dangerous because they may be used to reset passwords for banking, shopping, cloud storage, social media and business platforms.

Article 243 of the Turkish Penal Code punishes unlawful access to a data processing system or remaining there. Article 244 becomes relevant if the offender changes data, prevents access, deletes messages or transfers data elsewhere.

For example, if an attacker enters a victim’s e-mail account and reads messages, Article 243 may apply. If the attacker changes the recovery address, deletes security notifications, downloads files or sends the victim’s data to another account, Article 244 may also apply. If the attacker uses the e-mail account to impersonate the victim and request money, fraud provisions may become relevant.

Victims should immediately change passwords, secure recovery e-mails, enable two-factor authentication and preserve login alerts. A criminal complaint should request platform access records, IP logs, device information and account change history.

7. Online Identity Theft and Financial Fraud

The most damaging identity theft cases often involve financial fraud. Stolen identity information may be used to open accounts, receive funds, apply for loans, conduct online purchases, access internet banking, register SIM cards or create cryptocurrency exchange accounts.

If identity theft is used to deceive a person, bank, platform or company into transferring money or providing services, fraud or qualified fraud may be relevant. If the offender uses another person’s bank or credit card information, Article 245 may apply. If personal data is used to bypass verification systems, personal data offences may also apply.

The victim should act immediately. Banks should be notified, accounts and cards should be blocked, transaction objections should be filed and all records should be preserved. A criminal complaint should include IBAN details, recipient account information, transaction dates, messages, phone numbers, e-mail addresses, platform IDs and identity documents used in the fraud.

Money recovery depends heavily on speed. If funds remain in an account, legal measures may be more effective. If funds are withdrawn, transferred through multiple accounts or converted into cryptocurrency, tracing becomes more difficult.

8. Identity Theft Using Phone Numbers and SIM Cards

Phone numbers are central to modern identity systems. Many banks, platforms and social media services use SMS verification or two-factor authentication. If a criminal obtains control of a victim’s phone number, they may reset passwords, approve transactions or access accounts.

SIM-related identity theft may involve forged documents, fraudulent SIM replacement, social engineering or misuse of personal data. The legal analysis may include personal data crimes, fraud, forgery, unauthorized access and banking offences depending on the facts.

Evidence may include telecom records, SIM replacement documents, store camera footage, identity documents used, SMS verification logs, bank transaction records and platform login alerts. Victims should contact the telecom operator immediately and request written records of SIM changes or suspicious activity.

9. Identity Theft and Forged Digital Documents

Online identity theft may involve forged digital documents. A perpetrator may use another person’s identity card image, passport, signature, tax document, diploma, power of attorney, company document, invoice or bank statement. These documents may be manipulated and submitted to platforms, banks, employers, public institutions or private companies.

Depending on the document and use, forgery offences may arise in addition to personal data crimes and fraud. If the forged document is used to obtain financial benefit, open accounts or deceive third parties, fraud may also be considered.

In practice, victims should obtain copies of the forged documents where possible, identify where they were submitted, preserve correspondence and request official records from the relevant platform or institution.

10. Corporate Identity Theft

Identity theft does not only affect individuals. Companies may also be impersonated online. A fraudster may create a fake website using a company’s trade name, logo, address, tax information or employee names. Fake e-mails may be sent in the company’s name. Fraudsters may issue fake invoices, redirect payments, create fake social media accounts or pretend to be company representatives.

Corporate identity theft may create serious legal and reputational harm. It may lead to customer fraud, supplier disputes, loss of trust, trademark issues, unfair competition, cybercrime complaints and content removal requests.

Companies should preserve fake domains, e-mail headers, fake invoices, screenshots, customer complaints, bank account details and phone numbers used by the fraudsters. They may need to file criminal complaints, send notices to hosting providers, request content removal, warn customers and review cybersecurity controls.

11. Digital Evidence in Online Identity Theft Cases

Digital evidence is decisive in identity theft cases. Important evidence may include:

• Screenshots of fake profiles.
• URLs of fake accounts or websites.
• E-mail headers.
• SMS and WhatsApp messages.
• Bank transaction records.
• Identity documents used by the perpetrator.
• Platform account records.
• Login alerts.
• IP records.
• Device information.
• Phone numbers.
• SIM replacement records.
• Cargo delivery records.
• Marketplace advertisements.
• Cryptocurrency wallet addresses.
• Notarial determinations where appropriate.
• Expert reports.

