Executive Summary

This article presents a detailed analysis of one of the most severe cybersecurity incidents ever to impact Brazil's Payment System (Sistema de Pagamentos Brasileiro – SPB), which occurred in June and July of 2025. The breach was directly linked to C&M Software, a major Information Technology Services Provider (PSTI) for the national banking sector. This incident exposed, for the first time at this scale, the critical role PSTIs play within the financial ecosystem, and how internal vulnerabilities can reverberate systemically, compromising the integrity of financial operations across hundreds of banks and institutions.

The Brazilian Financial System (Sistema Financeiro Nacional – SFN) serves as the infrastructure enabling the circulation of money, credit, and payments throughout the country. It involves the Central Bank, banks, fintechs, credit cooperatives, payment institutions, and specialized technology providers, such as PSTIs. Through the SPB and the Instant Payments System (SPI), the SFN ensures fast, secure, and traceable settlement of fund transfers between institutions, thereby upholding trust and maintaining market functionality.

This cyberattack was facilitated through the compromise of C&M Software’s internal IT environment. A malicious insider—an employee of the PSTI—was recruited by a cybercriminal group and, in exchange for financial compensation, granted privileged access to internal systems, passwords, and sensitive institutional certificates. That access allowed attackers to manipulate the credentials and private keys of several C&M clients, primarily banks and fintechs, including BMP Money Plus. From there, attackers generated fraudulent transactions, signed in proper compliance with SPI's cryptographic and procedural standards, allowing them to be instantly settled by the Central Bank. As these operations were technically valid, they were automatically debited from the reserve accounts of the victim institutions.

Because C&M Software acted as a core technical hub for hundreds of institutions, the breach had a wide-reaching and magnified impact. Not only did BMP Money Plus suffer substantial financial losses, but at least five other institutions were also compromised. The siphoned funds were immediately funneled through accounts held by mules, then quickly transferred to cryptoasset exchanges for conversion into Bitcoin and USDT, effectively complicating their traceability and recovery.

Due to its central role, C&M was at the center of the response efforts: alerted by affected institutions, C&M notified the Central Bank, implemented emergency containment measures, and had its operations within the SPB suspended until robust new controls could be enforced. The incident underscores how shortcomings in governance, privilege management, and certificate protection can result in systemic consequences. This analysis underscores the necessity of key security measures, including behavioral monitoring, automated credential management, just-in-time access control, and strict separation of client secrets to prevent similar events within such a highly interconnected financial environment like the SFN.

‍

1. Introduction

In a financial system built on trust and speed, a single insider can bring the entire network to a halt.
‍

Over the last two decades, Brazil has emerged as a global reference in financial innovation and infrastructure modernization. Its Financial System (SFN) stands out for its level of digital maturity, robust regulatory framework, and ability to integrate multiple market actors, fostering inclusion, efficiency, and large-scale security. One of the latest milestones in this evolution is the Instant Payment System (SPI), which, in tandem with PIX, has positioned Brazil ahead of many global markets in terms of speed and ubiquity of electronic fund transfers.
‍

PIX/SPI has become the financial backbone for transactions involving individuals, businesses, fintechs, and banks, processing billions of transfers with near-immediate settlement across accounts belonging to different institutions. This orchestration is made possible not just by the Central Bank but by a network of specialized providers—the Information Technology Services Providers (PSTIs)—who perform critical functions in clearing, settlement, and interconnection for traditional banks, credit unions, payment institutions, and digital platforms. The advent of open finance has further intensified reliance on these technical intermediaries, expanding both the number and diversity of participants and interfaces within Brazil’s digital financial ecosystem.
‍

However, this growth also brings new and complex challenges. As digitalization progresses and integrations multiply, so too do points of exposure to cyber threats, fraud, governance failures, and supply chain vulnerabilities. With operations distributed across many players—often with unequal security maturity—an isolated breach has the potential to jeopardize the confidentiality, integrity, and systemic availability of services that individuals and businesses rely on daily. Additionally, given the growing use of APIs, outsourced operations, and the sharing of institutional secrets, new attack surfaces are created for insiders, cybercriminals, and advanced persistent threat (APT) actors.
‍

