The blocked Pix entities were Transfeera, Soffy, and Nuoro Pay

The invasion of C&M Software's systems, classified by authorities as the largest hacker attack against banks in the country's history, continues to affect the operations of Brazilian companies.

On Saturday (5), the Central Bank suspended three Pix institutions suspected of having received diverted funds in the attack on C&M Software. The blocked entities were Transfeera, Soffy, and Nuoro Pay, according to information from CNN.

The blocking of Pix for these three Pix institutions aims to protect the integrity of the payment system until the investigations into the diversion of resources from the financial system are completed. The Central Bank's plan is also to ascertain whether the three companies are related to the attack estimated to have diverted R$ 800 million from eight entities that used the systems of C&M Software.

Transfeera confirmed that the Pix functionality was suspended on its platform but communicated that its other services continue to operate normally. Fintechs Soffy and Nuoro Pay have not yet commented.

Recall the case

C&M Software, a company that connects smaller banks and fintechs to the infrastructure of the Central Bank of Brazil, was the target of a major hacker attack on June 30. The invaders gained access to the reserve accounts held at the Central Bank of eight institutions that used C&M Software's services, diverting around R$ 800 million in less than three hours.

"This is the largest fraud suffered by financial institutions online," said Delegate Paulo Barbosa, responsible for the investigation by the Civil Police of São Paulo, at a press conference.

The scheme began in March when criminals approached João Nazareno Roque, an IT operator at C&M, at a bar near his home. He was arrested on Thursday at his residence in the Jaraguá neighborhood of São Paulo and confessed to selling his credentials for R$ 5,000 initially and receiving another R$ 10,000 to help create the software that enabled the invasion.

Between 4 AM and 7 AM on June 30, the invaders issued fraudulent transfer orders via Pix, impersonating the affected institutions. BMP, a banking-as-a-service company, was one of the most affected, confirming losses of over R$ 400 million from its reserve account at the Central Bank.

The company was the first to file a police report, revealing the attack on a larger scale. The criminals immediately began converting part of the stolen money into cryptocurrencies through over-the-counter desks and exchanges.

A blockchain analysis conducted by the well-known crypto investigator ZachXBT indicates that at least $30 million to $40 million was converted into Bitcoin, Ethereum, and Tether (USDT) before authorities managed to freeze the accounts. A wallet containing R$ 270 million ($49.8 million) has already been blocked.