On June 30, 2025, C&M Software, which connects Brazil’s Central Bank to local banks and financial institutions, was hacked after an employee sold login details for about $2,700.
The breach let attackers steal 800 million Brazilian reais, or roughly $140 million, from reserve accounts at six linked institutions. Threat actors used the stolen credentials to break into the system and move funds at will.
How the Hack Unfolded
Investigators found that a single staff member of C&M Software handed over valid corporate credentials in exchange for cash. With these details, the hackers accessed the software managing reserve accounts.
Six banks, including BMP, saw unauthorized transfers from the accounts they held with the central bank’s system. This single point of failure exposed the weakness in a network that sits at the heart of Brazil’s financial plumbing.
Laundering Through Crypto
According to on‑chain detective ZachXBT, the attackers converted about $30 million to $40 million of the stolen reais into Bitcoin, Ether and USDt.
They then laundered these digital assets through exchanges in Latin America and over‑the‑counter trading desks. By spreading the funds across multiple platforms, they aimed to erase money trails and complicate any tracing efforts.
Echoes of Other Breaches
This intrusion mirrors a recent incident at Coinbase, where customer service staff were bribed to reveal user data.
That breach affected around 69,000 clients and showed how social engineering can undermine even top crypto firms. The C&M hack serves as a reminder that both finance and crypto sectors face similar threats when insiders turn against their employers.
Rising Cyber Risks for Centralised Systems
The attack on C&M highlights the growing danger that centralised software and servers pose. A single compromised login can expose millions of records, sensitive documents or billions in capital.
Such systems offer hackers massive returns on minimal effort since one breach can unlock access to entire networks. As attackers adopt new tools like artificial intelligence, the odds of finding and exploiting weak points increase.
The Case for Decentralisation
Eran Barak, CEO of Shielded Technologies, argues that blockchain privacy tools will play a key role in stopping AI‑assisted hacks. He points to zero-knowledge proofs as an example. With these methods, networks do not store all user data in one place.
Instead, they verify transactions without revealing personal information. This forces hackers to target individual wallets or accounts, where their payoff would be limited to a single record rather than millions. Barak says that would make hackers move on to easier targets.
Lessons and Next Steps
Brazil’s financial authorities are now auditing C&M Software’s security practices and reviewing access controls across all linked banks.
Institutions are being urged to tighten staff vetting and to monitor for unusual login patterns. At the same time, exchanges and fintech firms around the world are watching closely, knowing that insider threats can strike anywhere.