Hackers allegedly bribed a C&M employee to steal $140 million from six banks in one day

In a bold cyber heist on June 30, an estimated $140 million (R$800 million) was stolen from six Brazilian financial institutions’ reserve accounts through a sophisticated cyberattack targeting C&M Software, a key service provider that connects banks to the Central Bank of Brazil and its PIX system.

At least $30 to $40 million of the stolen funds have since been laundered into Bitcoin, Ethereum, and Tether’s USDT via Latin American over-the-counter (OTC) desks and exchanges, according to on‑chain investigator ZachXBT.

The Central Bank of Brazil heist started as an internal compromise

The hackers reportedly paid a C&M Software employee just R$15,000 (~$2,760) in exchange for corporate login credentials. Armed with those, they deployed social engineering techniques to access the central bank service infrastructure. This allowed them to siphon funds from the reserve accounts of six institutions, including Banco BMF and others, within the same day.

Upon discovery, the Central Bank of Brazil swiftly instructed C&M to sever its connections, effectively isolating the provider from banking systems. The breach led to the temporary suspension of PIX-related services while authorities and internal teams rallied to restore security and prevent wider contagion.

The hack closely follows the pattern of the recent attack on the crypto exchange Coinbase, where customer service agents took bribes to reveal customer information. This led to the breach of over 69,000 accounts, with Coinbase expected to reimburse as high as $400 million to customers.

On-chain sleuth follows the crypto laundering trail

ZachXBT, a leading figure in blockchain forensics, reported he has been actively collaborating with Brazilian law enforcement to track stolen funds and prevent further laundering on-chain.

Public statements from ZachXBT indicate he plans to release the addresses linked to the theft “when it’s okay to share them,” to aid authorities in freezing additional crypto assets.

Brazilian federal investigators have arrested at least one suspect: the C&M employee whose credentials were sold. Authorities have already frozen approximately R$270 million, approximately $55 million in compromised funds.

The Central Bank of Brazil also claims to have reinforced monitoring systems to better detect irregular PIX-related transactions.

Security analysts warn that the attention-grabbing $140 million figure distracts from the larger threat of social engineering. This tactic consistently tops the list of vulnerabilities in the financial sector. Despite technical firewalls and hardened systems, insiders with stolen credentials can render them moot.

The response has moved on to damage control and reputational repair

The attack mirrors recent trends in crypto crime and how proceeds from crimes that didn’t happen on-chain are also funneled into crypto.

In the first half of 2025 alone, industry watchdog CertiK estimated losses from hacks and scams at a staggering $2.5 billion, with most of the incidents happening on the Ethereum network, followed by Bitcoin. The report also showed that wallet compromise and phishing are the leading tools hackers employ for their heists.

Although they have both shared press releases acknowledging the hack and pointing out that investigations are ongoing, neither C&M nor the Central Bank of Brazil has released a detailed public breakdown of the damage. The Central Bank of Brazil has not revealed the details of the financial institutions affected by the hack.

However, insiders reveal ongoing operations to mitigate reputational and customer impact, primarily through customer account security assurances and increased transaction verifications.

The immediate focus for authorities lies in recovering laundered assets and preventing further crypto conversions.

On-chain analysts like ZachXBT now occupy a strategic role in global cyber defense, providing a powerful investigative path into crypto laundering networks.