Build It and They'll Come: How Fraud Co-Evolves with Digital Infrastructure
Part 2 of 2. Part 1 covered the history of digital identity in Brazil and the data infrastructure that made industrial-scale fraud possible. This piece examines why fraud doesn't attack weak systems, but good ones, and what that means for every country building digital public infrastructure today.
There is a pattern in Brazil's fraud history that becomes visible only in retrospect. Every major expansion of digital infrastructure (Pix, frictionless onboarding, facial biometrics, WhatsApp as a communication layer, and so on) was followed, with a lag of months to a few years, by a wave of fraud that used that infrastructure as its primary instrument. This is not a coincidence. And it is not, as it might first appear, an argument against building digital infrastructure.
It is an argument for understanding what great infrastructure actually attracts.
Fraud Doesn't Attack Weak Systems. It Attacks Great Ones.
The common intuition about fraud is that it exploits gaps: poor security, weak verification, careless institutions. And that's true at the margins. But the most consequential fraud in Brazil over the past two decades didn't happen at the margins. It happened at the center of the most successful infrastructure the country built. Take Pix, for example.
Pix processes more than R$36 trillion in transactions annually. It works for everyone across income levels, device types, and levels of digital literacy. It is fast, reliable, and genuinely transformative for financial inclusion. It is also the preferred instrument for extracting value from social engineering fraud, because its most valuable property, instantaneity, is as valuable to a fraudster as it is to a legitimate user.
There’s also the WhatsApp case. The app connected Brazil across every social and economic boundary. It is the channel where people communicate with those they trust most. A key factor helped it defeat SMS and other chat apps: WhatsApp was offered as zero-rated, meaning its use did not count against users’ data plans, and it came embedded in most internet packages in Brazil. Today, it is one of the primary channels through which social engineering fraud is delivered, precisely because of that convenience and trust.
Lastly, biometrics made digital onboarding more secure than what came before. They also gave the market a false confidence in a single signal, and created a concentrated target for generative AI to attack.
The pattern is consistent: fraud doesn't attack the weakest point in the system. It attacks the most valuable one. And the most valuable points are always where the most successful infrastructure lives.
Co-Evolution, Not Cat and Mouse
The usual framing for fraud versus security is "cat and mouse": a chase in which defenders respond to attackers, attackers adapt, defenders respond again. That framing implies a sequence: fraud happens, security catches up.
What Brazil's experience actually illustrates is something more intertwined than that. Fraud and digital infrastructure are not chasing each other. They are co-evolving, each developing in response to the other in a continuous feedback loop where neither side is purely reactive. When Pix launched, fraud operators didn't wait to see if it was useful. They began adapting their operations to it almost immediately, because anyone capable of reading the infrastructure's design properties could see, in advance, that instantaneity plus mass adoption was a near-perfect fraud instrument. The fraud wave that followed wasn't a response to Pix. It was a parallel development, running on the same timeline.
The same dynamic played out with digital bank onboarding. As banks competed to reduce friction, fraud operators competed to exploit the reduced friction. The laranjas (mule) account market expanded in direct proportion to the ease of account opening. The infrastructure and its exploitation developed together.
This is what complex systems theorists call co-evolution: two systems adapting to each other continuously, where each improvement on one side creates selective pressure for a corresponding improvement on the other. It is the same dynamic that governs predator and prey in biological systems, or offense and defense in military technology. Neither side wins permanently. Both sides get more sophisticated.
The implication is important: you cannot build your way out of this problem after the fact. Once infrastructure is embedded and operating at scale, the fraud ecosystem that has adapted to it is also embedded. You can improve defenses incrementally, but you are always adapting to an ecosystem that adapted to your infrastructure while you were building it.
The Absent Voice at Every Design Table
How does a country build extraordinary digital infrastructure and consistently fail to anticipate the bad actors who follow?
Well, the teams that build payment systems are optimizing for transaction volume, uptime, and accessibility. The teams that build onboarding flows are optimizing for conversion rates and user experience. The teams that build identity infrastructure are optimizing for interoperability and coverage. These are all legitimate goals, and the people pursuing them are skilled at what they do. What is almost never present at these design tables, with equal standing, is adversarial thinking, the discipline of asking, before deployment, "who else benefits from this, and how?"
Security teams are typically consulted on implementation, not on design. Fraud teams are typically called in after launch, when the patterns become visible. Regulators typically respond to what has already happened, not to what the infrastructure makes possible.
The result is a consistent pattern: inclusion-first design, security as an afterthought, fraud as incident. Build the highway. Watch the accidents. Add the guardrails.
The highway analogy is deliberate. When governments build roads, they don't wait for fatalities to decide on lane markings, speed limits, and crash barriers. Those are design parameters, built in from the start, because engineers understand that faster movement creates faster failure modes. The cost of retrofitting safety into existing infrastructure is orders of magnitude higher than building it in.
Digital infrastructure hasn't developed that discipline yet, anywhere in the world. But the countries building and exporting digital public infrastructure today have an opportunity to develop it. Brazil's experience is, in this sense, a gift to everyone who comes after, if they're willing to read it carefully.
What Security-by-Design Actually Means
Security by design is not a constraint on inclusion. It is a condition for inclusion that lasts.
The practical difference is in when and how security is integrated into the design process. In the current model, security is a gate: a checklist applied before launch, focused on known threats, after the fundamental design decisions have already been made. I call it the dashboard model. In a security-by-design model, adversarial thinking is a design input, present from the earliest architecture decisions, asking not only "does this work?" but "what does this make possible that we haven't intended?"
For a payment system, that means asking: what happens to fraud rates when settlement is instant and irreversible? (Pix was irreversible in the beginning; it took some time to fix that.) What mechanisms exist to interrupt a transaction that looks anomalous before it completes? What is the recoverable state when a fraud event occurs, and who bears the cost? These are not security questions layered on top of a payment system. They are design questions about what kind of payment system to build.
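To make the "interrupt before it completes" and "recoverable state" questions concrete, here is an added illustration (not code from the essay, and not a description of how Pix or any real payment rail works): a toy instant-payment ledger that compares two settlement policies. Under the instant policy every transfer settles immediately and irreversibly; under the hold policy a pre-settlement risk check parks anomalous transfers (a high-value first transfer to an unseen payee, or a burst of transfers) in a short hold window during which the payer can still reverse them. The thresholds, window length, account names and the scenario itself are all constructed for the example.

```python
"""
Added example: two settlement policies for a toy instant-payment ledger.
Every threshold, account id and transfer below is a constructed assumption,
not a property of Pix or of any other real system.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

HOLD_WINDOW_SECONDS = 1800  # hypothetical review window for flagged transfers
NEW_PAYEE_LIMIT = 1_000.0   # hypothetical: first transfer to an unseen payee above this is flagged
VELOCITY_LIMIT = 3          # hypothetical: this many prior transfers within VELOCITY_SECONDS is flagged
VELOCITY_SECONDS = 300


@dataclass
class Transfer:
    tx_id: str
    payer: str
    payee: str
    amount: float
    ts: int  # unix seconds


@dataclass
class Ledger:
    balances: Dict[str, float]
    known_payees: Dict[str, Set[str]] = field(default_factory=dict)
    history: Dict[str, List[int]] = field(default_factory=dict)   # payer -> submit timestamps
    settled: Dict[str, Transfer] = field(default_factory=dict)
    held: Dict[str, Tuple[Transfer, int]] = field(default_factory=dict)  # tx_id -> (transfer, release_ts)


def risk_flags(ledger: Ledger, t: Transfer) -> List[str]:
    """Cheap pre-settlement signals; real systems would use many more."""
    flags = []
    if t.payee not in ledger.known_payees.get(t.payer, set()) and t.amount > NEW_PAYEE_LIMIT:
        flags.append("new_payee_high_value")
    recent = [ts for ts in ledger.history.get(t.payer, []) if 0 <= t.ts - ts <= VELOCITY_SECONDS]
    if len(recent) >= VELOCITY_LIMIT:
        flags.append("velocity")
    return flags


def _settle(ledger: Ledger, t: Transfer) -> None:
    ledger.balances[t.payee] = ledger.balances.get(t.payee, 0.0) + t.amount
    ledger.known_payees.setdefault(t.payer, set()).add(t.payee)
    ledger.settled[t.tx_id] = t


def submit(ledger: Ledger, t: Transfer, hold_anomalous: bool) -> str:
    """Returns 'rejected', 'held' or 'settled'. The payer is debited immediately in both policies."""
    if ledger.balances.get(t.payer, 0.0) < t.amount:
        return "rejected"
    flags = risk_flags(ledger, t)          # evaluate before recording this submission
    ledger.history.setdefault(t.payer, []).append(t.ts)
    ledger.balances[t.payer] -= t.amount
    if hold_anomalous and flags:
        ledger.held[t.tx_id] = (t, t.ts + HOLD_WINDOW_SECONDS)
        return "held"
    _settle(ledger, t)
    return "settled"


def reverse(ledger: Ledger, tx_id: str) -> bool:
    """Only a transfer still inside its hold window is recoverable; settled ones are final."""
    entry = ledger.held.pop(tx_id, None)
    if entry is None:
        return False
    t, _ = entry
    ledger.balances[t.payer] += t.amount
    return True


def release_due(ledger: Ledger, now: int) -> List[str]:
    """Settle held transfers whose window elapsed without a reversal."""
    released = []
    for tx_id, (t, release_ts) in list(ledger.held.items()):
        if now >= release_ts:
            del ledger.held[tx_id]
            _settle(ledger, t)
            released.append(tx_id)
    return released


def scenario(hold_anomalous: bool):
    """Constructed case: a victim is talked into paying an account they have never paid,
    then reports it ten minutes later. Returns (status, recovered, victim_balance, mule_balance)."""
    ledger = Ledger(balances={"victim": 5_000.0, "mule": 0.0})
    status = submit(ledger, Transfer("tx1", "victim", "mule", 4_000.0, ts=1_000), hold_anomalous)
    recovered = reverse(ledger, "tx1")      # report arrives at ts=1600, inside the window
    release_due(ledger, now=1_600)
    return status, recovered, ledger.balances["victim"], ledger.balances["mule"]


if __name__ == "__main__":
    print("instant policy:", scenario(hold_anomalous=False))
    print("hold policy:   ", scenario(hold_anomalous=True))
```

The point the two runs make is the one the paragraph asks about: the recoverable state is a design decision taken at settlement time, not a control added afterwards. Under the instant policy the victim's report arrives after the money is already with the payee; under the hold policy the same report lands inside the window and the transfer is unwound, while unflagged transfers to known payees still settle instantly.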
For an identity infrastructure, it means asking: what is the attack surface created by centralizing biometric data in a state database? What happens when that data is leaked, and it will leak, and is there a remediation path? What signals, beyond a document match at onboarding, constitute ongoing assurance that the person transacting is who they say they are?
For a data governance framework, it means asking: what are we making possible by collecting and aggregating this data? Who else, with access to this data, legitimately or not, benefits from its existence?
None of these questions prevent good infrastructure from being built. They make the infrastructure more durable.
The International Stakes
Brazil is not alone in this challenge, but it is ahead of most countries in having lived through it. The fraud ecosystem Brazil is navigating today is the one that other countries, particularly those currently deploying instant payment systems, digital identity frameworks, and mass financial inclusion programs, will face within the next decade.
India's UPI, the digital payment systems being built across Africa and Southeast Asia, the identity infrastructure projects backed by development banks globally: all of these are being built with the same primary optimization, access. All of them will attract the same secondary consequence: fraud ecosystems that co-evolve with their success.
The question is not whether that co-evolution happens. It will: data leaks, and adoption is king. The question is whether the institutions building this infrastructure treat security as a design parameter from the beginning, or whether they repeat the pattern: build first, respond later, retrofit under pressure.
Brazil's story is a case study in what happens when adversarial thinking arrives late to a design process that moved fast. The ambition was right. The inclusion was real. The infrastructure works. What is missing, and what every subsequent DPI project has the opportunity to include from day one, is the discipline of asking, at each bifurcation point: who else is going to walk through this door we're building, and are we ready for them?
Yasodara Córdova thinks and builds at the intersection of digital identity, fraud ecosystems, privacy, security and why systems break in ways nobody planned for. She has developed work with Harvard University, the World Bank, W3C, the World Economic Forum, and SXSW, among others.