As Programme Manager of the iPROCEEDS-2 and CyberSEE projects at the Council of Europe, Dan Cuciurianu plays a leading role in strengthening international cooperation and investigative capacities to combat cybercrime across South-East Europe and Türkiye. Drawing on his experience as a former cybercrime investigator in Romania, he brings a practical, operational perspective to policy and training initiatives aimed at building long-term resilience in the fight against digital threats.

Ahead of the Digital Forensics Conference 2025, where he will moderate a panel discussion, Dan shares insights on cross-border investigations, digital evidence challenges, and the evolving role of capacity-building in cybercrime response.

1. You’ve transitioned from leading cybercrime investigations in Romania to managing regional capacity-building programs at the Council of Europe. How has your field experience shaped the way you approach international cooperation on cybercrime today?

My experience leading cybercrime investigations in Romania has deeply shaped my approach to international cooperation. Working directly with operational teams revealed real challenges, limited cross-border access to data, inconsistent procedures, and the need for swift, coordinated action. To overcome these, I often went beyond my formal duties to connect investigators with foreign counterparts, enabling access to critical evidence and support.

This hands-on experience led me to help establish one of Romania’s first Joint Investigation Teams with Italian authorities, now a common model across Europe, but at the time new and difficult to implement. As the national point of contact for cooperation with major private sector entities, I also learned the importance of clear communication, standardized terminology, and trust between institutions.

These lessons guide my current work managing regional capacity-building programs, such as CyberSEE, where I ensure initiatives are practical and responsive to investigators’ real needs. My focus is on building trusted networks, fostering results-oriented cooperation, and supporting effective use of international instruments such as the Second Additional Protocol (2AP) to the Budapest Convention on Cybercrime.

The 2AP provides new tools for cross-border access to electronic evidence while upholding human rights and data protection standards. Our programs help countries move from commitment to implementation by engaging decision-makers in legislative reform, supporting national working groups, and raising awareness among practitioners and stakeholders. Since 2025, we’ve launched these efforts in Serbia, Albania, Bosnia and Herzegovina, Montenegro, and North Macedonia, strengthening regional frameworks for international cooperation on cybercrime.

2. The iPROCEEDS-2 and CyberSEE projects aim to strengthen responses to cybercrime and electronic evidence across South-East Europe and Türkiye. What are the biggest gaps or challenges you’re addressing in these regions?

South-East Europe and Türkiye face an increasingly complex cybercrime landscape, driven largely by financial motives but also influenced by organised crime and state-sponsored activities. While investment fraud, ransomware, and business email compromise remain dominant threats, there is also a worrying rise in online child sexual exploitation and abuse. The spread of the “crime-as-a-service” model enables even low-skilled actors to launch sophisticated attacks using rented malware, phishing kits, or money laundering networks, further expanding the threat environment.

Major incidents, such as cyber-attacks against critical infrastructure and services, demonstrated how destructive operations can paralyse public institutions. These events underscored the urgent need to bridge the gap between cybersecurity measures and criminal justice responses, ensuring that both preventive and investigative mechanisms work in tandem. In response to these threats, several countries have taken significant steps to strengthen their resilience. Albania, for example, established a National Cybersecurity Agency, with enhanced mandate, resources, technical capacities and strategy. This reflects a broader regional shift toward more structured, coordinated, and capable national responses to cyber threats.

A persistent challenge across the region is tracing and confiscating illicit assets, as criminals increasingly use virtual currencies for ransomware payments, illegal services, and money laundering. While countries like Serbia and North Macedonia have introduced crypto asset regulations, law enforcement still needs stronger skills in blockchain analysis and digital forensics to effectively follow the money.  Through the CyberSEE project, we continue to strengthen investigative and prosecutorial capacities, promote harmonized legal frameworks, and foster closer cooperation between cybersecurity and criminal justice communities. Our goal is to help countries respond to cybercrime with greater speed, precision, and coordinated action, building long-term regional resilience.

3. What’s a challenge in digital forensics that you think is underestimated — and how are you addressing it? 

An underestimated challenge in digital forensics is the increasing difficulty of accessing and analysing electronic evidence due to encryption, anonymisation, and the growth of the cybercriminal underground economy. The rise of darknets and privacy-focused cryptocurrencies enables offenders to act anonymously, while darknet marketplaces make sophisticated tools and services easily available even to those with limited technical skills.

