According to reports from blockchain investigator ZachXBT and a local news outlet, hackers siphoned around R$800 million ($140 million) from six reserve accounts connected to the Brazilian central bank after breaching São Paulo-based software vendor C&M Software on June 30.
According to police, C&M employee João Nazareno Roque sold his corporate login for R$15,000 ($2,770) and later developed a secondary access tool for an additional R$10,000 ($1,850), giving the attackers direct access to the vendor's infrastructure.
Investigators traced fraudulent instructions that transferred funds from a reserve account held at the Central Bank of Brazil for interbank settlements to commercial bank accounts related to over-the-counter (OTC) desks and regional exchanges.
ZachXBT estimated that between $30 million and $40 million of the stolen funds has already been exchanged for major digital assets, including Bitcoin, Ethereum and USDT.
The chain analysis team and Brazilian prosecutors are coordinating wallet freezes while attribution work continues.
Central Bank and Vendor Response
The central bank ordered all institutions routed through C&M to disconnect immediately after the breach, then cleared the company to restore services two days later, saying the critical systems remain intact.
Kamal Zogheib, commercial director for C&M, told Reuters that the attack relied on the fraudulent use of client credentials rather than flaws in the code, confirming the cooperation between federal police and investigators in São Paulo.
BMP, a banking platform provider hit in the raid, told local media that only reserve balances were affected and that customer deposits remained untouched.
Law enforcement officials froze R$270 million ($49.8 million) while tracking additional flows and searching for at least four accomplices cited in the warrant.
Roque remained in custody in São Paulo as of July 3. Police said he allegedly rotated phones every two weeks to avoid being monitored.
Laundering routes through Latin America
Transaction records reviewed by ZachXBT and independent researchers show that the attackers structured transfers across multiple exchanges in Brazil, Argentina and Paraguay and used an OTC broker to settle into crypto within three hours of the initial breach.
Sources that prefer to remain anonymous said the attackers found it difficult to use the stolen money to buy crypto from an OTC desk in Brazil.
Brazilian federal police declined to specify which platforms handled the swaps, but said exchange operators had begun freezing balances related to flagged addresses.
The central bank has not made clear whether additional vendors will face new connectivity requirements, but it has indicated that the instant payment rail PIX and the reserve account interface may receive further controls.
The investigation will continue under federal oversight, with investigators prioritizing recovering funds and identifying the remaining organizers.
