A Hacker’s $2.7K Scheme to Rob $140 Million from Brazilian Banks

Simply put

  • Hackers managed to steal $140 million from a network of Brazilian banks linked to the central banking system.
  • The scheme was orchestrated by compensating employees at a tech firm with just $2,760 for their credentials.
  • They funneled part of the stolen money through cryptocurrency, using Bitcoin, Ethereum, and Tether.

In what law enforcement describes as Brazil’s largest digital heist, hackers nearly made off with R$800 million (around $140 million) after paying R$15,000 ($2,760) to tech company employees for their corporate credentials.

The attack targeted C&M Software, a company in São Paulo that connects smaller banks and fintechs to Brazil’s central bank systems, including the PIX instant payment service. On June 30, six financial institutions faced unauthorized access, with fraudsters spending the funds in just three hours.

“This is the largest fraud incident that financial institutions have faced online,” remarked Paulo Barbosa, a detective leading the investigation, during a press conference on Thursday.

The scheme began in March, when criminals approached C&M’s IT operator, João Nazareno Roque, outside a local bar. Initially, he sold his system credentials for about $500. He then received a further R$10,000 to help build the software used in the breach. He was arrested on July 3 at his home in Jalagua, at 30 years old.

Between 4 AM and 7 AM on June 30, the attacker issued unauthorized PIX transfer commands while masquerading as the affected banks. BMP, a banking-as-a-service provider, was one of the hardest hit, with confirmed losses of over R$400 million (approximately $73.8 million) from a central bank spare account. The company filed a police report that revealed the broader attack.

Almost immediately, the criminals began converting the stolen reais into cryptocurrency, working through exchange desks in the U.S. Blockchain analysis by ZachXBT shows that at least $30-$40 million was moved into Bitcoin, Ethereum, and Tether before authorities could intervene to freeze the accounts. One wallet containing R$270 million (about $49.8 million) has been blocked.

An anonymous investigator stated on Telegram that they are assisting authorities in identifying and freezing cryptocurrency addresses tied to what they deemed “one of the craziest cases of the year.”

What are PIX and C&M and why were they targeted?

PIX, an instant payment platform launched in Brazil in November 2020, handles billions of transactions monthly and has become the leading payment method in the country. Users can transfer funds instantly between banks, even on weekends and holidays, with near-instant transaction completion.

The popularity emerges from the ability to link accounts with familiar identifiers like phone numbers and emails, along with features that compete with credit card offerings, such as QR payments and installment purchase options.

This system links banks and financial institutions directly via the central bank’s digital infrastructure, allowing for seamless fund transfers. When initiating a PIX transfer, requests are verified and approved in real time, eliminating the lag typical of conventional bank transfers.

Unlike prior attacks aimed at individual PIX users via malware, this breach targeted the infrastructure connecting financial institutions to the central bank, exploiting access to a spare account designated for transaction resolution rather than client deposits.

Preliminary analyses have not identified any technical flaws or vulnerabilities in C&M Software’s systems. The breach appears to stem from the misuse of legitimate credentials, possibly including multiple layers of authentication.

C&M, founded in 1992 by Orli Machado, provides messaging services that allow around 23 smaller financial institutions to access Brazilian payment systems without the need for their own infrastructure. This intermediary role has made the company a tempting target for criminals looking to access multiple banks at once.

Following the incident, Brazil’s central bank ordered C&M to disconnect from all financial infrastructures on July 2, leading to interruptions in PIX services across several institutions. Banco Paulista reported a “temporary interruption” of immediate payments due to “external failures,” assuring customers that their funds and personal data were secure.

Federal Police Chief Andrei Passos Rodrigues indicated that his agency is collaborating with São Paulo authorities to open an immediate investigation. They are exploring possible connections to Brazil’s sophisticated cybercrime networks.

Roque, the IT operator involved, communicated with at least four different people by voice during the June 30 attack, all of whom he said sounded young. He admitted to changing phones every fortnight to avoid detection and stated he had never met any of the other co-conspirators face-to-face, aside from the initial encounter at the bar.

This breach occurred despite substantial investments in cybersecurity across the Brazilian banking sector following previous incidents. C&M has claimed to have implemented all necessary technical and legal measures and continues to work with authorities after unearthing the intrusion.

BMP has reassured clients that their collateral sufficiently covers the stolen amounts to prevent losses. The central bank has confirmed that recovery efforts are limited due to transfers to unregulated cryptocurrency exchanges, although some funds have been retrieved from regulated entities.

Authorities remain busy analyzing devices taken from Roque’s residence while working to identify additional participants. They have set up a joint task force with federal police and civil authorities to track cryptocurrency transactions and freeze more assets.
