Hackers penetrated BTG Pactual's internal systems on Sunday, March 22, diverting approximately R$100 million from the bank's settlement reserves held at the Banco Central do Brasil. The central bank's automated monitoring systems detected atypical movements in BTG's accounts at approximately 6 AM, triggering security protocols that led to the immediate preventive suspension of all PIX operations at the institution.
The diverted funds were not taken from individual customer accounts but from institutional reserves that BTG maintains at the central bank for settling instant payment transactions. According to Metrópoles, the attackers dispersed the stolen funds across accounts at seven financial institutions, including Banco Inter, Banco do Brasil, Bradesco, Caixa Econômica Federal, PicPay, Itaú, and Mercado Pago, before converting portions into cryptocurrency.
BTG Pactual confirmed it recovered approximately R$73 million of the diverted amount, with between R$20 million and R$40 million still under investigation. The bank restored PIX operations on Monday, March 23, stating that no customer accounts were accessed and no personal data was exposed during the incident. Brazil's Federal Police launched an investigation into the attack.
The Banco Central do Brasil confirmed that PIX infrastructure and its own systems remained uncompromised throughout the event. The vulnerability was internal to BTG Pactual, and the central bank's monitoring capabilities were instrumental in the early detection that limited losses.
This incident marks the third significant PIX-ecosystem fund diversion in under twelve months. In mid-2025, an attack on technology provider C&M Software resulted in more than R$800 million being diverted from fintechs and mid-sized banks connected to PIX. A separate attack on financial technology firm Sinqia in September 2025 diverted approximately R$710 million. In each case, the attackers targeted institutional settlement infrastructure rather than individual PIX users or the payment system's core architecture.
The recurring pattern of attacks against settlement reserves reveals an evolving threat profile for instant payment ecosystems globally. While PIX transactions remain secure for end users, the institutions holding concentrated settlement balances at the central bank present high-value targets for well-organized threat actors who exploit internal system weaknesses to access these pools of funds.
The Banco Central do Brasil (BCB) had implemented new cybersecurity requirements for PIX and STR environments with a full compliance deadline of March 1, 2026, under Resolution 541 and CMN Resolution 5,201. The requirements mandate multiple authentication factors for administrative access, physical and logical isolation of PIX environments from other systems, and enhanced credential and certificate monitoring. The BTG Pactual attack occurred just three weeks after these requirements became enforceable, raising questions about the pace of implementation across the roughly 930 institutions participating in the PIX ecosystem.