On August 29, 2025, Brazilian fintech Sinqia S.A., a subsidiary of Evertec Inc., suffered a major security breach involving Brazil’s real-time payment system, Pix.
According to Evertec’s 8-K filing with the US Securities and Exchange Commission, attackers processed approximately R$710 million (~$140 million USD) in unauthorized transactions affecting two financial institutions using Sinqia’s Pix transaction processing platform.
The breach was detected on the same day and led to an immediate halt in transaction processing. Sinqia followed its incident response protocol and engaged third-party cybersecurity forensic experts. In response, the Banco Central do Brasil (BCB) disconnected Sinqia from the national payments infrastructure, blocking its access until it completes remediation and receives regulatory approval to resume operations.
The breach was initially reported by Brazilian media on August 30, with details suggesting R$380 million was stolen from HSBC and another R$40 million from Artta, a local direct credit institution. Although the initial reports cited a total of R$420 million, Evertec’s filing reveals a higher estimate of R$710 million in fraudulent transactions, indicating the full scope of the breach may have been uncovered during forensic investigation. The BCB has since confirmed it was able to freeze R$350 million, with recovery efforts ongoing.
Sinqia is a key infrastructure provider in Brazil’s financial ecosystem, offering software that connects banks and financial institutions to systems like Pix. While the core Pix infrastructure managed by the BCB was not compromised, the attackers exploited Sinqia’s systems to push fraudulent transactions through the payment network.
According to preliminary forensic analysis, the attack was facilitated through compromised credentials belonging to legitimate IT vendors of Sinqia. These credentials were used to inject unauthorized transactions into the Pix environment. Once discovered, access tied to those credentials was revoked.
The incident appears isolated to Sinqia’s Pix platform, which is used by 24 financial institutions in Brazil. Evertec stated that no other services or products under its broader portfolio were affected, and there’s currently no indication of personal data exposure.
HSBC, the largest institution affected, clarified that its customer accounts and funds were not directly impacted, as the fraudulent transactions occurred within a service provider’s environment. The bank said it had acted swiftly to block suspicious transfers and is cooperating with authorities. Artta issued a similar statement, noting that the attack targeted its settlement accounts with the BCB, not client accounts, and emphasized that it halted outbound transfers as a precautionary measure.
Evertec acknowledged in the filing that financial and reputational damage could be “material,” and the full extent of liabilities remains under review. The company has yet to determine how much of the stolen funds can be recovered or whether insurance coverage will apply.
Sinqia is currently rebuilding its Pix infrastructure in a newly isolated environment with enhanced monitoring and additional security layers. The BCB will need to validate and approve these changes before reconnecting the platform to the national payments network.
Leave a Reply