Social engineering · Contained

C&M Software Pix heist (Brazil, 2025)

A junior developer at C&M Software — a Central Bank-authorized provider of Pix instant-payment connectivity — was paid roughly R$5,000 to hand over credentials. Attackers used the access to drain approximately R$800 million ($148 million) from reserve accounts at six Brazilian financial institutions in 2.5 hours.

Victim: C&M Software (Pix payment infrastructure provider)
Loss: $148.0M

In June 2025, C&M Software (CMSW) — a São Paulo–based provider authorised by Brazil's Central Bank to connect smaller banks and fintechs to the Pix instant-payment system — was breached in what is now the largest financial-system cyberattack in Brazilian history. Over the course of about 2.5 hours, attackers drained nearly R$800 million (~$148 million USD) from reserve accounts at six financial institutions.

What happened

The intrusion did not begin with a zero-day. It began in a bar: members of a Brazilian criminal group approached a junior developer at C&M Software in person and paid him roughly R$5,000 (~$1,000 USD) to sell his login credentials. He also agreed to run a small set of commands inside C&M's systems to enable persistent remote access for the attackers.

With that foothold, on 30 June 2025 the criminals launched hundreds of fraudulent Pix transactions targeting the reserve accounts that C&M-connected banks hold at the Central Bank — the highest-trust accounts in the Brazilian payment system. They moved the funds, on the order of R$800 million, through a fast-moving chain of receiving accounts and into cryptocurrency.

Brazil's Central Bank responded by suspending C&M Software's connection to the Brazilian Payment System (SPB) the next day, halting Pix through its platform for every downstream institution.

Impact

  • ~R$800 million ($148M) moved from reserve accounts at six financial institutions in 2.5 hours.
  • Approximately R$160 million recovered through rapid coordination with cryptocurrency exchanges.
  • C&M Software's SPB connectivity suspended, breaking Pix availability for every client that depended on it.
  • Several arrests of Brazilian nationals; the operation was assessed as a domestic criminal group with at least five members who had deep, professional-grade knowledge of the Brazilian Payment System.

Why it matters

The fastest payment systems in the world — Pix, India's UPI, Europe's instant SEPA — are designed to settle in seconds. That same speed compresses an attacker's heist window from days to minutes. C&M Software shows the other consequence: the security of a national payment rail depends not just on the central bank's own systems, but on every connectivity vendor in the chain, including the one whose junior developer can be turned for R$5,000.

Financial impact

Reported costs in USD

Total reported loss: $148.0M (USD · $148,000,000)
  • Business loss: $148.0M

Timeline

  1. A criminal group identifies and approaches a junior developer at C&M Software in a bar; the developer agrees to sell login credentials for approximately R$5,000.

  2. Attackers run commands inside C&M Software to enable remote access; hundreds of fraudulent Pix transactions are launched over roughly 2.5 hours, draining ~R$800 million ($148M) from reserve accounts at six financial institutions.

  3. Brazil's Central Bank suspends C&M Software's connection to the Brazilian Payment System (SPB), halting Pix operations through its platform across all client institutions.

  4. Investigators trace approximately R$160 million laundered through cryptocurrency exchanges; rapid coordination recovers a portion of the stolen funds.

  5. Brazilian federal authorities arrest several members of the criminal group, identifying it as a domestic operation of at least five individuals with deep SPB expertise.

Sources

  1. blog.lacnic.net: https://blog.lacnic.net/en/the-perfect-storm-the-largest-cyberattack-on-brazils-financial-system/
  2. bankinfosecurity.com: https://www.bankinfosecurity.com/hackers-grab-130m-using-brazils-real-time-payment-system-a-29352
  3. segura.security: https://segura.security/post/cyberattack-on-brazils-payment-system-technical-analysis-timeline-risks-and-mitigation/
  4. globalgovernmentfinance.com: https://www.globalgovernmentfinance.com/brazil-central-bank-financial-system-security-pix-cyberhacks/
