How a Hacker Spent Only $2.7K to Steal $140 Million From Brazilian Banks

by shayaan

In short

  • Hackers have stolen $140 million from a network of Brazilian banks connected to the country’s central banking system.
  • The hackers orchestrated the scheme by paying only $2,760 to an employee of a technology company for his credentials.
  • The hackers then laundered the stolen money through crypto, using Bitcoin, Ethereum and Tether.

Here is some ammunition for proponents of decentralization: hackers stole about R$800 million ($140 million) from Brazilian banks after paying an employee of a technology company only R$15,000 ($2,760) for his company credentials, according to law enforcement officials investigating what they describe as the largest digital robbery in the country's history.

The attack targeted C&M Software, a company based in São Paulo that connects smaller banks and fintechs to Brazil's central bank infrastructure, including the PIX instant payment system. Six financial institutions experienced unauthorized access to their reserve accounts on 30 June, with criminals draining money in less than three hours.

“This is the biggest fraud suffered by financial institutions via the internet,” Paulo Barbosa, the São Paulo police detective who leads the investigation, said at a press conference Thursday.

The scheme started in March, when criminals approached João Nazareno Roque, an IT operator at C&M, outside a bar near his house. Roque admitted to selling his system credentials, initially for R$5,000, and then receiving a further R$10,000 to help build software that made the breach possible. Police arrested the 30-year-old at his residence in City Jaraguá on July 3.

Between 4 and 7 am local time on 30 June, the attackers issued fraudulent PIX transfer orders while posing as the affected banks. BMP, a banking-as-a-service provider, was among the hardest hit, confirming losses of more than R$400 million ($73.8 million) from its Central Bank reserve account. The company filed the first police report, which uncovered the broader attack.

The criminals immediately started converting the stolen reais into cryptocurrency through Latin American over-the-counter desks and exchanges. Blockchain analysis by crypto sleuth ZachXBT indicates that at least $30 million to $40 million moved into Bitcoin, Ethereum and Tether (USDT) before the authorities could freeze accounts. One wallet holding R$270 million ($49.8 million) has since been blocked.

Earlier today, the pseudonymous researcher said via Telegram that he had helped investigators identify and freeze the cryptocurrency addresses related to what he described as “one of the most insane cases this year.”

What are PIX and C&M, and why were they targeted?

PIX, Brazil's instant payment platform, launched in November 2020, processes billions of transactions monthly and has become the dominant payment method throughout the country. The system enables instant transfers between banks 24 hours a day, including weekends and holidays, with transactions completing almost immediately.

It is widely adopted because users can link their accounts to familiar identifiers such as their telephone number, email or ID number. PIX also supports QR code payments and offers various features designed to compete with credit card providers, including options that let users pay for purchases in installments.

The system works by connecting banks and financial institutions directly through the central bank's digital infrastructure, so that funds can move between accounts instantly. When a user initiates a PIX transfer, the payment request is routed directly through the Central Bank, which verifies the details and authorizes the transaction in real time. This eliminates the delays of traditional bank transfers, which often took minutes or even hours to clear, so that payments and transfers can be completed within a few seconds at any time of day.

Other adjacent technologies have been implemented in Brazil, for example allowing banks to check transactions at other banks for credit assessment.

In contrast to earlier attacks on individual PIX users via malware such as PixPirate, this breach exploited the infrastructure that connects financial institutions with the Central Bank. The attackers gained access to the reserve accounts that banks maintain to settle transactions, rather than to customers’ deposits.

“The analyses performed so far have not identified technical failures or vulnerabilities in the CMSW systems. The incident took place as a result of the unauthorized use of legitimate credentials. In addition to the employee’s login data, there are indications that other authentication methods can be used.”

C&M, founded in 1992 by Orli Machado, offers messaging services that give about 23 smaller financial institutions access to Brazil's payment systems without building their own infrastructure. The company's role as an intermediary made it an attractive target for criminals seeking access to multiple banks at once.

The Central Bank of Brazil ordered C&M to disconnect from all financial infrastructure on 2 July, temporarily disrupting PIX services for several institutions. Banco Paulista reported a “temporary interruption” in instant payments due to an “external malfunction”, while reassuring customers that no personal data or funds were affected.

Banco Paulista reported a “temporary interruption” in instant payments. Image: Screenshot

Federal police director Andrei Passos Rodrigues said that his agency launched an immediate investigation in coordination with São Paulo state authorities. Investigators are examining whether the attack is connected to Brazil's sophisticated cybercriminal networks, which often coordinate via Telegram and WhatsApp channels.

Roque, the compromised IT operator, told investigators that he communicated with at least four different voices during the 30 June attack, all sounding like young men. He claimed to have changed mobile phones every 15 days to avoid detection and never to have met the other conspirators in person apart from the first encounter at the bar.

The breach took place despite the Brazilian banking sector having invested heavily in cybersecurity after previous incidents. C&M stated that it had implemented “all technical and legal measures” after discovering the intrusion and continues to cooperate with authorities.

BMP assured customers that sufficient collateral covered the stolen amounts, preventing any customer losses. The Central Bank confirmed that part of the diverted funds has been recovered from regulated entities under its supervision, although recovery efforts are limited for transfers to unregulated cryptocurrency exchanges.

The police continue to analyze devices from Roque’s home while working to identify other participants. Authorities have established a joint task force with the federal police and the public ministry to trace the cryptocurrency transactions and possibly freeze additional assets.
