Brazilian heist highlights real-time payment fraud concerns

• How it happened: Hackers exploited stolen credentials from an IT vendor.
• Recovery efforts: Brazil's central bank blocked part of the transaction and working to recover the rest
• Similar systems: Meanwhile, in the U.S., real-time payment systems have so far seen minimal fraud.

Overview bullets generated by AI with editorial review

A cyberattack last week that exploited stolen credentials targeted the Brazilian real-time payment system Pix and diverted hundreds of millions of dollars, highlighting the risk of fraud losses inherent in real-time payment infrastructures, and the cybersecurity risks of third parties.

The incident primarily affected two financial institutions that operate in Brazil, HSBC and Artta. The threat actor, which has not been publicly identified, exploited legitimate credentials of an IT provider to third-party technology provider Sinqia, a Brazilian company that connects financial institutions to the central bank's real-time payments system.

A regulatory filing in the U.S. by Evertec, Sinqia's parent company, reported that approximately R$710 million (roughly $130 million U.S. dollars) in unauthorized business-to-business transactions were processed through Sinqia's Pix environment on Friday and that the incident was limited to that system.

The company said "a portion" of the R$710 million has been recovered and "additional recovery efforts are ongoing," according to the filing.

Brazilian media outlet g1 reported that the Brazilian Central Bank blocked R$350 million in fraudulent transactions and that it was working to recover the remaining funds amid an investigation by the country's federal police.

Both HSBC and Artta said that customer accounts and funds were unaffected.

"HSBC reaffirms its commitment to data security and remains available to assist authorities with their investigations," the multinational said.

"Protecting our customers' funds is Artta's top priority," the Brazilian bank said. "We remain in direct contact with Sinqia and the central bank to ensure full resumption of services as quickly as possible."

Evertec attributed the unauthorized transactions to the "exploitation of legitimate Sinqia IT vendors' credentials," which they have since terminated.

The incident Friday follows another large-scale attack in July where hackers diverted nearly R$1 billion (roughly $180 million USD) by exploiting vulnerabilities in C&M Software, a technology provider for banks. Currently, no evidence suggests a correlation between the two attacks.

It also follows an announcement by the Brazilian Central Bank about enhancements to Pix's security mechanisms aimed at improving the return of funds to fraud victims. These changes, which will become mandatory in February, enable the Pix refund mechanism to identify the paths of diverted funds and facilitate refunds within 11 days of a dispute.

Also, starting in October, participating institutions will provide a self-service function within their Pix applications for users to easily dispute transactions without human interaction.

U.S. real-time payments fraud has been minimal, so far

The Brazilian Pix heist suggests fraud losses would be a critical challenge for financial institutions embracing real-time payment systems globally, including the FedNow service and The Clearing House's RTP network in the United States.

While real-time payments revolutionize access to funds, their irrevocable nature and rapid processing complicate fraud loss recovery.

However, to date, U.S. financial institutions appear to have a firm handle on fraud in the space, especially compared to alternatives such as paper checks, which have become magnets for fraud even as their overall use declines.

A report released last month in collaboration with The Clearing House indicates that, in April 2025, out of 35 million transactions on the RTP network, there were only 123 instances of reported fraud. That's a rate of one report of fraud for every 300,000 transactions.

For comparison, data from the Federal Reserve Payments Study and the Financial Crimes Enforcement Network indicate that, for every 32,000 check transactions in 2021, there was one suspicious activity report, or SAR, related to check fraud. That is nearly 10 times the reported fraud rate of the RTP network.

This is based on 11.2 billion check transactions in the U.S. that year, according to the Federal Reserve Payments Study, and 350,373 SARs about check fraud, according to the Financial Crimes Enforcement network.

The Federal Reserve has not released statistics about fraud on FedNow. However, Nick Stanescu, chief FedNow executive, said in a Q&A posted in June on the FedNow website that customers of the service "have seen very little evidence of fraud on the FedNow network to date."

While the two fraud rates are not directly comparable because of differences in methodology and reporting factors, their large difference — and the increasing number of check fraud reports in the intervening four years — suggest real-time payments are far less prone to fraud than checks.

While fraud in real-time payments in the U.S. appears to be well under control so far, the Brazilian incident serves as a stark reminder about the consequences of failing to stay ahead of criminal tactics. It also highlights the need to continuously evaluate and strengthen security protocols as real-time payments rapidly grow in prevalence, particularly when such transactions rely on third-party providers.