Available · Brazil · Portugal · Italy · Spain · Dublin · USA

Where the breach
would make headlines,
I'm the call.

Eighteen years of offensive security across banking, government, media, healthcare and critical infrastructure. Brazil to Europe. Federal-grade trust.

Pentester · Red Team · Open Banking · FAPI · LGPD · GDPR · PCI-DSS

Douglas Lopes
Brasília (BR) · Porto (PT) · Roma (IT)
18+ Years operating
30+ Engagements
12+ Banks · public & private
4 Continents · operating + speaking

Featured in major Brazilian and international outlets covering cybersecurity, financial fraud and digital investigations.

Where we were the focus

Pentester by craft.
Not by certificate.

Since 2007. No hacking course — I watched my first bank get breached and realized the problem wasn't technical, it was about people.

Eighteen years on, the same obsession: find the door before the criminal does. I've operated inside Latin America's largest public bank, on Open Banking platforms, in private banking across Brazil, Portugal, Italy and Morocco, at the world's largest iGaming company and on Europe's payments backbone.

In parallel, I've supported the Federal Police and Civil Police on complex cyber casework, and spoken at the Florida Association of Private Investigators on phishing and web attack tradecraft.

The focus is the same wherever the engagement: where it hurts most, where the adversary is most sophisticated, where the margin for error is zero.

Eight sectors. One discipline.

Financial sector dominates the engagement count, but the craft is the same across every regulated, high-stakes environment. Where the data has consequence, I've operated.

/01 Banking & finance: Public and private banks, Pix, Open Finance, Open Insurance, FAPI 1.0/2.0, brokerages.
/02 Government & security: Federal Police, Civil Police, treasury, regulators. Casework + offensive assessment.
/03 Media & communications: National press outlets, broadcast networks, publishing platforms. Newsroom-grade pressure.
/04 Healthcare: Hospitals, Santa Casa, regulated institutions. LGPD/GDPR-bound patient data.
/05 Critical infrastructure: Payments backbone, telecom, identity providers. Failure = systemic, not local.
/06 iGaming & payments: Global iGaming platforms. Highest-scale fraud surface in private tech.
/07 Industry & manufacturing: Automotive, wholesale, manufacturing OT/IT crossover environments.
/08 Sports & global events: Olympics, Formula 1, federations. Short window, zero tolerance for failure.

Where I helped identify the gaps.

By contractual restriction, descriptions are intentionally generic. Specific vulnerabilities, exploited vectors and audit findings are never published — not here, not on LinkedIn, not on a CV. The list below covers only public contractual relationships.

Banking & financial · BR · PT · IT · MA
Caixa Econômica Federal, Banco BMG, XP Investimentos, Sinqia, Captalys, Paraná Banco, Grupo JMalucelli, COOPERFORTE, BMP, private banks (Italy), private banks (Morocco)
iGaming & payments · Europe · global
SoftSwiss (iGaming), Stake.com, Jogos Santa Casa (PT), Multibanco (EU backbone)
Government & public security · BR
Federal Police, Civil Police, Treasury (Minas Gerais)
Healthcare · BR · PT
Santa Casa de Misericórdia, Hospital Lifecenter, CBV (Eye Hospital), Federal Nursing Council
Sports & global events · Global
Rio 2016 Olympics, Brazilian GP (Formula 1), CBF (Brazilian Football Confederation)
Industry, media & tech · BR · LATAM
Honda Brasil, Pearson Brasil, Diário do Poder, ACATE, Arab-Brazilian Chamber, FENACOR, Tambasa Atacadistas, IPOG, Place Tecnologia, Kufa Advocacia

Partial list · Active engagements stay confidential until contract end · Clients only published with their consent

When the room needs to understand the adversary.

Florida · USA

Florida Association of Private Investigators

Talk on digital threats, cyber investigations and data protection. Focus on phishing, web attacks and forensic evidence chain applied to private investigation.

myfapi.org · Cybersecurity speaker
Brasília · Federal District

Federal Police & Civil Police

Technical support on high-complexity cyber cases — forensic analysis, attack attribution, vector identification and investigative phase support.

Investigative support · Sensitive casework

Standards that guide every engagement.

OWASP: Top 10 · ASVS · WSTG
MITRE ATT&CK: Tactics · Techniques
PTES: Penetration Testing Execution Standard
NIST: SP 800-115 · CSF
PCI-DSS: Payments · card data
GDPR · LGPD: Privacy · personal data
OSSTMM: Open Source Security Testing Methodology Manual
ISO 27001 · SOC 2 · CIS Controls

The tools I actually use.

Recon & OSINT (mapping · enumeration):
Nuclei, reNgine, Amass, Recon-ng, Sublist3r, theHarvester, Shodan, Censys, Maltego, Gobuster, Nikto
Exploitation (web · network · auth):
Burp Suite, Metasploit, SQLmap, NoSQLMap, Hydra, Hashcat, John the Ripper, CrackMapExec, Responder, Mimikatz, BloodHound, Empire, Cobalt Strike
Defense, monitoring & forensics (blue team · response):
Wireshark, Snort, Suricata, Zeek, Splunk, Elastic, Graylog, Arkime, YARA, Volatility, Autopsy, Radare2, Ghidra, CyberChef
Cloud & DevSecOps (AWS · Azure · GCP):
AWS, Azure, GCP, Kubernetes, Docker, Terraform, Ansible, CodeQL, SonarQube, Bandit, Semgrep, OpenAPI, OAuth · JWT, FAPI 1.0/2.0

Five bases. One operational time zone.

PT · Portugal · Porto: European base. Coordination hub for clients across the continent.
BR · Brazil · Brasília: Origin and Brazilian base. LATAM operations and federal-sector engagements.
IT · Italy · Rome: Italian private banking and Mediterranean coverage.
ES · Spain · Vigo: Spain and Galicia coverage. Iberian operation jointly with Portugal.
MA · Morocco · Casablanca: Private Moroccan banking and Maghreb coverage.

Thirty minutes. No SDR. No funnel.

You explain the scope. I explain if it fits. Direct conversation with the operator — not a salesperson.

Direct booking

30-minute slot. Video or voice. English, Portuguese, Spanish or Italian.


The hackers aren't slowing down.

Real-time ransomware victim disclosures from ransomware.live for the United States.


Disclaimer. I'm not responsible for this list. ransomware.live aggregates public claims posted by attackers on leak sites and forums. The information may or may not be true: sometimes attackers exaggerate, sometimes victims haven't confirmed publicly. Treat it as situational awareness, not as a legal record.

Nine field defenses your IT team didn't put in the deck.

Tactical, current, opinionated. Picked from real engagements — not a 2018 Slideshare. iOS · Android · both.

/01BOTH

Lock your eSIM transfer

Carriers get social-engineered into porting a number or issuing a fresh eSIM profile to an attacker (SIM swapping). Set a port-out/transfer PIN with your carrier, and add an account passphrase if it offers one. Without it, your number, and every SMS code sent to it, is one phone call away from belonging to someone else.

/02iOS

Turn on Stolen Device Protection

iOS 17.3+. Away from familiar locations it requires Face ID with no passcode fallback, plus a one-hour delay, for sensitive changes such as changing the Apple ID password or turning the protection off. Set it to "Always" (iOS 17.4+) so it also applies at familiar locations. Defeats the stolen-phone-plus-shoulder-surfed-PIN attack that drains accounts in minutes.

/03BOTH

Drop SMS for 2FA

SMS rides on SS7, a 1980s signalling network that anyone with telco-side access can abuse to intercept or redirect messages, and a SIM swap bypasses it entirely. Use TOTP (Aegis, Raivo, 2FAS) or, better, passkeys.

/04iOS

Disable USB while locked

Settings → Face ID & Passcode → USB Accessories OFF. With it off, an accessory cannot open a data connection once the phone has been locked for more than an hour, which blunts forensic extraction tools (Cellebrite, GrayKey) plugged into a locked phone. Note the one-hour window: a device seized right after use is still exposed. Lockdown Mode blocks wired connections as soon as the phone locks.

/05Android

Audit Accessibility services

Android banking malware abuses the Accessibility API. Once granted, it reads every screen, types every key and dismisses every prompt, including the one that would let you uninstall it. Settings → Accessibility → review monthly. Revoke anything you don't recognize.
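The same audit from a laptop, as an added example (not the page's own tooling): a POSIX shell script that reads the colon-separated list Android keeps in the `enabled_accessibility_services` secure setting, via `adb` when a device is attached, and flags every service whose package is not on an allowlist you maintain. The sample list, the allowlist contents and the package `com.example.updater` are constructed for the example; replace the allowlist with the services you knowingly installed.

```shell
#!/bin/sh
# Added example, not from the original page: audit enabled Android Accessibility
# services. Package names below are assumptions for the demonstration.

# Constructed sample of what `adb shell settings get secure enabled_accessibility_services`
# returns: entries are package/class, separated by ':'; "null" means none enabled.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.updater/com.example.updater.OverlayService'

# Packages whose accessibility service you deliberately enabled (assumed allowlist).
ALLOWLIST='com.google.android.marvin.talkback'

# audit_services LIST
# Prints one line per enabled service, prefixed OK or REVIEW.
# Returns 0 when every service is allowlisted, 1 when at least one needs review.
audit_services() {
    list=$1
    rc=0
    if [ -z "$list" ] || [ "$list" = "null" ]; then
        echo "no accessibility services enabled"
        return 0
    fi
    IFS=':'
    for svc in $list; do
        pkg=${svc%%/*}                     # package name is everything before '/'
        case ":$ALLOWLIST:" in
            *":$pkg:"*) printf 'OK      %s\n' "$svc" ;;
            *)          printf 'REVIEW  %s\n' "$svc"; rc=1 ;;
        esac
    done
    unset IFS                              # back to default word splitting
    return $rc
}

# Use the attached device when adb is available; otherwise run on the sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    LIST=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
else
    LIST=$SAMPLE
fi
audit_services "$LIST" || echo "one or more accessibility services need review"
```

A REVIEW line is not proof of malware, only of a service you did not put on the list; check the package in Settings → Apps before revoking it, and remember that a service can also be disabled from the shell with `adb shell settings put secure enabled_accessibility_services` once you have decided what should stay.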

/06iOS

iMessage Contact Key Verification

iOS 17.2+. Alerts you when an extra device key appears server-side for a contact, the signature of an iMessage MITM via the key directory, and lets you confirm a contact in person with a verification code. Critical for executives, lawyers, journalists. Off by default; turn it on, and verify, with anyone you trade sensitive data with.

/07BOTH

Forget unused Wi-Fi networks

Your phone auto-joins any access point that advertises the name of a remembered open network, and still sends probe requests for remembered hidden ones. Karma-style and known-beacon attackers spoof "linksys" or "Starbucks Wi-Fi" and your phone joins silently. Forget what you don't use, starting with open captive-portal networks.

/08BOTH

Switch to passkeys, not passwords

FIDO2/WebAuthn. The private key stays on the device, in the secure enclave or an end-to-end encrypted keychain when synced, and is never sent to the site; each signature is bound to the site's origin, so a lookalike domain gets nothing it can replay. Phishing-resistant by design. Apple, Google, Microsoft and major banks support them; start with the bank.

/09BOTH

Carry a charge-only cable

Public USB ports = juice-jacking surface. Airports, hotels, conferences. A €4 USB data-block adapter or a charge-only cable leaves only the power lines connected, so the port cannot talk to the phone. Use one whenever you're not at home.

Updated 2026-04 · This list rotates as the threat surface shifts