248 million citizens for $1,300—or roughly 6,750 reais
No coração do Estado brasileiro, onde os registros de uma nação inteira são guardados como memória coletiva, um grupo criminoso chamado Buddha afirma ter extraído e posto à venda os dados pessoais de 248 milhões de brasileiros — vivos, mortos e estrangeiros — diretamente da base da Receita Federal. A análise técnica preliminar sustenta a autenticidade da alegação, e o preço pedido, pouco mais de mil dólares, revela o quanto a intimidade de um povo pode ser reduzida a mercadoria. O que está em jogo não é apenas a privacidade individual, mas a confiança nas instituições que prometem guardar o que há de mais sensível na vida de cada cidadão.
- Um grupo criminoso oferece à venda 1,08 bilhão de registros individuais de brasileiros por apenas US$ 1.300 — um preço que torna a exposição de uma nação inteira acessível a qualquer criminoso com cartão de crédito.
- A análise técnica de amostras confirmou dígitos verificadores válidos, tabelas de referência idênticas aos padrões oficiais e volume de dados coerente com os registros reais da Receita Federal, tornando difícil descartar a autenticidade da violação.
- O grupo Buddha afirma que a extração ocorreu em 2026 por meio de um sistema desatualizado da Receita Federal — e que a vulnerabilidade ainda permanece aberta, sugerindo que o pior pode ainda estar por vir.
- Com um único número de CPF, qualquer comprador do banco de dados poderia montar o perfil completo de uma vítima: endereço, telefone, e-mail, nome da mãe e vínculos familiares — transformando o vazamento em uma ferramenta de fraude e extorsão sem precedentes.
- A Receita Federal confirmou que investiga o caso, mas ainda não autenticou oficialmente a violação, deixando o país suspenso entre a incerteza institucional e a evidência técnica esmagadora.
Na quarta-feira, o grupo criminoso Buddha anunciou em um fórum ilegal a venda de registros pessoais de 248 milhões de brasileiros, alegando tê-los extraído diretamente da Receita Federal. Em conversa exclusiva com o TecMundo, os criminosos afirmaram que os dados eram atuais até 2019 e não provinham de vazamentos anteriores. A Receita Federal confirmou que abriu investigação.
O material oferecido era impressionante em escopo: além de CPFs e CNPJs, incluía endereços, vínculos familiares, e-mails, telefones e informações tipicamente restritas a sistemas internos, como nomes de mães e logs de consulta. Descomprimido, o conjunto ocuparia cerca de 78,7 gigabytes distribuídos em 24 arquivos SQLite — um formato que permite buscas e cruzamentos livres por qualquer comprador.
A análise técnica de amostras reforçou a credibilidade da alegação. Todos os CPFs e CNPJs testados apresentaram dígitos verificadores válidos. As tabelas de referência — 27 estados, 89 classificações empresariais, 241 países — correspondiam exatamente aos padrões oficiais. O volume total era coerente com os registros conhecidos do cadastro brasileiro, abrangendo 5.501 municípios e números de telefone com DDDs todos válidos.
Os criminosos disseram ter explorado um sistema desatualizado da Receita em 2026, sem revelar o método, e alertaram que a vulnerabilidade permanecia aberta. Distinguiram este vazamento de um incidente anterior chamado MORGUE — uma recompilação de dados de 2025 — afirmando que este novo conjunto vinha de fonte oficial e era, portanto, inédito em organização e completude.
O risco era imediato: com um único CPF, qualquer pessoa com acesso ao banco de dados poderia reconstituir o perfil completo de uma vítima. O conjunto estava à venda por US$ 1.300. Ao fechar esta edição, a Receita Federal ainda não havia confirmado oficialmente a violação — mas o peso das evidências técnicas apontava para o maior vazamento de dados pessoais da história brasileira.
On Wednesday, a criminal group calling itself Buddha announced it had stolen and was selling the personal records of 248 million Brazilians. The offer appeared in an illegal online forum, claiming to include 1.08 billion individual data entries extracted directly from Brazil's Federal Revenue Service. The criminals told TecMundo, in an exclusive conversation, that the information was current through 2019 and had not been recycled from previous breaches. The tax authority confirmed it was investigating.
