The month of July could barely have started any worse for some financial institutions in Brazil. On 30 June 2025, C&M Software, a Brazilian company that provides a "bridge" helping the country's central bank connect to local banks, revealed that it had been hacked. 810,306,000 Brazilian reals (approximately US$140 million) were stolen from the reserve accounts of six financial institutions because of the security breach.
In the wake of the attack, which made news headlines in Brazil, the country's Banco Central suspended access to C&M Software's platform for all local banks and institutions. At the same time, it investigated what had gone wrong and contained the damage. On 4 July 2025, the news desk of São Paulo's TV Globo reported that the city's police had arrested an employee of C&M Software. The 48-year-old IT worker João Roque, who worked on backend systems at C&M Software, is alleged to have assisted hackers by selling them login credentials for approximately US$2,700, granting them unauthorized access to sensitive critical systems.[1]
According to police, Roque created a mechanism for the hackers to divert funds. According to TV Globo, Roque claims to have only communicated with cybercriminals via cellphone and did not know them personally. He is said to have changed his mobile phone every 15 days to avoid being tracked.
In a police statement, Roque reportedly claimed that he had first been approached in March 2025 by cybercriminals as he was leaving a São Paulo bar. He claims that later he received instructions via WhatsApp and received payments for his services via a motorcycle courier.
The money ultimately stolen by the hackers came from reserve accounts, which financial institutions use to exchange funds between themselves, rather than from accounts belonging to customers, meaning that the attack should not directly impact members of the public. Further investigations into the attack are ongoing. Brazilian authorities have since frozen US$50 million linked to the incident, and C&M Software says that it is cooperating with the investigation and that it has now brought its platform back online. Attacks like this strongly underline the importance of considering not just your organization’s security, but also the security of your suppliers and the risks that their employees might pose.
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.bitdefender.com/en-us/blog/hotforsecurity/employee-arrested-after-brazils-central-bank-service-provider-hacked-for-us-140-million