A second hacker attack on the infrastructure of instant payment Pix in less than two months has put Brazil’s financial system on high alert. In the case involving C&M in July—which resulted in nearly R$1 billion being siphoned off—it was later discovered that an employee had handed over credentials to criminals, showing that the Central Bank’s systems were not compromised. That made it a less severe incident. Now, however, a new breach has hit another technology service provider (PSTI), Sinqia, moving R$670 million and raising questions about the security of this link in the chain and whether the monetary authority needs to adjust rules governing the instant payment system.
There are differences between the C&M and Sinqia cases. In the first, the breach was linked to a corrupt employee; in the second, it remains unclear how the criminals operated. Valor learned that the Federal Police is investigating the incident. Also, in the C&M case, the operations were carried out overnight, and only a very small portion of the stolen funds was blocked before being funneled into cryptocurrency exchanges. By contrast, the latest attack happened during business hours, and the Central Bank is said to have blocked a significant share of the money.
Experts told Valor that the differences may suggest the monetary authority acted faster this time in detecting suspicious transactions and blocking them. Another possibility is that Sinqia had more robust systems and reacted more quickly to suspected fraud. Still, the similarities between the attacks highlight existing vulnerabilities. “These two problems lit a red light, sending a signal to the market that stricter security rules must be put in place. These are improvements in controls, but it’s been an expensive learning process,” said Marco Zanini, CEO of Dinamo Networks.
A banking industry source said Pix remains secure and that, so far, there is no indication that the Central Bank’s systems were compromised. Still, he believes the regulator will need to review certain aspects, particularly high-value transactions. “Pix is very fast, and that’s great for customers, but criminals are also taking advantage of this efficiency. As the saying goes, convenience is the enemy of security.”
A representative from one of the seven technology service providers authorized by the Central Bank denied that they are a weak link in the chain, but admitted they represent a gateway for attackers to access several financial institutions at once. “By breaching one of these providers, attackers gain a door to multiple institutions, with higher financial volumes. To be a technology service provider, you must meet security requirements verified by the Central Bank, but each provider can make that process more robust.”
Marta Helena Schuh, professor of cybersecurity and director of cyber insurance at Howden Brasil, also pointed to risks in the supplier chain of financial institutions. “In this latest case, forensic investigation is still needed to pinpoint the origin, but in any case, I believe there must be a shift in how critical suppliers to the Pix system are contracted. One attack shook the system; now, with a second, we must really assess whether there’s a structural problem. If no corrective action is taken, we are being negligent. If a third case happens, it would indeed be extremely serious.”
For Marcelo Estevez, chief technology officer at EXA, outsourcing providers must be hired under very strict security criteria, since they become an extension of the bank’s own operations. “It’s not enough to look at price or technical capacity; it’s key to verify whether the partner follows international cybersecurity standards, has clear governance processes, and conducts regular resilience testing. In the financial sector, which is highly regulated, this scrutiny must be doubled.”
He believes new attacks are likely to happen, since the ability to move large sums digitally creates an incentive for criminals. “These incidents send a clear message: it’s no longer a question of if we will be attacked, but when, and the state of readiness will determine the scale of losses.”
According to Mr. Zanini of Dinamo, the cases point to potential negligence in storing client keys—data that should be kept in secure repositories—and in managing access credentials to provider systems, which should require multi-factor authentication. “The Central Bank should tighten regulation. It already has a document with security recommendations, but they are not mandatory. Companies also need more effective compliance measures. Over time, the financial market has neglected these risks,” he said.
On Saturday (the 30th), Sinqia said in a statement that the incident affected only its Pix environment, that it is working with “top forensic specialists,” and that it has already contacted the “limited number” of clients impacted. “There is no evidence of suspicious activity in any other Sinqia systems beyond Pix. Furthermore, at this time, we see no signals that any personal data has been compromised.” The Central Bank did not respond when contacted.