Football Leaks hacker Rui Pinto managed to hack the investigation in which he was the target, new court documents reveal.
By Nuno Tiago Pinto
READ ALSO: Dirty John: The dark side of Rui Pinto
When the Portuguese authorities began to analyse the hard drives and laptops seized from Rui Pinto in Budapest in early January this year, they knew they had a difficult task. Not only because the amount of data gathered inside the devices was huge, almost 12 terabytes of information, but mostly because it was highly encrypted. And the man behind Football Leaks, sent to pre-trial detention after his interrogation by a judge, had no intention to give them the necessary passwords.
The process began almost immediately after Rui Pinto arrival in Portugal on 21 March. Inside those devices, the investigators were hoping to find evidence linking the man behind Football Leaks to the case that was the basis of the European Arrest Warrant (EAW) issued by the Public Attorney from the Departamento Central de Investigação Penal (DCIAP): the hacking of Sporting Club de Portugal and Doyen Sports Investments Limited servers and the extortion attempt of Nélio Lucas, then Doyen’s CEO. They also knew that they would probably find thousands of documents not related to the EAW. What they didn’t expect was to find strong evidence that Rui Pinto had hacked the emails of the most important members of the Portuguese judicial system, including communications between Joana Marques Vidal, the former Attorney General, and Amadeu Guerra, the previous head of DCIAP, the department that investigates the most complex cases in Portugal, including terrorism, money laundering and corruption.
According to a judicial document issued last month by the public prosecutor in charge of the case, Patricia Barão, the preliminary analysis of Rui Pinto’s hard drives allowed the investigators to determine that the hacker had managed to access the emails of Amadeu Guerra, Pedro Verdelho (head of the cybercrime unit based in the Attorney General headquarters), unidentified members of the Internal Administration Ministry, Public Security Police, FIFA, UEFA, the South America Football Confederation (CONBEBOL), FC Porto, and two law firms. “From the analysis that is being conducted on the computer equipment that was seized there are indications of the presence of many other email inboxes,” the prosecutor wrote. “It was possible to determine that the arguido [a status in the Portuguese judicial system that gives certain rights to the suspects] was able to use offensive software and tools intended to exploit remote access to the victims’ system which he believed could contain elements of interest,” she continued.
“[Rui Pinto] extended his criminal activity over four years, during which he developed an intense activity of gathering information through unauthorised access to computer systems, namely third party electronic mailboxes, with the possible intention of selling it to media organisations or other extortion activities, beyond the one already demonstrated in relation to the legal representative of Doyen.” The number of victims, the prosecutor stated, can reach “several dozens.”
Based on this evidence and on the amount of time necessary to clarify all the facts and the exact proportion of Rui Pinto’s actions – “which was not confined to Sporting and Doyen, nor even to sport entities” – Patricia Barão asked the judge in charge of the case to declare it as highly complex, which would give her more time to investigate.
According to Portuguese law, the Public Attorney must prosecute within six months when someone is in pre-trial detention, which is now the case of Rui Pinto. A time frame that ends in September. However, that period can be extended until a year if the investigation is declared highly complex.
Those six extra months would be spent, according to the judicial document issued by Patrícia Barão, to analyse Rui Pinto’s hard drives, to hear all those who were allegedly hacked but also to ask the Hungarian authorities for an extension of the EAW under which Rui Pinto was detained in Budapest. This procedure will have to be followed in order to broaden the investigation beyond the crimes related to Sporting and Doyen. That’s because, before his extradition, the hacker didn’t dispense the principle of specialty which states that a person can only be prosecuted for the crimes specified in the extradition request: in this case, two for illegitimate access; two for secrecy violation; one for offences; and one for extortion attempt. All related to Sporting C.P. and Doyen Sports Investments.
“They are trying to destroy him”
Rui Pinto’s defence opposed the Public Attorney request, and in early July William Bourdon and Francisco Teixeira da Mota issued a press release in which they accused Portuguese authorities of “judicial harassment.” “The undersigned lawyers denounce the incredible judicial harassment of their client, Mr Rui Pinto,” they wrote, adding that the “detention is disproportionate to the facts that are unlikely to be classified as crimina.l” According to his lawyers, the hacker’s continued detention “is the result of the mobilisation of all those in Portugal worried about their judicial responsibility for the financial crimes revealed by Football Leaks”: clubs, agents and others in the football business. They continue to consider Rui Pinto “a very important European whistleblower” whose revelations made several investigations in different countries into wrongdoings in football possible.
