Prosecutor's Office indicts hacker for stealing R$479 million via Pix transfers

The São Paulo Public Prosecutor's Office has filed charges in court against systems operator João Nazareno Roque, identified as the hacker who executed a sophisticated criminal scheme to steal R$479.3 million from Banco BMP's settlement account through fraudulent electronic transfers via the PIX system.
According to the accusation, Roque took advantage of his professional status and privileged access to the company's internal systems.
The scam was carried out between June 22nd and 30th. Criminal prosecutor Rafael Adeo Lapeiz highlights that the operator stole R$479.3 million, owned by Banco BMP Instituição de Pagamento S.A., for himself and third parties, through an electronic device connected to the computer network, violating the security mechanism and using malicious software.
C&M Software, the prosecutor notes, is a company responsible for the technical intermediation of transactions between Banco BMP and the Central Bank. According to Lapeiz, the defendant executed a sophisticated criminal scheme.
Roque was temporarily arrested by the São Paulo Civil Police and confessed to having participated in the fraud in exchange for a commission of R$15,000.
The prosecutor requested that the hacker's temporary detention be converted into pretrial detention. He highlighted the severity of the crime, the magnitude of the damage caused, and the evidence of repeated criminal activity, arguing that detention is warranted for the sake of the criminal investigation, given the concrete risk of electronic evidence being destroyed.
Lapeiz also sees a risk that, once free, the hacker could interfere with systems and communicate with other members of the criminal organization who have not yet been identified.
He also argues that Roque's preventive custody will ensure the application of criminal law, considering that the defendant has not yet received his share of the promised amounts, which would increase his ability to escape.
“Precautionary custody is essential to break the criminal organization's communication system and ensure the effective identification of all those involved,” argues the prosecutor.
Lapeiz requested that the case be forwarded to the 1st Court of Tax Crimes, Organized Crime, and Money Laundering of the Capital. He agreed to the police's request to open a separate investigation into the crime of criminal association.
“The measure is justified by the complexity of the criminal operation, which involved multiple agents in different areas (intellectual, operational and financial), as well as by the need to individualize the conduct and deepen the investigations to identify the other participants,” the prosecutor noted.
In his view, splitting the investigation serves the principles of administrative efficiency and procedural economy, avoiding procedural disorder and allowing for the appropriate criminal prosecution of all those involved.
The prosecutor rules out the possibility of a plea bargain with Roque. “Despite the defendant's first offense, a non-prosecution agreement is not feasible. Therefore, the minimum sentence for qualified theft exceeds the maximum limit set forth in Article 28-A, caput, of the Code of Criminal Procedure, which establishes the possibility of a plea bargain only for offenses with a minimum sentence of less than four years.”
“Furthermore, the concrete gravity of the incident, involving losses of almost half a billion reais and a violation of professional duty, makes the application of the decriminalizing institute inappropriate,” warns Lapeiz.
The complaint highlights that, according to Kevin Venâncio SantAna, Operations Coordinator at C&M Software, the functions assigned to Roque were limited to customer service and monitoring the applications running the software that performs all the operations provided by the company, such as PIX transfers, TEDs and bill payments.
“It is worth noting that the company did not perform any type of programming, limiting itself to maintaining the system, being able to restart the system in cases of crashes or errors and perform minor maintenance,” notes the prosecutor.
According to him, João Nazareno Roque, as well as all other employees and young apprentices, carried out exactly these basic operational procedures, without having the authorization or technical competence to insert programming codes or execute advanced commands on the company's machines.
“Thus, the execution of malicious scripts by the accused completely exceeded his legitimate functional attributions, constituting a clear violation of internal protocols and improper use of his privileged access to the systems,” the complaint states.
The prosecutor reports that on June 27, external agents, using the gateway created by the defendant, installed a VPN (Ligolo Proxy) in the system, masking data traffic and preparing the infrastructure necessary to carry out fraudulent transfers.
IstoÉ