On Wednesday, July 2, 2025, in just two and a half hours, Brazil experienced the most serious cyberattack in its financial history. The Pix payment system, used by millions every day, crashed, and the Central Bank's digital platforms were also compromised.
It all began with an intrusion into C&M Software, a company authorized by the Central Bank that connects small banks and fintechs to the main systems of the national banking system. That breach was the gateway to one of the most sophisticated attacks the country has ever faced.
Pix was launched in 2020 as a major initiative by the Central Bank of Brazil to make people's lives easier. Its goal was clear: to make payments faster, simpler, and more accessible. It operated 24/7, with no fees, and with just a few clicks you could transfer money anywhere. In a short time, it became the most widely used payment method in the country, leaving behind traditional transfers, cards, and even classic bank slips. By 2025, 82% of the population was using it, and it was handling more than 42 billion transactions per year.
But what is interesting (and what almost no one sees) is that Pix is not an app per se, but rather a kind of “network of networks.” Behind its simplicity lies a complex ecosystem that relies on authorized intermediaries, such as C&M Software, which are responsible for connecting smaller banks and fintechs to the Central Bank's central system.
And it was precisely this weak point that the attackers exploited. The hackers managed to break into C&M Software's systems and from there accessed the reserve accounts. These accounts are key to the financial system: they are used by banks and other institutions to guarantee liquidity and operate directly with the Central Bank, for example, when they make loans or invest in government securities.
According to the São Paulo Civil Police, at least six financial institutions were affected. The amount stolen exceeds 800 million reais (about $148 million), although official figures are still under review. BMP alone, a company that does not serve the public directly but offers financial technology services to other companies (known as Banking as a Service or BaaS), suffered losses of 541 million reais (almost $100 million).
In addition to BMP, Brazilian media outlets such as Valor Econômico report that other victims include Credsystem and Banco Paulista, although the Central Bank has not yet published an official list or confirmed the total amount stolen.
The hackers did not break in by brute force. It all started much more subtly: they convinced an employee of C&M Software to hand over key credentials. He was not someone with an important technical position, but he had access to what they needed. In exchange for 15,000 reais, he gave them the key to enter the system. It was that simple.
Once inside, the attackers moved through the network like ghosts. They spent several days exploring, collecting access points, testing internal routes, and gathering information. All without raising suspicion or setting off any alarms. They knew what they were doing and were clear about where they wanted to go.
The ultimate goal was clear: the reserve accounts that banks hold at the Central Bank. These accounts are essential for Pix transactions between institutions. The hackers used administrator credentials to empty them without directly touching customer accounts. But the blow was devastating for the banks involved.
After stealing the funds, they transferred them to “laranja” accounts (third-party accounts used as mules) and from there moved them to cryptocurrencies. They used Pix as part of the laundering process, demonstrating how well they knew the system. Some of the money was recovered thanks to the Special Return Mechanism (MED), but so far the Central Bank has not disclosed specific figures.
Although the Central Bank has not provided a complete list, it is known that at least six institutions were affected:
BMP, which confirmed unauthorized access to its reserve accounts.
Banco Paulista, which had to temporarily disconnect from the Pix system.
Credsystem, Banco Carrefour, and Credufes, which also reported disruptions.
To contain the damage, the Central Bank decided to disconnect several entities as a preventive measure, causing massive service failures and disruptions for hours.
The attack on the Pix system was not magic or pure luck on the part of the hackers. It was made possible by a combination of oversights, lack of controls, and underlying errors that, until now, no one had taken very seriously.
1. There were no clear limits within the Central Bank: While private banks do have caps and alerts to prevent unusual movements, the Central Bank of Brazil had no effective limits on so-called reserve accounts. This allowed the attackers to move hundreds of millions of reais without triggering any automatic alarms. There was literally no brake.
2. Too much trust in poorly monitored intermediaries: C&M Software was one of nine operators authorized to connect banks to the Pix system. It played a key role, but the worrying thing is that it was not subject to strict audits or robust security controls. In other words, they gave the keys to the system to someone without checking whether they had secure locks.
3. The error was not technical, it was human: This attack was not based on software failures or technological breaches. It was a cultural and organizational failure. There were no well-defined protocols for managing access privileges or preventing social engineering attacks. At the end of the day, a single worker with no cybersecurity training ended up opening the door.
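The first of the three failures above is the absence of caps and alerts on reserve-account movements. The following is an added illustration, not code from the article or from any Central Bank or C&M Software system, of the kind of control that was missing: a per-transfer hard cap and a sliding-window aggregate cap on outflow from each reserve account, run over a constructed sample of debit instructions. The account identifiers, the actor names, the amounts and the threshold values are all hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of reserve-account debit instructions (illustrative only,
# not real records). Amounts are in BRL; instructions are in chronological order.
SAMPLE_TRANSFERS = [
    {"ts": "2025-07-02T00:05:00", "src": "RES-0001", "amount": 12_000_000, "actor": "svc-intermediary-admin"},
    {"ts": "2025-07-02T00:12:00", "src": "RES-0001", "amount": 30_000_000, "actor": "svc-intermediary-admin"},
    {"ts": "2025-07-02T00:20:00", "src": "RES-0001", "amount": 70_000_000, "actor": "svc-intermediary-admin"},
    {"ts": "2025-07-02T10:30:00", "src": "RES-0002", "amount": 2_000_000,  "actor": "ops-user"},
]

# Hypothetical thresholds. In practice each would be set per institution by the
# system operator and tuned against that institution's normal settlement profile.
CAP_PER_TRANSFER = 50_000_000        # largest single debit allowed without review
WINDOW = timedelta(minutes=30)       # look-back window for the aggregate check
CAP_PER_WINDOW = 100_000_000         # total outflow per account allowed within WINDOW


def detect_anomalies(transfers, cap_per_transfer=CAP_PER_TRANSFER,
                     window=WINDOW, cap_per_window=CAP_PER_WINDOW):
    """Return a list of alert dicts for debits that breach either cap.

    Two controls are modelled:
      1. a hard cap on any single debit from a reserve account;
      2. a sliding-window cap on total outflow per account, which catches a
         run of medium-sized debits that each stay under the first cap.
    Both alerts carry the acting credential so that an investigator can see
    at once which account holder or administrator issued the instruction.
    """
    alerts = []
    recent = defaultdict(deque)  # account id -> deque of (timestamp, amount) inside the window

    for t in transfers:
        ts = datetime.fromisoformat(t["ts"])
        acct = t["src"]
        amount = t["amount"]

        # Control 1: single-instruction cap.
        if amount > cap_per_transfer:
            alerts.append({"kind": "single_cap", "src": acct, "ts": t["ts"],
                           "amount": amount, "actor": t["actor"]})

        # Control 2: aggregate outflow per account over the sliding window.
        q = recent[acct]
        q.append((ts, amount))
        while q and ts - q[0][0] > window:
            q.popleft()                      # drop debits that fell out of the window
        total = sum(a for _, a in q)
        if total > cap_per_window:
            alerts.append({"kind": "window_cap", "src": acct, "ts": t["ts"],
                           "amount": total, "actor": t["actor"]})

    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_TRANSFERS):
        print(f"{alert['ts']} {alert['kind']:<10} {alert['src']} "
              f"{alert['amount']:>13,} BRL by {alert['actor']}")
```

On the sample above, the third debit trips both controls: it exceeds the single-transfer cap on its own, and together with the two debits that preceded it within 30 minutes it pushes the account's outflow past the window cap. Either alert, wired to a hold on the instruction rather than a log line, would have forced a human review before funds left the account; the second control matters most, because an attacker who knows a per-transfer cap exists will simply split the withdrawal.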
Pix is synonymous with modernity and efficiency. But this case makes it clear that the faster and more automated a system is, the more exposed it is if there is no good security and governance foundation behind it. What we celebrate as “progress” can become a risk if it is not done wisely.
As in other famous attacks (such as SolarWinds), the weak point was not the heart of the system, but one of the suppliers that no one was watching. It is a reminder that the security of an entire network can depend on the smallest and most invisible link.
Although some of the stolen money was recovered, the most damaging aspect was the loss of confidence in the security of the system. And that, in the financial world, is more difficult (and more expensive) to rebuild than any stolen funds.
This attack on the Pix system was not just a digital breach. It was an event with structural, institutional, and cultural impact. It highlights an uncomfortable truth: the speed with which we are digitizing everything is far ahead of our ability to govern it well.
It is not just about having fast and cheap tools. It is about making them secure, auditable, and resistant to threats that are becoming increasingly sophisticated.
The big lesson is not technological. It is strategic: if we do not invest in strengthening our institutions and regulations, every new tool becomes a potential threat.
And there is one key point that we cannot leave out: user education and awareness. Because no matter how robust a system is, if people do not know how to protect their data, recognize a scam attempt, or act on a suspicion, the risk remains. Digital security is not only the responsibility of banks or the state; it is also a collective task that begins with the conscious use of technology.
Digital transformation has great potential, but that potential can only be realized if we all (institutions, companies, and citizens) understand that security is not an add-on, but an essential part of progress.