
An IT operator employed by C&M Software, a firm that bridges financial institutions to Brazil's Central Bank infrastructure, has been arrested for selling his access credentials to hackers, enabling a coordinated cyberattack that siphoned off roughly 800 million reais (about $140 million USD) from six financial institutions.
The suspect, João Nazareno Roque, 48, was arrested by São Paulo's Cybercrime Police Division on July 4 in the City Jaraguá neighborhood. Investigators allege that Roque, who had recently transitioned into a junior back-end development role at C&M, sold his login credentials for R$5,000 ($900) and later accepted an additional R$10,000 ($1,800) to carry out further technical actions on behalf of the threat actors. The attack was first publicly confirmed on July 3, after C&M reported that operations had resumed with Central Bank authorization, though the scale of compromise downstream remained unknown at the time.
Roque's recruitment allegedly began in March when he was approached outside a São Paulo bar by an unidentified man who appeared to know details about his work at C&M. Shortly afterward, he received a WhatsApp call offering payment for his credentials. Following the initial transaction, the hackers directed Roque to create a Notion account through which they delivered operational instructions. Roque proceeded to execute remote commands from his personal computer, according to his police testimony. To evade detection, he claims he rotated phones biweekly and maintained only mobile contact with the attackers.
C&M Software acts as an intermediary for smaller banks that lack direct infrastructure to connect with national financial systems like PIX. The company emphasized in a public statement that no technical breach occurred in its systems. Instead, it attributed the incident to social engineering tactics used to obtain Roque's corporate credentials. C&M says it has been cooperating with authorities from the outset and implemented containment and monitoring protocols that helped trace the intrusion's origin.
The financial impact of the breach is among the most significant in Brazil's digital banking history. Blockchain researcher ZachXBT reported that approximately $30–40 million of the stolen funds were converted into Bitcoin, Ether, and Tether (USDT), and then laundered through over-the-counter exchanges and regional crypto platforms, complicating asset recovery efforts.
Authorities in Brazil are treating the breach as part of a broader, sophisticated cyber operation, with three parallel investigations ongoing, though few details about them have been disclosed so far.