South African brothers allegedly steal R54bn in biggest crypto scam ever

Published by
By Ciaran Ryan

While hundreds of thousands of investors were scrambling to find out what happened to funds they had invested in failed crypto scam Mirror Trading International (MTI), a far bigger crypto disappearing act was playing out without hardly anyone paying attention.

Late last year, (MTI) went belly up after its CEO, Johann Steynberg, fled the country with billions in bitcoin.

Steynberg apparently left the country on 3 December 2020 and hasn’t been seen since.

Africrypt, which reportedly counts several high profile South Africans and celebrities among its investors, was hacked on or about April 13.

A staggering $3.6 billion (roughly R54 billion) was swiped out of multiple wallets controlled by directors of the company in a matter of hours.

This is according to an analysis, conducted by Hanekom Attorneys, of blockchain transactions involving wallets controlled by Africrypt.

The “hack” is deemed extremely suspicious by investigators, not least because the two founders of Africrypt – Raees and Ameer Cajee – reportedly disappeared to the UK within days of this happening.

Though the investigation is still ongoing with multiple regulatory authorities now looking into it, this may turn out to be one of the biggest financial scandals in SA’s history. Not quite Steinhoff-scale, but way larger than MTI.

The reason Africrypt attracted such little public attention was that clients were asked not to alert authorities as this would frustrate the recovery of assets from the hackers. That, according to Hanekom Attorneys, which represents several Africrypt clients, allowed the perpetrators time to make good their escape with crypto worth more than R50 billion.

It begs the question: how did a low-key crypto company with a trading history of little less than two years end up with crypto assets of nearly R50 billion (nearly five times the size of MTI)?

Darren Hanekom of Hanekom Attorneys believes it is unlikely all these funds came from South Africans, saying it was more likely a money laundering operation for international players, of which the Cajees were just a part.

Also suspicious is the fact that clients were requested to sign an investment agreement with Hong Kong-based RaeCreateWealth Limited, which limited the liability of the company for virtually any kind of loss. The agreement is so weighted in favour of RaeCreateWealth Limited that it exonerates it from any hacks – but this contractual limitation of liability does not apply where a crime has been committed.

Not good for SA’s reputation

Whether this was an international money laundering operation or not, the case does little to enhance SA’s reputation as a safe haven financial centre, coming so soon after the collapse of MTI, and brings urgency to the growing clamour for crypto regulations.

Some clients are known to have invested R1.5 million, with a few as much as R15 million and R20 million.

While some Africrypt clients are known to have been paid commissions for referring new clients, it does not appear to have been a multi-level marketing scheme (unlike MTI).

The real success of the company was its ability to scout for clients among a relatively limited pool of high-net-worth investors who knew each other.

While MTI was offering returns of up to 10% a month using a trading bot, Africrypt’s sales pitch was even more outrageous, with some clients being promised 10% a day, also using a computerised algorithm. Clients were invited to choose between a conservative, moderate and aggressive investment approach.

In an investor presentation, Africrypt boasted returns of 2-11% a month depending on whether you chose a passive, passive-aggressive or aggressive portfolio. In the 20 months to August 2020, there was not a single losing month.

The results were so mouthwatering that it was treated as something of a secret among the inner circle admitted to this exclusive club.

Hanekom says Africrypt bore all the hallmarks of a scam, with the Cajees posting pictures of their luxury cars and boasting on social media about their extensive experience in cryptos: “Whilst we are aware of the many opportunities available for young people in the cryptocurrency space, we were suspicious of the claims that over 100 000 Ethereum coins were mined from home-based computer systems. Given South Africa’s high electricity costs, and unstable power generating capabilities, we found this claim particularly difficult to accept.”

By way of comparison, Toronto Stock Exchange-listed Hive Blockchain Technologies, a professional crypto mining firm, mined just 71 660 Ethereum coins in 2020.

