Risks of Unlicensed Casinos in Spain — Identity Theft & Fraud Data | SINBANCA

Last year, I received a message from a reader in Valencia who had deposited 2,400 euros at an offshore casino over three months. When he hit a 6,000-euro win on a live roulette table and requested a withdrawal, the operator asked for identity documents he had never been asked to provide at registration. He sent them. Two weeks later, the operator asked for additional documents. Then silence. His account was eventually closed with a generic terms-of-service violation notice, and the 6,000 euros — along with his original deposits — were gone. He had no regulatory body to contact, no dispute resolution process, no legal standing in any jurisdiction.

That story is not unusual. It is not even the worst I have heard. In nine years of analysing offshore iGaming, I have documented patterns that repeat across operators, jurisdictions, and years: identity theft through compromised registration data, financial losses with no avenue for recovery, and legal exposure that most players never consider until it is too late. The risks of playing at unlicensed casinos are not hypothetical. They are quantified, documented, and growing. In 2025 alone, 8,675 identity-theft complaints linked to online gambling were filed in Spain — a 12% increase over the previous year. Nearly half of all surveyed players may be operating in the unregulated market, many of them without realising it.

This is not a scare piece. I am not here to moralise about where you put your money. But after years of seeing the same patterns destroy people’s finances and data, I think the least I can do is lay out what the risks actually look like — with numbers, mechanisms, and specifics rather than vague warnings.

Identity Theft: 8,675 Cases and the PACS Protocol

The number that stopped me when I first saw it: 8,675. That is how many identity-theft complaints linked to online gambling the DGOJ recorded in 2025, up 12% from 2024. Behind each complaint is a person who discovered that someone had opened a gambling account in their name, often racking up debts or triggering tax obligations they knew nothing about.

The mechanism is straightforward. Stolen personal data — national ID numbers, addresses, dates of birth — is used to create accounts at online gambling platforms. Betting accounts for 85% of these identity-theft cases, but the casino segment is growing fast, jumping from 7% to 18% of cases in 2025 alone. The shift toward casinos makes sense from a criminal’s perspective: casino accounts process higher individual transactions and attract less pattern-based scrutiny than repeated small sports bets.

What makes this particularly damaging is the intersection with Spain’s self-exclusion system. Over 7,600 people enrolled in the RGIAJ — the national self-exclusion register — had their data used by third parties to open gambling accounts. Think about what that means: someone took the step of formally excluding themselves from gambling, and their identity was then used to do exactly what they were trying to stop. The psychological impact is severe, but the practical consequences are worse. The victim may face tax assessments on «winnings» they never received, or find themselves flagged in financial background checks.

Spain’s response is the PACS protocol — a coordinated system between the DGOJ, law enforcement, and gambling operators designed to identify and remediate identity-theft cases. Raúl Torres, an online gambling legal advisor, has noted that 90% of the problems he sees in Spanish players come from having played at unlicensed casinos, and that the damage is entirely preventable through basic verification. The PACS process works, but it is reactive: it helps after the damage is done. For a more detailed breakdown of how the protocol functions and what steps victims should take, I have written a separate piece on identity theft in online gambling.

The connection to unlicensed casinos is direct. DGOJ-licensed operators are required to verify identity at registration using validated government databases. Offshore operators often skip this step entirely — which is marketed as a feature («no KYC, instant play») but functions as a vulnerability. When an operator does not verify who is opening an account, it cannot detect stolen identities. The account gets created, deposits get processed, and by the time the real person discovers what happened, the money and data are long gone.

Financial Risk: No Dispute Resolution, No Recourse

A colleague of mine likes to say that the moment you deposit at an unlicensed casino, you are no longer a customer — you are a creditor with no security. Harsh, but accurate. The entire financial relationship between player and operator rests on the operator’s willingness to pay, because there is no regulatory mechanism to compel them.

