{"id":30815,"date":"2025-09-05T13:46:38","date_gmt":"2025-09-05T13:46:38","guid":{"rendered":"https:\/\/blog.lacnic.net\/?p=30815"},"modified":"2025-09-08T13:54:31","modified_gmt":"2025-09-08T13:54:31","slug":"the-perfect-storm-the-largest-cyberattack-on-brazils-financial-system","status":"publish","type":"post","link":"https:\/\/blog.lacnic.net\/en\/the-perfect-storm-the-largest-cyberattack-on-brazils-financial-system\/","title":{"rendered":"The Perfect Storm: The Largest Cyberattack on Brazil\u2019s Financial System"},"content":{"rendered":"\n

By\u00a0Graciela Mart\u00ednez<\/a>, Head of LACNIC CSIRT<\/p>\n\n\n\n

On June 30 this year, Brazil faced the largest cybercrime in its history. C&M Software (CMSW)<\/strong>, a critical financial infrastructure provider authorized by the Central Bank, was compromised by a criminal group that diverted billions of reais<\/strong> through the instant payment system PIX<\/strong>.<\/p>\n\n\n\n

The incident not only highlights the magnitude of the risks associated with the digitalization of the financial system but also exposes the vulnerabilities of the supply chain<\/strong> and the power of social engineering<\/strong> in cyberattacks.<\/p>\n\n\n\n

Timeline<\/strong><\/h2>\n\n\n\n

March 2025<\/strong> \u2013 A junior developer at C&M Software is approached in a bar and agrees to sell his login credentials for R$ 5,000.<\/p>\n\n\n\n

May 2025<\/strong> \u2013 The same employee runs commands in the company\u2019s systems to enable remote access for the attackers.<\/p>\n\n\n\n

June 11, 2025<\/strong> \u2013 The company Monexa Gateway de Pagamentos<\/em> is incorporated, later receiving transfers totaling R$ 45 million during the attack.<\/p>\n\n\n\n

June 30, 2025<\/strong> \u2013 The criminal group launches the operation: hundreds of fraudulent transactions via PIX are carried out in the early hours of the morning.<\/p>\n\n\n\n

July 2, 2025<\/strong> \u2013 The Federal Police open an investigation with the support of the Central Bank.<\/p>\n\n\n\n

Attack Mechanism<\/strong><\/h2>\n\n\n\n

The intrusion vector originated from the misuse of internal credentials, obtained through social engineering targeting a C&M employee.<\/p>\n\n\n\n

Once inside, the attackers mapped the infrastructure of the Corner platform, identifying critical authentication artifacts and shared credentials belonging to client financial institutions.<\/p>\n\n\n\n

The group gained access to private keys and digital certificates required to authorize PIX transactions on behalf of the compromised entities. This allowed them to issue legitimate-looking orders within the Instant Payment System (SPI) without triggering alerts.<\/p>\n\n\n\n

The diverted funds were initially routed into accounts at smaller payment institutions with weaker KYC controls. They were then divided and converted into cryptocurrencies to mask the financial footprint.<\/p>\n\n\n\n

Impact of the Incident<\/strong><\/h2>\n\n\n\n

The exact amount has not yet been confirmed. Preliminary estimates range from USD 80 million to USD 800 million<\/strong>. Even in the lowest scenario, it represents the largest cyber fraud ever recorded in Brazil.<\/p>\n\n\n\n

Operational Impact<\/strong><\/h2>\n\n\n\n

Between June 30 and July 3, several institutions relying on C&M Software were unable to process transactions, creating a chain reaction that affected both businesses and end users.<\/p>\n\n\n\n

The attack undermines confidence in PIX<\/strong> and the broader instant payments ecosystem, while also placing the security of PSTIs<\/strong> (payment service technology providers) authorized by the Central Bank under closer scrutiny.<\/p>\n\n\n\n

Criminal Group Profile<\/strong><\/h2>\n\n\n\n

Evidence points to a Brazilian criminal group, composed of at least five individuals with:<\/p>\n\n\n\n