Hackers divert R$800 million from accounts of the Central Bank of Brazil
2025/07/05 21:30
- Hackers laundered cryptocurrency funds after breach
- Central Bank ordered immediate disconnection of systems
- Police track assets and freeze digital wallets
A cyberattack compromised six interconnected reserve accounts of the Central Bank of Brazil, resulting in the embezzlement of approximately R$800 million (equivalent to US$140 million). The attack originated at C&M Software, a banking solutions provider based in São Paulo, after an employee sold access credentials to the company’s infrastructure.
“The investigation process will be very difficult,” says @pablo_ortellado about the hacker attack that hit a company that provides banking services and may have caused the diversion of up to R$800 million via Pix. According to him, the criminals used cryptocurrencies as a “gateway to… pic.twitter.com/biwBxPuHXw
— GloboNews (@GloboNews) July 3, 2025
According to investigations by the Federal Police, João Nazareno Roque allegedly sold his corporate login for R$15 and developed an additional access tool for another R$10, allowing hackers to gain access. Using this access, the criminals were able to issue illegal instructions to move funds from the Central Bank's accounts, redirecting the funds to commercial bank accounts associated with over-the-counter brokerages and regional exchanges.
Initial estimates suggest that between $30 million and $40 million was quickly converted into digital assets such as Bitcoin, Ethereum and USDT. The movement was tracked by on-chain analysts, who are collaborating with the Federal Public Ministry in an attempt to block wallets and recover part of the amounts.
In immediate response, the Central Bank ordered all institutions using C&M Software’s services to stop connections. The company was authorized to resume services two days later, with assurances that core systems remained secure. C&M CEO Kamal Zogheib said the incident involved fraudulent customer credentials and was not the result of a technical failure.
The attack also hit the BMP provider, which confirmed that only its reserve balance was affected, with no impact on customer funds. So far, authorities have frozen around R$270 million (US$49.8 million) and are investigating other possible suspects, including four identified in the court orders.
Transaction records indicate that some of the money was transferred to brokerages in Argentina, Paraguay and Brazil and converted into cryptocurrencies through OTC desks within hours of the attack. Authorities continue to monitor flows and are seeking to tighten controls on reserve account interfaces and the PIX instant payment system.