Third hacker attack on financial system hits TED infrastructure

The fintech Monbank, based in Rio Grande do Sul, suffered a hacker attack on Tuesday that diverted R$ 4.9 million from its reserve account. This incident adds to two other recent cyber attacks targeting the financial sector in Brazil — against C&M Software and Sinqia. This marks the third cyber attack to become public in the Brazilian financial sector in two months. This time, however, the victim was not the Pix infrastructure, but the TED system.
In both the C&M and Sinqia cases, the criminals also targeted reserve accounts of financial institutions that used the services of IT service providers. These accounts are held at the Central Bank and are used for interbank operations such as Pix, TEDs, and boletos.
In the case of Monbank, however, the attack occurred through the TED operation for non-customers, according to sources familiar with the investigation who informed the Valor newspaper. The criminals attempted to access the system through the Pix environment initially but were blocked by the Central Bank.
The Pix system is located in a separate infrastructure, the Instant Payment System (SPI). A second attempt was made through the TED operation for customers, but this was also blocked. There are no details yet on how the criminals managed to access the fintech’s system, but there are indications that they may have infiltrated Monbank’s structure without using an IT service provider, as was the case with C&M and Sinqia.
After identifying the attack, Monbank disconnected from the Reserve Transfer System (STR) — which settles TED transactions — and Pix to prevent further attempts. In a statement, the fintech reported that it has recovered R$ 4.7 million of the initially diverted amount. The incident was reported to the Central Bank and the Federal Police.
This incident comes just days after Sinqia was also targeted in a hacker attack. In a statement released on Tuesday, the company revealed that the criminals used ‘legitimate credentials’ to access the system, with the amount diverted reaching ‘approximately R$ 710 million’, of which a portion has already been recovered. Initially, sources had reported that R$ 670 million had been diverted, with R$ 630 million from HSBC and R$ 40 million from Artta, a Direct Credit Society (SCD).
In June, C&M Software had already fallen victim to hackers in an attack resulting in an estimated loss of over R$ 1 billion, as reported by the Valor newspaper. The São Paulo Civil Police investigated the involvement of an ‘insider’ — an employee of the company, João Nazareno Roque, who allegedly sold access credentials to a criminal group. So far, the Police have not released any new updates on the case, and Nazareno remains in custody.