Big development after hackers claim they stole R175 million by infiltrating South African financial systems

On Tuesday, GroundUp reported that the South African Social Security Agency (Sassa) will suspend payments of the Covid-19 Social Relief of Distress (SRD) grant to fraudulent beneficiaries.
We decided to investigate how seriously Sassa is addressing the issue. We obtained a sample of 2,400 applications that we know to be fraudulent.
They were sent to us by the N4aughtySec Group, a hacker group that emerged after publicly claiming responsibility for an attack on TransUnion and Experian in 2023. The group claimed to have demanded a ransom of $30-million from each company.
In November, N4aughtySec claimed it had stolen R175 million with fraudulent Sassa SRD Grants sent to TymeBank accounts.
The group provided screenshots of a proof of payment showing funds transferred from TymeBank accounts to an Investec account.
N4aughtySec also provided GroundUp with its evidence. We could not validate the claim that R175 million was stolen, but we were able to isolate a list of 2,404 known fraudulent Sassa SRD Grants and their associated fraudulent phone numbers.
This led to a discovery that the cellphone numbers were created using a major security flaw in Me&you Mobile’s online eSIM ordering system. Following our report, Me&you Mobile stopped offering eSIMs online.
The list of fraudulent SRD grants also allowed us to analyse Sassa’s progress in tackling the problem.
Sassa separates applications into one of four categories:
- Invalid: The Sassa grant does not exist or the phone number registered to the Sassa grant does not match.
- Awaiting Identity Verification: The Sassa SRD application has been blocked until the person verifies their identity by facial scan.
- Active Application: These are applications currently active and not marked as fraudulent.
- Awaiting Reapplication: These require people to reapply for the SRD grant.
The results of our analysis are summarised in this table:
Analysis of 2,404 known fraudulent Sassa SRD grants

| Category | 14 November 2024 (Before) | 21 January 2025 (After) |
|---|---|---|
| Invalid | 805 | 836 |
| Awaiting Identity Verification | 576 | 1,288 |
| Active Application | 1,019 | 279 |
| Awaiting Reapplication | 4 | 1 |

Initially, we examined the data in November 2024 to establish a baseline understanding of how fraudulent applications were being managed.
We noticed that a significant number of these applications remained active or were in the “Awaiting Identity Verification” category, raising questions about Sassa’s ability to handle such cases efficiently.
Note that this is a sample. There are many more fraudulent grants. But assuming this sample is representative — and there is no reason to think it isn’t — it can tell us how much progress Sassa has made.
When we revisited the data on 21 January 2025, we were able to compare the changes that had occurred over the past two months.
This comparative analysis allowed us to measure the extent of Sassa’s efforts and determine whether there had been tangible progress in identifying and suspending fraudulent grants.
The shifts in the numbers demonstrate that Sassa has made considerable progress, although some fraudulent applications persist.
The number of applications flagged as “Awaiting Identity Verification” more than doubled, indicating that Sassa is actively blocking grants until identity verification is completed.
Active applications dropped by 73%, suggesting an effort to stop known fraudulent grants.
A slight increase in “Invalid” applications (up 4%) further reflects ongoing system adjustments. (The Awaiting Reapplication category has too few entries to reach meaningful conclusions.)
Based on our findings, Sassa has made progress in addressing fraudulent applications.
However, Sassa needs to continue to improve its processes and detection systems, and to ensure that fraudulent cases are resolved swiftly.
Sassa also needs to make sure its verification system is up and easy to use. At the time of writing it was down.
This article was first published by GroundUp and is reproduced under a CC BY-ND 4.0 licence.