
Prominent access broker pleads guilty to ‘obtaining information’ from Oregon state government computer

Catalin Dragomir, who was once one of the dark web's most active initial access brokers, pleaded guilty to charges in Portland.

A Romanian national this month pleaded guilty to selling credentials for a network operated by the Oregon state government.

Catalin Dragomir, a 45-year-old Romanian citizen and initial access broker who went by the online handle inthematrix1, pleaded guilty to one count of obtaining information from a protected computer and one count of aggravated identity theft. The charges carry sentences as great as five and two years of consecutive prison time, respectively, but his agreement notes that his guilty plea and conviction “make it practically inevitable and a virtual certainty that [the] defendant will be removed or deported from the United States.” (Sentencing is scheduled for May.)

Court documents from the Portland division of the U.S. District Court of Oregon show that in the summer of 2021, Dragomir sold credentials for a system operated by the Oregon Department of Emergency Management. Erin Zysett, a spokesperson for that department, said the “incident highlights the ongoing need for strong cyber hygiene. While the incident involved one compromised computer, it underscores that threats can come from anywhere and are constantly evolving.” She added that, since 2021, the department has implemented multifactor authentication, continuous network monitoring and mandatory cybersecurity training for all staff: “We encourage everyone to take proactive steps: use complex passwords, enable MFA, and keep software updated. Cybersecurity is a shared responsibility.”

A spokesperson from Enterprise Information Services, the Oregon state government’s technology department, declined to provide additional information when asked whether any sensitive information had been compromised as a result of the incident.


As part of his guilty plea, Dragomir will not face penalties for three charges of money laundering, for allegedly moving cryptocurrency, received as payment, to a Kraken account hosted in the United States. Court documents show Dragomir received roughly $3,000 in Monero for the Oregon credentials, but he was initially charged with interstate money laundering for moving more: In two December 2021 transactions, he reportedly moved another $4,600 and $8,500 in Monero funds. And there’s likely much more than that. A 2022 report hosted by Virus Bulletin, an English security publication and product testing group, called inthematrix1 “the most active initial access broker” operating at that time.

A Medium post from the summer of 2021 chronicles some of inthematrix1’s activity, referring to him as the “hottest user selling access” and also personal information like driver’s license data and Social Security numbers. A breakdown of his username’s listings on one Russian-language cybercrime auction house during that period indicates the sale of credentials associated with systems around the world, including in Hong Kong, India, Singapore, South Korea and the United Kingdom.

A 2022 report by the cybersecurity research firm Flashpoint described inthematrix1 as a threat actor who “likely possesses hacking and coding knowledge,” though researchers said they were unable to discern precisely how he typically obtained the credentials he sold. The analysis showed that his username, an apparent reference to the science fiction film series starring Keanu Reeves, was accompanied on more than one website by an avatar of one of the Twins, the blonde-dreadlocked henchmen from the 2003 sequel.

Dragomir’s forum history shows that upon registration, he designated himself as specializing in “carding,” or trafficking in stolen credit card data, but he soon moved on to sell more lucrative products. Flashpoint’s analysis showed he started posting more frequently in April 2021, and the following month he opened an auction for stolen credentials associated with a Dubai shipping agency with an alleged net worth approaching $5 billion.

Ian Gray, Flashpoint’s vice president of intelligence, said it can be difficult to accurately size up the black market, but that Dragomir was “probably a big fish or someone who was prominent” in 2021. He said initial access brokers, which he likened to “independent contractors,” often tee up ransomware attacks led by outfits that, since 2019, have ballooned into more sophisticated organizations of hackers running data-extortion rackets. Gray said that because one of the forums Dragomir apparently posted on was RAMP, a popular marketplace used by ransomware groups (which the FBI seized last month), some of the credentials he sold may have enabled ransomware attacks known to have occurred around that time.


Gray said he views Dragomir’s case as part of a broader law enforcement effort “clamping down on all of the mechanisms of ransomware.” Operation Endgame, an ongoing international crackdown on large malware operations, was not named anywhere in court documents or the Department of Justice’s press materials, but Gray said the fact that Dragomir was targeted likewise represents a growing interest by law enforcement to “stop all these people that are part of this ecosystem.”

Dragomir agreed in the coming days to disclose and forfeit all assets — his plea agreement says the court “shall order restitution to each victim in the full amount.” According to the Department of Justice, Dragomir “sold access to the computer networks of numerous other victims” in the United States, causing losses of “at least $250,000.” Katherine A. Rykken, the assistant U.S. attorney prosecuting the case, declined to provide additional details, citing the ongoing case.
