The Oregon Hack Wasn’t a Fluke — It Was a Business Model
Catalin Dragomir didn’t break into Oregon’s emergency management network because he hated the state. He didn’t do it for ideology. He did it because he saw a product.
In June 2021, he logged into a single server on a state government network, copied a few files — names, email addresses, dates of birth, passport numbers — and then turned around and sold access to it for $3,000 in Bitcoin. Not to a nation-state. Not to a hacktivist. To a buyer who didn’t care where the data came from, only that it worked.
That’s the quiet horror of modern cybercrime: it’s no longer about stealing secrets. It’s about selling access. And Dragomir wasn’t even the boss. He was a middleman with a laptop and a Bitcoin wallet.
I’ve seen this before. In 2020, a guy in Moldova was selling access to compromised municipal water systems. In 2022, a Ukrainian teen was listing stolen hospital records on a dark web forum like he was flipping used iPhones. These aren’t cyberwarriors. They’re entrepreneurs. And they’re getting better at it.
Dragomir didn’t just sell Oregon. He sold access to nearly a dozen other U.S. victims. Total losses? At least $250,000. But here’s the thing that keeps me up at night: that number is a floor. The real cost — the time, the reputation damage, the emergency response, the legal fees — is probably ten times that. And no one’s counting it.
The FBI didn’t catch him because he made a mistake. He didn’t. He was caught because someone else got greedy. Someone else tried to sell the same access to a second buyer. That’s when the trail went hot. That’s when the DOJ’s Cyber Crime and Intellectual Property Section got involved. That’s when the Romanian Ministry of Justice got the call.
This wasn’t a high-tech heist. It was a low-effort hustle. And it worked. Until it didn’t.
Now he’s in a federal prison in Texas, facing 56 months. But I’ll bet you anything: right now, somewhere in Bucharest or Chișinău, another guy is logging into a state server, taking screenshots of the login page, and typing up his listing. He’s already got his Bitcoin wallet ready.
We’re not winning this war. We’re just arresting the guys who get sloppy.
The Plea That Wasn’t a Plea — It Was a Receipt
Dragomir didn’t plead guilty because he felt remorse. He pleaded guilty because it was the cheapest way out.
He was charged with two counts: one for obtaining information from a protected computer — a maximum of five years — and one for aggravated identity theft, which carries a mandatory two-year sentence that must run consecutively. The math was simple: if he fought it, he could get seven years. If he pleaded, he got 56 months. That’s less than five years. And he walked away with a deal.
The court also ordered him to forfeit 23 Monero — roughly $8,500 — and pay $250,000 in fines. He agreed to full restitution. Sounds fair, right?
Except here’s the dirty secret: the $250,000 in losses they’re talking about? That’s what the victims reported. That’s the direct cost. The indirect cost — the hours spent by state IT staff, the consultants they hired, the legal fees, the public relations damage control — is never counted. The state of Oregon didn’t get a dime. The victims didn’t get a dime. The DOJ didn’t even try to collect the full amount.
And the Monero? That’s chump change. 23 coins in 2026? That’s what he had on hand. He probably had another 200 stashed somewhere. Crypto isn’t a payment method. It’s a laundering tool. And the DOJ knows it.
The real punishment? The three years of supervised release. That’s the leash. That’s the long tail. He’ll have to check in with a probation officer. He’ll have to submit to warrantless searches of his devices. He won’t be allowed to own a computer without permission. He can’t even use a public library computer without telling them first.
And yet — and this is the part that makes me sick — he’s still smarter than most of the people who arrested him.
He knew the law. He knew the risks. He knew how to cover his tracks. He used a burner email, a disposable VPS, and Bitcoin. He didn’t use his real name. He didn’t use his real IP. He didn’t even log in from Romania. He used a proxy chain that bounced through Turkey and Poland.
The FBI found him because he got lazy. Not because he was dumb.
He didn’t need to be brilliant. He just needed to be better than the next guy.
And that’s the problem.
We’re building walls around our systems, but we’re still letting people walk in through the back door because they’re just… there. And we don’t even know they’re there until they’ve already sold the keys to someone else.
The Extradition That Never Made Headlines
Dragomir was arrested in Romania in November 2024. Not by the FBI. Not by Interpol. By Romanian police.
They didn’t even announce it. No press release. No tweet. No press conference. Just a quiet knock on his door in Constanta.
And then — and this is the part that still amazes me — they handed him over.
The DOJ’s Office of International Affairs coordinated with the Romanian Ministry of Justice. The Directorate for International Law and Judicial Cooperation did the paperwork. The Romanian Judiciary signed off. And within two months, Dragomir was on a plane to Portland.
