Hackers Steal $140 Million From Brazilian Banks Via Pix System

Hackers orchestrated a sophisticated scheme to steal approximately $140 million from a network of Brazilian banks connected to the country's central banking system. The operation was executed by paying a mere $2,760 to a technology company employee for his corporate credentials. This heist is considered the largest digital theft in Brazil's history, according to law enforcement officials.

The attack targeted C&M Software, a São Paulo-based company that facilitates connections between smaller banks and fintechs to Brazil's Central Bank infrastructure, including the Pix instant payment system. On June 30, six financial institutions experienced unauthorized access to their reserve accounts, with criminals draining funds in under three hours. The scheme began in March when criminals approached João Nazareno Roque, an IT operator at C&M, outside a bar near his home. Roque confessed to selling his system credentials for $5,000 initially, then receiving another $10,000 to help create software that enabled the breach. Police arrested the 30-year-old at his residence on July 3.

Between 4 a.m. and 7 a.m. local time on June 30, attackers issued fraudulent Pix transfer orders while impersonating the affected banks. BMP, a banking-as-a-service provider, was one of the most affected, confirming losses of more than $73.8 million from its central bank reserve account. The company filed the initial police report that exposed the wider attack.

Criminals immediately began converting the stolen reais to cryptocurrency through Latin American over-the-counter desks and exchanges. Blockchain analysis indicates at least $30 million to $40 million moved into Bitcoin, Ethereum, and Tether (USDT) before authorities could freeze accounts. One wallet containing $49.8 million has since been blocked.

Pix, Brazil's instant payment platform launched in November 2020, processes billions of transactions monthly and has become the dominant payment method across the country. The system allows instant transfers between banks 24 hours a day, including weekends and holidays, with transactions completing almost instantly. It has become widely adopted because users can link their accounts to familiar identifiers such as their phone number, email, or ID number. Pix also enables QR payments and offers different features designed to compete with credit card providers, including options that allow users to pay for purchases in installments.

The system works by interconnecting banks and financial institutions directly through the central bank’s digital infrastructure, allowing funds to move instantly between accounts. When a user initiates a Pix transfer, the payment request is routed directly through the central bank, which verifies the details and authorizes the transaction in real time. This eliminates the delays associated with traditional bank transfers, which often took minutes or even hours to clear, enabling payments and transfers to be completed within seconds, any time of day.

Unlike previous attacks targeting individual Pix users through malware, this breach exploited the infrastructure connecting financial institutions to the central bank. The attackers accessed reserve accounts that banks maintain for settling transactions, rather than customer deposits. The analyses conducted so far have not identified any technical failures or vulnerabilities in C&M’s systems. The incident occurred due to the unauthorized use of legitimate credentials. In addition to the employee’s credentials, there are indications that other authentication methods may have been exploited. The company’s quick response was only possible thanks to its robust security architecture.

Founded in 1992, C&M provides messaging services that allow approximately 23 smaller financial institutions to access Brazil's payment systems without building their own infrastructure. The company's role as an intermediary made it an attractive target for criminals seeking access to multiple banks simultaneously. Brazil’s central bank ordered C&M to disconnect from all financial infrastructure on July 2, temporarily disrupting Pix services for several institutions. Banco Paulista reported a "temporary interruption" in instant payments due to an "external failure," while reassuring customers that no personal data or funds were compromised.

Federal Police Director launched an immediate investigation in coordination with state authorities. Investigators are examining whether the attack connects to Brazil's sophisticated cybercriminal networks, which frequently coordinate through Telegram and WhatsApp channels. Roque, the compromised IT operator, told investigators he communicated with at least four different voices during the June 30 attack, all sounding like young men. He claimed to have changed cell phones every 15 days to avoid detection and never met the other conspirators in person beyond the initial bar encounter.

The breach occurred despite Brazil's banking sector investing heavily in cybersecurity following earlier incidents. C&M stated it had implemented "all technical and legal measures" after discovering the intrusion and continues cooperating with authorities. BMP assured clients that sufficient collateral covered the stolen amounts, preventing any customer losses. The central bank confirmed it recovered portions of the diverted funds from regulated entities under its supervision, though recovery efforts remain limited for transfers to non-regulated cryptocurrency exchanges. Police continue analyzing devices seized from Roque's residence while working to identify other participants. Authorities have created a joint task force with the Federal Police and Public Ministry to trace the cryptocurrency transactions and potentially freeze additional assets.