The case examined in this article offers a stark exemplification of the risks and critical weak points in Brazil’s so-called “chain of trust.” By analyzing a real-life breach involving a central PSTI supporting banks and fintechs, we highlight the root causes, technical and institutional impacts, and practical recommendations to strengthen system resilience, privileged access management, and behavioral security controls within a complex and highly interconnected financial environment.
‍

‍

2. Understanding Brazil’s Financial System

The SFN operates via multiple interconnected components to ensure fast and secure interbank settlements. The Central Bank of Brazil (BACEN) serves as both the top regulator and operator of the Brazilian Payment System (SPB), which includes banks, payment institutions, technology providers (PSTIs), and cryptocurrency exchanges.
‍

Reserve Accounts

A cornerstone of the SPB is the reserve account, maintained by each financial institution with the Central Bank. These accounts power SPI (Instant Payment System), enabling irreversible, real-time transaction settlements via PIX.
‍

Banking-as-a-Service (BaaS)

BaaS platforms like BMP Money Plus enable fintechs, funds, and digital platforms to leverage full banking infrastructure, maintain reserve accounts, and facilitate payments through the SPB.
‍

Role of Exchanges

Cryptocurrency exchanges such as SmartPay and Truther bridge traditional finance and the crypto world, playing an essential role in transaction traceability and regulatory compliance at scale.

‍

3. Incident Description

At 4:00 a.m. on June 30, 2025, a senior executive at BMP Money Plus—a fintech specializing in banking-as-a-service (BaaS) solutions—received an unexpected call from CorpX Bank, alerting him to an unauthorized transfer of R$18 million from BMP’s reserve account. As the person responsible for managing those reserves with the Central Bank, the executive quickly identified that other similarly unauthorized PIX transactions were actively underway at that moment. BMP’s internal team immediately launched containment efforts and, by around 5:00 a.m., officially reported the incident to C&M Software, their critical payment processing service provider.
‍

Initial investigations and information published in the media indicated that the attack originated from an internal compromise at C&M Software—one of the leading PSTIs in Brazil’s Payment System (SPB). An internal facilitator, allegedly motivated by financial gain, provided privileged credentials to cybercriminals and assisted in executing malicious commands within company systems. Possessing privileged access and the digital certificates of C&M’s financial institution clients—including BMP itself and at least five other institutions—the attackers were able to inject fraudulent PIX orders directly into the SPI/SPB infrastructure. Because the transactions were digitally signed using valid institutional certificates, the Central Bank’s core systems processed them as legitimate, immediately debiting funds from the reserve accounts of the victim institutions.
‍

It is estimated that approximately R$400 million was siphoned from BMP’s reserve account alone, with R$160 million later successfully recovered. Following the breach, stolen funds were swiftly transferred to accounts held by third parties at smaller banks and payment institutions, particularly cryptoasset platforms integrated with PIX, including exchanges, gateways, and swap platforms. Most of the stolen funds were quickly converted into USDT or Bitcoin, further complicating traceability. However, in at least one case, an exchange that detected a high volume of suspicious activity froze the settlement and immediately notified BMP, thereby preventing the dispersion of a portion of the stolen funds.
‍

Given the magnitude of the attack and in order to prevent further losses, the Central Bank ordered an emergency suspension of C&M Software’s systems from the SPB—affecting PIX operations across more than 300 financial institutions that relied on its services. Despite the substantial financial damage, BMP Money Plus publicly emphasized that no end-customer funds were affected and that institutional guarantees fully covered the stolen amounts. Meanwhile, the Federal Police, activated by the Central Bank, opened a formal investigation to examine potential crimes such as criminal conspiracy, fraud-related theft, unauthorized system intrusion, and money laundering. The case remains under active investigation.

