Cyber Threat Actor: Catalin Dragomir
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | Romania | 1 incident |
Profile
Catalin Dragomir, a Romanian national, is a convicted cybercriminal whose activities centered on the unauthorized access and resale of compromised computer networks. His known operations targeted entities within the United States, with a confirmed focus on state government infrastructure, exemplified by the Oregon Emergency Management department. The strategic objective behind his actions was unequivocally financial; he systematically sought to monetize illicit access by advertising it for sale to other criminals. His modus operandi involved gaining persistent network access, then negotiating transactions, typically demanding payment in Bitcoin, such as the $3,000 sum from a prospective buyer for the Oregon network. To demonstrate the validity of his access and facilitate the sale, he provided samples of exfiltrated sensitive data, including employee login credentials, names, email addresses, and Social Security numbers. This pattern of targeting U.S. networks for direct financial profit through access-as-a-service was not isolated, as he also admitted to hacking and selling access to networks of ten other U.S. victims, causing collective losses exceeding $250,000. No public information suggests any affiliation with a state sponsor or a broader criminal consortium; his prosecution and guilty plea describe an individual actor operating for personal gain. The sectors he targeted, while including critical state emergency services, appear to have been chosen for their perceived value and potential access rather than any ideologically driven or espionage-focused campaign, as his actions were confined to theft and resale.
The most publicly documented operation attributed to Dragomir is the June 2021 compromise of the Oregon Emergency Management network. After obtaining administrative credentials, he advertised the network's access for sale, engaged in direct negotiation with a buyer, and repeatedly accessed the system to prove its continued vulnerability. His provision of a specific employee's full personal data, including their Social Security number, highlights a TTP theme of using tangible, high-value data samples as a credibility tool in criminal marketplaces. This incident, combined with his admissions regarding ten other U.S. victims, illustrates a repetitive campaign of network intrusion followed by immediate monetization through underground sales. The legal resolution of his case, including his extradition from Romania, guilty plea to charges of information theft and aggravated identity theft, and agreed restitution, provides a definitive attribution of these specific acts to him. The prosecution's narrative establishes a clear chain of activity from initial compromise through to the attempted sale, underscoring a financially motivated, transactional style of cybercrime reliant on the theft and brokering of access and data. No evidence was presented or is publicly available regarding the use of custom malware, specific exploitation frameworks, or any tools beyond what is implied by standard network intrusion and credential theft techniques. His case remains a clear example of a lone actor exploiting network vulnerabilities for direct financial profit through the cybercrime-as-a-service economy.
