Romanian Hacker Gets 56 Months for Oregon Government Breach

Huma Shazia · 28 May 2026 at 6:42 pm · 4 min read
Key Takeaways

Source: BleepingComputer
  • Catalin Dragomir sold access to Oregon's emergency management network for $3,000 in Bitcoin
  • The hacker's activities caused at least $250,000 in losses across more than 10 U.S. victims
  • International cooperation between U.S. and Romanian authorities led to extradition and prosecution

Catalin Dragomir, a 46-year-old Romanian national, will spend 56 months in federal prison for breaking into Oregon's emergency management computer network and selling access to the highest bidder. A U.S. federal court handed down the sentence this week after Dragomir pleaded guilty to aggravated identity theft and obtaining information from a protected computer.

The case shows a shift in how governments pursue cybercriminals across borders. Dragomir operated under the alias "inthematrixl" from Constanta, Romania. He likely assumed that distance from U.S. jurisdiction would protect him. It did not.

What Dragomir Did

In June 2021, Dragomir compromised a computer on the network of the Oregon Office of Emergency Management. Rather than exploit the access himself, he turned it into a product. He advertised administrative access to the system on dark web forums, eventually selling it for $3,000 in Bitcoin.

To prove the access was legitimate, Dragomir provided prospective buyers with samples of personally identifiable information pulled from the hacked system. These samples included names, email addresses, dates of birth, and passport numbers. State emergency management agencies typically hold sensitive data on disaster response personnel, volunteers, and sometimes affected residents.

Oregon was not an isolated target. Prosecutors say Dragomir sold access to the networks of nearly a dozen other U.S. organizations. His total criminal activity caused at least $250,000 in losses across all victims.

$250,000
Total losses caused by Dragomir's access-selling operation across more than 10 U.S. victims

The Access Broker Model

Dragomir's case illustrates a common pattern in modern cybercrime. Access brokers do not deploy ransomware or steal data themselves. They specialize in initial intrusion, then sell that foothold to other criminals who handle the next phase. This division of labor makes cybercrime more efficient and harder to trace.

For buyers, purchasing access saves time. They skip the reconnaissance and exploitation phases entirely. For sellers like Dragomir, it creates recurring revenue with lower risk than conducting full attacks. The model thrives on dark web marketplaces where reputation systems help buyers verify sellers.

International Cooperation Closed the Gap

Dragomir was arrested in Romania in November 2024. The arrest required coordination among the Justice Department's Office of International Affairs, the Romanian Ministry of Justice, the Directorate for International Law and Judicial Cooperation, and the Romanian Judiciary. He was extradited to the United States in January 2025.

The FBI's Portland Field Office investigated the case. The Justice Department's Computer Crime and Intellectual Property Section prosecuted it. That section has secured court orders returning over $350 million in victim funds since 2020, following convictions against more than 180 cybercriminals.

The Sentence

Dragomir's charges carried a maximum of five years in prison for the computer intrusion count, plus a mandatory consecutive two-year term for identity theft. The court also imposed a potential $250,000 fine and three years of supervised release.

The court ordered Dragomir to forfeit approximately 23 Monero, valued at roughly $8,500. Monero is a privacy-focused cryptocurrency often preferred by cybercriminals because its blockchain obscures transaction details, making funds harder to trace than Bitcoin.

What This Means for Organizations

Government networks remain attractive targets for access brokers. Emergency management systems hold sensitive data and often connect to other state infrastructure. A compromised access point can serve as a stepping stone to larger attacks.

Organizations should assume their network access has value on criminal marketplaces. Monitoring for unauthorized access, implementing multi-factor authentication, and auditing privileged accounts can help detect access-broker activity before a second attacker arrives.

Frequently Asked Questions

What is an access broker in cybercrime?

An access broker is a cybercriminal who specializes in breaking into computer networks and selling that access to other criminals, rather than exploiting it directly. Buyers typically deploy ransomware, steal data, or conduct espionage using the purchased access.

How did Romanian authorities cooperate with U.S. law enforcement?

The Justice Department's Office of International Affairs coordinated with the Romanian Ministry of Justice and the Directorate for International Law and Judicial Cooperation. Dragomir was arrested in Romania in November 2024 and extradited to the U.S. in January 2025.

Why did the hacker use Monero instead of Bitcoin?

Monero's blockchain obscures transaction details, making funds harder to trace than Bitcoin. This privacy feature makes it popular among cybercriminals trying to avoid detection.

What data was exposed in the Oregon government breach?

Dragomir accessed names, email addresses, dates of birth, and passport numbers from the Oregon Office of Emergency Management network. He used samples of this data to prove access legitimacy to potential buyers.


Huma Shazia

Senior AI & Tech Writer
