Financial institutions received a security alert from the Central Bank on Saturday (06/09) regarding a new cyberattack against a payment company not authorized to operate by the monetary authority. According to the message sent to institutions, the Central Bank identified “a cyber incident at an unauthorized entity, resulting in the improper theft of financial funds.” Sources estimate that approximately R$30 million was diverted in the operation, reinforcing concerns about vulnerabilities in the financial system when unauthorized players are involved.
This Content Is Only For Subscribers
To unlock this content, subscribe to INTERLIRA Reports.
Recommended Actions
In response, the Central Bank advised institutions to take immediate steps, including reinforcing continuous monitoring of all financial transactions, even those classified as book transfers (movements of funds within the same institution). Market participants believe the embezzled money was dispersed into about 400 receiving accounts, many of which are suspected to belong to shell companies designed to obscure the financial trail.
No Risk to Customers
Attorney Guilherme Carneiro, representing company E2, confirmed that the embezzled amount is still under investigation. E2 stated that it has already implemented internal verification and monitoring protocols and reaffirmed the full integrity of its operational systems. The company emphasized that there was no breach of its infrastructure, ensuring that no additional customer accounts or funds are at risk.
Protection Measures
In the wake of this fourth cyberattack reported this year, the Central Bank announced a new package of measures to strengthen the security of the national financial system. The measures aim to close loopholes exploited by organized crime, including the introduction of a R$15,000 limit for Pix and TED transactions made through unauthorized payment institutions connected via Information Technology Service Providers (PSTIs).Stricter requirements for PSTI accreditation were also introduced, alongside the rule that no payment institution can begin operating without prior authorization from the Central Bank.
Fragility
The fragility of this structure became evident after previous attacks on companies such as C&M Software and Sinqia, where combined embezzlements reached around R$1.5 billion. The situation has raised alarms within the federal government. On Wednesday (03/09), Robinson Barreirinhas, Secretary of the Federal Revenue Service, admitted that the Financial Activities Control Council (COAF) “is not capable” of tracking the illicit flow of money through so-called pocket accounts widely used by fintechs, which creates additional risks for financial oversight.
Bank Requests
Despite the Central Bank’s new measures, representatives of major financial institutions argue that the package is insufficient to deal with the growing sophistication of organized crime. Banks have submitted proposals for further actions, such as imposing stricter financial limits on overnight transfers, introducing delays in the processing of high-value Pix transactions, and prohibiting the use of Pix by individuals or companies identified as shell accounts. These requests aim to reduce opportunities for large-scale fraud and minimize systemic impacts, while also pushing the Central Bank to adopt a stronger regulatory posture.
Analysis:
The cyberattack on an unauthorized payment company shows the real risks that security gaps in the financial system pose for both individual users and businesses. Even though the affected entity was not formally authorized by the Central Bank, the diversion of millions through shell accounts creates ripple effects that erode trust in digital transactions. For users, this means greater exposure to fraud attempts, delays in recovering stolen funds, and the risk of unknowingly interacting with institutions that operate outside regulatory oversight. For businesses, the incident raises the cost of compliance and forces companies to allocate more resources to transaction monitoring and fraud prevention, directly affecting operational efficiency.
In practical terms, the case demonstrates that vulnerabilities in unauthorized operators can still generate systemic consequences. If confidence in Pix and other fast-payment methods is shaken, companies that rely on digital transactions may face reduced customer engagement or increased demand for alternative payment options. Meanwhile, stricter limits and new controls proposed by the Central Bank, while necessary, could also slow down legitimate financial operations, affecting cash flow for companies and convenience for consumers.
