Banco do Nordeste (BNB) disclosed a R$146.6 million loss from a January 2026 cyberattack in its first-quarter financial results, published May 13. The attack exploited a vulnerability in a third-party technology service provider and drained funds from a settlement sweep account used in PIX transaction processing. BNB suspended PIX operations on January 26 and restored service three days later, and confirmed that no customer data was leaked and no individual accounts were compromised.

The BNB loss brings confirmed institutional PIX settlement attack losses to R$1.76 billion across four incidents in 12 months: C&M Software (approximately R$800 million diverted from fintechs and mid-sized banks, mid-2025), Sinqia (R$710 million including HSBC-related funds, September 2025), BTG Pactual (R$100 million from Central Bank reserves, March 2026), and now BNB. All four attacks followed the same pattern: criminals compromised technology service providers connected to the PIX settlement infrastructure rather than attacking PIX core systems directly.

Marcelo Alves de Souza, coordinator of the Fraud Prevention Commission at the Brazilian Banking Association (ABBC), confirmed that Brazil's financial system recorded 12 cyberattacks related to the PIX ecosystem in the first four months of 2026 alone. In response, Law 15,397/2026 (sanctioned April 30) criminalizes for the first time the lending of bank accounts for illicit fund transit, carrying penalties of four to eight years' imprisonment. BCB Resolution 559 (published April 23) strengthens participant oversight with mandatory CVM-registered independent audits and a new exclusion criterion for institutions without an active SPI connection for more than 90 consecutive days.