The accused asked to be released and could face up to 6 years in prison

Veltri spent a week in prison domiciliary and, after the revocation of that benefit, he was transferred to a police station in the City of Buenos Aires, where He is still there because there is no space to refer him to a prison..

“I come to request that the nullity of the same be declared and that the immediate freedom of my client be ordered,” his lawyer wrote in a presentation made before Federal Court No. 7, in charge of Sebastian Casanello.

In the appeal itself, the defense explains what was the central argument that the judge used to toughen Veltri’s situation. According to the document, Casanello considered that there was a “risk of hindering the investigation” because the accused “contacted the witnesses to influence their statement,” and that is why he revoked the house arrest and moved forward with preventive detention.

In parallel, Justice has already blocked him an embargo for 910 million pesosa figure that the defense itself used to argue that there is already a strong asset restriction. The strategy seeks to dismantle that decision with a proposal for nullity. He maintains that the preventive detention was ordered ex officio by the judge, without an express request from the prosecution or the complaint, something that, according to the document, is not permitted by the Federal Criminal Procedure Code. In addition, he emphasizes that the resolution did not set a specific period for the arrest.

Veltri’s lawyers also appealed the resolution and asked that, if he is not released, at least they restore house arrest or impose a less burdensome measure, such as a electronic anklet. Furthermore, he requested the dismissal of the accused, maintaining that there is not enough evidence to sustain the accusation against him.

According to sources from the flag airline, the case came to light when “maneuvers carried out on the mileage purchasing system of the AR Plus program” were detected with the aim of “improperly modifying the amount to be paid and the number of miles credited.” Veltri, who had worked for Mercado Libre and the local cybersecurity company Strike, managed to buy an equivalent of 500 thousand dollars in miles and only paid 200 thousand Argentine pesos.

The exploitation of the vulnerability was, within the world of computer security, relatively simple: Veltri altered the source code of the page when purchasing miles and, instead of bouncing, the request was validated by the airline.

It is a more common type of failure than it seems, with a history that reached media throughout the country in 2020, when a hacker managed to change the price of the dollar in Nation Bank to buy currencies at a lower price. This does not stop it from attracting attention: it is a very big oversight for a company the size of Aerolíneas Argentinas, classified as “papelón” among sources in the local cybersecurity sector.

For this reason, Veltri could face a scenario with a maximum sentence of up to six years in prison.

The alleged system alteration occurred between December 2023 and January 2025: Veltri would have had more than a year to abuse the system. The figure that Justice analyzes is that of “computer system manipulation”incorporated into the Penal Code in 2008 within article 173, paragraph 16. It is, in simple terms, a criminal offense designed for cases in which someone alters or intervenes in a system to obtain an undue benefit.

“It is the type of crime designed for cases in which someone manipulates a system to obtain an undue benefit,” explains the lawyer specializing in computer crimes Pablo Palazzi. In this case, the hypothesis is that the airline systems were manipulated to generate or credit miles fictitiously and thus issue unpaid tickets.

In the file, one of the points that most complicates the accused is the traceability of the operations. According to Palazzi, the evidence appears “quite obvious”: the tickets were used without any real payment, and many of the operations were associated with their own name, credit card and close environment. In addition, there are third-party beneficiaries (friends and family, as La Nación published, who traveled with those miles) who were also registered, which expands the scope of the case.

Regarding the defense strategy, one of the possible arguments is that everything was due to a system error. But this approach has a clear limit in criminal law, warns Palazzi: “It is not a justification that the page had an error. If someone leaves the door of a dealership open and I go in to take a car, it does not exempt me from fraud, I am stealing a vehicle,” he summarizes. “The central point is the intention, because if the person knew that he was not entitled to that benefit, taking advantage of the failure does not exempt him from guilt,” he says.

The case could also open a civil front, because Aerolíneas Argentinas can take action against the company in charge of the system’s security, called Valtech, if it considers that there were security failures or negligence in the standards applied. “What is striking is not the error that the system had, since many companies have these failures. What is truly incredible is that the error was there for more than a year and no internal warning was triggered: without turning around, it is a total shame for Aerolíneas Argentinas because it cost him half a million dollars,” said a hacker consulted by Clarion.

Veltri could face, if the case progresses, up to six years in prison. However, in a first conviction scenario, it would most likely be that the sentence would be suspended if it was less than three years, as allowed by article 26 of the Penal Code. The case even has another possible path, which would be resolved through a suspension of the evidentiary trial (probation): there would be no effective sentence, but the accused would have to comply with rules of conduct for a certain period, perform community tasks and offer some form of economic reparation.

“He is a young kid with no criminal record, so it is likely that, even if convicted, the sentence will actually be light,” they said in the hallways of Comodoro Py. “What yes, You may be asked to return the half million dollars for which he had the trips,” they added, in what would be a very compromising scenario for the defendant’s finances.

On a legal level, the situation Veltri is in is not free either. Even if he did not end up in prison, the process would leave its mark: the prosecution remains in the record for years and can have a concrete impact on personal and work life. “Even if it is a non-violent crime, companies look at these records,” warns Palazzi.

Within the world of hacking there is a practice known as Bug Bounty: official programs in which companies (and even governments) pay hackers to find and report vulnerabilities. Many airlines have these systems (United, Lufthansa, LATAM, among others) and reward users who report problems to them.

It is worth clarifying two issues: first, that Aerolíneas Argentinas does not have a rewards program and part of Veltri’s argument is that the problem had already been reported but the vulnerability had not been patched.

And second, that airlines in general tend to have more problems of this type than is believed: in 2024, two Argentine hackers showed in Eco partythe largest hacker conference in Latin America, how reservations could be altered only with the last name and reservation number of a passenger.

An Argentine hacker, who asked not to be identified, sums it up like this: “Several years ago, the Bug Bounty did not exist and hackers did not have a legal framework to ‘search for things’ if they were not properly hired by the company. The concept came to put an end to that problem.”

“What this kid did is ridiculous: I once entered an airline’s employee management system and they rewarded me with 500 thousand miles. In this case we are talking about more than 16 million miles, in perspective, what was taken is crazy,” he points out, warning that “It was obvious that the chip was going to jump.”

The specialist also describes that not all companies handle the issue in the same way. Some have active reward systems while others only accept unpaid reports, under schemes called Vulnerability Disclosure Program (VDP). “There are companies that do not pay directly. That also influences how the community moves,” he explains.

In parallel, he warns about a gray area within the ecosystem itself: researchers who look for flaws in companies that do not have active programs and then try to negotiate a reward. “I see many colleagues doing that and I totally disagree. It sounds a bit extortionate to me,” he says.

Meanwhile, Veltri is not the only one investigated but there are 50 others involved who would have benefited from these operations for more than a year. But the only one who is detained is him.

The case will continue with a hearing to address the nullity claim. Afterwards, prosecutor Guillermo Marijuán must issue a ruling on preventive detention and prosecution, and the file could be submitted to the Federal Chamber to review the defense’s appeal.