Skip to main content
Sign in
C&M Software1 decision on this page

Audit log

Every state-changing event for C&M Software: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-05-16 03:55:59Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 420,042,428
    sig
    2F4asBYYPqSt…CUsXutBQexplorer ↗
    hash
    9zTVo9jAuqtt…qPY8jXA2sha256 → base58
    verifying row…full verify ↗
    canonical bytes (4437 B) ▸
    {"actor":"system:backfill","investigation_id":"a132d4e6-35f4-483d-b123-6b95661f2842","kind":"publish","page_slug":"cm-software","published_at":"2026-05-16T03:55:59.195Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"C&M Software","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"C&M Software (also styled CMSW) is a Brazilian financial technology company authorized by the Banco Central do Brasil to provide connectivity between smaller financial institutions and Brazil's national payment infrastructure, including the PIX instant-payment system. On June 30, 2025, hackers exploited credentials sold by an insider employee to drain approximately R$800 million (roughly USD 140–148 million) from reserve accounts of at least six financial institutions, in what became Brazil's largest recorded banking cyberattack. A portion of the stolen funds—estimated at USD 30–40 million—was subsequently laundered through Latin American OTC desks and crypto exchanges using Bitcoin, Ethereum, and Tether USDT, with on-chain investigator ZachXBT playing a central role in tracing and partially freezing the laundered assets.","timeline":[{"date":"2025-03-01","event":"João Nazareno Roque, a C&M Software IT employee, is allegedly approached outside a São Paulo bar by an unidentified individual who demonstrates knowledge of his employer and begins the social engineering recruitment process.","source":"","source_url":"https://www.technadu.com/tragic-fall-from-electrician-to-it-c-suite-aspirations-end-as-employee-gets-arrested-for-selling-credentials/602034/"},{"date":"2025-06-30","event":"Between 12:18 AM and 7:00 AM, attackers use insider credentials and stolen digital certificates to inject fraudulent PIX payment orders into Brazil's SPI, draining an estimated R$800 million (USD 140–148 million) from reserve accounts of at least six financial institutions. The Banco Central orders emergency suspension of C&M's SPB connections.","source":"","source_url":"https://segura.security/post/cyberattack-on-brazils-payment-system-technical-analysis-timeline-risks-and-mitigation/"},{"date":"2025-07-01","event":"Media disclosure begins. Brazilian courts begin freezing accounts; approximately R$160 million reported recovered in initial freeze actions. ZachXBT begins publicly tracing converted crypto funds.","source":"","source_url":"https://segura.security/post/cyberattack-on-brazils-payment-system-technical-analysis-timeline-risks-and-mitigation/"},{"date":"2025-07-03","event":"João Nazareno Roque arrested by São Paulo Civil Police. He confesses to selling credentials for approximately R$15,000 in two installments and enabling remote system access. Police identify at least four hackers involved.","source":"","source_url":"https://therecord.media/brazil-police-arrest-worker-theft"},{"date":"2025-07-04","event":"CoinDesk reports that hackers laundered USD 30–40 million of the stolen funds through Latin American OTC desks and crypto exchanges using Bitcoin, Ethereum, and Tether USDT. ZachXBT publicly describes his investigation and collaboration with Brazilian law enforcement.","source":"","source_url":"https://www.coindesk.com/business/2025/07/04/hackers-behind-usd140m-brazil-banking-heist-turn-to-crypto-to-launder-their-loot"},{"date":"2025-07-04","event":"ZachXBT announces that USD 5 million in crypto has been frozen through cooperation with Binance, Bitso, Bybit, Tether, and Chainalysis. He publicly criticizes Circle for allegedly refusing to cooperate with the investigation.","source":"","source_url":"https://coinedition.com/zachxbt-slams-circle-brazil-heist-investigation/"},{"date":"2025-11-22","event":"DragonForce ransomware group lists C&M Software on their dark-web leak site, claiming to have exfiltrated 393.92 GB of sensitive financial infrastructure data. Ransom deadline set for November 29, 2025. Researchers note the data may be recycled from the June 2025 compromise.","source":"","source_url":"https://botcrawl.com/cm-software-data-breach/"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision cd8220e4-917e-41da-b1e1-74c9f4356ca2
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.