Following a USD 18 million hacking attack, BTG Pactual halts Pix operations temporarily.

dominic

BTG Pactual has halted all Pix operations following a cyberattack that resulted in the diversion of about USD 18 million from its Central Bank reserves.

The majority of the stolen funds have been recouped, but between USD 3,822,000 (BRL 20 million) and USD 7,644,000 (BRL 40 million) remain under investigation.

Atypical activity was identified on the morning of Sunday, March 22, 2026, leading to the activation of security measures that temporarily suspended Pix services. According to BTG Pactual’s statement, no customer accounts were compromised and no personal data was exposed. The stolen funds originated from reserves maintained by the institution at the Central Bank for instant payment transactions.

Background on the Incident

The attack is part of a pattern seen in recent significant breaches affecting the Pix ecosystem: each has targeted the settlement infrastructure rather than individual account holders. In July 2025, vulnerabilities in C&M Software were exploited to carry out what was then the largest recorded theft from the system—over USD 152 million (BRL 800 million)—with at least eight institutions impacted and three suspended by the Central Bank.

In January 2026, Banco do Nordeste also had to suspend Pix operations after an attack on a third-party provider. The extent of this incident is still being determined.

Following the C&M Software breach in July 2025, the Central Bank expanded its anomaly detection requirements for all Pix participants. While DetectaFlow, a system developed by Núclea, was deployed to address security risks posed by the near-instantaneous nature of the payment system, recent attacks suggest that real-time protection has yet to fully keep pace.

Implications for Governance and Oversight

The widespread impact on institutions like BTG Pactual highlights the operational disruption such cyberattacks can cause, even when they do not directly harm customers. The concentration of these attacks on settlement infrastructure raises questions about governance structures and auditing processes applied to this critical layer.

The frequent and large-scale incidents over the past year indicate a structural challenge for the Pix ecosystem: its speed, ubiquity, and real-time finality make it efficient but also vulnerable at an infrastructural level. There is growing scrutiny of whether the Central Bank will issue updated security guidelines for Pix participants, particularly focusing on third-party provider governance and settlement system auditing. Attention is also being paid to BTG Pactual’s timeline for restoring Pix services after full recovery of the stolen funds.