In a recent interview on the Portuguese network TVI, the lawyer Francisco Teixeira da Mota went as far as saying that this request by the public prosecutor is an attempt to “destroy” Rui Pinto. “It’s very simple. Rui Pinto is preemptively detained on the basis of one crime, which is extortion attempt, the only crime that justifies pre-trial detention. Legally in Portugal, illegitimate access or data breach don’t justify pre-trial detention. Only the extortion attempt does. They are trying to extend it until a year, based on an extortion attempt that occurred four years ago, and those new crimes don’t allow preemptive prison. So they must be together with the extortion attempt case. I mean, the intention is to keep him in jail as much as possible. They are trying to destroy him,” he said.
On 5 July the judge refused the Public Attorney request – not because of the public statements by Rui Pinto’s defence. She agreed that the investigation is, in fact, highly complex, but she also stated that legally, because Rui Pinto didn’t dispense the principle of specialty, she can only declare it as such and broaden the scope of the investigation after and if the Hungarian authorities concede in extending the EAW under which the young hacker was detained.
For now, Patricia Barão’s deadline to prosecute ends in September – and it will be limited to Sporting and Doyen. But even so, the investigation hasn’t stopped, according to the Portuguese weekly paper, Diário de Notícia. The investigators took advantage of Cristiano Ronaldo’s presence in Portugal for the Nations League to discretely ask the Portuguese star to testify as a witness regarding the hacking of his email and the publication of documents related to Kathryn Mayorga, who accused him of rape.
Hacked the investigators
Despite the arguments of Rui Pinto’s lawyers, both courts that reviewed the evidence obtained by the Judiciary Police were unanimous in considering that the man behind Football Leaks should remain in custody until the end of the investigation. The first was the judge that questioned him after his arrival to Portugal in March. At the time it was only disclosed – with no more details – that Rui Pinto was sent to preemptive prison because the court considered that his case fulfilled the three requirements that the law foresees for this measure to be adopted: danger of escape, danger of pursuing his criminal activity and the danger of disturbing the investigation. The second were two court of appeal judges whose recent decision denied the defence appeal to release Rui Pinto.
Following that decision, a 48-page document, judges Calheiros da Gama and Antero Luís shed new light on the evidence obtained by the Judiciary Police. They go as far as saying that Rui Pinto managed to hack the investigation in which he was the target and that all documents published by Football Leaks were obtained through illicit means. The entire document is devastating to Rui Pinto, dismantling one by one the arguments used by the defence to request the end of the pre-trial detention.
In his appeal, Francisco Teixeira da Mota stated that, in the defence’s view, the decision was illegal and only explicable for “reasons beyond the scope of the case.” Then he approached the legal aspects of it. After recalling that from the six crimes the hacker was charged only one could lead to the application of pre-trial detention, the lawyer focused on the argument that at a certain point Rui Pinto “actively and voluntarily gave up” a detail that, in his view, would remove the legal basis for pre-trial detention. “If there are strong indications of attempting to commit a crime of extortion, at the same time there are strong indications of a valid withdrawal from that attempt,” he wrote.
The lawyer also argued that this case doesn’t comply with the three requirements that the law foresees for this measure to be adopted. According to Teixeira da Mota, there is no danger of escape (because there is no evidence that Rui Pinto went into hiding and no reasons why he couldn’t stay at home working with his father), no danger of pursuing his criminal activity (because Rui Pinto admitted in court that he had made a mistake, which he regretted, and also because as a source of Football Leaks he had publicised serious illegalities and collaborated with the French, Dutch and Belgian authorities), nor danger of disturbing the investigation (because the facts occurred three years ago making evidence-tampering impossible). Teixeira da Mota then asked for the pre-trial detention to be replaced for periodic presentations at the police station of Rui Pinto’s father’s area of residence.
The judge started his decision by pointing that at least from 2015 onwards Rui Pinto published in several websites documents related to professional football and that the evidence gathered so far “strongly suggests” that those documents “were obtained by means of undue intrusion into computer systems” of several companies somehow related to professional football. Informations that he [Rui Pinto] “considered the most sensitive and susceptible of exposing certain societies and/or football clubs”. In addition to that, according to the court conclusions, “those elements were used not only do expose eventual improper conduct” but also to “obtain undue personal advantages at the expense of third party assets.”
