
The person allegedly behind the largest fraud in the PIX instant payment system has been arrested by the Brazilian police. João Nazareno Roque, 48, an IT employee at C&M Software, was apprehended at his residence in São Paulo during an operation targeting those involved in the PIX fraud scheme.
Roque’s unethical actions in March led to the compromise of over 15 banks and fintechs, with C&M Software acting as the compromised intermediary that granted attackers indirect access to other financial institutions connected to PIX’s ecosystem.
He was at a bar in São Paulo when contacted by members of the criminal group responsible for breaching BPM, Bradesco, and Credsystem.
Bradesco is one of the country’s largest banks, while BPM and Credsystem operate in credit and payment processing services.
The presently unknown hackers offered Roque money in exchange for his system credentials. This insider breach allowed them to hack transaction pipelines without raising immediate suspicion as they used Roque’s account details.
Roque testified that he received two payments from them in March. The first was R$5,000, paid in cash and delivered by a motorcycle courier. In exchange, he handed over his corporate login credentials for C&M Software.
The second payment, R$10,000, was also delivered by courier; it paid for him to enter commands into the system from his own workstation on behalf of the criminal group.
“Two weeks later, he created an account on the Notion platform to receive instructions on how to operate the system remotely and then began executing commands from his own computer,” read a translated report by G1, a news media platform in Brazil.
There is no evidence of direct breaches of the Central Bank of Brazil or end-user accounts.
This social engineering attack, wherein an insider allegedly sold his access credentials to cybercriminals, resulted in the unauthorized transfer of approximately 540 million reais (around USD 100 million) via PIX.
Cybercriminals funneled the stolen funds through a network of accounts to evade detection and obscure the money trail.
A timeline of the events related to João Nazareno Roque and the PIX cyberattack:
This insider attack allowed the hackers to bypass traditional access control mechanisms and infiltrate payment processing databases and transaction orchestration systems without triggering security alerts, as all actions were executed using Roque’s legitimate credentials.
It is likely that while extracting sensitive data and initiating unauthorized monetary transfers, system audit logs and identity verification modules recorded the activity under Roque’s profile, mistakenly identifying him as a trusted internal user.
These credentials may have included not just his login details, but also privileged access tokens, API keys, database connection strings, or hardcoded service account passwords—any of which could grant attackers deeper control over PIX-linked transaction systems.
Roque worked as a building electrician and then shifted to cable TV installation. At age 42 he moved into technology studies, a career change that has drawn suspicion about the motive behind it.
In a social media post, Roque was found saying, “I am at an age where many expect to already be in C-level [leadership] positions, but I am here with a great desire to start over. With the sparkle in my eyes and the willingness of a young boy to give my best, as well as learn everything I can.”
After completing his education in 2023, he secured a job as a junior back-end developer. He later found a job at C&M Software. The incident involving Roque underscores the critical importance of comprehensive employee vetting and ongoing monitoring, especially for roles with access to sensitive financial systems.
It is not clear if Roque was influenced later by cybercriminals or if he joined a company such as C&M Software with prior intent; his fraud was short-lived.
To mitigate such risks, organizations should implement strict privileged access management (PAM) controls, enforce multi-factor authentication (MFA) for internal tools, deploy behavioral analytics and anomaly detection systems, and adopt insider threat monitoring platforms that can flag unusual access patterns, even when originating from verified user accounts.
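As an added illustration of that last point (example code, not C&M Software's or any party's in the article): a per-user behavioural baseline built from audit records, which flags an already-authenticated account when its actions depart from that user's own history in working hours, source host, action type or transfer size. The record format, usernames, hosts and threshold are assumptions.

```python
from datetime import datetime
# Constructed sample audit records: (timestamp, user, source_host, action, amount_brl);
# usernames, hosts, actions and amounts are invented for illustration.
BASELINE = [
    ("2025-02-03T10:12:00", "ops-user-7", "ws-dev-17", "deploy_patch", 0),
    ("2025-02-04T14:40:00", "ops-user-7", "ws-dev-17", "read_config", 0),
    ("2025-02-05T09:05:00", "ops-user-7", "ws-dev-17", "deploy_patch", 0),
]
NEW_EVENTS = [
    ("2025-03-12T11:00:00", "ops-user-7", "ws-dev-17", "read_config", 0),
    ("2025-03-13T02:17:00", "ops-user-7", "ws-dev-17", "init_transfer", 12_000_000),
    ("2025-03-13T02:19:00", "ops-user-7", "vpn-pool-4", "init_transfer", 8_500_000),
]

def build_profile(events):
    """Per user: hours seen active, known source hosts and known action types."""
    prof = {}
    for ts, user, host, action, _ in events:
        p = prof.setdefault(user, {"hours": [], "hosts": set(), "actions": set()})
        p["hours"].append(datetime.fromisoformat(ts).hour)
        p["hosts"].add(host)
        p["actions"].add(action)
    return prof

def score_event(profile, event, amount_threshold=1_000_000):
    """List how one event deviates from its user's baseline; [] means it looks normal."""
    ts, user, host, action, amount = event
    p = profile.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if not min(p["hours"]) <= hour <= max(p["hours"]):
        reasons.append(f"off-hours activity ({hour:02d}h)")
    if host not in p["hosts"]:
        reasons.append(f"new source host ({host})")
    if action not in p["actions"]:
        reasons.append(f"never-seen action ({action})")
    if amount >= amount_threshold:
        reasons.append(f"amount {amount:,} BRL at or above threshold")
    return reasons

def flag_events(baseline, events):
    """Map timestamp -> deviation list for every event that deviates at all."""
    profile = build_profile(baseline)
    return {e[0]: r for e in events if (r := score_event(profile, e))}
```

The point is that the credential check passes for every record here; only the comparison against the account's own history separates the routine config read from the two off-hours transfers.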