In brief:

  • R$ 30 million ($5 million) was stolen from a bank account in Brazil.
  • Investigators were confused as to how the theft happened.
  • It was almost as though one corporate account stole the money from another corporate account.

An online bank heist swindled R$ 30 million ($5 million) from an account of steel manufacturer Gerdau at Santander bank last month. The money was sent to buy Bitcoin in the Brazilian market, but was stopped by local crypto exchanges.

According to the police report, filed on April 20 and provided to Portal do Bitcoin, the Spanish bank asked the public prosecutor to open an investigation into aggravated theft in Porto Alegre.


The document shows that on April 16, Gerdau notified Santander of the problem. According to an internal investigation, financial irregularities were noticed that were later traced to an attack on the steel manufacturer's Internet bank account. Then, 11 Electronic Fund Transfers were carried out at different locations.

The heist stumps investigators

The amounts were transferred to the bank accounts of four companies located in São Paulo, Rio Grande do Sul and Rondônia. Santander monitored the movement of the money, which ended up arriving in Brazilian over-the-counter trading desks.

However, this was not a simple hack.

The transfers were not made from a Gerdau account login. The debit was made by another company, Mundial Illumination, also an account holder, located in the metropolitan region of Porto Alegre.

Through Mundial's internet banking system, the fraudsters were able to program and carry out trades on electronic trading funds (ETFs). At the end of the operation, the system's internal channel coding was manipulated to help move the money. However, the money did not leave the account of the company that was logged in, Mundial. It left Gerdau's account instead.

"It is as if a corporate bank account had invaded another corporate bank account for the order to debit the bank," says the investigation sent to the Public Prosecutor.

According to the internal investigation, all transactions were made from the same IP address. The fraud had been planned since the previous week. Six days before the fraud, Santander blocked a Mundial Illumination transaction because it exceeded the typical transaction limit—a common security procedure.

A bank manager contacted the bank and requested that the transaction limit be lifted. This meant that high-value transactions could now be made.

Swapping the stolen money for Bitcoin

Although not included in Santander's internal investigation, the stolen money was apparently used to try and buy Bitcoin through over-the-counter traders (who buy and sell large amounts of Bitcoin) in the Brazilian market.

In conversations with eight people involved in the case, Portal do Bitcoin found that those responsible for the hack tried to buy R$ 30 million ($5 million) in cryptocurrencies, which triggered a storm of bank account blockages wherever the money went.

Any exchange that received a fraction of the money stolen from Santander swiftly blocked the funds.

It was not possible to confirm how much Bitcoin was given to the scammers, since the amounts differ among the people consulted—from R$ 3.5 million ($600,000) to R$ 15 million ($2.5 million).

“As it was a very high amount, of R$ 5 million [$900,000], we asked for a bank statement from the original account. When we realized that the money we received had entered the original account on the same day, we blocked the operation. Immediately, the customer started to pressure me to send the Bitcoin, but I didn't. A short time later, the bank blocked my account,” said the owner of an OTC trading desk, who asked not to be identified.

It is possible some of the funds were sent through other peer-to-peer exchanges.

Asked about the case by Portal do Bitcoin, Santander and Gerdau declined to comment.

[This story was originally published on PortaldoBitcoin.com, and is shared by arrangement with that site. It has been edited to conform with Decrypt's style.]