How a Hacker Spent Only $2.7K to Steal $140 Million From Brazilian Banks

Here’s some ammo for decentralization advocates: Hackers stole approximately R$800 million ($140 million) from Brazilian banks after paying a technology company employee just R$15,000 ($2,760) for his corporate credentials, according to law enforcement officials investigating what they describe as the largest digital heist in the country’s history.

The attack targeted C&M Software, a São Paulo-based company that connects smaller banks and fintechs to Brazil’s Central Bank infrastructure, including the Pix instant payment system. Six financial institutions experienced unauthorized access to their reserve accounts on June 30, with criminals draining funds in under three hours.

“This is the biggest fraud suffered by financial institutions through the internet,” Paulo Barbosa, the São Paulo police detective leading the investigation, said at a press conference Thursday.

The scheme began in March when criminals approached João Nazareno Roque, an IT operator at C&M, outside a bar near his home. Roque confessed to selling his system credentials for R$5,000 initially, then receiving another R$10,000 to help create software that enabled the breach. Police arrested the 30-year-old at his City Jaraguá residence on July 3.

Between 4 a.m. and 7 a.m. local time on June 30, attackers issued fraudulent Pix transfer orders while impersonating the affected banks. BMP, a banking-as-a-service provider, was one of the most affected, confirming losses of more than R$400 million ($73.8 million) from its central bank reserve account. The company filed the initial police report that exposed the wider attack.

Criminals immediately began converting the stolen reais to cryptocurrency through Latin American over-the-counter desks and exchanges. Blockchain analysis from crypto sleuth ZachXBT indicates at least $30 million to $40 million moved into Bitcoin, Ethereum, and Tether (USDT) before authorities could freeze accounts. One wallet containing R$270 million ($49.8 million) has since been blocked.

The pseudonymous investigator said earlier today via Telegram that he has been helping investigators identify and freeze the cryptocurrency addresses associated with what he described as “one of the most insane cases from this year.”

What is Pix and C&M and why were they targeted?

Pix, Brazil’s instant payment platform launched in November 2020, processes billions of transactions monthly and has become the dominant payment method across the country. The system allows instant transfers between banks 24 hours a day, including weekends and holidays, with transactions completing almost instantly.

It has become widely adopted because users can link their accounts to familiar identifiers such as their phone number, email, or ID number. Pix also enables QR payments and offers different features designed to compete with credit card providers, including options that allow users to pay for purchases in installments.

The system works by interconnecting banks and financial institutions directly through the central bank’s digital infrastructure, allowing funds to move instantly between accounts. When a user initiates a Pix transfer, the payment request is routed directly through the central bank, which verifies the details and authorizes the transaction in real time. This eliminates the delays associated with traditional bank transfers, which often took minutes or even hours to clear, enabling payments and transfers to be completed within seconds, any time of day.

There have been other adjacent technologies implemented in Brazil, like banks being able to monitor other bank’s transactions for credit rating, for example.

Unlike previous attacks targeting individual Pix users through malware like PixPirate, this breach exploited the infrastructure connecting financial institutions to the central bank. The attackers accessed reserve accounts that banks maintain for settling transactions, rather than customer deposits.

“The analyses conducted so far have not identified any technical failures or vulnerabilities in CMSW’s systems. The incident occurred due to the unauthorized use of legitimate credentials. In addition to the employee’s credentials, there are indications that other authentication methods may have been exploited. The company’s quick response was only possible thanks to its robust security architecture,” C&M said in an official Q&A .

Founded in 1992 by Orli Machado, C&M provides messaging services that allow approximately 23 smaller financial institutions to access Brazil’s payment systems without building their own infrastructure. The company’s role as an intermediary made it an attractive target for criminals seeking access to multiple banks simultaneously.

Brazil’s central bank ordered C&M to disconnect from all financial infrastructure on July 2, temporarily disrupting Pix services for several institutions. Banco Paulista reported a “temporary interruption” in instant payments due to an “external failure,” while reassuring customers that no personal data or funds were compromised.

Federal Police Director Andrei Passos Rodrigues said his agency launched an immediate investigation in coordination with São Paulo state authorities. Investigators are examining whether the attack connects to Brazil’s sophisticated cybercriminal networks, which frequently coordinate through Telegram and WhatsApp channels.

Roque, the compromised IT operator, told investigators he communicated with at least four different voices during the June 30 attack, all sounding like young men. He claimed to have changed cell phones every 15 days to avoid detection and never met the other conspirators in person beyond the initial bar encounter.

The breach occurred despite Brazil’s banking sector investing heavily in cybersecurity following earlier incidents. C&M stated it had implemented “all technical and legal measures” after discovering the intrusion and continues cooperating with authorities.

BMP assured clients that sufficient collateral covered the stolen amounts, preventing any customer losses. The central bank confirmed it recovered portions of the diverted funds from regulated entities under its supervision, though recovery efforts remain limited for transfers to non-regulated cryptocurrency exchanges.

Police continue analyzing devices seized from Roque’s residence while working to identify other participants. Authorities have created a joint task force with the Federal Police and Public Ministry to trace the cryptocurrency transactions and potentially freeze additional assets.