A recent cyberattack on Brazil’s banking sector has exposed the profound risks posed by insider threats and social engineering, after hackers stole nearly $140 million from six financial institutions using credentials purchased from a company employee for just $920.
Anatomy of the Breach
The attack targeted C&M, a financial connectivity provider that links banks to Brazil’s Central Bank. According to investigators, João Nazareno Roque, an employee at C&M, was approached by cybercriminals who offered him a modest sum in exchange for his corporate login credentials. Roque ultimately provided access for $920 and performed additional actions within the company’s systems at the hackers’ direction, for which he received a further $1,850.
The hackers exploited Roque’s access to facilitate unauthorized transfers, leveraging the privileged position C&M holds in the country’s financial infrastructure. The breach was not the result of a technical vulnerability, but rather a classic case of social engineering—demonstrating that even the most robust technical defenses can be undermined by human factors.
Laundering the Proceeds
Following the theft, blockchain analysts reported that between $30 million and $40 million of the stolen funds were rapidly converted into cryptocurrencies, including Bitcoin, Ethereum, and Tether, using both traditional exchanges and over-the-counter (OTC) markets across Latin America. This swift conversion has complicated efforts to trace and recover the stolen assets.
Investigation and Response
Roque attempted to conceal his involvement by frequently changing mobile phones, but was apprehended by authorities in São Paulo on July 3, 2025. C&M has since issued a statement emphasizing that its security systems were instrumental in identifying the source of the breach and supporting law enforcement efforts. The company stressed that the incident was not caused by a technical flaw, but rather by the exploitation of an employee.
Brazilian authorities have launched multiple investigations into the heist, though details regarding the identities of the hackers remain undisclosed.