The blackmail, the details
To support these conclusions, Calheiros Gama lists the evidence gathered by the investigation, some of which were unknown so far. The first is the exact date in which Rui Pinto created the email address used to try to blackmail then Doyen CEO Nélio Lucas and the one used by the Football Leaks platform. “On 25 September 2015, Rui Pinto created the email address email@example.com with the intention of making contact with third parties without being identified. Then, on 29 September 2015, he created the account firstname.lastname@example.org through the IP address 126.96.36.199 with the intention of disseminating content related to the sport phenomenon. Both accounts were accessed using the TOR network, completely anonymising who accessed it,” the document reads.
It went on describing the messages sent to Nélio Lucas, in early November 2015, under the alias Artem Lobuzov, which led to the request of a “generous donation” between 500.000 euro and one million euro in exchange for the elimination of all the data in his possession. Otherwise, the entire documents would be revealed.
Both in his interrogation and during the interviews he gave before his arrival to Portugal, Rui Pinto guaranteed that he never had the intention to receive any amount but simply to verify the documents authenticity and also understand the value that Nelio Lucas would concede them. That’s the reason why, the hacker stated, he proposed a sum which he considered unrealistic and excessive.
However, the court considered that these claims are all but credible. “The way in which Rui Pinto approached the offended Nélio Lucas, which perfectly fit in a standard of normality in the accomplishment of this type of crime takes away any credibility of this version,” the document states. The first reason is the original email sent to Nélio Lucas. After “indicating specific contracts, loans and business” and what he considered “tricks” like payment delays to some clubs, the opening of a bank account almost without documents, documents signed with retroactive dates the hacker ended up writing: “All this and more can appear online, and soon thereafter through the European press (certain French, Italian and Spanish newspapers have already requested a partnership to disclose information). Surely you do not want that, do you? But we can talk…” the hacker wrote to Nélio Lucas.
The thread of emails was viewed by the judge as irrefutable evidence that Rui Pinto tried to blackmail the businessman. He then quotes another message: “Since we started talking, I stopped publishing issues related to Doyen. The only exception was the letter sent by Sporting about the Rojo case, just to keep the media circus going. At this point in time, I even did you a favour, Sporting president lost all national and international credibility. As for the technical and legal issues, we can handle this in more detail among lawyers, sign a NDA [non-disclosure agreement] for example, but we will see to that at the proper time”.
According to the decision, the secrecy suggested by Rui Pinto reveals an “awareness of illegality” of his actions just like the need for the payment be made secret, under an NDA, through a “legitimate-looking business, in particular through an alleged service contract, as was later to be proposed.”
Following his complaint to Portuguese authorities, and following the Judiciary Police instructions, on 8 October 2015, Nélio Lucas informed Rui Pinto that he had managed to find a lawyer. On that same day, according to the judicial file, the hacker contacted the lawyer Anibal Pinto informing him about his plan to ask between 500.000 and one million euro in exchange for keeping certain documents to himself. “Anibal Pinto accepted to collaborate with Rui Pinto” and both “agreed that the part that would fit Anibal Pinto” if they succeeded “would be 300 000 euro.” When this decision went public, the lawyer denied such agreement.
The judge went on and concluded that Rui Pinto’s claims that he asked an “unrealistic amount of money” and just wanted to confirm the documents authenticity weren’t credible. Due to his intrusion, he knew that Doyen moved several million euro per year and that the documents were originals – that’s the reason why he published several of them in early October 2015.
Following the timeline established by the court, when Rui Pinto realized that Nélio Lucas had no intention to pay him, he started publishing the Doyen documents. He did so from 4 November 2015 until 22 April 2016. “There are no doubts that there was an extortion attempt,” wrote Calheiros da Gama.
On the following pages, the judge analysed the defence’s argument that at a certain point Rui Pinto gave up. Quoting several higher court decisions, Calheiros da Gama explained that it is not enough if someone decides to stop a crime “for strategic reasons or fear of third party intervention. It has to be a voluntary decision, spontaneous and personal.” And that was not the case because at the time the suspect argues that he quit, “it was impossible to proceed with the crime.”
