On June 30, 2025, Brazil suffered what is being described as the largest cyber fraud in its history. C&M Software (CMSW), a critical financial infrastructure provider authorized by the Central Bank, was compromised by a criminal group that used its access to divert funds, estimated at anywhere from hundreds of millions to several billion reais, through the instant payment system PIX.
The incident not only highlights the scale of the risk that comes with a fully digital financial system; it also exposes the weak links in the financial supply chain and shows how effective social engineering remains as an initial access technique.
July 2, 2025 – The Federal Police open an investigation with the support of the Central Bank.
Attack Mechanism
The initial access vector was the misuse of internal credentials obtained through social engineering targeting a C&M employee.
Once inside, the attackers mapped the infrastructure of the Corner platform, identifying critical authentication artifacts and shared credentials belonging to client financial institutions.
The group gained access to the private keys and digital certificates required to authorize PIX transactions on behalf of the compromised institutions. Because the orders were signed with the institutions' own legitimate credentials, they passed the cryptographic checks of the Instant Payment System (SPI) like any other order and triggered no alerts. Signature validation alone cannot tell a stolen key from its rightful holder, so detection has to rest on behavioral signals such as volume, timing and destination.
The diverted funds were initially routed into accounts at smaller payment institutions with weaker KYC controls. They were then split up and converted into cryptocurrency to obscure the trail.
Impact of the Incident
The exact amount has not yet been confirmed. Preliminary estimates range from USD 80 million to USD 800 million. Even at the lower bound, it would be the largest cyber fraud ever recorded in Brazil.
Operational Impact
Between June 30 and July 3, several institutions relying on C&M Software were unable to process transactions, creating a chain reaction that affected both businesses and end users.
The attack undermines confidence in PIX and the broader instant payments ecosystem, while also placing the security of PSTIs (Prestadores de Serviço de Tecnologia da Informação, the IT service providers authorized by the Central Bank to connect institutions to the payment system) under closer scrutiny.
Criminal Group Profile
Evidence points to a Brazilian criminal group of at least five individuals with:
- Advanced knowledge of the Brazilian Payment System (SPB).
- The technical capability to manipulate certificates and credentials.
- The resources to plan the operation over several months.
At this stage, the involvement of foreign actors or hacktivists has been ruled out; the crime was clearly financially motivated.
Structural Factors That Made the Attack Possible
- Dependence on critical third parties (PSTIs): keys and certificates for many institutions concentrated in a single external provider.
- Expanded attack surface: multiple financial institutions connected through the same platform, so one compromise reaches all of them.
- Weak internal controls: over-privileged credentials and no continuous monitoring.
- Weak KYC at smaller institutions: enabling the laundering and dispersal of the funds.
Strategic Recommendations
A key step in preventing incidents like this is to strengthen defenses proactively. This means segmenting internal networks, enforcing strict privilege controls under the principle of least privilege, and rotating credentials and certificates frequently while keeping them in properly secured key storage rather than in files shared across teams or clients.
It is also advisable to build advanced detection and response capabilities, supported by real-time monitoring and event correlation within Security Operations Centers (SOCs) and CSIRTs.
Threat intelligence should be incorporated as well, with access to specialized sources on financial fraud and proactive hunting aimed at anomalous activity in third-party providers, in particular unusual use of the keys and credentials they hold on behalf of their clients.
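The kind of correlation the two paragraphs above call for can be illustrated concretely. The following is an added example, not code from the Apura report or from C&M Software: it correlates a provider-side authentication log (an off-hours login from a never-seen address, followed by a read of a client institution's key material) with a burst of large payment orders to never-seen destinations signed for that same institution. The log format, field names, institution and ISPB identifiers, amounts and thresholds are all constructed assumptions for the example; the dates merely mirror the incident timeline for readability.

```python
"""Correlate provider-side login anomalies with bursts of unusual payment orders.
Added example; log format, field names, identifiers and thresholds are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). AUTH_LOG is the provider's own
# platform log; ORDER_LOG is the stream of orders it signs for client institutions.
AUTH_LOG = """\
2025-06-27T13:02:11Z login user=ops.svc src=10.20.30.5 result=ok
2025-06-28T13:05:40Z login user=ops.svc src=10.20.30.5 result=ok
2025-06-30T01:47:03Z login user=ops.svc src=203.0.113.77 result=ok
2025-06-30T01:49:30Z keystore_read user=ops.svc object=inst_A.p12
"""
ORDER_LOG = """\
2025-06-27T10:15:00Z order inst=A dest=ispb:00001 amount=1500.00
2025-06-27T11:40:00Z order inst=A dest=ispb:00002 amount=820.50
2025-06-28T10:05:00Z order inst=A dest=ispb:00001 amount=2100.00
2025-06-28T15:30:00Z order inst=A dest=ispb:00003 amount=430.00
2025-06-30T02:01:00Z order inst=A dest=ispb:77701 amount=980000.00
2025-06-30T02:01:30Z order inst=A dest=ispb:77702 amount=975000.00
2025-06-30T02:02:10Z order inst=A dest=ispb:77703 amount=990000.00
2025-06-30T02:02:45Z order inst=A dest=ispb:77701 amount=960000.00
"""
LINE = re.compile(r"^(\S+)\s+(\w+)\s*(.*)$")

def parse(log):
    """Turn 'timestamp event k=v k=v ...' lines into dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append({"ts": ts, "event": m.group(2), **fields})
    return events

def auth_anomalies(events, business_hours=(8, 20)):
    """Flag successful logins from a source never seen for that user, or outside business hours."""
    seen = defaultdict(set)
    hits = []
    for e in events:
        if e["event"] != "login" or e.get("result") != "ok":
            continue
        first_login = e["user"] not in seen   # no baseline yet: do not call the first source "new"
        reasons = []
        if not first_login and e["src"] not in seen[e["user"]]:
            reasons.append("new-source")
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            reasons.append("off-hours")
        seen[e["user"]].add(e["src"])
        if reasons:
            hits.append((e["ts"], e["user"], reasons))
    return hits

def order_bursts(events, amount_factor=10, min_orders=3, window=timedelta(minutes=5)):
    """Per institution, an order is suspicious when it goes to a never-seen destination
    for an amount far above that institution's running median. Suspicious orders
    spaced less than `window` apart form a burst; only benign orders update the baseline,
    so a burst cannot normalise itself."""
    seen_dest, amounts, suspicious = defaultdict(set), defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] != "order":
            continue
        inst, dest, amount = e["inst"], e["dest"], float(e["amount"])
        hist = amounts[inst]
        outlier = bool(hist) and amount > amount_factor * statistics.median(hist)
        if dest not in seen_dest[inst] and outlier:
            suspicious[inst].append((e["ts"], amount))
        else:
            seen_dest[inst].add(dest)
            hist.append(amount)
    bursts = []
    for inst, orders in suspicious.items():
        group = [orders[0]]
        for o in orders[1:] + [None]:          # None flushes the final group
            if o is not None and o[0] - group[-1][0] <= window:
                group.append(o)
                continue
            if len(group) >= min_orders:
                bursts.append({"inst": inst, "start": group[0][0], "end": group[-1][0],
                               "orders": len(group), "total": round(sum(a for _, a in group), 2)})
            if o is not None:
                group = [o]
    return bursts

def key_reads(events):
    return [e for e in events if e["event"] == "keystore_read"]

def correlate(auth_hits, reads, bursts, max_gap=timedelta(hours=6)):
    """Alert when a burst for institution X follows, within max_gap, an anomalous login
    by an account that read X's key material in between."""
    alerts = []
    for b in bursts:
        for ts, user, reasons in auth_hits:
            if not timedelta(0) <= b["start"] - ts <= max_gap:
                continue
            touched = [r for r in reads if r["user"] == user and ts <= r["ts"] <= b["start"]
                       and r["object"].startswith(f"inst_{b['inst']}.")]
            if touched:
                alerts.append({"severity": "high", "inst": b["inst"], "user": user,
                               "login_reasons": reasons, "key_object": touched[0]["object"],
                               "orders": b["orders"], "total": b["total"]})
    return alerts

def run(auth_log=AUTH_LOG, order_log=ORDER_LOG):
    auth, orders = parse(auth_log), parse(order_log)
    return correlate(auth_anomalies(auth), key_reads(auth), order_bursts(orders))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The point of the joined rule is that neither signal is strong on its own: a service account logging in at night happens, and a large order to a new counterparty happens, but a never-seen login followed by a read of one client's key file and then a burst of outsized orders signed for that same client within minutes is exactly the sequence a provider holding other institutions' keys should be watching for. In production the thresholds would come from per-institution baselines rather than constants, and the key-material read would ideally come from an HSM or secrets-manager audit log rather than a file access record.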
When it comes to the supply chain, periodic audits are essential, along with the enforcement of mandatory cybersecurity standards and more rigorous contractual controls governing the storage and use of digital certificates and other critical assets.
Finally, it is essential to invest in staff awareness and ongoing training. Programs should be designed specifically for executives, technical teams, and end users, so that each group receives information relevant to its responsibilities. In parallel, periodic awareness campaigns help keep vigilance high against threats like phishing, social engineering, and ransomware, reinforcing a strong security culture across the institution.
Conclusions
The C&M Software case represents a turning point in Brazil’s financial cybersecurity.
It shows that risk does not stem solely from technical vulnerabilities, but also from the potential exploitation of insiders, fragile links in supply chains, and poor management of critical credentials.
Such a sophisticated and systemic attack makes it imperative to rethink the prevailing reliance on external providers. True resilience will depend on risk segmentation, rigorous control measures, and the continuous adoption of updated security standards.
Source: The full report by Bttng Apura is available here.