Yes. In the Philippines, you can start a cybercrime complaint even if you do not yet know the real name of the person behind a dummy account, mobile number, email address, e-wallet account, website, or messaging app. The practical goal is to file a complaint against an unknown person or “John/Jane Doe” respondent, preserve the digital trail before it disappears, and allow the PNP Anti-Cybercrime Group, the NBI Cybercrime Division, prosecutors, and the courts to use lawful processes to identify the suspect. The important limit is this: a criminal case may begin with an unknown suspect, but it cannot successfully proceed to conviction unless the prosecution eventually proves who committed the act and connects that person to the online account or device.

The short answer: yes, but identity still has to be proven

Philippine criminal procedure allows the use of a fictitious name when the accused’s true name cannot yet be ascertained, provided the complaint or information states that the true name is unknown and the true name is later inserted once discovered. This is the legal basis for starting complaints against “John Doe,” “Jane Doe,” or “the person using the Facebook account/profile/number/email known as ___.” (Lawphil)

For cybercrime cases, this is especially important because the first visible “suspect” is often not a real person’s name. It may be:

a Facebook, TikTok, Instagram, X, or Telegram username;
a GCash, Maya, bank, or crypto wallet recipient;
a mobile number used for scam texts or calls;
an email address used for phishing or blackmail;
a website domain or seller page;
an IP address, device identifier, or login record;
a fake marketplace account; or
a hacked account belonging to an innocent person.

So the better way to think about it is: you are not suing the “dummy account.” You are asking law enforcement and prosecutors to investigate the human being or group behind it.

Legal basis for pursuing cybercrime cases against unknown suspects

RA 10175: Cybercrime Prevention Act of 2012

Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, punishes several online and computer-related offenses, including illegal access, illegal interception, data interference, system interference, cyber-squatting, computer-related forgery, computer-related fraud, computer-related identity theft, cybersex, child pornography through a computer system, and cyberlibel. (Supreme Court E-Library)

The same law identifies the National Bureau of Investigation (NBI) and the Philippine National Police (PNP) as law enforcement authorities responsible for enforcing the Cybercrime Prevention Act and organizing cybercrime units or centers to handle these cases. (Supreme Court E-Library)

RA 10175 is particularly useful in unknown-suspect cases because it recognizes the importance of subscriber information and traffic data. Subscriber information may include details by which a service provider can establish a subscriber’s identity, while traffic data may include non-content information such as origin, destination, route, time, date, size, duration, or type of service. (Supreme Court E-Library)

Rule on Cybercrime Warrants

The Supreme Court’s Rule on Cybercrime Warrants, A.M. No. 17-11-03-SC, provides the procedure for warrants and related orders involving preservation, disclosure, interception, search, seizure, examination, custody, and destruction of computer data. It supplements the Rules of Criminal Procedure for RA 10175 cases and for crimes committed through information and communications technology.

This matters because private complainants usually cannot simply demand that Facebook, Google, telcos, banks, or e-wallet providers reveal user identity data. Investigators generally need the proper legal process, such as:

Legal process	Practical purpose
Preservation of computer data	Prevents relevant traffic data, subscriber information, or content data from being deleted too soon
Warrant to Disclose Computer Data (WDCD)	Allows law enforcement to require a person or service provider to disclose subscriber information, traffic data, or relevant data
Warrant to Intercept Computer Data (WICD)	Allows court-authorized interception under strict conditions
Warrant to Search, Seize, and Examine Computer Data (WSSECD)	Allows search, seizure, and examination of computer data under a warrant
Warrant to Examine Computer Data (WECD)	Allows forensic examination of a device or system already lawfully obtained

Under the rule, traffic data and subscriber information must generally be preserved by a service provider for at least six months, while content data is preserved for six months from receipt of the preservation order; law enforcement may order a one-time six-month extension.

For disclosure, law enforcement must secure a Warrant to Disclose Computer Data before issuing an order requiring a service provider to submit subscriber information, traffic data, or relevant data within 72 hours from receipt of the order, in relation to a valid complaint officially docketed and assigned for investigation.

