Hackers laundered about R$ 230 million of the stolen funds using Bitcoin, Ethereum, and Tether, according to a blockchain specialist investigator.
Here’s an argument in favor of decentralization: hackers stole approximately R$ 800 million (US$ 140 million) from Brazilian banks after paying a technology company employee only R$ 15,000 (US$ 2,760) for their corporate credentials, according to authorities investigating what they consider the largest hack targeting banks in the country's history.
The attack targeted C&M Software, a São Paulo-based company that connects smaller banks and fintechs to the infrastructure of the Central Bank of Brazil, including the Pix instant payment system. On June 30, six financial institutions experienced unauthorized access to their reserve accounts, with criminals draining the funds in less than three hours.
'This is the largest fraud suffered by financial institutions over the internet,' stated police chief (delegado) Paulo Barbosa, who leads the investigation by the Civil Police of São Paulo, at a press conference.
The scheme started in March when criminals approached João Nazareno Roque, an IT operator at C&M, in a bar near his home. Roque confessed to having sold his credentials for an initial R$ 5,000 and to receiving another R$ 10,000 to help create the software that enabled the intrusion. The police arrested the 30-year-old man yesterday (July 3) at his home in the Jaraguá neighborhood.
Between 4 AM and 7 AM on June 30, the intruders issued fraudulent transfer orders via Pix, posing as the affected institutions. BMP, a banking-as-a-service company, was one of the hardest hit, confirming losses of more than R$ 400 million from its reserve account at the Central Bank. The company was the first to file a police report, which revealed the broader attack.
The criminals immediately began converting the stolen reais into cryptocurrencies through over-the-counter desks and brokers in Latin America. A blockchain analysis conducted by the well-known crypto investigator ZachXBT indicates that at least US$ 30 million to US$ 40 million were converted into Bitcoin, Ethereum, and Tether (USDT) before authorities could freeze the accounts. A wallet containing R$ 270 million (US$ 49.8 million) has already been blocked.
The pseudonymous investigator stated today, via Telegram, that he is helping investigators identify and freeze cryptocurrency addresses associated with what he described as 'one of the craziest cases of the year.'
What are Pix and C&M, and why were they targeted?
Pix, the instant payment platform launched in November 2020, processes billions of transactions per month and has become the leading payment method in Brazil. The system allows instant transfers between banks 24 hours a day, including on weekends and holidays, with almost immediate settlement.
Its broad adoption is due to the possibility of linking accounts to familiar identifiers, such as a phone number, email address, or CPF (the Brazilian taxpayer ID number). Pix also allows payments via QR code and offers features that compete with credit card operators, such as installment payments.
The system works by linking banks and financial institutions directly to the Central Bank's digital infrastructure, allowing funds to move instantly between accounts. When a user initiates a transfer via Pix, the request is sent directly to the Central Bank, which validates and authorizes the transaction in real time. This eliminates the delays of traditional bank transfers, allowing payments to settle in seconds at any time of day.
There are also complementary technologies in Brazil, such as monitoring transactions between banks for credit assessment.
Unlike previous attacks that targeted individual Pix users with malware like PixPirate, this invasion exploited the infrastructure connecting financial institutions to the Central Bank. The invaders accessed the reserve accounts that banks maintain for transaction settlement — not customer deposits.
‘The analyses conducted so far have not identified technical failures or vulnerabilities in CMSW's systems. The incident occurred due to the unauthorized use of legitimate credentials. In addition to the employee's credentials, there are indications that other authentication methods were also exploited. The company's quick response was only possible thanks to its robust security architecture,’ stated C&M in an official Q&A statement.
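The attack pattern the article describes, valid credentials used outside normal hours, one operator's credential issuing orders on behalf of several institutions, and a reserve account drained in a short window, is exactly the kind of behaviour a monitoring layer on the messaging intermediary could flag. The following is an added example written for this article, not code from C&M, BMP or the Central Bank; the field names, thresholds, business-hours window and sample orders are all assumptions constructed for illustration.

```python
"""Added example: velocity, off-hours and shared-credential checks over
transfer orders. All names, thresholds and sample data are hypothetical."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TransferOrder:
    ts: datetime
    institution: str   # institution the order claims to be issued for
    credential: str    # operator credential that authenticated the order
    amount_brl: int    # amount in whole reais (assumed field)


# Assumed policy values; a real deployment would tune these per institution.
BUSINESS_HOURS = (8, 20)                  # 08:00 <= hour < 20:00 is "normal"
WINDOW = timedelta(hours=1)               # sliding window for the checks
VOLUME_LIMIT_BRL = 50_000_000             # outbound volume per institution per window
MAX_INSTITUTIONS_PER_CREDENTIAL = 1       # one operator credential, one tenant

# Constructed sample data: two routine daytime orders plus three early-morning
# orders issued with one credential on behalf of two different institutions.
SAMPLE_ORDERS = [
    TransferOrder(datetime(2025, 6, 30, 10, 15), "BANK_A", "op-a1", 2_000_000),
    TransferOrder(datetime(2025, 6, 30, 14, 30), "BANK_B", "op-b7", 1_500_000),
    TransferOrder(datetime(2025, 6, 30, 4, 10), "BANK_A", "op-shared", 30_000_000),
    TransferOrder(datetime(2025, 6, 30, 4, 25), "BANK_B", "op-shared", 25_000_000),
    TransferOrder(datetime(2025, 6, 30, 4, 40), "BANK_A", "op-shared", 30_000_000),
]


def is_off_hours(ts: datetime) -> bool:
    """True when the order falls outside the assumed business-hours window."""
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect(orders):
    """Return sorted, de-duplicated (kind, subject) alerts for a batch of orders.

    kinds: "off_hours"         -> institution with orders outside business hours
           "velocity"          -> institution whose 1h outbound volume exceeds the limit
           "shared_credential" -> credential used for more than one institution in 1h
    """
    alerts = set()
    window_by_inst = defaultdict(deque)   # institution -> deque[(ts, amount)]
    total_by_inst = defaultdict(int)      # running sum of the deque above
    window_by_cred = defaultdict(deque)   # credential -> deque[(ts, institution)]

    for o in sorted(orders, key=lambda x: x.ts):
        if is_off_hours(o.ts):
            alerts.add(("off_hours", o.institution))

        # Sliding-window outbound volume per institution.
        q = window_by_inst[o.institution]
        q.append((o.ts, o.amount_brl))
        total_by_inst[o.institution] += o.amount_brl
        while o.ts - q[0][0] > WINDOW:      # q is never empty: o itself is the tail
            _, old_amount = q.popleft()
            total_by_inst[o.institution] -= old_amount
        if total_by_inst[o.institution] > VOLUME_LIMIT_BRL:
            alerts.add(("velocity", o.institution))

        # One credential acting for several institutions inside the window.
        c = window_by_cred[o.credential]
        c.append((o.ts, o.institution))
        while o.ts - c[0][0] > WINDOW:
            c.popleft()
        if len({inst for _, inst in c}) > MAX_INSTITUTIONS_PER_CREDENTIAL:
            alerts.add(("shared_credential", o.credential))

    return sorted(alerts)


if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_ORDERS):
        print(f"{kind:18s} {subject}")
```

Because Pix runs 24 hours a day, an off-hours order on its own is a weak signal and would be noisy in production; the value is in the combination, where one credential acting for multiple tenants while an institution's hourly outbound volume spikes is much harder to explain away, and where the alert can be raised before the window closes rather than after the reserve account is empty.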
Founded in 1992 by Orli Machado, C&M provides messaging services that allow around 23 smaller financial institutions to access Brazil's payment systems without needing to build their own infrastructure. The company's role as an intermediary made it an attractive target for criminals seeking simultaneous access to multiple banks.
The Central Bank of Brazil ordered C&M to disconnect from the entire financial infrastructure on July 2, temporarily interrupting Pix services for several institutions. Banco Paulista reported a 'temporary interruption' in instant payments due to an 'external failure', but assured customers that no personal data or funds were compromised.
The Director-General of the Federal Police, Andrei Passos Rodrigues, stated that the Federal Police opened an immediate investigation in coordination with the authorities of the state of São Paulo. Investigators are analyzing whether the attack is linked to sophisticated cybercriminal networks in Brazil, which often organize through channels on Telegram and WhatsApp.
Roque, the compromised IT operator, told investigators that he spoke with at least four different voices during the attack on June 30, all sounding like young men. He stated that he changed his phone every 15 days to avoid being tracked and that he never met the other conspirators in person, except for the first meeting at the bar.
The intrusion occurred despite the Brazilian banking sector's substantial investments in cybersecurity following previous incidents. C&M stated that it implemented 'all technical and legal measures' after detecting the intrusion and continues to cooperate with authorities.
BMP assured customers that the stolen amounts were covered by sufficient guarantees, preventing losses to users. The Central Bank confirmed that it has recovered part of the diverted funds through regulated entities under its supervision, although recovery efforts are more limited in the case of transfers to unregulated foreign cryptocurrency exchanges.
The police continue to analyze the devices seized at Roque's home while trying to identify others involved. Authorities have created a joint task force with the Federal Police and the Public Prosecutor's Office to track cryptocurrency transactions and possibly freeze new assets.