Hungarian real estate firm Otthon Centrum has been hit by a ransomware attack attributed to the Qilin cybercrime group, disrupting operations and raising concerns about potential exposure of internal business systems and client data. The incident lands alongside a separate U.S. case in which Romanian national Catalin Dragomir was sentenced to 56 months in federal prison for breaching Oregon government systems, together underscoring an accelerating wave of cybercrime against both private and public sector targets.
What Happened
Otthon Centrum, one of Hungary's most recognizable real estate brokerages, was added to the Qilin ransomware group's victim roster following a confirmed intrusion that affected its internal systems. The attack caused operational disruption across the firm's services, with Qilin operators following the cartel's standard playbook of encryption coupled with data-theft extortion. Full technical details of the breach have not been publicly disclosed, but Qilin's leak site activity signals that exfiltrated data is being staged as leverage against the victim.
In parallel, the U.S. District Court sentenced Catalin Dragomir to 56 months in prison after he was found guilty of unlawfully accessing systems belonging to the Oregon Office of Emergency Management. Dragomir stole sensitive credentials and resold them through online criminal marketplaces, fueling downstream intrusions before law enforcement traced the activity back to him.
What Was Taken
In the Otthon Centrum incident, Qilin's tradecraft suggests attackers exfiltrated a mix of corporate and customer records prior to encryption. Likely categories include internal business documentation, employee data, client contact and identity records tied to property transactions, financial files, and sensitive contractual paperwork. The full volume of stolen data has not been confirmed, and Qilin has not yet published a dump tranche.
In the Oregon case, Dragomir specifically targeted credentials belonging to the Office of Emergency Management. These access tokens were monetized through illicit forums, exposing government-tier identity material to any buyer willing to pay.
Why It Matters
The dual incidents illustrate how ransomware syndicates and individual credential brokers operate as complementary halves of the same threat ecosystem. Qilin continues to evolve into one of the most aggressive ransomware-as-a-service operations of 2026, frequently targeting professional services firms that hold concentrated personal and financial data on customers. Real estate firms are particularly attractive: they aggregate identity documents, payment information, and high-value transaction data, making them prime extortion targets.
The Dragomir sentencing, meanwhile, reinforces that initial access brokering, often the first link in the ransomware kill chain, carries growing prosecutorial weight. Even so, prosecutions lag the volume of activity, and stolen credentials remain a primary entry vector for groups like Qilin.
The Attack Technique
While specifics of the Otthon Centrum intrusion remain undisclosed, Qilin affiliates typically gain initial access through phishing campaigns, exploitation of exposed remote services such as VPN and RDP, abuse of valid credentials purchased from initial access brokers, and known vulnerabilities in edge appliances. Once inside, affiliates move laterally using legitimate administrative tooling, disable endpoint protection, exfiltrate data to attacker-controlled infrastructure, and detonate the Qilin payload across Windows and ESXi environments.
The Dragomir case demonstrates how the credential supply pipeline functions in practice: stolen government access was sold openly, enabling other actors to bypass perimeter defenses entirely.
What Organizations Should Do
- Hunt for Qilin indicators: Review threat intelligence feeds for the latest Qilin hashes, infrastructure, and TTPs, and run retroactive searches across EDR and SIEM telemetry.
- Harden identity perimeters: Enforce phishing-resistant MFA on all remote access, VPN, and administrative accounts, and rotate credentials suspected of exposure on criminal marketplaces.
- Patch edge infrastructure: Prioritize updates for VPN concentrators, firewalls, and remote management appliances that are routinely targeted by ransomware affiliates.
- Segment and protect backups: Maintain offline, immutable backups and validate restoration workflows, since Qilin specifically hunts and destroys recovery infrastructure.
- Monitor for data staging: Alert on unusual outbound transfers, large archive creation, and use of tools such as Rclone, MEGAcmd, and WinSCP often associated with exfiltration.
- Tabletop the extortion scenario: Rehearse executive, legal, and communications response to a double-extortion event so decision-making is not improvised under duress.
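
The data-staging check from the list above, sketched as an added example that is not part of the original article: it flags Rclone, MEGAcmd and WinSCP in process-creation events by image name or command-line shape, and raises severity when the same host built an archive shortly before. The event tuples, host names, regex patterns and the 60-minute window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tools named in the list above: (image-name pattern, command-line pattern).
# The command-line pattern still fires when the binary has been renamed.
# Patterns and the window are assumptions for this example; tune them locally.
TRANSFER = {
    "rclone": (r"^rclone(\.exe)?$", r"\b(copy|sync|move)\b.*\s[\w-]{2,}:"),
    "megacmd": (r"^mega(client|cmdshell|cmdserver)\.exe$", r"\bmega-(put|login)\b"),
    "winscp": (r"^winscp\.(exe|com)$", r"/(script|command)\b"),
}
ARCHIVER = re.compile(r"^(7z|7za|rar|winrar)\.exe$", re.I)
WINDOW = timedelta(minutes=60)


def classify(image, cmdline):
    """Return a transfer-tool name, 'archive', or None for one process event."""
    name = PureWindowsPath(image).name
    if ARCHIVER.match(name) and re.search(r"\sa\s", cmdline):
        return "archive"
    for tool, (img_pat, cmd_pat) in TRANSFER.items():
        if re.search(img_pat, name, re.I) or re.search(cmd_pat, cmdline, re.I):
            return tool
    return None


def detect(events):
    """Return (severity, host, tool) alerts; 'high' if the host built an
    archive within WINDOW before the transfer tool ran."""
    last_archive, alerts = {}, []
    for when, host, image, cmdline in sorted(events):
        kind = classify(image, cmdline)
        if kind == "archive":
            last_archive[host] = when
        elif kind:
            recent = host in last_archive and when - last_archive[host] <= WINDOW
            alerts.append(("high" if recent else "medium", host, kind))
    return alerts


T0 = datetime(2026, 1, 1, 2, 0)  # constructed sample events, not real telemetry
SAMPLE = [
    (T0, "FS01", r"C:\Tools\7z.exe", r"7z.exe a D:\stage\fin.7z D:\Finance"),
    (T0 + timedelta(minutes=9), "FS01", r"C:\Users\Public\svchost.exe",
     r"svchost.exe copy D:\stage\fin.7z remote01:bucket --transfers 16"),
    (T0 + timedelta(minutes=20), "WS07", r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "WinSCP.exe"),
    (T0 + timedelta(minutes=30), "WS07", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c copy C:\a.txt C:\b.txt"),
]
print(detect(SAMPLE))
```

In production the same logic belongs in the EDR or SIEM rule language, fed by process-creation telemetry, with the patterns adjusted to how these tools are legitimately used in the environment.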