IT Worker arrested for selling access in $100M PIX cyber heist
Brazil arrests IT worker João Roque for aiding $100M PIX cyber heist, one of Brazil’s biggest banking system breaches.
Brazilian police arrested João Roque (48), an IT employee at C&M, for allegedly aiding a cyberattack that stole over 540 million reais (~$100 million) via the PIX banking system. The company C&M links smaller banks to Brazil’s PIX system.
PIX is Brazil’s instant payment system, launched by the Central Bank of Brazil in November 2020. It allows users to send and receive money 24/7 in real time using a phone number, email address, CPF/CNPJ (Brazilian tax ID), or a random key.
The man was detained in Jaraguá, São Paulo.
“João Nazareno Roque, 48, was arrested this Thursday in the City Jaraguá neighborhood, in the North Zone of the capital,” reported the Brazilian website Globo. “According to the police, he received R$15,000 for his access password and to enter commands into the C&M system.”

João Nazareno Roque allegedly sold system access for R$5,000 and helped develop a tool for fund diversion for R$10,000. He claims he only spoke to the criminals via phone and changed devices every 15 days to avoid tracking. The cyberattack hit at least six financial institutions, shaking the market. Although he worked in IT, Roque’s LinkedIn profile highlights 20 years of experience as an electrician and four years as a cable TV technician.
“It was because of this role at C&M that he was lured by hackers. He said in a statement to the Cybercrimes police station that he was approached as he was leaving a bar in the capital of São Paulo to give his password to the criminals and run codes on the system to generate fraud,” continues Globo.com.
Hackers breached C&M’s system, executing fake PIX transactions in one night, targeting only financial institutions. Police are seeking four more suspects and have frozen R$270 million. Brazil’s Central Bank has suspended part of C&M’s operations to prevent further attacks.
C&M stated it’s cooperating with authorities and took prompt technical and legal actions. The breach likely stemmed from social engineering, not system flaws. CMSW’s defenses helped trace the access. The company confirmed that it remains fully operational.
“So far, the evidence suggests that the incident was the result of the use of social engineering techniques to improperly share access credentials, and not of failures in CMSW’s systems or technology. We would like to emphasize that CMSW was not the origin of the incident and remains fully operational, with all of its products and services functioning normally,” reads a statement shared by C&M.
Pierluigi Paganini
(SecurityAffairs – hacking, PIX system)