Brazilian President’s Telegram Hacked via Voicemail: How Attackers Bypassed Security

Brazilian President and Ministers’ Telegram Accounts Hacked via Voicemail

This week, Brazilian authorities arrested four hackers accused of breaching over 1,000 Telegram accounts. The suspects are Danilo Cristiano Marquez (33), Walter Delgatti Neto (30), Judy Gustavo Henrique Elias Santos (28), and Suelen Priscilla de Oliveira (25), who is Santos’s wife.

Among the victims were high-ranking government officials, including President Jair Bolsonaro, Justice Minister Sergio Moro, and Economy Minister Paulo Guedes. Other politicians, such as Congresswoman Joice Hasselmann, also reported being targeted.

According to local media, the hackers used compromised accounts to send spam messages with malicious links to the victims’ contacts. The group also specifically targeted local politicians, reportedly stealing their private messages.

Brazilian authorities claim that some of these stolen messages were given to journalists at The Intercept after the Justice Minister’s Telegram account was hacked on June 5, 2019. The Intercept later published conversations between Moro and prosecutor Deltan Dallagnol, who was involved in Operation Car Wash—one of Brazil’s largest anti-corruption investigations. This operation led to numerous arrests, including major business leaders, politicians, and former President Luiz Inácio Lula da Silva, who was sentenced to 12 years in prison.

The controversy lies in the fact that, at the time of the conversations, Sergio Moro was the judge overseeing Lula da Silva’s case, while Dallagnol was the lead prosecutor. Previously, Moro had cultivated an image of impartiality, but the leaked chats showed him instructing prosecutors on how to better and more quickly charge the former president, even advising on anti-Lula propaganda strategies.

After the leak, Moro claimed there was nothing improper in the messages and that he had only offered a few suggestions to the prosecutor. The Intercept’s founder, Glenn Greenwald, stated that their source denied any connection to the Telegram hacks and that the publication received the data a month before the Justice Minister reported the breach.

How the Telegram Accounts Were Hacked

The four arrested hackers were detained on a temporary five-day warrant and have not yet been formally charged. Investigators say they found about 600,000 Brazilian reais (around $160,000 USD) in one suspect’s bank account, which the suspect could not explain.

The hacking technique, now widely discussed in global media, was detailed in a court document related to the arrests. This method was first described in 2017 by researcher Ran Bar-Zik, who initially demonstrated it on WhatsApp. A year later, security expert Martin Vigo adapted the technique for services like Facebook, Google, Twitter, WordPress, eBay, and PayPal, presenting his findings at Defcon. The same approach works just as effectively on Telegram.

The attack exploits the fact that most instant messengers allow users to receive one-time access codes via SMS or voicemail. Users who have voicemail enabled and have not changed the default voicemail password (often “0000” or “1234”) are at risk.

Bar-Zik noted that if a phone line is busy or if the user doesn’t answer three consecutive calls, the one-time code is sent to the user’s voicemail, where it can be easily retrieved.

According to Brazilian authorities, the hackers installed Telegram on their devices but entered the phone numbers of well-known politicians instead of their own. They then requested authentication via voicemail and simultaneously called the victims’ phones to ensure the one-time code would be sent to voicemail. Using VoIP to spoof the victims’ numbers, they accessed the voicemail with the default password, retrieved the code, and linked the victims’ Telegram accounts to their own devices—gaining full access to messages and account history.
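The sequence described above can be watched for from the defender's side. The following is an added example, not code from the court document or from Telegram: it correlates a voice-code request, calls that leave the line busy or unanswered, a remote voicemail access, and a new device login for the same number. The event names, the log schema, the phone numbers and the 10-minute window are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)            # assumed correlation window
LINE_BLOCKED = {"call_busy", "call_unanswered"}

# Constructed events, hypothetical schema: (timestamp, subscriber number, event type)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "+10000000001", "voice_code_requested"),
    ("2024-01-01T10:00:02", "+10000000001", "call_busy"),
    ("2024-01-01T10:03:10", "+10000000001", "voicemail_remote_access"),
    ("2024-01-01T10:04:00", "+10000000001", "new_device_login"),
    ("2024-01-01T11:00:00", "+10000000002", "voice_code_requested"),
    ("2024-01-01T11:00:20", "+10000000002", "call_answered"),
    ("2024-01-01T11:01:00", "+10000000002", "new_device_login"),
    ("2024-01-01T12:00:00", "+10000000003", "voicemail_remote_access"),
]


def find_voicemail_takeovers(events, window=WINDOW):
    """Return [(number, request_time)] where the full sequence appears in order."""
    by_number = defaultdict(list)
    for ts, number, kind in events:
        by_number[number].append((datetime.fromisoformat(ts), kind))

    alerts = []
    for number, evs in by_number.items():
        evs.sort()
        for t0, kind in evs:
            if kind != "voice_code_requested":
                continue
            # Calls placed around the request keep the line busy or unanswered.
            blocked = any(k in LINE_BLOCKED and abs(t - t0) <= window for t, k in evs)
            # Voicemail is read remotely after the code was left there.
            vm = [t for t, k in evs
                  if k == "voicemail_remote_access" and t0 <= t <= t0 + window]
            # A new device is linked after the earliest voicemail access.
            login = vm and any(k == "new_device_login" and vm[0] <= t <= vm[0] + window
                               for t, k in evs)
            if blocked and login:
                alerts.append((number, t0.isoformat()))
    return alerts


if __name__ == "__main__":
    print(find_voicemail_takeovers(SAMPLE_EVENTS))
```

The second subscriber answers the call and is not flagged, and a voicemail access with no preceding code request is ignored, so only the first number raises an alert.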
