
Is Pix Safe? What the R$100 Million BTG Pactual Hack Reveals About Financial Security

Hackers diverted R$100 million from BTG Pactual via Pix. Here's what happened, why the Pix system itself wasn't breached, and what it means for investors.

Written by Sidnei Oliveira

On Sunday, March 22, 2026, hackers diverted approximately R$100 million (about US$16.4 million) from BTG Pactual, Latin America's largest independent investment bank, through Brazil's instant payment system known as Pix. Brazil's Central Bank detected atypical movements starting at 6am. BTG suspended Pix operations as a precaution. By Monday, March 23, services began to be restored. R$73 million was recovered. Between R$20 million and R$40 million remains missing.

The stolen funds did not come from client accounts. They were BTG's own settlement reserves held at the Central Bank. No personal data was exposed. No investor accounts were accessed. The breach was internal.

For anyone following Brazil's financial system, or investing in it, this incident raises a straightforward question: is Pix actually safe?

Timeline of the BTG Pactual attack

The attackers chose a predictable window: early Sunday morning, when oversight is at its lightest. They accessed BTG's settlement account at the Central Bank and executed a series of Pix transfers to accounts at multiple institutions: Banco Inter, Banco do Brasil, Bradesco, Caixa Econômica Federal, PicPay, Itaú, and Mercado Pago.

Brazil's Federal Police and CyberGaeco (a specialized cybercrime unit) were called in. Investigators are examining the potential use of an outdated credential linked to a former banking technology vendor that once provided services to BTG. The possibility of insider involvement, specifically employees with access to reserve account credentials, has not been ruled out.

After dispersing funds across multiple accounts, the attackers converted a portion into cryptocurrencies to hinder tracing. This is not a new tactic: it is the standard playbook from every major attack on Brazil's financial system since 2025.

| Event | Date | Detail |
| --- | --- | --- |
| Central Bank detection | Sunday, March 22, 6am | ~R$100 million diverted |
| BTG suspends Pix | Sunday, March 22 | Preventive measure |
| Service restoration begins | Monday, March 23 | R$73 million recovered |
| Unrecovered funds | Under investigation | R$20-40 million |

A pattern: R$800 million, R$710 million, now R$100 million

The BTG attack did not happen in isolation. Since 2025, Brazil's financial system has suffered at least three major Pix-related incidents, with total losses exceeding R$1.5 billion.

July 2025: C&M Software (R$800 million). Hackers breached C&M Software, a technology vendor serving more than 8 financial institutions. The attack resulted in the diversion of approximately R$800 million, the largest incident in the series.

September 2025: Sinqia (R$710 million). Technology provider Sinqia was targeted in an attack that diverted R$710 million: R$669 million associated with HSBC and R$41 million with credit society Artta. A significant portion was blocked by the Central Bank.

January 2026: Banco do Nordeste. The bank suspended Pix after a third-party vendor was compromised. It was the first such incident involving the institution since Pix launched.

The pattern is consistent: the attacks do not target the Pix system itself, but the internal systems of institutions and, critically, their third-party technology vendors. Outdated credentials, third-party access gaps, and internal governance failures are the entry points.
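The entry points named above (outdated credentials and third-party access gaps) can be checked for by reconciling a credential inventory against the vendor register. The following is an added example, not code from this article or from any institution it mentions; the inventory records, field names and the 90-day rotation policy are all assumptions.

```python
from datetime import date

# Constructed inventory: every record and field name here is hypothetical.
VENDORS = {
    "vendor-a": {"contract_end": None},                # active vendor
    "vendor-b": {"contract_end": date(2025, 6, 30)},   # former vendor
}
CREDENTIALS = [
    {"id": "settle-op-01", "owner": "vendor-a", "scope": "settlement",
     "last_rotated": date(2026, 2, 1), "enabled": True},
    {"id": "settle-op-02", "owner": "vendor-b", "scope": "settlement",
     "last_rotated": date(2024, 11, 15), "enabled": True},
    {"id": "report-ro-07", "owner": "vendor-b", "scope": "reporting",
     "last_rotated": date(2025, 1, 10), "enabled": False},
    {"id": "settle-op-03", "owner": "unknown-co", "scope": "settlement",
     "last_rotated": date(2026, 3, 1), "enabled": True},
]
MAX_AGE_DAYS = 90  # assumed rotation policy


def audit(credentials, vendors, today):
    """Return (credential id, sorted reasons) for each enabled credential that
    should be revoked or rotated, settlement-scoped ones first."""
    findings = []
    for cred in credentials:
        if not cred["enabled"]:
            continue  # already disabled, so it cannot be used
        reasons = []
        vendor = vendors.get(cred["owner"])
        if vendor is None:
            reasons.append("owner-not-in-vendor-register")
        elif vendor["contract_end"] and vendor["contract_end"] < today:
            reasons.append("vendor-offboarded")
        if (today - cred["last_rotated"]).days > MAX_AGE_DAYS:
            reasons.append("rotation-overdue")
        if reasons:
            findings.append((cred["id"], sorted(reasons), cred["scope"]))
    # Settlement credentials can move reserves, so they sort to the top.
    findings.sort(key=lambda f: (f[2] != "settlement", f[0]))
    return [(cid, reasons) for cid, reasons, _ in findings]


if __name__ == "__main__":
    for cid, reasons in audit(CREDENTIALS, VENDORS, date(2026, 3, 22)):
        print(cid, ", ".join(reasons))
```

A credential that is still enabled after its vendor's contract has ended is the case investigators are reported to be examining; the audit also surfaces credentials whose owner cannot be matched to any vendor at all.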

Warning

Since 2025, attacks on banking technology vendors have resulted in losses exceeding R$1.5 billion (approximately US$250 million). The weakest link is not Pix itself: it is the intermediary systems of participating institutions.

The Pix system itself was not compromised

This is the most important distinction: the Pix infrastructure, operated by Brazil's Central Bank, remains intact.

Pix works like a highway. Transfers travel along this highway securely, with end-to-end encryption, multi-layer authentication, and real-time monitoring by the Central Bank. What was compromised in every attack since 2025 were the "vehicles" traveling on that highway: the internal systems of banks and their vendors.

In BTG's case, the hackers did not break any Pix protocol. They obtained the credentials that the bank uses to operate within the system. It is analogous to cloning a car key rather than breaking through the road itself.

The Central Bank confirmed that the Instant Payment System (SPI) was not violated. What failed was the credential management of a participating institution.

For context, Pix processes over 200 million transactions daily across Brazil. The system's central architecture, maintained by the Central Bank, has never been directly breached since its launch in November 2020.

Info

The Central Bank monitors all Pix transactions in real time. It was this monitoring that detected BTG's atypical movements at 6am on Sunday, enabling rapid intervention.
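An institution can run a similar atypical-movement check on its own outbound transfers. The sketch below is an added example, not the Central Bank's logic or anything from this article: it flags an off-hours burst from one account to several institutions, the shape of the transfers described in the timeline. The sample records, account names, staffing hours and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfers: (time, source account, destination institution,
# amount in R$). Names and amounts are illustrative, not from the incident.
TRANSFERS = [
    ("2026-03-20T14:05", "settlement", "Bank A", 1_200_000),
    ("2026-03-22T05:41", "settlement", "Bank A", 4_000_000),
    ("2026-03-22T05:43", "settlement", "Bank B", 3_500_000),
    ("2026-03-22T05:44", "settlement", "Bank C", 5_000_000),
    ("2026-03-22T05:47", "settlement", "Bank D", 2_500_000),
    ("2026-03-22T05:52", "operating", "Bank A", 9_000),
]
WINDOW = timedelta(minutes=15)  # assumed thresholds; tune to your own baseline
MIN_DESTINATIONS = 3
MIN_TOTAL = 10_000_000


def off_hours(ts):
    """Weekend, or outside 08:00-20:00 on a weekday (assumed staffing hours)."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 20


def fan_out_alerts(transfers):
    """Flag off-hours bursts from one account to many institutions."""
    by_source = defaultdict(list)
    for ts, src, dest, amount in transfers:
        by_source[src].append((datetime.fromisoformat(ts), dest, amount))
    alerts = []
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most WINDOW.
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = [r for r in rows[start:end + 1] if off_hours(r[0])]
            dests = {d for _, d, _ in window}
            total = sum(a for _, _, a in window)
            if len(dests) >= MIN_DESTINATIONS and total >= MIN_TOTAL:
                alerts.append((src, rows[end][0].isoformat(), len(dests), total))
                break  # one alert per source is enough to trigger a hold
    return alerts
```

With the constructed data, the alert fires on the third Sunday-morning transfer, before the burst has finished; the Friday afternoon transfer and the small operating-account payment do not contribute.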

Crypto as the escape route

In every major attack since 2025, the stolen funds followed the same path: dispersion across multiple bank accounts, then conversion to cryptocurrencies.

The logic is straightforward. Bank transfers are traceable: every Pix transaction carries the sender's and receiver's tax identification number. Cryptocurrencies, while recorded on a blockchain, allow movements between pseudonymous wallets that make identifying ultimate beneficiaries significantly harder.

In the BTG attack, funds were dispersed across at least 7 different institutions before being partially converted to crypto. The Federal Police recovered R$73 million, but the portion converted to digital assets represents the most challenging part of the investigation.

This pattern is accelerating a debate already underway in Brazil: crypto regulation. The ability to trace crypto operations and identify end beneficiaries is central to law enforcement's capacity to respond effectively to financial cybercrime.

Protecting your money

The 2025 and 2026 attacks targeted institutional infrastructure, not individual accounts. But that does not mean personal precautions are unnecessary, especially for everyday Pix usage.

Set transfer limits. Every Brazilian bank allows you to adjust Pix limits per transaction and per time period. Reduce your nighttime limit (8pm to 6am) to a low amount or zero. Most physical attacks on individuals happen through coercion, and low limits reduce the potential damage.

Enable two-factor authentication (2FA). Use biometrics, tokens, or secondary device confirmation. Each additional authentication layer makes unauthorized access harder.

Use random Pix keys. Prefer random keys over those linked to your CPF (tax ID), email, or phone number. Keys tied to personal data make social engineering attempts easier.

Avoid public Wi-Fi for financial transactions. Open networks are known interception vectors. Use your mobile network or a trusted VPN.

Know the MED (Special Return Mechanism). If you fall victim to Pix fraud, you have up to 80 days to request a return through MED via your bank. The bank must notify the receiving institution within 30 minutes to freeze the funds. The faster you report, the higher your chances of recovery.

Tip

Set your nighttime Pix limit now. Most banks allow you to reduce it to R$0 between 8pm and 6am, with changes taking effect within 24 to 48 hours as a security measure.

What this means for investors

Financial system security directly concerns every investor. The 2025 and 2026 attacks did not compromise Pix as infrastructure, but they exposed the urgent need for financial institutions to invest continuously in cybersecurity, credential governance, and third-party vendor auditing.

For individual investors, the lesson is twofold: the central system is robust, but personal security depends on your own practices. Configured limits, strong authentication, and awareness of social engineering attempts remain your best defenses.

At Royal Binary, the security of investor funds is an operational priority. With operations managed by Sidnei Oliveira's team, drawing on over 6 years of financial market experience, and with full operational transparency (CNPJ 64.020.950/0001-60, Avenida Paulista 807, Sao Paulo, Brazil), our model is designed to mitigate risk at every stage.

Returns in the financial market are variable income. Past results do not guarantee future returns.

Tip

Want to understand how Royal Binary's managed trading works? Explore our plans and trading history at app.royalbinary.io.