Jurisdiction of Philippine courts

RA 10175 gives Regional Trial Courts jurisdiction over cybercrime cases. Jurisdiction may exist when any element of the offense was committed in the Philippines, when a computer system wholly or partly situated in the Philippines was used, or when damage was caused to a person or entity who was in the Philippines at the time. (Supreme Court E-Library)

The Rule on Cybercrime Warrants also provides venue rules. Criminal actions for cybercrime offenses may be filed before the designated cybercrime court where the offense or any element was committed, where any part of the computer system used is situated, or where the damage occurred. Certain cybercrime courts in Quezon City, Manila, Makati, Pasig, Cebu, Iloilo, Davao, and Cagayan de Oro have special authority to issue warrants enforceable nationwide and outside the Philippines.

For service providers or persons located outside the Philippines, service of warrants and court processes is coursed through the DOJ Office of Cybercrime in line with international instruments and agreements.

Common cybercrime cases that may start with an unknown suspect

Many real-world cybercrime complaints in the Philippines begin with incomplete identity information. Examples include:

Situation	Possible legal basis
Fake online seller takes payment and disappears	Computer-related fraud under RA 10175; possible estafa under Article 315 of the Revised Penal Code
Someone creates a dummy account using your name/photos	Computer-related identity theft under RA 10175; possible Data Privacy Act issues
Your account is hacked and used to message friends for money	Illegal access, identity theft, fraud, or data interference under RA 10175
Anonymous person posts defamatory statements online	Cyberlibel under RA 10175 in relation to Articles 353 and 355 of the Revised Penal Code
Unknown person threatens to leak private photos	Depending on facts, possible grave threats, coercion, unjust vexation, anti-voyeurism, child protection, VAWC, or cybercrime violations
Phishing link steals your login credentials	Illegal access, misuse of devices, identity theft, or fraud under RA 10175
Scam texts or calls use rotating SIM numbers	Possible fraud, identity theft, spoofing, SIM Registration Act issues, and other cybercrime-related offenses

For cyberlibel, the Supreme Court in Disini v. Secretary of Justice held that cyberlibel under RA 10175 incorporates libel under Article 355 of the Revised Penal Code when committed through a computer system or similar means. The Court also discussed the elements of libel: defamatory imputation, publication, identification of the person defamed, and malice. (Supreme Court E-Library)

A practical warning: cyberlibel cases against unknown accounts often require more work than victims expect. It is not enough that the post is insulting. The complaint must show that the post identifies the offended person, contains a defamatory imputation, was published, and can be traced to the author. Disini also drew an important distinction between the original author of an allegedly libelous post and people who merely receive or react to it. (Supreme Court E-Library)

Step-by-step guide: how to file a cybercrime complaint when the suspect is unknown

1. Preserve the evidence before it disappears

Do this immediately. Accounts get deleted, usernames change, messages are unsent, and transaction histories may become harder to retrieve.

Save:

screenshots showing the full conversation, not just selected lines;
the profile URL, page URL, post URL, email address, username, handle, or account ID;
mobile numbers, e-wallet numbers, bank account numbers, crypto wallet addresses, tracking numbers, and reference numbers;
dates and times, preferably with the phone or computer clock visible;
transaction receipts, bank statements, e-wallet confirmations, delivery records, and order confirmations;
email headers for phishing or blackmail emails;
screen recordings showing how you accessed the account, post, or conversation;
the original device where the messages were received, if possible.

Avoid editing, cropping, annotating, or filtering the evidence file. You can create separate marked copies for explanation, but keep the originals.

This matters because cybercrime investigations and court proceedings rely heavily on integrity and chain of custody. Under the Rule on Cybercrime Warrants, seized or examined computer data is deposited with the issuing court with an inventory and details such as hash values, manner of acquisition, device information, and names of law enforcement personnel who accessed the data.

2. Report urgent scams immediately

If money was transferred, report to your bank, e-wallet provider, card issuer, or remittance platform right away. Ask for a reference number, ticket number, or written acknowledgment.

For online scams, the government’s Inter-Agency Response Center hotline 1326 is used for reporting scams and other online fraud concerns. Government reports describe it as a 24/7 hotline linked to the CICC, DICT, NTC, NPC, PNP, and NBI enforcement channels. (Philippine News Agency)

This step is separate from the criminal complaint. It may help preserve funds, flag accounts, or generate records useful for the investigation.

