According to local media, this may be the largest hack ever perpetrated against the Brazilian banking system. Attackers leveraged USDT and bitcoin to cash out through exchanges and crypto institutions, using instant payment systems such as Pix.
Brazilian Banking System Exploited: Attackers Cash out Using Crypto
The Brazilian banking system has faced what might be the largest attack ever perpetrated against several of its institutions. On Tuesday, local media reported that C&M, a company that provides financial software to several large financial institutions in Brazil, including Bradesco, the second-largest bank in the country, had been attacked.
The unidentified party exploited a vulnerability in C&M’s software that allowed it to take control of several accounts linked to BMP, a banking-as-a-service provider. This allowed them to take millions of reais from institutions like Bradesco and Credsystem, another institution that provides credit card services.
While the Central Bank of Brazil acknowledged the attack happened and has disconnected C&M’s access to the system, there have been no official reports detailing the actual losses caused by this exploit.
Sources report that losses could reach up to 1 billion reais (over $180 million), which would already be out of the reach of these institutions, as hackers took quick action to move these funds outside the system using Pix, the Brazilian instant payment system.
To this end, the attackers took advantage of the popularity of this payment system and directed the stolen funds to several cryptocurrency exchanges supporting this feature to launder the funds. Part of the money was exchanged through these Brazilian platforms for bitcoin and Tether’s USDT.
Rocelo Lopes, CEO of Smartpay, criticized the vulnerability of the Brazilian banking system, which lacks the needed guardrails to stop this kind of attack in its tracks.
In statements offered to Brazil Journal, he stressed:
The heart of the problem is in the messaging. If they don’t change this, it will happen again, and other institutions will have problems. It really strikes me that there were no security protocols in place to stop this.
