Hackers strike again despite tighter Central Bank rules | Markets

The attack, which primarily affected FictorPay, actually targeted the software company Diletta Solutions, according to information obtained by Valor. Other fintechs that are clients of Diletta were also affected, with total losses nearing R$40 million.

Sources familiar with the investigation say the criminals used a modus operandi similar to that of the July attack on C&M Software—the largest in the history of Brazil’s National Financial System (SFN)—by coercing or bribing a Diletta employee into handing over their passwords, a strategy known in hacking circles as “social engineering.”

Diletta confirmed it was the victim of a cyberattack and stated that it took all necessary measures once the incident was identified. “Diletta is cooperating with law enforcement authorities to assist in the investigation and identification of those responsible. The security of our clients is our top priority,” the company said, adding that no personal data was involved. Founded in 2016 by Israeli computer scientist Michel Cusnir, Diletta is headquartered in Campinas, São Paulo.

FictorPay said it had been notified of an “irregular activity” at a service provider that works with several companies. The fintech reported that the incident was being investigated with the help of information security specialists and that none of its own systems were compromised.

“The company understands the seriousness of the incident and reaffirms its commitment to the security and integrity of its clients’ and partners’ data,” FictorPay said in a statement.

The fintech uses banking as a service (BaaS) solutions from Celcoin, which denied any breach or compromise of its own infrastructure. “An unusual movement was detected in a client’s account by our monitoring systems. We immediately blocked operations and alerted the client,” Celcoin said.

Valor has learned that Celcoin noticed the suspicious transactions late Sunday afternoon and informed FictorPay. Because the fintech frequently processes large volumes, the attack was not detected right away, allowing around R$26 million to be stolen. The rest of the diverted funds are believed to have passed through other BaaS providers.

Until last month, Celcoin connected to the Pix system via a technology service provider (PSTI). After the Central Bank introduced stricter rules for such participants, Celcoin began connecting directly.

The new rules set a R$15,000 limit per transaction for institutions that access Pix through PSTIs. However, since Celcoin now connects directly, that limit did not apply in the Diletta case. “In this setup, the BaaS provider—Celcoin, in this case—is responsible for compliance and customer onboarding, but application-level security rests with the fintech that manages the end-user relationship,” one source explained.

Another key difference is that, while earlier attacks affected reserve accounts held at the Central Bank, this time the stolen funds belonged to clients, and it remains unclear whether they will be reimbursed.

According to Marco Zanini, CEO of Dinamo Networks and a digital security expert, the hackers likely installed an extra layer in Diletta’s API, allowing them to intercept calls between the fintechs and their core banking systems. “To the BaaS provider, the operation command looks entirely legitimate. The regulator recently imposed new rules for PSTIs, but the explosion of banking apps has left APIs exposed. You can strengthen authentication and security protocols—but that adds cost,” Mr. Zanini said.

Ricardo Higashitani, a partner at the Felsberg Advogados law firm specializing in banking and capital markets, noted that the Central Bank faces a dilemma: tightening regulations to ensure trust without hindering smaller fintechs’ access to the system. “If you raise the regulatory bar too high, you restrict access. But perhaps stricter standards are needed to mitigate IT-related risks. Criminals are creative and always find new loopholes,” he said.