An examination of the murky past of the man behind Football Leaks, Rui Pinto, reveals a pattern of cybercrime, theft and extortion.

A Hungarian judge ruled on 5 March 2019 to approve the extradition of Rui Pinto, the man behind the Football Leaks website, to his native Portugal to face criminal allegations of personal information theft and extortion. This will not be the first time Pinto finds himself hauled into a Portuguese courtroom facing serious accusations of illegal data access and theft.

Hacking and Theft from Caledonian Bank

In late 2013, a hacker accessed the email servers of Caledonian Bank, an offshore bank in the Cayman Islands. Through this infiltration, the hacker was able to obtain access to thousands of client accounts. On 18 September, $46,857.26 was transferred from a Caledonian client account to a Deutsche Bank Lisbon account. The transfer went unnoticed by both client and bank.

Emboldened, the hacker made a second transfer soon afterwards, in the sum of $310,000 from a different Caledonian account to the same Deutsche Bank Lisbon account. This time, however, alarm bells started ringing and the bank began an internal investigation. Its IT analysis discovered that the transfer was made via an IP address at Universidade do Porto, the Portuguese university attended by Rui Pinto.

The bank filed a criminal complaint alleging theft, fraud and illegitimate access and Pinto soon emerged as the hacker behind these transactions. He returned the second, larger sum but refused to return the first round of stolen cash, bizarrely claiming that he was entitled to it. His lawyer, Anibal Pinto (no relation), eventually reached an out-of-court settlement with Caledonian Bank in order for the criminal complaint to be dropped.

When asked about the Caledonian case by German news outlet Der Spiegel earlier this year, Rui Pinto claimed that he had signed a non-disclosure agreement with the bank and therefore was prevented from discussing it. However, none of the judicial documents mention any non-disclosure clause or agreement, exposing some seeming inconsistencies in Pinto’s story, and a likely attempt to conceal past crimes and misdemeanors. Pinto’s further attempts to explain his actions, arguing that he distrusted the banking system and that his alleged criminal acts were an attempt to investigate and expose the bank, provide startling insights into the mental pathology, and sheer hubris, of Rui Pinto.

Football Leaks Saga: Hacking, Data Theft and Blackmail

Shortly after the Caledonian affair, Pinto moved to Budapest. According to the Portuguese police investigation, in September 2015, Pinto illegally accessed the email accounts of Sporting Clube de Portugal’s board of directors and legal department, and the servers of Doyen Sports Investments Limited.

Following the hack, Pinto opened an email alias under the name of Artem Lubozov and contacted Doyen Sports, threatening to publish confidential documents unless the company paid out up to 1M euros. Pinto even sent his lawyer, Anibal Pinto, to conduct ransom negotiations on his behalf, and the extortion attempt lasted several weeks.

Subsequently, Pinto attempted to backpedal on his demands for a financial payout, absurdly claiming that he was unaware his actions could be characterized as criminal! The idea that Pinto did not understand he was trying to blackmail a private company is quite incredible.

It appears that after his attempted extortion failed, Pinto made the vast bulk of the information he had stolen – over 70 million documents – publicly available. Numerous investigative reports and official inquiries followed, focusing on prominent footballers, clubs and governing organizations. While these famous players and clubs are inevitably in the limelight, the source behind these stories is an alleged criminal who appears to have committed grave cybercrimes dating back many years.

Arrest and Extradition

Investigations into the hacker and his Football Leaks website resumed after email accounts at Sport Lisboa e Benfica were compromised. The hack was again performed by Rui Pinto. A European Arrest Warrant was finally issued by Portuguese authorities in January 2019, and Pinto was picked up by Hungarian authorities in Budapest. The warrant lists six major crimes allegedly committed by Pinto: two counts of illegitimate data access; two counts of secrecy violation; one count of offence to a collective entity; and one count of attempted extortion. Authorities seized computers, hard drives and documents from the alleged criminal’s possessions.

Unsurprisingly, Pinto has publicly denied the allegations against him. He has tried – and even had some initial success with the media – to brand himself as a “whistleblower,” exposing corruption in the soccer world. In a savvy move, he hired the French lawyer William Bourdon, who has represented high-profile self-declared whistleblowers such as Julian Assange and Edward Snowden, in efforts to associate himself with the idea of “fighting the good fight”.

These moves should pull the wool over no-one’s eyes, however, and the Hungarian judge was under no illusions when deciding that Pinto must be extradited to Portugal for his alleged crimes. With Pinto facing charges of blackmail and theft, this momentous court decision reflects the seriousness of the matter, and the implications it may have for future cybercrime cases.