BTG Pactual has suspended all Pix operations after a cyberattack diverted approximately USD 18 million from the bank's Central Bank reserves.
The bank states that most of the diverted amount has been recovered, though between USD 3.822.000 (BRL 20 million) and USD 7.644.000 (BRL 40 million) remains under investigation.
The bank identified atypical activity on the morning of Sunday, 22 March 2026, and activated security protocols that led to the preventive suspension of Pix services. According to a statement issued by BTG Pactual, no customer accounts were accessed and no account holder data was exposed. The funds diverted were not sourced from individual client accounts but from reserves maintained by the institution at the Central Bank for the settlement of instant payment transactions. The Central Bank of Brazil had not issued an official comment at the time of publication.
The incident is the third significant attack on the Pix ecosystem in under a year, and each follows a recognisable pattern: rather than targeting individual account holders, attackers have focused on the settlement infrastructure connecting financial institutions to the payment system. In July 2025, vulnerabilities in C&M Software were exploited in what became the largest recorded attack on the system to date. More than USD 152 million (BRL 800 million) was embezzled, at least eight institutions were affected, and the Central Bank suspended three participants. In January 2026, Banco do Nordeste suspended Pix operations following a separate attack on a third-party provider, with the full extent of the impact still under investigation at the time.
Following the July 2025 C&M Software incident, the Central Bank of Brazil expanded its anomaly detection requirements to all Pix participants. A system called DetectaFlow, developed by Núclea had already been deployed to address security risks created by the near-instantaneous nature of the payment system, though the recent sequence of attacks suggests real-time protection mechanisms have not kept pace with the methods employed.
Implications for Pix governance and oversight
For institutions of BTG Pactual's scale, suspension of Pix generates substantial operational disruption and reputational pressure, even where no direct harm to customers has occurred. The concentration of attacks on the settlement layer raises questions about the governance frameworks governing these intermediaries and the audit processes applied to settlement systems.
The frequency and scale of incidents over the past year point to a structural challenge for the Pix ecosystem: the same attributes that make it operationally efficient, namely speed, ubiquity, and real-time finality, also create systemic vulnerabilities at the infrastructure level. Industry observers are monitoring whether the Central Bank of Brazil will issue updated security requirements for Pix participants, with particular attention to third-party provider governance and settlement system auditing. The confirmation of full recovery of the diverted funds and the timeline for BTG Pactual's restoration of Pix services are also being closely watched.