At a DGOJ-licensed casino, a player who believes a withdrawal has been unfairly withheld can file a complaint with the DGOJ, which has the power to investigate, sanction the operator, and require payment. The process is not instant — bureaucracy never is — but it exists. At an offshore casino without a DGOJ licence, that pathway is closed. You can complain to the licensing jurisdiction — Curaçao, Malta, Gibraltar — but those regulators have no obligation to enforce on behalf of players outside their jurisdiction. And if the operator holds no valid licence at all, you are left with consumer protection law in the operator’s country of incorporation, which for many offshore casinos means a shell company in a jurisdiction you cannot practically access.

Operating illegal gambling without a licence in Spain is classified as a «very serious» offence under Ley 13/2011, carrying fines between 1 million and 50 million euros. Mikel Arana, Director General of the DGOJ, has acknowledged the scale of the enforcement challenge. But those fines target operators, not players. The financial risk for the player is not criminal prosecution — it is the simple, unglamorous reality that your money sits in an account controlled by an entity with no legal obligation to return it and no regulator with the power to make them.

The most common scenario I see is the delayed withdrawal. The player requests a payout. The operator requests identity documents that were never required at deposit. The player submits them. The operator requests additional documents, or claims the originals were insufficient, or imposes a «review period» that stretches from days to weeks. Some players give up and keep playing — which is, of course, exactly what the operator wants. Others wait until the operator either pays or stops responding. In the unregulated market, there is no third option.

Chargebacks through credit card issuers or e-wallet providers offer a partial safety net, but they are unreliable. Many offshore operators process deposits through intermediary payment companies, making it difficult for the player’s bank to identify and reverse the transaction. Crypto deposits are irreversible by design. Once you send Bitcoin to an operator’s wallet, there is no mechanism — technical or legal — to recover it without the operator’s cooperation.

The contrast with regulated markets is stark. In the UK, for example, 96.3% of 44.2 million withdrawals on regulated platforms were completed instantly, 3.5% within 24 hours, and only 0.1% took longer than 48 hours. Those numbers reflect a market where the UKGC can revoke licences worth millions if operators play withdrawal games. At unlicensed casinos, there is no equivalent threat — and the withdrawal experience reflects that absence.

Data Security Gaps at Unregulated Operators

Every time you register at an online casino, you hand over data: name, email, date of birth, sometimes government ID, sometimes bank details. At a DGOJ-licensed operator, that data is governed by Spain’s data protection framework (LOPDGDD), the GDPR, and the DGOJ’s own technical standards. There are rules about how it is stored, who can access it, how long it is retained, and what happens in the event of a breach. At an unlicensed operator, those rules do not apply — not because the operator chose to ignore them, but because no regulatory authority has the power to enforce them.

I have reviewed the privacy policies of dozens of offshore casinos over the years. Some have no privacy policy at all. Others have a template copy-pasted from a generic legal document generator, with placeholder text still visible. One operator I audited in 2024 listed a data controller address in London that turned out to be a virtual office service — nobody there had any connection to the casino. The privacy policy was theatre, and the data went wherever the operator decided to send it.

The practical risk is data resale. Player databases from gambling sites are valuable on dark web marketplaces because they contain a combination of identity data, financial information, and behavioural patterns (deposit amounts, frequency, payment methods) that enable targeted fraud. A breached database from a regulated operator is a serious incident that triggers notification requirements and regulatory scrutiny. A breached database from an unlicensed operator is a non-event, because there is no regulatory body to notify and no legal obligation to inform affected players.

Even without a breach, the data handling practices at many offshore operators create risk. Customer support interactions via live chat — where players routinely share account numbers, ID documents, and personal details — are often handled by outsourced teams with varying data security standards. If you have ever sent a photo of your passport to a live chat agent at an unregulated casino, that image exists on a server you cannot audit, managed by a company you cannot contact, in a jurisdiction with no enforceable data protection obligations toward you.

Legal and Tax Exposure for the Player

Here is a question I get asked constantly: can a Spanish player be prosecuted for gambling at an unlicensed site? The short answer is that Spanish gambling law targets operators, not players. Ley 13/2011 criminalises the provision of unlicensed gambling, and the DGOJ’s enforcement actions — 58 sanctions totalling 111 million euros in 2025 alone — are directed at the companies running illegal operations, not the individuals placing bets.

