What is known about the hacker attack that affected Pix

The instant payments service was interrupted for security reasons after criminals diverted R$1 billion from accounts linked to the Central Bank. Deposits from individuals were not affected.
A hacker attack against C&M Software, a Brazilian company that provides technology services to financial institutions, diverted around R$1 billion deposited in reserve accounts held at the Central Bank (BC) and led to the temporary interruption of the instant payments service Pix.
The attack is already considered the largest of its kind ever carried out against Brazilian financial institutions. The information comes from the website Brazil Journal, which revealed the case. See what is known so far about the criminals' actions.
What does C&M Software do?
C&M Software mediates information and connects financial institutions to the Brazilian Payment System (SPB), which includes the Pix environment.
In practice, the company allows small institutions that do not have their own means of connecting to the Pix ecosystem, for example, to offer the service to their customers.
According to the newspaper O Globo, the company makes this connection with 22 banks, cooperatives and credit societies.
How did the attack happen?
The attack occurred in the early hours of last Monday (30/06), but was only reported to the Central Bank the following day. On Wednesday, the Federal Police opened an investigation into the crime. The initial suspicion is that there was theft through fraud, hacking of a computer device, money laundering and formation of a criminal organization.
Criminals used leaked credentials from C&M customers, such as logins and passwords, to access the company's systems.
In an interview with the newspaper Folha de São Paulo, the CEO of fintech SmartPay said that the service was used by criminals to convert the diverted funds into cryptocurrencies.
After detecting an atypical movement in the purchase of digital currencies such as Bitcoin, the fintech blocked operations and reversed part of the funds.
So far, BC employees interviewed by Folha de São Paulo believe that around 2% of the embezzled amounts have been recovered.
Did the hacker attack affect customers' accounts?
Deposits from individuals were not affected by the attacks. The amounts accessed by the criminals were in so-called reserve accounts. These are where funds from the financial institutions themselves are deposited to comply with legal requirements of the Central Bank.
These accounts are mandatory and exist to control banking operations and ensure the liquidity of the financial system. Institutions use them to make transfers between banks, for example, as in the case of instant payments. In other words, the amounts do not belong to individual customers, but to the banks themselves.
Why was Pix affected?
To stop the criminals from operating, the Central Bank cut off access to the Brazilian Payment System for C&M and the affected institutions. As a result, banks linked to the technology company had Pix operations temporarily suspended for security reasons, which meant customers were unable to access the service.
Which financial institutions were affected?
So far there is no official information on how many institutions were affected, but initial reports indicate that at least six providers had resources diverted.
Among them is BMP, a financial services provider that describes itself as "the bank behind the fintech boom" in Brazil. According to the company, six institutions had their reserve accounts accessed.
"The attack exclusively involved funds deposited in its reserve account at the Central Bank. The institution has already adopted all applicable operational and legal measures and has sufficient collateral to fully cover the impacted amount, without prejudice to its operations or its commercial partners," the company said in a statement.
Another institution that confirmed the attack was Banco Paulista, which has thousands of clients, including medium and large companies. The bank reported a temporary interruption in its Pix service, stressing that customer accounts remained safe.
What does C&M Software say?
In a statement, C&M Software reported having been a "direct victim" of a hacker attack, which included the "misuse of customer credentials" to attempt to fraudulently access the company's systems and services.
"On legal advice and out of respect for the confidentiality of the investigations, C&M will not comment on details of the process, but reinforces that all of its critical systems remain intact and operational and that the measures provided for in the security protocols have been fully implemented," the company highlighted.
Analysts believe that if there is proof of a security breach at the company, it will be responsible for returning the funds to its customers.
gq/cn (Agency Brazil, ots)
IstoÉ