Inside Exilio404: Brazil's Underground Cybercrime Scene
Exilio404 is a Portuguese-language dark web forum that emerged in May 2025 and now hosts thousands of posts on carding, phishing, malware and money mule operations targeting Brazil. This blog examines the forum's most active content categories, from "contas laranjas" mule accounts exploiting Pix to discussions of the SORVEPOTEL WhatsApp malware. It explains why regional forums like Exilio404 matter as an intelligence source for organizations exposed to the Brazilian threat landscape.
Published July 17, 2026

Executive Summary
Exilio404 is a Portuguese-language dark web forum monitored by KELA that serves as a regional hub for Brazilian cybercriminal activity, fraud discussions, and offensive cybersecurity content. Operating on the Tor network and structured similarly to mainstream discussion platforms, the forum hosts approximately 5,000 posts, 15,200 replies, and 14,900 comments generated by more than 3,100 registered users. This level of activity indicates an active and engaged community since the forum reappeared following a police seizure on May 2, 2025.
The forum’s relevance is closely tied to Brazil’s position as the largest economy in Latin America and one of the region’s most important digital markets. Brazil’s large population, extensive use of online banking, mature e-commerce sector, Pix instant payment system, and broad adoption of online platforms create a large attack surface for cybercriminals. In this context, Brazilian identity data, financial accounts, corporate credentials, and government-related access are valuable assets that can support scams, phishing, account takeover, and other fraud operations.
KELA’s analysis found that Exilio404 facilitates discussions across a broad range of illicit topics, including hacking, malware, phishing, DDoS attacks, carding, cryptocurrency abuse, data leaks, and money mule operations. The forum’s structure encourages collaborative interaction, with users frequently exchanging questions, tutorials, operational advice, and technical support. Based on observed activity, many participants appear to possess low-to-medium technical sophistication, using the forum as a learning environment to improve their offensive capabilities and adapt existing cybercriminal methods to Brazilian targets.
Financially motivated crime is one of Exilio404’s strongest themes. KELA identified extensive discussions related to stolen credit cards, phishing schemes, online gaming and betting fraud, and the acquisition of “contas laranjas”, money mule accounts used to facilitate Pix transfers and other illicit financial activity. This activity also aligns with broader trends observed across Brazilian cybercriminal communities. Beyond Exilio404, KELA collected nearly 250,000 Telegram messages related to the buying, selling, and use of “contas laranjas” for financial fraud, highlighting the scale and importance of mule-account activity in the local threat landscape. Exilio404 therefore provides valuable insights into how fraud-enabling services, and operational practices circulate across Portuguese-language underground spaces.
For threat intelligence teams, Exilio404 represents a valuable regional intelligence source rather than merely a niche dark web forum. Monitoring the forum can help identify early signals of activity affecting Brazilian companies, public-sector entities and financial institutions. It can also support detection of localized fraud trends, emerging techniques and the adaptation of global cybercriminal tactics to Brazil’s digital ecosystem.
Overall, Exilio404 provides unique visibility into the evolution of Portuguese-language cybercriminal activity targeting Brazil. While the forum does not appear to be dominated by highly sophisticated actors, its collaborative nature, fraud-focused content, and connection to local monetization methods make it a useful source for understanding practical cybercrime activity in Brazil. For KELA, continued monitoring of Exilio404 and similar communities supports a broader understanding of regional cybercrime ecosystems, the localization of threat actors and the risks most relevant to organizations operating in Brazil.
What Is Exilio404?
Exilio404 is a Brazilian dark web forum that serves as a meeting point for Portuguese-speaking cybercriminal actors, fraudsters, and users interested in offensive cyber activity. While the forum remains relatively under-documented in public reporting, its content provides visibility into part of Brazil’s underground cybercrime ecosystem. The forum is notable since it reflects local cybercriminal interests, including leaked data, malware-related discussions, spam and DDoS tools, phishing, carding, tutorials, credential lists, and hacking conversations. Forums like Exilio404 can offer early insight into threats that are specifically targeted at Brazilian users, companies and public institutions.
Exilio404 emerged on May 2, 2025 following the takedown of 'Respostas Ocultas,' one of Brazil's largest onion-based forums. Brazilian Federal Police investigations reportedly linked the platform to an individual accused of distributing materials promoting terrorist activities on the dark web.
Exilio404 currently operates in a manner similar to traditional discussion platforms such as Reddit or Quora. The forum's content is predominantly in Portuguese and covers a wide range of topics, including cybersecurity, hacking, technology, and general discussions.
Key Types of Content Observed on Exilio404
The forum features a wide range of content categories, with some of the most notable including Hacking, Data Leaks, Dark Web Activity, Cryptocurrency, Black Market, and Doxing. Within these sections, users engage in discussions, buy and sell services or data, and share knowledge related to cybercrime, fraud schemes, and other illicit activities. The platform facilitates the exchange of techniques, tools, and operational guidance that can be used to conduct various forms of cyber-enabled crime.
