Unscrupulous Hacker Lays Hands on $140 Million from Brazilian Banks after Investing Just $2.7K

Unscrupulous Hacker Lays Hands on $140 Million from Brazilian Banks after Investing Just $2.7K

On June 30, 2025, Brazil experienced one of its largest digital heists in history, with hackers stealing approximately R$800 million ($140 million) from six Brazilian financial institutions. The breach occurred through C&M Software, a technology provider that links these banks with Brazil's Central Bank infrastructure, including the PIX instant payment system.

The attack was facilitated by an insider at C&M Software, João Nazareno Roque, a 48-year-old IT employee who sold his corporate credentials for around R$15,000. Roque communicated with at least four different voices during the attack, all sounding like young men, and claimed to have changed cell phones every 15 days to avoid detection.

The fraudulent transfers went undetected for about two and a half hours. One affected bank, BMP, reported losing roughly $73.8 million but managed to recover about $29.5 million. At least $30–40 million of the stolen funds were laundered by converting them into cryptocurrencies such as Bitcoin, Ethereum, and Tether.

The system works by interconnecting banks and financial institutions directly through the central bank's digital infrastructure, allowing funds to move instantly between accounts. PIX, launched in November 2020, has become the dominant payment method across Brazil, processing billions of transactions monthly. Users can link their accounts to familiar identifiers such as their phone number, email, or ID number, and the system offers features that compete with credit card providers.

C&M Software, based in São Paulo, was ordered to disconnect from all financial infrastructure on July 2, temporarily disrupting Pix services for several institutions. The company has stated it has implemented "all technical and legal measures" after discovering the intrusion and continues cooperating with authorities.

Brazilian authorities continue their investigation to arrest perpetrators and strengthen oversight following the heist. Investigators are working to identify other participants in the attack, having seized devices from Roque's residence. The breach has sparked serious concerns about cybersecurity in Brazil’s financial ecosystem.

Experts note that this incident highlights vulnerabilities in centralized financial infrastructure where insider threats and single points of failure can enable massive breaches. Decentralized technologies could mitigate such risks by distributing access and reducing honeypots of sensitive data and capital.

Brazil's central bank confirmed it recovered portions of the diverted funds from regulated entities under its supervision, though recovery efforts remain limited for transfers to non-regulated cryptocurrency exchanges. BMP, a banking-as-a-service provider, assured clients that sufficient collateral covered the stolen amounts, preventing any customer losses.

The Federal Police Director, Andrei Passos Rodrigues, launched an immediate investigation in coordination with São Paulo state authorities, examining whether the attack connects to Brazil's sophisticated cybercriminal networks. The investigation is ongoing.

1. The stolen funds, estimated at approximately R$800 million, were laundered by converting them into cryptocurrencies such as Bitcoin, Ethereum, and Tether.
2. C&M Software, a technology provider linking Brazilian banks with the Central Bank infrastructure, was the point of breach that led to the digital heist.
3. João Nazareno Roque, an insider at C&M Software, sold his corporate credentials for around R$15,000, facilitating the attack.
4. The general-news about the heist has sparked serious concerns about cybersecurity in Brazil’s financial ecosystem.
5. Experts suggest that decentralized technologies could mitigate vulnerabilities in centralized financial infrastructure, reducing risks like insider threats and single points of failure.
6. BMP, a banking-as-a-service provider, assured clients that sufficient collateral covered the stolen amounts, preventing any customer losses.
7. The Federal Police Director, Andrei Passos Rodrigues, launched an investigation in coordination with São Paulo state authorities, examining whether the attack connects to Brazil's sophisticated cybercriminal networks.
8. Investigators are working to identify other participants in the attack, having seized devices from Roque's residence, and continue to strengthen oversight following the heist.

Read also: