In an eight-day window between April 21 and 28, 2026, Brazil registered — almost in editorial silence — a sequence of cyber incidents that, read together, describe a country under crossfire on at least four simultaneous fronts: the international banking system, national retail banking, private education and the digital identity base built around the CPF. Each incident, in isolation, was treated as an administrative event. Covered together, they compose the argument that Brazilian digital infrastructure is operating, in April, in a regime of continuous compromise.
This investigation organizes four cases: the attack on BTG Pactual via DriveWealth, discovered on April 24; the multimillion-dollar diversion at Banco Rendimento, contained on April 21; the claim by the TheGentlemen group against the domain of the Notre Dame de Campinas school, published on April 28; and the "Morgue" leak, which put 251.7 million CPF records linked to the Gov.br portal up for sale. Each case brings a different technical anatomy. But the common denominator is the same, and it is the central point of this text.
Chapter 1 — BTG Pactual, DriveWealth and the fragility of the international chain
BTG Pactual, on the night of Friday, April 24, informed a subset of clients residing outside the United States that there was unauthorized access to personal data through a cyber attack against DriveWealth LLC, its US-based custody partner for international accounts. The attack, according to the statement, occurred at the end of March 2026; the bank was notified by DriveWealth in the week of April 21, and took about 72 hours to prepare communication to clients.
The exposed data, according to BTG: full names, account information and banking identifiers. The bank was emphatic in stating that "no BTG Pactual or our clients' assets or dollar balances were compromised," and announced that account numbers of affected clients will be replaced in the following weeks as a preventive measure. No threat actor was publicly identified.
The point that matters, beyond the operational detail: BTG was not attacked directly. The attack was against a third-party provider operating in the US, providing brokerage and custody services to international clients of the Brazilian bank. This pattern — compromising the big bank by attacking the small partner — is today the dominant operating mode of cybercrime against the elite financial sector. DriveWealth serves dozens of other institutions besides BTG, and last week's news is likely the first of a series of similar disclosures by correspondent banks.
For affected BTG clients, the immediate impact is limited: exposed personal data can be used in targeted phishing, but there is no direct access to funds. The structural impact, however, is greater. The "international account via partner" model — which Brazilian banks offer to private clients for geographic diversification — depends entirely on the security of the foreign provider, over which the Brazilian bank has no direct governance. When that provider is breached, the Brazilian bank inherits the reputational risk without having been able to prevent the technical failure. It is the same supply chain attack pattern we have documented in other contexts — only applied to high-income retail finance.
Chapter 2 — Banco Rendimento and the R$ 100 million diversion contained in hours
On the morning of Tuesday, April 21, 2026, Banco Rendimento identified and contained, on its own initiative, a cyber incident in some of its client access channels. According to investigations published in sequence by specialized outlets in the following days, the attack involved the diversion of approximately R$ 100 million from the bank's operations. The information security team, according to the official statement, acted in the early hours to isolate the threat, recover part of the diverted amount and strengthen protective measures. The case was reported to the competent authorities.
The most relevant and least commented data point: the bank recovered most of the diverted value, ending the incident with estimated losses between R$ 20 million and R$ 40 million. In absolute terms, that is real money. Relative to an attack that could have cost R$ 100 million, it is a reasonably successful defense — sustained by real-time anomaly detection mechanisms and rapid operational response.
Rendimento is, in the context of the Brazilian banking system, a medium-sized institution with a strong presence in exchange and international correspondence. That a bank of this profile would be targeted by an operation that intended to divert nine digits in national currency — and that this operation would be executed with enough time for approximately R$ 60 million to R$ 80 million to be recovered before reaching its destination — suggests that attackers failed to anticipate the speed of reaction. It is a rare case where defensive infrastructure won by reflex, not by preventive design.
The Central Bank, in turn, recorded in 2025 a total of 76 cyber incidents considered "significant" reported by the national financial system — a number 29% higher than in 2024. Data from 2026 is not yet publicly consolidated, but the frequency and magnitude of first-quarter events suggest the final number will exceed that of 2025 by a significant margin.
Chapter 3 — TheGentlemen and the attack on Notre Dame de Campinas school
On April 28, 2026, the threat actor TheGentlemen published on its leak platform — a .onion site where the group discloses victims who refused to pay ransom — a claim of attack on the domain notredamecampinas.com.br, linked to the Notre Dame de Campinas Catholic educational network in São Paulo. Public details about data volume and types of records exposed are, as of the close of this investigation, limited. The case was registered by independent breach monitors, but there is no official confirmation from the educational network about the scope of the incident.