Carding and Other Types of Financial Fraud
Exilio404 features extensive discussions related to carding, phishing, and other fraud schemes. KELA has collected multiple forum posts, along with a significantly larger number of user responses, involving the offering and solicitation of credit cards, inquiries about how and where to use stolen card data, and discussions regarding methods for monetizing cloned cards.
According to the forum itself, "CC" (credit card-related activity) is one of the platform's most active and prominent discussion topics, highlighting the central role that financial fraud plays within the community.
Exilio404 user offering stolen credit card data | KELA Platform
Moreover, numerous posts have been collected involving offers and requests related to fraud across a variety of platforms, including scams targeting online gaming and betting services. Of particular note are discussions surrounding money mule operations, with hundreds of users expressing interest in obtaining anonymous or third-party accounts to facilitate financial transactions through Pix, Brazil's instant payment system operated by the Central Bank of Brazil.
These discussions frequently revolve around acquiring, renting, or leveraging accounts to receive and transfer funds, reflecting the role of mule networks in enabling fraud, money laundering, and other illicit financial activities.
A small sample of forum posts advertising the sale and purchase of bank accounts for use as money mules
This phenomenon of so-called "contas laranjas" (orange accounts) used as money mule accounts represents one of the most significant fraud schemes observed within Brazilian cybercrime. Beyond the activity observed on Exilio404, data collected through the KELA platform identified nearly 250,000 Telegram messages in which threat actors expressed interest in acquiring, selling, or utilizing these accounts.
In many cases, this underground market operates under a “Mule-as-a-Service” model, whereby more sophisticated actors acquire or manage large inventories of accounts and subsequently rent, lease, or sell access to other criminals. These accounts are commonly used to receive, transfer, and launder funds obtained through fraud, scams, account takeovers, and other illicit activities, often leveraging Brazil's Pix instant payment infrastructure to move funds rapidly, previously reported by KELA CIC.
As an example, a forum user stated that he has contacts who purchase bank accounts in large quantities and invited anyone interested in joining the scheme to contact him privately.
Forum user offering contacts for bulk purchases of bank accounts and inviting others to join the scheme
In another post, a user asked how to obtain stolen accounts, and another responded with recommendations on maintaining OPSEC through VPNs and explained how some banks detect these parameters to block such accounts. In this context, the threat actor advised creating accounts with fintechs, which tend to be less strict when enforcing KYC verifications.
Malware-Related Activity
A few months ago, researchers identified SORVEPOTEL, a self-propagating malware campaign primarily targeting users in Brazil through the WhatsApp messaging platform. Unlike conventional malware focused on data theft or ransomware deployment, SORVEPOTEL is designed to maximize rapid distribution by exploiting trusted communications and automated propagation mechanisms.
The malware has been observed spreading across Windows environments through phishing messages containing malicious ZIP attachments. Notably, victims are instructed to open the attachment on a desktop device.. Once executed, the malware leverages WhatsApp Web to automatically distribute itself to additional contacts, generating large volumes of spam messages that frequently result in the suspension of compromised WhatsApp accounts.
The day after major cybersecurity media outlets reported on the malware, a forum user claimed to be analyzing it and shared alleged IP addresses, open ports, URLs, and API endpoints allegedly found as part of the malware infrastructure. While the authenticity of the exposed data could not be independently verified, the post highlights how the forum hosts discussions related to malware actively affecting Brazil.
User claiming to have IoCs of the SORVEPOTEL malware
Additionally, users on the forum have been observed offering Malware-as-a-Service (MaaS) solutions and sharing tutorials on how to embed malware into files. The forum’s collaborative structure encourages a strong question-and-answer dynamic, allowing users to exchange technical knowledge, seek assistance, and discuss offensive cyber techniques.
.
User claiming to be a SOC analyst advertising malware development services
Tools for Mass Spam Attacks, Phishing and DDoS
The forum contains numerous discussions involving users interested in conducting large-scale spam campaigns for phishing purposes.
In the example below, a beginner-level user requests assistance from the community to learn about methods for carrying out spam attacks, illustrating how the forum facilitates the exchange of knowledge and guidance related to malicious activities.
User on Exilio404 asking how to do spamming attacks | KELA Platform
Forum exchanges where users share tutorials on fraudulent techniques, including spam campaigns and DDoS attacks, alongside internal discussion about translation | KELA Platform
Additionally, users have been observed seeking advice on phishing strategies, including discussions on attack methods, delivery mechanisms, and techniques for improving the effectiveness of phishing campaigns.
User making an inquiry about phishing in the Exilio404 forum | KELA Platform
Discussions regarding DDoS attacks within the forum's hacking section cover a wide spectrum, ranging from users inquiring about execution techniques and sharing instructional resources or tools, to individuals boasting about attacks they have personally orchestrated. In one of these posts, a user claimed to have carried out a DDoS attack against the Thames Valley Police department in the United Kingdom, and expressed fear of being discovered since they did not use a VPN.
