Cargando...
Contenido
A few years ago, a colleague forwarded me a case that still sticks with me. A schoolteacher in Valencia discovered she owed thousands in gambling taxes on winnings she’d never earned, from accounts she’d never opened, at operators she’d never heard of. Someone had used her national ID number to register on multiple gambling platforms, burned through deposits, and left her to explain to the tax authorities why her fiscal record showed gambling income. She wasn’t a gambler. She’d never placed a bet in her life.
In 2025, Spain recorded 8,675 identity-theft complaints linked to online gambling — a 12% increase over the previous year. That number represents real people dealing with fraudulent accounts, unexpected tax liabilities, and the exhausting process of proving they weren’t responsible. This isn’t a fringe problem. It’s a systemic vulnerability in how gambling accounts are opened, and it disproportionately affects people who have no connection to gambling at all.
How Stolen Identities Are Used to Open Gambling Accounts
The mechanics are depressingly straightforward. Spain’s identity verification for gambling accounts relies on the DNI — the Documento Nacional de Identidad. A DNI number, a name, and a date of birth are often enough to open an account. The stolen data comes from phishing, data breaches, dark web marketplaces, or sometimes from people close to the victim. I’ve reviewed cases where a family member used a relative’s documents, cases where data was harvested from unrelated service registrations, and cases where entire batches of stolen identities were sold to organised groups running coordinated account-opening operations.
Betting accounts make up 85% of identity-theft cases in the gambling sector, but casinos are catching up fast — growing from 7% to 18% of all cases in 2025. The growth on the casino side correlates with the expansion of online casino offerings and the higher deposit volumes casino accounts typically generate. For the criminal, a casino account is more valuable than a betting account because the money can be cycled through games and withdrawn as apparently legitimate winnings — a basic money laundering technique that exploits gaps in operator verification.
What makes this especially damaging is the intersection with self-exclusion. Over 7,600 people enrolled in Spain’s RGIAJ self-exclusion register had their data used by third parties to open gambling accounts. Think about what that means: someone who took the step to exclude themselves from gambling — often because they were struggling with gambling disorder — had their identity hijacked to create the very accounts they were trying to avoid. The self-exclusion register, which was designed to protect vulnerable people, became a vulnerability in itself because the personal data it holds was valuable to fraudsters.
The PACS Protocol: Spain’s Response to Gambling Identity Theft
Spain didn’t ignore this problem — it just took longer than it should have to build a coordinated response. The PACS protocol — Protocolo de Actuación ante la Comunicación de Suplantación — is the DGOJ’s structured process for handling identity-theft complaints in the gambling sector. Raúl Torres, an online gambling legal advisor, has put the scale in stark terms: 90% of the problems seen in Spanish players come from having played at unlicensed casinos, and he considers it entirely preventable if basic verification rules are followed.
The PACS process works in stages. A victim files a complaint with the DGOJ, which then cross-references the complaint against its database of licensed operators. If accounts are found, the DGOJ contacts the operators directly and requires them to freeze the accounts, flag the registration as fraudulent, and provide transaction records. The victim simultaneously files a police report — a denuncia — which creates the legal basis for investigating the identity theft itself.
What PACS does well is coordination. Before the protocol existed, victims had to contact each operator individually, often facing scepticism and bureaucratic resistance. The DGOJ’s involvement cuts through that because operators are legally obligated to respond to the regulator. The protocol also creates a paper trail that tax authorities recognise, which is critical for victims facing unexpected tax liabilities from gambling winnings earned by someone else using their identity.
What PACS does not do is cover unlicensed operators. If the fraudulent account was opened at an offshore casino operating without a DGOJ licence, the protocol has no reach. The DGOJ can’t compel a Curaçao-licensed operator — or an entirely unlicensed one — to freeze an account or hand over records. This is where the broader risk landscape of unlicensed casinos becomes directly relevant to identity-theft victims: the tools that exist to help them work only within the regulated perimeter.
Steps to Check If Your Identity Has Been Misused
I always tell people the same thing: don’t wait for a tax surprise to find out. There are concrete steps you can take right now to check whether your identity has been used to open gambling accounts in Spain.
The DGOJ maintains a registry of licensed operators, and you can contact the regulator directly to request a check of whether any gambling accounts exist under your DNI. This is the most comprehensive check available within the regulated market. If accounts are found that you didn’t open, the PACS protocol kicks in immediately.
Beyond the DGOJ, check your bank and card statements for transactions to gambling operators you don’t recognise. Payment descriptors vary — some are obvious, others use parent company names that don’t immediately suggest gambling. If you spot unfamiliar transactions, your bank can provide merchant category codes that reveal whether the payment went to a gambling operator. The RGIAJ self-exclusion register is another checkpoint: you can verify whether someone has enrolled you without your knowledge, or whether your existing enrolment data has been accessed or modified.
For tax purposes, your annual draft tax return from the Agencia Tributaria will show gambling-related income in section G2. If figures appear there that don’t match your actual gambling activity — or if you see gambling income and you’ve never gambled — that’s the clearest sign of identity theft. Don’t amend the return yourself; file the denuncia first and then work with the Agencia Tributaria to correct the record with the police report as supporting documentation.
Prevention is harder than detection. Short of never sharing your DNI — which is impractical in Spain, where it’s required for everything from phone contracts to gym memberships — the best protection is monitoring. Regular checks of your tax data, banking activity, and DGOJ registry status catch problems early, before they compound into legal and financial complications that take months to unravel.
FAQ
How can you find out if someone has opened a gambling account in your name in Spain?
Contact the DGOJ directly to request a check of all gambling accounts registered under your DNI number. You can also review your annual draft tax return from the Agencia Tributaria for unexpected gambling income in section G2, and check bank statements for unrecognised transactions to gambling operators. If fraudulent accounts are found, the DGOJ’s PACS protocol coordinates the response across licensed operators.
What is the RGIAJ self-exclusion register and can identity thieves bypass it?
The RGIAJ is Spain’s national self-exclusion register for gambling. People who enrol are blocked from opening accounts at DGOJ-licensed operators. However, in 2025, over 7,600 self-excluded individuals had their personal data used by third parties to open accounts — meaning identity thieves exploited the data rather than bypassing the register itself. The register does not protect against account openings at unlicensed operators, which don’t check it.