322/68 Thursday, September 4, 2025
Evertec Inc., a major fintech and payment processing company in Latin America and the Caribbean, disclosed that on August 29, 2025, its Brazilian subsidiary Sinqia S.A. was compromised in a cyberattack. Hackers gained access to Pix, the Central Bank of Brazil’s real-time payment system, and attempted to carry out unauthorized transactions totaling more than $130 million USD. The incident was reported to the U.S. Securities and Exchange Commission (SEC).
Upon detecting the anomaly, Sinqia immediately halted Pix transaction processing and engaged external cybersecurity experts to investigate. The attack targeted transactions between two financial institutions, with local media speculating about HSBC’s involvement. However, the bank confirmed that neither customer funds nor data were affected. Evertec stated that a portion of the stolen funds has already been recovered, though the exact amount has not been disclosed.
Investigations revealed that the attackers accessed Pix using stolen credentials from an IT vendor account, which enabled them to infiltrate Sinqia’s systems. The Central Bank of Brazil has temporarily suspended Sinqia’s Pix access until sufficient evidence and assurances of security are provided. Evertec confirmed that no personal data was leaked and that the impact was limited strictly to the Pix environment. Nevertheless, the company acknowledged that the financial and reputational damage could be severe, given that Pix is Brazil’s most widely used payment system and a frequent target of Android banking malware.
