Hackers stole some 800 million Brazilian reals ($140 million) from six reserve accounts linked to Brazil's Central Bank, in one of the largest computer thefts in the country's history.
The breach occurred on 30 June, after the attackers gained access to C&M Software, a São Paulo-based software provider.
The authorities suspect that an inside accomplice made the attack possible. According to reports, a C&M employee, João Nazareno Roque, allegedly sold the company's login credentials for 15,000 Brazilian reals ($2,770). He would later also create and sell a backdoor access tool for an additional 10,000 reals ($1,850).
Through this access, the hackers gained full control of C&M's infrastructure. They then sent unauthorised instructions to transfer funds, moving money from the Central Bank's interbank reserve accounts to accounts linked to regional exchanges and over-the-counter (OTC) desks.
According to blockchain investigator ZachXBT, between $30 million and $40 million of the stolen money has already been converted into digital assets such as Bitcoin, Ethereum and USDT. Analysts and on-chain investigators are now collaborating to trace the remaining funds and freeze suspicious wallets.
In response to the breach, the Central Bank of Brazil ordered all institutions using C&M to immediately log off the platform. As no critical systems were compromised, the company was given the green light to resume operations two days later.
Kamal Zogheib, C&M's commercial director, emphasised that the attack involved fake customer credentials and not a technical vulnerability. The company is cooperating with São Paulo law enforcement agencies and the Federal Police.
The banking platform BMP, one of the affected vendors, said that customer deposits were not affected and that only its own reserve account was affected.
Currently, Brazilian authorities are searching for at least four other suspects and have frozen about 270 million reals ($49.8 million). Roque is still detained in São Paulo. According to investigators, he regularly changed phones to evade tracking.
Further investigations revealed that the stolen money was quickly transferred through exchanges in Brazil, Argentina and Paraguay. Large sums were laundered into cryptocurrency through OTC brokers within three hours. Some OTC desks reportedly flagged the suspicious activity, thus preventing the attackers from converting the stolen money within Brazil.
The Central Bank has hinted that stricter security controls may soon be introduced for platforms connected to reserve accounts and the PIX payments system, although no new rules have yet been announced.
The investigation is still ongoing under federal supervision, with the priority being to recover the funds and identify others responsible for the breach.