5-7-2025 – Cybercriminals executed Brazil’s largest digital banking heist by paying a technology company employee just $2,760 for system credentials, then stealing $140 million from multiple banks within three hours on June 30.
The attack targeted C&M Software, a São Paulo firm that connects smaller banks to Brazil’s central banking infrastructure, including the Pix instant payment system. Six financial institutions saw their reserve accounts drained between 4 a.m. and 7 a.m. local time as attackers issued fraudulent transfer orders while impersonating the affected banks. BMP, a banking-as-a-service provider, confirmed losses exceeding $73.8 million from its central bank reserve account.
Police arrested 30-year-old IT operator João Nazareno Roque on July 3 after he confessed to selling his corporate credentials. The scheme began in March when criminals approached Roque outside a bar near his home, paying him $5,000 initially and another $10,000 to help create software enabling the breach. At least $30 million to $40 million of the stolen funds moved into Bitcoin, Ethereum, and Tether through Latin American crypto exchanges before authorities could freeze accounts, according to blockchain investigator ZachXBT.
Brazil’s central bank ordered C&M to disconnect from all financial infrastructure on July 2, temporarily disrupting Pix services for several institutions. Authorities have established a joint task force to trace cryptocurrency transactions and identify additional participants in what investigators call the country’s biggest internet-based financial fraud.