Romanian Hacker Extradited to US After 17 Years for VoIP Vishing Scheme

Romanian Hacker Extradited to US After 17 Years for VoIP Vishing Scheme

Gavril Sandu, 53, faces up to 30 years in prison for orchestrating a voice-phishing fraud ring that hacked small businesses’ phone systems to steal bank credentials — crimes committed more than a decade and a half ago.

A Romanian national accused of hacking into the VoIP phone systems of small American businesses to conduct large-scale bank fraud has finally arrived on U.S. soil — nearly 17 years after the crimes were committed. Gavril Sandu, 53, was extradited from Romania to the United States on April 30, 2026, and appeared before a federal court in Charlotte, North Carolina, where he was remanded into custody.

The case, which dates back to a fraud operation carried out between May 2009 and October 2010, stands as a striking example of both the enduring reach of American law enforcement and the long shadow that cybercrime can cast over a person’s life. The indictment was handed down in November 2017 — itself seven years after the alleged offenses — and Sandu was only arrested in Romania on January 9, 2026.

How the Scheme Worked

Prosecutors allege that Sandu and his co-conspirators executed a sophisticated but scalable form of fraud known as “vishing” — short for voice phishing. Rather than targeting the banks or financial institutions themselves, the group identified a far softer target: the phone systems of small businesses across the United States.

Small companies running Voice over Internet Protocol (VoIP) systems in that era were notoriously under-secured. Many used off-the-shelf software like Asterisk or FreePBX with default credentials, no firewall protections, and internet-exposed SIP ports — making them easy prey for remote attackers armed with automated scanning tools. Once inside a business’s phone system, the conspirators deployed automated scripts that placed outbound calls to customers of banks and credit unions.

Those calls were designed to impersonate the financial institutions themselves. Victims, seeing what appeared to be a legitimate number on their caller ID, were prompted by an automated voice to enter their debit card numbers and PIN codes — information that was harvested in real time.

Sandu’s Alleged Role: Cards, Cash, and Mule Work

According to the indictment, Sandu’s role went beyond technical access. He allegedly received stolen debit card numbers and PINs from co-conspirators and used that data to manufacture cloned magnetic-stripe cards — physical counterfeits that could be used at ATMs and point-of-sale terminals as if they were the originals.

Sandu also allegedly acted as a “money mule,” personally travelling to ATMs to withdraw cash from victims’ compromised accounts. He would then share a portion of the proceeds with his co-conspirators while retaining a cut for himself — a classic layering technique designed to put distance between the fraud and its architects.

A 17-Year Timeline

• 2009 – 2010 Sandu and co-conspirators allegedly hack small businesses’ VoIP systems across the US, deploying scripts to conduct mass vishing campaigns targeting bank customers.
• November 14, 2017 A federal grand jury in Charlotte, North Carolina, returns a criminal indictment against Sandu, charging one count of conspiracy to commit bank fraud and one count of bank fraud.
• January 9, 2026 Sandu is arrested in Romania following years of international coordination between the DOJ’s Office of International Affairs, the FBI’s Bucharest Law Enforcement Attaché Office, and Romanian authorities.
• April 30, 2026 Sandu is extradited to the United States and transferred into federal custody.
• May 2026 Sandu appears before a U.S. federal judge in Charlotte. He remains in custody and faces a maximum penalty of 30 years in federal prison if convicted.

Why It Took So Long

The nearly two-decade gap between the alleged crimes and extradition is unusual even by the standards of complex international cybercrime cases. International extradition requires treaty agreements, diplomatic coordination, and domestic legal proceedings in the country where the suspect resides — all of which can stall for years. Romania, while an EU member and a country with a US extradition treaty, has its own court review process that must be satisfied before any transfer can proceed.

Reid Davis, Special Agent in Charge of the FBI in North Carolina, acknowledged the timeline but framed it as a deliberate message: “Today’s digital age provides greater opportunity to steal your identity and your money,” he said, adding that the bureau remains committed to pursuing international cyber fraudsters. “Justice has no timeline.”

A Blueprint for Today’s Phone Scam Epidemic

The Sandu case is notable not just as an individual prosecution, but as an early documented example of what has since become an enormous global criminal industry. The fundamental technique — hijacking a legitimate phone system to place spoofed calls that impersonate banks — remains the core mechanic of billions of scam calls made every year.

The tools have evolved dramatically since 2009. Caller ID spoofing services are now commercially available. Artificial intelligence can clone voices in real time with only seconds of audio as a reference. Industrialized scam call centers — some staffed by trafficked workers — operate at scale across Southeast Asia and beyond. But the underlying logic of the Sandu scheme is unchanged: find a trusted communication channel, impersonate an authority, and exploit the moment of confusion to extract credentials.

The prosecution underscores that even a decade-old fraud conviction can carry severe consequences — and that U.S. authorities are willing to invest significant diplomatic resources to see cases through. A federal district court judge will determine any sentence following conviction, taking into account U.S. Sentencing Guidelines and other statutory factors.