The angle that makes this case relevant to the general thesis of this text is not the volume — which may end up being modest — but the identity of the target and the attacker:
- The target: a Brazilian private educational institution serving children and adolescents. Breaches in the education sector are especially sensitive because they tend to expose data of minors, school health records, financial information of guardians and, in some cases, communications between institution and family. Brazil has not yet rigorously regulated the treatment of minors' data in the educational context — the LGPD provides the framework, but specific fines and enforcement in the sector remain incipient.
- The attacker: TheGentlemen is today one of the most active ransomware-as-a-service operations in the world. Emerging in mid-2025 as a RaaS that recruits affiliates in underground forums, the group has already publicly claimed more than 320 victims in more than 50 countries, with 240 of the attacks concentrated in the first months of 2026. The operation provides its affiliates with multi-OS lockers for Windows, Linux, NAS and BSD (written in Go) and a dedicated locker for ESXi (in C), in addition to EDR neutralization tools and multi-chain pivot infrastructure.
The technical profile of TheGentlemen is, in other words, that of a mature operator with industrial attack capacity. That the group included a Brazilian educational network in its April calendar — alongside victims in Italian defense, a Philippine microelectronics OEM and Moroccan sports retail, all disclosed in the same window — suggests that Brazil has stably entered the portfolio of routine targets of international RaaS. It is no longer an isolated incident; it is a production pipeline.
Chapter 4 — Morgue: 251.7 million CPFs and the leak that resurrected the dead
The most serious discovery of the April window came without official announcement, without press briefing, without federal confirmation. A threat actor operating under the pseudonym "Buddha" put up for sale on an underground forum a database called "Morgue", containing 251,720,444 CPF records linked to the Gov.br portal — totaling 25.1 GB of data in plain text. To demonstrate authenticity, the seller made available a free sample of 20,000 lines. The discovery was initially reported by VECERT, ON3X's primary editorial source for national cybersecurity.
The volume alone is a historical milestone: it exceeds the 2021 leak of 223 million CPFs, which until then was the largest incident of its kind ever recorded in the country. The number even exceeds the Brazilian living population — because it includes records of deceased persons. The structure of the database itself confirms this: in addition to CPF and Gov.br linkage, fields include affiliation, death status with date, race and city of birth. Brazil has issued CPFs since 1965, and the Morgue leak appears to consolidate decades of records — living, dead and demographic layers that normally would not be accessible to the parallel data market.
The extraction occurred, according to the actor, on March 15, 2025. The public announcement came in April 2026 — a 13-month interval between compromise and disclosure, during which the dataset could have been sold privately, used in directed fraud campaigns or exploited in social engineering operations. Until the close of this investigation, neither the federal government nor the National Data Protection Authority (ANPD) issued confirmation or public statement about the case.
The silence is, in itself, a data point: the ANPD was created in 2018 with an explicit mandate to oversee large-scale incidents. Thirteen months between extraction and publication, and still there was no statement. For a citizen whose CPF is probably among the 251 million exposed — which, given the volume, is almost every living adult Brazilian — there is no official guidance on how to verify exposure, nor on what protective measures to take.
The common denominator: attack through outsourcing and obsolescence
The four cases have distinct technical anatomies. BTG was hit via foreign partner. Rendimento, by direct intrusion into client channels. Notre Dame, by a commoditized ransomware-as-a-service operation. Morgue, by extraction from a government database whose exact origin was not confirmed. But two structural threads sew the four together:
Thread 1 — Attack on the indirect perimeter. In three of four cases (BTG, Notre Dame, Morgue), the nominal victim is not the same as the technical victim. BTG was not invaded — DriveWealth was. Notre Dame may not have been the target chosen by name — it may have fallen to TheGentlemen's generic scanning pattern against educational sectors. Morgue did not leak directly from Gov.br — it leaked from some integrator, supplier or intermediary base with authorized access to the records. Brazil today is attacked more through its contractual peripheries than through its defended cores.
This pattern has a technical name — supply chain attack — and a structural name: outsourcing without audit. Every peripheral node that gains access to the parent institution's data without its security being held to the same standard as the central institution creates an entry point. And these points multiply faster than governance teams can map them.