4. Incident Timeline

Below is the timeline of key events related to the incident—from initial compromise to response—based on information available at the time.

• June 30, 2025 – 12:18 AM: Exchanges such as SmartPay and Truther detect unusually high transaction volumes in Bitcoin/USDT and alert executives at financial institutions.
• June 30, 2025 – 4:00 AM: A BMP Money Plus executive is informed of an unusual PIX transfer totaling R$18 million; multiple unauthorized transactions are identified.
• June 30, 2025 – 5:00 AM: BMP executives report the incident to C&M Software.
• June 30, 2025: The Central Bank orders the emergency disconnection of C&M Software from the SPB.
• July 1, 2025: News portal Brazil Journal publishes an in-depth report on the cyberattack.
• July 2, 2025: BMP Money Plus issues an official statement acknowledging the breach.
• July 3, 2025: The Central Bank announces the partial restoration of C&M Software's operations and confirms the arrest of an employee involved in the incident.
• July 4, 2025: Authorities confirm the detention of a staff member suspected of aiding the cybercriminal operation.

5. Technical Analysis of the Incident

The incident that unfolded between June 29 and July 4, 2025, may represent one of the largest systemic frauds ever recorded within Brazil's Payment System (SPB), involving a wide range of actors—from external cybercriminals and internal insiders to financial institutions, technology service providers, and regulatory authorities. Below is a technical, chronological breakdown of the attack’s modus operandi, the mechanisms exploited, the money flow, and institutional responses.

‍

1. Initial Compromise: Insider Threat and Privilege Escalation

The first step in the incident was an internal compromise at C&M Software, an authorized and mission-critical Information Technology Services Provider (PSTI) within Brazil’s financial ecosystem. According to official investigations and media reports, an employee at C&M—referred to here as the "Facilitator"—was recruited by a cybercriminal group. Motivated by financial incentives, the insider shared administrative credentials and, following external instructions, executed strategic commands that enabled the attackers to operate undetected within the company's internal environment.
‍

This privileged access was essential. It allowed the attackers to discover and retrieve cryptographic keys and digital certificates belonging to C&M’s client institutions, enabling the group to digitally impersonate those financial institutions. In many financial environments, inadequate segregation of secrets management (keys, certificates, and credentials) between clients and tech providers makes these attacks exponentially more dangerous.

‍

2. Injection of Fraudulent Orders and Automated Settlement

Once in possession of the original digital credentials and certificates belonging to compromised institutions—particularly BMP Money Plus and at least five others—the attackers began fabricating and injecting PIX payment orders directly into SPI (Instant Payment System) and SPB. Since the digital signatures were valid and the requests followed standard cryptographic formats, the Central Bank’s settlement infrastructure processed and executed them as legitimate. The SPI system, by design, presumes the authenticity of requests from verified participants.
‍

During the night of June 29 to June 30, these operations were carried out in bulk, automated fashion, outside of business hours—when manual oversight tends to be minimal. The reserve accounts of the victim institutions—held with the Central Bank for interbank operations—were systematically debited without triggering any SPI anomalies.

‍

3. Rapid Dispersion and Chain Effect

The next step involved the immediate dispersion of stolen funds. Large amounts—often sent in batches—were moved to "mule accounts" and smaller payment institutions (PIs), many of which featured less stringent KYC, onboarding, and compliance protocols. Funds were then transferred to cryptoasset service providers such as exchanges, OTC platforms, and swap apps. There, they were converted into Bitcoin and USDT and moved to wallets held by the attackers—often split into many small transactions to evade tracing.
‍

This sequence underscores the attackers’ operational sophistication:

• Exploiting supply chain links between the PSTI (C&M) and multiple banks/fintechs;
• Leveraging scripts and automation to submit dozens of transactions in succession;
• Executing the fraud during off-peak operational hours.

