From Favelas to Port Terminals: How Brazil's Designated Terror Groups Threaten Global Supply Chain Security

The US terrorist designation of the PCC and Red Command is a law enforcement milestone. But the more urgent security story is how these organizations have turned the world's ports—including those in Europe—into instruments of narco-logistics, and why cyber-physical attacks on port infrastructure are the next frontier.

On June 5, 2026, the United States will formally designate Brazil's two largest criminal organizations—the First Capital Command (PCC) and the Red Command—as foreign terrorist organizations. It is a landmark moment: the first time Brazilian groups have joined the FTO list, placing them alongside cartels from Mexico, Colombia, Ecuador, and Venezuela. The designation brings new financial and legal pressure. It also brings fresh urgency to a question that security analysts have been raising for years: what happens when organizations of this scale develop the capability to attack the infrastructure that keeps global trade moving?

The answer, it turns out, is already happening—and the Port of Antwerp is the clearest case study the world has yet produced of what organized crime can do when it gains access to port logistics systems. Understanding that case, in the context of the PCC and Red Command's now-designated status and their deep entanglement with European cocaine flows, is essential for anyone responsible for securing port infrastructure or regional supply chains.

1993 PCC founded in São Paulo's Taubaté prison

1970s Red Command was founded during Brazil's military dictatorship

16 Latin American FTO designations now active, including PCC and CV

2016 PCC–CV alliance collapsed, triggering hemisphere-wide violence

Two organizations, one converging threat

The PCC and the Red Command are different in structure, geography, and operational style—but they share a fundamental characteristic that makes both relevant to port security: they are transnational cocaine trafficking organizations whose supply chains run through the same container shipping networks that move legitimate global trade.

The PCC, founded in 1993 in São Paulo's prisons, has evolved into one of the most sophisticated criminal enterprises in the Western Hemisphere. Its decentralized governance model—organized through specialized units called sintonias—has made it resilient to law enforcement pressure. It maintains active operations throughout Latin America, has forged ties with the Italian mafia and other European criminal networks, and runs extensive money laundering infrastructure through US and European banks. It is, in the language of financial intelligence, a mature transnational criminal enterprise.

The Red Command, older and more territorially anchored, operates differently. Founded in Rio de Janeiro's prisons in the 1970s, it consolidated control through favela governance and direct confrontation with state authority. Its looser franchise structure made it more locally embedded but less globally coordinated than the PCC. Yet in recent years, it has been expanding into cyber-enabled criminal activities—a shift noted explicitly in criminal profile assessments—and has extended its reach into the Amazon basin and tri-border regions that serve as key cocaine transshipment corridors.

"Port infrastructure is not a passive backdrop to organized crime—it is an active target. When criminal networks compromise the systems that move containers, they are not just smuggling drugs. They are demonstrating the capacity to hold global trade to ransom."

Both organizations' cocaine trafficking routes converge on the same chokepoints: Brazilian and Paraguayan ports, Bolivian border crossings, and ultimately the container shipping lanes that feed European import terminals. Which brings us to Antwerp.

The Antwerp blueprint: how organized crime hacks ports

Between 2011 and 2013, Belgian and Dutch authorities uncovered an operation that fundamentally changed how law enforcement—and port security professionals—think about the nexus between organized crime and digital infrastructure. A network connected to Colombian and Dutch traffickers had successfully compromised the IT systems of the Port of Antwerp, one of Europe's busiest container terminals and a primary destination for South American cocaine shipments.

The attack was elegant in its design. Traffickers hid cocaine shipments inside legitimate containers. They then needed to retrieve those containers before port officials could inspect them. The problem: in a modern container terminal, thousands of containers move continuously under the management of complex logistics software—Terminal Operating Systems, or TOS—that tracks location, assigns handling equipment, and generates release codes.

To solve it, the criminal network placed hackers inside the port's IT infrastructure. Using a combination of phishing attacks targeting port employees and physical installation of keyloggers on terminal computers, they gained access to the TOS and could identify the precise location and release codes for their target containers. Corrupt truck drivers would then retrieve the shipments before legitimate handlers arrived—sometimes with hours to spare before customs inspections were scheduled.

CASE STUDY · ANTWERP 2011–2013

The anatomy of a port cyberattack

Criminal networks used phishing and physical keyloggers to penetrate Antwerp's Terminal Operating System. Once inside, they could track container locations and retrieve release codes in real time—allowing corrupt drivers to extract cocaine shipments before customs inspection. The operation ran undetected for two years. Belgian and Dutch police eventually dismantled it through a joint operation. The method has since been replicated at ports in Rotterdam, Barcelona, and across Latin America.

The operation ran for approximately two years before Belgian and Dutch police dismantled it. When they did, they found not just a drug trafficking scheme but a template—one that has since been replicated at ports in Rotterdam, Barcelona, Hamburg, and across Latin American terminals including Santos, the largest port in South America and a primary PCC operational zone.

Santos, the PCC, and the digitization of narco-logistics

The Port of Santos handles approximately 35% of Brazil's total trade volume. It is also one of the most documented entry and exit points for PCC cocaine shipments moving toward Europe. The organization's sophistication—the same decentralized sintonias structure that makes it resilient to law enforcement—maps directly onto the operational requirements of container port exploitation.

The PCC does not need centralized command to run a port infiltration operation. It needs corrupted dock workers, access to container tracking information, and relationships with the trucking and logistics contractors who operate inside terminal boundaries. All three are well within the organization's established operational capabilities in the Santos corridor.

What the Antwerp model added—and what makes the FTO designation's timing significant—is the cyber dimension. Port infiltration operations that once relied entirely on human insiders can now be augmented by digital access to Terminal Operating Systems, customs documentation platforms, and the scheduling software that governs container handling. The Red Command's documented move into cyber-enabled criminal activities suggests that this evolution is already underway among Brazilian criminal organizations.

PORT INFRASTRUCTURE ATTACK VECTORS — FROM PHYSICAL TO DIGITAL

  • Insider recruitment among dock workers, crane operators, logistics contractors, and customs agents
  • Phishing and spear-phishing campaigns targeting Terminal Operating System (TOS) users
  • Physical installation of keyloggers on shared terminals in port administrative buildings
  • Compromise of customs documentation and manifest systems to alter or obscure cargo declarations
  • Manipulation of container positioning data to redirect shipments before inspection windows
  • Ransomware attacks on port operators to create operational chaos and enable shipment retrieval during disruption
  • Targeting of trucking and logistics company systems to generate legitimate-looking release authorizations
  • Social engineering of port authority personnel with access to scheduling and inspection systems

The European exposure: Rotterdam, Hamburg, Barcelona

Europe's major container ports are the destination end of the PCC and Red Command's trafficking routes—and they have spent the past decade discovering, to considerable alarm, how deeply those routes rely on digital exploitation of port systems.

Rotterdam, the largest port in Europe, has been the subject of multiple investigations into organized crime infiltration of its logistics systems. Dutch authorities have documented cases of corrupt insiders providing container location data and release codes to criminal networks in exchange for payments—a direct replication of the Antwerp model. The Serious Crime Taskforce established by the Port of Rotterdam Authority in recent years reflects an acknowledgment that the problem is structural, not episodic.

Barcelona has faced similar pressures, with Spanish prosecutors documenting multiple cases of cocaine shipments extracted from the terminal using insider access to port logistics software. Hamburg—Germany's primary container port—has been subject to investigations into organized crime corruption of port workers, with German authorities estimating that criminal groups maintain active networks of paid informants across the terminal's workforce.

"The same decentralized, resilient structure that makes the PCC nearly impossible to decapitate through arrests is precisely what makes it capable of sustaining long-term, distributed operations inside port infrastructure across multiple continents."

What connects these European cases to the PCC and Red Command FTO designations is not speculation—it is documented operational history. European law enforcement has traced cocaine shipments through Santos and other Brazilian ports to arrivals in Antwerp, Rotterdam, and Barcelona. The criminal networks facilitating those shipments are the same organizations that the US has now designated as foreign terrorist entities.

What the FTO designation changes—and what it does not

The US designation of the PCC and Red Command as foreign terrorist organizations carries meaningful legal and financial consequences. US persons are prohibited from providing material support to designated entities. Financial institutions must screen transactions and freeze assets. The designation enables prosecution under anti-terrorism statutes that carry heavier sentences than conventional organized crime charges.

For the port security community, however, the designation's most significant effect may be indirect: it formally elevates the threat these organizations represent in the calculus of government agencies and private operators who have, until now, treated them primarily as law enforcement problems rather than national security ones. That framing shift has practical consequences for how resources are allocated, how intelligence is shared, and how port operators engage with government counterparts.

What the designation does not change is the underlying capability of either organization. The PCC's sintonias continue to operate. The Red Command's territorial networks in Rio's favelas and the Amazon remain intact. The cocaine routes through Santos and across the Atlantic continue to flow. The cyber-enabled infiltration techniques documented at Antwerp and elsewhere remain available to any criminal network with the resources and motivation to deploy them.

A framework for port cyber-physical security

The convergence of transnational organized crime, cocaine trafficking through container shipping, and digital exploitation of port logistics systems demands a response that operates simultaneously at the technical, organizational, and diplomatic levels.

At the technical level, port Terminal Operating Systems remain chronically under-secured relative to the value of what they protect. Legacy systems with poor access controls, shared credentials, and minimal logging are common even in major European terminals. The minimum viable security posture for any port handling significant South American cargo volumes should include multi-factor authentication for all TOS access, continuous monitoring of container location queries for anomalous patterns, network segmentation between administrative and operational systems, and regular third-party penetration testing.

At the organizational level, the insider threat problem demands as much attention as the technical one. The Antwerp operation succeeded not because the hackers were sophisticated—the initial compromise used basic phishing—but because corrupt insiders provided physical access and operational intelligence that amplified the digital attack. Pre-employment screening, ongoing behavioral monitoring, and anonymous reporting systems for suspicious colleague behavior are as important as firewalls.

RECOMMENDED SECURITY MEASURES FOR HIGH-RISK PORT ENVIRONMENTS

  • Multi-factor authentication mandated for all Terminal Operating System access, including contractor accounts
  • Anomaly detection on container location queries — unusual access patterns are an early indicator of insider threat
  • Network segmentation isolating cargo management systems from administrative and public-facing networks
  • Mandatory pre-employment vetting and periodic re-screening for all personnel with TOS access
  • Joint law enforcement intelligence-sharing protocols between port authorities, customs agencies, and national security bodies
  • Regular joint exercises simulating cyber-physical attack scenarios involving law enforcement and port operators
  • Real-time container movement reconciliation — flagging discrepancies between scheduled and actual container retrievals
  • Diplomatic coordination between origin and destination port authorities on high-risk shipment corridors
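
An added example (not from the original article or any port operator's code) of two measures listed above, anomaly detection on container location queries and container movement reconciliation, run over constructed sample records. The log fields, user and haulier IDs, and the one-hour threshold are assumptions; real Terminal Operating System audit schemas differ.

```python
# Added example; field names, IDs and thresholds are hypothetical (real TOS audit schemas differ).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real terminal).
ASSIGNMENTS = {"planner01": {"MSKU1000001", "MSKU1000002"}, "clerk07": {"TGHU2000001"}}
QUERIES = [  # (timestamp, user, action, container)
    ("2024-03-04T08:02", "planner01", "LOCATE", "MSKU1000001"),
    ("2024-03-04T08:05", "planner01", "RELEASE_CODE", "MSKU1000002"),
    ("2024-03-04T02:11", "clerk07", "LOCATE", "HLXU3000009"),
    ("2024-03-04T02:12", "clerk07", "RELEASE_CODE", "HLXU3000009"),
    ("2024-03-04T09:30", "clerk07", "LOCATE", "TGHU2000001"),
]
SCHEDULE = {  # container -> (scheduled haulier, pickup window start)
    "MSKU1000002": ("HAUL-A", "2024-03-04T14:00"),
    "HLXU3000009": ("HAUL-B", "2024-03-04T16:00"),
}
GATE_OUTS = [  # (timestamp, container, haulier that actually collected it)
    ("2024-03-04T14:20", "MSKU1000002", "HAUL-A"),
    ("2024-03-04T05:40", "HLXU3000009", "HAUL-C"),
    ("2024-03-04T11:00", "TGHU2000001", "HAUL-A"),
]

def flag_anomalous_queries(queries, assignments):
    """Return {user: [reasons]} for lookups on containers outside the user's work orders."""
    alerts = defaultdict(list)
    for ts, user, action, container in queries:
        if container not in assignments.get(user, set()):
            kind = "release code read" if action == "RELEASE_CODE" else "location lookup"
            alerts[user].append(f"{ts} {kind} on unassigned {container}")
    return dict(alerts)

def reconcile_gate_outs(gate_outs, schedule, early=timedelta(hours=1)):
    """Return [(container, reason)] where an actual retrieval deviates from the schedule."""
    findings = []
    for ts, container, haulier in gate_outs:
        if container not in schedule:
            findings.append((container, "no scheduled pickup"))
            continue
        planned_haulier, window = schedule[container]
        if haulier != planned_haulier:
            findings.append((container, f"haulier {haulier} != scheduled {planned_haulier}"))
        if datetime.fromisoformat(window) - datetime.fromisoformat(ts) > early:
            findings.append((container, "retrieved well before pickup window"))
    return findings

if __name__ == "__main__":
    print(flag_anomalous_queries(QUERIES, ASSIGNMENTS))
    print(reconcile_gate_outs(GATE_OUTS, SCHEDULE))
```

Correlating the two outputs is the useful step: a container that appears both in an out-of-assignment release-code read and in a reconciliation finding is the pattern the Antwerp case describes.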

At the diplomatic level, the FTO designation creates new leverage for international coordination. The designation allows the US to press partner governments—including Brazil, Belgium, the Netherlands, Spain, and Germany—to treat port security as a shared national security priority rather than a purely commercial or customs matter. Joint task forces that combine financial intelligence, cybersecurity capability, and port authority access are more effective than any single agency working alone.

The trajectory ahead

The PCC and Red Command did not become hemisphere-scale criminal enterprises by standing still. They adapted—from prison gangs to street-level traffickers to transnational organizations with European banking relationships and documented cyber capabilities. The Antwerp operation was documented in 2013. In the thirteen years since, both organizations have grown more sophisticated, more global, and more digitally capable.

The Red Command's move into cyber-enabled criminal activities, noted in its current criminal profile, is a signal worth taking seriously. An organization that once relied on territorial control and physical confrontation is developing digital tools. An organization with the PCC's administrative sophistication and European criminal partnerships has the resources to invest in those tools at scale.

Port infrastructure sits at the intersection of everything these organizations need: physical access to global shipping, digital systems that can be exploited for operational advantage, workforce vulnerabilities that enable insider threats, and the structural complexity that makes comprehensive security genuinely difficult. The FTO designation is a useful legal instrument. It is not a security solution.

The containers keep moving. So do the organizations that have learned to move with them.