But «not prosecuted» does not mean «no legal consequences.» The tax exposure is real and often overlooked. Under Spanish tax law, gambling winnings are taxable income regardless of where the gambling occurred. If you win at an offshore casino, those winnings should be declared on your IRPF tax return under section G2. The problem is documentation. A DGOJ-licensed operator provides clear records of deposits, withdrawals, and net results that you can use for your tax filing. An unlicensed operator may provide nothing, and if they close or you lose access to your account, reconstructing your gambling history for tax purposes becomes impossible.

The estimated volume of unregulated online gambling in Spain reached 231 million euros in 2024, equivalent to 16% of the regulated market. That is a substantial amount of economic activity occurring outside any tax reporting framework. The Agencia Tributaria is increasingly aware of this gap, and the DGOJ has signalled that it monitors payment flows to unlicensed operators — including, as Mikel Arana has stated publicly, cryptocurrency transactions. If the tax authority identifies payments to an unlicensed gambling site and no corresponding income declaration, the player faces potential back taxes, interest, and penalties.

There is also the question of proceeds. If you receive a large transfer from an offshore operator into a Spanish bank account, the bank may flag it under anti-money laundering protocols. Explaining that the money came from gambling at an unlicensed site does not resolve the issue — it raises additional questions about the source and legality of the funds. I have seen players face account freezes and mandatory reporting simply because their bank could not verify the origin of a deposit from an offshore payment processor.

The legal landscape is shifting. The DGOJ has opened a public consultation on amending Ley 13/2011, with submissions open until 22 June 2026. Whether the reform will introduce direct consequences for players who use unlicensed platforms remains to be seen, but the direction of travel is toward stricter enforcement across the entire chain — operators, payment processors, and potentially players themselves.

Script Casinos: How to Spot a Cloned Scam Site

The worst-case scenario is not a licensed offshore casino with slow withdrawals. The worst case is a casino that does not exist in any meaningful sense — a script casino, built from a purchased template, running pirated games, and designed to collect deposits until the complaints pile up, at which point the operator closes the domain and opens a new one.

Script casinos are exactly what the name suggests: ready-made casino websites sold as turnkey packages. For a few hundred dollars, anyone can purchase a complete casino platform — front-end design, game integrations, payment processing, even customer support scripts. The games on these platforms are often pirated copies of titles from major providers, running without authorisation and potentially with modified RTP settings. The licence logos at the bottom of the page are images, not links — they point nowhere because there is no licence behind them.

Spotting a script casino requires looking at the details most players skip. Check the domain age: a casino site registered three months ago is not a «trusted operator since 2018,» regardless of what the About page claims. Run a WHOIS lookup: if the domain registration is hidden behind a privacy service and the site provides no verifiable corporate information, that is a signal. Look at the terms and conditions: script casinos often use template legal text with inconsistencies — references to jurisdictions that do not match the stated licence, or terms copied verbatim from other casino sites. Compare the site’s design to other casinos: if the layout, colour scheme, and game selection are identical to three other sites with different names, you are looking at a template, not an original operation.

The DGOJ blocked 229 portals in 2025, many of which were script casinos or rebrands of previously blocked sites. But blocking is reactive — new domains can be registered faster than regulators can shut them down. The UK Gambling Commission has reviewed over 200,000 URLs linked to unlicensed gambling and removed approximately 100,000, which gives some sense of the scale. For every site that gets blocked, another appears. The only effective defence is the player’s own ability to recognise the pattern before depositing.

None of the risks I have outlined here are theoretical. Every one of them has documented cases, quantified impacts, and identifiable mechanisms. The 231-million-euro unregulated market in Spain is not an abstraction — it is thousands of individual players, each facing some combination of identity exposure, financial vulnerability, data risk, legal ambiguity, and potential fraud. Knowing the specific mechanisms is not the same as being protected from them, but it is the difference between walking into a situation with open eyes and walking in blind.

Contenido creado por el equipo de SINBANCA