User claiming to have carried out a DDoS attack against the United Kingdom police
Other users then mentioned that they had probably relied on botnets to carry out these types of attacks.
Recommendations for Defenders
The activity observed on Exilio404 points to a set of practical priorities for organizations exposed to the Brazilian threat landscape.
Harden Pix and payment fraud controls.
The scale of "contas laranjas" trading, on the forum and across nearly 250,000 related Telegram messages, means financial institutions and fintechs should treat mule account detection as a core control, not an edge case. Monitor for rapid pass-through behavior, newly opened accounts receiving high transaction volumes, and clusters of accounts sharing device or network fingerprints.
Review onboarding and KYC friction, especially at fintechs.
Forum users explicitly recommend fintechs as the softer target for opening mule accounts. Institutions with streamlined digital onboarding should reassess where identity verification can be strengthened without breaking the customer experience.
Prepare for WhatsApp-borne threats.
SORVEPOTEL demonstrates that trusted messaging platforms are an active malware distribution channel in Brazil. Include WhatsApp-themed lures in phishing awareness training, restrict execution of files delivered through messaging web clients on corporate devices, and alert on unusual WhatsApp Web activity.
Assume carding data is in circulation.
With credit card trading among the forum's most active topics, card issuers and merchants should maintain aggressive monitoring for testing patterns, small-value authorization probes, and card-not-present anomalies tied to Brazilian BINs.
Treat low sophistication as volume, not safety.
Many Exilio404 participants are learning rather than leading, but a large population of low-to-medium skill actors sharing tutorials produces a high volume of commodity attacks: spam campaigns, basic phishing, and opportunistic DDoS. Baseline defenses, rate limiting, and DDoS mitigation coverage matter precisely because these attacks are cheap to attempt.
Extend intelligence collection to regional, non-English sources.
Threats targeting Brazil are discussed first in Portuguese. Organizations relying only on English-language sources will see local fraud trends and tooling late. Monitoring communities like Exilio404 provides earlier visibility into how global techniques are adapted to Brazilian targets.
FAQs for Exilio404
What is Exilio404?
Exilio404 is a Portuguese-language dark web forum operating on the Tor network that serves as a hub for Brazilian cybercriminal activity, fraud discussion, and offensive cybersecurity content. It is structured similarly to mainstream discussion platforms such as Reddit or Quora.
When did Exilio404 appear?
The forum emerged on May 2, 2025, following the takedown of Respostas Ocultas, one of Brazil's largest onion-based forums, which Brazilian Federal Police investigations reportedly linked to an individual accused of distributing material promoting terrorist activity.
How large is the Exilio404 community?
The forum hosts approximately 5,000 posts, 15,200 replies, and 14,900 comments generated by more than 3,100 registered users, indicating an active and engaged community since its emergence in May 2025.
What kind of content is discussed on the forum?
Content spans hacking, malware, phishing, DDoS attacks, carding, cryptocurrency abuse, data leaks, doxing, and money mule operations, alongside tutorials and technical support exchanged between users.
What are "contas laranjas"?
"Contas laranjas" (orange accounts) are money mule accounts acquired, rented, or sold to receive and transfer illicit funds, frequently through Pix, Brazil's instant payment system. Hundreds of Exilio404 users have expressed interest in obtaining them.
How big is the money mule market beyond the forum?
Beyond Exilio404, nearly 250,000 Telegram messages have been observed in which threat actors expressed interest in acquiring, selling, or using mule accounts, in many cases under a Mule-as-a-Service model where actors manage large account inventories and rent access to other criminals.
What is SORVEPOTEL and why does it appear in the report?
SORVEPOTEL is a self-propagating malware campaign targeting Brazilian users through WhatsApp, spreading via phishing messages with malicious ZIP attachments and using WhatsApp Web to distribute itself to victims' contacts. The day after media coverage broke, an Exilio404 user claimed to be analyzing the malware and shared alleged infrastructure details, though the authenticity of that data could not be independently verified.
How sophisticated are the forum's users?
Based on observed activity, many participants show low-to-medium technical sophistication and use the forum as a learning environment, exchanging questions, tutorials, and operational advice to improve their capabilities against Brazilian targets.
Why does a Brazil-focused forum matter to organizations elsewhere?
Brazil is Latin America's largest economy and one of its most important digital markets, and forum activity is not strictly domestic; in one case a user claimed responsibility for a DDoS attack against the Thames Valley Police in the United Kingdom. Regional forums also show how global cybercriminal tactics are localized, which is relevant to any organization with Brazilian operations, customers, or suppliers.
How can threat intelligence teams use insight from Exilio404?
Monitoring the forum can surface early signals of activity affecting Brazilian companies, public-sector entities, and financial institutions, and supports detection of localized fraud trends, emerging techniques, and the adaptation of global tactics to Brazil's digital ecosystem.













