Brazilian authorities are investigating a cyberattack that resulted in the theft of hundreds of millions of reais from financial institutions connected to the country’s Central Bank. The breach, described by officials as the largest digital heist in Brazil’s history, targeted C&M Software, a company that provides banking infrastructure services to smaller institutions using the Pix instant payment system.
The attack occurred on June 30 and lasted less than three hours, during which criminals drained more than 800 million reais (around $140 million USD) from reserve accounts. These accounts are used by financial institutions to settle payments through the Central Bank, and were accessed via credentials stolen from João Nazareno Roque, an IT operator employed by C&M.
Roque was arrested on July 3 at his home in São Paulo. According to police, he admitted to selling his system credentials for roughly 15,000 reais (about $2,760 USD) and later assisting hackers in developing software that helped bypass security controls. Roque claimed he communicated with the group behind the attack through phone calls and online chats, changing his phone regularly to avoid detection.
Authorities say the stolen funds were quickly moved into cryptocurrencies including Bitcoin, Ethereum, and Tether. Investigators have blocked approximately 270 million reais linked to the fraud, but believe much of the money was laundered through over-the-counter crypto exchanges across Latin America.
The Pix system, introduced by Brazil’s Central Bank in 2020, has become the country’s most popular method for transferring money. It allows instant payments between users at any time of day and has been adopted by over 75% of the population. Its popularity and central role in Brazil’s economy make it a high-value target for cybercriminals.
Unlike past incidents involving individual users or malware, this breach focused on the infrastructure connecting banks and payment services to Pix. C&M Software, the intermediary that enabled access to Pix for institutions lacking their own connectivity, became the entry point for the attackers.
Police believe Roque’s credentials were used to issue fake Pix transactions on behalf of multiple banks. The banking-as-a-service provider BMP was among the hardest hit, reporting losses of over 400 million reais. However, the company emphasized that no customer funds or internal balances were compromised, and that sufficient collateral was in place to absorb the loss.
Brazil’s Central Bank ordered C&M to suspend connections to its systems following the breach. The company has since cooperated with law enforcement and stated that the attack was not due to internal technical flaws, but rather unauthorized use of valid credentials.
A joint task force involving federal and state authorities has been launched to trace digital footprints and freeze assets associated with the attack. Meanwhile, cybersecurity experts are urging financial institutions to reassess their third-party risks and reinforce controls over remote access systems.
As investigations continue, officials have expressed concern over the growing capabilities of criminal groups using social engineering and cryptocurrency laundering to bypass traditional defenses. The case has raised new questions about how to secure the digital infrastructure that supports modern banking systems.
This image is the property of The New Dispatch LLC and is not licenseable for external use without explicit written permission.
