Massive $140 Million Cyber Heist: How Hackers Outwitted Brazilian Banks

In a shocking betrayal of trust and security, hackers orchestrated a stunning cyber heist, stealing an estimated $140 million (approximately R$800 million) from six Brazilian banks. The attack, which occurred on June 30, 2025, was made possible after they bribed an IT employee with a mere $2,700. The targeted entity was C&M Software, a vital link that connects banks to the Central Bank of Brazil and its popular PIX instant payment network.

The digital crime spree began when the attackers successfully bribed João Nazareno Roque, a 48-year-old IT technician at C&M Software, to surrender his corporate login credentials. With this access, the hackers infiltrated the infrastructure that connects financial institutions to the Central Bank’s reserve systems. The operation affected six banks, including Banco BMF, and was executed in full on the same day.

A Deceptive Encounter at a Bar

As reported by Brazilian media, Roque was initially approached by the cybercriminals outside a bar in São Paulo back in March. What began as a casual conversation quickly escalated into a high-stakes scheme. Authorities revealed that Roque was compensated with R$5,000 (around $920) for providing his corporate login and password for C&M Software.

He later received an additional R$10,000 (about $1,850), delivered in R$100 notes, to execute specific commands within the system, enabling the hackers to carry out their theft without raising alarms.

To communicate with the cybercriminals, Roque reportedly used cellphones, changing devices every 15 days to avoid detection. Payments were delivered via motorcycle couriers. Despite these attempts to evade capture, he was arrested by São Paulo police on July 3, 2025.

A Human Error, Not a Technical Flaw

C&M Software clarified that the breach was not due to a vulnerability in its systems. Instead, it was a case of social engineering, in which a trusted insider was manipulated into facilitating unauthorized access, rather than a breach of firewalls. The hackers diverted funds from institutional reserve accounts rather than individual customer accounts. Although no customer accounts were compromised, the scale and rapid execution of the attack have raised alarms among cybersecurity experts and financial regulators.

Immediate Repercussions and Response

Upon discovering the breach, the Central Bank of Brazil promptly ordered C&M Software to disconnect from all banking systems, leading to a temporary suspension of PIX-related services as a precautionary measure.

Brazilian authorities have frozen approximately $55 million (R$270 million) in stolen assets and apprehended Roque. A significant portion of the stolen funds, estimated between $30 million and $40 million, has already been laundered into cryptocurrencies—such as Bitcoin (BTC), Ethereum (ETH), and Tether (USDT)—using Latin American crypto exchanges and unregulated OTC markets, according to blockchain investigator ZachXBT.

ZachXBT, renowned for tracing crypto-related crimes, is collaborating with Brazilian law enforcement to locate the laundered assets linked to this heist and to freeze any remaining stolen funds.

What Lies Ahead?

C&M Software has announced that its systems are back online and asserted that its protective measures played a crucial role in identifying the source of the unauthorized access and isolating the breach swiftly.

“The evidence indicates that this incident resulted from social engineering tactics used to improperly share access credentials, rather than any failures within CMSW’s systems or technology. We want to stress that CMSW was not the origin of this incident and remains fully operational, with all products and services functioning normally,” C&M stated.

Meanwhile, the Central Bank has intensified its oversight of PIX transactions and is actively collaborating with investigators to trace and recover additional funds.