Cyber Incident Victim: Oregon State Emergency Management Department
Date:
Jun 2021
Location:
United States of America
Summary
A Romanian hacker obtained access to the network of Oregon's emergency management department, advertised admin access for sale, negotiated a $3,000 Bitcoin payment, and accessed the network multiple times to demonstrate its legitimacy. He provided a prospective buyer with samples of personal data, including an employee's login credentials, name, email address, and Social Security number. He also hacked into and sold access to networks of ten other US victims, causing over $250,000 in losses. After being arrested in Romania and extradited to the US, he pleaded guilty to information theft and aggravated identity theft, agreed to pay full restitution, and faces up to seven years in prison, a fine of up to $250,000, and one year of supervised release.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 0 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In June 2021, Romanian national Catalin Dragomir illicitly obtained access to the computer network of an Oregon state government office, specifically targeting the state’s emergency management department. Following this initial compromise, Dragomir advertised his administrative access to the network for sale, ultimately negotiating a transaction valued at $3,000 to be paid in Bitcoin. To demonstrate the validity of his unauthorized access to a prospective buyer, he repeatedly entered the compromised network on multiple occasions. During these proof-of-concept accesses, he extracted and provided samples of sensitive personal data, which included an employee’s login credentials, full name, email address, and Social Security number. This act of data exfiltration was a core component of his sales pitch, directly violating the privacy of state employees. The incident was not isolated, as court documents later revealed Dragomir’s involvement in hacking and selling access to the networks of ten other victims within the United States. The financial impact of his criminal campaign, including the Oregon breach, was quantified in court filings as causing at least $250,000 in losses to the affected entities.
The legal response to the intrusion began with Dragomir’s arrest in Romania in November 2024, culminating in his extradition to the United States in January 2025. In May 2024, prior to his extradition, a U.S. grand jury had indicted him on five counts of obtaining information from a protected computer, along with charges of aggravated identity theft and money laundering. By February 2026, Dragomir entered a guilty plea in a U.S. court, admitting specifically to information theft and aggravated identity theft related to the Oregon network and other victims. As part of his plea agreement, he consented to pay full restitution to all individuals and organizations harmed by his actions. The scheduled sentencing for May 26, 2026, carries a potential penalty of up to seven years in federal prison, comprising a five-year term for the information theft charge and a mandatory consecutive two-year sentence for the aggravated identity theft conviction. Additionally, he faces a maximum fine of $250,000 and a period of one year of supervised release following any incarceration. The U.S. Department of Justice publicly announced the guilty plea, framing it as a resolution to a case that involved the trafficking of unauthorized access to a critical state government system.