Hackers Steal $140 Million From Brazil’s Central Bank Via Software Vendor

Hackers successfully siphoned approximately R$800 million ($140 million) from six reserve accounts linked to Brazil’s central bank. The breach occurred on June 30 after attackers infiltrated São Paulo-based software vendor C&M Software. The unauthorized access was facilitated by an employee of C&M, João Nazareno Roque, who sold his corporate login credentials for R$15,000 ($2,770) and later developed a secondary access tool for an additional R$10,000 ($1,850). This allowed the attackers to gain direct access to the vendor’s infrastructure.

Investigators traced unauthorized instructions that moved funds from the reserve accounts held at the Central Bank of Brazil for interbank settlement into commercial bank accounts tied to over-the-counter (OTC) desks and regional exchanges. The stolen funds were then swiftly converted into major digital assets, including Bitcoin, Ethereum, and USDT, with estimates suggesting that between $30 million and $40 million of the stolen funds had already been swapped for these assets.

In response to the breach, the central bank ordered all institutions that routed through C&M to disconnect immediately. The firm was cleared to restore service two days later, with the central bank stating that critical systems remained intact. C&M’s commercial director, Kamal Zogheib, confirmed that the attack relied on fraudulent client credentials rather than a code flaw and assured cooperation with the Federal Police and São Paulo investigators. BMP, a banking platform provider affected by the raid, reported that only its reserve balance was impacted, with customer deposits remaining untouched.

Law enforcement officials have frozen R$270 million ($49.8 million) of the stolen funds while tracking additional flows and searching for at least four accomplices cited in preliminary warrants. Roque remained in custody in São Paulo as of July 3, with police alleging that he rotated his mobile phones every two weeks to avoid being monitored.

Transaction records indicate that the attackers structured transfers across multiple exchanges in Brazil, Argentina, and Paraguay, utilizing OTC brokers to settle into crypto within three hours of the initial breach. Sources reported that the attackers faced challenges in buying crypto with the stolen money in Brazilian OTC desks due to the large amounts raising red flags. Exchange operators have begun freezing balances tied to flagged addresses, and the central bank has signaled potential further controls on the instant payment rail PIX and reserve account interfaces.

The probe continues under federal supervision, with investigators prioritizing the recovery of funds and identifying the remaining organizers. On-chain analysis teams and Brazilian prosecutors are coordinating wallet freezes while attribution work continues. The central bank has not disclosed whether additional vendors will face new connection requirements but has indicated that further controls may be implemented to enhance security measures.