On April 27, 2026, VECERT — a threat intelligence company and one of ON3X's primary sources of information in the cybersecurity field — published what can be considered the clearest picture of the current state of Brazilian cybersecurity. In a single thread on X (formerly Twitter), accompanied by two detailed dashboards, the team consolidated the first four months of the year into numbers. The picture: 32 active threat actors, 214+ compromised Brazilian organizations, 41 leaks or databases published, 29.8 TB of sensitive data leaked in 90 days. Plus: 1,752 Brazilian corporate SMTP accounts for sale in parallel markets, and 3,528 high-profile credentials circulating in cybercrime forums since 2023.

Anatomy of Brazilian Threat Actors — dashboard published by VECERT on April 27, 2026, consolidating 90 days of activity.
These numbers carry weight because they close a narrative that had been appearing in installments. In the Digital April Blackout piece we published earlier this week, we mapped five events in eight days: VECERT's alert about an IDOR exposing 2 million records, MORGUE with 251 million allegedly compromised CPFs, NormalLeVrai and the federal government's email system, and m0z1ll4s against Mariana Pimentel and PSB-RS. It looked like a spike, or at most a wave. The dashboard published now shows it was neither. It was a sample of something much larger, underway for months and on an exponential curve.
Brazil has entered a structural digital siege. It is no longer a series of isolated headlines. It is the operating reality.
The numbers of the siege, on one page
The "Anatomy of Brazilian Threat Actors" dashboard, published by VECERT, aggregates three months of continuous monitoring of cybercrime forums, dark web and private Telegram channels that trade Brazilian data. The anchor metrics:
- 58 posts analyzed in forums over the past 90 days with Brazilian material for sale or already leaked.
- 32 active threat actors with at least one confirmed incident against a Brazilian target in the period.
- 214+ Brazilian entities compromised — companies, city halls, federal agencies, hospitals, banks.
- 41 databases or distinct leaks published.
- 29.8 TB of data leaked accumulated.
- Month-over-month growth in volume: ~5 TB in March, ~10 TB in April, with a projection of ~15 TB for May.
The most important qualitative point is the cadence. In March 2026 the average was roughly one leak post per day involving Brazil. In the second half of April that number jumped to three or four serious incidents per day, with .gov.br portals as the preferred targets. This curve, not the isolated totals, is the signal that the environment has shifted from episodic peaks to sustained attack at industrial scale.
The 5 main actors — who's who
The dashboard names and ranks the most active actors in the period. The top five merit quick profiles, because they'll appear in headlines in the coming months:
- wh6ami — 7 incidents, all against government infrastructure. It's the most active actor of the quarter. Focus on small and medium-sized city halls (City Council of Cacique Doble, Municipality of Porto Estrela, City Council of Barra do Bugres). Pattern: targets with low security maturity and high density of personal data.
- ByteToBreach — 3 incidents. Specializes in bulk data extraction. Unlike wh6ami, it goes after larger corporate targets, with significantly higher volume per incident.
- Spirigatito — 3 incidents, government focus (the Municipality of Caieiras is a recent case). Target pattern similar to wh6ami, but with lower cadence and a larger haul per incident.
- m0z1ll4s — 2 incidents, focused on banking and telecom. This actor already appeared in our coverage of the Mariana Pimentel/PSB-RS case. On April 26 it was also credited with the breach of ri.oi.com.br (Oi Telecom), and on April 25 with the joint .rs.gov.br + psbrs.org.br leak.
- Buddha — 2 incidents, but of disproportionate magnitude. This is the actor credited with MORGUE (251 million CPFs supposedly linked to Gov.br) and with the republication, on April 9, of the Serasa 2022 dump (223 million Brazilian citizens, 1.8 TB). When Buddha appears, it is national scale.
Other names with meaningful volume: dosifey, breach3d, Solonik, xorcat, NormalLeVrai (credited with access to the federal government's email system, as already covered), pstipwner, RubiconH4ck (credited with the Brazilian banking database of 2.3 million records published on April 26) and CDF (credited with a critical IDOR vulnerability in an unnamed Brazilian company).
This is an organized fleet, not amateurs.
The 3 vectors that dominate
VECERT's methodological analysis identifies three predominant vectors in the 2026 incidents. This is valuable information, because each one requires a different defense:
1. Infostealer Log Abuse
The 1,752 Brazilian corporate SMTP accounts for sale in parallel markets are not accidents. They are the direct product of infostealers such as RedLine and Lumma Stealer infecting personal and corporate machines and exfiltrating "logs": bundles containing active sessions, cookies, OAuth tokens and credentials saved in the browser. These logs are sold in specialized marketplaces, and the buyer walks into the victim's environment without ever triggering MFA, because the session cookie being replayed was already authenticated.
It is exactly the attack pattern we described in our analysis of the Vercel hack via Lumma Stealer and Context.ai. The parallel is direct: the infection that compromised Web3 globally came from the same malware family that supplies the Brazilian SMTP market with 1,752 corporate accounts. Same tooling, different markets.
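The defensive counterpart to the replay described above is session binding: tie the session to the client that actually completed MFA, and treat a mismatch as a stolen cookie rather than as roaming. The block below is an added example (not VECERT's or ON3X's code) and every request, address and user-agent string in it is constructed; the /24 binding, the 8-hour lifetime cap and the "user-agent change means replay, network change means step-up" policy are illustrative choices, not a standard.

```python
"""Session binding against stolen-cookie replay (added example, not VECERT's or
ON3X's code). An infostealer log hands the buyer an already-authenticated
session cookie, so MFA never fires again. The defense is to bind the session
to the client that completed MFA and treat a mismatch as a replay. All
request data below is constructed for illustration."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

MAX_SESSION_AGE = 8 * 3600  # seconds; stolen cookies are sold and used hours or days later


@dataclass(frozen=True)
class Request:
    session_id: str
    ip: str
    user_agent: str
    ts: int  # unix seconds


def fingerprint(ip: str, user_agent: str) -> tuple[str, str]:
    """Bind to the /24 rather than the exact address so ordinary DHCP and NAT
    churn does not trip the check, while a new network still does."""
    net = ".".join(ip.split(".")[:3])
    ua = hashlib.sha256(user_agent.encode()).hexdigest()[:16]
    return net, ua


class SessionGuard:
    """Verdicts: 'ok' (serve), 'step_up' (re-prompt MFA), 'revoke' (kill session)."""

    def __init__(self) -> None:
        self.bound: dict[str, tuple[tuple[str, str], int]] = {}
        self.revoked: set[str] = set()

    def check(self, req: Request) -> str:
        if req.session_id in self.revoked:
            return "revoke"
        fp = fingerprint(req.ip, req.user_agent)
        if req.session_id not in self.bound:
            # First sight is the request that completed login/MFA; bind here.
            self.bound[req.session_id] = (fp, req.ts)
            return "ok"
        (net0, ua0), issued = self.bound[req.session_id]
        if req.ts - issued > MAX_SESSION_AGE:
            # Hard cap on lifetime: a replayed cookie dies even if it matches.
            self.revoked.add(req.session_id)
            return "revoke"
        net, ua = fp
        if ua != ua0:
            # Same cookie presented by a different browser build: the classic
            # infostealer replay from the buyer's machine, not roaming.
            self.revoked.add(req.session_id)
            return "revoke"
        if net != net0:
            # Network moved but browser matches: could be a laptop on the road,
            # so demand MFA again instead of killing the session outright.
            return "step_up"
        return "ok"


CORP_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 (constructed)"
BUYER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0 (constructed)"

# Constructed stream: s1 is the victim's real session, later replayed by the
# buyer; s2 is a session presented again after the maximum lifetime.
STREAM = [
    Request("s1", "10.1.2.3", CORP_UA, 0),          # login + MFA at the office
    Request("s1", "10.1.2.9", CORP_UA, 60),         # same /24, same browser
    Request("s1", "198.51.100.4", CORP_UA, 120),    # new network, same browser
    Request("s1", "198.51.100.4", BUYER_UA, 180),   # new browser: replayed cookie
    Request("s1", "10.1.2.3", CORP_UA, 240),        # victim's own browser, session already dead
    Request("s2", "10.1.2.3", CORP_UA, 0),
    Request("s2", "10.1.2.3", CORP_UA, 9 * 3600),   # past MAX_SESSION_AGE
]


def run_stream(stream: list[Request] = STREAM) -> list[str]:
    guard = SessionGuard()
    return [guard.check(r) for r in stream]


if __name__ == "__main__":
    for req, verdict in zip(STREAM, run_stream()):
        print(f"{req.session_id} {req.ip:14} {verdict}")
```

The verdict order for the constructed stream is ok, ok, step_up, revoke, revoke, ok, revoke. Killing the victim's own session once a replay is detected is deliberate: the credential is burned either way, and the re-login is the moment to rotate the password and the cookie. A real deployment would also rebind the fingerprint after a successful step-up and would prefer a TLS-level channel binding where the client stack supports it.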
2. Exploitation of Basic Vulnerabilities
Many of the 3,528 high-profile credentials circulating since 2023 come from something prosaic: VPN and RDP services exposed to the internet, unpatched and without credential rotation for years. There is no sophisticated hack in this vector, just credential stuffing: pre-existing lists tested against services whose operators never rotated credentials or applied fixes for old CVEs.
It is the "zero vector" of cybersecurity: companies that do not do the basics. In 2026, with a minimal exposure audit via Shodan or Censys, any amateur actor can identify a vulnerable VPN build at a Brazilian city hall in minutes. The exploit may be a year old. It does not matter, because the system still has no patch.
3. API Vulnerabilities (IDOR)
The third vector, and probably the fastest-growing in 2026, is the exploitation of IDOR (Insecure Direct Object Reference) flaws in government portals and financial applications. The attacker manipulates identifiers in API requests, changing ?cpf=12345678901 to ?cpf=12345678902, and gains access to other users' records without needing administrative privilege, because the endpoint checks that the caller is logged in but never checks that the caller is allowed to see that particular record.
Exploited systematically, an IDOR lets the attacker download the entire database programmatically in hours. VECERT's alert about the actor CDF on April 24 is exactly this pattern: 2 million records from a Brazilian company, one request per record, without administrative credentials.
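The vulnerable and the hardened shape of such an endpoint, side by side, as an added example that is not VECERT's, CDF's or any real portal's code. The records, log entries and client addresses are constructed; the CPFs are arithmetically valid test numbers, not real people. Beyond the single case in the text, the block also shows two things a practitioner wants at this point: CPF check-digit validation, which rejects almost every sequentially incremented identifier before it reaches the database, and a per-client distinct-identifier count over the access log, which is the simplest enumeration detector that works.

```python
"""IDOR on a CPF-keyed endpoint: the vulnerable lookup, a hardened one, and an
enumeration detector for the access log (added example, not VECERT's, CDF's
or any real portal's code). Records and log lines are constructed; the CPFs
are arithmetically valid test numbers, not real people."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed "database" keyed by CPF.
RECORDS = {
    "12345678909": {"name": "Ana", "balance": 100},
    "11144477735": {"name": "Bruno", "balance": 250},
    "52998224725": {"name": "Carla", "balance": 75},
}


def cpf_is_valid(cpf: str) -> bool:
    """CPF check digits: weights 10..2 for the first, 11..2 for the second,
    remainder mod 11 (0 if < 2, else 11 - r). Repeated-digit CPFs pass the
    arithmetic but are rejected by convention."""
    digits = [int(c) for c in cpf if c.isdigit()]
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    for n in (9, 10):
        total = sum(d * w for d, w in zip(digits[:n], range(n + 1, 1, -1)))
        check = 0 if total % 11 < 2 else 11 - total % 11
        if check != digits[n]:
            return False
    return True


def lookup_vulnerable(query: dict) -> dict | None:
    """The IDOR: the record is selected purely by the caller-supplied id, so any
    caller, authenticated or not, can walk the whole CPF space."""
    return RECORDS.get(query.get("cpf", ""))


@dataclass(frozen=True)
class Principal:
    cpf: str
    roles: frozenset[str]


class Forbidden(Exception):
    pass


def lookup_hardened(principal: Principal | None, query: dict, audit: list) -> dict | None:
    """Object-level authorization: the identity comes from the session, and a
    caller may only read another CPF with an explicit role. Every decision is
    logged, which is what makes enumeration visible later."""
    if principal is None:
        raise Forbidden("authentication required")
    cpf = "".join(c for c in query.get("cpf", principal.cpf) if c.isdigit())
    if not cpf_is_valid(cpf):
        raise ValueError("malformed CPF")  # rejected before any database hit
    if cpf != principal.cpf and "records:read_any" not in principal.roles:
        audit.append(("denied", principal.cpf, cpf))
        raise Forbidden("not authorized for this record")
    audit.append(("read", principal.cpf, cpf))
    return RECORDS.get(cpf)


def handle(principal: Principal | None, query: dict, audit: list) -> tuple[int, dict | None]:
    """HTTP-style status mapping around lookup_hardened."""
    try:
        return 200, lookup_hardened(principal, query, audit)
    except ValueError:
        return 400, None
    except Forbidden:
        return (403 if principal else 401), None


def detect_enumeration(log: list[tuple[str, str, int]], threshold: int = 5) -> dict[str, int]:
    """Count distinct object ids per client. One client touching many different
    records, mostly with 400/403/404 answers, is walking the id space."""
    seen: dict[str, set[str]] = defaultdict(set)
    for client, cpf, _status in log:
        seen[client].add(cpf)
    return {client: len(ids) for client, ids in seen.items() if len(ids) >= threshold}


# Constructed access log: (client, requested cpf, status). 203.0.113.7 walks
# sequential ids; only one of them is a valid CPF, so the hardened endpoint
# answers 400 to the rest without touching the database.
ACCESS_LOG = [("10.0.0.5", "12345678909", 200), ("10.0.0.5", "12345678909", 200)] + [
    ("203.0.113.7", f"123456789{i:02d}", 200 if cpf_is_valid(f"123456789{i:02d}") else 400)
    for i in range(12)
]

if __name__ == "__main__":
    ana = Principal("12345678909", frozenset())
    print("vulnerable:", lookup_vulnerable({"cpf": "11144477735"}))
    print("hardened:", handle(ana, {"cpf": "11144477735"}, []))
    print("enumeration:", detect_enumeration(ACCESS_LOG))
```

Two details carry the point. The article's own example id, 12345678901, fails the check digits, so a validating endpoint answers 400 to it and to the next hundred or so increments; an enumerator that wants valid CPFs has to generate them, which is cheap but shows up as a client requesting many distinct identifiers, exactly what the detector counts. And the hardened lookup never trusts the query string for identity: the CPF defaults to the session's own, and reading anyone else's requires a role that is logged on every use.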
The iconic cases of the month
Listed in chronological order, the incidents of significant magnitude published in cybercrime forums in April:
- April 9 — Serasa: republication of complete 1.8 TB dump with 223 million Brazilian citizens (reference to the historical 2022 breach, now redistributed by Buddha).
- April 13 — Brazil Databases: miscellaneous dump of 15.4 TB with various Brazilian databases, attributed to actor injectioninferno2.
- April 18 — Correios (ECT): leak of blueprints and internal financial records.
- April 18 — MORGUE: 251 million CPFs allegedly linked to Gov.br put up for sale for US$ 500 in bitcoin by actor Buddha. Federal government denied.
- April 18 — BRESILIEN GOV MAIL + PANEL ACCESS: NormalLeVrai claims complete access to the federal government's email system, with administrative panel and Power BI reports.
- April 19 — Pernambuco DB: data of approximately 9 million residents of the state.
- April 21 — Municipality of Porto Estrela and City Council of Barra do Bugres: two municipal government targets attributed to wh6ami.
- April 23 — Santa Catarina: leak attributed to SudoDragon.
- April 24 — Critical IDOR in BR company: 2 million customers (CDF).
- April 25 — Hospital São Matheus: data from health institution, actor watari.
- April 25 — City Council of Cacique Doble + .rs.gov.br + psbrs.org.br: government targets.
- April 26 — 2.3 Million Brazilian Banking Records 2024-2026 (RubiconH4ck).
- April 26 — Oi Telecom (ri.oi.com.br): m0z1ll4s.
- April 26 — ABRIL.COM.BR: full customer data, 19 million records, actor joaoestrella.
The count is impressive. But what is most troubling about the sequence is how much of it went unnoticed by the press and the public. Each item on this list, in isolation, deserves a headline. Together, they became almost routine.
Who is being attacked: the sectoral map
The VECERT dashboard also classifies what is being compromised by sector. The distribution:
- Government: 34% — city halls, municipal chambers, state secretariats and federal agencies. It's the most targeted sector.
- Healthcare: 16% — hospitals, health plans, regional SUS systems. Health data has high value in fraud markets.
- Finance: 14% — banks, fintechs, exchanges, credit unions.
- Education: 10% — universities, education secretariats, municipal enrollment systems.
- Telecom: 8% — Oi, NET, smaller provider infrastructure.
- Others: 18% — retail, industry, media, e-commerce.
The government sector's lead, one-third of all monitored leak traffic, is the most troubling signal. On this dashboard the Brazilian state is the single largest involuntary supplier of personal data to the parallel market. Not retail. Not the private banking system. The State.
The regulatory irony of May 4
It is impossible to look at these numbers without returning to the regulatory calendar we already mapped. On May 4, seven days from now, three regulatory fronts enter into force in Brazil simultaneously:
- All international crypto operations become reportable to the Central Bank, with obligation to identify value, purpose, counterparty and country.
- CMN Resolution 5,298 blocks 27 prediction market platforms, including Polymarket and Kalshi.
- SPSAVs (Virtual Asset Service Provider Entities) reach the final deadline for operational compliance, with formal AML requirements, on-chain monitoring and world-class digital security.
On May 4 the Brazilian State will require from the private sector a level of digital hygiene that, in the preceding 30 days, it demonstrated it could not maintain in its own infrastructure. This is not a moral judgment; it is an operational statement. When a Brazilian exchange asks the Central Bank for guidance on how to shield its systems, and the Central Bank operates in a country where the federal government's email system allegedly circulates in a forum, there is an evident mismatch between the oversight demanded and the oversight exercised.
CTIR Gov published Recommendation 05/2026 on April 25, advising federal agencies to "double access controls". It is what an institution does when it recognizes that something is out of control. It is correct. It is late. And above all it is still only a recommendation: there is no enforcement mechanism, budget or binding timeline behind it.
What this means for crypto, fintech and SPSAV
For companies operating in the regulated crypto and digital payments perimeter in Brazil, three practical implications:
- The Brazilian threat environment is, today, more hostile than the global average. The 3,528 circulating credentials, the 1,752 SMTP accounts for sale and the 32 active actors all mean that targeted phishing campaigns against the customers of Brazilian crypto fintechs have abundant, current inputs. The attacker arrives armed with full name, CPF, purchasing pattern and sometimes a corporate credential. Social engineering becomes devastating.
- The regulatory requirements in force as of May 4 imply a defense cost far above the nominal one. Complying with the letter of BCB Resolutions 519/520/521 is one thing; operating in the real environment, where 41 leaks from 90 days circulate in forums, is another. The difference between the two is the margin of defensive investment that has to enter the business plan. It used to be a blue-team topic. In 2026 it is a board decision.
- Supplier compromise has become a systematic attack. Combining this dashboard with the Vercel hack via Lumma Stealer and the CoW Swap DNS hijacking, it becomes clear that the modern vector is no longer "attack the protocol". It is attack the third parties: domain registrations, OAuth grants to third-party applications and employees' personal machines. Every Brazilian fintech needs, today, to formally map its digital supply chain and audit its exposure.
The GoPix trojan, still active, and the wave of deepfakes against biometric KYC that we mapped two months ago complete the scenario: sophisticated attacks, quality data to feed social engineering, and a regulatory environment still on a defensive learning curve. No single element is catastrophic. The combination of the three is structural risk.
The ON3X perspective
Three readings to close.
One: Brazil's problem in 2026 is no longer "the incident". It is the pattern. The VECERT dashboard is the document that was missing to name what had been treated as a series of disconnected headlines. 32 active actors, 41 leaks, 29.8 TB in 90 days, on an exponential curve: this is organized siege, not coincidence. Anyone still treating cybersecurity in Brazil as a one-off operational problem, rather than country risk, is operating with a 2018 mental model.
Two: the regulated private sector will pay the bill for the public sector's lag. As CTIR Gov's Recommendation 05/2026 illustrates, the State recognizes the problem but is slow to execute the correction at scale. Meanwhile, exchanges, fintechs and SPSAVs have to assume a hostile environment and invest in defense well above the nominal regulatory requirement. That becomes a competitive advantage for those who invest early and an imminent crisis for those who treat it as an avoidable cost.
Three: credible coverage of Brazilian cybersecurity in 2026 requires a domestic primary source of threat intelligence. Following VECERT closely, as one of ON3X's primary sources in the field rather than as a distant reference, is in 2026 a condition for substantive editorial coverage. The published dashboards are the foundation. The consolidated reports still to come are where the story of this siege will be written in depth. ON3X News will be systematically present in this coverage, not sporadically.
What to watch in the coming weeks: official confirmation or denial of the cases published in April (especially Pernambuco, Correios and the 2.3 million banking records), any Federal Police investigation of the actors named in the VECERT lists, and any statement from CTIR Gov or ANPD about the highest-magnitude incidents. The siege is underway. As of this week, its documentation is visible.
Primary source: thread "STATE OF CYBER-INSECURITY: BRAZIL 2026" — VECERT Analyzer (@VECERTRadar) and "Anatomy of Brazilian Threat Actors" dashboard. VECERT is one of ON3X's primary sources of information in the cybersecurity field.
