A Romanian national has been sentenced to prison in the United States after he admitted to selling access to an Oregon state network. The hacker, identified as 45-year-old Catalin Dragomir, was arrested in Romania in November 2024 and extradited to the United States in January 2025. He pleaded guilty to one count of obtaining information from a protected computer and one count of aggravated identity theft in February 2025. This week, he was sentenced to 4 years and 8 months in prison, with the judge crediting the two months Dragomir spent in Romanian jail before extradition.
According to the US Department of Justice, Dragomir hacked into the network of an Oregon state government office in June 2021. He then sold access to this and other compromised networks across the United States, ultimately causing losses exceeding $250,000. The Oregonian reported that Dragomir sold access to the Oregon network for $3,000 in Bitcoin, a relatively modest sum for access to a government network that could have been used for further intrusions, data theft, or ransomware attacks. Dragomir admitted to selling information obtained from at least 10 other organizations, and prosecutors described him as “prolific” in his activities. However, Dragomir claimed he had worked for another hacker rather than being the scheme's mastermind, suggesting a hierarchical structure within the cybercriminal ecosystem.
Background of the Hacker and the Operation
Catalin Dragomir’s case is a reminder of the persistent threat posed by international cybercriminals who specialize in compromising networks and selling access to other malicious actors. This business model, often referred to as “initial access brokers,” has become a cornerstone of the modern cybercrime supply chain. These brokers infiltrate organizations – often through phishing, exploiting unpatched vulnerabilities, or using stolen credentials – and then auction or sell that access on underground forums. The buyers are typically ransomware groups, state-sponsored hackers, or other criminal entities who use the foothold to deploy malware, steal data, or disrupt operations.
Dragomir’s activities between June 2021 and his arrest spanned multiple industries, targeting both private companies and government agencies. The Oregon state network breach likely gave him credibility in the underground market, enabling him to attract buyers willing to pay significant sums. While the $3,000 Bitcoin payment for the Oregon access seems small, it reflects the volume of such transactions – even low-cost access can lead to massive downstream damage. The cumulative losses of $250,000 cited by prosecutors may only represent direct financial damages; indirect costs such as system remediation, legal fees, and reputational harm often dwarf these numbers.
Identity theft is a severe component of this case. The aggravated identity theft charge typically involves using another person’s identification without authorization to commit a felony. This suggests Dragomir may have used stolen identities to facilitate his intrusions or to launder proceeds. The charge carries a mandatory minimum sentence of two years, which likely contributed to the overall sentence.
International Cooperation and Legal Proceedings
The extradition of Dragomir from Romania demonstrates the increasing cooperation between US law enforcement and international authorities. The US Department of Justice has been aggressively pursuing cybercriminals abroad, often through mutual legal assistance treaties and close ties with European law enforcement agencies like Europol. Dragomir was arrested just months after the breach came to light, indicating efficient intelligence sharing. His guilty plea in February 2025 avoided a lengthy trial, but the sentencing phase allowed the court to consider the severity of his crimes and his role in the broader cybercrime ecosystem.
Prosecutors argued that Dragomir was not a low-level figure but a “prolific” broker who facilitated numerous attacks. However, his claim that he was merely a subordinate to another hacker raises questions about the true scale of the network he operated in. This is a common defense in cybercrime cases, as many defendants try to downplay their responsibility by pointing to ringleaders who are often based in countries with weak extradition treaties.
Dragomir’s case is not isolated. Another Romanian national, 53-year-old Gavril Sandu, was recently extradited to the United States for his role in a cybercrime scheme dating back 17 years. Sandu’s extradition underscores the long memory of law enforcement and their willingness to pursue cases even after significant periods of time. Such cases serve as a deterrent, showing that cybercriminals cannot simply wait out the statute of limitations by hiding abroad.
Broader Implications for Cybersecurity
The sentencing of Dragomir is part of a broader crackdown on cybercriminals who target critical infrastructure. In recent months, several other hackers have received prison sentences in the US for similar offenses. For instance, a negotiator for the Karakurt ransomware group was sentenced to prison, as were two US security experts who helped a ransomware gang, a hacker involved in DraftKings credential stuffing attacks, and a Dutch port hacker. These cases highlight the variety of cyber threats – from ransomware to identity theft to network intrusions – and the determination of US authorities to seek justice globally.
