In the early hours of June 30th, Brazil experienced the largest cyberattack in its financial system’s history. Official sources confirmed that at least R$550 million (approximately 100 million USD) was stolen. Some unofficial estimates already suggest losses could reach R$2.75 billion (around 500 million USD). Surprisingly, this massive breach was not caused by a vulnerability in the system, but rather by a simple human failure: an employee willingly shared his login credentials with cybercriminals.
Brazil’s payment system includes a modern, fast, and free platform called PIX. This platform allows individuals and businesses to transfer money instantly using identifiers such as email addresses, phone numbers, or national tax IDs (CPF/CNPJ). The Central Bank of Brazil, which oversees financial stability, controls the reserve accounts of financial institutions, and regulates access to the national payments infrastructure, manages this system.
C&M Software, a financial integration provider founded in 1992, serves as a key intermediary between financial institutions and Brazil’s Central Bank infrastructure. Unfortunately, the breach originated within this company. A junior developer named João Nazareno Roque was allegedly approached by hackers and agreed to share his credentials in exchange for approximately R$5,500 (around 1,000 USD).
With access to the environment, the attackers observed the system’s infrastructure and architecture for several days. Later, in exchange for an additional R$11,000 (approximately 2,000 USD), the junior developer executed a series of commands at the hackers’ request. These commands did not trigger the attack directly but prepared the environment in a way that later allowed the cybercriminals to carry out the operation successfully.
Through this setup, the attackers gained access to reserve accounts belonging to companies that are clients of C&M Software, including BMP, which publicly reported a loss of R$550 million (around 100 million USD). The stolen funds were transferred during the early morning hours and quickly converted into cryptocurrency to cover the attackers’ tracks.
The attack is currently under investigation, and the perpetrators remain unidentified. However, this event offers several important lessons for the global cybersecurity and financial community.
This cyberattack is a stark reminder that even national-level institutions can fall victim to simple but devastating forms of cybercrime. Credential protection, access restriction, and employee training are not optional; they are essential pillars of a modern security strategy.
As organizations worldwide continue to adopt digital solutions, it is critical that they take a security-first approach. After all, even the most sophisticated system can collapse when one weak password opens the wrong door.