Brazil Bank Heist: Insider Bribery Leads to $140M Theft from 6 Banks Via C&M Fintech Firm
Hackers have stolen nearly $140 million from six Brazilian banks by exploiting the credentials of an employee at C&M, a company responsible for maintaining financial connectivity between commercial banks and the Central Bank of Brazil. The incident, which occurred on June 30, was the result of a meticulously orchestrated attack involving the bribery of an insider.
According to Brazilian media reports, the perpetrators gained access to C&M’s restricted systems—linked directly to the Central Bank—after persuading one of the company’s employees, João Nazareno Roque, to sell his corporate credentials for approximately $920. Later, Roque also carried out specific instructions delivered through the Notion platform, for which he received an additional $1,850. These actions enabled the attackers to infiltrate the internal infrastructure and execute the unauthorized transfer of funds.
In an attempt to cover his tracks, Roque reportedly changed mobile phones every two weeks. Nevertheless, his activities were eventually discovered, and he was apprehended by police on July 3 in São Paulo. Investigators believe he was coerced into participating in the scheme as he was leaving a bar, which suggests the hackers had been deliberately profiling and targeting vulnerable employees. The strategy is reminiscent of the recent Coinbase incident, where Indian customer support staff were similarly bribed.
The investigation in Brazil is unfolding along three parallel tracks, though authorities have yet to disclose any details about the hackers’ identities.
Meanwhile, new information has emerged regarding the movement of the stolen funds. Blockchain analyst ZachXBT reported that the attackers had already laundered between $30 million and $40 million into cryptocurrency, utilizing Bitcoin, Ethereum, and Tether. These transactions were funneled through a web of exchanges and anonymous over-the-counter (OTC) platforms across Latin America. ZachXBT also confirmed that he is actively tracking the attackers’ wallets and assisting law enforcement in freezing their assets.
In an official statement to Brazilian journalists, C&M emphasized that the breach was not due to any vulnerability in their software. Rather, the incident stemmed entirely from social engineering tactics—specifically, the manipulation of an employee. The company also noted that its internal security systems swiftly detected the unauthorized access and relayed the necessary information to the authorities.
Despite the magnitude of the heist, critical details remain undisclosed—such as the specific mechanisms of the transactions, the identities of the affected banks, and the ultimate destinations of the stolen funds. The police have yet to release further information, and C&M has so far issued only general statements.