April was cruel to Brazil's digital landscape. In just over eight days — between April 17 and 25, 2026 — the country accumulated allegations of compromise involving, combined, more than 253 million personal records, the federal government's email system, two .gov.br domains and a political party acronym. At least five different actors — Buddha, NormalLeVrai, CDF, m0z1ll4s team and others unnamed — put up for sale or exposed, on the dark web and in Telegram groups, data ranging from ministerial mailing lists to 251 million CPFs allegedly extracted from Gov.br.
The result is a wave that started diffuse and became, by April 25, grave enough for CTIR Gov — the Government Center for Prevention, Treatment and Response to Cyber Incidents — to publish Recommendation 05/2026, advising federal agencies to "double access controls" on critical systems. It's the institutional equivalent of admitting something is out of control.
What this "Black April" of Brazil's digital space exposes is not a lack of regulation. It's imbalance. While the Central Bank switches on its currency surveillance regime for all international crypto operations on May 4 — and while the CMN blocks 27 prediction market platforms on the same date — the State's own digital infrastructure, in the month before the regulatory shift, is allegedly leaking in cyber crime forums.
The timeline of Brazil's Black April
Five events consolidate the month:
- April 17-18 — Federal government email system allegedly compromised. Actor NormalLeVrai publishes on social media an excerpt of a Power BI report named "2025 State Present", along with mailing lists and institutional notifications. The April 18 tweet had accumulated 150.4 thousand views before the media cycle picked up the case.
- April 18 — The VECERT Threat Intelligence platform issues an alert about a database named MORGUE: 251.7 million CPF records allegedly linked to Gov.br, for sale on the dark web for US$ 500 in bitcoin. The actor is identified as Buddha; the alleged access would have occurred on March 15.
- April 19 — The Ministry of Management and Innovation in Public Services, responsible for Gov.br, officially denies the leak, stating that "there is no record of invasion" in the system.
- April 24 — VECERT publishes a new alert: actor CDF offers, in cyber crime forums, an exploit for a critical IDOR vulnerability (Insecure Direct Object Reference) in an unnamed Brazilian company, with potential to exfiltrate approximately 2 million customer records. As of publication, there is no public identification of the company or confirmation of the incident.
- April 25 — VECERT alerts about the m0z1ll4s team group, which claims to have exfiltrated +102 thousand records from two domains: marianapimentel.rs.gov.br (municipal city hall) and psbrs.org.br (Brazilian Socialist Party of Rio Grande do Sul). Status: download links were made available by the attackers; the leak has not yet been officially confirmed by the affected entities.
The picture is more serious than the sum of its parts. Each of these events, in isolation, would be news. Concentrated in eight days, they became a pattern.
The MORGUE case: 251 million CPFs for US$ 500 in bitcoin
The alert of greatest magnitude came on April 18. According to VECERT, actor Buddha put up for sale on the dark web a database named MORGUE — a grim reference to the purpose of the files for identity fraud. The set, of approximately 25.1 GB, is said to contain 251.7 million CPF records, allegedly extracted from databases linked to the Gov.br portal.
The fields described by the actor himself and validated by VECERT in partial samples include:
- Full name
- Gender
- Date of birth
- Parentage (names of parents)
- Race (self-declared in public systems)
- City of birth
- In part of the records: date of death
The asking price — US$ 500 in bitcoin for the complete dump — is absurdly low for a database of this size, and precisely for that reason VECERT considers it a commodification price: the actor is not trying to maximize profit per sale; he is distributing the dataset quickly among multiple buyers before the subject cools or the original source is remediated.
The Ministry of Management and Innovation in Public Services, in a note on April 19, categorically denied that the Gov.br system had been invaded. The official line is that "there is no record of invasion or leaks in the system". VECERT kept the alert active, citing the granularity of the data as compatible with structured public databases — without necessarily pointing to Gov.br as sole source (it could be, in theory, aggregation of earlier public databases combined with new access to some government layer).
It's the classic ambiguity of the modern incident: the government denies, the actor claims, and procedural truth will only emerge, if it emerges, in months or years.
The federal government attack: NormalLeVrai and the "2025 State Present"
The incident that started the wave — chronologically the first — was the leak attributed to actor NormalLeVrai. On April 18, the actor published on social media screenshots and samples claiming to have complete administrative control of Brazil's federal government email system. The compromised assets described:
- Complete email system — emails and their attachments, including administrative panel.
- Internal Power BI reports, highlighting a document named "2025 State Present" — apparently a compilation of institutional indicators.
- Internal mailing lists.
- Institutional notifications dated April 18, 2026.
The original tweet, already with over 150 thousand views, shows what appears to be an administrative interface in Portuguese with EJA (Youth and Adult Education) elements — suggesting that the compromised system may be linked to the Ministry of Education or some other agency that shares the government email system.
To date, there is no official statement from the federal government confirming or denying the incident. The institutional silence contrasts with the speed of denial in the MORGUE case — which may indicate both that the NormalLeVrai case is under active investigation and that the type of alleged compromise is difficult to dismiss quickly.
The other cases: 2 million IDOR and the double target in Rio Grande do Sul
On April 24, VECERT's alert about actor CDF identified, in cyber crime forums, an offer of an active exploit for a critical IDOR vulnerability (Insecure Direct Object Reference) in an unnamed Brazilian company, with a database of approximately 2 million customers.
IDOR is one of the most underestimated vulnerabilities in the OWASP Top 10. Instead of breaking authentication, the attacker simply manipulates identifiers in URLs or API requests — changing ?user_id=123 to ?user_id=124 and gaining access to user 124's data without needing a password. When exploited systematically, it allows downloading the entire database in hours, programmatically.
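As an added illustration (not code from the article, from VECERT or from the unnamed company), here is a minimal Python model of the pattern just described: the vulnerable handler, its hardened form with an object-level check, and the regression check a defender runs to confirm the endpoint is no longer enumerable. The table, the principals and the support role are constructed assumptions.

```python
# Added example (not code from the article, VECERT or the unnamed company):
# a minimal Python model of the IDOR pattern, with the vulnerable handler
# beside its hardened form. The "table" and the principals are constructed.
from dataclasses import dataclass

# Constructed sample records of the kind the alert describes (masked CPFs).
USERS = {
    123: {"name": "Ana Souza",  "email": "ana@example.test",   "cpf": "***.***.111-11"},
    124: {"name": "Bruno Lima", "email": "bruno@example.test", "cpf": "***.***.222-22"},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as the session layer establishes it."""
    user_id: int
    is_support: bool = False  # assumed staff role allowed to read any customer


def get_user_vulnerable(caller: Principal, requested_id: int):
    """Authenticated but never authorized: the record is looked up by the
    id taken straight from ?user_id=, so any logged-in caller reads any row."""
    record = USERS.get(requested_id)
    return (200, record) if record else (404, None)


def get_user_hardened(caller: Principal, requested_id: int):
    """Object-level check: bind the requested id to the caller (or to a role
    that may legitimately cross that boundary) before touching the data."""
    if requested_id != caller.user_id and not caller.is_support:
        # Same status as a missing record, so probing ids reveals nothing
        # about which ones exist.
        return (404, None)
    record = USERS.get(requested_id)
    return (200, record) if record else (404, None)


def count_readable(handler, caller: Principal, ids) -> int:
    """Authorization regression check: how many rows can this caller pull
    by walking an id range? A regular customer should get exactly one."""
    return sum(1 for i in ids if handler(caller, i)[0] == 200)
```

The check in count_readable is the kind of test worth keeping in CI for every endpoint that takes an object id, since it fails loudly the day someone reintroduces the unchecked lookup.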
The profile of the exposed data described by the actor — names, emails, documents, purchase history — suggests e-commerce or fintech. VECERT, in its note, classified the risk as a "goldmine for identity theft actors", given the 2 million potential victims and the low technical complexity of exploitation.
On April 25 came the last alert, about the m0z1ll4s team group. The targets: the municipal city hall of Mariana Pimentel, in Rio Grande do Sul (marianapimentel.rs.gov.br), and the Brazilian Socialist Party of Rio Grande do Sul (psbrs.org.br). Alleged volume: +102 thousand records exfiltrated, with download links provided by the attackers themselves for "validation".
The political angle is potentially sensitive. Lists of affiliates, contacts, campaign strategies, internal communication — material that, in an election year, becomes ammunition. The current status is "not officially confirmed", but VECERT considered the links valid enough to issue a high-severity alert.
The institutional response: CTIR Gov Recommendation 05/2026
The government response came in the form of Recommendation 05/2026 from CTIR Gov, published on April 25. The document advises federal agencies to:
- Double access controls on critical systems — mandatory multi-factor authentication on all administrative portals, without exception.
- Audit logs from the last 90 days for anomalous patterns, with specific focus on nighttime accesses, foreign IPs and massive exfiltration.
- Review permissions of administrative accounts and remove legacy accesses from suppliers that have already ended their contracts.
- Validate configurations of public APIs to reduce exploitation surface of IDOR and similar vulnerabilities.
- Report incidents to CTIR Gov within 72 hours, per federal incident response policy.
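As an added illustration (not code from the article or from CTIR Gov), here is a small Python triage pass over access logs that applies the three patterns the recommendation names for the 90-day review: nighttime access, foreign source IPs and bulk exfiltration, both per request and cumulative per account. The log format, the thresholds and the sample lines are all constructed assumptions.

```python
# Added example (not from the article or from CTIR Gov): a triage pass over
# access logs for the three patterns named in Recommendation 05/2026.
# Log format, thresholds and sample lines are constructed assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one request per line, local time with UTC offset,
# then key=value fields (cc = country code already resolved by the collector).
SAMPLE_LOG = """\
2026-04-20T14:02:11-03:00 user=ana.souza src=198.51.100.7 cc=BR action=view rows=1
2026-04-20T02:14:05-03:00 user=admin.silva src=203.0.113.5 cc=NL action=export rows=180000
2026-04-21T03:40:52-03:00 user=admin.silva src=203.0.113.5 cc=NL action=export rows=95000
2026-04-22T10:15:00-03:00 user=fornecedor.legado src=192.0.2.44 cc=BR action=export rows=2000
2026-04-22T23:59:30-03:00 user=ana.souza src=198.51.100.7 cc=BR action=view rows=1
"""

NIGHT_HOURS = range(0, 6)        # assumption: 00:00-05:59 local counts as nighttime
ALLOWED_CC = {"BR"}              # assumption: staff connect only from Brazil
BULK_ROWS_PER_REQUEST = 50_000   # assumption: one export above this is suspicious
BULK_ROWS_PER_USER = 200_000     # assumption: cumulative per-account total in window


def parse_line(line: str) -> dict:
    """Turn 'ts key=value ...' into a dict; ts keeps its local offset."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["rows"] = int(rec["rows"])
    return rec


def triage(log_text: str) -> dict:
    """Return {user: sorted list of reasons} for every account that tripped a rule."""
    findings = defaultdict(set)
    rows_by_user = defaultdict(int)
    for line in log_text.splitlines():
        r = parse_line(line)
        rows_by_user[r["user"]] += r["rows"]
        if r["ts"].hour in NIGHT_HOURS:
            findings[r["user"]].add("nighttime access")
        if r["cc"] not in ALLOWED_CC:
            findings[r["user"]].add(f"foreign ip {r['src']} ({r['cc']})")
        if r["rows"] >= BULK_ROWS_PER_REQUEST:
            findings[r["user"]].add("bulk export in one request")
    for user, total in rows_by_user.items():
        if total >= BULK_ROWS_PER_USER:  # two medium exports still add up
            findings[user].add("cumulative export volume")
    return {u: sorted(s) for u, s in findings.items()}
```

The cumulative rule is the one that catches an actor who keeps each export under the per-request threshold; the 90-day window the recommendation asks for is simply the span of log text fed to triage.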
It's the first time this year that CTIR Gov has published a recommendation of this scale — and the timing, three days after the MORGUE case and hours after the m0z1ll4s alert, leaves little doubt about the institutional trigger.
It's worth noting that, according to the latest survey, the federal government recorded a record 3,253 data leak incidents in 2024. Recommendation 05/2026 is an attempt to apply brakes to an upward curve — but without budget or staff capacity, the recommendation becomes just paper.
The regulatory irony of May 4
The most uncomfortable point of the narrative is not with the actors. It's with the calendar.
On May 4, 2026 — nine days from now — Brazil enters the most ambitious phase of its history in digital surveillance over the private sector. On that date:
- Every cross-border crypto operation must be reported to the Central Bank, with amount, purpose, counterparty and country.
- 27 prediction market platforms — Polymarket, Kalshi and company — become formally blocked by the CMN and Anatel.
- SPSAVs must prove economic capacity, reputation and AML structure to continue operating.
It's State surveillance over private digital flows, executed with institutional speed and firmness. And it is, in itself, a defensible regulatory agenda. But it coexists, awkwardly, with the finding that, in the month immediately prior to the shift, the Brazilian State itself has active allegations of federal email compromise, alleged leaking of 251 million CPFs and two .gov.br domains in cyber crime forums.
The competence contrast is not a detail. It's the point. When the State demands from exchanges, fintechs and private companies the level of digital hygiene that it itself cannot maintain in its own infrastructure, the political legitimacy of the regulatory regime comes into question. Not on the legal plane — Resolution 5.298 and BCB Resolutions 519/520/521 are valid and will be complied with. On the moral and technical plane: how does the BC guide SPSAVs to assemble world-class AML while the federal government's email system allegedly circulates as a direct download on Telegram?
The real risk for the citizen and for the crypto investor
For the average Brazilian, the operational risk of these leaks is direct and has three layers:
- Classical identity theft. With name, CPF, parentage and date of birth, one opens a bank account, contracts credit, registers a company in someone else's name. The MORGUE case, if confirmed, restocks the fraud market for years.
- Targeted phishing. Federal government mailing lists, PSB-RS lists, data from the company hit by IDOR — all of this becomes input for personalized phishing campaigns, with high conversion rate. Combined with techniques like Lazarus's Mach-O Man hitting crypto execs via fake Zoom, sophistication is exponential.
- Brazilian combo. The GoPix trojan, active since 2026, specialized in defrauding Pix and stealing local crypto wallets. With detailed personal data in the attacker's hands, social engineering is devastating — the scammer knows father's name, city, age, purchase pattern. The victim receives a call that seems legitimate, and falls for it.
For the crypto investor specifically, the scenario is particularly delicate. KYC on Brazilian exchange includes CPF, full name, document photo and selfie. If these databases leak — and the Brazilian ecosystem has already faced deepfake against biometric KYC — the attacker can recreate complete identity and try to access the victim's account on other platforms, or open fake accounts in their name.
It's not theory. The combo has already been documented by VECERT in previous cases like the PexRat dossier on 1.5 million Binance users and the Kraken case with 5.3 million records in private groups. The difference in 2026 is the domestic scale and the speed.
The ON3X perspective
Three readings to close.
One: Brazil's problem in 2026 is not lack of regulation. It's lack of execution. The regulatory framework entering into force on May 4 is advanced in international comparison. What is lacking is the State's technical and budgetary capacity to apply itself to itself the same standards it will demand from the private sector. Recommendation 05/2026 is symptom, not solution.
Two: state-scale incidents affect the crypto ecosystem more than it appears. Every Brazilian exchange operates under LGPD and has sensitive customer data. When the national threat environment rises — actors like Buddha, NormalLeVrai and CDF active simultaneously, leaked identity market flooding forums — exchanges, fintechs and SPSAVs are forced to invest in defense far above what regulation nominally requires. Anyone who doesn't will be the next headline. The regulatory cost of legally operating crypto in Brazil in 2026 includes this implicit defense margin that nobody put in the original business plan.
Three: citizens need to start from the premise that their data has already leaked. It's not alarmism — it's mental hygiene. Somewhere, in some dark web dump, your combination of name + CPF + email is already available for less than US$ 500. Operating your digital life with that premise changes behavior: unique passwords per service, MFA via hardware key on critical accounts, credit monitoring activated, doubled attention to contacts through channels that seem too legitimate. The privileged assumption that "this won't happen to me" cost dearly to millions of Brazilians in the Black April of 2026 — and will cost more to anyone who ignores the lesson.
What's worth monitoring in the coming weeks: whether the Federal Police open a specific operation on the April incidents, whether ANPD manifests with administrative penalty, and whether the federal government admits, even partially, any of the contested leaks. In any of the three scenarios, Recommendation 05/2026 ceases to be paper and becomes operating policy — with effects on every digital sector in Brazil, regulated or not.
