Hackers Use C&M Employee Credentials to Steal Over $140 Million from Brazilian Banks

250/68 Wednesday, July 9, 2025

A group of hackers has stolen more than $140 million USD from six banks in Brazil by exploiting the credentials of an employee at C&M, a financial connectivity solutions provider. The incident occurred on June 30, when attackers tricked a C&M employee into handing over login information and executing specific commands that enabled system access. The employee reportedly received an initial payment of around $920 USD and an additional $1,850 USD for running commands inside the system.

Local media reports identified the employee as João Nazareno Roque, who admitted to selling his login credentials to the attackers. This allowed the hackers direct access to systems linked with Brazil’s central banking infrastructure. Roque was instructed via the Notion platform and attempted to cover his tracks by changing his mobile phone every 15 days. He was arrested on July 3 in São Paulo. Reports indicate the hackers initially approached him outside a bar, highlighting a calculated and targeted approach—similar to the Coinbase case in which a support staff member in India was bribed to leak customer data.

Meanwhile, well-known blockchain investigator ZachXBT revealed on Telegram that the attackers have already converted between $30 and $40 million of the stolen funds into cryptocurrencies like BTC, ETH, and USDT through various platforms, including unnamed OTC markets in Latin America. ZachXBT is currently tracking the associated wallets and collaborating with authorities to freeze the assets.

C&M issued a statement confirming that its systems remain secure, emphasizing that the incident was not due to any technical vulnerability but rather a result of human error and social engineering. The company stated that its security framework played a key role in detecting the abnormal access and supporting the ongoing police investigation. Brazilian authorities are currently investigating at least three related cases, though the identities of the attackers have not been officially disclosed.

Source: https://www.bleepingcomputer.com/news/security/employee-gets-920-for-credentials-used-in-140-million-bank-heist/