Identity Theft Investigation Guide
Freezing your credit and filing a report stops the bleeding, but it does not answer the question every victim eventually asks: who did this, and how? Investigating identity theft is a separate job from preventing it. It means reconstructing how your information was taken, tracing the fraudulent accounts, addresses, and phone numbers the thief opened in your name back toward a real person or ring, and assembling a clean evidence file that police, the FTC, and creditors can actually act on. This guide walks through that investigation, lawfully, from the first suspicious alert to a documented case.
The Short Version
An identity-theft investigation has two halves: documenting how your identity was used, and tracing that use back toward whoever did it. Start by pulling everything the thief left behind — fraudulent account numbers, the addresses and phone numbers they listed, the IP and device fingerprints creditors can disclose to you as a victim. Those breadcrumbs are leads. Many of them resolve, through lawful public-records and skip-tracing work, to a real name, an address history, and the people connected to it. The goal is not vigilante justice; it is a documented, dated evidence file that gives a detective something to charge, the FTC a complete affidavit, and creditors and a civil attorney the facts they need. We build that file; you keep control of how it is used.
Watch: Investigating Identity Theft
How a stolen identity is traced back to a person, lawfully.
Watch Overview
Prevention Is Over. Now You Investigate.
The work that begins after the credit freeze.
Most identity-theft advice stops at the wall: freeze your credit, change your passwords, set fraud alerts. That is essential, and you should do all of it. But it is defense, not investigation. It seals the doors the thief used; it does not tell you who walked through them or how. Once the immediate damage is contained, a very different question opens up, and it is the reason this page exists: can the fraud be traced back to a real person? Surprisingly often, yes.
The reason is simple. To use your identity, a thief had to do things — open an account, ship a card somewhere, list a phone number, give a delivery address, sometimes show up at a counter. Each of those acts leaves a record, and many of those records are disclosable to you as the victim. An identity-theft investigation is the disciplined work of collecting those records, turning the fragments into leads, and following the leads through lawful research until they resolve to a person, an address, and a connection you can hand to law enforcement. This is post-incident investigation and evidence-building, not pre-transaction verification of someone you are about to deal with — a different page for a different moment.
What the Thief Left Behind
Every fraudulent act creates a record you can request.
Fraudulent Accounts
Cards, loans, or utilities opened in your name carry an application address, contact phone, and email the thief controlled.
Shipping Addresses
Goods or replacement cards had to be sent somewhere a person could collect them. That drop address is a lead.
Phone Numbers
The number on a fraudulent application or used to bypass verification often ties to a real subscriber or pattern.
Emails & Logins
The email used to register an account, and the username patterns around it, frequently reappear elsewhere online.
IP & Device Data
Many lenders log the IP and device that submitted a fraudulent application and can disclose it to a victim or to police.
Known-Person Patterns
In many cases the thief is not a stranger — a relative, ex, or roommate who had access. The records often point inward.
None of these fragments is proof on its own. Each is a thread. The investigation is the work of pulling each thread, under the Fair Credit Reporting Act provisions that let a victim request the records of accounts opened in their name, and seeing which ones lead somewhere real.
Three Jobs People Confuse
Investigating theft is not the same as preventing it or verifying someone.
| Task | When It Happens | The Question It Answers | The Output |
|---|---|---|---|
| Identity Verification | Before a transaction | Is this person who they claim to be? | A go/no-go on dealing with someone now. |
| Prevention & Cleanup | Right after discovery | How do I stop the damage and fix my credit? | Freezes, disputes, restored accounts. |
| Theft Investigation This Page | After the damage is contained | Who did this, how, and can I prove it? | A documented evidence file for police and the FTC. |
All three matter, but they are sequential and distinct. You verify before you transact, you contain damage the moment you discover fraud, and you investigate once the fires are out. This page is squarely about the third — the post-incident work of attribution and evidence. If you are still at the “stop the bleeding” stage, do that first; the trail will keep.
How a Lead Becomes a Name
Turning a drop address or burner number into a real person.
The single most useful artifact in most identity-theft cases is an address the thief actually used — the place a fraudulent card was mailed, the delivery address on a stolen-card order, or the address listed on a credit application that is not yours. People are remarkably tied to addresses. A residence resolves, through public records, to current and former occupants, the people associated with them, and an address history that can be walked forward and backward in time. A drop that looks anonymous often turns out to belong to, or sit beside, someone with a real connection to the fraud.
Phone numbers behave the same way. A number used on a fraudulent application or to defeat a one-time passcode can be run through a lawful reverse phone lookup to identify a subscriber, carrier, and line type, and a suspected burner can be approached with the techniques in our guide on identifying a scammer by phone number. Emails and usernames are threads too — a registration email frequently reappears across other accounts, and the pattern around a handle can be followed using the same methods we describe for tracing the person who scammed you. Layer the address result over the phone result over the email result, and a single name often sits where all three overlap.
