Dígitro calls it "apparently limited scope." CTIR Gov calls it an attack that "hits the company's technological core." One of them is wrong — and the data favors CTIR Gov. On April 8, 2026, 3.39 TB leaked on DDoSecrets: databases, source code, and internal files from the company that builds Guardião, the lawful interception platform for voice, data, and WhatsApp used across all 27 Brazilian states. We analyzed the case and the signal is clear: the blueprint of state surveillance is on the internet, and the company that built it treats the fact as a detail.
The scale: 3.39 TB and the surveillance blueprint
The numbers are what terrify. According to CTIR Gov, 3.39 TB of data leaked on April 8, 2026 via DDoSecrets — databases, source code, and internal files from Dígitro. The company develops Guardião, a lawful interception platform for voice, data, and WhatsApp, present in all 27 states and 150+ government institutions, according to CTIR Gov. Dígitro claims that "9 in 10 security agencies" use the platform — self-reported, with no independent verification.
Dígitro is a Strategic Defense Enterprise, certified by the Ministry of Defense. The breach does not hit an ordinary company — it hits a link in the national security supply chain. When the source code of a lawful interception platform goes public, it is no longer a corporate failure. It is a sovereignty failure. The attacker does not need to exploit a zero-day; they just need to read the code.
What exposed source code enables — and why it matters
According to CTIR Gov, the exposure of Guardião's source code enables white-box analysis of the interception architecture, backdoor identification, development of countermeasures to evade lawful interception, and creation of targeted exploits against the 150+ institutions using the platform. Any actor with an interest in bypassing interception now has 3.39 TB to study — not for hours, but indefinitely.
There is a subtler and perhaps more severe legal consequence. Defense lawyers can challenge the integrity of any evidence produced by Guardião. If the source code is public, there is no way to prove that the version that generated the evidence was the same one in production — or that it contained no backdoors. Every case that depends on lawful interception becomes subject to challenge. The breach does not merely compromise technology; it compromises the chain of evidence that underpins criminal cases across the country.
CVE-2025-4528: when two scores diverge
The disclosed CVEs affect NGC Explorer — the administrative interface — not Guardião or UNA. CVE-2025-4528 received 9.8 Critical under CVSS v3.1 (NIST's scoring) and 5.3 Medium under CVSS v4.0. Both scores matter: by the v3.1 score the severity is critical; by the v4.0 score it is medium. The divergence is not academic — it defines patching priority and incident response resource allocation. A team looking only at CVSS v4.0 might treat the CVE as medium; one looking at the NIST v3.1 score treats it as critical. In lawful interception infrastructure, prudence demands treating it as critical.
The vulnerabilities were fixed in version 3.48.22. But according to VulDB, Dígitro "did not respond at all" to the vulnerability disclosure. Silence is not a response. When a lawful interception vendor ignores coordinated disclosure, the problem is not only technical — it is governance. A vendor that does not respond to disclosure does not deserve trust to generate evidence.
7 weeks of silence and "backups pre-2022"
It took 7 weeks for Dígitro to issue a public statement. The company claimed the breach involved "backups pre-2022." No evidence was presented that production systems were not compromised. "Backups pre-2022" is a claim, not proof.
We have seen this pattern before. When a company says only old backups were affected but does not allow independent audit, the claim carries no weight. In security, absence of evidence is not evidence of absence — especially when the attacker had access to 3.39 TB. Dígitro is a Strategic Defense Enterprise. The standard of transparency should be higher, not lower. Seven weeks of silence on a source code leak of lawful interception infrastructure is not a response — it is evasion.
Same week, same disease
The Dígitro breach did not happen in a vacuum. In the same week, we saw Defesa Civil using a CPF as a password — unchanged for 10 years, with no MFA. FortiBleed exposed 309 credentials across government and judiciary. TCU ordered a review of an AWS contract over data sovereignty. Distinct incidents, same disease: deficient credential hygiene, lack of MFA, data sovereignty treated as a secondary concern.
The pattern is structural. It is not one negligent company — it is an ecosystem where security is reactive, not preventive. When the blueprint of state surveillance leaks and the response is "apparently limited scope," the problem is not the leak. It is the culture that allowed it.
Conclusion
The blueprint of state surveillance is on the internet. The company that built it says it is minor. The agency that monitors threats says it hit the core. While these two argue, any actor with an interest in evading interception has 3.39 TB to study. At Tech86, we help institutions audit critical infrastructure, rotate compromised credentials, and review the integrity of systems that underpin evidence. Before the next leak exposes what should be sovereign.