Skip to content
Social engineeringContained

C&M Software Pix heist (Brazil, 2025)

A junior developer at C&M Software — a Central Bank-authorized provider of Pix instant-payment connectivity — was paid roughly R$5,000 to hand over credentials. Attackers used the access to drain approximately R$800 million ($148 million) from reserve accounts at six Brazilian financial institutions in 2.5 hours.

Victim
C&M Software (Pix payment infrastructure provider)
Loss
$148.0M

In June 2025, C&M Software (CMSW) — a São Paulo–based provider authorised by Brazil's Central Bank to connect smaller banks and fintechs to the Pix instant-payment system — was breached in what is now the largest financial-system cyberattack in Brazilian history. Over the course of about 2.5 hours, attackers drained nearly R$800 million (~$148 million USD) from reserve accounts at six financial institutions.

What happened

The intrusion did not begin with a zero-day. It began in a bar: members of a Brazilian criminal group approached a junior developer at C&M Software in person and paid him roughly R$5,000 (~$1,000 USD) to sell his login credentials. He also agreed to run a small set of commands inside C&M's systems to enable persistent remote access for the attackers.

With that foothold, on 30 June 2025 the criminals launched hundreds of fraudulent Pix transactions targeting the reserve accounts that C&M-connected banks hold at the Central Bank — the highest-trust accounts in the Brazilian payment system. They moved the funds, on the order of R$800 million, through a fast-moving chain of receiving accounts and into cryptocurrency.

Brazil's Central Bank responded by suspending C&M Software's connection to the SPB the next day, halting Pix through its platform for every downstream institution.

Impact

  • ~R$800 million ($148M) moved from reserve accounts at six financial institutions in 2.5 hours.
  • Approximately R$160 million recovered through rapid coordination with cryptocurrency exchanges.
  • C&M Software's SPB connectivity suspended, breaking Pix availability for every client that depended on it.
  • Several arrests of Brazilian nationals; the operation was assessed as a domestic criminal group with at least five members who had deep, professional-grade knowledge of the Brazilian Payment System.

Why it matters

The fastest payment systems in the world — Pix, India's UPI, Europe's instant SEPA — are designed to settle in seconds. That same speed compresses an attacker's heist window from days to minutes. C&M Software shows the other consequence: the security of a national payment rail depends not just on the central bank's own systems, but on every connectivity vendor in the chain, including the one whose junior developer can be turned for R$5,000.

Financial impact

Reported costs in USD

Total reported loss
148.0M
USD · $148,000,000
  • Business loss$148.0M

Timeline

  1. A criminal group identifies and approaches a junior developer at C&M Software in a bar; the developer agrees to sell login credentials for approximately R$5,000.

  2. Attackers run commands inside C&M Software to enable remote access; hundreds of fraudulent Pix transactions are launched over roughly 2.5 hours, draining ~R$800 million ($148M) from reserve accounts at six financial institutions.

  3. Brazil's Central Bank suspends C&M Software's connection to the Brazilian Payment System (SPB), halting Pix operations through its platform across all client institutions.

  4. Investigators trace approximately R$160 million laundered through cryptocurrency exchanges; rapid coordination recovers a portion of the stolen funds.

  5. Brazilian federal authorities arrest several members of the criminal group, identifying it as a domestic operation of at least five individuals with deep SPB expertise.

Sources

  1. blog.lacnic.nethttps://blog.lacnic.net/en/the-perfect-storm-the-largest-cyberattack-on-brazils-financial-system/
  2. bankinfosecurity.comhttps://www.bankinfosecurity.com/hackers-grab-130m-using-brazils-real-time-payment-system-a-29352
  3. segura.securityhttps://segura.security/post/cyberattack-on-brazils-payment-system-technical-analysis-timeline-risks-and-mitigation/
  4. globalgovernmentfinance.comhttps://www.globalgovernmentfinance.com/brazil-central-bank-financial-system-security-pix-cyberhacks/

Related incidents

Social engineeringContained

Leak at Google

In August 2025, Google confirmed that a Salesforce CRM instance holding contact data for small-business Google Ads prospects was breached by ShinyHunters (UNC6040) via a vishing attack, exposing roughly 2.55 million records of business names, emails and phone numbers.

Victim
Google
Records
2.5M
Data breachResolved

Descomplica data breach (2021)

In March 2021, the Brazilian EdTech company Descomplica suffered a data breach which was subsequently posted to a popular hacking forum. The data included almost 5 million email addresses, names, the first 6 and last 4 digits and the expiry date of credit cards, purchase histories and password…

Victim
Descomplica
Records
4.8M