According to the court decision, when Rui Pinto sent an email to Nélio Lucas saying that he was “no longer interested in receiving one cent”, he was not only aware that the Judiciary Police was looking for him, but he had also accessed parts of the investigation: “I have in my possession a copy of a document written by your lawyer authenticated by the Judiciary Police and sent to Yandex,” Rui Pinto wrote in an email dated 17 October 2015. For the judge, the facts are clear: the hacker knew he was under investigation but he continued with his plan anyway. “I’ll be honest with you, Yandex may even cooperate with Doyen off the record and give the traffic data, but it won’t go beyond that. Finding the origin is virtually impossible. So I hope your lawyer won’t make me waste my time,” he wrote in an email. “Rui Pinto completely trusted his anonymity strategy, and didn’t assumed as serious or real the possibility of the Judiciary Police being able to identify him,” the judge concluded.
And according to the judicial document, he wasn’t far from the truth. His plan only failed because his lawyer ended up denouncing him when he met Nélio Lucas at a Pans/Company restaurant on a motorway stop outside Lisbon. The report issued by the Judiciary Police (whose agents were on the spot) is clear: throughout the meeting “Anibal Pinto mentioned some of his client’s physical characteristics and qualities, stating that he was a young man, in his twenties, living abroad, with a college education (describing him as ‘brilliant’) and that he represented him in another criminal inquiry in Porto. That inquiry was related to the illegitimate access of accounts in a Cayman Island Bank in which he had managed to perform high value illicit transfers.”
In the following weeks, Rui Pinto and Anibal Pinto became aware that the hacker’s identity had been revealed. The investigators visited his father and sister at home and asked his neighbours about him in the process of trying to find where he was. “The explanation that Rui Pinto gave up because he was following his lawyer’s advice is not compatible with the proofs gathered. On the contrary: all the evidences indicate that he executed acts of extortion and stopped after he realised the authorities were looking for him,” the judge concluded.
Regarding the three requirements foreseen by the law to maintain someone in pre-trial detention, Calheiros da Gama also considered all of them applicable. Regarding the danger of escape, the judge questioned: “If his intentions were to cooperate with the authorities to reveal the alleged football-related crimes he identified, why didn’t he, voluntarily, offer his assistance clarifying that he had committed no crime, and that he aided the disclosure of other crimes?”
Tricked the GPS on his phone
He went on revealing another unknown detail: “If he wasn’t in hiding (…) why did he let his identification documents expire?” According to the information gathered by the Judiciary Police, Rui Pinto’s ID card expired in 2017. At the time of his detention he had no legal residence in Hungary and the local authorities had no registry of his presence in the country. The hacker was only located in Budapest because his stepmother mentioned over the phone that she was going to visit him with his father.
The court even quoted his own statements to support the conviction that the danger of escape was real. Referring to an article published by Der Spiegel on 28 February 2106, (Wanted Man – A Visit with A Football Leaks Creator) the judge noted that in that story Rui Pinto revealed he had installed an App that tricked his phone’s GPS, indicating that his location coordinates were near the North Pole.
As for the danger of pursuing his criminal activity, Calheiros da Gama considered that there is a real danger of Rui Pinto might continue doing what he has been doing: accessing confidential information and demanding money to keep it private. “His actions cannot be qualified as being motivated by altruistic goals and intended solely for the public good,” the document reads. For the judge it is clear: “Such actions, through the use of computer means, has to be considered similar to an unauthorized physical entry into an office or residence” to “collect private documents in those locations, a situation whose illegality would have never raised any doubt.”
Beyond that, in the judge’s view, Rui Pinto shows a sentiment of “total impunity”: in his statements to the press he presents himself as a whistleblower; on his Facebook posts he defies the authorities (‘catch me if you can’); and in his interviews in Budapest he showed a total lack of regret for what he has done.
Regarding the danger of disturbing the investigation, Calheiros da Gama noted that, in the past, Rui Pinto was able to obtain information regarding the investigation in which he was the main suspect, something he might do again if he was released. The court also considered that he could try to destroy files that might be stored in virtual clouds or even hack the investigation to destroy evidence. Just like he accessed dozens of email inboxes.
*Nuno Tiago Pinto is a Portuguese reporter working for the news magazine Sabado.