Employee gets $920 for credentials used in $140 million bank heist

TribeNews

Hackers stole nearly $140 million from six banks in Brazil by using an employee’s credentials from C&M, a company that offers financial connectivity solutions.

The incident reportedly occurred on June 30, after the attackers bribed the employee to give them his account credentials and perform specific actions that would help their operations.


Insider threat

According to Brazilian media reports, the employee (João Nazareno Roque) sold his corporate credentials to the hackers for roughly $920, granting them access to a confidential system connected to Brazil’s Central Bank.


Roque then executed commands on C&M systems as instructed by the hackers through the Notion collaboration platform. He received another $1,850 for this.

The C&M employee attempted to conceal his activity and changed mobile phones every 15 days, but he was arrested on July 3 in São Paulo.


The threat actors convinced Roque to participate in the operation after approaching him as he was leaving a bar.

This shows the attackers did their research to identify potential weak links in the company, mirroring a recent, similar approach against Coinbase, where support agents in India were bribed to siphon out sensitive customer information.

Brazilian police are reportedly managing three investigations into this large-scale attack, but no details about the hackers have been published.


Crypto wallets monitored

Meanwhile, blockchain investigator ZachXBT wrote on Telegram that the attackers have already converted $30-40 million of the stolen money to cryptocurrencies such as BTC, ETH, and USDT. They used various exchanges and unlabeled Latin American over-the-counter (OTC) markets.

ZachXBT notes that he is monitoring the threat actors’ wallet addresses and is assisting the authorities in freezing the funds.


In a statement to Brazilian media, C&M emphasized that its systems remain secure, and the attack was only possible through social engineering, not a security flaw.

The company also added that its protection framework played a crucial role in pinpointing the source of the unauthorized access and aiding the police’s investigation.

BleepingComputer has also reached out to C&M about the incident, but a comment wasn’t immediately available.