Organizations continue to struggle with preventing initial access breaches. Simple measures like multi-factor authentication (MFA), regular patching, employee training, and network segmentation can reduce the risk of an initial compromise. However, many government agencies and small businesses still lack these fundamentals. The Oregon state network breach likely occurred due to a vulnerability or a credential theft that could have been prevented with stronger security controls. The aftermath includes not only the direct costs but also the need for additional investment in cybersecurity, which can strain state budgets.
The use of Bitcoin for payment in this case is typical of cybercriminal transactions. Cryptocurrencies offer pseudonymity, making it difficult for law enforcement to trace money flows. However, blockchain analysis has advanced significantly, and agencies like the IRS and FBI now routinely track Bitcoin transactions through public ledgers. This capability may have contributed to the identification and arrest of Dragomir.
Identity Theft and Its Consequences
Aggravated identity theft, one of the charges Dragomir pleaded guilty to, carries a mandatory minimum sentence of two years in federal prison. Identity theft can have devastating effects on victims, ranging from financial loss to emotional distress. In cybercrime contexts, stolen identities are often used to create fake accounts, apply for loans, or even perpetrate further fraud. The extradition and conviction of Dragomir send a clear message that using stolen identities to facilitate network intrusions will not be tolerated.
Victims of identity theft spend months or years repairing their credit and clearing their names. In Dragomir’s case, the victims likely include individuals whose credentials were used to access the Oregon network, as well as organizations that purchased access from him. The full extent of the harm may never be quantified, but the court’s decision to impose a substantial sentence reflects the seriousness of the offense.
The Romanian hacker’s claim of being a pawn in a larger operation raises questions about the hierarchy of cybercriminal enterprises. Many large-scale hacking groups operate with a division of labor, where some members specialize in initial access, others in exploitation, and others in monetization. Dragomir’s role as an access broker placed him in the upper-middle tier of this ecosystem. Even if he was not the mastermind, his actions directly enabled ransomware attacks and data breaches that likely caused millions of dollars in damages.
Law enforcement agencies continue to dismantle these networks by targeting key individuals like Dragomir. In addition to extradition, they use undercover operations, informants, and technical surveillance to identify and apprehend suspects. The successful prosecution of Dragomir is a testament to these efforts, but it also highlights the ongoing challenge of cybercrime, which often originates from countries with limited law enforcement capacity or political will to cooperate.
The Oregon state government has likely implemented significant security upgrades since the breach. Such incidents often serve as wake-up calls for public sector organizations, which are frequent targets due to their large amounts of sensitive data and sometimes limited budgets. The hacking of the Oregon network illustrates the vulnerability of state and local governments, which often lack the sophisticated cybersecurity teams that federal agencies possess.
As international cooperation improves, more cybercriminals like Dragomir will face justice. However, the demand for network access remains high, and new brokers will inevitably emerge. The only long-term solution is for organizations to harden their defenses, adopt zero-trust architectures, and invest in threat detection. Meanwhile, citizens should be aware that their personal information can be used to fuel these attacks, and they should take steps to protect their own digital identities.
The sentence of 4 years and 8 months may seem short given the potential damage, but it is within the typical range for such offenses. The court also considered the time Dragomir served in Romania, reducing the overall US prison term. He may be eligible for early release for good behavior, but his conviction will have lasting consequences, including a permanent criminal record in the United States and likely a ban on reentry after deportation. For a Romanian national, this is a severe penalty that will hinder his future prospects.
In the meantime, the case of Gavril Sandu shows that old crimes can catch up with offenders. Sandu’s extradition for a scheme from 2007 demonstrates that the US will pursue cybercriminals regardless of how much time has passed. This should serve as a deterrent to those who think they can hide in plain sight.
Cybersecurity experts often say that the best way to prevent such breaches is to assume that a network is already compromised and to design defenses accordingly. The Dragomir case is a textbook example of why this mindset is necessary. By selling access to the Oregon network, Dragomir enabled potential attackers to bypass external defenses entirely. Organizations must therefore focus on internal segmentation, threat hunting, and rapid incident response.
Finally, the broader cybercrime landscape continues to evolve. The availability of initial access brokers like Dragomir has made it easier for even low-skilled hackers to launch sophisticated attacks. This market-driven approach to cybercrime is a major challenge for law enforcement, as it separates the technical aspects of an attack from the financial ones. Prosecuting brokers like Dragomir disrupts the supply chain, but it is only one piece of the puzzle. Combating cybercrime will require ongoing cooperation between public and private sectors, as well as public education to reduce the viability of phishing and credential theft.
Source: SecurityWeek News