No guns. No vaults. Just credentials: How hackers stole 1B reais from Brazil’s central bank

Key takeaways

• Hackers stole over 1 billion reais ($180 million) from the national financial system after buying insider credentials from a C&M Software employee for just 15,000 reais. 

• They exploited Brazil’s Pix and SPB systems to drain institutional reserve accounts in a matter of hours.

• Criminals moved stolen money through Pix-integrated crypto exchanges, OTC desks and swap services.

• The Central Bank disconnected C&M Software, launched investigations and is pushing for stronger KYC/AML, licensing audits and AI-powered fraud detection. 

In a jaw-dropping cyberattack on June 30, 2025, hackers infiltrated Brazil’s national financial infrastructure and stole over 1 billion Brazilian reais ($180 million). 

The attackers breached C&M Software, a key tech provider that connects financial institutions to Brazil’s SPB (Sistema de Pagamentos Brasileiro) and Pix, the country’s instant payments system.

Using stolen credentials allegedly sold by a C&M employee, the hackers accessed reserve accounts of six institutions, including BMP and Credsystem, and initiated a flood of fraudulent transactions. They then scrambled to convert the funds into cryptocurrencies such as Bitcoin (BTC) and Tether’s USDt (USDT) using exchanges, over-the-counter (OTC) desks and Pix-enabled swap services.

Authorities say this is the largest financial system breach in Brazil’s history and one of the most sophisticated uses of crypto in a banking hack globally.

How hackers pulled off the 1-billion-real heist and where the money went

The audacious theft that rocked Brazil’s financial system wasn’t just a digital heist; it was a carefully planned operation that blended insider betrayal, third-party tech vulnerabilities and real-time financial infrastructure.

Here’s exactly how the hackers pulled it off:

Step 1: Insider sells access for just 15,000 reais

According to investigators from Brazil’s federal police, the breach originated at C&M Software, a private company that acts as a technology service provider (PSTI) for banks and fintechs connecting to the SPB (Brazilian Payment System) and Pix, Brazil’s instant payments network.

A C&M employee, later identified as João Nazareno Roque, allegedly sold his internal system credentials to criminals on the dark web for approximately 15,000 reais ($2,700). These credentials gave the attackers access to C&M’s platform, which is used to issue secure financial messages, including PIX and TED transfer instructions.

Step 2: Exploiting SPB messaging infrastructure

Once inside the system, the attackers didn’t target individual bank users. Instead, they went straight for the reserve accounts that financial institutions hold with the Central Bank of Brazil. These accounts are used for interbank settlements, not everyday consumer activity.

Using C&M’s software interface, the hackers impersonated legitimate instructions to initiate a series of fake interbank transactions through the SPB. Over a short period, more than 1 billion reais was illicitly transferred out of the affected institutions’ reserve accounts.

Step 3: Using Pix to move money instantly

The stolen funds were immediately transferred via Pix, which is designed for real-time payments. This allowed the criminals to quickly route the money into dozens, possibly hundreds, of downstream accounts, many of which were connected to crypto platforms, including:

• Crypto exchanges with Pix integration

• Payment gateways

• Crypto swap platforms

• OTC desks operating with minimal Know Your Customer (KYC) requirements.

Because Pix transactions settle within seconds, banks and regulators had almost no time to intervene before the funds left the traditional financial system and entered the digital asset world.

Step 4: Spreading funds through shell and mule accounts

To avoid detection, the hackers fragmented the funds into smaller batches, distributing them across multiple accounts, some of which were fake and others controlled by “mules,” people who sell or rent access to their bank accounts for criminal use.

This move helped create a web of complex financial trails, delaying real-time fraud detection systems and complicating tracking efforts by financial institutions.

Step 5: Blocked, but not fast enough

Thanks to rapid coordination between the central bank, affected banks and crypto companies, several platforms detected unusual transaction patterns. For example:

• SmartPay, a crypto gateway, raised transaction validation filters and blocked multiple attempts to convert large amounts into USDT and BTC.

• Other OTC desks refused to process transactions when suspicious documents were presented or when flagged IPs and wallet addresses attempted to trade.

