Quick overview

---

Law enforcement officials are investigating what they are calling the biggest digital heist in Brazilian history, where hackers stole about $140 million from Brazilian banks after paying a technology company employee only R$15,000 ($2,760) for his corporate credentials.

A São Paulo-based company called C&M Software, which connects fintechs and smaller banks to the Pix instant payment system and other Central Bank infrastructure in Brazil, was targeted. Criminals gained unauthorized access to the reserve accounts of six financial institutions.

Paulo Barbosa, the São Paulo police detective leading the investigation, stated at a press conference Thursday that “this is the biggest fraud suffered by financial institutions through the internet.”

The plot began when thieves approached João Nazareno Roque, an IT operator at C&M, outside a bar near his home in March.

Roque admitted to initially selling his system credentials for R$5,000, then receiving an additional R$10,000 to help develop the software that enabled the breach.

Police arrested the 30-year-old at his home in City Jaraguá. The attackers pretended to be the impacted banks and issued fake Pix transfer orders on June 30, local time.

Banking-as-a-service provider BMP was among the most affected, confirming losses exceeding R$400 million ($73.8 million) from its central bank reserve account. The company filed the first police report revealing the extent of the wider attack.

Criminals quickly used Latin American over-the-counter desks and exchanges to convert the stolen reais into cryptocurrency. Blockchain analysis by crypto expert ZachXBT shows that before authorities could freeze accounts, at least $30–40 million had been transferred into Bitcoin, Ethereum, and Tether (USDT). The R$270 million ($49.8 million) held in one wallet has since been blocked.