diff --git a/backend/src/graphql/resolver/TransactionResolver.ts b/backend/src/graphql/resolver/TransactionResolver.ts
index 3c540b1f6..04f636b5a 100644
--- a/backend/src/graphql/resolver/TransactionResolver.ts
+++ b/backend/src/graphql/resolver/TransactionResolver.ts
@@ -323,6 +323,7 @@ export class TransactionResolver {
 }
 // TODO this is subject to replay attacks
+ // --- WHY?
 const senderUser = getUser(context)
 // validate recipient user
diff --git a/backend/src/graphql/resolver/util/findUserByIdentifier.ts b/backend/src/graphql/resolver/util/findUserByIdentifier.ts
index df932e544..dd4f9a775 100644
--- a/backend/src/graphql/resolver/util/findUserByIdentifier.ts
+++ b/backend/src/graphql/resolver/util/findUserByIdentifier.ts
@@ -4,6 +4,8 @@ import { validate, version } from 'uuid'
 import { LogError } from '@/server/LogError'
+import { validAliasRegex } from './validateAlias'
+
 export const findUserByIdentifier = async (identifier: string): Promise => {
 let user: DbUser | undefined
 if (validate(identifier) && version(identifier) === 4) {
@@ -27,8 +29,12 @@ export const findUserByIdentifier = async (identifier: string): Promise
 }
 user = userContact.user
 user.emailContact = userContact
+ } else if (validAliasRegex.exec(identifier)) {
+ user = await DbUser.findOne({ where: { alias: identifier }, relations: ['emailContact'] })
+ if (!user) {
+ throw new LogError('No user found to given identifier', identifier)
+ }
 } else {
- // last is alias when implemented
 throw new LogError('Unknown identifier type', identifier)
 }
diff --git a/backend/src/graphql/resolver/util/validateAlias.ts b/backend/src/graphql/resolver/util/validateAlias.ts
index dcea7824c..3afc9c7d0 100644
--- a/backend/src/graphql/resolver/util/validateAlias.ts
+++ b/backend/src/graphql/resolver/util/validateAlias.ts
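Review bot: The added `// --- WHY?` under the replay-attack TODO records a question in production code rather than an answer, so the next reader is left with the same open concern plus a second comment that carries no information. If the intent is that the TODO's rationale is unclear, replace both lines with a comment that states what is actually missing, presumably along the lines of `// TODO: this mutation carries no nonce/idempotency key, so an identical request can be submitted again` — but confirm that against the surrounding method before committing to it, or move the question to a tracked issue and reference it here. The enclosing resolver method starts before this hunk, so the request-handling code that the TODO refers to is not visible in the diff.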
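Review bot: The new alias branch looks the user up with an exact `where: { alias: identifier }`, while `validateAlias` (in this same commit) enforces uniqueness with `LOWER(alias) = lower(input)`, i.e. aliases are treated as case-insensitive on registration; whether `Alice` can be resolved by `alice` here therefore depends on the column collation rather than on the code, and the two paths should agree. Normalising the lookup the same way, e.g. `user = await DbUser.findOne({ where: { alias: Raw((a) => \`LOWER(${a}) = :alias\`, { alias: identifier.toLowerCase() }) }, relations: ['emailContact'] })` with `Raw` imported from typeorm, keeps the parameter bound instead of interpolated. As a minor point, `validAliasRegex.exec(identifier)` is used only as a boolean; `validAliasRegex.test(identifier)` is the idiomatic form. Note that this branch also inherits whatever `validAliasRegex` accepts, so any defect in that pattern (see the note on the validateAlias hunk) changes which existing aliases can be resolved at all.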
@@ -3,6 +3,8 @@ import { User as DbUser } from '@entity/User'
 import { LogError } from '@/server/LogError'
+export const validAliasRegex = /^(?=.{3,20}$)[a-zA-Z0-9]+(?:[_-][a-zA-Z0-9])*$/
+
 const reservedAlias = [
 'admin',
 'email',
@@ -24,9 +26,7 @@ const reservedAlias = [
 export const validateAlias = async (alias: string): Promise => {
 if (alias.length < 3) throw new LogError('Given alias is too short', alias)
 if (alias.length > 20) throw new LogError('Given alias is too long', alias)
- /* eslint-disable-next-line security/detect-unsafe-regex */
- if (!alias.match(/^[0-9A-Za-z]([_-]?[A-Za-z0-9])+$/))
- throw new LogError('Invalid characters in alias', alias)
+ if (!alias.match(validAliasRegex)) throw new LogError('Invalid characters in alias', alias)
 if (reservedAlias.includes(alias.toLowerCase())) throw new LogError('Alias is not allowed', alias)
 const aliasInUse = await DbUser.find({ where: { alias: Raw((a) => `LOWER(${a}) = "${alias.toLowerCase()}"`) },
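Review bot: The new `validAliasRegex` is stricter than the pattern it replaces in a way that looks unintended: after a `_` or `-` it allows exactly one alphanumeric character, so `john_doe` or `max-mustermann` no longer match (the old `([_-]?[A-Za-z0-9])+` accepted them), and because `findUserByIdentifier` now reuses this regex, such already-registered aliases can no longer be resolved either. Allowing a run of characters after each separator restores the old semantics while keeping the separator-must-be-followed-by-alnum rule: `export const validAliasRegex = /^(?=.{3,20}$)[a-zA-Z0-9]+(?:[_-][a-zA-Z0-9]+)*$/`. The second hunk of this file dropped the `eslint-disable-next-line security/detect-unsafe-regex` marker; safe-regex-style rules flag nested quantifiers regardless of whether the alternatives overlap, so if that rule is enabled here the corrected pattern will likely need the marker on the definition line, with a comment noting that the `(?=.{3,20}$)` lookahead bounds any backtracking to 20 characters. A short TSDoc on the export stating the contract — 3–20 characters, alphanumeric segments joined by single `_`/`-`, no leading or trailing separator — would also spare callers from re-deriving it.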