The authors of the present article analyze the criminal legislation of eight foreign countries (the United States, the United Kingdom, Nigeria, France, Finland, Estonia, Russia, China) as well as Lithuania in order to discuss and compare the criminalization aspects of online identity theft. Online identity theft is a rather new phenomenon and dangerous not only to separate individuals but to the whole society. It is concerned with the violation of consumer protection rules, security and privacy and anti-spam rules, etc. Online identity theft is a global problem, and this leads to the discussions whether it should be criminalized or not. The analysis is focused on the Three-Phase Model of online identity theft: obtaining identity-related information (phase 1), interaction with identity-related information (phase 2) and the use of the identity-related information in relation to a criminal offence (phase 3). The authors analyze whether in the countries under investigation online identity theft is treated as a criminal act or separate phases of it are considered as constituent elements of common crimes such as unlawful access to data, fraud, forgery, etc. only.