Identity Theft Criminal Penalties and Federal Prosecution Overview

Federal and state law treat identity theft as a serious criminal offense, with penalty structures that escalate based on the method of theft, the value of fraudulent transactions, the number of victims, and whether protected populations were targeted. This page maps the criminal penalty framework governing identity theft prosecutions in the United States, covering the statutory provisions enforced by federal agencies, the charging standards applied by the Department of Justice, and the boundary conditions that determine when civil harm becomes criminal liability.

Definition and scope

Identity theft, as defined under 18 U.S.C. § 1028 (Fraud and Related Activity in Connection with Identification Documents) and 18 U.S.C. § 1028A (Aggravated Identity Theft), is the knowing transfer, possession, or use of another person's means of identification without lawful authority, in connection with another enumerated federal offense. The scope of covered "means of identification" is broad — encompassing names, Social Security numbers, account numbers, biometric data, and electronic identification numbers, among other identifiers.

The Identity Theft Enforcement and Restitution Act of 2008 expanded federal jurisdiction by removing the requirement that identity theft cross state lines or involve interstate commerce, enabling prosecution of purely local offenses through federal courts.

Distinct from civil remedies under the FCRA and from identity-theft-laws-federal, criminal prosecution requires proof of intent and connection to an underlying enumerated offense. This distinguishes negligent data handling from criminal identity fraud.

How it works

Federal prosecution under § 1028 and § 1028A proceeds through a structured evidentiary and charging framework. The Department of Justice (DOJ) and its U.S. Attorney's Offices serve as the primary prosecutorial bodies, often coordinating with the Federal Bureau of Investigation (FBI), the Federal Trade Commission (FTC), the Internal Revenue Service Criminal Investigation (IRS-CI), and the Social Security Administration Office of the Inspector General (SSA-OIG).

The charging process follows this general structure:

1. Investigation — Federal agencies identify the offense through victim reports, financial institution alerts, or data breach investigations. The FBI maintains jurisdiction over data-breach-and-identity-theft cases involving federal systems or large-scale fraud schemes.
2. Predicate offense identification — Prosecutors establish the underlying enumerated crime (e.g., wire fraud, bank fraud, passport fraud) to which the identity theft attaches. § 1028A requires that the identity theft occur "during and in relation to" a qualifying felony.
3. Indictment or information — Cases meeting evidentiary thresholds are presented to a grand jury or resolved through information in cooperation scenarios.
4. Sentencing — Federal sentencing follows the U.S. Sentencing Guidelines (USSG), particularly § 2B1.1 (fraud guidelines) and § 2B1.6 (aggravated identity theft), with the court applying enhancements based on loss amount, victim count, and vulnerability of targeted individuals.

Under § 1028A, the aggravated identity theft sentence is a mandatory minimum of 2 years, to be served consecutively — not concurrently — with the sentence for the underlying predicate offense. For offenses involving terrorism, the mandatory minimum increases to 5 years consecutive (18 U.S.C. § 1028A(b)).

Common scenarios

Federal prosecutors pursue identity theft charges across a range of fraud typologies. The most frequently prosecuted categories include:

Tax fraud — Perpetrators file fraudulent federal returns using stolen Social Security numbers. IRS-CI handles these cases; prosecutions often involve tax-identity-theft schemes affecting thousands of victims simultaneously and generating restitution orders in the millions of dollars.

Financial fraud — Stolen account credentials, credit card numbers, or bank identifiers are used to execute unauthorized transactions. These cases intersect with wire fraud statutes (18 U.S.C. § 1343) and bank fraud statutes (18 U.S.C. § 1344), elevating penalty exposure substantially.

Benefits fraud — Social Security benefits, Medicare claims, and government program disbursements obtained through false identities constitute a distinct prosecution category. SSA-OIG and HHS-OIG handle referrals, and government-benefits-identity-theft schemes frequently result in restitution orders under the Mandatory Victims Restitution Act.

Synthetic identity theft — Fabricated identities combining real and fictitious information are prosecuted under § 1028 where the underlying means of identification (e.g., a real Social Security number) belongs to a living person, even if that person was unaware of the account activity.

Criminal identity theft — A perpetrator uses a victim's identity when arrested or cited, causing the victim to acquire a criminal record. These cases may involve obstruction statutes in addition to § 1028.

Decision boundaries

The threshold separating administrative or civil action from federal criminal prosecution turns on four principal factors:

Loss amount — USSG § 2B1.1 applies specific offense level increases keyed to dollar thresholds. Losses exceeding $250,000 trigger substantial upward enhancements; losses above $25 million carry the highest tier adjustments (U.S. Sentencing Commission, Guidelines Manual).

Number of victims — Cases involving 10 or more victims trigger a 2-level enhancement under § 2B1.1(b)(2)(A); 50 or more victims trigger a 4-level enhancement.

Predicate offense type — A § 1028 violation standing alone carries up to 15 years imprisonment; if the offense involves a transfer of identification facilitating a felony drug trafficking or violence offense, the maximum increases to 20 years per count (18 U.S.C. § 1028(b)).

Vulnerable victim status — Targeting victims over age 65 (relevant to senior-identity-theft) or minors triggers a 2-level enhancement under USSG § 3A1.1(b)(1).

State prosecution — addressed separately in state-identity-theft-laws-reference — operates parallel to federal prosecution. Dual sovereignty doctrine permits both federal and state charges to proceed without double jeopardy attachment, meaning a single identity theft event can produce criminal liability in two separate court systems simultaneously.

References

• 18 U.S.C. § 1028 — Fraud and Related Activity in Connection with Identification Documents
• 18 U.S.C. § 1028A — Aggravated Identity Theft
• Identity Theft Enforcement and Restitution Act of 2008, S. 2168, 110th Congress
• U.S. Sentencing Commission — 2023 Guidelines Manual, § 2B1.1 and § 2B1.6
• Federal Trade Commission — Fair Credit Reporting Act
• Department of Justice — Identity Theft Prosecution Resources
• IRS Criminal Investigation — Identity Theft
• Social Security Administration Office of Inspector General — Fraud Reporting