In a jaw-dropping breach of trust and security, hackers stole an estimated $140 million (roughly R$800 million) from six Brazilian banks after bribing an IT employee for a mere $2,700. The cyberattack, which occurred on June 30, 2025, targeted C&M Software, a key intermediary that links banks to the Central Bank of Brazil and its popular PIX instant payment network.
The digital robbery began when the attackers paid João Nazareno Roque, a 48-year-old IT technician at C&M Software, to hand over his corporate login credentials. With those, the hackers gained access to the infrastructure connecting financial institutions to the Central Bank’s reserve systems. The attack impacted six banks, including Banco BMF and others, and was executed on the same day.
A Plot Hatched Over Drinks
According to Brazilian media reports, Roque was first approached by the cybercriminals outside a São Paulo bar in March. What began as a casual approach turned into a high-stakes operation. Police say Roque was paid R$5,000 (around $920) for handing over his corporate login and password for the company C&M.
He later received another R$10,000 (around $1,850) that was paid in R$100 notes to carry out specific commands within the system. This enabled the hackers to carry out their theft undetected.
Roque allegedly communicated with the cybercriminals only via cellphone, while attempting to evade detection by frequently changing phones every 15 days. Also, his payment was reportedly delivered through motorcycle couriers. Despite the precautions, he was arrested by São Paulo police on July 3, 2025.
Not A Technical Flaw But A Human One
C&M Software emphasized that the breach did not stem from a vulnerability in its systems but was the result of social engineering—manipulating a trusted insider into helping attackers gain access to systems and processes rather than breaking through firewalls—to divert funds from institutional reserve accounts.
Once inside the system, the hackers siphoned money from reserve accounts—used by financial institutions to move funds among themselves—rather than from individual customer accounts. While no individual customer accounts were affected, the scale and speed of the attack have alarmed cybersecurity experts and financial regulators alike.
Immediate Fallout And Response
As soon as the breach was discovered, the Central Bank of Brazil ordered C&M Software to disconnect from all banking systems. PIX-related services were briefly suspended as a security precaution.
Brazilian authorities have reportedly frozen about $55 million (R$270 million) in stolen funds and arrested Roque. A portion of the stolen money—between $30 million and $40 million—has already been laundered into cryptocurrency—including Bitcoin (BTC), Ethereum (ETH), and Tether (USDT)—using Latin American crypto exchanges and unregulated OTC markets, according to blockchain investigator ZachXBT.
ZachXBT, known for his work tracking crypto-based crimes, is now working with Brazilian law enforcement to trace the laundered assets tied to the heist and freeze the stolen funds where possible.
What’s Next?
C&M Software claims its systems are now back online and that CMSW’s protection structure was decisive in identifying the origin of the improper access and isolating the breach quickly.
“So far, the evidence suggests that the incident was the result of the use of social engineering techniques to improperly share access credentials, and not of failures in CMSW’s systems or technology. We would like to emphasize that CMSW was not the origin of the incident and remains fully operational, with all of its products and services functioning normally,” C&M said in a statement.
Meanwhile, the Central Bank says it has strengthened oversight on PIX transactions and is working closely with investigators to trace and recover more funds.
