Brazil Bank Heist: $140M Stolen Via Central Bank Link
In Brief
- Hackers stole approximately R$800 million ($140 million) from banks connected to Brazil’s central banking system.
- The attackers gained access by paying a C&M Software employee just $2,760 for credentials.
- A portion of the stolen funds ($30 million – $40 million) was laundered through cryptocurrencies like Bitcoin, Ethereum and Tether.
The Breakthrough
Law enforcement officials have identified what they call the largest digital heist in Brazil’s history. Hackers executed the scheme by bribing an IT employee at C&M Software, a São Paulo company that facilitates connections between banks and the Central Bank’s Pix payment network.
Six financial institutions discovered unauthorized access to their reserve accounts at the end of June. Funds were drained within a three-hour window starting June 30.
“This is the biggest fraud suffered by financial institutions through the internet,” said Paulo Barbosa, the São Paulo police detective leading the investigation, according to reports.
The Target: C&M Software & The Pix Network
Unlike attacks typically focused on individual users, the breach exploited C&M Software’s role as an intermediary. The company provides messaging services, enabling smaller banks and fintechs to connect to Brazil’s central bank infrastructure and use the Pix instant payment system.
Pix, launched in November 2020, handles billions of transactions monthly. Its key strength is allowing instant transfers 24/7 by connecting institutions directly via central bank infrastructure.
Brazil’s central bank ordered C&M to disconnect on July 2, a move that highlights the company’s value as a strategic target for criminals seeking access to multiple banks at once.
Methodology & Aftermath
The scheme began in March, culminating in the June 30 attack. The accused IT operator, João Nazareno Roque, allegedly met potential hackers outside a bar. He confessed to selling his system credentials.
Between 4 a.m. and 7 a.m. local time, attackers issued fraudulent Pix transfers while impersonating affected banks. Payments were processed from reserve accounts, not customer deposits.
C&M pointed to “unauthorized use of legitimate credentials” as the vulnerability, rather than technical flaws in its systems.
The stolen Brazilian Real (BRL) was quickly converted to cryptocurrency through Latin American over-the-counter desks and exchanges. Decrypt reports that blockchain analysis shows $30-40M was moved, including $49.8M identified from a single wallet. Law enforcement is working to block and trace these assets.
Multiple institutions reported staggering losses, with a fintech provider losing over R$400 million.