ABT - Issue 2025-02-05
News about Brazilian hackers USDoD and Vermelho, Facebook Marketplace used for selling credit cards, Bluetooth pins against phone theft, another rogue cell phone tower delivering Smishing.
This edition of Advanced Brazilian Threat covers the two weeks since the last issue (2025-01-22). Analysis cut-off date: February 4, 2025.
Facebook Marketplace as a platform for selling cloned cards
On January 24, 2025, Agência Lupa reported the use of Facebook Marketplace as a platform for selling cloned cards, among other illegal products. Lupa is a fact-checking agency that partners with Universo Online (UOL) and Revista Piauí, a monthly magazine.

Several advertisements for cloned cards, sold for as little as R$25 per unit, were spotted on Facebook's Marketplace. In one of the cases identified by the report, the seller offered cloned cards in different categories, from food vouchers to credit cards with higher limits, such as Platinum and Black. The advertisement also promised to supply the cardholder's personal details, such as full name and CPF (the Brazilian individual taxpayer number). Another advertisement offered the cloned cards with the promise of helping the buyer get out of the red, by using the credit available on these cards for purchases and for paying off debts.
Three days after the article was published, Meta began removing the posts associated with it. Lupa contacted Meta to ask the reason for the removals and to comment on the complaints, but did not hear back.
TIM Block Pin, yet another attempt to deter cell phone pickpockets
Operator TIM has launched the TIM Block Pin app [1,2], which comes with a pin - hence the name Block Pin - that connects via Bluetooth to the smartphone. If the phone moves away from the pin, the platform locks the phone's screen and applications. In addition, the pin sounds an alert when it is moved away from the phone.
The system is yet another attempt to curb cell phone theft, which both feeds the trade in stolen devices and gives thieves access to the data on them, opening the door to further attacks. These are not cybercrimes in the strict sense, but they sit between conventional street crime and cybercrime because they involve unlocking techniques, exploitation and social engineering.
The app was tested over the weekend of January 25, at the Festival de Verão concert in Salvador, Bahia. It is very common for cell phones to be stolen in large crowds in Brazil. TIM's intention was to test the system at a smaller-scale rehearsal for Carnaval.
The initiative joins the Federal Government's Celular Seguro BR program and the initiatives of the handset and operating system manufacturers themselves (Apple iOS, Google Android). In May 2024, Google announced Theft Protection for Android. For more information, follow the guidelines available in Android Help (Protect your personal data against theft).
Anatel and Sao Paulo Police dismantle another Smishing scheme
On January 23, the National Telecommunications Agency (Anatel) - the Brazilian FCC - and the São Paulo Civil Police served a search and seizure warrant on an apartment in the South Zone of São Paulo city, near the Eusébio Matoso bridge (Marginal Pinheiros), an important financial center of the city. The investigation was launched after a major mobile operator complained of harmful interference.
Two individuals, not named, were arrested in the operation. They were operating equipment for sending SMS (Short Message Service) messages with the aim of running scams and fraud against bank accounts and credit cards.

I don't live in São Paulo, but I think I would leave my cell phone at home, or at least turned off and well hidden, if I were walking across the Eusébio Matoso Bridge. In 2023, Marcus Tavolari, the landlord of a building in the same area, decided to install two signs warning pedestrians about cell phone thefts.
This is the third case in six months. In July 2024, one case became notorious: a Jeep Renegade with a similar, but mobile, installation was found driving around the upscale neighborhoods of São Paulo. This recent operation was an orchestrated intelligence effort, with spectrum monitoring, drones and drive tests using the Agency's state-of-the-art equipment. If you are one of those who likes to criticize Brazilian institutions, here is an example that proves you wrong; show it to your friends abroad.
The message is clear for foreigners, whether just visiting the country or selling threat protection: this is not a place for amateurs, so ask for help from security specialists with boots on the ground.
USDoD, who leaked billions of records, had his own data exposed
On February 1, 2025, Luan Barbosa Gonçalves (33), known on the BreachForums (BF) underground forum as USDoD, had his own data leaked on X (Twitter). The information comes from Felipe Payão, a Brazilian journalist who in August 2024 revealed to the public that USDoD is Brazilian, based on a CrowdStrike report he received. On October 16, 2024, the Federal Police (PF) launched Operation Data Breach, in which Gonçalves was arrested in Belo Horizonte, Minas Gerais.
USDoD was also known as Equation Corp and Netsec, depending on the community. In addition to leaking data from several notorious organizations in the United States, Gonçalves twice put Federal Police data up for sale, on May 22, 2020 and February 22, 2022. Gonçalves should not have provoked the PF, since interstate and international cybercrime is part of the mandate of this very capable police force.
The data was leaked by the X account @vxdb, which shared images obtained from a Minas Gerais Civil Police system and translated into English with an automatic translator. It is ironic that someone who had leaked so much data has had his own data leaked, especially the criminal record and the mug shot.
I recommend reading the first article by Payão, who enriched the data obtained from the report with his own analysis and Open-source Intelligence (OSINT). I also recommend reading the article by Brian Krebs, who also profiled this threat actor.
PGR asks for conviction of Hacker de Araraquara
Another notorious Brazilian hacker was back in the news this week. On January 31, 2025, the Attorney General's Office (PGR) asked for the conviction of Walter Delgatti Neto, who went by the nickname Vermelho but became known in the media as the Hacker de Araraquara. Delgatti is accused of attacking a system of the National Council of Justice (CNJ). The PGR also asked for the conviction of federal deputy Carla Zambelli (PL party, São Paulo), in the role of intellectual author of the attack.

Araraquara, in São Paulo state, is Delgatti's hometown. The name means "where the Sun lives" in Tupi, one of Brazil's indigenous languages. Many hard-to-pronounce Brazilian names have indigenous origins: try to pronounce Araraquara, Anhanguera or Ibirapuera.
Delgatti was in the spotlight in 2019 when he was the target of the Federal Police's Operation Spoofing. With the help of Thiago Eliezer, he breached the Telegram accounts of judge Sérgio Moro, prosecutor Deltan Dallagnol and other Operation Car Wash prosecutors and provided the data obtained to the Brazilian branch of the investigative outlet The Intercept. The series of reports was called Vaza Jato.
The Telegram accounts were breached with a simple yet effective TTP (Tactics, Techniques, and Procedures). Telegram's web client could request the login code by voice call instead of SMS: Telegram's systems would call the number associated with the account and a synthesized voice would dictate the code. A line that is already on a call cannot take a second one, so the attackers first called the victim's number to keep it busy, then requested the voice code, which was diverted to the operator's voicemail and recorded there. Finally, they used a voice over IP (VoIP) service to place calls that appeared to come from the victim's own number, because at the time the operator's voicemail could be accessed from the subscriber's number with no PIN whatsoever. With the code retrieved from the mailbox, they could log in. This TTP caused changes at the operators and even at Telegram, which introduced additional security controls.
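The chain above is easier to reason about as a small simulation. The following block is an added example written for this issue; it is a constructed toy model, not Telegram's code nor any operator's, and it assumes three things the text implies: the messenger falls back to a voice call that dictates the code, a busy line diverts that call to voicemail, and the mailbox is guarded only by caller ID (which VoIP lets an attacker spoof) unless a PIN is configured. The phone numbers, the `Line`, `Operator` and `Messenger` classes and the `voicemail_takeover` function are all hypothetical. It runs the same attack against a mailbox with no PIN and one that requires a PIN, which is the control the operators added afterwards.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Line:
    """A subscriber line as the operator's voicemail platform sees it (constructed model)."""
    number: str
    pin: Optional[str] = None          # None models the 2019 default: the mailbox trusts caller ID alone
    busy: bool = False
    mailbox: List[str] = field(default_factory=list)     # messages recorded while the line was busy
    heard_live: List[str] = field(default_factory=list)  # messages the handset owner actually answered


class Operator:
    """Toy mobile operator: routes voice calls and guards the voicemail platform (assumed behaviour)."""

    def __init__(self) -> None:
        self.lines: Dict[str, Line] = {}

    def add_line(self, line: Line) -> None:
        self.lines[line.number] = line

    def call(self, dst: str, dictated: str) -> str:
        """Deliver a spoken message; a busy line cannot take the call, so it diverts to voicemail."""
        line = self.lines[dst]
        if line.busy:
            line.mailbox.append(dictated)
            return "voicemail"
        line.heard_live.append(dictated)
        return "answered"

    def read_mailbox(self, dst: str, caller_id: str, pin: Optional[str] = None) -> Optional[List[str]]:
        """Mailbox access. With no PIN set, the only check is the caller ID, which an attacker can spoof."""
        line = self.lines[dst]
        if line.pin is None:
            return list(line.mailbox) if caller_id == dst else None
        return list(line.mailbox) if pin == line.pin else None


class Messenger:
    """Stand-in for a messenger web client's 'send the code by phone call' fallback (assumed behaviour)."""

    def __init__(self, operator: Operator) -> None:
        self.operator = operator
        self.pending: Dict[str, str] = {}

    def request_code_by_call(self, number: str) -> str:
        code = f"{secrets.randbelow(100000):05d}"
        self.pending[number] = code
        return self.operator.call(number, f"Your login code is {code}")

    def login(self, number: str, code: str) -> bool:
        return self.pending.get(number) == code


def extract_code(message: str) -> str:
    """Pull the digits out of the dictated message (last token)."""
    return message.rsplit(" ", 1)[1]


def voicemail_takeover(operator: Operator, messenger: Messenger, target: str) -> Optional[str]:
    """The TTP described in the text, step by step; returns the stolen code, or None if a step fails."""
    line = operator.lines[target]
    line.busy = True                                          # 1. attacker calls the victim, line stays busy
    where = messenger.request_code_by_call(target)            # 2. web client asks for the code by voice
    line.busy = False                                         #    attacker hangs up
    if where != "voicemail":
        return None
    stolen = operator.read_mailbox(target, caller_id=target)  # 3. VoIP call spoofing the victim's own number
    if not stolen:
        return None
    return extract_code(stolen[-1])


def demo() -> Dict[str, bool]:
    """Run the attack against a no-PIN mailbox and a PIN-protected one; True means the login succeeded."""
    operator = Operator()
    # Constructed sample numbers, not real subscribers.
    victims = {"no_pin": Line("+5516900000001"), "pin_required": Line("+5516900000002", pin="4821")}
    for line in victims.values():
        operator.add_line(line)
    messenger = Messenger(operator)
    outcome: Dict[str, bool] = {}
    for label, line in victims.items():
        code = voicemail_takeover(operator, messenger, line.number)
        outcome[label] = code is not None and messenger.login(line.number, code)
    return outcome


if __name__ == "__main__":
    print(demo())  # {'no_pin': True, 'pin_required': False}
```

Note that in the PIN-protected case the code still lands in the mailbox; what breaks the chain is the third step, because caller ID alone no longer authenticates the attacker to the voicemail platform. The same model also shows why delivering a one-time code over a channel an attacker can steer (a busy line, a mailbox) is the weaker link, independent of how the code itself is generated.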
One might have expected a left-wing orientation from a hacker who, Edward Snowden style, handed leaked data to the same journalist (Glenn Greenwald), went by the nickname Vermelho (red), and set off a process that gradually dismantled Operation Car Wash (then a point of pride for right-wing parties) and its members, cast suspicion on former judge Sérgio Moro, and led to the annulment of former president Lula's convictions in 2021, which made his candidacy in 2022 possible. That was not the case. Delgatti's motivation seems always to have been notoriety, which was evident once again in his request to be transferred to the "Prison of the Famous" following the PGR's request for his conviction.
Delgatti was approached on other occasions by representatives of right-wing political parties. Between the end of 2022 and the beginning of 2023, according to the PGR, he was approached by Mrs. Zambelli to help create a climate of distrust in the Brazilian judiciary and voting system. The intrusion into the CNJ system was part of this context.
Did you have any idea that hacking was one of the reasons for President Lula's return for a third term? This is why I started writing: there is so much to know about Brazilian-style cybercrime and threats.
Found a mistake, or would just like to report something for the next edition? Reach out to me over Substack or @ronaldotcom on Bluesky.