C&M Software Hacked $140 Million Stolen From Brazil's Central Bank

On June 30, hackers successfully breached the São Paulo-based software vendor C&M Software, siphoning approximately R$800 million ($140 million) from six reserve accounts connected to Brazil’s central bank. The breach was facilitated by an employee, João Nazareno Roque, who sold his corporate login credentials for R$15,000 ($2,770) and later developed a secondary access tool for an additional R$10,000 ($1,850). This allowed attackers direct access to the vendor’s infrastructure, enabling them to move funds from the reserve accounts held at the Central Bank of Brazil for interbank settlement into commercial bank accounts tied to over-the-counter (OTC) desks and regional exchanges.

Investigators traced unauthorized instructions that moved the funds, and blockchain investigator ZachXBT estimated that between $30 million and $40 million of the stolen funds had already been swapped for major digital assets, including Bitcoin, Ethereum, and USDT. On-chain analysis teams and Brazilian prosecutors are coordinating wallet freezes while attribution work continues.

In response to the breach, the central bank ordered all institutions that routed through C&M to disconnect immediately. The firm was cleared to restore service two days later, with the central bank stating that critical systems remained intact. C&M commercial director Kamal Zogheib confirmed that the attack relied on fraudulent client credentials rather than a code flaw and stated that the firm is cooperating with the Federal Police and São Paulo investigators. BMP, a banking platform provider affected by the raid, reported that only its reserve balance was affected, and customer deposits remained untouched.

Law enforcement officials have frozen R$270 million ($49.8 million) while tracking additional flows and searching for at least four accomplices cited in preliminary warrants. Roque remained in custody in São Paulo as of July 3. Police allege that he rotated his mobile phones every two weeks to avoid being monitored.

Transaction records reviewed by ZachXBT and independent researchers indicate that the attackers structured transfers across multiple exchanges in Brazil, Argentina, and Paraguay, then utilized OTC brokers to settle into crypto within three hours of the initial breach. Sources who prefer to remain anonymous stated that the attackers found it challenging to buy crypto with the stolen money in Brazilian OTC desks, as most of the largest ones raised red flags due to the large amounts. The central bank has not disclosed whether additional vendors will face new connection requirements but signaled that the instant payment rail PIX and reserve account interfaces may receive further controls.

The probe continues under federal supervision, with investigators prioritizing the recovery of funds and identifying the remaining organizers. The central bank's swift response and coordination with law enforcement highlight the importance of robust cybersecurity measures in protecting financial systems from such sophisticated attacks. The incident underscores the need for continuous vigilance and the implementation of stringent security protocols to safeguard against future breaches.

The incident of $140 million theft has triggered broad discussion on fintech cybersecurity, third-party provider risks, and regulatory oversight. While the case remains under investigation, Brazilian officials are targeting to end these cybercrimes altogether.