‍

4. Timeline of Actions, Detection, and Response

🕛 June 30, 2025 – 12:18 AM: Initial Detection by Exchanges
SmartPay and Truther exchanges were the first to detect suspicious activity. Their monitoring systems flagged abnormal transaction volumes and unusual purchases of Bitcoin/USDT made via PIX, triggering alerts to internal compliance teams and associated financial institutions.
‍

🕓 June 30, 2025 – 4:00 AM: BMP Executives Flag the Incident
Prompted by exchange alerts and transaction analysis, a BMP Money Plus executive was contacted by a CorpX Bank representative regarding an extraordinary PIX transfer of R$18 million originating from BMP. This kicked off an internal audit that revealed several unauthorized SPI transactions debiting BMP’s reserve account.
‍

🕔 June 30, 2025 – 5:00 AM: Incident Escalation
BMP formally notified C&M Software, reporting the breach and requesting urgent assistance from the provider responsible for part of the institution’s interbank infrastructure. By this point, the breadth of the attack suggested a systemic compromise affecting multiple C&M clients.
‍

⚠️ June 30, 2025: Regulatory Response — Central Bank Intervention
With converging reports from exchanges, BMP, and other affected financial institutions, the Central Bank was officially notified of a potential systemic breach. As an emergency measure, it ordered the precautionary suspension of C&M Software’s connections to SPB—halting PIX operations across all institutions that interfaced through its platform. This action aimed to prevent further fraud and maintain system liquidity, despite triggering operational interruptions for hundreds of banks, fintechs, and payment entities.
‍

📰 From July 1, 2025 Onward: Public Disclosure, Analysis, and Partial Recovery
In the days that followed, national media widely covered the breach, and official statements from BMP, C&M Software, and the Central Bank confirmed that no end-user funds had been affected. BMP reported that, of the R$400 million initially stolen, approximately R$160 million had been recovered through rapid collaboration with crypto exchanges, court orders, and financial tracing efforts.
‍

Later, the Central Bank authorized the partial reactivation of C&M’s services—only after new control mechanisms and stricter access segregation were implemented. Amid the ongoing investigation, authorities confirmed the identification and arrest of the "facilitator", the insider who enabled the breach. The Federal Police continues to investigate charges related to unauthorized access, banking fraud, and money laundering.

‍

5. Operational Roles Across the Attack Chain

• Cybercriminals: Strategized and executed the attack, exploiting both human and technical vulnerabilities. Used automation to scale operations and reduce execution time.
• Insider (Facilitator): Served as the human vulnerability, granting "legitimate" access to core systems. Illustrates the danger of excessive privilege and lack of behavioral monitoring.
• C&M Software (PSTI): Due to the absence of strong access segregation and behavioral controls, acted as the point of compromise that exposed its entire client base.
• Victim FIs: Banks and fintechs whose reserve accounts were debited, suffering direct financial loss and reputational impact.
• SPI/SPB: The infrastructure processed all digitally signed payment orders as expected—highlighting the limitations of automated controls against insider-originated attacks.
• Mule Accounts / Payment Institutions (PIs): Weak onboarding and due diligence processes made them attractive channels for laundering and dispersing stolen funds.
• Exchanges: A key positive aspect—proactive exchange-based compliance systems successfully detected, contained, and reported portions of the fraud, helping reduce total impact.

Below, you'll find a step-by-step visualization of the incident flow:

6. MITRE ATT&CK Mapping

The attack on C&M Software’s environment demonstrates a well-defined chain of techniques documented in the MITRE ATT&CK Framework (Enterprise v17). Mapping these techniques supports threat hunting, incident response, and the enhancement of internal security controls across financial institutions and PSTI providers.
‍

Below, we highlight the main tactics and techniques involved, referencing specific examples from the 2025 incident.

7. APT Groups: Exploratory Assessment

It is important to highlight that, as of now, none of the groups listed below have any confirmed connection to the attack under investigation. These references are intended primarily to inform threat intelligence efforts and assist in shaping strategic defense planning.
‍

Although there has been no formal attribution to any internationally recognized Advanced Persistent Threat (APT) groups, the technical analysis of the attack on C&M Software reveals multiple operational similarities with campaigns previously carried out by sophisticated threat actors. These actors vary in motivation, technical breadth, and focus—often targeting critical financial infrastructures.
‍

The purpose of this mapping is to help place the Brazilian incident within the context of global cyber threat trends, supporting the early identification of attack patterns and contributing to more proactive and intelligence-driven defense strategies.