The dataset being offered for sale was staggering in scope and detail. According to the criminals, it contained not just identification numbers but also company information, addresses, family relationships, and contact details. When decompressed, the material would occupy roughly 78.7 gigabytes, split across 24 SQLite database files—a format that would allow any buyer to organize and search the records however they wished. To prove their claims, the group provided a sample of about 100 rows from each of the 24 databases.
If authentic, the breach would touch every living Brazilian citizen, plus deceased persons and foreigners holding Brazilian tax identification numbers. TecMundo shared all collected material directly with the Federal Revenue Service.
A preliminary technical analysis suggested the breach was real. In a sample of 50 records, every CPF and CNPJ number contained valid check digits that passed official validation tests. The reference tables in the dataset matched Federal Revenue Service standards exactly: 27 states, 12 registration statuses, 32 qualifications, 89 business classifications, four company size categories, and 241 countries. The overall scale was coherent with known Brazilian registry numbers—248.8 million CPFs, 41.6 million CNPJs, and records from 5,501 municipalities. Every phone number area code was valid according to Brazil's telecommunications regulator. The data also contained information supposedly restricted to internal systems: mothers' names, internal query logs, email addresses, and phone numbers.
The criminals claimed the extraction happened in 2026 through exploitation of an outdated Federal Revenue Service system. They did not explain their attack method but said the vulnerability remained open and that this system was not even their most critical compromise. They distinguished this breach from an earlier incident called MORGUE, which they described as a repackaged collection of 251 million people's data from 2025 that took 13 months to announce. This new dataset, they argued, came from an official source and therefore offered unprecedented organization and completeness. While personal data from millions of Brazilians had leaked in other incidents over the years, never before had it been consolidated into a single, searchable collection.
The danger was immediate and concrete. Any criminal with a database reader could now cross-reference a complete victim profile using only a CPF number. A single search would reveal address, email, phone number, family relationships, and much more. To demonstrate the scope, the Buddha member shared an image of the complete TB_PESSOA_FISICA database file showing 248.9 million rows.
At the time of publication, the entire dataset was listed for sale at $1,300—roughly 6,750 Brazilian reais. The Federal Revenue Service had not yet confirmed the breach's authenticity, so the case remained technically unverified. But the technical evidence was substantial, and the implications were staggering. What happens next depends on whether the government can confirm what appears to be the largest personal data exposure in Brazilian history.
Notable Quotes
The extraction occurred in 2026 through exploitation of an outdated Federal Revenue Service system, and the access to the vulnerability remains active.— Buddha criminal group member, in exclusive statement to TecMundo
The material is not part of a recycled data package, unlike the MORGUE case, and comes directly from an official source.— Buddha criminal group member
The Hearth Conversation Another angle on the story
Why would a criminal group bother talking to a journalist about this? Wouldn't they want to stay invisible?
They're advertising. The whole point is to sell the data. By talking to TecMundo, they're building credibility with potential buyers. They're showing they have the goods and they're willing to prove it.
The sample they provided—how much does that actually prove?
Quite a bit, technically. Every CPF and CNPJ number has a built-in checksum. You can't just make those up. And the reference tables matching official standards? That's not something a criminal could easily fake. It suggests they really did pull this from the actual system.
They said the vulnerability is still open. Doesn't that mean they could steal more?
Yes. They said this system isn't even their most critical compromise. That's the terrifying part—this might be just one of several breaches they've already accomplished.
For $1,300, anyone could buy this. What happens then?
That's when the real damage spreads. Right now it's contained to whoever buys it. But once it's in the wild, it becomes a tool for identity theft, fraud, extortion, blackmail. A criminal can look up anyone's complete profile with just their CPF.
Why did they mention the MORGUE case?
To distance themselves. They're saying MORGUE was recycled data, old stuff repackaged. They want buyers to know this is fresh, direct from the source, more valuable. It's a sales pitch.