The Council of Europe’s Turkey cybercrime profile notes that the National Cybercrime Department may support investigations and forensic work where technology is a significant factor, and that urgent measures related to traffic data and computer searches may be conducted on the basis of judicial authorization under Article 134 of the Criminal Procedure Code.

Victims should avoid deleting messages or resetting devices before preserving evidence. Screenshots are helpful, but original records, metadata, URLs, headers and platform notifications are stronger.

12. Criminal Complaint Strategy for Victims

A criminal complaint for online identity theft should be clear, chronological and evidence-based. It should explain:

• Which identity information was stolen.
• How the victim discovered the theft.
• Where the data was used.
• Whether accounts were accessed.
• Whether fake profiles or websites were created.
• Whether money was taken.
• Whether third parties were deceived.
• Whether private data was published.
• Which suspects are known or suspected.
• Which evidence should be collected urgently.

The complaint should request investigation under relevant provisions, including personal data offences, unauthorized access, system interference, fraud, bank card misuse, privacy offences, forgery and other applicable offences.

It should also request collection of bank records, platform logs, IP records, hosting information, telecom records, device evidence and camera footage where relevant. In urgent cases, the complaint should request preservation of digital evidence before it disappears.

13. Victim Rights Under Personal Data Protection Law

If identity theft involves unlawful processing of personal data by a data controller, the victim may also have rights under the Personal Data Protection Law No. 6698. Data subjects have rights including requesting information about processing, knowing third parties to whom personal data has been transferred, requesting correction of incomplete or inaccurate data, requesting erasure or destruction under legal conditions and claiming compensation for damage arising from unlawful processing.

Data controllers must also take necessary technical and organizational measures to provide an appropriate level of security, including preventing unlawful processing, preventing unlawful access and ensuring protection of personal data. If processed data is obtained by others unlawfully, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time.

The Turkish Personal Data Protection Authority explains that the Board interprets the “shortest time” for breach notification as no later than 72 hours after the controller becomes aware of the breach.

Therefore, if identity theft occurred because a company failed to protect personal data, the victim may consider both criminal complaint and KVKK-based remedies.

14. Compensation Claims for Online Identity Theft

Online identity theft may cause both material and moral damages. Victims may seek compensation depending on the facts.

Material damages may include:

• Money stolen from bank accounts.
• Unauthorized card transactions.
• Loans or debts created through identity misuse.
• Costs of restoring accounts.
• Legal and notarial expenses.
• Cybersecurity and forensic expenses.
• Business losses.
• Reputation management costs.
• Losses caused by fake orders or fake contracts.

Moral damages may arise where identity theft causes distress, fear, humiliation, reputational harm, violation of privacy, exposure of private information or loss of social trust.

A compensation claim must show unlawful conduct, damage and causal connection. If the claim is against the direct perpetrator, the criminal file may support the civil case. If the claim is against a company, bank, platform or data controller, the claimant must show the legal basis of responsibility, such as inadequate security, unlawful data processing, breach of contract or negligence.

15. Claims Against Data Controllers

If a company’s poor security allowed identity data to be stolen, affected persons may consider claims against the data controller. The KVKK framework requires data controllers to take appropriate technical and organizational measures and provides data subjects with the right to claim compensation for damage arising from unlawful processing.

For example, if a company stores identity documents without adequate security and those documents are leaked, victims may argue that the company failed to protect their data. If stolen identity documents are then used for fraud, causation and foreseeability will become central issues.

The company may defend itself by showing that it implemented appropriate security measures, responded quickly, notified authorities where necessary, investigated the incident and took remedial steps. Therefore, documentation is important for both claimants and defendants.

16. Content Removal and Access Blocking

Identity theft often involves online content: fake profiles, fake advertisements, fake websites, private photographs, identity documents or defamatory posts. Victims may need urgent removal of this content to stop ongoing harm.

Law No. 5651 is the central internet publication law in Turkey. Access blocking may include domain-name blocking, IP blocking, URL-based blocking and similar methods, and the law contains mechanisms for removal of content and access blocking in different situations.

