Portuguese 
English 
Spanish 
4 min of reading 
0 comments 
Hacker Attack on Fintech FictorPay Causes Loss of R$ 26 Million; App Failure Allowed 280 Transfers via Pix and Exposed Weakness in Third-Party Systems.
On the evening of Sunday, October 19, 2025, the Brazilian financial sector was surprised by one of the largest hacker attacks of the year. The fintech FictorPay, controlled by the holding company Fictor, suffered a cyber invasion that resulted in the theft of approximately R$ 26 million. The criminal action began around 6 PM and lasted only a few hours, enough time for the invaders to exploit a flaw in the system and make at least 280 Pix transactions to 270 dummy accounts spread across different financial institutions.
According to information confirmed by the company and reported by specialized media, the attack originated from a security breach in a white label application developed by a partner company of the fintech. The vulnerability allowed the hackers to access authentication credentials and make unauthorized withdrawals directly from corporate accounts linked to FictorPay.
A Breach That Cost Millions via Pix
The invasion did not directly target the internal systems of FictorPay, but rather the service provider responsible for the transaction application. From that point on, the criminals managed to intercept communications and transfer funds in series, in an automated manner, without fraud alerts being triggered in time.
-
“No one will make us change the Pix,” says Lula after the US report.
-
Lula responds directly to Trump and says that Pix is from Brazil and will not change under pressure from anyone, after a report from the United States pointed out the Brazilian payment system as an American trade barrier.
-
Amazon has just announced a new fee on all deliveries, and your online purchases will become more expensive starting April 17, including for those buying from the United States here in Brazil.
-
He sold his share for R$ 4 thousand, saw the company become a giant worth R$ 19 trillion, and missed the opportunity of a lifetime.
According to initial investigations, the hackers used automated software to carry out dozens of simultaneous Pix transfers, moving the funds to newly created accounts in digital banks and smaller fintechs.
The transactions were made in blocks of average amounts between R$ 50,000 and R$ 200,000, configuring a planned and professionally executed attack.
Cybersecurity experts interviewed by the press pointed out that the use of gaps in third-party applications is one of the main vulnerabilities faced by companies in the financial sector. The FictorPay case serves as a warning for other institutions that use third-party systems integrated into their digital environment.
The Dimension of the Company and the Impact of the Attack
Founded in 2007, the holding company Fictor operates in financial services, food industry, and infrastructure, and employs over 4,000 employees.
The company reported revenue of R$ 3.5 billion in 2024 and projects to reach R$ 5 billion in 2025, driven by the growth of FictorPay, its main front in the digital financial sector.
The theft of R$ 26 million represents a small fraction of the company’s revenue, but it had a significant symbolic and reputational impact.
In a statement to the press, FictorPay stated that it had informed the competent authorities, including the Federal Police and the Central Bank, and assured that customers were not directly affected, as the loss impacted the company’s own resources.
Investigations and Tracking of Funds
The investigations are being conducted by the Federal Police along with the National Data Protection Authority (ANPD) and the Cybercrime Combat Unit of Cyber Crimes.
Sources linked to the investigation reported that part of the transfers has already been traced to accounts in different Brazilian states, as well as indications of movements attempting to disguise the funds in cryptocurrency exchanges.
The Central Bank is also monitoring the case, since the operation involved the misuse of the Pix infrastructure, which security is shared responsibility among participating financial institutions.
Although the system is considered secure, the case reinforces that failures in the integration of private platforms still represent a weak point.
Experts Warn: The Weakest Link Is Still Third-Party Software
For digital security analysts, the case of FictorPay is further evidence that the growth of fintechs needs to be accompanied by technical rigor in technological partnerships.
White label solutions, while speeding up launches and reducing costs, can open critical gaps if not periodically audited.
According to cybersecurity consultant Rafael Lourenço, “the integration of external systems with digital wallets is today the main risk vector in the financial market. The attacks are becoming more sophisticated, and criminals are aware of the weak points in cloud environments.”
FictorPay confirmed that it has reinforced its security measures and is reevaluating contracts with suppliers to avoid similar incidents.
The Warning for the Future of the Financial Sector
The attack on FictorPay is added to the list of the biggest digital scams ever recorded in the Brazilian financial system in 2025.
Although Pix is one of the safest payment methods in the world, the case shows that the vulnerability is not in the system itself, but in the structure of the companies that use it.
The escalation of cyber crimes in the country reinforces the need for stricter auditing and encryption policies for banks, cooperatives, and fintechs.
In the end, the lesson is clear: the more digital the money is, the more strategic the care for security must be.
Seja o primeiro a reagir!