How Hackers Stole $140 Million from Brazilian Banks for Just $2,760
In a staggering digital heist, hackers managed to steal approximately R$800 million ($140 million) from a network of Brazilian banks connected to the country’s central banking system. The attack, considered the largest cyber-fraud in Brazil’s history, was orchestrated by paying just R$15,000 ($2,760) to an employee at C&M Software, a São Paulo-based tech company linking smaller banks and fintechs to Brazil’s Central Bank infrastructure, including the instant payment system, Pix.
The Scheme Unfolded
- The hacker group approached João Nazareno Roque, an IT operator at C&M, and bought his system credentials.
- Roque also helped develop software that enabled the breach. He was arrested on July 3.
- On June 30, between 4 a.m. and 7 a.m., attackers impersonated banks and issued fraudulent Pix transfers, draining funds within hours.
Impacted Institutions and Immediate Effects
- Six financial institutions experienced unauthorized access to their reserve accounts.
- BMP, a banking-as-a-service provider, lost more than R$400 million ($73.8 million) from its central bank reserve account.
- Banco Paulista and other banks experienced temporary service interruptions but reported no direct customer losses.
Laundering the Stolen Funds via Cryptocurrency
- The criminals laundered approximately $30 to $40 million of the stolen money through cryptocurrencies such as Bitcoin, Ethereum, and Tether, using Latin American OTC desks and exchanges.
- Authorities managed to freeze a wallet holding nearly R$270 million ($49.8 million).
- Blockchain investigator ZachXBT is assisting law enforcement in tracking and freezing illicit crypto addresses related to the heist.
Why C&M and Pix Were Targeted
- Pix is Brazil’s instant payment platform, processing billions of transactions monthly with near-instant fund transfers.
- C&M Software provides connectivity between smaller financial institutions and the central banking system, making it a prime target to access multiple banks at once.
- The breach exploited legitimate employee credentials, not a technical vulnerability in C&M’s systems.
Ongoing Investigation and Security Measures
- Brazilian Federal Police and São Paulo authorities launched a joint task force to investigate the cybercrime network, which operates via platforms like Telegram and WhatsApp.
- Investigators are analyzing devices seized from Roque’s residence and tracing cryptocurrency flows.
- The Central Bank has recovered some stolen funds and continues efforts to track and freeze illicit assets.
- BMP assured customers that collateral covered the stolen funds, so they faced no direct losses.
This incident underscores the vulnerabilities inherent in centralized banking infrastructures and highlights how insiders and social engineering remain critical risks. It also illustrates the increasing role of cryptocurrencies in laundering stolen assets and the challenges regulators face in recovering them.








