BIP ATL News & Media Platform


Romanian Hacker Sentenced to Prison in US for Selling Access to State Network

May 28, 2026  Twila Rosenbaum

A Romanian national has been sentenced to 4 years and 8 months in a US federal prison for selling unauthorized access to an Oregon state government network. The case highlights the persistent threat of international cybercriminals targeting public sector infrastructure and the growing coordination between US and European law enforcement agencies.

The Defendant and His Crimes

Catalin Dragomir, 45, was arrested in Romania in November 2024 and extradited to the United States in January 2025. He pleaded guilty to one count of obtaining information from a protected computer and one count of aggravated identity theft in February 2025. The sentencing took place this week in a US district court, with the judge crediting the two months Dragomir spent in Romanian custody before his extradition.

According to the US Justice Department, Dragomir infiltrated the network of an Oregon state government office in June 2021. He then sold access to this compromised network—along with access to other breached US systems—for payment in Bitcoin. The total losses attributed to his activities exceeded $250,000. The Oregonian reported that the specific access to the Oregon network was sold for $3,000 in Bitcoin.

Dragomir admitted to selling information obtained from at least 10 other organizations. Prosecutors described him as a “prolific” hacker, though he claimed he was an employee of another cybercriminal rather than the mastermind of the scheme. This assertion has not been corroborated by authorities, and it remains unclear whether further arrests are anticipated.

Background: Romanian Cybercrime Networks

Romania has long been a notable hub for cybercrime, with a number of high-profile hackers originating from the country. The nation’s strong technical education system and relatively low cost of living have sometimes been exploited by criminal enterprises seeking skilled programmers and social engineers. Dragomir’s case fits a pattern of Romanian nationals who target government, financial, and healthcare systems in the United States and Western Europe.

In a related but separate case, another Romanian national, 53-year-old Gavril Sandu, was recently extradited to the United States for his role in a cybercrime scheme that took place 17 years ago. Sandu’s case underscores the long arm of US law enforcement and the willingness of Romanian authorities to cooperate in extraditions. The extradition treaties and mutual legal assistance agreements between the two countries have been instrumental in bringing suspects like Dragomir to justice.

Modus Operandi: How Dragomir Operated

While the Justice Department has not released full technical details of Dragomir’s methods, typical approaches in such cases involve brute-forcing weak passwords, exploiting unpatched vulnerabilities in web applications, or using phishing campaigns to steal credentials. Once inside the Oregon network, Dragomir likely established persistence through backdoors or remote access tools, allowing him to maintain access and resell it to other criminals or state-sponsored actors.

The sale of network access is a thriving underground economy. Dark web marketplaces and encrypted messaging apps enable hackers to advertise “access” to compromised systems—often with screenshots as proof—for prices ranging from hundreds to tens of thousands of dollars depending on the target’s sensitivity. The Oregon network, as a state government system, likely contained personally identifiable information (PII) of citizens, employee records, and perhaps even law enforcement or financial data.

Dragomir’s ability to compromise at least 10 other organizations suggests he had a systematic methodology. He may have used automated scanning tools to identify vulnerable systems, then leveraged initial access to pivot laterally within those networks. The $250,000 loss figure likely includes costs of incident response, forensic investigation, system restoration, and credit monitoring for affected individuals.

Legal Proceedings and Sentencing

Dragomir was charged in the US while still in Romania, and an international arrest warrant was issued. Romanian police, working with the FBI, apprehended him in November 2024. He was then extradited after a brief legal challenge. In court, he entered a guilty plea under a plea agreement that likely reduced his potential sentence. The maximum penalty for obtaining information from a protected computer is 5 years, and aggravated identity theft carries a mandatory 2-year consecutive sentence. The final sentence of 4 years and 8 months—56 months—reflects both the seriousness of the crimes and the cooperation of the defendant.

During sentencing, the judge acknowledged the time already served in Romania. The prosecution emphasized the significant financial harm and the breach of public trust inherent in hacking a government network. The defense argued that Dragomir was not a primary beneficiary of the scheme and had limited resources. Ultimately, the court imposed a sentence that balances deterrence with the specific circumstances of the case.

In addition to imprisonment, Dragomir will likely face supervised release and may be ordered to pay restitution. The exact terms of his post-prison supervision were not detailed in initial reports.

Broader Implications for Cybersecurity

The Dragomir case serves as a stark reminder that state and local government networks remain vulnerable to cyberattacks. Many such entities operate with limited cybersecurity budgets, outdated software, and insufficient training for employees. The Oregon network breach underscores the need for continuous vulnerability assessments, multi-factor authentication, and robust network segmentation to limit the damage of a successful intrusion.

Federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) have repeatedly advised state and local governments to adopt best practices, including use of CISA's Known Exploited Vulnerabilities Catalog. The case also highlights the importance of international cooperation. The extradition of Dragomir from Romania demonstrates that cybercriminals cannot easily hide behind borders.

Furthermore, the sale of network access is a key enabler of ransomware attacks, data breaches, and espionage. By selling access to the Oregon network, Dragomir potentially allowed other malicious actors to conduct further attacks. This symbiotic relationship between initial access brokers and downstream attackers is a growing concern. Law enforcement agencies worldwide are increasingly targeting these brokers as a way to disrupt the cybercrime ecosystem.

For organizations, the lesson is clear: protecting the perimeter is no longer sufficient. Internal monitoring, user behavior analytics, and incident response plans are essential. The Oregon government likely incurred significant costs beyond the reported $250,000, including potential ransom demands or extortion attempts if attackers leveraged the access for a ransomware deployment. Fortunately, in this case, there is no public indication that ransomware was deployed.

Related Cases and Trends

Dragomir’s sentencing follows a series of high-profile cybercrime convictions in the United States. In recent months, a Karakurt ransomware negotiator was sentenced to prison, two US security experts were sentenced for helping a ransomware gang, a DraftKings hacker was sentenced, and a Dutch port hacker was also imprisoned. These cases show that law enforcement is aggressively pursuing cybercriminals at all levels of the criminal hierarchy.

The Romanian connection also appears in other notable cases. For example, in 2018, Romanian hacker Octavian Pandaru was extradited to the US for stealing trade secrets from a US company. In 2020, a Romanian national was sentenced for a ransomware attack targeting a US hospital. The repeated involvement of Romanian nationals in US cybercrime cases suggests a need for awareness and prevention efforts within Romania itself, including education and economic opportunities to deter young people from turning to cybercrime.

The US Department of Justice has also emphasized the importance of reporting cyber incidents. Victims are encouraged to contact the nearest FBI field office or submit a complaint to IC3. The Dragomir case might have been identified through proactive monitoring or a tip from a victim organization. The coordinated response by Romanian and US authorities serves as a model for future international cybercrime investigations.

In summary, the sentencing of Catalin Dragomir marks the end of a long investigation but also highlights the ongoing challenges in securing government networks against determined adversaries. The 4 years and 8 months he will serve in a US prison sends a message that selling access to US government systems carries severe consequences. However, the underground market for network access continues to thrive, and many similar hackers remain at large. Organizations must remain vigilant, and international law enforcement partnerships must continue to strengthen to stem the tide of cybercrime.


Source: SecurityWeek News