This is the same disciplined records method behind any serious financial-crime workup; if you want the broader framework, see our overview of how to investigate fraud. Applied to identity theft, it simply starts from the artifacts the thief left in your name rather than from a business deal gone wrong.
The Investigation, Step by Step
From scattered alerts to a file someone can act on.
Catalog the Fraud
List every account, charge, address, phone, and email that is not yours. Pull your full credit reports and request the underlying application records as the victim.
Extract the Leads
From those records, isolate the usable artifacts — drop addresses, contact numbers, registration emails, and any IP or device data a creditor discloses.
Trace Each Thread
Resolve addresses to occupants and history, numbers to subscribers, and emails to connected accounts through lawful public records and licensed databases.
Build the Evidence File
Assemble a dated, sourced report tying the leads together — ready for a police report, the FTC affidavit, creditor disputes, or a civil claim.
Where Your Evidence File Goes
A good investigation is only useful if someone can act on it.
The point of the investigation is not the thrill of the chase; it is producing something the right parties can use. Start with the FTC’s IdentityTheft.gov, where you file an Identity Theft Report and recovery plan — a complete, fact-rich affidavit is far stronger than a vague one, and the leads you developed go straight into it. That FTC report, paired with a police report, is also the document creditors and the credit bureaus must honor when you dispute fraudulent accounts and demand the underlying records.
From there, the same file does double duty. A local detective can do little with “someone stole my identity,” but a packet that names a likely address, a subscriber behind a number, and a documented connection gives an investigator a place to start and a charge to consider. And if the loss is large enough to justify civil action, your attorney can use the evidence to support claims and, where appropriate, to locate and pursue the responsible party. One disciplined investigation; several places it pays off. We hand you the file and the documentation behind it; the decision of where to take it stays yours.
Who This Helps
Victims and the professionals who support them.
Theft Victims
Answers beyond the credit freeze
Attorneys
Evidence for civil recovery
Fraud Units
Leads packaged for review
Creditors
Documented fraud disputes
Family Cases
When the thief is known
Small Businesses
Business-identity fraud traced
Whatever your role, the obstacle is the same: a stack of fraudulent activity with no name attached. We work the artifacts the thief left in your name, resolve them through lawful records, and deliver a sourced, dated report. We are a skip-tracing and public-records research firm operating under the FCRA, GLBA, and DPPA, not licensed private investigators, and we never use deception or pretexting to obtain information. For a legitimate victim with a real case, a first round of leads typically comes back within 24 hours.
Our Commitment
We trace the fraud committed in your name back toward a real person, lawfully, and hand you a documented evidence file your detective, the FTC, and your creditors can actually use. Public-records research for identity-theft victims since 2004 — no pretexting, no guesswork.
Frequently Asked Questions
Can identity theft actually be traced to a person?
Often, yes. To misuse your identity the thief had to open accounts, ship items, and list contact details, all of which leave records. Drop addresses, application phone numbers, and registration emails frequently resolve, through lawful research, to a real name or a small set of connected people.
How is this different from identity verification?
Verification happens before a transaction and asks whether someone is who they claim to be. An identity-theft investigation happens after the fraud and asks who committed it and how. This page is about the post-incident investigation and the evidence file, not pre-transaction verification.
What information should I gather first?
Pull your full credit reports and list every account, charge, address, phone number, and email that is not yours. As a victim you can request the underlying application records for fraudulent accounts, which is where the most useful leads usually live.
What can a drop address or phone number reveal?
An address used by the thief resolves to current and former occupants, associated people, and an address history. A phone number can be traced to a subscriber, carrier, and line type. Layered together, these leads often converge on a single name.
Do you ever find the thief is someone I know?
It is common. A meaningful share of identity theft is committed by a relative, ex-partner, or someone with household access. The records frequently point inward, which is exactly why a careful, documented investigation matters before any accusation.
What do I do with the evidence file?
File an Identity Theft Report at the FTC’s IdentityTheft.gov and a police report. The same documented leads strengthen creditor and bureau disputes, give a detective a place to start, and support a civil claim if the loss justifies one.
Is this legal, and do you use pretexting?
Yes, it is legal, and no, we never pretext. We are a skip-tracing and public-records firm working under the FCRA, GLBA, and DPPA. We use lawful records and licensed databases only, never deception, and never claim to be licensed private investigators.
How fast can you develop leads, and what do you need?
For a legitimate victim with a documented case, a first round of leads typically comes back within 24 hours. Send the fraudulent addresses, phone numbers, account details, and emails you have catalogued, and we build from there.
Want to Know Who Did This?
We trace the fraud in your name back toward a real person and hand you a documented evidence file for police, the FTC, and your creditors — typically a first round of leads within 24 hours. Contact us to get started.
Start Your Request →