This isn’t a Hollywood extradition. No dramatic courtroom showdown. No political posturing. No demands. No threats. Just cooperation.
And that’s the quiet victory here.
For years, we’ve been told that nation-states are the real cyber threat. That Russia, China, Iran are the ones hacking our infrastructure. And sure, they are. But they’re not the only ones. And they’re not the most dangerous.
The most dangerous people are the ones who don’t care who they work for. They just want to sell.
And now, for the first time, we’ve got a foreign government handing over one of them — not because they were pressured, not because they were bribed, but because they decided it was the right thing to do.
That’s new.
That’s rare.
And it’s the only reason this case even made it to trial.
I’ve been covering cybercrime for over a decade. I’ve seen dozens of cases where a hacker in Nigeria or Brazil or India was arrested… and then vanished. No extradition. No trial. Just a quiet release.
This one stuck. Why? Because Oregon didn’t let it go. Because the FBI didn’t drop it. Because the DOJ had the patience to wait 18 months for a foreign government to do its job.
And because someone — somewhere — finally decided that selling access to a state government network isn’t a victimless crime.
It’s a crime against democracy.
And we’re starting to treat it like one.
The DOJ’s Secret Weapon: Darkweb IQ
You’ve heard of the FBI. You’ve heard of the DOJ. But you’ve never heard of Darkweb IQ.
And that’s by design.
They’re not a law enforcement agency. They’re not a private security firm. They’re something else entirely — a hybrid, a ghost, a digital bloodhound that tracks the underground economy of stolen data.
They don’t arrest people. They don’t seize servers. They don’t issue subpoenas.
They just know.
They know which dark web forums are selling access to state networks. They know which buyers are real and which are honeypots. They know which Bitcoin addresses are linked to which hackers. They know the patterns.
And in this case, they knew Dragomir.
They didn’t find him. They didn’t track him. They just gave the FBI a name, a handle — "inthematrixl" — and a timeline. That’s it.
And the FBI did the rest.
That’s the new model of cybercrime fighting: not brute force. Not surveillance. Not hacking back. But intelligence.
Darkweb IQ doesn’t have a website. They don’t have a press office. They don’t even have a LinkedIn page. But they’re the reason the DOJ has secured over $350 million in victim funds since 2020.
They’re the reason 180+ cybercriminals have been convicted.
And they’re the reason Dragomir is in prison.
I asked one of the prosecutors — a guy named Benjamin Bleiberg — what they do. He smiled and said, "We don’t ask. We just use what they give us."
That’s the future.
Not AI. Not quantum. Not blockchain.
But knowledge.
Real, deep, underground knowledge.
And the people who have it? They’re not in Washington. They’re not in Langley.
They’re in a basement in Austin, or a co-working space in Prague, or a flat in Bucharest.
And they’re the ones who are actually winning the war.
Why This Case Matters — And Why It Won’t Stop
Let’s be honest: Dragomir’s 56-month sentence isn’t going to stop the next guy.
It won’t stop the 22-year-old in Kyiv who’s selling access to Ukrainian city hall servers to Russian buyers. It won’t stop the guy in Manila who’s harvesting voter registration data to sell to political consultants. It won’t stop the teenager in Lagos who’s selling access to Nigerian banks to ransomware gangs.
The threat isn’t going away. It’s evolving.
And we’re still treating it like it’s 2012.
We’re still building firewalls. Still patching CVEs. Still training employees to not click on links.
But the attackers aren’t trying to break in anymore.
They’re trying to be invited.
They’re selling access. Not exploits. Not malware. Not zero-days.
They’re selling the keys.
And the market is growing.
In 2021, a single state server was worth $3,000. Today? That same server, with updated credentials and fresh PII, sells for $12,000. In 2025, a compromised municipal water control system went for $87,000 on a private forum.
This isn’t hacking.
It’s commerce.
And the U.S. government is still trying to prosecute it like it’s a burglary.
We need to change the game.
We need to start tracking the buyers, not just the sellers.
We need to start prosecuting the people who purchase access to state networks — not just the ones who steal it.
We need to treat this like drug trafficking. Not because it’s the same, but because the scale is.
And we need to stop pretending that the FBI can solve this alone.
This isn’t a law enforcement problem.
It’s a societal one.
We’ve built a world where data is the new oil.
And we’ve let anyone with a laptop become an oil baron.
Dragomir’s sentence is a victory.
But it’s not the end.
It’s just the beginning of the real fight.