Hacker attack could result in losses exceeding R$1 billion and more victims
The São Paulo Civil Police estimates that the losses caused by the hacker attack on the company C&M Software could exceed R$1 billion, as more financial institutions report losses related to the case.
The information was confirmed by delegate Paulo Eduardo Barbosa, responsible for the Cyber Crimes Division (DCCiber), in a report by Valor Econômico .
According to the published survey, six affected companies were initially identified. Among the known cases, the losses of R$541 million suffered by BMP Money Plus, R$104 million by another bank, and R$49 million by a third institution stand out. According to Barbosa, other institutions are likely involved, but, for fear of reputational damage, they choose not to notify the police, especially when the losses are smaller.
The Central Bank has been providing support to the investigation, albeit without involving a dedicated technical team. According to the police chief, the current phase involves tracking the embezzled funds and analyzing the computers used by former C&M employee João Nazareno Roque, suspected of facilitating the attack. He was temporarily arrested, and after the initial five-day period, the court authorized the conversion of his arrest to preventive detention.
The investigation also has support from the Public Prosecutor's Office. So far, approximately R$15 million converted into crypto assets has been frozen. Police are seeking to identify the group responsible for enticing the C&M employee. While the possibility of international connections has not been ruled out, Barbosa believes those responsible are mostly Brazilian, using companies in the name of "front men," with the true beneficiaries living abroad.
The case was transferred to the 1st Court of Tax Crimes, Organized Crime, and Money Laundering in São Paulo. The Civil Police continue to analyze the evidence obtained and do not rule out further arrests in the coming weeks.
Another line of investigation is being overseen by the Federal Police in Brasília, which is trying to track down at least 140 accounts that received the embezzled funds.
What was the hacker attack against financial institutions like?The São Paulo Civil Police reported that the hacker attack on C&M Software—a company that connects banks to the Pix system—was the largest of its kind ever recorded in Brazil. The attack occurred after João Nazareno Roque, then an employee of the company, sold his password and access to the system for R$5,000 to a criminal group.
Days later, he executed malicious commands within the system in exchange for another R$10,000. With this access, the hackers were able to issue fake transfer orders on behalf of financial institutions, such as BMP bank, which alone reported losses of R$541 million. Initially, it was believed that at least six financial institutions were affected, and the total losses could exceed R$1 billion.
The fraudulent orders originated from C&M's system—which is not involved in the criminal scheme—and diverted funds from settlement accounts held with the Central Bank. The company stated in a statement that the attack occurred through social engineering techniques and not due to technical flaws in its systems. Police continue to investigate the involvement of other individuals in the scam, including members of the group that recruited Roque.
gazetadopovo
