:strip_icc()/i.s3.glbimg.com/v1/AUTH_da025474c0c44edd99332dddb09cabe8/internal_photos/bs/2022/A/e/0KyrvtTfKYAxvzAO39bA/programming-g369f66bd2-1920.jpg)
A new hacker attack against the financial system embezzled around R$25 million from a FictorPay customer last Sunday.
According to people with knowledge of the episode, in this case, the diversion affected the account of a fintech client, unlike the previous ones, in which the attack affected accounts that institutions maintained at the Central Bank.
FictorPay is a payment solution from Fictor, a holding and company management group, and offers financial services through Celcoin, in the banking as a service (a type of service outsourcing). According to interlocutors familiar with the matter, what is known so far is that criminals invaded the systems of Diletta Solution, a company that gives access to Celcoin systems to FictorPay users.
When contacted, Celcoin stated that there was no invasion, attack or compromise directly in its technological infrastructure or transactional environment. According to the company, an unusual movement was identified in a customer’s account, “readily detected” by the monitoring systems. Subsequently, operations were preventively blocked and the customer was alerted. “We continue to support the client in investigations and procedures for recovering values, maintaining direct contact with the competent authorities.”
Diletta and FictorPay have not yet responded to contacts.
The incident occurs after the BC tightened the rules for fintechs and for transfers via Pix and TED precisely due to the increase in criminal attacks on the system. The regulator imposed, for example, a limit of R$15,000 per transaction carried out by fintechs without a license from the BC or by institutions from all financial segments that use technology providers to access the agency’s systems.
It also determined that all institutions that do not yet have authorization must make a request to the authority by May 2026 and made a series of new demands on technology providers that mediate financial operations. The BC also created a dispute button for fraudulent operations on Pix and started blocking Pix keys and Pix keys marked by participating institutions as being used for scams and fraud.