The groups outlined below demonstrate common Tactics, Techniques, and Procedures (TTPs) seen in supply chain compromises, banking intrusions, ransomware campaigns, and money-laundering-driven data exfiltration:

‍

Notable Examples

• Plump Spider – Known for leveraging the Clop ransomware, this group has been involved in systemic attacks on global financial institutions. Its operations often combine supply chain compromise, large-scale data and confidential information exfiltration, and laundering of proceeds via cryptoasset mixer services.
• TA505 – Specializes in malspam-driven campaigns, frequent use of Cobalt Strike for post-exploitation, and targeted attacks on banks and fintechs. Notable for its ability to rapidly convert and disperse illicit funds.
• FIN7 / Carbanak – With an established reputation for social engineering and persistent access to banking environments, FIN7 is known for extended campaigns that leverage legitimate infrastructure and internal credentials to facilitate stealthy data exfiltration and fund diversion.
• LAPSUS$ – Gained notoriety for its highly visible and theatrical attacks on major enterprises, with a particular focus on social engineering, privileged access acquisition, and the public exposure of stolen data. While the group is not a direct fit for this incident, which centers on financial operations, some alignment remains in terms of initial access and insider exploitation tactics.

‍

8. Mitigation Strategies

Given the context and the vulnerabilities exposed by the incident, we propose a set of mitigation measures focused on behavioral security, automated credential management, and strong governance across the digital supply chain:

• Behavioral Analytics: Real-time detection of anomalous privileged access; automatic blocking based on deviation patterns, with correlation by geolocation, time of access, and other indicators.
• Just-in-Time Access: Grant privileged access strictly for specific tasks or timeframes, thereby reducing exposure windows to insider threats.
• Credential Rotation (triggered by anomalous behavior): Credentials are automatically refreshed or revoked upon detection of any suspicious activity.
• Secrets and Token Management for APIs and Supply Chain: Deployment of secure vaulting tools to safely isolate and manage third-party integrations and secrets.
• Certificate Management and Rotation: Continuous monitoring and automated renewal of digital certificates used in critical financial operations.
• Third-Party Access Control: Implementation of Zero Trust policies for partners, with strict onboarding and offboarding processes.

Reference Architecture: A recommended visual design illustrating an integrated security model for PSTIs, financial institutions, and the Central Bank (suggested as a flowchart or architecture diagram).

‍

9. Conclusion

The attack that impacted C&M Software and multiple institutions connected to Brazil’s Payment System (SPB) underscores the critical role of behavioral cybersecurity and credential control in safeguarding financial ecosystems. This event exposed significant weaknesses in privileged access management, particularly within trust relationships between financial institutions and their technology service providers. It clearly demonstrates that traditional paradigms—relying solely on logical perimeters, firewalls, and network segmentation—are insufficient to defend against insider threats, supply chain compromise, and sophisticated attacks enabled by the misuse of valid credentials and seemingly legitimate but unauthorized operations.
‍

The incident revealed that insider actions, improper certificate usage, and the absence of behavioral monitoring allowed fraudulent activity to flow through automated systems without triggering alarms across various points in the chain. Additionally, it reinforced the importance of traceability, real-time threat intelligence, and collaborative defense among key ecosystem players including fintechs, banks, exchanges, and regulatory bodies.
‍

From the lessons learned, the following mitigation strategies stand out:

