Insider Received $920 for Role in $140 Million Heist on Brazilian Banks
Hackers stole approximately $140 million from six Brazilian banks after bribing an insider at C&M, an IT firm that develops systems connecting financial institutions with Brazil’s Central Bank.
The breach occurred on June 30, 2025, when attackers exploited the login credentials of João Nazareno Roque, a C&M employee. Roque was initially paid just $920 in exchange for handing over access, and later received an additional $1,850 for executing a series of actions that facilitated the fraud.
How the Heist Unfolded
According to Brazilian media reports, the hackers approached Roque near a bar and convinced him to participate in the scheme. Once on board, Roque carried out instructions—allegedly delivered via Notion, a collaboration platform—directly within C&M’s systems.
With insider access, the attackers infiltrated a confidential system connected to Brazil’s Central Bank, enabling them to initiate fraudulent transactions across multiple institutions.
Despite efforts to conceal his involvement—including switching mobile phones every 15 days—Roque was arrested in São Paulo on July 3, 2025.
Impact on Brazil’s Financial System
The breach primarily affected PIX, Brazil’s widely used instant payment system, which serves more than 76% of the population. Authorities confirmed that one of the compromised institutions alone suffered $100 million in losses.
Brazilian police are conducting three separate investigations into the heist. So far, no information has been released about the identity or location of the hackers.
Follow the Money: Crypto Laundering in Progress
Blockchain investigator ZachXBT reported that the attackers have already laundered between $30 million and $40 million in stolen funds. The money was converted into Bitcoin (BTC), Ethereum (ETH), and Tether (USDT) via a mix of cryptocurrency exchanges and unregulated Latin American OTC platforms.
Company Response: No Technical Breach
In a press statement, C&M emphasized that its systems remain secure and that the attackers succeeded solely through social engineering—not because of any technical vulnerabilities.
“The attack did not involve a breach of our infrastructure,” the company stated. “Our defense systems were instrumental in identifying the unauthorized access and assisting authorities in the investigation.”