How a Hacker Spent Only $2.7K to Steal $140 Million From Brazilian Banks - adtechsolutions


In brief

  • Hackers stole $140 million from a network of Brazilian banks connected to the country's central banking system.
  • The hackers orchestrated the scheme by paying only $2,760 to an employee of a technology company for his credentials.
  • The hackers then laundered part of the stolen money through cryptocurrencies, using Bitcoin, Ethereum and Tether.

Here is some ammunition for decentralization advocates: hackers stole approximately R$800 million ($140 million) from Brazilian banks after paying an employee of a technology company only R$15,000 ($2,760) for his corporate credentials, according to law enforcement officials who investigated what they describe as the largest digital heist in the country's history.

The attack targeted C&M Software, a company headquartered in São Paulo that connects smaller banks and fintechs to the infrastructure of the Central Bank of Brazil, including Pix, a payment system. Six financial institutions experienced unauthorized access to their reserve accounts on June 30, and the criminals drained funds in less than three hours.

“This is the biggest fraud that financial institutions have suffered online,” Paulo Barbosa, a São Paulo police detective leading the investigation, said at a press conference on Thursday.

The scheme began in March when the criminals approached João Nazaren Roque, an IT operator at C&M, outside a bar near his house. He admitted to selling the credentials for the company's system for an initial R$5,000 and then received another R$10,000 to create software that enabled the breach. Police arrested the 30-year-old at his residence in Jaraguá on July 3.

Between 4 a.m. and 7 a.m. local time on June 30, the attackers issued fraudulent Pix transfer orders while impersonating the affected banks. BMP, a banking service provider, was one of the most affected, confirming losses of more than R$400 million ($73.8 million) from a central bank account. The company filed an initial police report that exposed the wider attack.

The criminals immediately began to convert the stolen reais into cryptocurrency through Latin American desks and exchanges. Blockchain analysis from crypto sleuth ZachXBT indicates that at least $30 million to $40 million was moved into Bitcoin, Ethereum and Tether (USDT) before the authorities could freeze the accounts. Since then, one wallet containing R$270 million ($49.8 million) has been blocked.

The pseudonymous investigator said earlier today on Telegram that he is helping investigators identify and freeze the cryptocurrency addresses associated with what he described as “one of the craziest cases from this year.”

What is Pix and C&M and why were they targeted?

Pix, a Brazilian instant payment platform launched in November 2020, processes billions of transactions a month and has become a dominant payment method throughout the country. The system allows instant transfers between banks 24 hours a day, including weekends and holidays, and transactions complete almost immediately.

It has become widely adopted because users can link their accounts to familiar identifiers such as their phone number, email or ID number. Pix also enables QR code payments and offers different features designed to compete with credit card providers, including options that allow customers to pay for purchases in installments.

The system interconnects banks and financial institutions directly through the central bank’s digital infrastructure, allowing funds to move immediately between accounts. When a user starts a Pix transfer, the payment request is routed directly through the central bank, which confirms the details and authorizes the transaction in real time. This eliminates the delays associated with traditional bank transfers, which often took a few minutes or even hours to clear, allowing payments and transfers to complete within a few seconds, at any time of day.

Other adjacent technologies have also been implemented in Brazil, such as ones that let banks monitor, for example, transactions at other banks for credit rating purposes.

Unlike previous attacks that targeted individual Pix users through malicious software such as PixPirate, this breach exploited the infrastructure that connects financial institutions with the central bank. The attackers accessed the reserve accounts that banks maintain to settle transactions, not customers’ deposits.

“The analyses conducted so far have not established any technical failures or vulnerability in CMSW systems. The incident occurred due to the unauthorized use of legitimate credentials. In addition to employees’ credentials, there are indications that other methods for verification are. Questions and answers .

Founded in 1992 by Orli Machado, C&M provides messaging services that allow approximately 23 smaller financial institutions to access Brazil’s payment systems without building their own infrastructure. The company's role as an intermediary made it an attractive target for criminals seeking access to multiple banks at the same time.

The Brazilian Central Bank ordered C&M to disconnect from all financial infrastructure on July 2, temporarily disrupting Pix services for several institutions. Banco Paulista reported a “temporary interruption” in instant payments due to an “external failure”, while assuring customers that personal information and funds were not at risk.

Banco Paulista reported a “temporary interruption” in instant payments. Image: screenshot

Federal Police Director Andrei Passos Rodrigues said his agency has launched a direct investigation in coordination with the São Paulo state authorities. Investigators are examining whether the attack involved Brazil's sophisticated cybercriminal networks, which are often coordinated through Telegram and WhatsApp channels.

Roque, the compromised IT operator, told investigators that he had communicated with at least four different voices during the June 30 attack, all of which sounded like young men. He claimed that he had changed cell phones every 15 days to avoid detection and never met the other conspirators in person apart from the initial meeting.

The breach happened despite the Brazilian banking sector having invested heavily in cybersecurity after earlier incidents. C&M stated that it took “all technical and legal measures” after discovering the intrusion and continues to cooperate with the authorities.

BMP assured clients that it had enough collateral to cover the stolen amounts, preventing any customer losses. The central bank has confirmed that it has recovered part of the diverted funds from regulated entities under its control, although recovery efforts remain limited for transfers to unregulated cryptocurrency exchanges.

Police continue to analyze devices seized from Roque’s residence while working to identify other participants. Authorities have created a joint task force with the federal police and the public ministry to trace the cryptocurrency transactions and potentially freeze additional assets.
