NextFin

Brazil's Central Bank Issues New Alert Amid Intensified Hacker Attacks on Financial Institutions

NextFin news: Brazil's Central Bank issued a new alert on Sunday regarding a surge in hacker attacks on financial institutions across the country, with a focus on vulnerabilities in the Pix instant payment system and other digital transfer platforms.

The alert came as part of a broader response to recent cyberattacks that exploited security gaps in payment institutions, IT service providers, and pooled accounts used within the National Financial System Network. The Central Bank's governor, Gabriel Galípolo, emphasized that these attacks are primarily orchestrated by organized crime groups aiming to exploit weaknesses in the financial infrastructure.

In response, the Central Bank announced immediate measures including a cap of 15,000 reais (approximately $2,767) on digital cash transfers conducted by payment institutions not authorized by the Central Bank. The cap was set with typical transaction sizes in mind: 99% of corporate transactions via Pix or TED bank transfers fall below this threshold. The measure aims to force attackers to conduct multiple smaller transactions, complicating their operations.

Additionally, the Central Bank brought forward the deadline for unauthorized payment institutions to apply for official licensing, from December 2029 to May 2026. This move seeks to eliminate unlicensed firms that may be controlled by criminal organizations or lack adequate controls to prevent illicit fund flows.

The investigation revealed that IT service providers, known as PSTIs, which connect smaller banks to the payment system, were involved in the two largest recent fraud cases. These providers improperly stored access credentials, enabling hackers to bypass security measures and execute fraudulent transfers. The Central Bank highlighted the need for tighter controls over PSTIs without undermining the competitive banking environment.

Another vulnerability identified involves pooled accounts, where funds from multiple clients are consolidated without individual identification. While these accounts can reduce transaction costs in legitimate scenarios, they also pose risks for money laundering and were linked to recent law enforcement operations targeting organized crime in Brazil's fuel sector.

The Central Bank's alert and new regulations follow a series of cyberattacks, including one just two days prior targeting the Reserve Transfer System (STR), which processes traditional wire transfers between banks.

These developments underscore the Central Bank's commitment to strengthening the security of Brazil's financial system amid rising cyber threats. The measures were announced following a board meeting on Friday and communicated publicly on Sunday, with ongoing efforts to monitor and respond to emerging risks.

Sources: Folha de S.Paulo (2025-09-07), Reuters (2025-09-05), Valor International (2025-09-04)
