There are several aspects to the Africrypt “hack” — reckoned to have lost R43-billion — that have caught the attention of law enforcement authorities across the globe.
The first is the size of the reported theft at US$2.9-billion (or about R43-billion). It’s a figure so eye-poppingly huge that many have questioned whether this volume of money could have come out of South Africa.
The other aspect of the theft that has law enforcement on high alert is whether this was the result of a hack — as claimed by Raees and Ameer Cajee, the two brothers behind Africrypt — or whether it was an inside job. The Cajees fled South Africa, apparently in fear of their lives after receiving death threats immediately after the alleged hack.
The man who has a better understanding than most of what happened is Hamilton Cheong, a South African-born forensic sleuth now based in the US, who has spent the last few weeks assisting law enforcement agencies around the world to unpack what happened to the Africrypt billions.
Cheong’s company, Crypto Investigation Bureau (CIB), helps governments and organisations secure their digital assets against modern-day threats coming from ransomware and organised crime. It has developed a blockchain track-and-trace programme called “God’s View” to hunt down missing digital assets, and it was this programme that was used to piece together the movement of funds into and out of Africrypt wallets.
The blockchain is a detailed and immutable ledger of all bitcoin transactions, and is open to public scrutiny. The problem is linking bitcoin addresses with real-world people and organisations, though that is becoming easier through the use of software tools like God’s View, which made it possible to track every bitcoin moving into and out of Africrypt-controlled wallets.
Cheong says the evidence does not support the story of a hack originating out of Ukraine, as claimed by Raees Cajee in an affidavit before the high court seeking to stop the final liquidation of Africrypt. Under Cajee’s version of events, on 13 April hackers from Ukraine smashed through several layers of security to make off with more than R50-billion in crypto assets.
“We don’t think this is possible,” says Cheong, a certified crypto and blockchain investigator. “If this is true, the hackers would have broken through several security layers in a matter of minutes to get to the crypto, and that is extremely unlikely. We don’t think this was a hack. One reason we say this is that four months before the alleged hack, funds were being depleted out of wallets under the control of Africrypt.”
Raees Cajee claims in his affidavit that the extent of funds under Africrypt control was closer to $6-million (R88.5-million) than the R54-billion claimed by attorney Darren Hanekom of Hanekom Attorneys, who is representing several Africrypt clients. Even that low figure of $6-million is disputed, as claims totalling around R200-million in South Africa have been mounted against Africrypt. (Raees Cajee could not be reached by phone for comment.)
Cheong says Hanekom’s claim of R43-billion is closer to the truth, and hints that the actual figure could be higher – much higher – once all the wallets used by Africrypt are totalled up.
By painstakingly piecing together the web of transactions into and out of wallets used by Africrypt, Cheong hints that some of these wallets are used by operators known for ransomware attacks on businesses and by dark Web operatives.
“I don’t buy the hack story, and I think the Cajees were in over their heads and perhaps got mixed up with some really bad people,” says Cheong. A better picture of what occurred awaits the release of a full forensic report by Cheong’s team.
Astonishingly, he says there are some disturbing tie-ins between Africrypt and Mirror Trading International (MTI), the crypto scam headed by CEO Johann Steynberg that roped in more than 23 000 bitcoins from hundreds of thousands of investors around the world. MTI is currently in provisional liquidation, and Steynberg remains at large, having gone Awol in December 2020 when MTI members’ requests for withdrawals went unanswered. Some of the same “tumblers” used by Africrypt were also used by MTI, says Cheong.
Tumblers are used by money launderers to hide the origin of funds by effectively creating an omelette out of several bitcoin eggs. Bitcoins from several sources are mixed and broken up in these tumblers and then shipped out, usually in small quantities, to cover the tracks of the money launderers.
Cheong dedicated hundreds of hours of his own and his team’s time to unravelling the Africrypt web because he had the resources and tools to do it. He also has a deep sense of patriotism. Africa is home, he says, but South Africa is earning a reputation internationally as a haven for dodgy crypto ventures.
MTI was rated by Chainalysis as the world’s biggest crypto scam of 2020, but it pales alongside what appears to have been stolen out of Africrypt-linked wallets. Says Cheong: “We must assume the Cajee brothers are innocent until proven guilty. My question to them is why have they not commissioned an incident report by professionals to clear their names, instead of running? If they are willing to provide CIB with their full app and source code, we would love to help.”
Cheong says he grew up in a troubled family and ended up homeless in South Africa for extended periods. He was passed between different households but, while working at a scrapyard, discovered a talent for fixing broken computers. Forced out of necessity into entrepreneurship, he sold reconfigured computers at flea markets over weekends, and left for Israel in 2014 where he gained hands-on experience in some of the biggest tech businesses in the world.
That experience also drew him into coding and financial markets. In 2016, he created an electronic wallet for the secure storage of digital assets, and that brought him to the attention of Canadian investors who helped fund the early-stage launch of a product called Just Wallet. “We’re trying to replace Swift as the global system for payments,” says Cheong.
Ironically, he believes cryptos are a scam, in large measure because the boast of decentralised control is already subverted by the centralisation of control of parts of the crypto value chain in certain hands. “We have ransomware attacks occurring on a daily basis and no one has really come up with a firewall against that. This is what we decided to do. You’ve got huge volumes of wealth being transmitted electronically and far too many weak points in the chain.”
When the Africrypt story is finally told, Cheong’s name will feature strongly in the credits.
- This article was originally published on Moneyweb and is used here with permission