Hackers stole over R$1 billion (approximately $180 million) from Brazil’s central banking reserves this week in the country’s largest-ever financial cyberattack. The breach targeted C&M Software, an authorized service provider for Brazil’s payment infrastructure, allowing attackers to siphon funds from reserve accounts of at least six financial institutions including Bradesco and BMP. The stolen funds were rapidly converted to Bitcoin and USDT through cryptocurrency exchanges and OTC desks before authorities could intervene.
Attack Mechanism and Entry Point
C&M Software’s compromised APIs served as the attack vector. Hackers exploited valid client credentials to access Brazil’s Instant Payment System (PIX), which handles interbank settlements. This granted unauthorized access to:
• Reserve accounts held directly at Brazil’s Central Bank
• Fund transfer protocols between financial institutions
• Real-time transaction processing systems
The breach represents a sophisticated hybrid attack: traditional banking infrastructure was compromised, while cryptocurrency provided the exit ramp for stolen funds.
Crypto Conversion and Tracing Efforts
After the theft, the hackers immediately routed the funds to crypto platforms:
1. Stablecoin focus: Primary attempts to convert stolen reais into USDT
2. Bitcoin secondary: Smaller portions moved to Bitcoin
3. Platform responses: Exchanges like SmartPay detected “atypical movements” and froze suspicious transactions within minutes
Blockchain analytics firms are now tracing cross-chain transactions, though the exact amount successfully laundered remains unknown. Federal Police confirmed the involvement of cryptocurrency OTC desks in the money-laundering phase.
Institutional Impact and Responses
| Institution | Response | Status |
| --- | --- | --- |
| Central Bank of Brazil | Disconnected C&M from financial systems | Ongoing forensic investigation |
| C&M Software | Called itself “direct victim of criminal action” | Systems remain operational with enhanced security |
| BMP | Confirmed no end-client funds affected | Using collateral to cover losses |
The attack exclusively targeted interbank settlement accounts, leaving consumer accounts untouched. BMP emphasized that sufficient collateral exists to cover the stolen amount without operational impact.
Regulatory Implications
This heist highlights critical vulnerabilities at the intersection of traditional finance and crypto:
• Stablecoin risks: FATF’s recent warnings about criminal use of USDT proved prescient
• Infrastructure vulnerabilities: Third-party service providers as weak links in payment chains
• Global pattern: Follows similar hybrid attacks in China ($136M) and North Korea ($1.46B)
Brazilian authorities are coordinating with international agencies to freeze assets across blockchain networks while reviewing fintech security protocols, particularly for PIX-integrated services.