
Employee gets $920 for credentials used in $140 million bank heist

by Wikdaily

Hackers stole nearly $140 million from six banks in Brazil by using an employee’s credentials from C&M, a company that offers financial connectivity solutions.

The incident reportedly occurred on June 30, after the attackers bribed the employee to give them his account credentials and perform specific actions that would help their operations.

Insider threat

According to Brazilian media reports, the employee (João Nazareno Roque) sold his corporate credentials to the hackers for roughly $920, granting them access to a confidential system connected to Brazil’s Central Bank.

Roque then executed commands on C&M systems as instructed by the hackers through the Notion collaboration platform. He received another $1,850 for this.

The C&M employee attempted to conceal his activity and changed mobile phones every 15 days, but he was arrested on July 3 in São Paulo.

The threat actors convinced Roque to participate in the operation after approaching him as he was leaving a bar.

This shows the attackers did their research identifying potential weak links in the company, mirroring a similar approach against Coinbase recently, where support agents in India were bribed to siphon out sensitive customer information.

The Brazilian police reportedly are managing three investigations into this large-scale attack, but no details about the hackers have been published.

Crypto wallets monitored

Meanwhile, blockchain investigator ZachXBT wrote on Telegram that the attackers have already converted $30-40 million of the stolen money to cryptocurrency such as BTC, ETH, and USDT. They used various exchanges and unlabeled Latin American over-the-counter (OTC) markets.

ZachXBT notes that he is monitoring the threat actors’ wallet addresses and is assisting the authorities in freezing the funds.

In a statement to Brazilian media, C&M emphasized that its systems remain secure, and the attack was only possible through social engineering, not a security flaw.

The company also added that its protection framework played a crucial role in pinpointing the source of the unauthorized access and aiding the police’s investigation.

BleepingComputer has also reached out to C&M about the incident, but a comment wasn’t immediately available.
