Reach security professionals who buy.

850K+ monthly readers 72% have budget authority
Advertise on ScamWatchHQ.com →

Executive Summary: The World’s Most Technically Sophisticated Fraud Export Economy

Romania occupies a unique and troubling position in the global fraud landscape. Unlike most cybercrime-producing nations — where fraud is primarily conducted domestically against local victims — Romania has, over three decades, developed and exported a cybercrime infrastructure that targets victims worldwide. The FBI has run dedicated Romanian cybercrime task forces since the early 2000s. The US Embassy in Bucharest once estimated Romanian hackers were stealing $1 billion from Americans annually. And the phenomenon has only grown more sophisticated.

In 2026, Romania’s cybercrime ecosystem has evolved far beyond its Hackerville origins. Today it encompasses organized ATM and point-of-sale skimming cartels operating across Europe, business email compromise (BEC) networks targeting multinational corporations, ransomware affiliate operations connected to Russian criminal infrastructure, and a growing domestic fraud economy victimizing ordinary Romanians. Meanwhile, Romanian government systems face more than 10,000 cyberattack attempts daily — many attributed to Russian threat actors targeting Romania for its NATO membership and its support for Ukraine and Moldova.

Romania is simultaneously a leading producer of cybercrime and a rapidly escalating victim of it.

The Hackerville Origin Story

To understand Romania’s cybercrime landscape in 2026, you have to start in Râmnicu Vâlcea — a quiet mountain city of approximately 100,000 people about three hours north of Bucharest, in the foothills of the Carpathian Mountains. By the early 2000s, it had acquired an extraordinary nickname in law enforcement circles: Hackerville.

The rise of cybercrime in Râmnicu Vâlcea was neither random nor mysterious. After the Romanian revolution and fall of communism in 1989, the country endured years of economic collapse. A generation of technically talented young people — products of Romania’s strong Soviet-era mathematics and engineering education system — found themselves with elite skills and no legitimate economic opportunity to apply them.

The internet arrived in Romania in the mid-1990s. For the technically gifted, it offered something the formal economy could not: access to wealthy foreign victims. Early operations were crude — fake eBay listings selling cars that didn’t exist, collecting Western Union payments from credulous Americans. By the mid-2000s, they had evolved into sophisticated operations involving fake escrow services, counterfeit cheque networks, and phishing campaigns indistinguishable from legitimate institutional correspondence.

The FBI took notice early. Romanian hackers were arrested, tried in US courts, and sentenced to US federal prisons for wire fraud, identity theft, and computer intrusion in numbers that would have seemed incredible for a country of 19 million. Yet the operations continued — because the economic incentives remained, the technical skills were abundant, and the Romanian criminal justice system’s capacity for enforcement was limited.

Romania’s Cybercrime Ecosystem in 2026

ATM and Point-of-Sale Skimming

Romania is the world’s leading source country for ATM skimming operations in Europe. Romanian criminal networks design, manufacture, and deploy skimming hardware — devices attached to ATMs and POS terminals that capture card magnetic stripe data and PINs — across the EU, the UK, the United States, Canada, and Australia.

The sophistication of Romanian-linked skimming hardware has been consistently noted by law enforcement: compact, expertly machined, difficult to detect visually, and increasingly integrated with Bluetooth transmission that allows card data to be collected wirelessly without physical retrieval of the device.

Romanian skimming networks operate with a division of labor: engineers who produce the hardware, teams who deploy it across target cities, and networks who aggregate and monetize stolen card data. The full chain from card compromise to cashout can operate across multiple countries, with Romanian-designed hardware deployed by locally recruited couriers and data sold through Eastern European carding forums.

Europol’s operations against skimming networks in 2024 and 2025 consistently identified Romanian nationals among the most technically capable participants.

Business Email Compromise (BEC)

Romania is among the top five source countries globally for business email compromise fraud — attacks in which criminals impersonate corporate executives, vendors, or partners via email to redirect wire transfers or payment instructions.

Romanian BEC operations are notable for their professionalism. Unlike some BEC networks that rely on volume and opportunism, Romanian-linked operations demonstrate deep research into target organizations: studying corporate structures, understanding approval workflows, timing attacks around known financial activity (quarterly payments, contract renewals, M&A activity), and crafting communications that pass legal and financial scrutiny.

Losses from individual Romanian-linked BEC cases have reached tens of millions of euros. The Romanian National Police’s Cybercrime Directorate (DIICOT) has prosecuted multiple BEC networks in recent years, but the conviction rate relative to the volume of activity remains low.

Ransomware Affiliates

Romania’s cybercriminal infrastructure connects directly to the broader Eastern European ransomware economy. Romanian nationals have been identified as affiliates of major ransomware-as-a-service operations including REvil, Dharma, and more recent groups. The affiliate model — where technical operators provide ransomware infrastructure and Romanian criminals conduct intrusions and deploy the payloads — allows both sides to specialize and maintains operational separation.

