South Africa’s Lotto has a dark window which is open to fraud
Lottery operator Ithuba uses a highly reputable system to conduct South Africa’s Lotto draws. However, there is a “dark window” between the draw and release of the results where there is no public scrutiny.
Goolam (@goolammv), a noted leaker on Twitter/X in South Africa, recently raised suspicions about the trustworthiness of the Lotto results in a post titled “The Lotto Secrecy Files”.
The account has gained a reputation for the accuracy of sensitive information it releases about South African politics and cases of alleged corruption against high-profile individuals.
“Originally, when Ithuba took over from Gidani in 2015, Lotto draws were aired live on SABC in the traditional, highly visible way,” stated Goolam.
“Around 2018–2019, Ithuba quietly shifted the draws to digital channels like YouTube, framing it as modernisation.”
Today, Lotto ticket sales close at 20:30, with the draw scheduled for 20:55. However, the video of the draw is only uploaded to YouTube after 21:00.
According to Goolam, this creates a “dark window” of several minutes where the operator, regulators, and auditors control everything without public visibility.
Goolam also noted that the public no longer trusts the government or NGOs working for government when they say something has been independently audited.
Auditors did not prevent the looting of VBS Mutual Bank, nor stop State Capture. In fact, Goolam noted that some auditing firms were even named in State Capture inquiries for enabling corruption.
“The power of a lottery lies in public trust. Once the public suspects tampering, participation drops. The delayed YouTube upload undermines that trust,” argued Goolam.
“Unlike a live TV broadcast, the recording can, in theory, be edited, reshot, or manipulated before release.”
Matters are not helped by various scandals surrounding the national lottery, as well as an incident in December 2020 where a consecutive sequence was drawn — 5, 6, 7, 8, 9, with 10 the Powerball.
Although a consecutive set of numbers being drawn is no more or less likely than any other set of numbers, twenty people split the jackpot that day. They also all played manual picks. No “Quick Picks” won.
Many people choosing consecutive lottery numbers is also not unusual, with the UK lottery revealing in 2014 that around 10,000 people play the numbers 1, 2, 3, 4, 5, 6 in each draw.
However, reasonable explanations for these phenomena did little to assuage South Africans who were already suspicious that corrupt officials were somehow robbing the lottery.
A security expert’s view
MyBroadband contacted Orange Cyberdefense’s ethical hacking director and SA MD, Dominic White, for a security expert’s view regarding the trustworthiness of the South African national lottery.
White said Ithuba uses a third-party system from Szrek2Solutions, which uses a patented random number generation method.
The security and non-repudiation of the Szrek2Solutions electronic draw system was last assessed by Canadian firm Bulletproof in 2018.
Non-repudiation includes ensuring data integrity, which means ensuring that draw results and timestamps cannot be modified after they are generated.
Bulletproof’s report found that the system was secure and auditable, and that results could be reproduced for verification if needed.
The public version of Bulletproof’s report has been redacted to exclude two sections containing sensitive technical details about the system and the terms and conditions between Bulletproof and Szrek2Solutions.
MyBroadband has seen an unredacted version of the report, and nothing in the redacted sections countermands Bulletproof’s findings.
While White expressed concerns about the report’s age, he said the description of how the draw system functions made sense.
“It sounds well-engineered and, if stored correctly, historical draws can be verified at a technical level,” he said.
However, White noted that it may not be necessary to compromise the electronic draw system to manipulate the Lotto results.
He acknowledged that he was not a lotteries or fraud expert, but said there were no public independent verification reports of Lotto draws.
This was despite the Szrek2Solutions system claiming to be able to produce detailed technical validations and reports that independent auditors can verify.
“The draw that got everyone suspicious in December 2020 did have Szrek say they verified it, and it looks like Szrek is a well-respected provider of these services to multiple countries,” White stated.
“However, with scant detail, it’s not clear if every draw is validated to the same level — independent auditors are mentioned, but why are there no reports of their independent verification?”
“Trust me” no longer good enough
Having Ithuba and the National Lotteries Commission (NLC) state that results have been audited is no longer good enough, even with a reputable and untainted auditor doing the job.
White said this was especially so considering that the Special Investigating Unit (SIU) has alleged that auditors have been complicit in corruption at the NLC.
In November 2024, the SIU told the Parliamentary Portfolio Committee on Trade, Industry and Competition that five professional auditing firms assisted in stealing funds from the NLC.
None of these firms were involved in auditing the Lotto draw results. However, their alleged involvement in fraud casts a cloud and raises questions about the effectiveness of auditing to combat corruption.
The SIU’s chief operations officer, Leonard Lekgetho, reiterated the role auditing firms have played in this corruption during a presentation to the Standing Committee on Public Accounts in May 2025.
He said professional enablers, specifically accounting and auditing firms, assisted non-profits in submitting fraudulent financial statements to meet NLC grant application requirements.
Lekgetho added that, in other cases, the funds were laundered through attorneys. The non-profit would receive the grant and then transfer the funds to an attorney.
The attorney would then use the money to purchase property. Attorneys would also sometimes help non-profits complete grant applications.
“We know there has been significant corruption in the allocation of grants before, so we need strong proof of trust in the draw process too, making it very strange that no such proof has been released,” said White.
“Even in the case of the December 2020 issue, if the results were audited, why was the independent audit report not released?”
“Right now, we just have to trust them, with no evidence that anyone has verified this trust, which is a notable gap.”
White said a final issue was that even if a draw can be validated, the lack of compliance with a wider set of controls can mean fraud can creep in elsewhere.
Therefore, what controls are in place to ensure that draws are not run multiple times to generate a desired result or to prevent people from buying tickets with winning numbers after a draw?
MyBroadband contacted Ithuba for comment, but it did not respond by publication.
Loading ...