On June 30, 2025, C&M Software, a service provider for Brazil's central bank, was hit by a significant cyber attack that resulted in an estimated loss of $140 million (800 million Brazilian reais) from the reserve accounts of six financial institutions.
The breach was facilitated by an internal security lapse: hackers purchased login credentials from a C&M Software employee for just under $3,000, which allowed them direct access to critical banking systems.
Reports indicate that after gaining access, the attackers transferred large sums out of reserve accounts before converting an estimated $30 to $40 million of the stolen funds into cryptocurrencies - including Bitcoin, Ethereum, and Tether - through over-the-counter (OTC) desks and exchanges in Latin America. This rapid conversion into digital assets complicated the investigation and recovery process because it made tracing and freezing stolen funds more challenging.
C&M Software confirmed the incident stemmed from a social engineering attack in which an employee was approached outside of work and enticed with financial benefits to sell his credentials.
The organization emphasized that although its infrastructure remained uncompromised, the breach exposed vulnerabilities arising from insider threats and the misuse of internal access.
In response, the Brazilian Central Bank directed all institutions to suspend access to C&M Software's platform immediately to contain the attack and protect critical systems.
Law enforcement and blockchain investigators have been actively involved in tracking the stolen funds, identifying unregistered OTC desks, and working with exchanges to freeze assets. Despite these efforts, only a portion of the stolen funds - around five million dollars in cryptocurrency - has been recovered as of mid-July, and Brazilian authorities have not yet made any arrests related to the laundering operation.
The incident has been described as the largest digital theft in Brazil's history and has sharpened focus on the risks posed by insider threats, social engineering, and the use of cryptocurrencies for money laundering.
Experts and industry leaders have noted that while technical safeguards are essential, human error and manipulation remain critical weak points in cybersecurity for financial institutions.
Source: https://www.ainvest.com/news/software-cyber-attack-leads-140-million-loss-2507/
Commentary
In the above matter, an employee was approached outside of work to sell his credentials.
When employees sell credentials to criminals, organizations face substantial risks that can affect every dimension of their operation. Such transactions open the door to unauthorized access, allowing attackers to infiltrate systems, steal sensitive financial and customer data, and manipulate business operations. This often results in significant financial losses, regulatory penalties, reputational harm, and a severe erosion of customer trust.
Attackers may use stolen credentials to spread malware, deploy ransomware, or stage sophisticated frauds like business email compromise, each of which can cause further disruptions and monetary damage. The availability of credentials for sale on dark web marketplaces also means that numerous attackers may buy and exploit the same access, amplifying the consequences for the employer.
There have been several other notable cases in which employees sold their credentials to cybercriminals. In one case, a system administrator who had been laid off used his former access to sabotage a manufacturing plant, causing more than a million dollars in damages.
Surveys have shown that as many as 20 percent of employees would consider selling their work passwords for relatively small sums, often under $1,000, indicating how common and accessible this insider threat can be across all sectors and regions.
To prevent employees from selling credentials, organizations need a comprehensive strategy that addresses both human and technical factors. This includes regular security awareness training to help employees recognize the value of the data they handle and understand the dangers of credential misuse.
Enforcing strong authentication mechanisms, such as multi-factor authentication, significantly reduces the impact of any single compromised credential.
Investing in secure password management, implementing the principle of least privilege, and regularly auditing account access help lessen both temptation and opportunity for misuse.
Additionally, ongoing monitoring for unusual access patterns or for compromised credentials circulating on the dark web can help detect threats early. Establishing a workplace culture that rewards ethical behavior and makes clear the consequences of insider threats is crucial for minimizing the risks of credential sales.
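A sold credential passes the password check, so monitoring has to key on the context around the login rather than on the login itself. The sketch below is an added example, not code from C&M Software or any cited source: it builds a per-account baseline and flags events that deviate from it on several independent signals. The event fields, account name, device names and thresholds are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the incident); the field layout is assumed:
# (timestamp, user, device, network, MFA passed, action, amount)
HISTORY = [
    ("2025-06-02T09:14", "op_17", "WS-0412", "office", True, "login", 0),
    ("2025-06-02T10:02", "op_17", "WS-0412", "office", True, "transfer", 120_000),
    ("2025-06-03T14:40", "op_17", "WS-0412", "vpn", True, "transfer", 95_000),
]
NEW = [
    ("2025-06-05T09:30", "op_17", "WS-0412", "office", True, "transfer", 110_000),
    ("2025-06-06T02:47", "op_17", "UNKNOWN-7", "external", False, "login", 0),
    ("2025-06-06T02:55", "op_17", "UNKNOWN-7", "external", False, "transfer", 9_000_000),
]

def build_baseline(events):
    """Per-user profile: known devices, networks, active hours, largest amount."""
    base = defaultdict(lambda: {"devices": set(), "nets": set(), "hours": set(), "max_amt": 0})
    for ts, user, device, net, _mfa, _action, amount in events:
        p = base[user]
        p["devices"].add(device)
        p["nets"].add(net)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["max_amt"] = max(p["max_amt"], amount)
    return base

def deviations(event, base, amount_factor=5):
    """List the ways one event departs from its user's baseline."""
    ts, user, device, net, mfa, _action, amount = event
    p = base.get(user)
    if p is None:
        return ["no baseline for account"]
    hour = datetime.fromisoformat(ts).hour
    checks = [
        (device not in p["devices"], "new device"),
        (net not in p["nets"], "new network"),
        (all(min(abs(hour - h), 24 - abs(hour - h)) > 2 for h in p["hours"]), "unusual hour"),
        (not mfa, "no second factor"),
        (amount > amount_factor * max(p["max_amt"], 1), "amount far above history"),
    ]
    return [reason for hit, reason in checks if hit]

def review(history, new_events, threshold=2):
    """Flag events showing at least `threshold` independent deviations."""
    base = build_baseline(history)
    scored = [(e[0], e[1], deviations(e, base)) for e in new_events]
    return [s for s in scored if len(s[2]) >= threshold]
```

Requiring two or more deviations keeps a single change, such as a replaced workstation, from raising an alert while still catching a valid password used from an unfamiliar device, network and hour.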
Additional Sources: https://www.dashlane.com/blog/employees-may-sell-work-passwords-for-next-to-nothing; https://www.welivesecurity.com/2021/01/05/breached-employee-credentials-gaming-companies/