In one of the most significant insider-assisted cyberattacks in Brazil’s financial history, a low-level IT operator working at C&M Software—a company that links smaller banks to Brazil’s PIX real-time payment system—was arrested for facilitating unauthorized access to the company’s core infrastructure. The breach compromised the connectivity hub between financial institutions and the Central Bank, resulting in a multi-million-dollar fraud operation affecting at least six banks.

The suspect, João Nazareno Roque, 48, used his administrative credentials and technical access to assist attackers in executing fraudulent operations inside the company’s backend systems. The breach occurred not through malware or zero-day exploitation, but through a textbook case of social engineering, credential sharing, and human vulnerability.
Timeline and Modus Operandi
Phase 1 – Social Engineering and Initial Contact
According to police records and Roque’s own statement:
- He was first approached outside a bar in São Paulo by an individual who demonstrated intimate knowledge of his job.
- Days later, he received a WhatsApp call offering him BRL 5,000 (~USD 1,000) in exchange for access to internal systems.
🛑 Red Flag: No exploitation of software was needed — the entire breach hinged on trust abuse and targeted social interaction.
Phase 2 – Credential Theft and Remote Access Setup
Once Roque agreed to cooperate:
- He physically handed over his corporate login and password to a courier (motoboy).
- He was later paid BRL 10,000 to continue injecting code into C&M’s systems using his own machine.
- Attackers sent instructions via a Notion workspace, guiding him on what to run and how.
📎 This reflects a growing trend in remote-controlled insider operations that use legitimate platforms (e.g., Notion, WhatsApp) for covert command and control (C2) communications.
Phase 3 – Operational Security Measures
Roque maintained strict OPSEC behavior:
- He changed his phone every 15 days to avoid forensic tracking.
- He never met his handlers in person and claimed not to know their identities.
- All communication was encrypted or handled via transient, peer-to-peer messaging apps.
Despite this, digital forensics and system telemetry eventually linked the malicious activity to his credentials and device.
Institutional Impact and Response
The attack triggered high alert in the Brazilian financial system, especially among fintechs and digital banks that rely on third-party integration providers like C&M.
C&M Software’s Response:
- Issued a statement confirming no technical vulnerability was exploited.
- Asserted that the attack was the result of “credential abuse via social engineering.”
- Highlighted that internal security monitoring tools helped identify the origin of the breach quickly.
C&M maintains that all systems remain operational and that they are actively assisting law enforcement.
Lessons for the Cybersecurity Community
1. People Are Still the Primary Attack Surface
This incident reinforces that even the most secure systems are vulnerable to the humans behind them. Training and access control are insufficient if employees can be manipulated or coerced.
2. Credential Abuse Is Easier Than Exploiting Software
This breach didn’t require a single buffer overflow or privilege escalation — it simply involved buying access. It’s a stark reminder that credential lifecycle management is critical.
Solution: Enforce MFA on all privileged accounts, monitor for login anomalies, and validate the geo-context of login behaviors.
3. Insider Threat Monitoring Must Be Behavioral
Organizations often lack visibility into command execution patterns, personal device usage, or non-sanctioned collaboration tools (e.g., Notion, Telegram).
Recommendation: Deploy UEBA (User and Entity Behavior Analytics) tools to detect abnormal patterns such as:
- Use of new tools
- Unusual command execution times
- Sudden access to sensitive systems
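The login-anomaly checks from point 2 and the behavioral patterns listed above can be expressed as baseline-and-deviation rules over an activity log. The block below is an added example, not C&M's tooling: it learns a per-user baseline (hosts, source countries, tools run, systems touched) from an earlier window and flags later events that deviate. The log lines, user, host and system names, and shift hours are constructed.

```python
# Added example, not C&M's tooling: baseline-and-deviation checks of the kind
# a UEBA rule set applies. Events, system names and shift hours are constructed.
from collections import defaultdict
from datetime import datetime
SENSITIVE = {"pix-gateway", "core-db"}  # assumed crown-jewel system names
BUSINESS_HOURS = range(8, 19)           # 08:00-18:59, assumed local shift
# Constructed events: ts|user|host|event|country|detail
SAMPLE_LOG = """\
2025-06-02T09:12:00|jroque|corp-ws-17|login|BR|vpn
2025-06-02T09:15:00|jroque|corp-ws-17|exec|BR|ssh
2025-06-03T10:05:00|jroque|corp-ws-17|access|BR|ticketing
2025-06-29T23:40:00|jroque|personal-laptop|login|BR|vpn
2025-06-29T23:41:00|jroque|personal-laptop|exec|BR|scp
2025-06-29T23:43:00|jroque|personal-laptop|access|BR|pix-gateway
2025-06-30T02:10:00|jroque|personal-laptop|login|AR|vpn
"""

def build_profile(events):
    """Per-user baseline: hosts, source countries, tools run, systems touched."""
    profile = defaultdict(lambda: defaultdict(set))
    for ts, user, host, event, country, detail in events:
        p = profile[user]
        p["hosts"].add(host)
        p["countries"].add(country)
        if event in ("exec", "access"):
            p["tools" if event == "exec" else "systems"].add(detail)
    return profile

def score(events, profile):
    """Return (ts, user, rule, detail) for each deviation from the baseline."""
    alerts = []
    for ts, user, host, event, country, detail in events:
        p = profile[user]  # unknown user -> empty baseline, everything alerts
        checks = [
            ("new_host", host not in p["hosts"], host),
            ("new_geo", country not in p["countries"], country),
            ("off_hours", ts.hour not in BUSINESS_HOURS, event),
            ("new_tool", event == "exec" and detail not in p["tools"], detail),
            ("new_sensitive_access", event == "access" and detail in SENSITIVE
             and detail not in p["systems"], detail),
        ]
        alerts += [(ts, user, rule, what) for rule, hit, what in checks if hit]
    return alerts

def detect(log=SAMPLE_LOG, cutoff=datetime(2025, 6, 15)):
    """Parse, learn the baseline from events before cutoff, score the rest."""
    rows = [line.split("|") for line in log.strip().splitlines()]
    events = [(datetime.fromisoformat(r[0]), *r[1:]) for r in rows]
    profile = build_profile([e for e in events if e[0] < cutoff])
    return score([e for e in events if e[0] >= cutoff], profile)
```

On the constructed log, the late-June events from an unseen host, a new tool, a first touch of a sensitive system and a login from a new country all surface, while the baseline window stays quiet; in production the baseline would span weeks of history and repeated `new_host` hits would be deduplicated per session.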
Red Team Perspective: How an Attacker Operates
From a red teaming or adversary emulation perspective, this case offers a valuable blueprint:
| Step | Technique |
|---|---|
| Recon | Social profiling on LinkedIn and local reconnaissance |
| Initial Access | Human approach + monetary coercion |
| Command & Control | Remote workstations + productivity platforms (Notion) |
| Persistence | Repeat access via coerced human assistance |
| Payment Channel | Untraceable, cash-based delivery via couriers |
No malware, no RCE, no exploits — just psychological manipulation and trust abuse.
Broader Implications
- Regulatory Wake-Up Call: This case could lead to new compliance requirements for vendors that provide financial integration middleware.
- Supply Chain Risk Expansion: While third-party tech vendors have long been seen as a risk, low-level employees in non-core roles are emerging as weak points.
- Digital Identity Verification Needed: Robust identity validation for internal operations and separation of duties (SoD) could have prevented access from a single operator.
This case is a clear reminder: humans remain the weakest link in security chains — and attackers know it. For defenders, this underscores the importance of defense in depth, not just at the perimeter, but deep within the organization, where overlooked users may hold the keys to critical systems.

Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.