ABT - Issue 2025-01-08
ABT. Threats that are not necessarily Advanced or nation-state, that are Persistent and very Brazilian.
January 8, 2025.
Hello subscribers and welcome. Happy 2025!
This is the first edition of Advanced Brazilian Threat. Yes, ABT is a dad joke on APT. Thank you for subscribing to my newsletter.
This week was very slow in news articles and papers, as in any first week of the year. When I thought I would have nothing to write about, Fantastico, a still very popular and influential weekly TV show that airs on Sunday evening, ran a story on a Brazilian cyber crime shop that was taken down by local law enforcement.
I was lucky to find exactly what I wanted to write about in this first edition: Brazilian threats that rarely cross the borders of Brazilian Portuguese, but are essential for a proper understanding of local cyber threats in the global context.
Joint police operation arrests the administrator of Brasil Store marketplace
On December 11, 2024, in a joint operation, São Paulo and Rio de Janeiro police (Polícia Civil) arrested [1, 2, 3 video only 11:20 minutes] Paulo César Gomes da Silva Dutra, 33, the administrator of Brasil Store, a cyber crime marketplace. Dutra was detained in Rio das Ostras, RJ, and then transferred to São José do Rio Preto, SP. According to Diário da Região, this arrest was part of Operation Lotter.
On January 8, 2025, the Federal Police (PF) launched Operation Falsarius, which overlaps with the operation mentioned above. It was found that Mr. Dutra was the leader, but not the only individual involved in the training of cyber criminals and the sale of personal data and cards.
Dutra, also known as Banucha Gomes or Professor do Golpe Digital (cyber crime professor), made more than R$ 1,5 million (BRL) a month from paying users of his platform, Brasil Store. The store was based on a website, with supporting Telegram and WhatsApp channels, contacts and groups.
Before proceeding to the details revealed by Globo TV, it is good to explain some local cyber crime terminology to foreigners.
Cadastro de Pessoas Físicas (CPF) is the unique tax ID of every Brazilian citizen. The last two digits, sometimes separated by a hyphen, are generated by an algorithm and used for instant verification of a valid CPF. Another important ID is Registro Geral (RG), the second and primary ID of a citizen after the birth certificate. Currently, both IDs are being merged into a new ID: Carteira de Identidade Nacional (CIN). In this merging process, which should take until 2032, new IDs will be gradually issued. The CIN number is the same as the CPF.
Lara, from the Brazilian Portuguese laranja (orange), is slang for a checking account in another person's name, used for receiving and sending transfers and making payments.
Trampo is Brazilian slang for job. In this context, it can be interpreted as campaign.
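The check-digit rule mentioned in the CPF definition above, as an added example that is not part of the original newsletter: a Python version of the public modulo-11 scheme, useful for separating plausible CPFs from look-alike numbers when triaging leaked or suspicious data. The function names and the sample lines are constructed for illustration, and a correct checksum says nothing about whether a number was ever issued.

```python
import re

# CPF-shaped token: 11 digits, optionally written as 000.000.000-00
CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")

def cpf_check_digits(base9: str) -> str:
    """Return the two check digits for the first nine CPF digits."""
    digits = [int(c) for c in base9]
    for _ in range(2):
        # Weights run 10..2 for the first digit, 11..2 for the second.
        weights = range(len(digits) + 1, 1, -1)
        rem = sum(d * w for d, w in zip(digits, weights)) % 11
        digits.append(0 if rem < 2 else 11 - rem)
    return f"{digits[9]}{digits[10]}"

def is_valid_cpf(value: str) -> bool:
    """True if value is CPF-shaped and its check digits are correct."""
    if not CPF_RE.fullmatch(value.strip()):
        return False
    d = re.sub(r"\D", "", value)
    # Repeated-digit numbers satisfy the checksum but are
    # conventionally rejected by validators.
    if d == d[0] * 11:
        return False
    return d[9:] == cpf_check_digits(d[:9])

def triage(text: str) -> dict:
    """Split CPF-shaped tokens in text into checksum-valid and invalid."""
    result = {"valid": [], "invalid": []}
    for token in CPF_RE.findall(text):
        result["valid" if is_valid_cpf(token) else "invalid"].append(token)
    return result

# Constructed sample lines (test numbers, not real records)
SAMPLE = """\
nome=Fulano de Tal cpf=123.456.789-09
nome=Ciclano cpf=123.456.789-10
nome=Beltrano cpf=11111111111
nome=Teste cpf=00000000191
tel=11987654321
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running the triage over a dump before enrichment keeps phone numbers and mistyped values out of any downstream CPF lookups.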
The website offered more than 10.000 cloned banking cards and had more than 50.000 registered users. Banucha offered some packages:
Lara + Debit Card for R$1.600,00 (BRL)
Kitbico - “Bico” Kit including a ready-to-use checking account, credentials for local online retail and a cloned card. You can call it a Persona package. It is comprised of third party personal information (mainly RG national ID and CPF tax ID), photo, and other personal information. This was the flagship service offered on Brasil Store.
Lara accounts are used for receiving money transfers in various types of cyber crime. The personal information used for opening those Lara checking accounts and asking for cards is not necessarily obtained illegally. There is a market for rented checking accounts: individuals who rent out accounts for illegal operations in exchange for a fee. Many of those individuals are trying to make an extra income by renting accounts, while others are real victims of identity theft.
According to the Brazilian Federation of Banks (Febraban) and Quod, 10 million legitimate CPFs are suspected to be involved in various types of crime, including but not limited to Lara. Quod observed certain patterns in the CPFs used for opening these Lara accounts:
São Paulo (SP), Rio de Janeiro (RJ) and Fortaleza (CE) - all state capitals - are the main cities.
Other smaller towns are also involved: Imperatriz (MA), Mogi das Cruzes (SP) and São Gonçalo (RJ).
Most individuals are between 18 and 25 years old.
Indicators
For those of you who want indicators to dig into on your own platforms, here are the basics:
Primary domain brasilcc[.]site, first seen on September 5, 2023 and currently taken down.
Secondary domain of the Brasil Store ecosystem, brasilbuscas[.]info. On this website, a different type of content was offered: credit bureau queries, PII. Domain first seen on January 1, 2024 and currently taken down.
Telegram https://t[.]me/banuchaofc, https://t[.]me/ClubeVelhaGuarda
Instagram @banuchagomesofc, @painelbrasilbuscas
WhatsApp https://chat.whatsapp[.]com/EjAhgEl6hiT5eaGAYWs54s
Facebook https://www.facebook[.]com/groups/342163228345759
Brazil in the global context of cyber crime - exporting criminals and crime fighters
Before I close today’s edition, a bit of a stretch back to December 26. Ivo Peixinho, a Brazilian Federal Police (PF) expert assigned to the INTERPOL Cybercrime Unit in Singapore since 2022, was featured in an interview in the Valor Econômico newspaper that day. Valor is one of the most important financial newspapers in Brazil.
In that interview, Peixinho talked about the role of Brazilian cyber crime in global cyber crime, among other topics. Contrary to what many researchers still think, Brazil is no longer synonymous with low-complexity malware.
“One important thing we see, including in Brazil, is international expansion. Bank fraud in Brazil, which is very common, was very localized. Criminals in Brazil would attack Brazil itself. But starting in 2019, we started seeing criminals in Brazil committing bank fraud in other countries. In January, for example, there was an operation, Grandoreiro, involving Brazil and Spain. Brazil had the criminals and Spain had the victims. They were attacking banks in Spain. In this case, the criminals needed fronts in Spain. But today, with these digital checking accounts, the trend will be for criminals to start attacking in other countries without needing anyone there.”
This is it for today. In following editions, I expect to bring you at least three articles taken from news articles and papers from the previous two weeks, always involving Brazilian cyber crime.
Did you find mistakes, or would you just like to report something for the next edition? Reach out to me over Substack or @ronaldotcom on Bluesky.