In one of the most audacious fintech breaches in recent years, hackers infiltrated transaction processor Sinqia S.A.—a Brazilian subsidiary of Puerto Rico-based Evertec—and attempted to steal $130 million via Brazil's real-time Central Bank payment system known as Pix. The August 29th attack, disclosed in an SEC filing, leveraged stolen credentials from an IT vendor account to initiate unauthorized business-to-business transactions targeting two financial institutions.

The Anatomy of a Near-Catastrophe

Pix, launched in 2020, processes over 40% of Brazil's electronic payments—a 24/7 system integral to the country's financial operations. Sinqia, acquired by Evertec in 2023, provides critical software and IT services to 24 Brazilian banks through this infrastructure. Upon detecting the breach:

  1. Sinqia immediately halted all Pix transaction processing
  2. Engaged external cybersecurity forensics experts
  3. Worked with impacted institutions (including HSBC, according to local reports) to recover funds

"The financial and reputational impact... could be material," Evertec warned investors, noting that while portions of the $130 million were recovered, the full extent remains unclear.

Third-Party Access: The Critical Vulnerability

Forensic analysis revealed the attackers didn't directly breach Sinqia's core systems. Instead, they compromised credentials belonging to an IT vendor with privileged access to Sinqia's Pix environment—a stark reminder of supply chain weaknesses. The Central Bank of Brazil has since revoked Sinqia's access to Pix, paralyzing its services while restoration efforts undergo stringent security reviews.

Why This Attack Resonates Globally

This incident underscores three critical threats facing financial infrastructure:

  • API & Payment System Targeting: Pix's ubiquity makes it a high-value target, mirroring attacks on SWIFT and Fedwire systems.
  • Third-Party Blind Spots: Vendor access remains a systemic weak point, enabling lateral movement into critical environments.
  • Speed vs. Security: Real-time payment systems prioritize transaction velocity, complicating fraud detection during active breaches.

The forced suspension of Sinqia's Pix access demonstrates how quickly operational disruption follows security failure in interconnected banking ecosystems. As financial institutions increasingly rely on centralized real-time networks, this breach serves as a case study in securing vendor access pathways before attackers exploit them—not after millions vanish into digital shadows.