A Romanian national has been sentenced to prison in the United States after pleading guilty to hacking into an Oregon state government network and selling unauthorized access for cryptocurrency. The case highlights the persistent threat of international cybercriminals targeting critical government infrastructure and the ongoing efforts of US law enforcement to bring offenders to justice across borders.
The Crime and Sentencing
Catalin Dragomir, 45, was arrested in Romania in November 2024 and extradited to the United States in January 2025. He appeared before a federal court, where in February 2026 he pleaded guilty to one count of obtaining information from a protected computer and one count of aggravated identity theft. This week, a judge sentenced him to 4 years and 8 months in prison, crediting him for the two months he served in Romanian custody prior to extradition.
The charges stem from a June 2021 intrusion into the network of an Oregon state government office. Dragomir exploited vulnerabilities to gain unauthorized access and then sold that access to other malicious actors. According to the US Justice Department, he offered the Oregon network foothold for $3,000 in Bitcoin. Additionally, he admitted to selling access to at least ten other compromised networks across the United States, causing total losses exceeding $250,000.
Identity Theft and Computer Intrusion
The aggravated identity theft charge indicates that Dragomir used stolen personal identifying information during or in relation to the computer fraud. Such charges carry mandatory minimum consecutive sentences, adding to the severity of the penalty. Prosecutors described Dragomir as a “prolific” hacker, though he argued that he was merely an intermediary working for a more sophisticated cybercriminal mastermind. The court found the evidence sufficient to impose a substantial sentence.
Identity theft remains a cornerstone of many cybercrime operations, as stolen credentials enable attackers to move laterally within networks, escalate privileges, and maintain persistence. In this case, Dragomir’s activities likely involved harvesting login credentials from compromised systems and selling them on underground forums frequented by ransomware groups, data brokers, and nation-state actors.
International Extradition and Cooperation
The successful extradition of Dragomir underscores the strong cooperation between US and Romanian law enforcement agencies. Romania has become a notable hub for cybercriminal activity, with many individuals indicted in the United States for hacking, financial fraud, and identity theft. The country’s legal framework has evolved to allow efficient extradition, and Romanian authorities have demonstrated willingness to arrest and transfer suspects to face US charges.
Another recent case involves Gavril Sandu, a 53-year-old Romanian who was extradited to the United States for his role in a cybercrime scheme that occurred 17 years ago. Sandu is accused of participating in a conspiracy that defrauded US victims through phishing and malware campaigns. The long delay in bringing Sandu to justice illustrates the persistence of law enforcement and the challenges of prosecuting crimes that cross borders and span years.
These cases are part of a broader trend: Romanian hackers have been linked to some of the most damaging cyber operations, including ransomware attacks, credential theft, and business email compromise. The US Department of Justice has prioritized pursuing such individuals, often offering rewards for information leading to their arrest.
The Mechanics of Selling Network Access
Dragomir’s business model—breaking into networks and then selling that access—is a common activity in the criminal underground. Known as “initial access brokers,” these hackers specialize in penetrating organizations and then auctioning or directly selling the access to other criminals. The buyers may be ransomware gangs, state-sponsored groups, or data thieves who use the foothold to deploy malware, steal sensitive information, or launch further attacks.
The Oregon state network breach likely provided a gateway to other government systems, employee credentials, or citizen data. The sale price of $3,000 in Bitcoin is relatively low, suggesting that the access may have been considered to be of moderate value, perhaps because the network was not highly sensitive or because the buyer was expected to expand the breach. Nonetheless, the aggregate losses of over $250,000 reflect the downstream damage caused by multiple sales and subsequent intrusions.
Law enforcement agencies have increasingly targeted initial access brokers as a choke point in the cybercrime ecosystem. By disrupting the supply of compromised credentials and network access, they aim to reduce the overall volume of attacks. Operations such as the takedown of the Genesis Market and the disruption of the BreachForums platform have shown that focused efforts can force cybercriminals to change tactics.
Broader Implications for Cybersecurity
The case of Catalin Dragomir serves as a reminder that government networks remain attractive targets for adversaries seeking to undermine public trust and disrupt essential services. State and local governments often have limited cybersecurity budgets and may lack the advanced defenses found in federal agencies. This makes them vulnerable to sophisticated attackers who can identify and exploit weaknesses.
Organizations can learn from this incident by implementing multi-factor authentication, conducting regular vulnerability assessments, segmenting networks to limit lateral movement, and providing security awareness training to employees. However, even the best defenses can be circumvented if a motivated hacker finds a way in. The role of international cooperation in arresting and prosecuting offenders is therefore critical.
The United States has been active in extraditing cybercriminals from countries such as Romania, Ukraine, Russia, and Nigeria. However, extradition from countries without bilateral treaties or with adversarial relations remains a major challenge. In such cases, law enforcement relies on alternative methods, including sanctions, travel bans, and public naming of indicted individuals.
Identity theft, a core component of Dragomir’s crimes, continues to plague millions of Americans each year. The Federal Trade Commission reported over 1.1 million identity theft complaints in 2023, with government documents or benefits fraud being a significant category. Each breach that exposes personal information can lead to long-term consequences for victims, including financial loss, credit damage, and emotional distress.
Career of a Cybercriminal
While few details about Dragomir’s background have been publicly disclosed, his activities suggest a high level of technical skill and familiarity with underground markets. He likely began his criminal career by participating in carding forums or selling stolen credentials before graduating to network intrusions. The fact that he claimed to work for a more sophisticated hacker indicates that cybercrime has become a hierarchical enterprise, with managers controlling resources and directing operations.
Romania has produced numerous cybercriminals who have been extradited to the United States. For example, the notorious “Guccifer” (Marcel Lehel Lazar) was a Romanian hacker who infiltrated the email accounts of US officials and celebrities. More recently, members of the “Fin7” hacking group, which included Romanian citizens, were prosecuted for stealing millions of credit card numbers from US businesses. These cases highlight the importance of sustained prosecution as a deterrent.
As technology evolves, so too do the methods of hackers. Cloud infrastructure, Internet of Things devices, and artificial intelligence present new attack surfaces that savvy criminals are quick to exploit. Law enforcement agencies must continuously adapt, using advanced forensic tools and international partnerships to keep pace.
The sentence handed to Dragomir sends a clear message that selling access to US networks will result in severe punishment, even if the perpetrator resides abroad. It also demonstrates that the Department of Justice, along with agencies such as the FBI and Secret Service, is committed to pursuing cybercriminals no matter where they hide.
Source: SecurityWeek News