Thread 2 — Old data resurfacing as current assets. Morgue was extracted in March 2025 and sold in April 2026. The Kraken case — which VECERT documented on April 13 — involved 5.3 million records that appeared to be recycled data from previous exposures, repackaged as a "new" leak for extortion purposes. The phenomenon is the same: data that should have been discarded, rotated or neutralized remains active in the parallel market, resurfacing in monetization cycles that range from months to years after the original extraction.
The consequence is that the "remediation" of a leak — changing passwords, rotating tokens, monitoring fraud — has to stay effective over a much longer window than is usually assumed. A CPF, unlike a password, cannot be rotated. Once exposed, it is exposed forever. And the parallel market for Brazilian data, fed by exposures accumulated since 2021 — when the leak of 223 million records marked the beginning of this era — has sufficient material today for fraud operations, social engineering and identity theft that will extend throughout the decade.
What connects the four cases with what we have already covered
This sequence does not arrive in an editorial vacuum. On April 27, ON3X published VECERT's investigation that mapped 32 threat actors and 29.8 TB of exposed Brazilian data in 90 days, covering 214 compromised entities and 1,752 corporate SMTP accounts for sale. Morgue, BTG and Rendimento are all direct expansions of that inventory — now with names, numbers and timestamps. And on April 29, ON3X separately documented the breach at Dígitro Tecnologia, which exposed the Guardião System source code and affected more than 150 federal agencies that depend on the company for court-authorized phone interception.
Read together — VECERT, Dígitro, BTG, Rendimento, Notre Dame, Morgue — these cases form an April panel that has no direct precedent in Brazilian cybersecurity history. Not in the isolated volume of each incident, but in the density of the window: six significant events in just over 30 days, crossing all major sectors of the formal economy (financial, government, education, state suppliers).
International context helps calibrate interpretation. The Lazarus campaign against crypto executives via macOS, which we documented on April 23, and the DeFi hack cluster we covered in "Cross-Chain Bled" on April 28, show that the same type of systemic pressure hitting Brazil is hitting specific sectors of the global crypto-finance ecosystem. The difference is structural: the crypto sector, even in crisis, has the capacity for public audit (open-source code, detailed post-mortems, independent technical communities). The Brazilian public sector and most of the traditional financial sector do not have this muscle — they operate in defensive secrecy, with minimalist disclosure and slow accountability.
The ON3X perspective
Three readings to close:
1. Brazil needs a mandatory and rapid incident disclosure regime for the public and banking sectors. The ANPD has existed for seven years and still has not imposed a notification pace compatible with exposure speed. The SEC requires material disclosure in 4 business days for listed companies. The European Union, via NIS2, requires initial reporting in 24 hours for significant incidents in the critical sector. Brazil today operates in an elastic window ranging from "a few days" in the financial sector to "never" in the public sector. The Morgue case — 13 months between extraction and publication, without official note — is the extreme example of the problem. Without a legal deadline for mandatory notification, the citizen is the last to know.
2. Outsourcing without audit is the dominant vector, and it requires an architectural response. Brazilian banks operating international accounts via foreign partners need to build contracts with continuous audit clauses, verifiable minimum security standards and an immediate-notification regime. Companies operating critical services for the State — like Dígitro — need to be subject to code audits by independent third parties, with publication of executive summaries. The LGPD does not reach that far. A complementary regulatory framework for the critical-sector supply chain would need to exist.
3. Defense worked at Banco Rendimento — and that is the only good news in the window. The Rendimento case shows that real-time anomaly detection, combined with rapid operational response, is still capable of neutralizing a significant portion of an attack even when the adversary is already inside. The attack intended to take R$ 100 million; it left with R$ 20 million to R$ 40 million. Not victory — contained damage. But it is the best result in the window, and the only one that offers a replicable model for other institutions. The lesson is not that the system is secure; the lesson is that response speed matters more than prevention once prevention has already failed. And response speed requires investment in teams, in tools and in incident simulation processes — exactly what most Brazilian institutions delay until the moment when it is already too late.
April closes with Brazil more exposed than it entered. May begins with Central Bank Resolution 519 making mandatory, starting on the 4th, the reporting of international crypto operations — an additional layer of visibility that adds regulatory pressure without solving the underlying structural problem. The question that every Brazilian institution — public or private — needs to answer now is not "were we attacked?" but rather "when and how will we discover that we were?". The delay between the event and recognition, in all four cases covered here, was the difference between contained damage and consolidated damage.