The intersection of Romanian cybercrime with Russian state-adjacent criminal infrastructure is a recurring theme in law enforcement intelligence. While Romania itself is a NATO member and broadly Western-aligned, the cybercrime underground operates across these political boundaries.

Domestic Fraud Surge

While Romania’s international cybercrime reputation dominates the narrative, the country has also seen a dramatic surge in domestic fraud targeting Romanian citizens. DIICOT reported closing over 1,600 cybercrime cases in 2022 — a figure that has continued to grow — with pending cases above 4,000 and rising.

Domestic fraud in Romania is driven by:

  • Investment fraud and fake trading platforms targeting Romanians pursuing financial security amid economic uncertainty
  • Romance scams with Romanian victims increasingly targeted by foreign criminal networks
  • Social media fraud — counterfeit goods, non-delivery, and fake giveaway scams on Facebook and Instagram
  • Impersonation fraud — criminals posing as tax authorities, police, or banks to extract payments or credentials

The State as Target: 10,000 Daily Attacks

Romania’s NATO membership, geographic position on the Black Sea, and its active support for Ukraine and Moldova have made it a priority target for Russian state-sponsored and state-adjacent cyber operations.

Romanian Defense Minister Angell Tîlvăr stated publicly that Romanian government systems face more than 10,000 cyberattack attempts every day — making it one of the most persistently targeted NATO members in Eastern Europe. The attacks range from DDoS operations against government websites, to spear-phishing campaigns targeting government employees and military personnel, to sophisticated intrusion attempts against critical infrastructure.

The dual nature of Romania’s cybercrime landscape — a significant producer and increasingly a victim — creates a complex policy environment. The same technical talent pipeline that produced Hackerville’s criminal class also supplies Romania’s growing cybersecurity industry, with companies like Bitdefender (founded in Bucharest in 2001) emerging as globally recognized threat intelligence and antivirus providers.

Primary Scam Types Targeting Romanians

Investment fraud: Fake trading platforms, cryptocurrency scams, and social media investment promotions are the leading high-value fraud category. Losses per victim are significant, particularly among Romanians in the EU diaspora who have accumulated savings working abroad.

Telecom fraud and call center scams: Romania has documented networks of fraudulent call centers targeting both Romanian and foreign victims, impersonating banks, utility companies, and government agencies.

E-commerce fraud: Non-delivery, counterfeit goods, and fake online marketplaces — particularly on social media platforms — are the highest-volume fraud type by complaint volume.

Job offer fraud: As with much of Eastern Europe, fake employment offers — both domestic and targeting Romanians abroad — are used to extract processing fees and personal document copies.

Law Enforcement Response

Romania’s primary cybercrime prosecution body is DIICOT (Directorate for Investigating Organized Crime and Terrorism), which has developed significant cybercrime prosecution capability through cooperation with Europol, the FBI, and other international partners. Joint operations with US authorities in particular have resulted in the extradition of Romanian cybercriminals to face US federal charges.

Romania is also a member of the Joint Cybercrime Action Taskforce (J-CAT) hosted by Europol, and participates in coordinated operations targeting ransomware infrastructure, phishing networks, and carding forums.

The structural challenge remains: Romania’s cybercrime output significantly exceeds its domestic enforcement capacity. Cases are prosecuted selectively; the most technically sophisticated operators are rarely the ones arrested.

Protecting Yourself

For businesses operating in or with Romania:

  • Implement strict wire transfer verification protocols — all payment redirection requests should require voice confirmation via independently verified phone numbers
  • Train finance staff to recognize BEC attack patterns, particularly requests that create urgency or bypass normal approval chains
  • Be alert to skimming attacks at ATMs in Romanian cities and across Europe — inspect card readers before use, prefer contactless payment, and monitor card statements

For individuals:

  • Treat unsolicited investment opportunities from online contacts or social media with categorical scepticism
  • Verify any employment offer that requires advance payment of fees, document copies, or bank details before a signed contract
  • Use chip-and-PIN or contactless for all card transactions; avoid inserting cards where skimming risk is elevated

Key Statistics

MetricFigure
Daily cyberattack attempts on Romanian government10,000+
DIICOT cybercrime cases closed (2022)1,614
DIICOT pending cases4,000+
Romania’s position in World Cybercrime IndexTop tier for technical fraud / data theft
Economic crime as % of GDP~2.5%
Primary targets of Romanian BEC operationsEU, US, UK corporates

Romania is not simply a cybercrime origin story. It is an active, evolving, technically sophisticated export economy for fraud — and understanding its structure is essential for any organization operating in Europe or globally.