$130M Real-Time Payment Fraud Attempt via Stolen Vendor Credentials
- SHAH MUHAMMAD ASH-SYAFIQ BIN SHAHRIL
- Sep 4

Overview
On August 29, 2025, threat actors gained unauthorized access to Sinqia S.A., the Brazilian subsidiary of Evertec Inc., and attempted to steal $130 million by exploiting Brazil’s Pix real-time payment system. Evertec is a publicly traded full-service transaction processor operating across Latin America, Puerto Rico, and the Caribbean, serving a broad base of financial institutions. Its subsidiary Sinqia, acquired in 2023, is a leading provider of financial software and IT services to 24 financial institutions in Brazil, making it a critical player in the country’s financial infrastructure.

The attack leveraged Pix, Brazil’s instant payments platform launched by the Central Bank of Brazil in 2020. Pix enables 24/7 real-time fund transfers and has rapidly become the dominant payment method in the country. Its popularity has also made it an attractive target for cybercriminals, including operators of Android banking malware and other financial fraud schemes.

In a filing with the U.S. Securities and Exchange Commission (SEC), Evertec confirmed the breach and disclosed that no evidence of personal data exposure has been identified. The company emphasized that the attack was contained before full financial loss occurred, and that recovery efforts are ongoing to mitigate potential damage and restore normal operations.
Attack Details
Entry Point
• Hackers accessed Sinqia’s Pix environment using stolen credentials from an IT vendor account.
• No evidence suggests lateral movement beyond Pix infrastructure.
Attack Execution
• Attempted unauthorized business-to-business transactions targeting two financial institutions.
• Local media named HSBC Brazil, but the bank confirmed no customer impact.
• Evertec reports partial recovery of stolen funds; exact amount undisclosed.
Incident Response
• Transaction processing halted in Pix environment immediately.
• External cybersecurity forensics experts engaged.
• Access to Pix revoked by Central Bank of Brazil pending assurance and remediation.
Impact
Financial Risk
• Attempted theft: $130 million USD.
• Amount recovered: undisclosed, recovery efforts ongoing.
Operational Risk
• Pix services suspended for 24 financial institutions connected via Sinqia.
• Business continuity temporarily affected.
Reputational Risk
• Public disclosure via SEC filing may affect investor confidence.
• Possible regulatory scrutiny by Brazilian Central Bank and financial oversight bodies.
No Confirmed Data Breach
• No evidence of customer data exposure or compromise beyond Pix environment.
Recommendation
For Financial Institutions
• Enforce vendor access controls: Use MFA, time-bound access, and strict auditing.
• Review Pix transaction monitoring for anomalies.
• Perform credential hygiene checks on all third-party integrations.
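The vendor-access and transaction-monitoring checks above can be combined in one audit pass over transfer logs. The following is an added example, not part of the original post and not Evertec, Sinqia or Pix tooling. The log fields, account names, access windows and the value limit are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data. Account names, field names and limits are assumptions.
GRANTS = {  # vendor account -> approved (start, end) of its time-bound access
    "vendor-it-01": (datetime(2025, 1, 10, 9, 0), datetime(2025, 1, 10, 17, 0)),
}
EVENTS = [  # B2B transfer log records
    {"id": "t1", "actor": "vendor-it-01", "actor_type": "vendor", "mfa": True,
     "ts": datetime(2025, 1, 10, 10, 0), "amount": 5_000},
    {"id": "t2", "actor": "vendor-it-01", "actor_type": "vendor", "mfa": False,
     "ts": datetime(2025, 1, 11, 2, 10), "amount": 600_000},
    {"id": "t3", "actor": "vendor-it-01", "actor_type": "vendor", "mfa": False,
     "ts": datetime(2025, 1, 11, 2, 20), "amount": 700_000},
    {"id": "t4", "actor": "ops-user-7", "actor_type": "internal", "mfa": True,
     "ts": datetime(2025, 1, 11, 9, 0), "amount": 20_000},
]

def audit_transfers(events, grants, window=timedelta(minutes=30), value_limit=1_000_000):
    """Return {event_id: [reasons]} for transfers that violate the policy checks."""
    findings = {}
    recent = defaultdict(deque)  # actor -> (timestamp, amount) pairs inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        if ev["actor_type"] == "vendor":
            grant = grants.get(ev["actor"])
            # Time-bound access: vendor activity is valid only inside an approved grant.
            if grant is None or not (grant[0] <= ev["ts"] <= grant[1]):
                reasons.append("outside_access_window")
            if not ev["mfa"]:
                reasons.append("no_mfa")
        # Rolling value per account: surfaces a burst of high-value transfers.
        q = recent[ev["actor"]]
        q.append((ev["ts"], ev["amount"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        if sum(amount for _, amount in q) > value_limit:
            reasons.append("value_burst")
        if reasons:
            findings[ev["id"]] = reasons
    return findings

if __name__ == "__main__":
    for event_id, reasons in audit_transfers(EVENTS, GRANTS).items():
        print(event_id, ", ".join(reasons))
```

A vendor account with no grant on file is treated as outside its access window, so unregistered third-party accounts are flagged by default.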
For Payment System Operators
• Segment high-value environments to contain vendor credential misuse.
• Implement continuous threat hunting for unauthorized access patterns.
• Strengthen incident response exercises with real-time payment fraud scenarios.
For Regulators and Industry Bodies
• Mandate vendor risk assessments for fintech service providers.
• Expand mandatory reporting of real-time payment fraud attempts.