• Continuous Behavioral Analytics: Monitor privileged user behavior in real time, generating alerts and automated blocks when anomalies are detected—such as unusual access times, organizational changes, or abnormal geolocation data.
• Just-in-Time Access & Least Privilege: Minimize the time during which sensitive credentials remain active. Grant access strictly for specific tasks and timeframes, with comprehensive logging and traceability.
• Credential Rotation Triggered by Anomalies: Implement mechanisms for the automatic replacement of passwords, tokens, and certificates whenever suspicious behavior is detected—preventing persistence or reuse of compromised access.
• Secure Management of Secrets, Tokens, and Digital Certificates: Centralize the lifecycle control, usage auditing, and periodic renewal of these assets—especially across integrations between financial institutions, PSTIs, and APIs—to mitigate leakage and misuse risks.
• Zero Trust Policies and Tight Third-Party Controls: Define robust procedures for granting, monitoring, and revoking access to partners, vendors, and external teams. Ensure consistent due diligence and oversight.
  ‍

Ultimately, the case highlights that operational resilience, rapid intelligence sharing, transparent communication, and the integration of technical and procedural controls are foundational pillars for the systemic defense of the national financial environment in the face of evolving and sophisticated threats.

Speak to Our Experts
To learn how Segura® can support your organization in behavioral cybersecurity, privileged access management, and fraud-resistant architecture, contact us for a personalized strategic assessment.

‍

Resources

• https://g1.globo.com/sp/sao-paulo/noticia/2025/07/04/ataque-hacker-quem-e-suspeito-de-entregar-acesso-ao-sistema-que-liga-bancos-do-PIX.ghtml
• https://www.infomoney.com.br/brasil/ataque-hacker-afeta-infraestrutura-de-empresa-ligada-ao-PIX-prejuizo-supera-r800-mi/
• https://www.linkedin.com/pulse/incidente-cibern%C3%A9tico-de-caracter%C3%ADsticas-complexas-desviou-valores-avjuf/?trackingId=uN0Xaz4aTmyfxIVqCfWCvA%3D%3D
• https://medium.com/@thiago_28988/plump-spider-an%C3%A1lise-t%C3%A9cnica-e-estrat%C3%A9gica-de-um-grupo-de-amea%C3%A7a-avan%C3%A7ada-contra-o-setor-6afdd0fd8b3b
• https://blog.quimerax.com/entenda-o-suposto-vazamento-de-16-bilhoes-de-credenciais-o-que-realmente-aconteceu-segundo-nossa-equipe-de-cti/
• https://br.cointelegraph.com/news/hackers-steal-r-1-billion-from-the-central-bank-of-brazil-s-reserve-account-and-convert-it-into-bitcoin-and-usdt
• https://www.reuters.com/world/americas/brazils-cm-software-hit-by-cyberattack-central-bank-says-2025-07-02/
• https://g1.globo.com/economia/noticia/2025/07/04/ataque-hacker-recursos-desviados.ghtml
• https://tiinside.com.br/en/03/07/2025/empresa-alvo-de-ataque-hacker-volta-a-operar-com-autorizacao-do-bc/
• https://valorinternational.globo.com/markets/news/2025/07/02/hackers-steal-r400m-in-attack-on-PIX-connected-fintech.ghtml
• https://www.coindesk.com/business/2025/07/04/hackers-behind-usd140m-brazil-banking-heist-turn-to-crypto-to-launder-their-loot
• https://www.linkedin.com/posts/quimerax_hackers-roubaram-r-1-bilh%C3%A3o-da-conta-de-activity-7346212530903511043-R6Wu
• https://valorinternational.globo.com/markets/news/2025/07/02/hackers-steal-r400m-in-attack-on-PIX-connected-fintech.ghtml
• https://www.axur.com/pt-br/ (Report)
• https://g1.globo.com/sp/sao-paulo/noticia/2025/07/04/policia-civil-prende-em-sp-suspeito-envolvido-em-ataque-hacker-contra-o-banco-central.ghtml
• https://g1.globo.com/sp/sao-paulo/noticia/2025/07/04/preso-por-ataque-ao-sistema-financeiro-vendeu-senha-a-hackers-por-r-15-mil-e-trocava-de-celular-a-cada-15-dias.ghtml