Hackers Breach Fintech Environment, Attempted $130M Theft via Brazil’s Pix Network
What happened
On 2 September 2025, security reporting indicated that attackers gained unauthorized access to the environment of Evertec’s Brazilian subsidiary, Sinqia S.A., and attempted to steal $130 million by exploiting connectivity to Brazil’s central bank real‑time payment system, Pix.
“Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix).”
Public reporting describes the incident as an attempted heist; available accounts do not indicate that the full amount was transferred or successfully stolen. Details about the intrusion vector, the attacker identity, and the final disposition of funds have not been disclosed in the reporting.
Background and context — why this matters
Pix is Brazil’s instant payment system, operated under the central bank, that enables near‑real‑time transfers between financial institutions and fintechs. Since its launch, Pix has become a dominant payment rail in Brazil because of speed and ubiquity. That centrality also makes the system a high‑value target: compromise of participant systems can enable large, rapid transactions that are difficult to reverse.
The incident underscores two broader trends: the rising targeting of financial rails and third‑party fintech ecosystems, and the operational risk that comes from tightly interconnected payment infrastructure. Attackers now focus less on low‑value fraud and more on high‑impact transfers, using access to intermediary systems, credential theft, or API and integration weaknesses to try to move substantial sums quickly.
Technical analysis and expert guidance for practitioners
While public reports are sparse on specific technical controls bypassed in this incident, several consistent themes are relevant to practitioners assessing similar exposures.
- Inadequate segmentation between payment rails and business systems increases risk. Environments that expose payment‑clearing interfaces alongside less‑protected development, testing, or administrative systems allow an attacker who gains a foothold to pivot toward high‑value transaction capabilities.
- Privileged access must be tightly managed and audited. Compromise of a single privileged account can permit transaction initiation, modification, or approval. Implementing least privilege, just‑in‑time privilege elevation, and hardware‑backed MFA for any account able to interact with settlement or clearing APIs reduces blast radius.
- Cryptographic assurance of transaction authenticity. Where possible, cryptographic signing of payment orders, non‑repudiation mechanisms, and end‑to‑end transaction integrity checks make unauthorized transfers easier to detect or prevent.
- Real‑time monitoring tuned for payment anomalies. Instant payment systems require monitoring that looks for unusual patterns: outlier amounts, atypical routing, mass key changes, or high‑value flows outside normal business windows. Integrate behavioral analytics and automated hold/escalation for transactions exceeding defined thresholds.
- Immutable, tamper‑evident logging and synchronized clocks. Effective incident response depends on trustworthy logs. Attackers often attempt to erase traces; ensuring logs are streamed off‑host, protected by WORM storage or SIEM retention policies, and tied to an authoritative time source strengthens investigations.
- Supply‑chain and third‑party controls. If the compromised environment was an outsourced or partner instance, the incident highlights the need for rigorous vendor security assurance: attestations, penetration testing, continuous monitoring, and contractual incident notification timelines.
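To make the monitoring criteria above concrete, the following added example (not code from Sinqia, Evertec or the Pix operator) evaluates a constructed stream of transfer and key-change events against the high-value threshold, business-window, atypical-routing and key-change-burst rules described, and assigns an automated hold, review or escalation action; the field names, thresholds and institution codes are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
# Added example, not Sinqia's or the operator's code; field names, thresholds and codes are assumptions.
@dataclass
class PixEvent:
    eid: str
    ts: datetime
    account: str
    kind: str              # "transfer" or "key_change"
    amount: float = 0.0    # BRL, transfers only
    dest_ispb: str = ""    # destination institution code, transfers only

HOLD_THRESHOLD = 1_000_000.0               # auto-hold at or above this amount (assumed policy)
BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 local time is the normal window
KEY_CHANGE_BURST = 3                       # this many key changes on one account ...
KEY_CHANGE_WINDOW = timedelta(minutes=10)  # ... inside this window counts as a mass change
USUAL_DESTINATIONS = {"11111111", "22222222"}  # constructed "known good" institution codes

def evaluate(events):
    """Return {event id: (reasons, action)} for events that need a hold, review or escalation."""
    findings = {}
    recent_key_changes = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "key_change":
            seen = recent_key_changes[ev.account]  # sliding window of this account's recent key changes
            hist = recent_key_changes[ev.account] = [t for t in seen if ev.ts - t <= KEY_CHANGE_WINDOW] + [ev.ts]
            if len(hist) >= KEY_CHANGE_BURST:
                findings[ev.eid] = (["mass_key_change"], "escalate")
            continue
        reasons = []
        if ev.amount >= HOLD_THRESHOLD:
            reasons.append("high_value")
        if ev.ts.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if ev.dest_ispb not in USUAL_DESTINATIONS:
            reasons.append("atypical_routing")
        if reasons:  # at the hold threshold the transfer is held automatically; other oddities get review
            findings[ev.eid] = (reasons, "hold" if "high_value" in reasons else "review")
    return findings

# Constructed sample stream: a routine daytime payment, an off-hours high-value transfer to an unfamiliar institution, and three key changes on one account within minutes.
T0 = datetime(2025, 9, 2, 10, 0)
SAMPLE_EVENTS = [
    PixEvent("e1", T0, "acct-A", "transfer", 12_500.0, "11111111"),
    PixEvent("e2", T0.replace(hour=2), "acct-B", "transfer", 4_000_000.0, "99999999"),
    PixEvent("e3", T0 + timedelta(minutes=1), "acct-C", "key_change"),
    PixEvent("e4", T0 + timedelta(minutes=2), "acct-C", "key_change"),
    PixEvent("e5", T0 + timedelta(minutes=3), "acct-C", "key_change"),
]
```

Running `evaluate(SAMPLE_EVENTS)` leaves the routine payment untouched, holds the off-hours transfer, and escalates only the third key change, once the burst threshold is reached.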
For incident responders, prioritized actions on detection are standard but critical:
- Isolate affected systems and preserve volatile evidence (memory, network captures) for forensic analysis.
- Assess active transactions and hold or reverse suspicious transfers where possible through central bank or settlement operator mechanisms.
- Rotate credentials and revoke compromised keys or certificates used by the affected systems.
- Coordinate with the central bank, industry CERTs, and law enforcement for coordinated containment and recovery steps.
- Perform a post‑incident root cause analysis and remediation plan before restoring full connectivity to payment rails.
Comparable incidents and known trends
Large, attempted transfers through compromised financial messaging systems are not unprecedented. High‑profile historic cases—such as nation‑scale attacks on interbank messaging platforms—illustrate how attackers target settlement rails and intermediary systems to move funds at scale.
Across jurisdictions, real‑time payment systems have become attractive to fraudsters. Since Pix’s introduction, regulators and industry bodies in Brazil have repeatedly warned about misuse of instant payment rails for fraud and emphasized the need for stronger participant controls. Globally, the past decade shows a shift toward sophisticated, high‑value attacks rather than isolated card‑fraud incidents.
Potential risks, implications, and recommended actions
Risks and implications from an incident of this nature extend beyond immediate financial loss:
- Systemic and liquidity risk: A successful large transfer can strain settlement liquidity and require central bank intervention. Even an attempted heist can force temporary throttles or participant freezes.
- Reputational damage: Financial institutions and third‑party providers risk customer and partner trust loss, regulatory scrutiny, and litigation if controls are found inadequate.
- Regulatory consequences: Central banks and financial regulators typically demand incident notification and may impose fines or mandated remediation when participant security lapses are identified.
- Contagion risk: Compromise of one participant can be leveraged to target connected institutions if lateral movement is possible through payment rails or shared services.
Actionable recommendations for organizations that participate in instant payment systems:
- Enforce strong network segmentation between clearing interfaces and non‑production or administrative networks.
- Require hardware MFA and certificate‑based authentication for any account capable of initiating or approving high‑value transactions.
- Implement multi‑party controls such as dual approval for transfers above defined thresholds and short‑window manual review for out‑of‑policy flows.
- Deploy continuous threat detection with focus on payment rails: monitor API usage, rate spikes, and access patterns deviating from normal business operations.
- Ensure vendors and subsidiaries adhere to the same security standards; include right‑to‑audit clauses and incident response SLAs in contracts.
- Coordinate crisis playbooks with central banks and industry peers to enable rapid freezing, reversal, or hotlisting of suspect transactions and keys.
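As an added illustration of the dual-approval control recommended above (example code, not any participant's actual implementation), the following enforces two distinct approvers for transfers at or above an assumed threshold, refuses self-approval by the initiator, and expires transfers left undecided beyond a short review window; the threshold, window and user names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added example, not Sinqia's or any operator's code; threshold, review window and user names are assumptions.
DUAL_APPROVAL_THRESHOLD = 250_000.0     # BRL; transfers at or above this need two distinct approvers
REVIEW_WINDOW = timedelta(minutes=15)   # pending transfers expire if nobody decides inside this window

@dataclass
class PendingTransfer:
    tid: str
    amount: float
    initiator: str
    created: datetime
    approvals: set = field(default_factory=set)   # a set, so one approver cannot count twice
    state: str = "pending"                        # pending -> released | expired

    def required_approvals(self):
        return 2 if self.amount >= DUAL_APPROVAL_THRESHOLD else 1

    def approve(self, approver, now):
        """Record an approval and return the new state; enforces separation of duties and the window."""
        if self.state != "pending":
            return self.state
        if now - self.created > REVIEW_WINDOW:
            self.state = "expired"              # left undecided past the manual-review window
            return self.state
        if approver == self.initiator:
            raise PermissionError("initiator cannot approve their own transfer")
        self.approvals.add(approver)
        if len(self.approvals) >= self.required_approvals():
            self.state = "released"
        return self.state

def run_scenarios():
    """Constructed cases; returns each transfer's resulting state and whether self-approval was refused."""
    t0 = datetime(2025, 9, 2, 9, 0)
    big = PendingTransfer("t1", 900_000.0, "ops-alice", t0)
    after_first = big.approve("ops-bob", t0 + timedelta(minutes=1))
    after_repeat = big.approve("ops-bob", t0 + timedelta(minutes=2))     # same approver again
    after_second = big.approve("ops-carol", t0 + timedelta(minutes=3))   # distinct second approver
    small = PendingTransfer("t2", 1_000.0, "ops-alice", t0).approve("ops-bob", t0)
    late = PendingTransfer("t3", 900_000.0, "ops-alice", t0).approve("ops-bob", t0 + timedelta(minutes=20))
    try:
        PendingTransfer("t4", 900_000.0, "ops-alice", t0).approve("ops-alice", t0)
        self_refused = False
    except PermissionError:
        self_refused = True
    return {"first": after_first, "repeat": after_repeat, "second": after_second,
            "small": small, "late": late, "self_refused": self_refused}
```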
Conclusion
The reported attempted theft against Evertec’s Brazilian subsidiary Sinqia via the Pix network is a sharp illustration of the risks that come with instant payment rails and highly connected fintech ecosystems. Even when theft is not completed, such incidents highlight weaknesses in segmentation, privileged access controls, and real‑time transaction monitoring. Financial institutions, payment processors, and regulators must treat these systems as mission‑critical infrastructure: harden participant environments, enforce strict vendor oversight, and implement layered controls that combine cryptographic protections, behavioral analytics, and human oversight for high‑value transfers.
Source: www.bleepingcomputer.com