3. File with the NBI Cybercrime Division or PNP Anti-Cybercrime Group

You may file with either the NBI Cybercrime Division or the PNP Anti-Cybercrime Group. The NBI Citizens’ Charter for investigative assistance to victims of computer crimes states that the service is available to the general public, involves filing a complaint or request for investigation, preliminary interview, sworn statements or affidavits, and supporting documents. It lists no fee for the initial NBI Cybercrime Division process and indicates an initial processing time of about 1 hour and 10 minutes for the chartered front-end steps, not the entire investigation. (National Bureau of Investigation)

The PNP has also directed cybercrime complaints to the PNP ACG eComplaint channel or the appropriate ACG contact route. (www.foi.gov.ph)

4. Write the complaint against the unknown person clearly

Your complaint should not simply say, “I want to sue a scammer.” It should identify the unknown suspect using all available digital identifiers.

A useful wording is:

Respondent: The person or persons using, controlling, or benefiting from the Facebook account/profile/page named “,” with profile URL “,” using mobile number “,” email address “,” GCash/Maya/bank account “___,” whose true name and address are presently unknown.

Include a chronological narrative:

How you encountered the account, post, message, website, or offer.
What the unknown person represented to you.
What you did because of those representations.
What money, data, reputation, safety, or account access you lost.
What evidence links the account, number, wallet, email, or website to the criminal act.
What steps you already took with banks, e-wallets, platforms, telcos, or agencies.

5. Ask investigators about preservation and disclosure

In practice, time is critical. Many platforms retain logs only for limited periods, and even where the law provides preservation periods, investigators still need to act quickly.

Ask the assigned investigator whether the case can support:

a preservation request or order;
a WDCD for subscriber information or traffic data;
coordination with banks, e-wallets, telcos, or platforms;
forensic examination of your device;
referral to the prosecutor for case build-up or preliminary investigation.

The WDCD application must state essential facts such as the probable offense, relevance and necessity of the data, persons or entities whose data is sought if available, a particular description of the data, place and method of disclosure if available, and other information showing probable cause.

6. Understand that platform data does not automatically prove guilt

Subscriber data, SIM registration data, IP logs, or e-wallet account information may identify leads, but they are not always conclusive.

For example:

a SIM may be registered under one person but used by another;
a bank or e-wallet account may belong to a “money mule”;
a hacked account may be controlled by someone other than the registered owner;
an IP address may point to a shared Wi-Fi network, VPN, office, dormitory, café, or household;
a fake ID may have been used during onboarding;
a foreign platform may produce limited records.

This is why investigators usually look for corroboration: login patterns, withdrawal footage, delivery addresses, device seizures, admissions, repeated transactions, links among accounts, and witness statements.

7. Wait for case build-up, prosecutor action, and possible court filing

A cybercrime complaint often goes through:

Stage	What usually happens
Initial report	Complaint is received, evidence is reviewed, and the matter is assessed
Case build-up	Investigator gathers more digital, financial, or platform evidence
Cybercrime warrants or requests	Law enforcement seeks preservation, disclosure, search, seizure, or examination authority when justified
Prosecutor evaluation	Prosecutor determines whether the evidence supports filing charges
Filing in court	If sufficient, an information is filed in the proper court
Trial	The prosecution must prove the accused’s identity and guilt beyond reasonable doubt

The first visit to an agency may be quick, but the full investigation can take weeks or months, especially when the case involves foreign platforms, multiple e-wallets, banks, telcos, cryptocurrency, or suspects outside the Philippines.

Required documents and evidence

Bring both printed copies and digital copies when possible.

Requirement	Practical notes
Valid government ID	Passport, driver’s license, UMID, PhilID, PRC ID, or other accepted ID
Complaint-affidavit	A sworn written statement narrating the facts in chronological order
Screenshots and printouts	Include URLs, usernames, timestamps, and full conversation context
Original device	Phone, laptop, or tablet where messages, emails, or transactions are stored
Transaction records	Bank slips, e-wallet receipts, remittance records, crypto transaction hashes
Platform reports	Confirmation emails or ticket numbers from Facebook, Google, TikTok, GCash, Maya, banks, etc.
Proof of account ownership	Emails, login notices, account recovery records, phone number ownership documents
Witness affidavits	From people who saw the posts, received scam messages, or participated in transactions
Company documents	For corporate complainants: SEC documents, secretary’s certificate, board authority, representative’s ID
Foreign documents	Affidavits or SPAs executed abroad may need consular notarization or apostille, depending on where they are signed