In an investor presentation, 21-year old Raees Cajee – the founder and CEO – says he first learned of bitcoin in 2009 while watching the news with his father “and ever since he was hooked”. Raees would have been about eight at the time. He apparently started mining Ethereum while still at school and was “soon building his own Artificial Intelligence models which developed into an AI driven trading system,” according to the presentation.

“It was this dynamic and innovative trading system that has fuelled Africrypt’s astronomical growth from a one-man operation running out of a bedroom to, to one of Africa’s largest and most successful AI trading companies in only a few years.”

Hanekom Attorneys has notified crypto exchanges around the world in the hope of intercepting any of the addresses and crypto marked as suspicious should they be presented for sale.

The matter has been reported to the Financial Sector Conduct Authority (FSCA), the Hawks and the SA Reserve Bank.

“This was different to MTI in one crucial respect,” says Hanekom. “In the case of MTI, clients were required to purchase bitcoin on a local exchange and ship it to an MTI bitcoin wallet.

“In the case of Africrypt, they were required to deposit funds into an FNB account which would then be used to purchase bitcoin, often on Luno. That bitcoin would then be broken up and mixed with other transactions to disguise the source.”

A Companies and Intellectual Property Commission (CIPC) database search shows Africrypt (Pty) Ltd was registered in July 2019, with two active directors: Raees Cajee and Niranjan Patel. The company’s address is listed as 49 Glenhove Road, Melrose in Johannesburg, shown below.

Africyrpt HQ in Melrose, Johannesburg

Source: Google Maps

Two other companies bearing similar names were later registered: Africrypt Investments was registered in January 2020, and Africrypt OTC in March 2021. None of these companies are listed as having auditors.

According to a report by Hanekom Attorneys: “R54 billion has been transferred from its South African account(s) through bitcoin on the blockchain, and has regrettably, now been dissipated in its entirety. Whilst we are still in the process of investigating the transfer of funds, with transactions on the blockchain being active up and until even date, upon an initial reconciliation, it seems that the funds were subjected to various dark web tumblers and mixers, resulting in severe fragmentation.”

One reason the ‘hack’ is extremely suspicious, says Hanekom, is that one of the addresses used by the so-called hackers was used for a normal crypto transaction prior to the hack.

This points to an inside job.

On April 13, chief operating officer Ameer Cajee sent the following message to clients:

Dear Client,

We regret to inform you that due to the recent breach in our system, client accounts, client wallets and nodes were all compromised. At this point it is unknown to us the extent of personal client information breached during the attack.

Unfortunately, this has forced Africrypt to halt operations. We have begun the process of attempting to retrieve stolen funds and compromised information. Our number one priority is retrieving the funds as speedily as possible, however, this process is very wary and will take a substantial amount of time to complete, if successful. Furthermore, we have begun a full system audit to determine the extent of the breach.

We urge all clients to please be patient as we attempt to resolve the situation at hand. It is understandable that clients may proceed the legal route, but we ask clients to please acknowledge that this will only delay the recovery process.

Clients will be kept updated on progress made in the recovery process and with any information regarding the parties involved in orchestrating the attack on our systems.

The company’s website has since gone offline and all further communications have ceased.

Says Hanekom: “This is many times bigger than MTI and in many ways more clever in the way it was set up and executed.

“Imagine making R54 billion disappear within 24 hours.”

He adds: “Our further analysis of the blockchain links the flow of cryptocurrency transactions to certain large local exchanges. We trust that these exchanges will be open to disclosing information relating to wallets used by Africrypt or their proxies.”

Brandon Topham, head of enforcement at the FSCA, says: “We don’t have jurisdiction but we are looking at complaints to see if there is a financial product hidden in there.”

Republished from Moneyweb with permission

For more news your way

Download our app and read this and other great stories on the move. Available for Android and iOS.

Published by
By Ciaran Ryan
Read more on these topics: business newsEditor’s Choice