In 117 days, the Central Bank of Brazil issued four official communications on Pix key data exposure: 33,632 keys identified in leaks at Agibank, the Public Prosecutor's Office of Goiás, Pefisa, and Credifit. The total brings the system to its 24th incident since launch in November 2020.
In the same period, an agent identified as Buddha listed the MORGUE database for sale on the dark web: 251.7 million records linking CPF, name, parentage, date of birth, and — in part of the cases — date of death. Price: US$ 500 in Bitcoin. The Ministry of Management and Public Services Innovation denied any invasion of Gov.br.
This is the fourth time in twelve months we've written that sentence in different variations. The first was the article on Brazil's Digital April Breach. The second, the cluster Brazil Under Fire, in 8 days of the BTG-Rendimento-Notre Dame-Morgue window. The third, the Dígitro/Guardião case, with 150 Brazilian agencies exposed by the chain. The fourth is this one.
Today's reporting axis is no longer "there was a leak". It's another: why, while the BCB builds the world's most rigorous regulatory apparatus over crypto and self-custodial wallets, national cadastral infrastructure bleeds at the rate of one incident per month — and the regulatory apparatus protecting that infrastructure remains disproportionately lenient?
The Map of 4 Pix Incidents in 2026
Each of the four has a different topology. Viewed in sequence, it becomes clear that the vulnerability is not concentrated — it is distributed.
#1 — Agibank (February): 5,290 keys, 21st incident since 2020
The first 2026 communication came out in February. Cadastral data of 5,290 Pix keys of Banco Agibank customers were exposed. The leak window, according to the Central Bank, was December 26, 2024 to January 30, 2025 — meaning the incident started at year-end and took the full cycle of detection+reporting+publicization to reach the public in February 2026.
This pattern of lag is structural in the BCB's Pix regulation: the notification cycle operates in time windows. The citizen discovers they are exposed 6 to 12 months after the fact. By the rules, this is "late transparency". For the fraud operator, it is eight months in which the stolen database has not yet gone stale.
#2 — Public Prosecutor's Office of Goiás (March 1): 93 records, the most troubling type of incident
It happened on March 1: unauthorized access to the system operated by the Public Prosecutor's Office of the State of Goiás. 93 records exposed. Low volume — but the topology is the point.
This is not a case of a fintech with recent infrastructure and a developing security team. It is the system of a constitutional state agency with access to Pix keys of public servants and — likely — of investigated parties. The vulnerability was not on the commercial edge of Pix. It was in authorized institutional access.
It is the same pattern we mapped in the Dígitro/Guardião case: the problem is not the citizen using Pix insecurely, it is the state infrastructure for monitoring and processing being the entry point. Pix is the final product. The pipe that delivers Pix to the State leaks first.
#3 — Pefisa/Pernambucanas (March): 28,203 keys leaked for six months without detection
The most serious incident in volume for the year. 28,203 Pix keys from Pefisa — the financing arm of the Pernambucanas group — exposed. The leak window reported by the Central Bank is what is alarming: August 30, 2025 to February 27, 2026. Six continuous months of exposure without internal detection.
Why does this matter? Because the detection cycle, in any reasonable SIEM protocol, operates on a scale of hours to days for access anomalies. Six months indicates that the expected compensatory control was not working, or that the unauthorized access was treated as legitimate during that period.
The Central Bank, in the communication, repeats the formula: "exposed cadastral information does not allow movement of funds". The formulation is technically correct. But direct movement is not the vector — it is the feeding of social engineering operations against the 28 thousand affected people, who now have Pix key data linked to name, account, institution.
#4 — Credifit (announcement on May 12): 46 keys and the first public divergence between BCB and institution
The fourth communication, published on May 12, 2026, refers to an incident that occurred between April 26 and 28, affecting 46 Pix keys under the custody of Credifit Sociedade de Crédito Direto. Small volume. But the story has a new layer.
The BCB characterized the event as "specific failures in Credifit's system". Credifit published a statement contesting: the event, according to the SCD, resulted from "improper use of legitimate credentials obtained outside of Credifit's environment". This is the first public divergence between the BCB and a participating institution over the characterization of a Pix incident.
The disagreement matters legally. If it was a systemic failure of Credifit, there is an administrative violation and possible sanction. If it was the use of credentials obtained from third parties — as in credential stuffing campaigns similar to the PexRat/Binance case we covered — Credifit is the victim, not the cause.
What this divergence also signals: the BCB's Pix notification protocol still does not differentiate, in public communication, the root cause. It treats materially different root causes (internal vulnerability vs. credential leaked from third parties) under the same label of "specific failure". The effect on the citizen is the same. The effect on the industry is not.
MORGUE: the parallel black swan of April 18
While the four Pix incidents unfolded at the pace of official communications, on April 18 what could be the largest fiscal identity breach ever circulated in Brazil appeared on the dark web. The agent, identified by the handles Buddha, #bigF, and #Shinigami in the postings, named the database MORGUE — the name is consistent with the content: living records crossed with death records.
The dataset, according to samples distributed by the actor and validated by independent analysts, contains:
- 251.7 million records — a number higher than Brazil's population (approximately 213 million), indicating inclusion of deceased persons and multiple records per CPF;
- Structure: CPF, full name, gender, date of birth, parents' names (parentage), and in a significant portion of cases, date of death;
- Attribution suggested by the actor: linkage to the Gov.br portal;
- Price: US$ 500 paid in Bitcoin;
- Promotional hashtags: #Brazil #NationalID #LeakedData.
The Ministry of Management and Public Services Innovation, responsible for Gov.br, officially stated that "there is no record of invasion or leaks in the system". The formulation is literal: it may be true that Gov.br as a portal was not invaded, and it may simultaneously be true that the dataset aggregates information available from multiple sources over the years — Federal Revenue Service bases, civil records, previous leaks, scraping of public databases — rebranded as "Gov.br" for criminal marketing purposes.
Threat intelligence analysts heard by specialized outlets converge on the remix hypothesis: previous leaks reorganized under new branding. Even so, the database is functional. The risk for companies and citizens is the same as an original leak — because the fraud operation that needs CPF+name+parentage+date of birth does not distinguish whether the data came from Serpro in 2021 or from Buddha in 2026.
What MORGUE does, then, is a market operation: place back in active circulation, in an accessible forum, 251 million records that were dispersed in silos.
Common denominator: the cadastre is the vector
The BCB repeats in all four Pix communications: "exposed cadastral information does not allow movement of funds". Technically correct. But direct movement was never the relevant vector.
The cadastre is the operating asset because it enables:
- Social engineering with apparent legitimacy. The fraud operator knows the Pix key, institution, branch number, and account type, and calls the citizen pretending to be from the bank with data that no stranger should have. The conversion rate goes up.
- Pig butchering with Brazilian targeting. The Brazil chapter in Chainalysis 2026 showed that part of Southeast Asian human trafficking operations target Brazil. A national cadastral dataset cheapens the victim segmentation done by these centers.
- Identity substitution in KYC flows. Defensive KYC providers require cadastre+selfie+OCR. A leaked cadastre serves to forge responses in low-friction flows — digital account opening, credit contracting, mobile line activation.
- Initial contact for Pix trojans. GoPix and variants operate on the victim's device after initial contact. That contact is more persuasive when the operator addresses the victim by full name + last CPF digit.
Cadastral leak is not "low-risk exposure". It is operation input. And when the available base jumps from 5 thousand to 251 million records, the marginal cost of each fraud operation falls.
The BCB's asymmetry: stablecoin under the hammer, Pix on fire
The most visible contrast of the past twelve months is regulatory. On one side:
- BCB Resolution 561: bans stablecoin and crypto in cross-border payment settlement from October, hits the front where Brazil moves US$ 6-8 billion per month in crypto flow;
- Resolution 521 (Day D on May 4): brings the individual self-custodial wallet into the Central Bank's foreign exchange radar — Annex II-A already provokes constitutional discussion;
- Resolution 519, on PSAV oversight: effective May 4, integrates with 561 and 521 for a complete encirclement;
- CMN Resolution 5.298: blocking of prediction markets (Polymarket, Kalshi), also effective May 4.
On the other side, the apparatus protecting Pix keys:
- Public communication with 6 to 12 month lag between the event and citizen notification;
- Application of "sanctioning measures" whose transparency on quantum and timing is low;
- Absence of clear typification, in public communication, of root cause (systemic failure vs. credential from third party);
- No public roadmap for hardening national cadastral infrastructure linked to Pix.
The point is not too much crypto regulation. It is too little cadastral regulation. And this asymmetry has a perverse distributional cost: the biggest loser is the average Pix user, who is also the citizen without capital to protect themselves against post-leak fraud.
The VECERT mapping we covered in April already brought the number: 32 active threat actors in Brazil in a 90-day window, with 29.8 terabytes of data sold, 214 compromised entities, 1,752 corporate SMTP servers for sale. Buddha is just the actor that made headlines this month. The layer behind it is structural, not punctual.
The ON3X perspective
Three readings for the complete picture: four Pix incidents, MORGUE in parallel, and the regulatory imbalance that sustains the asymmetry.
1. The correct axis for evaluating Pix is not financial movement — it is the cadastre. When the BCB argues in communication that "no sensitive data was exposed", it is applying a definition of sensitivity that stopped at the traditional banking perspective (balance, password, statement). For the modern fraud ecosystem, cadastral data is the first-order asset. While official discourse maintains this definition, the size of the problem will remain underestimated in public communication.
2. The six-month detection window (Pefisa case) is incompatible with the pace of modern exploitation. The lag between the start of the leak and internal detection by the participating institution is the most serious technical point of the 2026 picture. In any access monitoring protocol operating with a median ML baseline, six-month anomalies should trigger alerts. That this does not occur in SCDs, retail finance companies, and even in state Public Prosecutor systems points to a capacity gap — not a rule gap. Additional regulation without training is just words.
3. Aggressive crypto regulation, without corresponding cadastral regulation, generates a negative externality. Brazil builds the world's most rigorous MiCA-like apparatus outside Europe for crypto (Resolutions 561+521+519), but maintains national cadastral infrastructure in a regime of recurring incidents. The aggregate effect is the opposite of the intended one: the citizen is pushed out of formal crypto (where controlled KYC would exist) and kept in an exposed Pix system. The fraud operation benefits both from the leaked cadastre and from the invisibility of informal crypto. The policy of "hammer where you can issue licenses, ignore where you need hardening" delivers the worst of both worlds.
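The Pefisa window (six months of access without detection) and point 2 above both rest on the same claim: a credential whose cadastral lookup volume jumps far above its own history should be caught within days, not months, by a baseline-based access monitor. The script below is an added illustration written for this article; it is not code from the BCB, Pefisa, or any other institution named here, and the log format ("YYYY-MM-DD credential lookups"), the credential names (`svc-kyc-01`, `svc-kyc-02`) and all counts are constructed. It compares each day's lookup count against the median of that credential's trailing 14 days and raises an alert after three consecutive days above 3x that baseline.

```python
"""Baseline-based detection of sustained anomalous Pix-key cadastral lookups.

Added illustration for this article, not code from the BCB or any institution.
It assumes a hypothetical per-credential daily audit log of cadastral key
lookups and flags credentials whose volume stays far above their own median
baseline for several consecutive days.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

BASELINE_DAYS = 14      # trailing window used as the credential's own baseline
RATIO_THRESHOLD = 3.0   # a day is anomalous if lookups exceed 3x the trailing median
SUSTAINED_DAYS = 3      # consecutive anomalous days before an alert is raised


def build_sample_log(start=date(2025, 8, 1), days=45):
    """Constructed audit log (hypothetical format: 'YYYY-MM-DD credential lookups').

    svc-kyc-01 runs ~110-132 lookups/day, then from day 30 a misused credential
    starts pulling ~2,400/day. svc-kyc-02 stays normal throughout.
    """
    lines = []
    for i in range(days):
        day = start + timedelta(days=i)
        normal = 110 + (i * 7) % 23           # deterministic jitter, no randomness
        lines.append(f"{day} svc-kyc-02 {normal}")
        bulk = 2400 + (i * 13) % 50
        lines.append(f"{day} svc-kyc-01 {bulk if i >= 30 else normal}")
    return "\n".join(lines)


def parse_log(text):
    """Return {credential: [(date, lookups), ...]} sorted by date."""
    per_cred = defaultdict(list)
    for line in text.strip().splitlines():
        day, cred, count = line.split()
        per_cred[cred].append((date.fromisoformat(day), int(count)))
    for cred in per_cred:
        per_cred[cred].sort()
    return per_cred


def anomalous_days(series):
    """Yield (date, lookups, baseline) for days above RATIO_THRESHOLD x trailing median."""
    for idx in range(BASELINE_DAYS, len(series)):
        window = [count for _, count in series[idx - BASELINE_DAYS:idx]]
        baseline = median(window)
        day, count = series[idx]
        if count > RATIO_THRESHOLD * baseline:
            yield day, count, baseline


def detect_sustained(per_cred):
    """Return one alert per run of >= SUSTAINED_DAYS consecutive anomalous days."""
    alerts = []
    for cred, series in per_cred.items():
        run = []
        for day, count, baseline in anomalous_days(series):
            if run and day - run[-1][0] != timedelta(days=1):
                run = []                      # a gap ends the run; start a new one
            run.append((day, count, baseline))
            if len(run) == SUSTAINED_DAYS:    # fire exactly once per run
                alerts.append({
                    "credential": cred,
                    "anomaly_start": run[0][0],
                    "alert_day": day,
                    "baseline": run[0][2],
                    "peak": max(c for _, c, _ in run),
                })
    return alerts


def run_detection():
    """Convenience entry point over the constructed sample log."""
    return detect_sustained(parse_log(build_sample_log()))


if __name__ == "__main__":
    for alert in run_detection():
        print(f"{alert['credential']}: anomaly from {alert['anomaly_start']}, "
              f"alert on {alert['alert_day']} (baseline {alert['baseline']}, "
              f"peak {alert['peak']})")
```

On the constructed data the alert fires on the third anomalous day, 2025-09-02, against a baseline of 121.5 lookups/day. The same code also shows why early firing matters: because the baseline is a trailing median, once more than half of the window is itself anomalous (here, after seven days) the bulk extraction becomes the new "normal" and the detector goes quiet. A monitor that only looks at long windows, or that is not reviewed when it stops firing, can therefore sit silent for months over exactly the kind of access described in the Pefisa communication.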
Four incidents in 117 days. 251 million CPFs back in circulation. Twenty-four cases since 2020. And yet the official discourse repeats that "sensitive data was not exposed". The definition of sensitivity needs to be updated — before the fifth communication comes out.
Frequently Asked Questions
How many Pix data breaches happened in 2026?
Four through May 18, 2026. In order: Agibank in February (5,290 keys), Goiás Public Prosecutor's Office on March 1 (93 records), Pefisa/Pernambucanas in March (28,203 keys), and Credifit, announced on May 12 (46 keys). Total: 33,632 Pix keys exposed, bringing the system to the 24th incident since launch in November 2020.
What is the MORGUE database?
MORGUE is the name given by the agent identified as Buddha (with tags #bigF and #Shinigami) to the database of 251.7 million records linking CPF, full name, gender, date of birth, parentage, and — in part of the cases — date of death. It was listed for sale on the dark web on April 18, 2026 for US$ 500 in Bitcoin. The Ministry of Management and Public Services Innovation denied any invasion of Gov.br, and the prevailing hypothesis among analysts is that it is a remix of previous leaks reorganized under new branding.
Was my data leaked in any of the Pix incidents?
The Central Bank determines that notification to the affected citizen is made exclusively through the application or internet banking of their relationship institution — never by SMS, email, WhatsApp, or phone call. Any contact through these channels claiming a Pix leak is, by default, a scam. Confirm only through your institution's official app.
Does the leak of Pix keys allow moving money from my account?
Not directly. The Central Bank emphasizes in all communications that data protected by banking secrecy — balances, statements, passwords, movements — are not exposed. The real risk is indirect: cadastral data enables social engineering with apparent legitimacy, pig butchering segmentation, fraudulent credit contracting or mobile line activation via identity substitution, and initialization of Pix trojans.
What does Brazil regulate in crypto meanwhile?
The Central Bank built in 2026 a regulatory apparatus combining Resolution 561 (bans stablecoin and crypto in cross-border payment settlement, effective October), Resolution 521 (brings individual self-custodial wallet into the Central Bank's foreign exchange radar, effective May 4), and Resolution 519 (regulates PSAVs and crypto oversight). The contrast with Pix regulation — where the average lag between event and public communication is 6 to 12 months — is the critical axis of asymmetry.