For Filipinos or foreigners abroad, Philippine consulates commonly notarize affidavits and other documents for use in the Philippines, and documents notarized by a Philippine Embassy or Consulate generally do not need a separate apostille. Another route is local notarization followed by apostille from the competent authority of the foreign country, if that country is part of the Apostille Convention. (Philippine Consulate Melbourne)

Special issues for foreigners and Filipinos abroad

A foreigner may file a cybercrime complaint in the Philippines if the facts connect the offense to Philippine jurisdiction. Examples include:

the victim was in the Philippines when the damage occurred;
the scammer used a Philippine bank, e-wallet, SIM, address, or platform account;
part of the computer system used was in the Philippines;
the offender is a Filipino national;
the harmful content targeted a person or business in the Philippines;
the transaction, delivery, or payment was connected to the Philippines.

RA 10175 expressly recognizes jurisdiction where any element occurred in the Philippines, where a computer system wholly or partly situated in the Philippines was used, or where damage was caused to a person or entity in the Philippines. (Supreme Court E-Library)

If the complainant is abroad, the usual practical options are:

execute a complaint-affidavit before a Philippine Embassy or Consulate;
execute the affidavit before a local notary and have it apostilled if applicable;
appoint a representative in the Philippines through a Special Power of Attorney;
preserve and send digital evidence in original format, not only screenshots;
remain available for interviews, clarification, or testimony if the case proceeds.

Common mistakes that weaken unknown-suspect cybercrime complaints

Relying only on cropped screenshots

A cropped screenshot may show offensive words or a payment request, but it may not prove authorship, account control, timing, or context. Always preserve the full thread, URL, profile details, transaction trail, and original files.

Deleting the conversation after taking screenshots

Deleting the source message may make forensic validation harder. Keep the original message, email, chat, or app data if it is safe to do so.

Failing to capture URLs and account identifiers

Names and profile photos can change. URLs, profile IDs, email headers, transaction reference numbers, and wallet addresses are often more useful than display names.

Publicly accusing the suspected real person too early

It is tempting to post the alleged scammer’s name online, but this can create a separate defamation, harassment, privacy, or mistaken-identity problem, especially if the visible account was hacked or the financial account was only a mule account.

Assuming SIM registration automatically identifies the criminal

RA 11934, the SIM Registration Act, requires end-users to register SIMs before activation. (Lawphil) But a registered SIM does not automatically prove that the registered person personally committed the crime. Investigators still need evidence tying the suspect to the specific message, transaction, device, or account.

Waiting too long

Cybercrime cases are time-sensitive. Service provider logs, CCTV recordings, withdrawal records, IP logs, and account activity can become unavailable. Report promptly and ask for preservation.

Confusing platform takedown with criminal prosecution

Reporting a Facebook post, TikTok account, Telegram channel, or fake website may help remove content, but platform takedown is not the same as a criminal case. Criminal prosecution requires a complaint, evidence, investigation, prosecutor action, and eventually court proceedings.

How strong does the evidence need to be?

At the complaint stage, you do not need to prove guilt beyond reasonable doubt. But you need enough facts and documents to show that:

a cybercrime or related offense appears to have been committed;
you were the victim or offended party;
the unknown account, number, website, email, wallet, or device is connected to the offense;
the requested data is relevant and necessary;
there is a realistic path to identifying the person responsible.

At trial, the burden becomes much higher: the prosecution must prove the accused’s guilt beyond reasonable doubt. That includes proving identity, not merely proving that a fake account existed.

Practical timeline

Step	Typical timing	Notes
Evidence preservation by victim	Same day	Do this before reporting if possible, but do not delay urgent bank/e-wallet reports
Bank/e-wallet/platform incident report	Same day to a few days	Fast reporting may help flag accounts or preserve records
NBI/PNP initial complaint intake	Same day to several days	NBI’s chartered front-end process lists no fee and about 1 hour and 10 minutes for initial assistance steps
Case build-up	Weeks to months	Depends on complexity, number of platforms, and availability of records
Preservation/disclosure process	Days to months	Local providers may be faster; foreign platforms usually take longer
Prosecutor evaluation	Months in many cases	Docket congestion and need for supplemental evidence can affect timing
Court proceedings	Months to years	Depends on arrest, arraignment, evidence, witnesses, motions, and court calendar

Frequently Asked Questions

Can I file a cybercrime case if I only know the Facebook account?

