{"id":646487,"date":"2026-05-10T11:04:31","date_gmt":"2026-05-10T09:04:31","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=646487"},"modified":"2026-05-12T13:16:36","modified_gmt":"2026-05-12T11:16:36","slug":"full-extent-of-r2-billion-city-of-ekurhuleni-hack-revealed","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/646487-full-extent-of-r2-billion-city-of-ekurhuleni-hack-revealed.html","title":{"rendered":"Full extent of R2-billion City of Ekurhuleni hack revealed"},"content":{"rendered":"\n

More details have been revealed about the City of Ekurhuleni’s “digital state of emergency”, where it reportedly lost R2 billion in revenues due to a long-running cyberattack allegedly abetted by insiders.<\/p>\n\n\n\n

The Sunday Times reported<\/a> that the metro’s IT billing infrastructure, called SOLAR, was systematically infiltrated and taken over by a local hacking syndicate.<\/p>\n\n\n\n

Per the report, compiled by independent third-party OMA Chartered Accountants in July 2025, a network of municipal insiders and conveyancers colluded to take control of the billing system.<\/p>\n\n\n\n

It also contained details on how the metro’s ICT infrastructure solution provider, BCX, allegedly had weak system controls and security protocols.<\/p>\n\n\n\n

That allegedly made it difficult to detect the attack and challenging to trace the source of the fraudulent activity once it was uncovered.<\/p>\n\n\n\n

Once criminals breached SOLAR, they manipulated billing data to illegally reduce property debts owed by residents and businesses and issue large illegal payments using taxpayer money.<\/p>\n\n\n\n

The fraud, which took place “over many months,” was first detected in mid-2023. It was only publicly reported three years later when the metro presented the findings<\/a> to Parliament last week.<\/p>\n\n\n\n

A delegation from the metro, including its executive mayor, Nkosi Xhakaza, the MMC for finance, and the acting city manager, briefed the Standing Committee on Public Accounts (SCOPA) on the extent of the fraud.<\/p>\n\n\n\n

They said R2 billion was siphoned out of the city by this syndicate, which was able to breach the ICT systems through a severe lack of basic cybersecurity precautions.<\/p>\n\n\n\n

OMA said the fraud was enabled by a “near total collapse” of Ekurhuleni’s IT and information security controls. The billing system had no reliable audit trails.<\/p>\n\n\n\n

Lack of audit controls led to critical back-end records being altered or deleted without detection. It was discovered that more than 60 administrator accounts were shared between employees or were generic.<\/p>\n\n\n\n

Many of these operated key servers. Basic security protocols were disregarded, allowing the same users to create, approve, or alter billing transactions, thereby removing individual accountability.<\/p>\n\n\n\n

Acting city manager Tsholofelo Koopedi said that criminals were accessing internal systems by easily breaching public Wi-Fi networks of the metro’s government offices.<\/p>\n\n\n\n

“You could drive to our licence station in Bedfordview, where we have Wi-Fi, and just park outside, and if you are a hacker, you can get access to our VPN and do these things,” he said.<\/p>\n\n\n\n

The revelations uncovered by OMA were even more significant following the murder of the metro’s head of corporate and forensic audits, Mpho Mafole, in 2025.<\/p>\n\n\n\n

Sunday Times reported that it was informed by multiple sources that Mafole was probing the fraudulent billing activity, among other sensitive investigations, before his murder.<\/p>\n\n\n\n

Keyloggers, spyware and mass malware deployment<\/h2>\n\n\n\n
\"\"
Nkosindiphile Xhakaza, City of Ekurhuleni executive mayor<\/figcaption><\/figure>\n\n\n\n

While SCOPA heard that R2.5 billion was the total amount of lost revenue, or the budget shortfall, the total related to the cybercrime alone was estimated at R2 billion. <\/p>\n\n\n\n

Boksburg lost the most money due to the hacks, at R31 million. Alberton suffered a direct revenue loss of R30 million, while Germiston lost R5 million.<\/p>\n\n\n\n

Attackers allegedly worked with officials to ransack these systems. Once inside, perpetrators used the billing system to create fake Rates Clearance Certificates by altering or deleting back-end billing data.<\/p>\n\n\n\n

Perpetrators also created fake invoices, funnelling payments of about R40,000 per transaction to unknown “billing solutions providers.”<\/p>\n\n\n\n

These payments allegedly allowed the rates account of property owners to be manipulated, leading to properties being cleared and transferred despite outstanding debts.<\/p>\n\n\n\n

The delegation told SCOPA they believed that insiders in the department’s ICT division were responsible for “opening the door” to hackers with whom they colluded.<\/p>\n\n\n\n

A former security architect consultant in the city was fired after it was discovered that he had connected a spy laptop containing malware, keylogging scripts, and remote access tools to municipal servers.<\/p>\n\n\n\n

The consultant later admitted to hacking Ekurhuleni’s IT infrastructure in an affidavit. The report also indicated that he allegedly installed a keylogger on the former city manager’s laptop.<\/p>\n\n\n\n

