#153: Short Takes: The latest Pix fraud: when the attack targets reserve accounts
W FINTECHS NEWSLETTER #153
👀 Portuguese Version 👉 here
👉 W Fintechs is a newsletter focused on financial innovation. Every Monday, at 8:21 a.m. (Brasília time), you will receive an in-depth analysis in your email.
Welcome to the Short Takes edition! As the name suggests, unlike deep dives, these editions will explore a variety of topics that might later evolve into full deep-dive editions.
Short Takes is designed for entrepreneurs, investors, and operators looking for quick, actionable insights.
Last week, I wrote about how the MED, the Special Return Mechanism, works and how it represents one of the Central Bank’s main efforts to tackle the rise in Pix-related fraud. Along with other initiatives like GRAF and DICT, the MED is part of the anti-fraud framework being developed in Brazil to deal with a payment system that, while expanding access and lowering costs, has also shown that every innovation comes with its own risks. While the MED focuses on transactions between individuals, using tools like dispute resolution and transaction blocking, the most recent fraud incident exposes a much more sophisticated and less visible layer of the problem: attacks on reserve accounts within the financial infrastructure through technology providers.
You can read last week’s full edition on how Pix fraud works and how the return mechanism operates below 👇
In the early morning of July 1, 2025, an executive at BMP, a banking-as-a-service company, received a call from a bank reporting that a Pix transfer of R$18 million had been processed. It was four in the morning. Alarmed, he went to the office and, after checking with C&M Software, discovered that this was only the beginning of a much larger breach. Within a few hours, more than R$400 million had disappeared from the company’s account. This was not a typical attack targeting end users. It was an operation aimed directly at the reserve accounts that financial institutions hold at the Central Bank for settling transactions with one another.
Reserve accounts are not visible to the public because they do not hold customers’ funds directly. Instead, they function as the financial institution’s cash reserves at the Central Bank. These accounts are used to settle Pix transfers, wire transfers, and clearing operations. The hackers managed to carry out fraudulent transfers from these accounts using valid credentials.
The criminals gained access through an IT service provider, in this case C&M Software, which acts as a bridge between fintechs and the Central Bank. Large banks like Itaú or Bradesco connect directly to the Central Bank’s network, but many fintechs outsource this access. The service provider offers messaging services, web services, and APIs that allow institutions to send and receive payment instructions within the Brazilian Payment System. It was at this intermediary point that the fraud took place. The hackers did not attack the Central Bank’s system or directly breach the fintechs’ servers. Instead, they used legitimate access credentials to walk through the front door.
C&M, as a PSTI, acted as a translator for payment instructions. Once the criminals took control of this interface, they began sending transfer messages as if they were the financial institution itself. Instead of targeting customers, they went straight for the central cash reserves of fintechs. When C&M noticed the abnormal activity, it disabled Pix functionality for the affected institutions. But the damage had already been done. A portion of the stolen money was quickly converted into cryptocurrency, mostly stablecoins like USDT. SmartPay, one of the platforms used, detected unusual activity and managed to freeze part of the funds, returning R$130 million to BMP. Even so, the company’s estimated net loss stands at R$270 million. The investigation is still ongoing, but one important takeaway is that Pix, as an infrastructure, enables both tremendous benefits and significant risks.
Behind the fraudulent operation is a less visible part of Brazil’s financial system: Information Technology Service Providers. These providers, authorized by the Central Bank, play a central role in communication between financial institutions and the National Financial System Network. They operate the APIs, messaging systems, and integrations that enable payments, balance checks, identity validation, and settlements. In many cases, especially among fintechs and midsize banks, PSTIs take on responsibilities that were once handled by the traditional banking core.
In practice, this means the security of critical operations like sending a Pix depends not only on the financial institution’s infrastructure but also on that of its PSTI. The C&M incident exposed this structural weakness. The attackers didn’t need to breach multiple layers of security across different fintechs or invade the Central Bank itself. They only had to compromise a single connection point—the PSTI—to access digital certificates, private keys, and operational credentials. This allowed them to sign transactions as if they were the banks themselves, using C&M’s authorized platform to inject legitimate orders into the SPI.
Technically, the attack required not just privileged access to the provider’s environment but also a deep understanding of the architecture of the Brazilian Payment System. The messages followed SPI protocols precisely, including correct digital signatures. As a result, the settlement system had no reason to reject them. In mission-critical systems like finance, this is the fine line between efficiency and vulnerability. When validation is based on the formality of a message rather than the legitimacy of its origin, all it takes is the right key in the right interface for a fraud to go unnoticed.
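To make the "formality versus legitimacy" point concrete, here is an added illustration (my own example, not code from BMP, C&M or the Central Bank) of a settlement gateway that verifies message signatures and then layers behavioural controls on top. The HMAC signature stands in for the SPI's real certificate-based signatures, and the thresholds, institution names and timestamps are all constructed for the example.

```python
import hmac, hashlib
from datetime import datetime

# Constructed stand-in for a provider's signing key; real SPI messages use X.509 certificates.
SIGNING_KEY = b"constructed-psti-key"

def sign(msg):
    body = f"{msg['from']}|{msg['to']}|{msg['amount']}|{msg['ts']}".encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def signature_valid(msg):
    return hmac.compare_digest(sign(msg), msg["sig"])

# Defence-in-depth thresholds: constructed values, not Central Bank parameters.
SINGLE_LIMIT = 10_000_000       # hold any single transfer at or above R$10M
WINDOW_LIMIT = 100_000_000      # hold once an institution's 6-hour outflow reaches R$100M
WINDOW_HOURS = 6

def review(messages):
    """Return (message, verdict) pairs. The signature check alone accepts every message
    produced with a stolen key; the behavioural checks are what flag the anomalous ones."""
    verdicts, outflow = [], {}
    for m in sorted(messages, key=lambda x: x["ts"]):
        if not signature_valid(m):
            verdicts.append((m, "reject:bad-signature"))
            continue
        ts = datetime.fromisoformat(m["ts"])
        # Keep only this sender's transfers inside the rolling window.
        hist = [t for t in outflow.get(m["from"], [])
                if (ts - t[0]).total_seconds() <= WINDOW_HOURS * 3600]
        total = sum(a for _, a in hist) + m["amount"]
        flags = []
        if not 6 <= ts.hour < 22: flags.append("off-hours")
        if m["amount"] >= SINGLE_LIMIT: flags.append("large-single")
        if total >= WINDOW_LIMIT: flags.append("window-outflow")
        hist.append((ts, m["amount"]))
        outflow[m["from"]] = hist
        verdicts.append((m, "hold:" + ",".join(flags) if flags else "settle"))
    return verdicts

def make(frm, to, amount, ts):
    m = {"from": frm, "to": to, "amount": amount, "ts": ts}
    m["sig"] = sign(m)
    return m

# Constructed sample: one ordinary daytime settlement, then two correctly signed
# early-morning transfers of the kind described in the incident.
SAMPLE = [
    make("FINTECH-A", "BANK-X", 250_000, "2025-06-30T14:10:00"),
    make("FINTECH-A", "BANK-X", 18_000_000, "2025-07-01T04:02:00"),
    make("FINTECH-A", "BANK-Y", 90_000_000, "2025-07-01T04:40:00"),
]
```

Every message in the sample passes signature verification; only the behavioural layer holds the two early-morning transfers.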
The incident also highlights how the boundary between traditional finance and crypto assets is becoming increasingly blurred. The money was stolen in reais but escaped through the blockchain, meaning it was converted into stablecoins. Detecting anomalies at the conversion points between fiat and crypto may become a key focus of upcoming regulations.
The July 2025 incident will likely be remembered as a turning point. Not just because of the amount stolen, but because of what it reveals about the nature of today’s threats. As I tried to show in last week’s edition, every technological innovation, no matter how fascinating, carries the cultural imprint of the country where it was created and, clearly, risks that must be carefully considered.
Until next time!
Walter Pereira
If you know anyone who would like to receive this e-mail or who is fascinated by the possibilities of financial innovation, I’d really appreciate you forwarding this email their way!
Disclaimer: The opinions expressed here are solely the responsibility of the author, Walter Pereira, and do not necessarily reflect the views of the sponsors, partners, or clients of W Fintechs.