Man who gave hackers access to Pix scam received R$15,000; see step by step of the crime

The C&M Software employee who provided access to the hackers who carried out the attack that could amount to billions in illegal transfers in a Pix scam told the São Paulo Civil Police that he received R$15,000 to facilitate the criminals' entry into the systems. The act is considered by authorities to be the largest cyber financial crime ever recorded in Brazil.
There are currently at least two investigation fronts: one led by the Civil Police of São Paulo and another by the Federal Police, with an investigation opened in Brasília.
The 48-year-old man, who confessed to the crime and was arrested on Thursday night (3), is accused of passing access credentials to the hackers who invaded the system of the company where he worked. This company connects banks, fintechs and credit operators to carry out operations such as TED and Pix.
Police identified that the attack was carried out in the early hours of June 30, resulting in a diversion that could range from R$800 million to R$1 billion. Investigators point out that at least six of the 22 companies served by C&M were harmed.
The suspect, who does not have a lawyer at this time, reported having been approached by criminals in a bar near his home, where he initially received R$5,000 and then another R$10,000 to provide the data that allowed the criminals to access the computer systems. The police did not explain when this occurred.
The investigation indicates that the scam involved the use of credentials from a company accustomed to moving large financial volumes, which initially prevented the transactions from raising suspicions.
Criminals took less than three hours to make transactions
The fake orders for the scam via Pix were executed in sequence, from 4:30 am to 7 am on the 30th and were only identified after exceeding the historical pattern of daily transactions.
Police Chief Renan Topan, from the State Department of Criminal Investigations (Deic), of the Civil Police of São Paulo, stated during an interview on the morning of this Friday (4) that, despite its severity, the scam did not cause direct damage to the Central Bank, the national financial system or Pix users. The Central Bank has not yet communicated whether it has also opened an internal investigation to seek more details about the fraud.
The police are now focusing their efforts on analyzing the cell phones and computers seized from the suspect in order to identify the others involved and recover the embezzled funds. The arrested suspect reportedly told the police that there were at least four people involved, but investigators have not ruled out the existence of a much larger, integrated network with expertise in this type of action. The arrested man could be charged with criminal association and theft.
Step by step of the scam via Pix
The ongoing investigations reveal a step-by-step process of the crime. The police did not specify the date on which the 48-year-old man was first approached by the criminals, but he stated that he had only had personal contact with one of the people, when he received part of the money. The other negotiations always took place over the phone. The crime is believed to have occurred in the following order:
Approach to C&M employee
An IT operator, an employee of the technology company C&M Software, was approached by criminals in a bar. The fraudsters already knew where he worked and initially offered him R$5,000 to provide access credentials to the company's systems. He later received an additional R$10,000 to provide more details about the company's internal operations.
Misuse of credentials for transactions via Pix
With the passwords in hand, the hackers accessed the internal environment of C&M, which connects several institutions to the Brazilian Payment System (SPB), including Pix. With valid and official credentials, the attackers managed to impersonate legitimate institutions and initiated mass transfers through Pix, especially from the account of one of the companies, BMP, which alone had losses confirmed by the police of R$541 million.
Execution of fraudulent transactions
The transactions took place in the early hours of June 30, from 4:30 a.m. to 7:00 a.m. They were sequential operations, with falsified Pix orders issued as if they came from BMP and other operators, moving funds quickly and in high volumes. The activity initially went unnoticed because the company, by its nature, already operated with high transfer volumes.
Disconnection and reaction
After noticing unusual movements on the morning of the 30th, C&M set up an emergency containment group and reported the incident to the Central Bank, which ordered the company to be immediately disconnected from its systems. This caused the temporary suspension of Pix operations in some institutions.
Destination of resources and conversion into crypto assets
Some of the embezzled funds were allegedly transferred to cryptocurrency platforms. One of these transactions was intercepted by a company that identified an unusual attempt to purchase R$100,000 and blocked the transaction, alerting the financial institution.
Arrests and investigations into the Pix scam
The IT technician from C&M Software was the only one arrested so far. The arrest took place in São Paulo. He confessed to his involvement, but claimed not to know the others involved. Cell phones and computers were seized and the Civil Police continue to investigate the fate of the funds. So far, around R$270 million has been frozen, in addition to R$15 million located in crypto assets.
Positioning of C&M and the Central Bank
C&M claims that it was not the origin of the attack and that its systems remain intact, pointing out that the incident was the result of social engineering (psychological manipulation) and not a technological failure. The Central Bank stated that its systems were not compromised and that C&M has no direct contractual relationship with the agency, acting only as a service provider to financial institutions.
The investigation is also ongoing with the Federal Police monitoring around 140 accounts used for the transfers. The police forces must now focus on identifying other members of the scheme and trying to recover the remaining amounts embezzled.
See note from the company C&M
C&M Software informs that it continues to proactively collaborate with the competent authorities in the investigations into the incident that occurred in July 2025.
From the very beginning, all applicable technical and legal measures were adopted, keeping the company's systems under strict monitoring and security control.
CMSW's robust protection structure was crucial in identifying the source of the improper access and contributing to the progress of ongoing investigations.
So far, evidence suggests that the incident was the result of the use of social engineering techniques to improperly share access credentials, and not of failures in CMSW's systems or technology.
We would like to emphasize that CMSW was not the source of the incident and remains fully operational, with all its products and services functioning normally.
Out of respect for the work of the authorities and the confidentiality required for the investigations, the company will maintain discretion and will not make any public statements while the procedures are ongoing. CMSW reaffirms its commitment to the integrity, transparency and security of the entire financial ecosystem of which it is a part - principles that guide its ethical and responsible actions throughout its 25-year history.
gazetadopovo