Despite those efforts, an estimated 270 million reais was frozen, but hundreds of millions more were believed to have been successfully laundered through crypto and cross-border transfers before authorities could respond.

Did you know? In February 2025, the North Korean-linked Lazarus Group executed a record-breaking hack on the Bybit exchange, stealing approximately $1.5 billion. Within just 48 hours, nearly $160 million of the stolen funds was already routed through mixers, decentralized exchanges and crosschain bridges to obscure its origin.

Central bank’s response and legal protections

The Central Bank of Brazil (Banco Central do Brasil) acted swiftly following the attack:

• Ordered C&M Software’s disconnection from the SPB/Pix system

• Launched a coordinated investigation with the federal police and São Paulo’s civil police

• Implemented emergency security protocols to protect other institutions.

Brazil’s central banking laws, especially Resolution No. 4,658/2018, which governs cybersecurity in financial institutions, require banks and third-party providers to:

• Implement risk management policies

• Report incidents to the Central Bank

• Maintain disaster recovery and data protection mechanisms.

C&M, as a licensed service provider, was subject to these regulations. The failure to detect insider compromise may lead to sanctions or suspension. This has sparked debate on whether third-party fintechs should be more tightly audited and included in the central bank’s direct supervision regime.

Did you know? In November 2024, hackers stole approximately 62 billion Ugandan shillings ($16.8 million) from the Bank of Uganda, redirecting funds to overseas accounts in Japan and the UK. Local authorities managed to recover over half of the stolen amount, and investigations uncovered collusion by insiders within the central bank.

Is crypto regulated in Brazil?

Yes, cryptocurrency is regulated in Brazil, and its adoption has been growing rapidly. Here’s how the regulatory landscape and adoption trends shape up:

Brazil’s crypto legal framework

Brazil enacted Law No. 14.478 in December 2022, also known as the “Legal Framework for Virtual Assets.” The law:

• Legitimized cryptocurrencies as recognized financial assets

• Assigned the Central Bank of Brazil (BCB) the authority to license and regulate virtual asset service providers (VASPs)

• Updated criminal and financial codes to include virtual assets under fraud, financial system crime and anti-money laundering laws.

Following the law, a decree in June 2023 officially granted the BCB regulatory oversight over exchanges, custodians and other VASPs.

Under current rules, VASPs must:

• Register with and obtain a license from the BCB

• Apply strict KYC and Anti-Money Laundering (AML) procedures

• Segregate client assets and protect user data

• Report suspicious transactions to authorities.

Rapid crypto adoption

Brazil ranks among the top countries worldwide for cryptocurrency adoption:

• The 2024 Chainalysis Global Adoption Index placed Brazil 10th globally (eighth in centralized services, 10th in retail volume).

• A 2025 estimate suggests there are 31.9 million Brazilian crypto users, nearly 15% of the population.

• A YouGov survey from early 2025 found that 15% of Brazilians would consider switching completely to crypto-based banking.

Stablecoins, especially USD-backed tokens, have seen major use, making up 90% of crypto flow. This is mainly due to remittances and cross-border payments.

And in 2024 alone, Brazil’s net stablecoin imports surged 60.7%, outpacing prior full-year levels and totaling nearly $13 billion by September.

Did you know? Brazil is the first country in the world to launch a spot exchange-traded fund (ETF) that directly tracks the current price of XRP (XRP) while also preparing to launch a Brazilian real-backed stablecoin on Ripple’s XRP Ledger.

What comes next for Brazil’s financial and crypto sectors?

In the wake of the 1-billion-real breach, Brazil’s financial authorities are likely to push for a multi-pronged reform strategy, including:

• Mandatory multi-factor authentication for all SPB-connected services

• Independent audits of PSTI (third-party service providers) like C&M Software

• Tighter crypto regulation enforcement, particularly for OTC and Pix-enabled platforms

• Establishment of a real-time fraud detection framework with AI-assisted alerts.

The incident has also led to renewed discussions in Congress around expanding the central bank’s authority to enforce regulations on fintechs and non-bank financial institutions.

Brazil has one of the fastest-growing crypto user bases in the world, and this hack may serve as the trigger for building a more robust and secure digital financial infrastructure.