Central Bank suspends three Pix institutions after million-dollar embezzlement

Soffy and Nuoro Pay were also disconnected from Pix. They participate in Pix in partnership with other institutions. According to the Central Bank, the suspension is to protect the integrity of the payment system and ensure the security of the arrangement, until clarifications about the institutions' involvement are concluded. UOL was unable to locate the companies to comment on the case and the space is open for comments.

Suspension has a maximum duration of 60 days. Article 95-A of Resolution 30 of 2020, the "Pix law", establishes that the BC may "precautionarily suspend, at any time, the participation in Pix of the participant whose conduct is putting the regular functioning of the payment arrangement at risk".

Understand the attack

C&M, the company that was the target of the criminal action, acts as an intermediary between financial institutions and the SPB (Brazilian Payment System), which includes Pix, the BC (Central Bank) instant payment system. It is headquartered in Barueri, in the metropolitan region of the capital of São Paulo.

Initially, the scam was treated by authorities as a hacker attack. However, after the arrest by the Civil Police of a C&M Software employee who confessed to having participated in the embezzlement , the investigation began to indicate that the invasion of the company's system was actually facilitated.

So far, evidence suggests that the incident was the result of social engineering techniques used to improperly share access credentials, and not of failures in CMSW's systems or technology. C&M Software, in a public statement