A major cyberattack has targeted C&M Software, a technology provider connected to Brazil's central banking system, resulting in the theft of approximately $140 million (R$ 800 million). The breach, which occurred on June 30, 2025, involved hackers gaining unauthorized access to the reserve accounts of six Brazilian financial institutions.

The attack specifically targeted C&M Software, a São Paulo-based company that facilitates connections between smaller banks and fintech companies to Brazil's Central Bank infrastructure, including the Pix instant payment system. The Central Bank's internal infrastructure was not directly compromised.

Criminals managed to drain funds from the targeted accounts in under three hours by issuing fraudulent Pix transfer orders while impersonating the affected banks. BMP, a banking-as-a-service provider, was among the most affected, reporting losses exceeding $73.8 million from its central bank reserve account and was the first to file a police report exposing the attack.

Investigations have revealed that the breach stemmed from an internal compromise within C&M Software. An IT operator at C&M, João Nazareno Roque, admitted to selling his corporate credentials to one of the attackers for R$ 5,000. Roque was later paid an additional R$ 10,000 to execute commands inside the system. Instructions were delivered via the Notion platform, and payments were made in physical currency through a courier. Police arrested the 30-year-old at his residence on July 3.

Following the heist, the criminals immediately began converting the stolen reais into cryptocurrency through Latin American over-the-counter (OTC) desks and exchanges. Blockchain analysis indicates that at least $30 million to $40 million was moved into Bitcoin, Ethereum, and Tether (USDT) before authorities could freeze accounts. One wallet containing $49.8 million has since been blocked. Law enforcement is currently tracing the stolen funds and has sent alerts to several exchanges requesting the freezing of crypto assets tied to the case. Some addresses remain under review, and asset recovery efforts are ongoing.

The Central Bank has responded by ordering C&M Software to suspend access temporarily. As of July 3, the company has resumed limited operations under supervision. C&M stated it had implemented "all technical and legal measures" after discovering the intrusion and continues cooperating with authorities. The breach occurred despite Brazil’s banking sector investing heavily in cybersecurity following earlier incidents. BMP has assured clients that sufficient collateral covered the stolen amounts, preventing any customer losses. The central bank confirmed it recovered portions of the diverted funds from regulated entities under its supervision, though recovery efforts remain limited for transfers to non-regulated cryptocurrency exchanges.

This incident is considered the largest digital theft in Brazil's history. Crypto detective ZachXBT shared that this is "one of the most outrageous cases to occur in 2025". Despite the scale of the breach, international media coverage has been limited. In Brazil, the incident has triggered broader discussions on fintech cybersecurity, third-party provider risks, and regulatory oversight.