Brazil’s financial system has been rocked by a major security breach after C&M Software, the firm linking the Central Bank to domestic lenders, confirmed that attackers siphoned roughly $140 million from reserve accounts.
According to local media, the incident began when a C&M employee allegedly sold his login credentials to criminals for around $2,700. Using the compromised access, the hackers infiltrated C&M’s systems and initiated fraudulent transfers affecting six financial institutions.
Blockchain investigator ZachXBT reported that between $30 million and $40 million of the stolen funds were quickly converted into Bitcoin, Ethereum, and Tether, then laundered through Latin American crypto exchanges and over-the-counter desks.
The breach underscores the persistent vulnerability of centralized banking infrastructure, where insider threats can trigger devastating financial losses.
Fraudulent Pix Transfers and Rapid Crypto Conversions
The plot traces back to March, when attackers first approached João Nazareno Roque, an IT operator at C&M, offering cash in exchange for his credentials and later additional payment to help develop malicious software.
In the early hours of June 30, the group issued a wave of fraudulent Pix payment orders while posing as legitimate banks. BMP, a banking-as-a-service platform, confirmed that it lost more than $73 million from its reserve account alone, making it the hardest-hit institution.
Authorities moved to freeze assets, managing to block at least one wallet holding nearly $50 million. However, much of the funds had already been exchanged into crypto.
“This is one of the most insane cases from this year,” ZachXBT wrote on Telegram, adding that he was actively assisting investigators in mapping the flows of stolen funds.
Authorities Race to Recover Stolen Funds
C&M said it has implemented emergency measures and is cooperating fully with authorities. The company emphasized it had “taken all technical and legal steps” since discovering the breach, while Brazil’s central bank confirmed that some funds have been recovered from regulated institutions.
BMP reassured customers that the losses were covered by collateral reserves, avoiding any direct impact on client deposits.
Investigators are continuing to analyze seized electronics from the suspect’s residence and are working to identify additional conspirators. A joint task force has been established among the Federal Police, the Public Ministry, and forensic blockchain analysts to trace remaining cryptocurrency transactions and pursue recovery of the stolen assets.
Quick Facts
- Hackers stole about $140 million from Brazil’s central bank-linked accounts using insider credentials.
- Over $30 million was converted into crypto before authorities intervened.
- Police have arrested one suspect and are expanding the investigation to track additional accomplices.