Yes. You can file a complaint identifying the respondent as the unknown person using or controlling that Facebook account. Include the profile URL, screenshots, full message history, timestamps, and any connected phone numbers, email addresses, payment accounts, or other identifiers. The case becomes stronger if investigators can obtain platform, telco, or financial records linking the account to a real person.

Can the police or NBI trace an IP address?

They may be able to seek traffic data, subscriber information, or other records through lawful processes, but an IP address alone is often not enough. It may lead to a household, office, café, VPN, shared network, or service provider record. Investigators still need corroborating evidence connecting a person to the account or device.

Can I personally subpoena Facebook, Google, Telegram, or TikTok?

In ordinary criminal investigation practice, private complainants do not simply obtain confidential subscriber or traffic data by personal request. For cybercrime cases, law enforcement generally proceeds through preservation requests, cybercrime warrants, court processes, and, for foreign service providers, coordination through the DOJ Office of Cybercrime or applicable international cooperation channels.

Is a screenshot enough to file a complaint?

A screenshot may be enough to start a report, but it is rarely enough by itself to finish a strong criminal case. Preserve the original messages, URLs, email headers, transaction receipts, device data, account recovery notices, and platform reports. Courts and investigators care about authenticity, integrity, and chain of custody.

Can I file cyberlibel against an unknown dummy account?

Yes, but cyberlibel complaints require careful evidence. You must show the defamatory statement, publication, identification of the person defamed, malice where required, and a path to identifying the author. Under Disini, cyberlibel under RA 10175 is tied to libel under the Revised Penal Code when committed through a computer system. (Supreme Court E-Library)

What if the account was deleted?

You can still file, but you should gather whatever remains: screenshots, URLs, cached links, email notifications, witness screenshots, transaction records, and platform report numbers. Investigators may still seek preservation or disclosure if enough identifiers remain, but deletion makes the case harder.

Can I file from abroad?

Yes, if the case has a Philippine connection. You may need a sworn complaint-affidavit executed before a Philippine Embassy or Consulate, or a locally notarized and apostilled affidavit where applicable. A representative in the Philippines may also be authorized through a Special Power of Attorney.

Should I file with the NBI or PNP ACG?

Either may receive cybercrime complaints. The NBI Cybercrime Division and PNP Anti-Cybercrime Group both handle cybercrime investigations under RA 10175. In urgent scam situations, also report to your bank, e-wallet, platform, and the 1326 hotline.

Will the case be dismissed just because the suspect is unknown?

Not automatically. Unknown-suspect complaints are possible. The problem arises if, after investigation, the evidence still cannot identify the person responsible or cannot prove the elements of the offense. A criminal case needs a real accused who can be charged, arraigned, tried, and linked to the act.

Can the case proceed if the suspect is outside the Philippines?

It can, if Philippine jurisdiction exists and the evidence supports the charge. However, service of processes, obtaining foreign platform records, extradition, mutual legal assistance, and actual arrest can be slow and complicated. The DOJ Office of Cybercrime is the central authority for international mutual assistance and extradition matters related to cybercrime under RA 10175. (Supreme Court E-Library)

Key Takeaways

Yes, cybercrime complaints can be started against unknown suspects in the Philippines.
Use “John Doe,” “Jane Doe,” or a description such as “the person using the account/number/email/wallet ___ whose true identity is unknown.”
The visible account is only the starting point; the case must eventually identify and prove the real person behind it.
Preserve evidence immediately: URLs, full screenshots, original messages, receipts, email headers, device data, and transaction records.
The NBI Cybercrime Division and PNP Anti-Cybercrime Group are the main law enforcement routes for RA 10175 complaints.
Cybercrime warrants allow lawful preservation, disclosure, interception, search, seizure, and examination of computer data.
Foreign platforms and offshore suspects create delays, but Philippine law provides mechanisms for international cooperation.
Screenshots help start the case, but strong cybercrime prosecution usually requires authenticated digital evidence, subscriber or traffic data, financial records, and corroboration.
Report financial scams quickly to banks, e-wallets, platforms, and the 1326 hotline, while also preparing the formal criminal complaint.
The earlier you preserve evidence and file a properly documented complaint, the better the chance of identifying the unknown suspect.