On August 29, 2025, hackers successfully executed a breach of Sinqia S.A., a Brazilian subsidiary of Evertec, Inc., targeting its operations within the Brazilian Central Bank’s real-time payment system, Pix. This unauthorized access culminated in an attempt to siphon off $130 million through fraudulent transactions.
Evertec is a prominent financial technology firm recognized for its full-service transaction processing capabilities across Latin America, Puerto Rico, and the Caribbean. Sinqia, which Evertec acquired in 2023, specializes in financial software and IT services tailored for the banking sector.
In an official filing with the U.S. Securities and Exchange Commission (SEC), Evertec disclosed that upon identifying the unauthorized activity, Sinqia adhered to its incident response protocol. This involved immediate cessation of transaction processing within the Pix environment and engaging external cybersecurity forensics experts to assess and mitigate the breach.
Understanding Pix: A Critical Infrastructure
Launched by the Central Bank of Brazil in November 2020, Pix serves as the country’s instant payment system, facilitating round-the-clock fund transfers. The system has rapidly ascended to become Brazil’s primary payment method, making it an attractive target for cybercriminals, particularly those deploying Android banking malware strategies.
The Incident: Unauthorized Transactions and Recovery Efforts
The cyber attackers attempted to initiate unapproved business-to-business transactions involving two of Sinqia’s client financial institutions. Reports indicated potential links to HSBC; however, a spokesperson from the bank confirmed that no customer funds or data were compromised during the incident.
While part of the embezzled $130 million has been successfully recovered, specific recovery amounts remain undisclosed, with efforts ongoing to recoup the full amount. Investigations revealed that the hackers attained access to Sinqia’s Pix operational environment by exploiting stolen credentials linked to an IT vendor’s account.
Current Status and Regulatory Actions
The Central Bank of Brazil has temporarily revoked Sinqia’s access to the Pix system as a precautionary measure. The company is working diligently to restore its access by providing all necessary information and assurances to regulatory authorities. Importantly, Evertec stated that there is no evidence suggesting the breach affects systems beyond Sinqia’s Pix interactions, nor has there been any indication of personal data exposure.
Implications for Financial Institutions
Significantly, the breached Pix environment is crucial for the operations of 24 financial institutions within Brazil. Evertec has acknowledged the potential financial and reputational ramifications stemming from this incident. The company emphasized that the full impact, including possible effects on internal controls, remains indeterminate but could be materially significant.
In conjunction with the incident, recent data indicates that approximately 46% of compromised environments experienced password cracking, a dramatic increase from 25% the previous year. Institutions must respond proactively to these threats by reassessing their cybersecurity protocols and enhancing their defense mechanisms against such vulnerabilities.
For a comprehensive analysis of current trends in prevention, detection, and data exfiltration strategies, industry stakeholders are encouraged to access the Picus Blue Report 2025.