This month could barely have started any worse for some financial institutions in Brazil.

On 30 June 2025, C&M Software, a Brazilian company that provides a "bridge" helping the country's central bank connect to local banks, revealed that it had been hacked.

800 Brazilian reals (approximately US $140 million) was stolen from the reserve accounts of six financial institutions as a result of the security breach.

In the wake of the attack, which made massive news headlines in Brazil, the country's Banco Central suspended access to C&M Software's platform for all local banks and institutions while it investigated what had gone wrong, and to contain the damage.

Then, on Friday 4 July, the news desk of São Paulo's TV Globo reported that the city's police had arrested an employee of C&M Software.

48-year-old IT worker João Roque, who worked on backend systems at C&M Software, is alleged to have assisted hackers by selling them login credentials for approximately US $2,700 - granting them unauthorised access to sensitive critical systems.

According to police, Roque created the mechanism for the hackers to divert funds. According to TV Globo Roque claims to have only communicated with the cybercriminals via cellphone, and did not known personally. He is said to have changed his mobile phone every 15 days in an attempt - clearly futile - to avoid being tracked.

In a police statement, Roque reportedly claimed that he had first been approached in March by cybercriminals as he was leaving a São Paulo bar. He claims that later he received instructions via WhatsApp, and received payments for his services via a motorcycle courier.

The money ultimately stolen by the hackers was from reserve accounts, used by financial institutions to exchange funds between themselves, rather than those belonging to customers - meaning that members of the public should not be directly impacted by the attack.

Further investigations into the attack are ongoing. Brazilian authorities have since frozen US $50 million linked to the incident, and C&M Software says that it is co-operating with the investigation and that it has now brought its platform back online.

Attacks like this strongly underline the importance of not just considering your organisation's security, but also the security of your suppliers and the risks that their employees might pose.