A leading Brazilian fintech company has revealed details of a cyber-attack in which threat actors attempted to steal 710 million reals ($130m) from two banking customers.
Evertec subsidiary Sinqia provides software to connect financial institutions in the country to the central bank’s popular Pix instant payments system.
However, on August 29 it identified unauthorized activity in its Pix environment, the firm said in an SEC filing.
“The unauthorized activity is related to business-to-business financial transactions involving two financial institutions that are customers of Sinqia’s Pix transaction processing services,” it explained.
“The company believes that approximately R$710m in unauthorized transactions affecting those two Sinqia customers were processed through Sinqia’s Pix environment on August 29, 2025. The company has been informed that a portion of that amount has been recovered and additional recovery efforts are ongoing.”
Sinqia added that the unauthorized transactions were made possible after threat actors were able to use compromised credentials from one of Sinqia’s “IT vendors.”
The two financial institutions affected were HSBC and Artta, according to a notice on the latter’s website.
Sinqia has terminated access to the compromised credentials, and the affected parties are currently awaiting a decision on when Pix and Brazilian Payments System (SPB) services will be allowed to restart.
Sinqia said that, on detecting the unauthorized activity, its incident response processes kicked in immediately and it halted Pix transaction processing before calling in forensic experts.
“Subsequently, the BCB informed Sinqia that it would not be permitted to resume processing transactions in the SPB and Pix until the BCB reviews and approves the actions taken,” its SEC filing added.
“Sinqia communicated promptly with federal and state law enforcement authorities in Brazil and the financial institution customers using its Pix environment.”
No data is believed to have been stolen in the raid.
Another Example of High-Stakes Credential Theft
Although the identity of the culprit is unclear, the attack appears relatively unsophisticated. However, it’s yet another example of the security risks associated with static passwords.
A Mandiant report from April revealed that use of stolen credentials for initial access accounted for 16% of incidents in 2024, up from 10% the previous year. That made it the second most popular method, after vulnerability exploitation.
Verizon’s DBIR puts the figure at 22%, although this relates specifically to data breaches.
The use of stolen credentials as a tactic for initial access and lateral movement is being fueled by an infostealer epidemic. Some 1.8 billion credentials were stolen in the first half of 2025, an 800% increase compared to the previous six months, according to Flashpoint.