Encryption, though essential for privacy, poses a major obstacle for law enforcement by limiting lawful interception and forensic access to crucial data. Combined with the use of virtual currencies such as Bitcoin or Monero, tracing illicit transactions and identifying perpetrators becomes increasingly complex. In South-East Europe, these challenges can slow investigations and reduce the effectiveness of prosecutions.

Strengthening the capacity to secure evidence from computer systems, whether related to cybercrime or any other form of crime, for use in criminal proceedings is crucial to ensuring a criminal justice response that is both effective and consistent with human rights and rule-of-law standards. Facilitating access to specialised training and cooperation frameworks at the European and international levels, including technical courses through training institutions such as police academies, along with building stronger partnerships with the private sector, particularly the cybersecurity industry and academia, are key to addressing this challenge.

4. You’ve led joint investigation teams for major international operations like RESIDENT, COLD LAKE, and BRUNO. What lessons did you take from those operations that inform your current policy and training work?

The main lesson I took from those international operations is that success in combating cybercrime is never achieved in isolation, it depends on strong partnerships, mutual trust, and the ability to combine expertise across jurisdictions and sectors. Equally important, training must have a practical, hands-on component that mirrors real investigative challenges. This principle guides my work at the Council of Europe, where we design capacity-building activities that promote collaboration and real-world learning. I believe that the only thing that truly matters in our activities is the extent to which they lead to new partnerships and joint actions against cybercriminals.

One example is the Underground Economy Conference, hosted annually at the Council of Europe in Strasbourg. It brings together around 500 experts from over 70 countries, law enforcement officers, cybersecurity professionals, financial institutions, private industry, and academia. The conference is a unique platform where practitioners share experiences from recent operations, discuss challenges and results, and explore emerging tools and technologies. It has become a global hub for strengthening public-private partnerships and triggering new operations against cybercrime.

Another example is the CyberGames, first held in Kuala Lumpur in May 2025. What began as a regional initiative has grown into a global event, with 140 participants from 50 countries competing in realistic team challenges that simulate ransomware investigations, OSINT-based attribution, forensic imaging, and cryptocurrency tracing. These exercises foster cooperation, strengthen practical skills, and promote the use of Budapest Convention tools. Building on this success, we will continue to expand the Cyber Games and other practical initiatives through 2026 and 2027, helping practitioners worldwide enhance their investigative capabilities and international cooperation on cybercrime and electronic evidence.

5. As someone who’s been both on the front lines and now in a regional leadership role, what advice would you give to countries trying to modernize their justice systems to better handle digital evidence and transnational cybercrime?

Modernizing justice systems to address digital evidence and transnational cybercrime requires an integrated approach spanning legal frameworks, operational structures, technical capacities, and cross-sector cooperation. At the legal level, countries must update cybercrime and electronic evidence legislation to align with international standards and EU priorities. This ensures authorities can effectively pursue emerging threats, including ransomware, illegal cryptocurrency use, AI-enabled crime, and darknet-based operations, while maintaining human rights and rule-of-law compliance.

From an operational perspective, tackling serious cybercrime increasingly requires specialized, team-based models. Complex investigations often face 3 primary challenges: attributing actors within anonymized infrastructures, de-anonymizing criminal platforms (including ToR and other darknet environments), and tracing illicit financial flows. To address these, investigative teams should be structured around 4 specialized roles. Team leaders or cyber managers coordinate between frontline investigators and senior decision-makers, guide strategic operations, and act as executive contacts for international partners. Investigators focus on attribution, identifying high-value targets, affiliates, and crime-as-a-service networks. Forensic experts conduct technical analysis, including reverse engineering malware, mapping criminal infrastructures, de-anonymizing communications, and collecting admissible digital evidence. Financial investigators trace cryptocurrency transactions, reconstruct laundering chains, and link illicit proceeds to criminal operations.

Capacity-building requires flexible, hands-on training in digital forensics, OSINT, malware analysis, network mapping, and cryptocurrency tracing, embedded into police and prosecution academies and continuous professional development programs. Strong collaboration with the cybersecurity industry, academia, and private sector actors is essential, supported by regular operational exchanges to maintain trust and facilitate intelligence sharing. International mechanisms, including Joint Investigation Teams, Europol operational agreements, and coordinated cross-border meetings, enhance information exchange, provide real-time operational support, and enable complex transnational investigations.

By combining specialized roles, advanced technical training, integrated operational models, legal harmonization, and multi-level cooperation, justice systems can effectively investigate, attribute, and prosecute cybercrime, secure digital evidence, and maintain relevance in global investigative networks.