One of Brazil’s largest-ever digital heists has taken a crypto twist. Following the theft of nearly $140 million (R$800 million) from six financial institutions connected to Brazil’s Central Bank, blockchain sleuth ZachXBT has uncovered that up to $40 million of the stolen funds have already been converted into Bitcoin (BTC), Ethereum (ETH), and Tether (USDT).
The criminals allegedly used Latin American over-the-counter (OTC) crypto platforms and exchanges to launder the money, making it more difficult to trace and recover the assets.
Social Engineering: The Point of Entry
The breach occurred on June 30, targeting C&M Software—a third-party service provider responsible for connecting Brazilian banks to the Central Bank’s reserve transfer system. In a statement, C&M Software confirmed that the breach originated from a social engineering attack, not a technical flaw.
At the center of the scandal is employee João Nazareno Roque, who reportedly sold his login credentials to the attackers for R$15,000 (roughly $2,780). The stolen credentials were allegedly used to access the banking network, though investigators believe additional credentials or authentication tools may have been compromised as well.
“This incident was not a failure of our systems but a misuse of internal credentials. Our infrastructure remained secure, and immediate internal controls helped contain the threat,” C&M Software said in an official statement.
Largest Digital Theft in Brazil’s History
The attack is being described as the largest digital financial theft in Brazil’s history, with victims including six separate financial institutions. Brazilian authorities and cybersecurity experts are now investigating how the attackers were able to bypass security systems with insider-level access.
ZachXBT, who has been assisting with tracking and freezing the stolen funds, said on Telegram that he would publish wallet addresses linked to the theft “when it’s appropriate,” adding that he has been helping to identify and attribute activity on unregulated OTC platforms.
Human Weakness Still the Biggest Vulnerability
Experts say this breach is a textbook case of social engineering—a tactic that exploits human psychology rather than software vulnerabilities.
“The weakest link is always human,” noted data analyst Fernando Molina.
A report from Sprinto backs up that claim, stating that 98% of cyberattacks globally involve some form of social engineering, such as phishing emails, impersonation, or fraudulent support channels. The crypto sector is no exception. In fact, it’s a prime target.
ZachXBT recently revealed another case where an elderly American lost $330 million in Bitcoin through a similar social manipulation scheme. And according to Scam Sniffer, over 43,000 crypto users lost $39 million to phishing scams in just the first half of this year.
