Catalin Dragomir a 45-year-old Romanian citizen and initial access broker who went by the online handle inthematrix1, pleaded guilty to one count of obtaining information from a protected computer and one count of aggravated identity theft.
His agreement notes that his guilty plea and conviction “make it practically inevitable and a virtual certainty that the defendant will be removed or deported from the United States.” (Sentencing is scheduled for May.)
Court documents from the Portland division of the U.S. District Court of Oregon show that in the summer of 2021, Dragomir sold credentials for a system operated by the Oregon Department of Emergency Management.
Dragomir advertised “admin access” to a network that included three servers and 50 computers connected to the state’s emergency management department, according to federal prosecutors.
He negotiated a $3,000 Bitcoin sale and provided a buyer with screenshots of a state employee’s personal information, including the employee’s name, date of birth, Social Security number and email address. The sale took place on June 16, 2021.
The sale of personal logins could allow unauthorized users to install ransomware or commit cyberattacks.
Erin Zysett, a spokesperson for that department, said the “incident highlights the ongoing need for strong cyber hygiene. While the incident involved one compromised computer, it underscores that threats can come from anywhere and are constantly evolving.”
She added that, since 2021, the department has implemented multifactor authentication, continuous network monitoring and mandatory cybersecurity training for all staff: “We encourage everyone to take proactive steps: use complex passwords, enable MFA, and keep software updated. Cybersecurity is a shared responsibility.”
Court documents show Dragomir received roughly $3,000 in bitcoin for the Oregon credentials, but he was initially charged with interstate money laundering for moving more: In two December 2021 transactions, he reportedly moved another $4,600 and $8,500 in Monero funds. And there’s likely much more than that. He was mainly active in the Exploit forum and RAMP forum.

A 2022 report hosted by Virus Bulletin, an English security publication and product testing group, called inthematrix1 “the most active initial access broker” operating at that time.(source: https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Script-kiddy-on-the-deep-and-dark-web-looks-serious-But-empty-suit.pdf)
A Medium post from the summer of 2021 chronicles some of inthematrix1’s activity, referring to him as the “hottest user selling access.” He was also known for selling personal information like driver’s license data and Social Security numbers, but a breakdown of his username’s listings on one Russian-language cybercrime auction house during that period indicates the sale of credentials associated with systems around the world, including in Hong Kong, India, Singapore, South Korea and the United Kingdom.
Dragomir’s forum history shows that upon registration, he designated himself as specializing in “carding,” stolen credit card data, but he soon moved on to sell more lucrative products. Flashpoint’s analysis showed he started posting more frequently in April 2021, and the following month he opened an auction for stolen credentials associated with a Dubai shipping agency with an alleged net worth approaching $5 billion.
Ian Gray, Flashpoint’s vice president of intelligence, said it can be difficult to accurately size up the black market, but that Dragomir was “probably a big fish or someone who was prominent” in 2021.
Gray said he views Dragomir’s case as part of a broader law enforcement effort “clamping down on all of the mechanisms of ransomware.” Operation Endgame, an ongoing international crackdown on large malware operations, was not named anywhere in court documents or the Department of Justice’s press materials, but Gray said the fact that Dragomir was targeted likewise represents a growing interest by law enforcement to “stop all these people that are part of this ecosystem.”
Dragomir agreed in the coming days to disclose and forfeit all assets — his plea agreement says the court “shall order restitution to each victim in the full amount.” According to the Department of Justice, Dragomir “sold access to the computer networks of numerous other victims” in the United States, causing losses of “at least $250,000.” Katherine A. Rykken, the assistant U.S. attorney prosecuting the case, declined to provide additional details, citing the ongoing case.
Editors note: An interesting thing I noticed in this was the fact that a security firm is thanked by law enforcement
Romanian National Pleads Guilty to Selling Access to Networks of Oregon State Government Office and Other U.S. Victims
https://www.justice.gov/opa/pr/romanian-national-pleads-guilty-selling-access-networks-oregon-state-government-office-and
“The Department of Justice also thanks Darkweb IQ for its assistance with the investigation.”
DarkWebIQ is a security firm which boasts of their operators being embedded directly into the ecosystem, “intercepting sales, validating offers, and “rerouting the outcome”. No noise. “No dashboards. Just real humans negotiating inside the economy of cybercrime. We don’t stop the attack after impact. We kill the deal before it becomes a breach.”
This leads me to believe security firms break laws that law enforcement cannot in a kind of grey area of the law. The 3000$ Bitcoin sale may have been what an undercover buyer asked to pay in which allowed the transaction to be tracked which led to this data broker being caught.