According to information from CNN Brasil, the PF (Federal Police) and the BC (Central Bank) are investigating a cyberattack against C&M Software, a technology service provider responsible for intermediating communication between financial institutions and the BC.
According to a note sent by the Central Bank to the press, the agency ordered that institutions' access to the infrastructures operated by C&M be disconnected. The BC is still assessing the scale of the attack and emphasizes that it was not itself the target.
There is still no information about the exact amount stolen. According to sources heard by specialized media portals, there are indications that the figure may reach R$ 1 billion, which would make it the largest cyberattack in the history of the Brazilian financial system. This figure has not yet been confirmed.
One of C&M’s clients, BMP, a Banking-as-a-Service (BaaS) provider, issued an official statement informing that its connection infrastructure was partially compromised and that Pix services were temporarily interrupted. BMP also informed that no client was impacted or had their resources accessed, and that the issue is being handled with maximum priority by all affected institutions.
According to reporting by the portal Cointelegraph Brasil, the threat actor began moving the stolen amounts to several cryptocurrency providers that accept Pix, intending to buy USDT and Bitcoin. During this movement, one of the providers identified the atypical volume of transactions, blocked the operations, and notified BMP.
Still according to the portal, similar flows were identified at other companies in the sector. Rocelo Lopes, creator of the self-custody wallet Truther and CEO of SmartPay, confirmed atypical movements on both platforms in the early hours of June 30 and tightened the validation filters on USDT and Bitcoin purchases. According to his statement to the portal, the large amounts were returned to the institutions involved at the same time; the amounts were not disclosed in order to protect the companies, and he made himself available to assist the authorities with the investigation.
Given the severity of the incident, we have reinforced our monitoring routines in financial sector client environments. We recommend that companies review their third-party integrations, increase vigilance over atypical transactions, especially those involving Pix and crypto assets, and validate the authentication procedures of critical services.
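As an added illustration of the "atypical transactions" check recommended above, the following example (written for this page, not tooling from any of the companies named) flags the two patterns the reporting describes: a sudden spike in inbound Pix volume for an account, and crypto purchases funded by Pix credits received minutes earlier. The event schema, the thresholds and the sample events are assumptions constructed for the example, not data from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events for illustration; none of this is real transaction data.
# Each event is a Pix credit landing at a crypto provider or a purchase that follows it.
SAMPLE_EVENTS = [
    # Ordinary daytime behaviour: small, spaced-out credits on 2025-06-29.
    {"ts": "2025-06-29T14:00:00", "account": "acct-001", "type": "pix_in", "amount": 1500.0},
    {"ts": "2025-06-29T14:05:00", "account": "acct-001", "type": "usdt_buy", "amount": 1500.0},
    {"ts": "2025-06-29T16:00:00", "account": "acct-001", "type": "pix_in", "amount": 2000.0},
    {"ts": "2025-06-29T18:00:00", "account": "acct-001", "type": "pix_in", "amount": 1800.0},
    {"ts": "2025-06-29T20:00:00", "account": "acct-001", "type": "pix_in", "amount": 1700.0},
    # Early hours of 2025-06-30: a burst of very large credits converted immediately.
    {"ts": "2025-06-30T02:10:00", "account": "acct-001", "type": "pix_in", "amount": 950000.0},
    {"ts": "2025-06-30T02:11:00", "account": "acct-001", "type": "usdt_buy", "amount": 950000.0},
    {"ts": "2025-06-30T02:14:00", "account": "acct-001", "type": "pix_in", "amount": 980000.0},
    {"ts": "2025-06-30T02:15:00", "account": "acct-001", "type": "btc_buy", "amount": 980000.0},
    # A second account with only ordinary activity; it must not alert.
    {"ts": "2025-06-30T02:20:00", "account": "acct-002", "type": "pix_in", "amount": 500.0},
    {"ts": "2025-06-30T02:40:00", "account": "acct-002", "type": "btc_buy", "amount": 500.0},
]

CRYPTO_BUYS = {"usdt_buy", "btc_buy"}


def _parse(events):
    """Return a copy of the events sorted by time, with ts as datetime."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def detect_atypical_flows(events, window=timedelta(hours=1), ratio=10.0,
                          floor=100_000.0, passthrough=timedelta(minutes=5),
                          min_history=3):
    """Flag two patterns (thresholds are illustrative assumptions):

    volume_spike: inbound Pix volume in the trailing `window` is at least `floor`
        and more than `ratio` times the account's median historical credit.
        `min_history` prior credits are required before a baseline is trusted.
    pix_to_crypto_passthrough: a crypto purchase of at least `floor` that is
        at least 90% funded by Pix credits received within `passthrough` before it.
    """
    alerts = []
    credits = defaultdict(list)  # account -> [(ts, amount)] of pix_in seen so far

    for e in _parse(events):
        acct, ts, amount = e["account"], e["ts"], e["amount"]
        if e["type"] == "pix_in":
            history = [a for _, a in credits[acct]]
            credits[acct].append((ts, amount))
            recent = sum(a for t, a in credits[acct] if ts - t <= window)
            if len(history) >= min_history:
                baseline = median(history)
                if recent >= floor and recent > ratio * baseline:
                    alerts.append({"account": acct, "ts": ts, "kind": "volume_spike",
                                   "window_volume": recent, "baseline": baseline})
        elif e["type"] in CRYPTO_BUYS and amount >= floor:
            funding = sum(a for t, a in credits[acct]
                          if timedelta(0) <= ts - t <= passthrough)
            if funding >= 0.9 * amount:
                alerts.append({"account": acct, "ts": ts,
                               "kind": "pix_to_crypto_passthrough",
                               "purchase": amount, "funded_by_pix": funding})
    return alerts


def accounts_to_hold(alerts):
    """Accounts whose pending purchases should be held for manual review."""
    return sorted({a["account"] for a in alerts})


if __name__ == "__main__":
    found = detect_atypical_flows(SAMPLE_EVENTS)
    for a in found:
        print(a["ts"].isoformat(), a["account"], a["kind"])
    print("hold:", accounts_to_hold(found))
```

On the constructed data, only acct-001 alerts, twice for the volume spike and twice for the pass-through, which is the point at which a provider would hold the purchase and notify the originating institution, as one provider did in this incident. The baseline is deliberately the median of prior credits rather than the mean so that one large credit does not immediately pull the baseline up and silence the next alert; in production the baseline would come from a longer history than the handful of events embedded here.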
We continue to closely monitor the case and will keep this statement updated as new information is confirmed by the authorities and institutions involved.