However, the legal route depends on the type of content and current procedural framework. For identity theft victims, the practical strategy may include platform complaints, criminal complaint, notice to hosting providers, requests for preservation of logs, content removal applications and civil injunctions where appropriate.

Urgency is critical. Fake websites may disappear quickly, but harm may continue through copied content or repeated accounts. Victims should preserve evidence before requesting removal.

17. Defence Strategies in Identity Theft Allegations

Online identity theft allegations may also affect persons wrongly accused. A person may be suspected because their bank account received money, their phone number was used, their IP address appears in logs or a fake account was linked to their e-mail. These indicators may be important, but they do not automatically prove guilt.

Defence strategies may include:

• The accused did not obtain or use the victim’s identity data.
• The bank account was used by another person.
• The accused was deceived as a money mule.
• The phone number was registered but not controlled by the accused.
• IP evidence is insufficient to identify the user.
• The device was shared or compromised.
• The accused had lawful consent or authorization.
• There is no proof of fraudulent intent.
• The alleged fake account was not created by the accused.
• Screenshots are unsupported and unverifiable.
• Digital evidence was obtained unlawfully.
• The case is a civil dispute, not criminal identity theft.

In identity theft cases, the prosecution must prove conduct, intent and connection to the accused. Digital traces should be examined carefully and not treated as automatic proof.

18. Practical Checklist for Victims

A victim of online identity theft in Turkey should act quickly:

1. Preserve all evidence before deletion.
2. Take screenshots with URLs and timestamps.
3. Save original e-mails with headers.
4. Keep SMS and chat messages.
5. Notify banks and block cards or accounts.
6. Change passwords and enable two-factor authentication.
7. Contact telecom operators if SIM misuse is suspected.
8. Report fake profiles to platforms.
9. Warn contacts if fraud is ongoing.
10. File a criminal complaint with evidence.
11. Request collection of logs and bank records.
12. Consider KVKK applications if a data controller is involved.
13. Seek content removal or access blocking if harmful content is online.
14. Document financial and moral damages.
15. Monitor for new fake accounts or further misuse.

The first hours and days are important because digital logs, platform records, camera footage and bank movements may become harder to obtain later.

19. Preventive Measures Against Identity Theft

Individuals and companies can reduce identity theft risks through preventive measures.

Individuals should use strong passwords, enable two-factor authentication, avoid suspicious links, avoid sharing identity documents unless necessary, watermark identity document copies where appropriate, monitor bank accounts, secure e-mail recovery options, avoid using the same password on multiple platforms and be cautious with investment or cargo links.

Companies should minimize personal data collection, store identity documents securely, restrict access to customer data, use encryption, maintain log records, train employees, conduct vendor due diligence, prepare incident response plans and comply with KVKK security obligations.

Identity theft prevention is not only a technical issue. It is also legal risk management.

20. Why Legal Assistance Is Important

Online identity theft cases can be complex. A victim may need criminal complaint, bank objections, content removal, KVKK application, civil compensation claim and digital forensic support at the same time. A company may need to handle data breach notification, customer communication, internal investigation and criminal complaint. A suspect may need technical defence against weak digital attribution.

A Turkish cybercrime lawyer can assist with evidence preservation, criminal complaint drafting, legal classification, urgent applications, platform and provider requests, compensation claims, KVKK remedies and defence strategy.

The strongest legal strategy is usually interdisciplinary. Criminal law, data protection law, civil liability, internet law and digital forensics must be evaluated together.

Conclusion

Online identity theft in Turkey is a multi-layered legal problem. It may involve personal data offences under Articles 135 and 136 of the Turkish Penal Code, privacy violations under Article 134, unauthorized access under Article 243, system interference under Article 244, fraud, bank card misuse, forgery, blackmail and civil compensation claims.

For victims, fast action is essential. Evidence must be preserved, banks and platforms must be notified, criminal complaints must be detailed and online content must be removed where possible. If a company or data controller failed to protect personal data, KVKK remedies and compensation claims may also be considered.

For defendants, the key issues are identity, intent, authorization and reliability of digital evidence. A bank account, phone number or IP address may be part of the case, but it does not automatically prove personal guilt.

In the digital age, identity is one of the most valuable personal assets. When identity is stolen online, Turkish law provides criminal, civil and data protection remedies. Effective protection depends on speed, evidence, correct legal classification and a carefully structured legal strategy.