On April 17, 2026, the Center for Prevention, Treatment and Response to Government Cyber Incidents (CTIR Gov) quietly updated its Recommendation 05/2026. The text, technical and measured, communicated to three hundred federal agencies what part of the Brazilian intelligence underground had already known for months: the source code of the Guardian System, the platform used by more than 150 government and public security institutions for legal interception of voice and data, had been published on Distributed Denial of Secrets (DDoSecrets). Along with it came internal databases, additional code repositories and operational files from Dígitro Tecnologia, the Santa Catarina-based company that has operated for nearly five decades what could be described as the nervous system of authorized surveillance by the Brazilian State.
The leak is not new. The initial disclosure on DDoSecrets dates back to September 2025. What changed in April 2026 was institutional acknowledgment. CTIR Gov, after months of treating the case as an internal matter, cited three CVE identifiers (CVE-2025-4526, CVE-2025-4527 and CVE-2025-4528) and instructed federal agencies to audit exposed credentials, isolate configuration interfaces from the public internet, and treat as compromised any API key present in any now-public repository. In other words: the Brazilian State admitted, seven months late, that its primary interception contractor had been thoroughly compromised.
What is Dígitro — and why it is the single point of failure
Founded in Florianópolis in 1977, Dígitro Tecnologia established itself over the decades as the central supplier of telecommunications and public security intelligence architecture in Brazil. The company's flagship product, launched in the 2000s, is the Guardian Platform — a telephone and data interception system that operates under judicial authorization and which, according to the company's own institutional materials, is deployed in more than 150 government agencies. Federal, civil and military police, public prosecutors' offices, intelligence agencies and courts use Guardian — in different modules and configurations — to conduct what Brazilian law calls telematic interception, and what daily operations call, more simply, "conducting surveillance."
The point that needs to be stated clearly, because it structures all subsequent discussion: Brazil outsourced the technical backbone of its interception activity to a single private company. There is no technological redundancy. There is no vendor diversity. There is no architectural "Plan B" if Guardian, for any reason, ceases to be trustworthy. And what Recommendation 05/2026 from CTIR Gov acknowledges, in bureaucratic language, is that this trustworthiness has been lost — not through misuse, but through the vendor's own failure to protect its intellectual property.
Anatomy of the leak
The set of files published on DDoSecrets includes, according to CTIR Gov's consolidated account and cross-referenced reports from specialized portals, three categories of data:
- Guardian source code and related products — including modules for capture, transcription and indexing of intercepted communications. Exposure of the code allows any actor — state or criminal — to develop specific exploits against installations running binaries derived from this code, or to identify obfuscation mechanisms and backend communication that could be exploited to detect when surveillance is taking place.
- Company internal databases — encompassing client configurations, technical support records and, according to the disclosure, administrative data on Dígitro's operations with its public contractors. There is, in the public narrative so far, no indication that the content of specific interceptions was exposed; what leaked is the apparatus, not the recordings.
- Additional code repositories and internal files — which typically means technical documentation, deployment scripts, embedded credentials, API keys and everything else that tends to live, against all best practices, within a corporate repository.
CTIR Gov was explicit in recommending that any credential, secret or API key that has ever been in Dígitro's repositories must be considered compromised and rotated immediately. In practice, this means that hundreds of public agencies spent part of April reviewing integrations, changing passwords and auditing systems that, in theory, had no direct relationship with Guardian but that shared credentials with the company's environments.
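The audit CTIR Gov asks for starts with finding every credential that ever touched the exposed repositories. The scanner below is an added example written for this article, not code from Dígitro, CTIR Gov or DDoSecrets: the file contents in `SAMPLE_REPO` are constructed, the signature set is deliberately small (a real audit would run a full ruleset such as gitleaks or trufflehog over the whole git history, not only the working tree), and the entropy threshold is an assumed value. It shows the two checks that matter in practice: matching known secret formats, and filtering assignment-style matches so that placeholders like `changeme` do not drown the real hits. Findings are stored redacted so the audit log does not become a second leak.

```python
"""Scan a repository dump for embedded credentials that must be rotated.

Added example for illustration; SAMPLE_REPO is constructed, not leaked material.
"""
import math
import re
from dataclasses import dataclass

# Illustrative signature set (an assumption, not a complete catalogue).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Assignment-style secrets: the value is captured in group 1 and checked for entropy.
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|senha)\s*[:=]\s*['\"]?([^'\"\s]{6,})"),
    "api_key_or_token": re.compile(
        r"(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}
PLACEHOLDERS = {"changeme", "password", "secret", "xxxxxx", "example"}
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off below which values are placeholders


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never store the full secret in the audit record


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character; random secrets score high, words score low."""
    if not value:
        return 0.0
    length = len(value)
    return -sum((value.count(c) / length) * math.log2(value.count(c) / length)
                for c in set(value))


def redact(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if match.groups():
                # Assignment-style match: drop templated values and obvious placeholders.
                if value.lower() in PLACEHOLDERS or "${" in value or value.startswith("<"):
                    continue
                if shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps a path to its content, e.g. from walking an extracted repository dump."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def rotation_summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per secret type: the rotation work queue."""
    summary: dict[str, int] = {}
    for finding in findings:
        summary[finding.kind] = summary.get(finding.kind, 0) + 1
    return summary


# Constructed sample repository: a placeholder, a real-looking password, an API key,
# a commented-out AWS key (the documented AWS example key) and a committed private key.
SAMPLE_REPO = {
    "deploy/config.ini": "[backend]\nhost = capture01.internal\npassword = changeme\n",
    "deploy/prod.env": "DB_USER=guardian\nDB_PASSWORD=Q7v!pL2#xZ9mR4sT\n"
                       "API_KEY=sk_live_9f8e7d6c5b4a3f2e1d0c\n",
    "scripts/sync.sh": "#!/bin/sh\naws s3 sync . s3://bucket --region us-east-1\n"
                       "# AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Use ${DB_PASSWORD} from the vault.\n",
    "keys/old.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
    print(rotation_summary(scan_repo(SAMPLE_REPO)))
```

Two points the code makes that the recommendation leaves implicit: a commented-out key (the `sync.sh` line) is still a live credential until it is rotated, and a scan of the checked-out tree is the floor, not the ceiling, because anything ever committed remains in history.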
The three CVEs and what they reveal about internal engineering
The identifiers published by CTIR Gov tell, together, an uncomfortable story about the company's security maturity:
- CVE-2025-4526 — plaintext password exposure in the Dígitro NGC Explorer configuration pages due to lack of masking. In 2025, any serious web application masks password fields in administrative interfaces. That this was not standard in a product destined for government clients is, in itself, an indicator of how little security pressure the company had been facing from its contractors.
- CVE-2025-4527 — client-side vulnerability that allows remote extraction of sensitive information. No public details of the exact vector have been released, but the category suggests that privileged data can be obtained without prior authentication, or with only minimally functioning authentication.
- CVE-2025-4528 — insufficient session expiration, allowing an attacker with elevated privileges to maintain access for prolonged periods without reauthentication. On an interception platform, this is especially sensitive: it means that a compromised administrative session can remain alive, undetected, for days.
The three CVEs, read together, describe a product that aged poorly. Dígitro built Guardian in an era before systematic concern with security in web applications, and — based on what the vulnerabilities suggest — did not conduct an architectural renewal commensurate with the role the product came to have in the state apparatus. The practical consequence is that the leak of the source code transforms these three CVEs into a risk multiplier: now that any researcher or hostile actor can read the code, it is reasonable to expect that other vulnerabilities — unpublished, uncorrected — will come to light in the coming months.
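To make the third CVE concrete: insufficient session expiration is a policy defect, not a parsing bug, so the fix is a lifetime policy enforced server-side. The code below is an added example, not Dígitro's session handling and not derived from the leaked code; the timeout values, the `SessionStore` API and the injected clock are assumptions. It puts the weak configuration (no idle limit, no absolute limit, so an administrative session stays alive for a week) beside a hardened one that enforces a short idle limit for privileged sessions, an absolute lifetime that activity cannot extend, and bulk revocation of a user's sessions, which is what "consider compromised" looks like at the session layer.

```python
"""Session lifetime policy: the weak behaviour beside a hardened one.

Added example, not Dígitro code. Timeouts and the store API are assumptions.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    privileged: bool
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session table. A timeout of None means 'never expire' (the weak setting)."""

    def __init__(self, idle_timeout, absolute_lifetime, privileged_idle_timeout, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.privileged_idle_timeout = privileged_idle_timeout
        self.clock = clock
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a dump of the table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, privileged: bool = False) -> str:
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = Session(user, privileged, now, now)
        return token

    def validate(self, token: str):
        """Return the user for a live session, or None; expired sessions are deleted here."""
        session = self._sessions.get(self._key(token))
        if session is None:
            return None
        now = self.clock()
        idle_limit = self.privileged_idle_timeout if session.privileged else self.idle_timeout
        idle_expired = idle_limit is not None and now - session.last_seen > idle_limit
        absolute_expired = (self.absolute_lifetime is not None
                            and now - session.created_at > self.absolute_lifetime)
        if idle_expired or absolute_expired:
            del self._sessions[self._key(token)]  # invalidate server-side, not just the cookie
            return None
        session.last_seen = now
        return session.user

    def revoke_all(self, user: str) -> int:
        """Incident response: kill every session of a user, e.g. after credential rotation."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


class FakeClock:
    """Injectable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    results = {}
    # Weak policy: nothing expires, so an admin session survives a week of silence.
    weak_clock = FakeClock()
    weak = SessionStore(None, None, None, clock=weak_clock)
    weak_token = weak.create("admin", privileged=True)
    weak_clock.advance(7 * 86400)
    results["weak_valid_after_week"] = weak.validate(weak_token) == "admin"

    # Hardened policy (assumed values): 30 min idle, 10 min idle for admins, 8 h absolute.
    clock = FakeClock()
    hard = SessionStore(30 * 60, 8 * 3600, 10 * 60, clock=clock)
    admin_token = hard.create("admin", privileged=True)
    clock.advance(9 * 60)
    results["hardened_valid_within_idle"] = hard.validate(admin_token) == "admin"
    clock.advance(11 * 60)  # 11 minutes idle exceeds the privileged limit
    results["hardened_revoked_after_idle"] = hard.validate(admin_token) is None

    # Activity refreshes the idle clock but never pushes past the absolute lifetime.
    clock = FakeClock()
    hard = SessionStore(30 * 60, 8 * 3600, 10 * 60, clock=clock)
    analyst_token = hard.create("analyst")
    alive = []
    for _ in range(96):  # validate every 5 minutes for exactly 8 hours
        clock.advance(300)
        alive.append(hard.validate(analyst_token) == "analyst")
    results["hardened_kept_alive_by_activity"] = all(alive)
    clock.advance(300)
    results["hardened_expired_at_absolute_limit"] = hard.validate(analyst_token) is None

    # Bulk revocation after a compromise: both sessions of the user die at once.
    t1, t2 = hard.create("analyst"), hard.create("analyst")
    results["revoked_count"] = hard.revoke_all("analyst")
    results["revoked_sessions_dead"] = hard.validate(t1) is None and hard.validate(t2) is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that expiry is decided and enforced on the server: a cookie `Max-Age` alone does nothing against an attacker who already holds the token, which is exactly the scenario the CVE describes.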
What this means for ongoing investigations
The question that matters, from the perspective of daily Brazilian public security operations, is just one: are ongoing investigations compromised?
The honest answer is: there's no way to know publicly, and perhaps no way to know privately. The leak exposes the apparatus — how Guardian works, how it communicates with capture and backend modules, how it indexes and stores data. It does not expose, as far as is known, the specific contents of ongoing interceptions, nor the list of targets. But with the apparatus in hand, a sufficiently sophisticated hostile actor can:
- Develop detectors that identify, on the target's side, when a communication is being captured by a Guardian installation — effectively inverting the visibility relationship between interceptor and intercepted.
- Map the network architecture and integration points with telecommunications operators, identifying where traffic is diverted for analysis.
- Develop specific exploits that, combined with lateral access to the networks of contracting agencies, would allow exfiltration of archived interception contents — which would be a qualitative escalation over what has already leaked.
None of this is guaranteed, and none of this has occurred publicly. But the possibility exists, and the risk calculation that each Brazilian public agency now needs to make is structural: is it worth continuing to use Guardian while the codebase is public? The operational answer, absent alternatives, will be "yes" — because replacing an interception system deployed across 150 agencies is not a matter of months, it is a matter of years. But the admission that one is operating with a product whose security has been, at minimum, compromised should be at the center of any honest discussion of the case.
Official silence
As of the close of this analysis, on April 29, 2026, there is no official statement from any federal public security authority about the leak. The Federal Police, state and federal Public Prosecutors' offices, intelligence agencies and the Ministry of Justice and Public Security itself maintain, in relation to the Dígitro case, what can be described as a strategy of denial by omission. Dígitro itself, although it has published institutional materials reaffirming its commitment to "national sovereignty in data traffic" (a phrase used in press text published on the company's website in 2026), has not to date issued a specific statement acknowledging the scope of the leak and detailing the measures taken.
The CTIR Gov, within the federal government, did what was technically appropriate: documented the CVEs, issued concrete recommendations, instructed credential rotation. But CTIR Gov does not have the mandate to publicly discuss operational impact on investigations, nor to impose architectural replacement of Guardian. That is a debate that would need to be conducted by political bodies — Congress, the Ministry of Justice, the National Council of Justice (which regulates interception use in the judiciary) — and that, so far, none of them have initiated.
For a country that likes to speak of "digital sovereignty" in official discourse, the Dígitro case is the consistency test. Digital sovereignty is not having a national company provide the system; it is having a national system whose security does not depend on a single vendor whose source code is now on a public website.
The parallel with recent coverage
The Dígitro case does not arrive in isolation. Throughout April 2026, ON3X has mapped a sequence of incidents that, read together, describe a Brazil — and a global crypto/cyber ecosystem — under simultaneous pressure on multiple fronts. The VECERT investigation published on April 27, which mapped 32 threat actors and 29.8 TB of exposed Brazilian data in 90 days, already indicated that the national public sector operates in a state of continuous compromise. The Vercel incident on April 25, which forced hundreds of Web3 projects to rotate API keys, showed the same supply chain attack pattern — just applied to the hosting layer of the crypto world. And the Lazarus campaign against crypto executives via macOS, documented on April 23, shows that sophisticated state actors are calibrating their social engineering for specific corporate targets.
The common thread between Dígitro, Vercel, VECERT and Lazarus is the same: concentration of trust in single integration points. When a single vendor, whether of interception, hosting or corporate communication, dominates a vertical and its security is breached, the entire ecosystem built upon it inherits the failure. It is the architectural problem that ON3X has already pointed out in the cross-chain context of the DeFi cluster of April 28: single points of trust outside audit reach. In the case of Dígitro, the single point is the interception apparatus of the Brazilian State.
The ON3X perspective
Three takeaways to close:
1. Brazilian digital sovereignty is, today, an arrangement of single vendors. The State outsources interception to Dígitro, government hosting to a small set of providers, digital identity to Gov.br (which also concentrates attack surfaces, as the Morgue leak of 251 million CPFs evidences). The rhetoric of sovereignty presumes architectural diversity; operational practice is the opposite. Until there is a deliberate policy of redundancy — multiple vendors, auditable open code, internal development capacity — any compromise of a single link brings down the entire dependent apparatus.
2. CTIR Gov's late acknowledgment is the symptom, not the problem. Seven months between disclosure on DDoSecrets and Recommendation 05/2026 were not time for technical investigation — they were time for institutional hesitation about how to make the case public without amplifying it. The consequence is that hundreds of public agencies operated, for months, with credentials and configurations that were already compromised. The lesson is structural: Brazil needs a mandatory rapid incident disclosure regime affecting state vendors — something analogous to what the SEC introduced for listed companies in 2023, but aimed at the public sector supply chain.
3. The Dígitro case is the strongest argument that exists in favor of public code audit in sensitive state systems. The paradox is that, precisely because Guardian operates under secrecy, its security was impossible to validate from outside — and when the code leaked, everyone discovered, at the same time, that Dígitro had not conducted the internal audits one would expect from a product of this scale. Critical state systems should be subject, at minimum, to code audits by independent third parties, with publication of executive summaries. Operational secrecy over who is being investigated is legitimate; architectural secrecy over how the system works is merely security through obscurity — a strategy that, as Dígitro has just demonstrated, fails catastrophically when obscurity evaporates.
Brazil exited April with an uncomfortable balance sheet: the state's cyber apparatus is exposed, the financial sector was hit in sequence (BTG Pactual via DriveWealth, Banco Rendimento, related leaks), and the national digital identity database had 251 million records put up for sale. Each of these incidents has its own dynamics. But they share a diagnosis: the country built, over two decades, critical digital infrastructure without investing in the redundancy and audit architecture that such criticality demands. The bill is arriving — not in a single dramatic event, but in monthly installments.
