A look at Brazil’s Largest Financial Hack: Junior Developer Sells Access for $900 over a couple of beers

🍻

The Biggest heist in Brazilian history is also its biggest hack — and importantly, one that hinged on very poor governance — not technical expertise.

./background

This week, Brazil’s newspapers reported on an alleged R$ 1 Billion (around USD 180 Million) digital heist against a financial institutions service provider — the final amount is yet to be determined at the time of writing this.

The service provider has ties to the biggest financial institutions in Brazil, so a lot of supply chain dependency here… 🚩

Official reports in portuguese available online, i.e.:

Roubo de R$ 1 bilhão? O que se sabe sobre o ataque hacker à C&M, prestadora de serviços de instituições financeiras — ISTOÉ DINHEIRO

Roubo de R$ 1 BILHÃO: o que sabemos sobre o CRIME no Brasil • Tecnoblog

and many more reports of course. You can get an LLM to summarize, research details for you — Im not here for this.

./findings

The most recent findings however, a couple of days since initial reporting, is that the whole attack / heist was made possible, not due to a major criticial vulnerability, or a especially crafted payload delivered to an employee, it was a social engineering at a bar!