Hackers siphoned about R$800 million ($140 million) from six reserve accounts connected to Brazil’s central bank after breaching São Paulo-based software vendor C&M Software on June 30, according to blockchain investigator ZachXBT and reports from local news outlets.
Police said C&M employee João Nazareno Roque sold his corporate login for R$15,000 ($2,770) and later developed a secondary access tool for an additional R$10,000 ($1,850), giving attackers direct access to the vendor’s infrastructure.
Investigators traced unauthorized instructions that moved funds from the reserve accounts held at the Central Bank of Brazil for interbank settlement into commercial bank accounts tied to over-the-counter (OTC) desks and regional exchanges.
ZachXBT estimated that between $30 million and $40 million of the stolen funds had already been swapped for major digital assets, including Bitcoin, Ethereum, and USDT.
On-chain analysis teams and Brazilian prosecutors are coordinating wallet freezes while attribution work continues.
Central bank and vendor response
The central bank ordered all institutions that routed through C&M to disconnect immediately after the breach and cleared the firm to restore service two days later, stating that critical systems remained intact.
C&M commercial director Kamal Zogheib told Reuters that the attack relied on fraudulent client credentials rather than a code flaw and confirmed cooperation with the Federal Police and São Paulo investigators.
BMP, a banking platform provider hit in the raid, told local media that only its reserve balance was affected, and customer deposits remained untouched.
Law enforcement officials have frozen R$270 million ($49.8 million) while tracking additional flows and searching for at least four accomplices cited in preliminary warrants.
Roque remained in custody in São Paulo as of July 3. Police allege that he rotated his mobile phones every two weeks to avoid being monitored.
Laundering route through Latin America
Transaction records reviewed by ZachXBT and independent researchers indicate that the attackers structured transfers across multiple exchanges in Brazil, Argentina, and Paraguay, then utilized OTC brokers to settle into crypto within three hours of the initial breach.
Sources who prefer to remain anonymous told CryptoSlate that the attackers found it challenging to buy crypto with the stolen money in Brazilian OTC desks, as most of the largest ones raised red flags due to the large amounts.
Brazil’s Federal Police declined to specify which platforms processed the swaps but said exchange operators have begun freezing balances tied to flagged addresses.
The central bank has not disclosed whether additional vendors will face new connection requirements but signaled that the instant payment rail PIX and reserve account interfaces may receive further controls.
The probe continues under federal supervision, with investigators prioritizing the recovery of funds and identifying the remaining organizers.
The post Hackers steal $140M from Brazilian central bank reserve accounts via partner breach appeared first on CryptoSlate.
