Nubank proactively addressed the issue and said that the reports are in fact false: they are just scams in which cybercriminals use their own keys to earn money. You can find more details here: https://blog.nubank.com.br/bug-do-pix-em-dobro-cuidado-com-esse-golpe/
Superdigital, on the other hand, went offline for security fixes and made a statement on its social networks, which may indicate a real problem in this case:
A supposed vulnerability in Superdigital, Santander's digital bank, allowed cybercriminals to move an amount in the millions during the early hours of Saturday (16). Specific details about the flaw are still lacking, but images and videos prove that carders have even managed to withdraw money via the flaw.
TecMundo got in touch with Santander earlier today (16). However, due to the large volume of images and videos circulating on social networks (such as Twitter and YouTube), it was decided to publish this report as an alert to customers before receiving a statement.
It is possible to follow cybercriminals making withdrawals at 24-hour ATMs
Details about the flaw and about how the scam is carried out will not be released until the vulnerability is resolved. However, in the images below, it is possible to see cybercriminals making withdrawals at 24-hour ATMs and to note balances of more than R$ 270 thousand. According to a source who declined to be identified, Saturday morning became a real party for carders.