Verify a decision

{"actor":"system:backfill","investigation_id":"a132d4e6-35f4-483d-b123-6b95661f2842","kind":"publish","page_slug":"cm-software","published_at":"2026-05-16T03:55:59.195Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"C&M Software","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"C&M Software (also styled CMSW) is a Brazilian financial technology company authorized by the Banco Central do Brasil to provide connectivity between smaller financial institutions and Brazil's national payment infrastructure, including the PIX instant-payment system. On June 30, 2025, hackers exploited credentials sold by an insider employee to drain approximately R$800 million (roughly USD 140–148 million) from reserve accounts of at least six financial institutions, in what became Brazil's largest recorded banking cyberattack. A portion of the stolen funds—estimated at USD 30–40 million—was subsequently laundered through Latin American OTC desks and crypto exchanges using Bitcoin, Ethereum, and Tether USDT, with on-chain investigator ZachXBT playing a central role in tracing and partially freezing the laundered assets.","timeline":[{"date":"2025-03-01","event":"João Nazareno Roque, a C&M Software IT employee, is allegedly approached outside a São Paulo bar by an unidentified individual who demonstrates knowledge of his employer and begins the social engineering recruitment process.","source":"","source_url":"https://www.technadu.com/tragic-fall-from-electrician-to-it-c-suite-aspirations-end-as-employee-gets-arrested-for-selling-credentials/602034/"},{"date":"2025-06-30","event":"Between 12:18 AM and 7:00 AM, attackers use insider credentials and stolen digital certificates to inject fraudulent PIX payment orders into Brazil's SPI, draining an estimated R$800 million (USD 140–148 million) from reserve accounts of at least six financial institutions. The Banco Central orders emergency suspension of C&M's SPB connections.","source":"","source_url":"https://segura.security/post/cyberattack-on-brazils-payment-system-technical-analysis-timeline-risks-and-mitigation/"},{"date":"2025-07-01","event":"Media disclosure begins. Brazilian courts begin freezing accounts; approximately R$160 million reported recovered in initial freeze actions. ZachXBT begins publicly tracing converted crypto funds.","source":"","source_url":"https://segura.security/post/cyberattack-on-brazils-payment-system-technical-analysis-timeline-risks-and-mitigation/"},{"date":"2025-07-03","event":"João Nazareno Roque arrested by São Paulo Civil Police. He confesses to selling credentials for approximately R$15,000 in two installments and enabling remote system access. Police identify at least four hackers involved.","source":"","source_url":"https://therecord.media/brazil-police-arrest-worker-theft"},{"date":"2025-07-04","event":"CoinDesk reports that hackers laundered USD 30–40 million of the stolen funds through Latin American OTC desks and crypto exchanges using Bitcoin, Ethereum, and Tether USDT. ZachXBT publicly describes his investigation and collaboration with Brazilian law enforcement.","source":"","source_url":"https://www.coindesk.com/business/2025/07/04/hackers-behind-usd140m-brazil-banking-heist-turn-to-crypto-to-launder-their-loot"},{"date":"2025-07-04","event":"ZachXBT announces that USD 5 million in crypto has been frozen through cooperation with Binance, Bitso, Bybit, Tether, and Chainalysis. He publicly criticizes Circle for allegedly refusing to cooperate with the investigation.","source":"","source_url":"https://coinedition.com/zachxbt-slams-circle-brazil-heist-investigation/"},{"date":"2025-11-22","event":"DragonForce ransomware group lists C&M Software on their dark-web leak site, claiming to have exfiltrated 393.92 GB of sensitive financial infrastructure data. Ransom deadline set for November 29, 2025. Researchers note the data may be recycled from the June 2025 compromise.","source":"","source_url":"https://botcrawl.com/cm-software-data-breach/"}]},"v":1}