Attacks on Pix rekindle distrust about the security of the Brazilian system

A series of hacker attacks has rekindled suspicions about the security of Brazil's financial system. In at least two of them, the payment accounts of institutions that connect banks to the Central Bank's Pix system were hacked. It is estimated that nearly R$2 billion was misappropriated.
In early July, criminals stole an estimated amount of over R$1 billion. At the end of August, another R$710 million was stolen. Following these attacks, there were at least two more in September, but none of them managed to divert funds related to Pix.
The succession of attacks led the Central Bank to announce, on Friday (5), a series of measures to strengthen the security of the financial system and Pix. Among them is a limit of R$15,000 on TEDs and Pix transfers from payment institutions that do not have authorization from the BC and from those that rely on information technology service providers (PSTIs) to carry them out.
The BC also stipulated a minimum of R$15 million in cash for accreditation of service providers to the system and brought forward the deadline for payment institutions to request authorization from December 2029 to May 2026, among other initiatives.
Experts interviewed by Gazeta do Povo before the Central Bank announced the measures assess that the system did not become more vulnerable over time; rather, existing breaches were noticed by criminals and were not remedied, encouraging new hacking attempts.
Juan Ferrés, an economist and partner at Teros, a business automation platform, claims there's a vulnerability in the messaging process that connects Pix, allowing these attacks. According to the entrepreneur, this vulnerability stems from the way institutions structure their controls and authentication mechanisms.
"It's not enough to rely solely on a password or two-factor authentication; it's necessary to adopt a more robust layer of security, with dedicated VPNs, data encryption, digital signatures, and multiple validation steps that ensure the integrity of transactions, in addition to checking balance coverage," he says.
He further explains that many transactions, especially account settlements, don't need to be settled instantly—Pix transactions typically take ten seconds to complete. For this reason, institutions can and should define usage scenarios for these transactions to facilitate the creation of more secure processes and prevent attacks.
"The two recent attacks exploited this very flaw in Pix, where the attackers identified that it was possible to directly attack the reserve accounts and took advantage of this vulnerability," he said.
Even after the attack, the system remained vulnerable

For Pedro Magalhães, a partner at Pixley, a cryptocurrency payments fintech, the attack on C&M in early July revealed persistent flaws – and the system has not been strengthened since.
In the entrepreneur's view, the second attack, carried out on August 29 against Sinqia, probably followed the same pattern as the previous one, taking advantage of the breach in the Pix system.
The repetition, he says, not only demonstrates that the vulnerabilities have not been fixed, but also that there are possibly other attacks already planned in parallel.
Two credit fintechs were targeted by attacks on the Pix system

In the space of three days, two fintechs were targeted in attacks against the Pix system. On Tuesday (2), the market was alerted about an attack against Monetarie. In total, R$4.9 million were allegedly diverted, of which R$4.7 million was recovered on the same day.
Initially, the criminals allegedly attempted to exploit the same vulnerability in the Pix system. After having their access blocked, their strategy was to migrate to the TED transfer messaging system, where they were able to carry out the diversions.
The market was promptly alerted to block transfers originating from Monetarie, reinforce continuous monitoring of all financial transactions, and increase the level of authentication and surveillance across all payment systems.
On Thursday (4), criminals again targeted the Pix system of an unnamed fintech. Even though there was no misappropriation of funds or data theft, the attack suspended the generation of Pix query codes by the target company.
Identify criminals to prevent new Pix attacks

According to Pedro Magalhães of Pixley, identifying and punishing the hackers responsible for the diversions is crucial to preventing further attacks. "They are rarely discovered, which maximizes the reward," he says.
He also assesses that, in fact, there is a certain negligence on the part of companies that make this type of connection, from the lack of access control with a higher security index to the use of best practices for digital key custody.
Lack of regulation is not the problem

In the view of Teros' Juan Ferrés, the issue isn't a lack of regulation. He explains that adjustments to the current model are needed, as the Central Bank has, over time, created several regulatory frameworks with highly fragmented uses.
"This reduced barriers to entry, which was positive for stimulating innovation and competitiveness, but it also opened up space for poorly prepared and, in some cases, malicious agents to operate within the system," he assesses.
In the businessman's opinion, the solution lies in requiring more robust minimum standards. He believes that the excessive fragmentation of the system, in which many payment institutions (PIs), some even unregulated, act as custodians of funds, is unsustainable.
Open Finance now operates in a safer environment

Ferrés states that the necessary technical adjustments aren't very sophisticated. He cites, for example, what already occurs in the Open Finance environment, which operates with more robust standards than those currently used for reserve account messaging.
Open Finance, also called the Open Financial System, is a Central Bank initiative that allows a customer's financial data to be shared between different institutions.
According to Ferrés, Open Finance requires a more open and interoperable environment, which demands a minimum scale and consolidated security standards, as well as encouraging the consolidation of payment institutions.
The model features, for example, a Central Messaging Point (CMP), which monitors transactions in real time, verifying the sender and recipient. "This model enables centralized locking and ensures greater visibility into the flow, significantly reducing the risk of attack," he states.
Source: Gazeta do Povo