The criminal offence of computer fraud – regulation, case law and comparative perspectives

This article explains how Romanian criminal law defines computer fraud, how it interacts with related cybercrime offences and which sanctions you face in practice. It also highlights key case-law and comparative perspectives, helping you and your lawyer assess the strength of the evidence, raise technical objections and build a defence strategy around digital proof.

Introduction: the evolution of cybercrime and the impact of digital fraud

Cybercrime has grown explosively in recent decades, in step with the expansion of the Internet and the digitalisation of the economy. Traditional fraud methods have been adapted to the online environment, generating complex digital fraud schemes with a significant cross-border impact. From simple phishing e-mails to elaborate schemes for diverting electronic payments, offenders use technology to obtain illicit gains and cause substantial loss to victims. Recent data indicate that phishing remains the most common method of initiating cyber-attacks and is the main vector through which offenders obtain initial access to systems or sensitive data[1]. This phenomenon is reflected in global statistics – for example, a Europol report records a phishing network with more than 480,000 victims worldwide, dismantled through international cooperation[2][3]. The economic impact of computer fraud is significant: the amounts illegally obtained by offenders and the losses suffered by individuals, companies and institutions reach billions of euros annually, undermining trust in digital transactions and the security of IT systems.

The evolution of this type of criminality has led authorities to develop specific legal tools to combat digital fraud. While at first offences committed through electronic means were subsumed under classic categories (such as fraud), there are now distinct offences that reflect the specifics of the virtual environment. Romania aligned itself with these trends, introducing cybercrime offences as early as 2003 through Law no. 161/2003 (which transposed the Budapest Convention on Cybercrime) and subsequently incorporating them into the modern Criminal Code (Law no. 286/2009). Thus, computer fraud became a standalone offence designed to protect property and the security of electronic transactions in an increasingly digital society[4][5].

In this context, the present article aims to provide an extensive analysis of the offence of computer fraud, covering the Romanian legal framework (definition, constituent elements, aggravating forms), examples from domestic case law, associated criminal phenomena (such as phishing, spoofing, skimming, Man-in-the-Middle attacks), comparisons with legal solutions in other systems (Germany, France, USA), the role of international bodies involved in combating cybercrime and aspects of international judicial cooperation. We also address practical issues in investigating these acts – the difficulty of identifying perpetrators, proving fraudulent intent, the intersection with special legislation (Law 161/2003 and Law 365/2002) – as well as possible defences or causes that may exclude criminal liability. Finally, we outline current legislative trends (from the implementation of EU directives to the new UN Convention on Cybercrime) and highlight future challenges, while offering some best practices for lawyers dealing with such cases.

Regulation of computer fraud in the Romanian Criminal Code – Art. 249: definition, constituent elements, aggravated forms


Computer fraud is regulated in the Romanian Criminal Code under Art. 249, in the chapter dedicated to frauds committed through IT systems and electronic means of payment. According to the statutory text, the act consists in “the introduction, transmission, modification or deletion of computer data, the restriction of access to such data or the hindering in any way of the functioning of an IT system, for the purpose of obtaining an economic benefit for oneself or for another, if damage has been caused to a person”[6]. In other words, the offence covers unauthorised interference with computer data or systems, carried out with the intention of obtaining an unjust material gain, which results in pecuniary damage.

The constituent elements of computer fraud can be analysed as follows:

  • Material element (the conduct): it may be committed through any of the alternative actions listed by the law: introduction of computer data (inserting false or unauthorised information into a system), transmission of data (for example, sending commands or computer instructions intended to produce a patrimonial effect), modification or deletion of data (altering the integrity of stored information), restricting access to data (illegally blocking, encrypting or password-protecting information, as in ransomware attacks), or hindering the functioning of an IT system (sabotaging, overloading or disrupting a system – for example, through DDoS attacks). What all these methods have in common is their unauthorised character (without right) and their capacity to alter the normal functioning of systems or the integrity of data.
  • Immediate result: the production of patrimonial damage. Computer fraud is therefore a result-based offence – the law requires that damage be caused to someone (natural or legal person). The loss may consist, for instance, in sums of money fraudulently transferred, financial losses resulting from placing fictitious orders, damage caused by unauthorised access to bank accounts, etc. If the act failed to produce the intended damage, it may be classified as an attempt (attempt is punishable for this offence under Art. 252 of the Criminal Code[7]).
  • Mental element: the essential requirement is direct intent qualified by a specific purpose – to obtain an unjust material benefit for oneself or another. In other words, the perpetrator acts with fraudulent intent, seeking a patrimonial gain (usually money or goods) by manipulating computer systems or data. This subjective requirement distinguishes computer fraud from other cyber offences (such as illegal access or alteration of data integrity), which can be committed with different purposes (curiosity, digital vandalism, etc.). If the purpose of obtaining material benefits is absent, the act will not meet the constituent elements of Art. 249 and may instead constitute other offences (for example, data destruction – Art. 362 Criminal Code, or system disruption – Art. 363 Criminal Code).
  • Subjects of the offence: the active subject (perpetrator) can be any person with criminal liability (including, in principle, legal entities if the offence is committed in their interest or on their behalf). Jurisdiction normally lies with ordinary prosecution bodies, but for serious cases (discussed in section 3) jurisdiction may fall to the Directorate for Investigating Organized Crime and Terrorism (DIICOT). The passive subject is the injured party – usually the holder of the damaged assets or the owner of the targeted IT system.

The penalties provided by law emphasise the gravity of the act: Art. 249 of the Criminal Code provides a penalty of imprisonment from 2 to 7 years for consummated computer fraud[6], similar in range to aggravated fraud. The legislator thus punishes these acts relatively severely, taking into account the high social danger of cybercrime. Attempt is also punishable (Art. 252 Criminal Code)[7].

Aggravated forms and relationship with other offences
The Criminal Code does not expressly provide special aggravated versions of computer fraud (such as a separate paragraph for particularly serious consequences). However, there are aggravated cases in practice arising from the application of general rules or from concurrence with other offences:

  • Particularly serious consequences: if computer fraud causes material damage exceeding 2,000,000 lei, the act constitutes “particularly serious consequences” within the meaning of Art. 183 Criminal Code. This constitutes a statutory aggravating circumstance that may lead to an increase in the penalty. The threshold of 2 million lei is also relevant for DIICOT’s jurisdiction – under the law, computer fraud falls under DIICOT’s competence if it caused particularly serious consequences and was committed for the purpose of an organised criminal group[8][9]. Large-scale computer frauds committed by organised groups (e.g. transnational hacker networks stealing huge sums) are therefore normally taken over by DIICOT.
  • Connection with other offences: computer fraud is often committed together with other criminal acts, which aggravates the defendants’ situation through concurrence of offences. It is frequently associated with computer forgery (Art. 325 Criminal Code) – for example, falsifying data or websites as part of the fraud scheme – or with illegal access to an IT system (Art. 360 Criminal Code) – for example, a hacker first accesses a system without right and then modifies data to commit the fraud. In such cases, if the acts are not absorbed into a complex offence, concurrence will be retained and penalties may be combined with an increase. It is worth mentioning that the High Court of Cassation and Justice clarified the relationship between computer fraud and (classic) fraud: in Decision no. 37/2021 (preliminary ruling), the Court held that posting fictitious online ads by which victims are deceived into paying for non-existent goods, without interfering with the functioning of the system or computer data, fulfils the constituent elements of fraud (Art. 244 Criminal Code), not computer fraud[10][11]. In practice, if there is no interference with the IT system but only fraudulent communication (online) that causes loss to someone, the act will be classified as fraud (under the “other fraudulent means” modality in Art. 244 para. (2) Criminal Code), and not as computer fraud. This distinction underlines that computer fraud concerns deception of the machine (manipulating the electronic system), whereas classic fraud remains deception of the person (misleading a human being)[12][11].
  • Organised criminal group: if computer fraud is committed by an organised group (three or more persons structured for the purpose of committing offences), the separate offence of establishing an organised criminal group (Art. 367 Criminal Code) will also be retained, which further worsens the legal situation. In fact, the most complex cyber fraud cases often involve well-organised international networks, with each member having a precise role (for instance, some handle the technical side – creating fake websites, malware, etc., others handle cashing out or laundering the funds). We will see concrete examples in the next section.

In conclusion, Art. 249 Criminal Code provides a robust legal framework for punishing computer fraud, tailored to the particularities of the digital environment. The offence protects both individuals’ property and the security and trust in IT systems and electronic means of payment. The law covers multiple modalities of commission and provides substantial penalties, reflecting a firm criminal policy against cyber-enabled patrimonial crime. As technologies evolve, the legal text has already been adjusted (for example, in 2021 it was amended to include “transmission of computer data” as a modality of fraud[6] in order to transpose Directive (EU) 2019/713 on combating fraud and counterfeiting of non-cash means of payment). In what follows, we will examine how these provisions are applied in Romanian case law and what concrete types of computer fraud have been investigated by the authorities.

Examples from Romanian case law (DIICOT, High Court of Cassation and Justice, rejust.ro)

To illustrate how courts and prosecution bodies approach the offence of computer fraud, we present several relevant examples from recent case law and practice of specialised bodies:

  • High Court of Cassation and Justice Decision no. 37/2021 (published in Official Gazette no. 707/2021) – as mentioned above, this preliminary ruling clarified the legal classification of online fraud cases that do not involve interference with IT systems. The case underlying the referral involved a group of defendants who, starting in 2010, posted fictitious sale ads on auction sites (including eBay) and communicated by e-mail with victims, convincing them to pay in advance for non-existent goods. They used a so-called fake escrow system: victims believed their money was held by a safe third party and would be returned if they did not receive the goods, but in reality the funds were directed to accounts controlled by the offenders[13][14]. The legal question was whether this scheme constituted computer fraud (introduction of false computer data – the ads on the site – to obtain a benefit) or fraud. The High Court decided that the act falls under fraud (Art. 244 Criminal Code), because posting ads on a website does not amount to altering the functioning of the IT system or data – the fraud was carried out by deceiving persons, not by an attack on the system[11]. In its reasoning, the Court explained that computer fraud is a complex offence that implies an actual cyberattack, whereas in the case of fake ads we are dealing with a modern form of “classic” fraud committed online. This binding decision unified courts’ practice, which had previously been divergent (some courts had convicted such acts as computer fraud). It is now clear that, for Art. 249 Criminal Code to apply, unauthorised interference with the system or data is required (e.g. inserting malicious scripts, modifying the database, etc.), while the mere use of the Internet as a means of fraudulent communication is classified as fraud[12][11].
  • DIICOT case – computer fraud and fraudulent financial operations (2023): An investigation by DIICOT – Galați Territorial Service, made public in August 2023, shows the complexity of cybercrime groups in Romania. In this case, an organised criminal group created fake websites mimicking the pages of well-known banks and promoted them through search engines so that they appeared at the top of the results[15][16]. More than 40 people accessed these cloned banking websites and entered their credentials (username/password), believing they were logging into the real account, with the data thus being collected by the offenders. Using these credentials, members of the group accessed victims’ real accounts and transferred the money to accounts they controlled, from which they then withdrew cash at ATMs[17][18]. The damage was estimated at over 2.2 million lei and EUR 44,500, and the group operated through specialised tiers – a technical core that created and promoted the fake websites, a “mule” tier that opened intermediate bank accounts for the transfers, and a tier that handled the actual withdrawal of the cash and collection of the profit[19][20]. In this case, DIICOT retained multiple offences: computer fraud in continued form with particularly serious consequences, fraudulent financial operations (Art. 250 Criminal Code), illegal access to an IT system (Art. 360 Criminal Code), computer forgery (Art. 325 Criminal Code), as well as “traditional” offences (establishing an organised criminal group and even drug trafficking, showing that such groups may be polyvalent)[21][22]. This example highlights the fact that in practice, computer frauds are often part of broader criminal schemes that combine cyber means (bank phishing, website cloning) with economic crime elements (money laundering, use of strawmen to open bank accounts, etc.). 
    The case also justifies DIICOT’s involvement: the total sum exceeded the threshold for particularly serious consequences (2 million lei) and an organised group was involved[8][23].
  • Skimming and card fraud cases: Romania has faced numerous skimming cases since the 2000s (copying card data through devices clandestinely installed on ATMs or POS terminals), followed by fraudulent cash withdrawals. These acts were initially prosecuted either under the old special law (Law 365/2002 – offences repealed in 2014[24][25]) or under the new Criminal Code provisions (Art. 249 – computer fraud, Art. 250 – fraudulent financial operations, Art. 313 of the old Criminal Code – forgery of valuable instruments, etc., depending on when they were committed). A well-known example is the group led by hacker Adrian-Tiberiu O., who between 2009 and 2011 managed to breach over 200 payment terminals (POS) in the USA – 150 of which belonged to the Subway restaurant chain – and steal data of more than 146,000 cards[26][27]. The offenders remotely installed keylogger-type programs on the stores’ payment systems, capturing card data used by customers[28][29]. The data were then used for unauthorised transactions or sold on the black market. US authorities indicted four Romanians in this case, and two of them (Iulian D. and Cezar B.) pleaded guilty, being sentenced in 2012 to 7 years and 21 months in prison respectively[27][30]. The group leader, Adrian O., was later extradited to the US, where he received a 15-year sentence for conspiracy to commit computer fraud, access-device fraud and wire fraud[31][32]. Although this particular case belongs to US jurisdiction, it is worth mentioning in the context of Romanian practice because it shows the international dimension of the phenomenon – cooperation between Romanian and US authorities was essential (the persons were arrested with the help of the Romanian police and extradited[33][34]).
    In Romania, many similar skimming groups have been dismantled by prosecutors, with cases going to trial (for example, the “Michael Jackson” case – a card-cloning network that operated in more than 14 countries, whose Romanian members were cumulatively sentenced to dozens of years in prison[35]). Such cases usually involve multiple offences: computer fraud (entering false data on cards or into banking systems), falsification of payment instruments (material forgery of blank cards), fraudulent financial operations (using cloned cards), and establishing an organised criminal group.
  • Decisions available on rejust.ro: The Rejust platform (the case law portal of the Ministry of Justice) contains numerous judgments on computer fraud, confirming the diversity of situations. For example, there are cases concerning fraud against domestic e-commerce platforms: defendants convicted for posting ads on OLX or Okazii for selling non-existent phones or cars and directing buyers to pay online into an account – acts classified as fraud (in line with the HCCJ decision mentioned earlier). Other decisions concern payment-instrument fraud: for instance, cases in which bank employees or external accomplices illegally entered banking IT systems and initiated transfers of funds to accounts they controlled – such acts were classified as computer fraud sometimes combined with abuse of office or illegal access. Case law also highlights evidentiary difficulties: in some rulings, there were extensive discussions over IT expert reports, IP address traceability, identification based on logs, to establish who actually committed the intrusion.

Overall, Romanian case law shows that investigative bodies and courts treat cyber offences with increased seriousness. DIICOT takes over serious cases or those involving organised networks, while ordinary prosecutors deal with smaller-scale or individual cyber frauds. Penalties tend to be consistent, especially when there are multiple victims or large losses – for example, in cases involving damage of hundreds of thousands of euros, courts have frequently imposed effective sentences of 5-7 years’ imprisonment on principal offenders, taking into account mitigating or aggravating factors. A particular aspect: “online fraud” without a technical attack (simple online deception) has in some situations allowed for reconciliation between the parties or more lenient treatment where the damage was fully recovered, whereas in the case of actual computer fraud (Art. 249) the action is initiated ex officio, meaning that reconciliation has no effect (victims can still obtain civil damages, but withdrawing their complaint does not stop the criminal proceedings).

In conclusion, Romanian case law confirms the versatility of computer fraud – from banking phishing to fraud on online platforms to hackers stealing funds from corporate accounts – and underscores the importance of international cooperation and technical expertise in solving such cases. Sanctions match the seriousness of the acts, sending a strong deterrent message to those tempted to exploit technology for illegal gain.

Associated phenomena: phishing, spoofing, skimming, Man-in-the-Middle attacks, fraud on online platforms


Computer fraud manifests itself in a wide variety of forms and methods, many of which have technical names that have already entered everyday language. Below we describe the main associated phenomena and how they fit into the criminal landscape:

  • Phishing – one of the most widespread methods of initiating computer fraud. The term comes from the idea of “fishing” for victims’ confidential data. Offenders send fake messages (e-mails, SMS – so-called smishing, or chat messages – phishing on social media) that appear to come from trusted sources (banks, institutions, well-known companies) and ask the target to disclose sensitive information: authentication credentials, PINs, card numbers, etc. A more sophisticated variant involves creating fake websites that almost perfectly mimic the real website of an institution – the user is deceived and enters data that go directly to the attackers (the case presented in section 3 is a classic example of banking phishing). Phishing can lead to the commission of an actual computer fraud when the attacker uses the obtained data to access the victim’s account and transfer funds (this then becomes the offence under Art. 249 or Art. 250 Criminal Code, as appropriate). Romanian law explicitly punishes these acts – entering false data into a computer system for the purpose of obtaining a benefit is computer fraud, and the use without consent of a payment instrument (e.g. card data obtained through phishing) is the offence under Art. 250 Criminal Code[36]. A practical example: numerous banks in Romania regularly warn clients about phishing e-mail campaigns asking them to “verify their account” or “reset their password” via a link; those who fall into the trap and enter their data risk seeing their accounts emptied by fraudsters. Phishing is consistently identified as the main initial access vector for cybercrime – according to ENISA reports, “phishing is once again the most common initial access vector” used by attackers[1]. Legally, those who create and distribute such deceptive messages and fake sites may be liable for computer fraud (where damage is caused) and computer forgery (for reproducing the logo/identity of the real entity, for example).
  • Spoofing – refers to “forging” the identity of a system or communication. In the context of fraud, spoofing may take several forms: e-mail spoofing (the attacker sends e-mails that appear to come from a legitimate address, e.g. from a company director or business partner – a technique used in Business Email Compromise, where accountants are tricked into wiring funds to fraudsters’ accounts on the basis of falsified e-mails), IP spoofing (sometimes used to hide the traces of illegal access or to hijack communication sessions), caller ID spoofing (phone calls where attackers display the number of a real institution – e.g. claiming to be from a bank or the police – in order to obtain data or payments). Spoofing is therefore a social-engineering tool that facilitates fraud. In itself, spoofing (e.g. falsifying e-mail headers) can be classified as computer forgery (Art. 325 Criminal Code) – “modifying computer data with evidentiary value”, since an e-mail contains data attesting the sender’s identity[37]. However, offenders usually use it as a preparatory step to subsequently commit either fraud (if the victim voluntarily transfers money believing the message is genuine) or computer fraud (if access to a system is gained). For example, in Business Email Compromise (BEC) frauds – which have produced many victims in Romania as well – attackers compromise a manager’s e-mail account or create a very similar one and then send payment instructions to the company’s finance department, urgently requesting transfer of a sum to a specified account (which belongs to the fraudsters). Such acts may be classified as computer fraud (introduction of unauthorised financial commands into the company’s payment system), in concurrence with computer forgery and sometimes illegal system access (if the original e-mail account was hacked).
  • Skimming – the practice of copying data from the magnetic stripe or chip of a bank card, usually by installing illegal devices on ATMs or merchants’ payment terminals. Attackers install a secondary card reader (a skimmer) and often a camera or a fake keypad to capture the PIN. The data are then used to clone cards and withdraw cash fraudulently. Skimming was highly prevalent in the 2000s and 2010s; currently, with the migration to chip cards and 2FA, its incidence in the EU has decreased but it has not disappeared. Legally, skimming can be classified as follows: installing the device and stealing card data constitutes illegal operations with devices or computer programs (Art. 365 Criminal Code punishes possession or supply of devices designed for committing cyber offences), while cloning cards and cash withdrawals fall under either computer fraud or the specific offence of fraudulent financial operations (Art. 250 Criminal Code) – the use of a payment instrument without the cardholder’s consent[36]. Under the previous Criminal Code, such acts were criminalised in Law 365/2002 (Arts. 24-28, all repealed in 2014[24][25]). In practice, many Romanian skimmers have been caught and convicted either in Romania or in the countries where they operated (e.g. Italy, Spain, USA). An important aspect is that the law also punishes the making or possession of skimming devices: Art. 365 Criminal Code provides imprisonment from 6 months to 3 years for making or possessing tools (readers, hardware/software) designed for committing cyber offences. Thus, simply manufacturing a card-copying device, without more, may entail liability. In organised-crime networks, some members usually specialise in building these devices and collecting data, and others in cloning and cash-out. The image below shows an example of improvised devices used to defraud ATMs, seized by authorities in the context of an international cooperation operation[38][39].
  • Man-in-the-Middle (MitM) attacks – a more advanced form of intercepting and modifying communication between two parties (user and server) by an attacker positioned in the middle. In the fraud context, a MitM attack can allow takeover of an online banking session: for example, the victim accesses an authentic website, but the attacker has compromised the network (or is using malware on the victim’s device) and intercepts authentication, managing to inject unauthorised transactions. Or, in the case of unsecured communications, the attacker can intercept messages (including e-mails or web traffic) and insert their own instructions. A concrete scenario: offenders compromise a supplier’s e-mail account and, during legitimate correspondence between victim and supplier, intercept and modify messages so that the bank account in the invoice is replaced with theirs – the victim pays the wrong account (MitM fraud combined with BEC). Legally, these acts may take several forms: illegal interception of data transmission (Art. 361 Criminal Code) – punishing the unlawful capture of transmitted computer data[40], plus, where unauthorised transfers occur, computer fraud or (classic) fraud, as appropriate. MitM attacks are relatively difficult to prove, requiring in-depth IT investigations to identify the point of compromise and the perpetrator. In Romania, there have been cases involving illegal interception of data (including cyber-espionage), and in the financial area MitM-type situations have been encountered in international BEC cases involving Romanian citizens (acting as hackers or as mules for stolen funds).
  • Fraud on online platforms – covers multiple typologies, from fictitious sales on classified-ad websites to scams on auction or marketplace platforms and fraud via social networks. A common example is fraud involving non-existent products: the offender posts an attractive ad (a very low price for a phone, car, etc.), obtains an advance from the buyer and then disappears. As noted above, these acts are usually classified as fraud and require a prior complaint from the victim to be investigated (in the typical form). Also included are phishing-type frauds on e-commerce sites: sending fake links to customers (e.g. a buyer receives a link from the supposed seller directing them to a fake courier/payment page where they enter card data – which then go to the attacker, who uses them for transactions). Romanian classified-ad platforms (OLX, Publi24, etc.) have implemented visible warnings about these practices and cooperate with the police in investigations. Another area is fraud on trading/cryptocurrency platforms: for example, ghost investment sites promising high returns – users deposit funds into a supposed investment account, see fictitious profits displayed on the platform, but when they try to withdraw funds they discover that they cannot, and the scammers disappear with the crypto (investment scam). DIICOT recently investigated such a mega-scam: a fake online investment platform that defrauded more than 100 people of about EUR 4.8 million, promising profits from cryptocurrency trading[41]. These acts may be classified as computer fraud (the platform being falsely presented as real, false data entered regarding balances, etc., to obtain money from victims).

Identity spoofing on social platforms has also generated numerous frauds: for example, romantic scams on Facebook/Tinder where the fraudster impersonates someone else and later asks for money under various pretexts. These social-engineering frauds are essentially fraud offences, but the means used (the Internet) and the anonymity complicate investigation. The Romanian Police (including through the Cybercrime Unit) warns about these schemes and participates in international enforcement networks (such as INTERPOL’s HAECHI operations against online fraud). In 2024, a global INTERPOL operation (HAECHI V) resulted in more than 5,000 arrests and the recovery of USD 180 million, targeting exactly phishing, romantic scams, fake investments and business e-mail compromise[42]. Romania actively participated in these efforts, with both victims and offenders involved in cross-border schemes.

In conclusion, computer fraud does not appear in isolation, but in conjunction with a variety of techniques and phenomena specific to the digital environment. Phishing, spoofing, skimming, MitM attacks, platform frauds – all are tools or methods through which offenders commit either the offence of computer fraud or related offences. Knowledge of these phenomena is essential for legal practitioners: both for accurate legal classification (e.g. when it is computer fraud vs. when it is fraud) and for identifying evidentiary means (IT expert reports, server logs, CCTV footage at ATMs, etc.). Moreover, public awareness of these modus operandi contributes to prevention – a substantial part of fraud could be avoided through digital hygiene (checking message sources, avoiding disclosure of sensitive data, using two-factor authentication, etc.[43]).

Comparative law: approaches in Germany, France, USA (legislation, sanctions, prosecution models)


Computer fraud is a global phenomenon, and national laws approach this offence in a broadly similar way, although there are terminological and systemic differences. Below we briefly examine how “computer fraud” is regulated in several reference jurisdictions – Germany, France, and the United States – highlighting both similarities with the Romanian model and local specificities.

Germany: The German Criminal Code (Strafgesetzbuch – StGB) expressly provides for the offence of “Computerbetrug” (computer fraud) in §263a StGB. The German text is very similar to the Romanian one and was in fact one of the sources of inspiration at European level. According to §263a para. (1) StGB, “whoever, with intent to obtain for himself or for a third person an unlawful material benefit, causes damage to the property of another by influencing the result of a data processing operation by improperly designing the program, using incorrect or incomplete data, unauthorised use of data or by any other unauthorised influence on the course of processing, shall be punished with imprisonment of up to 5 years or a fine.”[44]. We can see familiar elements: unauthorised input or manipulation of data leading to an unjust financial result. The maximum penalty is 5 years (slightly lower than under Romanian law, which provides a maximum of 7 years). However, German law provides aggravating circumstances in §263 (classic fraud) that apply mutatis mutandis: for example, if the damage exceeds a certain threshold or if the act is committed by an organised group, it may be classified as a “particularly serious case” with penalties of up to 10 years[45]. A particularity of German law is that it criminalises the preparation of computer fraud separately: §263a para. (3) StGB punishes with up to 3 years’ imprisonment anyone who creates or supplies computer programs intended to commit such an offence[46]. In practice, writing financial malware (e.g. keyloggers, banking trojans) becomes an offence even if it has not yet been used – a provision intended to discourage the development of hacking tools. In Germany, many computer fraud cases involve cybercrime rings tried for large-scale card fraud (skimming) or online fraud (phishing). German authorities cooperate intensively within Europol on such networks (for example, joint operations with the Romanian police in skimming cases). 
The German Code, like the Romanian one, was amended in 2021 to implement Directive (EU) 2019/713 – so offences involving fraudulent use of non-cash means of payment are also punished.

France: The French Criminal Code does not use the term “computer fraud” as such, but includes a set of offences in Title II – “Attacks on automated data processing systems” (Arts. 323-1 et seq. Criminal Code) that cover illegal access, unauthorised stay in a system, data alteration and system disruption. In French law, “escroquerie” (fraud) remains the main offence for unlawfully obtaining a patrimonial benefit by misleading a person (Art. 313-1 Criminal Code), and this applies to online situations without technical interference (similar to the distinction drawn by the Romanian High Court). For situations where system integrity or data are compromised to commit fraud, French prosecutors combine the IT offences in Art. 323 with fraud or forgery, as appropriate. For example, Art. 323-3 Criminal Code provides that the fraudulent introduction of data into an IT system or the fraudulent modification/deletion of existing data is punishable by 5 years’ imprisonment and a EUR 75,000 fine[47]. This offence applies to any unauthorised manipulation of data – whether the aim is sabotage or obtaining a gain. If a person is also deceived in order to obtain a benefit, prosecutors may also charge “escroquerie”, but in practice when the technical element prevails they rely on Art. 323. France also criminalises “forgery of means of payment” (in another title, concerning forgery of payment instruments), covering card cloning and their fraudulent use – a field regulated by the transposition of EU directives. A noteworthy point: France punishes attempt and complicity in these IT offences in the same way as consummated acts, and courts frequently impose complementary penalties (for example, banning the exercise of IT-related professions in cases of abuse of function).

As regards the prosecution model: France, like Romania, has specialised units (e.g. OCLCTIC – Central Office for Fighting Crime related to Information and Communication Technologies) and participates in joint investigation teams in Europe. Sanctions applied in major cases are similar numerically to those in Romania (5-7 years for large-scale frauds, sometimes more for concurrence of offences). A well-known example: in a VAT “carousel” fraud involving Bitcoin (MTIC), tried in Paris, defendants – including Romanian citizens – received sentences of more than 7 years.

United States: In the US, cybercrime legislation exists both at federal and state level. The federal framework law is the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, which defines several criminal acts related to unauthorised access to computer systems and fraud via computers. The CFAA was adopted in 1986 and later amended; it arose from the need to address acts that did not fit well under the traditional mail fraud or wire fraud offences[48][49]. The CFAA provides that it is an offence to intentionally access a protected computer (a concept that includes governmental, financial, or interstate commerce systems) without authorisation for the purpose of obtaining information, causing damage, or committing fraud. For example, 18 U.S.C. §1030(a)(4) criminalises “knowingly and with intent to defraud, accessing a protected computer without authorisation or exceeding authorised access, and by means of such conduct furthering the intended fraud and obtaining anything of value” – language very similar to a computer-fraud definition[50]. The US system does not have a direct equivalent of Art. 249 Criminal Code in a single provision, but US practice often combines Section 1030 with wire fraud (18 U.S.C. §1343) in online fraud cases and with aggravated identity theft (18 U.S.C. §1028A) where another person’s data are used.

Regarding penalties, the US regime tends to be harsher: federal cyber offences can be charged as felonies with penalties starting at 5 years and going up to 10-20 years for serious cases or repeat offenders. Moreover, federal sentencing guidelines, based on the amount of loss and number of victims, can significantly increase the length of sentences. There are concrete examples: two Romanian hackers convicted in the US in 2018 for infecting tens of thousands of computers with banking malware (the Bayrob case) received cumulative sentences of 20 and 18 years’ federal imprisonment respectively[51]. In that case, they were charged with more than USD 4 million in fraud, conspiracy and money laundering. Another example, mentioned earlier: the Subway POS-attack group – the leader (Adrian O.) received 15 years and his accomplice 7 years in the US[31][27], considerably higher sentences than they likely would have received in Europe for USD 10 million in damage (multiple counts were cumulatively charged: computer fraud, wire fraud, access device fraud). The US approach is also characterised by extensive use of international cooperation: foreign offenders are often extradited to be tried in the US if victims or affected systems are American. Romania has a long record of such extraditions, due both to the Budapest Convention (judicial cooperation) and the bilateral partnership with US authorities. For instance, Romanian hacker “Guccifer” (Marcel L.) – known for illegally accessing the accounts of US officials – was extradited and sentenced in Virginia to 52 months in prison for computer fraud and identity theft.

One challenge in the US system has been defining the limits of “unauthorised access”: only in 2021 did the Supreme Court (Van Buren v. United States) interpret the CFAA narrowly, limiting its application to genuinely unauthorised access (and not to cases where someone has lawful access but misuses it). Thus, similar interpretive debates arise everywhere – how to distinguish computer fraud from abuse of office or from mere contractual breaches?

Other jurisdictions: Many countries have adopted provisions inspired either directly by the Council of Europe Cybercrime Convention (which requires criminalisation of “computer-related fraud”) or by EU directives. For example, Italy regulates computer fraud in Art. 640-ter Criminal Code (introducing or modifying data/computer systems for unjust profit, punishable by up to 6 years, aggravated to 7-15 years if committed against the state). Spain includes it in Arts. 248-249 Criminal Code as a variant of fraud.

We can conclude that: (i) Legal definitions are essentially similar – all require unauthorised manipulation of a system or data, with the aim of obtaining an unjust gain and causing damage; (ii) Penalties typically range between 5 and 10 years’ maximum, with the possibility of aggravation in cases of massive losses or organised groups (and in the US, sentences can be much higher due to cumulative charges); (iii) Prosecution practice – states increasingly cooperate through bodies such as Europol, Eurojust, FBI, INTERPOL, forming joint investigation teams and surrendering suspects to states where they can be prosecuted more effectively. For example, Germany cooperates with Romania in Joint Investigation Teams (such as the RO-UK JIT in 2025 for ATM fraud[52][53]), France has issued European Arrest Warrants for Romanian citizens involved in online fraud committed on French territory, and the US cooperates through MLATs and extradition proceedings (sometimes indicting Russian or Chinese hackers in absentia as a deterrent).

Another point is that the US approach inspired the creation of our offences but also triggered debates on protecting research and ethical hacking. While European law (including Romania) generally provides that authorised actions or testing with the owner’s consent are not offences, the CFAA wording has been criticised as too broad. The recent UN treaty (see section 6) revived the debate on protecting ethical hacking from abusive interpretations. For example, Microsoft has stressed that definitions of cyber offences should include an explicit criminal intent requirement, to avoid inadvertently criminalising cybersecurity experts testing systems[54].

In conclusion, comparative law shows a general trend towards harmonisation in the field of computer fraud: most states have equivalent offences, influenced by international instruments (CoE Convention, EU directives). Differences lie mainly in sentencing severity and practical application (e.g. US – harsh penalties, many extraditions; Europe – focus on judicial cooperation and prevention). For a Romanian lawyer, familiarity with approaches in other countries is particularly useful in cross-border cases: understanding German or French law, for instance, may be crucial when representing a client investigated by those authorities for a computer fraud committed from Romania.

Relevant international bodies: Europol, ENISA, INTERPOL, OECD, UNODC – reports and statistics


Combating computer fraud goes beyond the borders of any one state, so international and regional organisations play a crucial role in coordinating efforts, shaping policy and providing expertise. Below we review the main such bodies and their contributions (including some relevant statistics):

  • Europol – the EU Agency for Law Enforcement Cooperation – hosts the European Cybercrime Centre (EC3), dedicated to combating cybercrime, including computer fraud and payment-card fraud. Europol publishes the annual IOCTA report (Internet Organised Crime Threat Assessment), which identifies major trends and threats. Recent IOCTA reports have highlighted that online financial fraud remains among the most lucrative forms of cybercrime, facilitated by tools such as phishing-as-a-service, banking trojans and networks of money mules. For example, Europol coordinated operations against an industrial-scale phishing network with over 480,000 victims globally (a case dismantled together with Ameripol)[2][3]. It has also supported targeted actions against card fraud (e.g. “Carding Action” operations – hundreds of arrests). In addition to reports, Europol provides member states with information-sharing systems (SIENA), incident databases and experts who can analyse financial flows and blockchain data to trace stolen funds. A notable example: Europol participated in a joint Romania–Moldova investigation into laundering phishing proceeds, providing data analysis and sending an analyst on site[55][56]. This support helped uncover over 30 victims and losses of EUR 20 million in that case[57][58].
  • ENISA (European Union Agency for Cybersecurity) – an EU agency focusing on cybersecurity, with a technical and policy-oriented role. ENISA publishes the annual Threat Landscape report, which also covers threats related to digital fraud. According to ENISA Threat Landscape 2023, phishing and business e-mail compromise remain the main threats to the financial sector, and cybercriminals are diversifying their methods, including through the use of artificial intelligence to generate more convincing fraudulent content (e.g. fake e-mails or voice messages)[59][60]. ENISA also provides statistics: in 2022–2023, more than 2,500 significant cyber incidents were recorded in the EU, a considerable share (around 10%) relating to fraud and online scams (including phishing)[61]. ENISA also organises EU-wide exercises (Cyber Europe) that include large-scale fraud scenarios to train joint responses. For lawyers, ENISA’s role is indirect – its technical recommendations can influence standards of due diligence in data security (for example, if a bank does not implement security measures recommended by ENISA and falls victim to fraud, civil liability may arise).
  • INTERPOL – the International Criminal Police Organization – operates globally, facilitating police cooperation among 195 countries. It also has a cybercrime division. INTERPOL regularly coordinates global operations against cyber-enabled fraud – one such example being Operation HAECHI V (2024), involving 30 countries including Romania and targeting seven types of online fraud (voice phishing/vishing, romance scams, sextortion, investment fraud, online gambling scams, BEC, etc.)[42][62]. The results were impressive: over 5,500 people arrested worldwide and about USD 180 million in stolen assets recovered[42]. Another operation, “First Light 2024”, targeted scam call-centres (including “Windows support” scams), leading to the seizure of USD 257 million and dozens of arrests[63]. INTERPOL also issues Police Notices – for example, Violet Notices for new cybercrime modus operandi, informing member states about emerging fraud patterns. One example: in 2020, INTERPOL issued a global warning about the rise in COVID-19-related frauds (online sales of non-existent medical products, COVID-themed phishing, etc.). For Romania, cooperation via INTERPOL has helped capture fugitives involved in online fraud who had fled to distant countries.
  • OECD (Organisation for Economic Co-operation and Development) – although not a law-enforcement agency, OECD addresses economic policy and thus the security of the digital economy. OECD has published studies on the economic impact of online fraud and consumer protection in the digital age. An OECD report indicates that older consumers are often more vulnerable to online scams, with more than 50% of fraud losses in some countries coming from people over 60[64]. OECD also promotes best practices for securing digital payments: it recommends that member states educate consumers, strengthen authentication security (e.g. the PSD2 strong customer authentication standard), and encourage information-sharing on incidents between banks and authorities. OECD maintains statistical data on economic crime, where computer fraud is an emerging category. Its role in this context is mainly in shaping public policy – for example, Romania can design national strategies inspired by OECD guidelines for preventing and combating cyber fraud (involving consumer-protection authorities, data-protection authorities, etc.).
  • UNODC (United Nations Office on Drugs and Crime) – the UN office dealing with drugs and crime has extended its mandate to cybercrime, particularly by helping developing countries build capacity. UNODC published a global study on cybercrime in 2013, estimating that annual losses caused by cyber offences amounted to hundreds of billions worldwide, and highlighting significant under-reporting (many online frauds go unreported due to lack of trust in authorities, victims’ shame, or because they are small and scattered). UNODC now runs the Global Programme on Cybercrime, providing technical and legal assistance across regions (including Eastern Europe). Notably, under UN auspices a new cybercrime convention (UN Anti-Cybercrime Treaty) was negotiated and opened for signature at the Hanoi Conference in October 2025[65]. This convention aims to strengthen international cooperation and set common standards, including offences such as computer fraud, payment-instrument counterfeiting, ransomware attacks, etc. According to official communications, around 70 countries signed the new UN Cybercrime Convention in 2025, marking an important step towards a unified global framework[66]. The treaty must be ratified by at least 40 states to enter into force[67]. Romania, an active participant in the negotiations, will likely sign and ratify the convention, thereby strengthening legal tools to request and provide legal assistance to other states in computer fraud cases (complementing the Budapest Convention).

Besides these entities, Eurojust should also be mentioned (discussed in section 7 on judicial cooperation) which, although it does not publish statistical reports as such, supports concrete cases and releases press communiqués reflecting trends (e.g. an increasing number of joint teams set up for cryptocurrency fraud, showing that the phenomenon is expanding in that area).

Global statistics on computer fraud are difficult to centralise comprehensively, but a few benchmarks stand out: a report by the FBI’s Internet Crime Complaint Center (IC3) indicates that in 2022 over 800,000 cybercrime complaints were filed, with reported losses exceeding USD 10 billion; investment fraud, business e-mail compromise and tech-support scams generated the highest losses. In Europe, European Commission estimates show that fraud related to non-cash payments caused annual losses of about EUR 1.8 billion (based on 2019 data underlying Directive 2019/713). OECD has suggested that the real figure may be higher, as not all incidents are reported by financial institutions for fear of reputational damage.

In summary, international bodies provide both crucial knowledge and data on the evolution of computer fraud and operational mechanisms for combating it (joint teams, expert networks, money-tracing capabilities). For legal practitioners, their reports offer valuable context – for example, to demonstrate to a court how sophisticated an attack is (invoking that a similar modus operandi has been noted by Europol in a report) or to argue for certain measures (e.g. extended confiscation, based on international recommendations to decapitalise criminal networks). These organisations also emphasise human-rights protection in cybercrime investigations – an essential aspect, especially in discussions about new surveillance powers (many voices – UN, OECD – stress that fighting online fraud must not involve sacrificing privacy or freedom of expression[68][69]).

In conclusion, the fight against computer fraud has a strong international dimension, and familiarity and cooperation with specialised bodies are becoming integral to any effective strategy for countering such offences.

International cooperation: OLAF, Eurojust, extradition warrants and cross-border investigations


The cross-border nature of cyber offences – where offender, victim, servers and funds may all be located in different jurisdictions – often makes international cooperation the only way to investigate and prosecute effectively. This section outlines several key mechanisms and institutions through which states cooperate in computer-fraud cases, including the role of OLAF and Eurojust, as well as extradition procedures and joint investigation teams.

  • OLAF (European Anti-Fraud Office) – the EU body tasked with protecting the Union’s financial interests, investigating fraud affecting the EU budget (EU funds, customs evasion, smuggling, etc.). Although OLAF is less concerned with computer fraud per se, it is relevant where digital means are used to defraud EU funds. A possible example: an organised group hacks the IT systems of an agency managing EU funds and diverts payments (a computer fraud causing damage to the EU budget), in which case OLAF may become involved. OLAF cooperates closely with national authorities and the European Public Prosecutor’s Office (EPPO). To date, there have not been many high-profile cases of cyberattacks on EU funds, but OLAF has warned that as fund management becomes increasingly digital, new risks arise – e.g. fraud using electronic payment instruments to access EU money, or digital forgery of documents in online grant applications. OLAF can conduct administrative investigations and recommend cases for national prosecution. In our context, OLAF is more of an indirect cooperation actor, providing anti-fraud expertise.
  • Eurojust – the EU Agency for Criminal Justice Cooperation – is extremely important in complex cross-border cases, such as many computer-fraud cases. Eurojust facilitates the setting up of Joint Investigation Teams (JITs) and coordinates execution of European Arrest Warrants or European Investigation Orders. For example, in June 2025 Eurojust assisted a joint Romania–Moldova operation against a network laundering phishing proceeds, by establishing and funding a JIT[70][71]. Through cross-border cooperation, simultaneous searches were carried out in 44 locations in both countries, identifying dozens of victims across Europe and damage of about EUR 20 million[72][58]. Eurojust not only facilitated the legal side (JIT agreement, resolving jurisdictional issues) but also synchronised the action day. Another case, in July 2025: Eurojust coordinated Romanian and UK authorities’ actions against an ATM-fraud network (discussed earlier, with EUR 580,000 stolen in the UK). Here, Eurojust assisted in preparing the action day in Romania and in sharing evidence, while Europol provided analytical support[73][52]. As a result, several suspects were arrested in Romania and 8 defendants in the UK, making this a notable example of integrated judicial and police cooperation[74][75].

Eurojust also plays a vital role in avoiding jurisdictional conflicts: in global computer-fraud cases, several states may have jurisdiction (e.g. offender is Romanian, victims in Germany, servers in the Netherlands). Eurojust facilitates agreements on case allocation – for instance, the country with the largest damage may take over prosecution and others may transfer their cases. For lawyers, Eurojust offers a transparent channel for communication with foreign authorities, which can speed up, for example, evidence-gathering or hearing foreign witnesses.

  • Extradition / European Arrest Warrants (EAWs): Traditional extradition and modern instruments such as the EAW are frequently used in computer-fraud cases. As an EU member state, Romania applies the European Arrest Warrant in relation to other member states – a simplified judicial procedure with strict deadlines, whereby a wanted person is surrendered for prosecution or for serving a sentence. For example, if a Romanian citizen commits computer fraud in Germany (say, a phishing scheme harming German citizens) and flees to Romania, German authorities issue an EAW based on a domestic arrest warrant, and the competent Romanian Court of Appeal will examine it and is very likely to order surrender, since the offence has an equivalent in the Romanian Criminal Code and no mandatory refusal grounds apply (computer fraud is an offence in both states). Such surrenders are already common. Similarly, Romania has issued EAWs towards other states – for instance, members of carding groups who moved abroad were brought back for prosecution. One example: in 2022 Romanian authorities issued an EAW for a hacker who had fled to Italy after committing computer fraud; he was arrested by the Carabinieri and surrendered.

In relation to non-EU states, traditional extradition based on bilateral or multilateral treaties is used. Romania’s relationship with the US is particularly active: due to the 2007 Extradition Treaty, many Romanian suspects in computer-fraud cases have been extradited to the US. The procedure involves the Ministry of Justice and the courts (usually the Bucharest Court of Appeal, which checks the legal conditions). An example already mentioned: the extradition of the Subway network hacker – Oprea was extradited at the US’s request[33]; similarly, in 2021 another Romanian hacker, S. Becheru, was extradited to Texas to face charges of selling millions of stolen card numbers[76]. Extradition is based on the principle of dual criminality – the acts must be offences in both states (in our cases, computer fraud and related offences clearly are). In addition, assurances are required that life imprisonment or the death penalty will not be applied (the US usually provides such assurances, although long sentences can still follow).

  • Joint Investigation Teams (JITs): As mentioned, JITs are the instrument through which two or more countries appoint mixed teams of prosecutors and officers to work together on the same case, directly sharing information and evidence without the bureaucracy of traditional mutual legal assistance. In the EU, JITs are supported (including financially) by Eurojust. In computer-fraud cases, they are increasingly used, as suspects are often geographically dispersed. Romania has participated in numerous JITs: for example, the Bakovia JIT with Spain, which dismantled a Romanian-Spanish money-mule network laundering phishing proceeds; a JIT with Italy in an EU-wide card-skimming case; a JIT with the US (under a joint task-force model) in the Bayrob case. The advantage of a JIT is that it allows simultaneous action (coordinated searches in all countries involved, leaving no time for suspects to erase traces) and rapid data-sharing (e.g. a server seized in one country can be analysed immediately and the information used by the team in another).
  • Evidence-gathering cooperation (European Investigation Order, letters rogatory): In the absence of a JIT, evidence from abroad is obtained through mutual-assistance procedures. In the EU, the European Investigation Order (EIO) allows direct requests for investigative measures in another member state (e.g. search of a hosting provider’s premises in another country, disclosure of data by a service provider). Outside the EU, letters rogatory under the Cybercrime Convention (which contains specific provisions for speedy data-sharing) are used. For example, if an IP address from Russia appears in a Romanian computer-fraud case, Romanian authorities may send, under the Convention or via INTERPOL, a request to Russia to identify the subscriber – though cooperation with countries such as Russia or China is often difficult for political reasons. Cooperation with Western states is, however, good: Romania has made extensive use of bilateral agreements with the US to obtain traffic and content data from US companies (Microsoft, Google, Facebook) in online-fraud cases.
  • Issues and solutions: International cooperation is not without its challenges. Legal differences – for example, countries that do not recognise certain offences or have very strict data-protection regimes – may complicate evidence-gathering. For instance, in some countries traffic-metadata retention is limited, so if Romania requests IP data older than 6 months, they may no longer exist. Another problem is jurisdiction over cloud data: if data relevant to a fraud are stored on servers on another continent, MLAT cooperation is needed, which can be slow. New tools, including the forthcoming UN convention, aim to streamline these procedures.

For defence lawyers in cross-border computer-fraud cases, international cooperation is a double-edged sword: on the one hand, it brings in strong evidence from across the world; on the other, it offers opportunities for challenging the proceedings if legal safeguards were not observed (e.g. contesting extraditions on human-rights grounds, as in cases of hackers surrendered to states with harsh regimes; or challenging the legality of evidence obtained from another state without proper authorisation).

An example: if a Romanian client is extradited to the US, lawyers may negotiate a plea bargain, bearing in mind that US penalties are high, potentially in exchange for cooperation to secure the extradition of others. Conversely, if a foreign national is tried in Romania, issues such as translating foreign evidence and hearing foreign witnesses (via videoconference) arise. Eurojust often assists in arranging these practical details.

In conclusion, international cooperation is essential in combating computer fraud given the globalisation of such offences. Institutions like Eurojust, OLAF, INTERPOL, and legal tools such as extradition and joint investigation teams, enable authorities to overcome geographic obstacles. Romania is fully integrated in these mechanisms – as evidenced by numerous successful cases where cybercriminals have been brought to justice through joint efforts. From a legislative perspective, it is notable that new initiatives (for example, the UN Cybercrime Convention signed in 2025[66]) will provide even more levers for global cooperation, which is a significant advantage in pursuing networks operating from third countries.

Practical issues: identifying perpetrators, proving intent, relationship with Law 161/2003 and Law 365/2002


Investigating and prosecuting computer-fraud offences raises a number of practical and legal challenges due to the technical nature and relative novelty of this field. We discuss below some frequently encountered issues: the difficulty of identifying perpetrators online, proving fraudulent intent, and how the Criminal Code offence interacts with earlier special legislation (Law 161/2003, Law 365/2002).

  • Identifying perpetrators: The relative anonymity offered by the Internet is cybercriminals’ greatest ally. In a computer-fraud investigation, law-enforcement authorities must determine who is actually behind the keyboard. Offenders often mask their electronic identity: they use VPN networks, proxy servers, the dark web, e-mail addresses and domains registered with fake details, payments made via hard-to-trace cryptocurrencies. A classic problem is IP attribution: the fact that an attack originates from a certain IP address does not guarantee identification of the person, especially when an open Wi-Fi network or a botnet of compromised computers is used. Furthermore, when the investigation leads to a bank account where stolen funds were sent, we often find that the account holder is a “money mule” (for example, a recruited student renting out his/her account for small commissions) and not a high-ranking member of the group. Identifying perpetrators therefore requires complex analytical work: correlating multiple pieces of the puzzle – IT logs, CCTV (ATMs, post offices where parcels with fraudulently purchased goods are picked up, etc.), linguistic traces in e-mail communications, covert online monitoring of hacking forums. Once suspects are identified, gathering evidence often involves digital searches: seizing computers/phones and conducting forensic examinations to find incriminating data (wallet files, lists of stolen cards, chats, malware programs). In many cases, without access to the offender’s device it is difficult to prove direct involvement in the attack. Special investigative techniques are also used: in some situations, undercover agents infiltrate clandestine forums and gain suspects’ trust to obtain real-world identity information. In an international case, for example, FBI agents operated a carding forum for months (Operation Carder Profit) and collected data on dozens of hackers, including some Romanians. 
    From a judicial perspective, the challenge is ensuring that all such techniques comply with legal requirements; otherwise the evidence can be challenged (e.g. online interceptions must be authorised; digital searches must respect court warrants, otherwise evidence may be excluded).
  • Proving intent (subjective element): Computer fraud, as an intentional offence with a special purpose, requires proof that the defendant acted “with intent to obtain an unjust material benefit”. Perpetrators are often very young, perhaps IT students, who invoke all sorts of excuses: “I accessed the system just to test its security”, “it was a joke/curiosity, I did not mean to steal money”. Unlike classic fraud, where intent clearly emerges from deceitful acts, in computer fraud it can sometimes be more difficult to demonstrate the plan if the money was not actually taken. Suppose a hacker modifies a loyalty-points database in an online store, increasing their credit. If caught before using the credit, they might claim they never intended to use it, although the typical nature of their action suggests otherwise. In practice, intent is inferred from circumstances: the nature of actions (e.g. masking identity, using malware designed to steal passwords strongly implies a fraudulent purpose), potential benefits (if the modification would have yielded a gain, it is logical that this was the intent) and, where available, statements or communications. For example, chats between hackers may clearly show discussions such as “we will steal this much from account X” – direct proof of intent. More complicated is insider involvement: an IT employee of a company may argue that running a script that blocked the system was not meant to cause loss. Here expert evidence is crucial – a technical report can establish whether the action could realistically be accidental or clearly required knowledge and intent. Another aspect: given that this is a result-based offence (requiring damage), intent at the attempt stage must also be proved convincingly where no loss occurred (e.g. through records showing that the suspect planned to steal funds). 
    Finally, claims of “security testing” are usually undermined by lack of consent – if someone wanted to test a system, they would need the owner’s agreement; otherwise it is clearly an unauthorised action aimed at some benefit.
  • Relationship with Law 161/2003: This framework law – also known as the law on ensuring transparency in the exercise of public dignities and preventing corruption – introduced in Title III (Arts. 35-61) the first cybercrime offences in Romania, implementing the 2001 Budapest Convention. Basically, Law 161/2003 supplemented the old 1969 Criminal Code with offences such as illegal access to systems, computer forgery, computer fraud, etc. Thus, computer fraud and fraudulent financial operations were initially regulated in Arts. 42 and 44 of Law 161/2003, with content almost identical to that of the current Criminal Code[77]. When the new Criminal Code (Law 286/2009) came into force on 1 February 2014, cybercrime offences were fully incorporated (Arts. 360-365 Criminal Code corresponding to Title VII of Law 161/2003). Law 187/2012 (implementing the new Criminal Code) repealed those provisions of Law 161/2003 that duplicated the Code[24][25]. Therefore, Law 161/2003 no longer contains substantive criminal offences; they are now in the Criminal Code. Nevertheless, Law 161/2003 remains relevant for procedural and organisational provisions (e.g. articles concerning DIICOT’s competence, international cooperation, definitions of technical terms at the time). It also contains chapters on preventing cybercrime (awareness campaigns, obligations for certain institutions to secure systems). In court, explanatory memoranda and preparatory documents of Law 161/2003 may still be invoked to interpret concepts in the Code – for instance, the notion of “material benefit for another” may be clarified by reference to the Convention and Law 161. Overall, Law 161/2003 was the initial special law in this field, but its criminal-law role has passed to the Criminal Code.
  • Relationship with Law 365/2002 (E-commerce): Law 365/2002 initially contained a criminal chapter (Chapter VIII) dedicated to offences relating to electronic payment instruments and identification data. Essentially, in the early 2000s, before the Criminal Code was updated, Romania introduced these offences in a special law to cover card-cloning and card-transaction fraud (in line with Council Framework Decision 2001/413/JHA). Articles 24-28 of Law 365/2002 punished, among others: forging an electronic payment instrument, possessing equipment for that purpose, making financial operations with stolen/fictitious instruments, accepting fraudulent transactions, etc.[78][24]. In 2014, as with Law 161/2003, these articles were repealed upon entry into force of the Criminal Code (via Law 187/2012)[79], as the Code took over their substance in Arts. 250, 250^1, 251 Criminal Code[80][81]. For instance, the offence of “fraudulent financial operations” in the Code (Art. 250) essentially corresponds to Art. 25 of Law 365 (using someone else’s card without consent)[36]. Likewise, Art. 250^1 Criminal Code, introduced in 2021, expanded incriminations to cover possession of instruments obtained through offences and production of devices – in fact going beyond the old law. At present, Law 365/2002 (republished) regulates civil/commercial aspects of e-commerce, without criminal provisions (Chapter VIII appears as repealed). Practitioners sometimes still refer to “Law 365” out of habit, but any reference to its criminal content must now be redirected to the Criminal Code. A practical aspect: many older DIICOT indictments (pre-2014) charged defendants under Law 365 offences; during trial, as the law was repealed, courts reclassified them under Art. 250 Criminal Code and corresponding provisions, applying the more lenient law where applicable (generally, penalties remained similar in range).
  • Other problems of multiple classification: Computer fraud sometimes intersects with Law 8/1996 (copyright) – for example, a hacker stealing software and selling it commits essentially a copyright infringement for profit. Classification is separate, but debates may arise on concurrence vs. absorption. Similarly, Law 362/2018 (on security of network and information systems – NIS Directive transposition) contains administrative-sanction provisions for operators of essential services – although not criminal, it interacts with cybercrime: an operator that fails to secure a system and falls victim to fraud may face regulatory penalties.
  • Evidentiary and procedural issues: A specific problem is ensuring the integrity of digital evidence. For a digital item (log, file, message) to be admissible, investigators must show it has not been altered – they use hashing procedures and maintain chain of custody. If the defence proves any compromise of integrity, the evidence can be challenged. Another difficulty is the large volume of data – in a fraud case with thousands of victims, servers may store terabytes of information. Identifying the relevant data and presenting it in an intelligible form to the court is not easy. A further challenge is judges’ technical knowledge: cases are highly technical, so IT expert reports become key tools for translation. It is important that lawyers can ask the right questions of experts (e.g. can we conclusively establish that action X was carried out by user Y? Could the detected script have run accidentally?). Competence issues also arise: if computer fraud is committed by a group, jurisdiction lies with the Tribunal (due to the organised-crime element), whereas individual cases go to the District Court. Disputes have arisen over DIICOT’s competence – as noted, DIICOT is competent only if there are particularly serious consequences plus an organised group[8]; otherwise ordinary prosecutors handle the case. Establishing the amount of damage is therefore essential: if initially it appears to be under 2 million lei, the case may start locally, but if later losses are found to exceed that amount, it is transferred to DIICOT. This happened in phishing cases with many victims: initially, each victim reported small local losses – appearing as minor offences; once it became clear there was a network and the total was large, DIICOT consolidated everything into one complex case.
  • Grounds for non-punishment: Strictly speaking, the law does not provide any special grounds for non-punishment for computer fraud (such as, for example, Art. 290 Criminal Code for bribery – self-reporting by the bribe-giver). However, some situations may lead to the exclusion of criminal liability: (i) Withdrawal of complaint – does not apply here, as prosecution is ex officio. (ii) Reconciliation – the Criminal Code does not list computer fraud among the offences subject to reconciliation (unlike simple fraud, which requires a prior complaint and allows reconciliation under Art. 244 para. (1) Criminal Code[82]). As a result, parties cannot “reconcile” in a way that extinguishes the proceedings. However, if the defendant fully covers the damage and the victim forgives them, the court may consider this in sentencing (e.g. by applying judicial mitigating circumstances). (iii) Minimal participation or lack of fault: if it is proven that a person accused was merely an unwitting instrument (for example, their bank account was used without their knowledge – naïve mule), proceedings may be discontinued for lack of mens rea. (iv) Attempt – not a ground for non-punishment, as attempt is punishable for computer fraud[7], but prosecutors may decide to discontinue proceedings under the principle of prosecutorial opportunity (Art. 318 Criminal Procedure Code) for low-danger cases (applied sparingly in practice).
  • Possible defences: Defence lawyers in such cases employ various technical and legal arguments. One is contesting causation: e.g. if the IT system was vulnerable due to the owner’s negligence (failure to update software), the defendant may argue that their action did not directly “cause” the damage and that the victim’s negligence enabled it – although this does not exonerate the offender, it may be invoked to argue for a lower sentence (victim’s contribution to damage). Another defence is questioning the material element – e.g. in the 2021 HCCJ case, defendants argued that posting ads does not constitute “introduction of computer data” under Art. 249 (and the Court agreed, reclassifying to fraud)[12]. Restrictive interpretation of the legal text can thus be a defence: showing that the concrete act does not fit the typicity of computer fraud. For example, if someone runs a script that slows a system without aiming for material benefit, it may be classified as disruption (Art. 363 Criminal Code), not computer fraud – leading to different penalties. Defence may also target the legality of evidence: where a digital search exceeded the warrant (e.g. officers accessed accounts not covered by the court order), evidence may be excluded. This has occurred in cases where online interceptions were not properly authorised.
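The hashing and chain-of-custody point made under "Evidentiary and procedural issues" above can be made concrete with a short check of the kind an expert for either side might run. This is an added example, not code from the article or from any investigative body; the log format, field names, the "sealed" final digest and all sample data are assumptions constructed for illustration.

```python
"""Hash-chained custody log check. All names, times and data are constructed."""
import hashlib
import json

GENESIS = "0" * 64  # assumed marker meaning "no previous entry"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(prev_digest: str, body: dict) -> str:
    """Bind one custody entry to the digest of the entry recorded before it."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex((prev_digest + canonical).encode("utf-8"))


def append_entry(log, when, actor, action, item: bytes) -> None:
    """Record who handled the item, when, and the item's hash at that moment."""
    body = {"when": when, "actor": actor, "action": action,
            "item_sha256": sha256_hex(item)}
    prev = log[-1]["digest"] if log else GENESIS
    log.append({"body": body, "prev": prev, "digest": entry_digest(prev, body)})


def audit(log, item_now: bytes, sealed_head=None):
    """Return findings as strings; an empty list means no discrepancy found.

    sealed_head is the last digest as written down outside the log (assumed
    here to be noted in a signed report); without it, a log rewritten from
    start to end cannot be told apart from the original.
    """
    if not log:
        return ["custody log is empty"]
    findings = []
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != expected_prev:
            findings.append(f"entry {i}: broken link to previous entry")
        if entry_digest(rec["prev"], rec["body"]) != rec["digest"]:
            findings.append(f"entry {i}: contents changed after recording")
        expected_prev = rec["digest"]
    acquired = log[0]["body"]["item_sha256"]
    for i, rec in enumerate(log[1:], start=1):
        if rec["body"]["item_sha256"] != acquired:
            findings.append(f"entry {i}: item hash differs from acquisition hash")
    if sha256_hex(item_now) != acquired:
        findings.append("item as produced differs from acquisition hash")
    if sealed_head is not None and log[-1]["digest"] != sealed_head:
        findings.append("final digest differs from the separately sealed value")
    return findings


def build_sample():
    """Constructed case: one seized image and three custody events."""
    image = b"constructed disk image: wallet.dat chats.db"
    log = []
    append_entry(log, "2025-03-12T09:10:00+02:00", "investigator A",
                 "acquired", image)
    append_entry(log, "2025-03-12T15:30:00+02:00", "lab technician B",
                 "received", image)
    append_entry(log, "2025-04-02T11:00:00+02:00", "defence expert C",
                 "copy released", image)
    return image, log, log[-1]["digest"]  # last digest is sealed separately


if __name__ == "__main__":
    image, log, head = build_sample()
    print("untouched:", audit(log, image, head))
    print("one byte appended:", audit(log, image + b"\x00", head))
    log[1]["body"]["when"] = "2025-03-13T15:30:00+02:00"  # edited timestamp
    print("entry edited:", audit(log, image, head))
```

A clean result only shows that the item and the log are consistent with each other and with the sealed digest; it says nothing about how the item was acquired in the first place.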

In summary, the Romanian justice system has built up significant experience in tackling these issues. Specialised prosecutors and judges have emerged (especially within DIICOT), case law has consolidated (supported by HCCJ decisions such as the one discussed), and legal tools have been updated (through transposition of recent EU directives). The ongoing challenge is adapting to offenders’ evolving methods – addressed in the conclusions regarding future trends. For the defence, computer-fraud cases demand close collaboration with technical experts to understand and potentially undermine technical accusations, and require knowledge of both domestic law and applicable international conventions, as cross-border elements are often present.

Possible defences and grounds for non-punishment


In the previous section on practical problems, we already touched on certain aspects of possible defences and situations that might exclude criminal liability. Here we summarise the main substantive defence strategies in computer-fraud cases, as well as potential grounds for non-punishment (absolute defences) or analogous situations.

Defence strategies:

  • Denial of involvement and contesting identification: A basic defence is for the defendant to deny being the real perpetrator and to claim that investigators misidentified him/her. For instance, they may assert that someone else used their internet connection (or computer) without their knowledge to commit the fraud – a sort of electronic alibi. The defence tries to cast doubt on whether the offence has been correctly attributed to the client: was it based solely on an IP address? Who else had access to that IP? Could the seized device (phone/computer) have been compromised and used as a proxy? If reasonable doubt arises, the in dubio pro reo principle may lead to acquittal. In practice, such defences can succeed when technical evidence is indirect or incomplete. Defence lawyers often hire independent IT experts to re-analyse logs and determine whether the data could indicate another user. However, where the prosecution presents strong evidence – e.g. transactions immediately followed by cash withdrawals by the defendant at ATMs captured on camera – it becomes difficult to challenge identification.
  • Absence of fraudulent purpose: The defence may acknowledge the defendant’s technical actions but deny any fraudulent intent. They may claim that it was an unauthorised experiment, a security test, a joke and that the defendant did not intend to obtain a benefit. This line of defence targets the subjective element – if successful, it may lead to reclassification into a less serious offence or even removal from criminal liability (if no damage was intended). Courts are, however, generally sceptical, especially where circumstances suggest otherwise. For example, if the defendant transferred funds from the victim’s account to their own and claims “I just wanted to test if it works, I was going to put them back”, this is unlikely to be believed. If a system is accessed but no funds are touched, the discussion is more nuanced: illegal access (Art. 360 Criminal Code) may be retained instead of fraud. Defence might attempt to show that the accused behaves more like a “white-hat” (ethical hacker) who exceeded boundaries out of zeal rather than greed. Without a legal framework to protect such actions (like a penetration-testing contract), the person will still be liable for illegal access, but escaping the computer-fraud charge substantially reduces exposure.
  • Absence or restitution of damage: If no loss occurred, the defence may ask the court to find that the offence elements are not met (computer fraud requires that “damage be caused”[83]). In such a scenario, if the defendant is caught before any loss occurs, they should be liable only for attempt (which is punishable but typically carries lower penalties). The defence may even argue for triviality (de minimis) if the loss is zero or negligible, though this is rarely accepted in offences with high potential harm. Where damage did occur but the defendant fully and promptly made good the loss (e.g. repaid the stolen funds), counsel will emphasise this at trial, not as a ground for impunity (which does not exist here) but as a strong mitigating factor: either reclassification to a milder offence or significant reduction of the sentence. Another possibility: some offences (not computer fraud, but e.g. simple fraud) may be extinguished by reconciliation. If the facts can be reclassified as fraud (in line with the 2021 HCCJ decision) and the victim agrees, reconciliation can end proceedings[84][82]. This may become a deliberate defence strategy: lawyers seek reclassification to fraud and then promote reconciliation (which also explains why many defendants hurry to repay damage, hoping the victim will withdraw their complaint). For computer fraud, however, reconciliation is not legally possible; in such cases, reparation of damage helps only at sentencing.
  • Procedural exceptions and nullities: A vigilant defence will look for any errors in the way evidence was obtained. For example, if a digital search exceeded the mandate (e.g. investigators looked into files outside the authorised scope), exclusion of that evidence can be requested. The same applies if the authorisation for technical surveillance did not sufficiently describe the facts justifying interception. In recent years, Constitutional Court decisions have led to exclusion of some interceptions carried out by the intelligence services under now-invalidated protocols, though in cybercrime cases SRI is usually not involved (those decisions mainly concerned national-security cases). Still, if a case involves SRI cooperation (e.g. cyberattacks affecting critical infrastructure), the defence may challenge the competence of the agency that collected evidence. Another point: translation of foreign documents – in cross-border cases, the defence may argue that some evidence lacking official translation should not be used.
  • Procedural flaws in extradition: Where a defendant has been extradited, defence will check compliance with the speciality principle (they may only be tried for the offences for which they were surrendered). If prosecutors attempt to add new charges, counsel will invoke violation of the treaty. Conversely, where the defendant is tried in absentia abroad, they may challenge whether they were properly summoned, etc.
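The questions raised under "Denial of involvement and contesting identification" above (was the attribution based solely on an IP address, and who else had access to it?) come down to a log re-analysis like the one below. This is an added example, not taken from any case file or from the article; the lease-log format, hostnames, addresses and timestamps are constructed assumptions. It also shows one pitfall beyond the text: reading a UTC timestamp as local time changes the set of candidate devices.

```python
"""Which devices sat behind a shared public IP at the time of a transaction.
All log lines, hostnames and timestamps below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed DHCP lease log of one router (one public IP, NAT for all devices).
# Format assumed for this example: lease_start|lease_end|mac|hostname
LEASE_LOG = """\
2025-03-10T18:02:11+02:00|2025-03-11T06:02:11+02:00|02:00:00:00:00:01|laptop-a
2025-03-10T20:40:00+02:00|2025-03-10T23:40:00+02:00|02:00:00:00:00:02|phone-b
2025-03-10T21:05:30+02:00|2025-03-10T22:05:30+02:00|02:00:00:00:00:03|guest-c
2025-03-10T22:30:00+02:00|2025-03-11T01:30:00+02:00|02:00:00:00:00:04|tv-d
"""

# Constructed server-side record of the disputed transaction, logged in UTC.
EVENT_UTC = "2025-03-10T19:14:05+00:00"
# The same clock reading wrongly treated as local time (UTC+2 on that date).
EVENT_MISREAD = "2025-03-10T19:14:05+02:00"


def parse_leases(text):
    """Parse the lease log; refuse timestamps that carry no UTC offset."""
    leases = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 fields")
        start, end = (datetime.fromisoformat(p) for p in parts[:2])
        if start.tzinfo is None or end.tzinfo is None:
            raise ValueError(f"line {n}: timestamp without UTC offset")
        if end < start:
            raise ValueError(f"line {n}: lease ends before it starts")
        leases.append({"start": start, "end": end,
                       "mac": parts[2], "host": parts[3]})
    return leases


def candidates(leases, event_time, skew=timedelta(minutes=2)):
    """Hosts whose lease covers the event, allowing for clock skew."""
    if event_time.tzinfo is None:
        raise ValueError("event time needs an explicit UTC offset")
    return sorted(l["host"] for l in leases
                  if l["start"] - skew <= event_time <= l["end"] + skew)


def assess(leases, event_time):
    """Summarise what the logs can and cannot support for this event."""
    hosts = candidates(leases, event_time)
    if not hosts:
        verdict = "no lease matches: check clocks and log completeness"
    elif len(hosts) == 1:
        verdict = "single device: identifies a device, not its user"
    else:
        verdict = "ambiguous: several devices shared the IP"
    return {"utc": event_time.astimezone(timezone.utc).isoformat(),
            "hosts": hosts, "verdict": verdict}


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    for label, stamp in (("as logged (UTC)", EVENT_UTC),
                         ("misread as local", EVENT_MISREAD)):
        print(label, assess(leases, datetime.fromisoformat(stamp)))
```

Read correctly, the event falls in a window where three devices held a lease; read as local time, only one device appears, which is how a time-zone slip can turn an ambiguous record into an apparently unique match.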

Grounds for non-punishment / absolute defences:

The Criminal Code does not provide specific grounds for non-punishment for cyber offences. For example, there is no provision stating that “an author of computer fraud who voluntarily restores systems and returns unlawfully obtained funds is not punishable”, as exists in some other offences (e.g. self-reporting in bribery, restitution before prosecution in embezzlement). Such provisions might be considered de lege ferenda, but currently do not exist. Therefore, only the general grounds in the General Part may apply:

  • Lack of culpability: if the act occurred without intent and not even through gross negligence – in practice, difficult to imagine for computer fraud, which is inherently intentional. A theoretical example is a virus created by someone else that runs on your computer and steals funds without your knowledge: in that case, you are not the active subject (it is as if someone used your house for crime without your knowledge).
  • Mistake of fact or law: where the defendant genuinely believed they had the right to act (mistake of fact, hard to argue here) or believed the data belonged to them – highly unlikely. Mistake of law (e.g. “I didn’t know it was illegal to modify data if I don’t actually take money”) does not exonerate as a matter of principle.
  • Force majeure or duress: where someone is forced under serious threat to commit a cyberattack, there may be a ground for non-punishment (absolute physical coercion excludes the act, moral coercion may render it non-imputable if the threat is serious, under Art. 26 Criminal Code). In practice, very rare: a hacker threatened at gunpoint to transfer funds from a victim’s account; if real, he would not be criminally liable.
  • Reparation of damage: as noted, not a formal ground for non-punishment (it does not extinguish liability), but in practice some prosecutors may opt to discontinue prosecution (Art. 318 Criminal Procedure Code) if the act has low gravity and the damage is fully repaired. For example, a student who stole 500 lei via a small hack and repaid the money might receive only a warning through a non-prosecution solution. This is not non-punishment in the strict sense (an administrative warning remains), but avoids conviction.
  • Special cases: in other cyber offences (e.g. child pornography), there is a specific ground for non-punishment where a person holds such material solely to report it (Art. 374 para. (4) Criminal Code). No similar rule exists for computer fraud – but if a security researcher discovers a vulnerability and minimally exploits it to demonstrate it to the company and then reports it in good faith, ideally they should not be punished. However, there is no explicit legal protection for good-faith security research. This is a subject of international debate: the new UN convention has been criticised for not sufficiently protecting ethical hackers[54]. In practice, such researchers may hope for prosecutorial discretion or for authorities not to press charges where they acted immediately to remediate and reported properly.

In conclusion, although computer fraud does not benefit from specific statutory grounds for non-punishment, the conduct of investigations and trials still offers avenues to mitigate or avoid liability in particular cases: at the prosecution stage (discretion in minor cases, especially where damage is repaired), at the classification stage (reclassification to milder offences enabling reconciliation, as clarified by the 2021 HCCJ decision[85]), and at sentencing (suspended sentences for defendants who fully repaired damage and cooperated). Defences succeed where they can highlight a break in the evidentiary chain or a mismatch between the alleged act and the legal norm.

For lawyers, defending computer-fraud cases requires a mix of solid legal knowledge, technological understanding and creative argumentation. Invoking HCCJ Decision no. 37/2021 is now an important tool: where the client’s conduct resembles online fraud more than hacking, counsel will emphasise this to seek reclassification (reducing maximum penalties and possibly opening the way to reconciliation under Art. 244 para. (1) Criminal Code). Lawyers can also negotiate early so that cooperating clients receive reduced sentences: practices similar to US plea bargains are emerging in Romania via plea agreements (Art. 480 Criminal Procedure Code). DIICOT tends to use them sparingly in serious and complex cases, but they exist, especially for mules who plead guilty and receive suspended sentences in exchange for testimony against network leaders.

Ultimately, the best “defence” remains prevention – ideally, potential offenders should be made aware that the apparent benefits of cyber fraud are not worth the risk of severe criminal penalties and reputational ruin. Lawyers can contribute to prevention through legal education (seminars, articles like this), explaining where the line lies between legal hacking and crime and what consequences apparently “invisible” online acts may have.

Conclusions: legislative trends, future challenges and good practices for lawyers


Computer fraud stands at the intersection of technological progress and the inherent vulnerabilities of the digital society. In closing this analysis, we can draw some general conclusions and outline future perspectives, both legislative and practical, together with recommendations for practitioners:

Legislative and criminal-policy trends: The Romanian legislator has shown proactivity in updating the legal framework. Amendments to the Criminal Code by Law 207/2021 – extending definitions to cover virtual means of payment and introducing new offences (Art. 250^1 Criminal Code on possession/distribution of stolen means of payment and fraud devices) – demonstrate capacity to adapt to emerging threats (e.g. cryptocurrency criminality, wallet fraud, etc.)[81][86]. Legislation is likely to continue evolving. EU directives will remain a key driver: current debates at EU level concern extending liability of digital service providers where their services facilitate fraud (e.g. obligations on platforms to flag suspicious transactions, similar to AML regimes). The upcoming ePrivacy Regulation and future legislation on European digital identity may affect how fraud is investigated (balancing data access needs with privacy). Globally, adoption of the UN Cybercrime Convention (2025) will be a defining moment: Romania will need to ratify it and implement any additional obligations. For instance, the convention might require explicit criminalisation of new types of conduct (distinct cryptocurrency fraud, SIM-swapping fraud), which the Romanian legislator would then incorporate. Domestically, we may see greater emphasis on preventive measures: either legislatively or through guidelines, cybersecurity standards for key sectors (banking, utilities) may be imposed – failure to comply could be penalised (if not criminally, at least with severe administrative fines). Law 362/2018 already provides heavy penalties for operators of critical IT infrastructure who fail to implement adequate security measures. Another direction is enhancing cooperation tools: the EU’s e-evidence mechanism (enabling authorities to obtain data stored abroad directly from service providers) would simplify fraud-related evidence-gathering and is under development.

Future challenges: Cybercriminals continually adjust their methods. Anticipated challenges include:

  • Abuse of new technologies: Generative AI is already used to craft far more convincing phishing e-mails and to generate fake voices or videos (deepfakes). For instance, a deepfake of a CEO’s voice can be used to convince an employee to make a wire transfer (such audio-fraud cases have already occurred). These scenarios raise attribution issues (who created the deepfake?) and may require legislative response (criminalisation of deepfake use for fraudulent purposes, obligations on tech companies to detect and flag deepfakes). The Internet of Things (IoT) is another concern: more and more connected devices may be compromised and used in fraud (e.g. attackers gaining access to a smart-car payment system making fuel payments). Legislation will have to keep pace with definitions and protection mechanisms for such instruments.
  • Virtual currencies and decentralised finance: Cryptocurrencies have become the preferred currency for many offenders. Typical frauds include rug-pulls (fraudulent crypto projects disappearing with investors’ money), scam ICOs, NFT thefts, etc. The Criminal Code already defines “virtual currency”[87], so conceptually we are prepared. In practice, tracing these funds remains a technological challenge. Authorities invest in blockchain-analysis tools, and cooperation with exchanges is crucial. We can expect tighter regulation of crypto platforms, including user identification obligations (eroding anonymity for significant transactions). For lawyers, this entire field is new and complex – requiring specialisation and understanding of both blockchain technology and the legal framework (e.g. application of money-laundering offences to crypto-mixers).
  • Attacks on critical infrastructure: Where computer fraud targets strategic systems (energy grid, national banking system), consequences can be overwhelming. The line between ordinary criminality and national security becomes blurred. The Romanian state must be prepared both legislatively (possible harsher penalties for acts affecting critical infrastructure – e.g. special aggravated variants) and operationally (joint police-intelligence teams, incident-response centres with CERT.RO integrated). Law 1/2023 on cyber security and defence already gives the intelligence services a role in preventing and responding to major cyberattacks.
  • Education and resilience: A transversal challenge is public and corporate education. Many frauds succeed because human factors are the weak link (e.g. employees clicking on malicious links, users not checking e-mail sources). While not strictly a legal issue, it carries legal implications in terms of liability: companies can be held administratively or civilly liable if they fail to educate their staff and thereby enable losses (e.g. a bank customer harmed by fraud might seek compensation if the bank failed to issue adequate warnings). Corporate criminal liability is also relevant: where a senior employee commits computer fraud in the interest of the company, the company itself can be prosecuted under Art. 135 Criminal Code. We may see future cases where IT companies face criminal investigation for knowingly developing or selling fraud tools (we already have examples of spyware companies indicted in other contexts).

Good practices for lawyers: Lawyers handling cybercrime cases should adopt several best practices:

  • Acquiring digital skills: It is essential for lawyers to understand technical jargon and how systems work. Basic cybersecurity training or close collaboration with IT experts is advisable. An informed lawyer can ask the right questions of experts and identify gaps in the prosecution’s technical reasoning.
  • Ensuring data confidentiality: When working with digital evidence (e.g. receiving a forensic copy of a hard drive for defence analysis), lawyers must ensure that data are not disseminated, respecting both professional secrecy and any court-imposed conditions (some judges require confidentiality undertakings before releasing large datasets, especially where they include personal data of many victims).
  • Multidisciplinary approach: Computer-fraud cases may require expertise in criminal law, criminal procedure, international law, data protection (if third-party data are requested, GDPR applies), banking law (e.g. understanding SEPA/SWIFT regulations). A team combining these specialisations can be ideal. For example, in an extradition case, a specialist in international criminal procedure is needed; in cases with 100 civil parties, an expert in damages is useful.
  • Negotiation and alternative solutions: Where possible, counsel should consider the option of admitting guilt or repairing damage before trial. In many online fraud cases, if the defendant is a first-time offender and repays the stolen funds, a suspended sentence via plea agreement may be achievable (if the prosecutor agrees). It is always important to weigh what is best for the client – a full trial with 50/50 chances or a certainty of a reduced sentence in exchange for a confession. In cases with multiple victims, mediation (where applicable, although in ex officio offences it cannot extinguish proceedings) can still mitigate consequences (if all victims are compensated, courts may go below the minimum sentence).
  • Keeping up to date: This field evolves rapidly – new fraud typologies appear (e.g. scams on crowdfunding platforms, polymorphic malware for credential theft). Lawyers must monitor national case law (e.g. via rejust), relevant foreign decisions and specialised publications to understand trends. Participating in conferences (Cyberlaw, National Institute of Magistracy courses on digital evidence, etc.) is also beneficial.

Overall, Romania has a robust, EU-harmonised legislative framework for tackling computer fraud, but the real battle is in practice, where offenders constantly innovate. Supported by international bodies and increasingly sophisticated technical expertise, the justice system is catching up – more and more fraud networks are uncovered and punished, sending a deterrent message. The challenge is maintaining this balance: continuously updating the law, training specialists (digital investigators, IT-savvy prosecutors and judges) and ensuring close global cooperation.

For lawyers – whether prosecuting or defending – computer fraud is a dynamic and demanding field, where casework forces one to understand both the offender’s mindset and the machine’s logic. Ultimately, good professional practice also includes ethics: advising clients towards lawful solutions (e.g. companies to fix security breaches; talented young hackers to use their skills in cybersecurity rather than fraud) and contributing, through our work, to strengthening trust in the digital environment. In an increasingly digital world, lawyers play a key role in upholding the rule of law and legality online, ensuring that those who commit computer offences are held accountable under the law and that the rights of all parties involved are respected.

Selective bibliography / cited sources: Romanian Criminal Code (Arts. 249, 250, 360-366); Law 161/2003; Law 365/2002; High Court of Cassation and Justice Decision no. 37/2021 (preliminary ruling)[10][11]; Portal Legislativ – amendments by Law 207/2021[88]; Eurojust press releases[2][38]; DIICOT communiqués / news on relevant cases[89][26]; ENISA reports[1]; ZicLegal – DIICOT competence[90]; UNODC, Europol – statistical data and trend analyses[66][68]. (All sources were accessed and verified in November 2025.)


[1] ENISA Threat Landscape 2023 report points to surge in ransomware …
https://industrialcyber.co/threat-landscape/enisa-threat-landscape-2023-report-points-to-surge-in-ransomware-rise-in-supply-chain-attacks-persistent-ddos-threats/

[2] [3] [55] [56] [57] [58] [70] [71] [72] Eurojust assists in operation in Romania and Moldova against laundering phishing fraud proceeds | Eurojust | European Union Agency for Criminal Justice Cooperation
https://www.eurojust.europa.eu/news/eurojust-assists-operation-romania-and-moldova-against-laundering-phishing-fraud-proceeds

[4] Frauda informatică – definiție, exemple și pedepse | Avocat Iliescu
https://avocatiliescu.ro/frauda-informatica-definitie-si-pedepse-art-249-cod-penal/

[5] [37] [40] [43] Infracțiunile informatice: Ce spune legea despre hacking, phishing sau fraudă online | Adrian Țapu – Cabinet de avocat
https://tapu.ro/ro/infractiunile-informatice-ce-spune-legea-despre-hacking-phishing-sau-frauda-online/

[6] [80] [81] [83] [86] [87] [88] LEGE 207 21/07/2021 – Portal Legislativ
https://legislatie.just.ro/Public/DetaliiDocument/244841

[7] [36] CODUL PENAL 17/07/2009 – Portal Legislativ
https://legislatie.just.ro/Public/DetaliiDocumentAfis/109855

[8] [9] [23] [90] Infracțiuni ce intră în competența DIICOT – Direcția de Investigare a Infracțiunilor de Criminalitate Organizată și Terorism | ZIC Legal
https://zic.legal/infractiuni-competenta-diicot/

[10] [11] [12] [13] [14] [85] DECIZIE 37 07/06/2021 – Portal Legislativ
https://legislatie.just.ro/Public/DetaliiDocument/244415

[15] [16] [17] [18] [19] [20] [21] [22] [89] DIICOT: Grup infracțional, cercetat pentru infracțiuni informatice care au creat site-uri false asemănătoare cu ale unor unități bancare; peste 40 de persoane vătămate – Financial Intelligence
https://financialintelligence.ro/diicot-grup-infractional-cercetat-pentru-infractiuni-informatice-care-au-creat-site-uri-false-asemanatoare-cu-ale-unor-unitati-bancare-peste-40-de-persoane-vatamate/

[24] [25] [79] LEGE 365 07/06/2002 – Portal Legislativ
https://legislatie.just.ro/Public/DetaliiDocument/37075

[26] [27] [30] Doi hackeri români, condamnaţi la închisoare după ce au păgubit cu 10 milioane de dolari restaurantele Subway din SUA | adevarul.ro
https://adevarul.ro/stiri-interne/evenimente/doi-hackeri-romani-condamnati-la-inchisoare-dupa-645269.html

[28] [29] [31] [32] [33] [34] Office of Public Affairs | Two Romanian Nationals Sentenced to Prison for Scheme to Steal Payment Card Data | United States Department of Justice
https://www.justice.gov/archives/opa/pr/two-romanian-nationals-sentenced-prison-scheme-steal-payment-card-data

[35] [51] Sentință Record: Hackeri Români, Condamnați La 110 De Ani De …
https://www.libertatea.ro/stiri/sentinta-record-hackeri-romani-condamnati-la-110-de-ani-de-inchisoare-1736733

[38] [39] [52] [53] [73] [74] [75] Action against ATM fraud in Romania and UK stopped by joint investigation team with Eurojust assistance | Eurojust | European Union Agency for Criminal Justice Cooperation
https://www.eurojust.europa.eu/news/action-against-atm-fraud-romania-and-uk-stopped-joint-investigation-team-eurojust-assistance

[41] USD 439 million recovered in global financial crime operation
https://www.interpol.int/en/News-and-Events/News/2025/USD-439-million-recovered-in-global-financial-crime-operation

[42] INTERPOL financial crime operation makes record 5,500 arrests …
https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-financial-crime-operation-makes-record-5-500-arrests-seizures-worth-over-USD-400-million

[44] [45] [46] Section 263a
https://sherloc.unodc.org/cld/en/legislation/deu/german_criminal_code/special_part_-_chapter_twenty-two/section_263a/section_263a.html

[47] La cybercriminalité – Sécurité des systèmes d’information de l’académie de Strasbourg
https://ssi.ac-strasbourg.fr/referentiels/le-juridique/les-themes/la-cybercriminalite/

[48] [49] Computer Fraud and Abuse Act – Wikipedia
https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

[50] Computer Fraud and Abuse Act (CFAA) | 18 U.S.C. 1030
https://www.thefederalcriminalattorneys.com/federal-computer-hacking

[54] [66] [67] [68] [69] Around 70 countries sign new UN Cybercrime Convention—but not everyone’s on board | Malwarebytes
https://www.malwarebytes.com/blog/news/2025/10/around-70-countries-sign-new-un-cybercrime-convention-but-not-everyones-on-board

[59] [64] AI’s Impact on Digital Fraud and Financial Crime – OECD.AI
https://oecd.ai/en/incidents/79762

[60] AI-Driven Online Scams Cause Widespread Financial Harm – OECD.AI
https://oecd.ai/en/incidents/2025-11-04-af24

[61] 11th Edition of the ENISA Threat Landscape Report 2023: Top …
https://www.cm-alliance.com/cybersecurity-blog/11th-edition-of-the-enisa-threat-landscape-report-2023-top-findings

[62] Operation HAECHI VI seized $439M from global cybercrime rings
https://securityaffairs.com/182576/cyber-crime/operation-haechi-vi-seized-439m-from-global-cybercrime-rings.html

[63] USD 257 million seized in global police crackdown against … – Interpol
https://www.interpol.int/en/News-and-Events/News/2024/USD-257-million-seized-in-global-police-crackdown-against-online-scams

[65] UN Convention against Cybercrime opens for signature in Hanoi …
https://unis.unvienna.org/unis/en/pressrels/2025/uniscp1190.html

[76] COURT DOC: Romanian Extradited to the United States, Charged …
https://flashpoint.io/blog/usa-vs-becheru/

[77] DECIZIE 68 29/09/2021 – Portal Legislativ
https://legislatie.just.ro/Public/DetaliiDocument/250575

[78] ARTICOLUL 27 Legea 365/2002 comertul electronic Infracţiuni …
https://legeaz.net/legea-365-2002-comertului-electronic/articolul-27-infractiuni-savarsite-in-legatura-cu-emiterea-si-utilizarea-instrumentelor-de-plata-electronica-si-cu-utilizarea-datelor-de-identificare-in-vederea-efectuarii-de-operatiuni-financiare

[82] cum se probează şi când te poţi împăca cu partea vătămată
https://blog.procese-avocat.ro/inselaciunea-alte-infractiuni-patrimoniale-cum-probeaza-cand-poti-impaca-partea-vatamata/

[84] Inselaciune, impacare cu partea vatamata – Răspunsuri Avocatnet.ro
https://www.avocatnet.ro/forum/discutie_560689/Inselaciune-impacare-cu-partea-vatamata.html