Brazil is reeling from its largest-ever cyber heist after a group of hackers exploited a security weakness in Brazil’s Instant Payment System (PIX), routing over R$1 billion—approximately US$180 million—into Bitcoin and USDT. The attack, accomplished using C&M Software, has started a rapid investigation by the Central Bank of Canada and federal investigative agencies into weaknesses at the intersection of traditional finance and crypto.
Background of the Breach
On Monday evening, criminals used stolen credentials to gain access to C&M Software – an authorized provider that connects banks, fintechs, and payment processors with PIX. C&M Software provides access to reserve accounts held at the Central Bank intended only for interbank settlements.
After gaining access to the reserve account(s), the cybercriminals moved the stolen funds to PIX- enabled cryptocurrency exchanges and OTC desks, exchanged them for Bitcoin and USDT, and attempted to wash the money and obscure the cash trail.
Immediate Institutional Response
PIX-integrated companies such as SmartPay spotted unusual activity early on. The CEO of SmartPay, Rocelo Lopes, recalled identifying unusual transactions at about 00:18 on June 30, and immediately improved validation filters for crypto conversions, stopping the larger transfers and initiating a recovery of funds.
Simultaneously, the Central Bank ordered C&M’s disconnection from the financial infrastructure late Monday. C&M confirmed the intrusion resulted from unauthorized credential use—not internal system flaws—and stated they’re fully cooperating with authorities.
Impact on Financial Institutions
Several financial institutions, including BMP, Bradesco, and Credsystem, had their reserve accounts affected. BMP made it clear that no customers accounts, and no internal funds were in jeopardy, adding they have an ample amount of collateral to neutralize the loss.
However, one bank source initially placed the minimum amount stolen at R$400 million (~US$70 million), with some market insiders speculating total losses could exceed R$800 million to R$1 billion (~US$180 million). The amount remains undetermined pending review.
Crypto’s Role in Complex Laundering
This breach underscores a worrying trend: cybercriminals exploiting crypto’s speed and pseudo-anonymity as an escape route. Stablecoins like USDT, in particular, are favored by illicit actors—a concern flagged by global bodies such as the Financial Action Task Force
Internationally, similar incidents unfolded this year: North Korea’s ByBit hack ($1.46 billion), and a Chinese USD $136 million crypto-laundering ring. Meanwhile, crypto platforms like OKX are facing increased regulatory scrutiny—e.g., a recent $505 million AML settlement.
Steps Being Taken Now
Brazilian authorities are actively coordinating with global partners to trace crypto transactions and freeze assets across blockchain networks. The Central Bank is accelerating the launch of stronger fraud-detection safeguards, including updates to the PIX Refund Mechanism (MED 2.0), to flag and reverse suspicious large transfers.
What Comes Next
Cybersecurity experts are calling for an urgent overhaul of third-party risk policies tied to banking-as-a-service (BaaS) platforms, as well as enhanced KYC/AML practices at crypto exchanges. Regulators are under pressure to balance the PIX system’s rapid innovation with stronger systemic safeguards.
Brazil’s financial ecosystem now faces a pivotal test: restoring public trust, fortifying its digital rails, and working closely with international regulators to prevent future multi millions breaches.
Final Thoughts
This unprecedented hack has shaken Brazil’s financial core, exposing a critical fracture point in modern payment systems enhanced by fintech and crypto integration. With authorities racing to recover funds, reassess protocols, and hold both tech providers and crypto platforms accountable, the incident may reshape future banking and fintech collaboration—without sacrificing innovation.