This type of malware, also called spyware, is used by threat actors to harvest passwords from individuals, which can later be used for nefarious purposes, like gaining access to billing systems.<\/p>\n\n\n\n

“Malware and keyloggers were found to be repeatedly deployed within the system,” the OMA report stated. “Endpoint protections were allegedly tampered with by insiders.”<\/p>\n\n\n\n

“Despite attempts to block or remove the software \u2026it was persistently reinstalled, indicating a sophisticated or deliberate compromise.”<\/p>\n\n\n\n

Last week, the delegation told SCOPA that insiders also ceased all security monitoring on the system from 18:00 until 06:00, where manipulation was expected to have taken place.<\/p>\n\n\n\n

BCX responds to allegations that it was responsible for back-end systems<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

The report also placed blame on Telkom-owned IT provider BCX, which developed most of the city’s core back-end systems and routinely managed admin access for the city.<\/p>\n\n\n\n

According to the report, BCX allegedly lacked a structured audit trail and control over personnel with long-term system administrator privileges. The report did not accuse BCX’s staff of being complicit.<\/p>\n\n\n\n

In response to our questions, BCX said it was aware of concerns regarding the City of Ekurhuleni’s ICT system and remained committed to supporting “lawful processes and upholding data security.”<\/p>\n\n\n\n

“BCX’s role was limited to defined support services within the municipality’s environment and did not include oversight of its core network, infrastructure, system management, or security controls,” it said.<\/p>\n\n\n\n

“Independent forensic investigations commissioned by BCX and the municipality found no evidence of wrongdoing by BCX.”<\/p>\n\n\n\n

Peter Moloko Monyepao, the city’s chief information officer, was suspended due to the fallout of the fraud. He was placed on suspension in 2025 as the ICT environment allegedly collapsed under his watch.<\/p>\n\n\n\n

Monyepao is now subject to a disciplinary hearing, and he is involved in an ongoing investigation by the Hawks.<\/p>\n\n\n\n

MyBroadband reached out to the City of Ekurhuleni and suspended CIO Moloko Monyepao for comment on the allegations, and they did not respond by publication.<\/p>\n\n\n\n

Following publication, BCX provided a more comprehensive statement responding to the report’s allegations. It is reproduced below.<\/p>\n\n\n\n

\n

BCX acknowledges ongoing public reporting and discussion regarding unauthorised activities affecting the City of Ekurhuleni Metropolitan Municipality\u2019s systems.<\/p>\n\n\n\n

BCX was first made aware of this issue on 19 July 2023. Initial findings indicated that this was not an isolated incident, but part of a broader, coordinated effort impacting multiple regions and operations within the City of Ekurhuleni Metropolitan Municipality. As investigations progressed, it became evident that the unauthorised activities were adapting to the security measures being implemented, requiring continuous monitoring and enhanced response efforts.<\/p>\n\n\n\n

The primary concern has been the irregular generation of valid rates clearance certificates used in property sales and transfers via external legal representatives. This was facilitated by unauthorised changes to debtor accounts, allowing clearance certificates to be generated with seemingly approved balances. In some instances, data modifications falsely reflected debtor payments. Additionally, financial journals were submitted by individuals who did not have the necessary system permissions.<\/p>\n\n\n\n

BCX confirms that at no point did our teams have oversight of, or access to, the City of Ekurhuleni Metropolitan Municipality\u2019s core network, infrastructure, system management, or security controls beyond the scope of our agreed day-to-day support responsibilities.<\/p>\n\n\n\n

The ERP system and associated databases are managed within the City of Ekurhuleni Metropolitan Municipality environment, and BCX\u2019s role was limited to defined support services, which did not extend to ownership or management of municipal data or the subsequent manipulation that occurred within the environment.<\/p>\n\n\n\n

Following identification of the incident, BCX supported investigative and response processes within the scope of its agreed responsibilities, including incident monitoring, escalation, and technical support activities. BCX remains open to engaging with the City of Ekurhuleni Metropolitan Municipality and relevant stakeholders where appropriate.<\/p>\n\n\n\n

An independent forensic investigation commissioned by BCX and conducted by Cyanre, together with a separate forensic investigation commissioned by the City of Ekurhuleni Metropolitan Municipality, found no evidence of wrongdoing by BCX in relation to the breaches or fraudulent activities identified.<\/p>\n\n\n\n

BCX takes data security and integrity seriously and remains committed to transparency and collaboration.<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"

A new report revealed the full extent of the attack on the City of Ekurhuleni where spyware and insiders aided in the theft of over R2 billion. <\/p>\n","protected":false},"author":341213,"featured_media":646488,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[6851,15709,15227,165,105120,105121,105122,17034],"class_list":["post-646487","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-bcx","tag-city-of-ekurhuleni","tag-cybersecurity","tag-fraud","tag-mpho-mafole","tag-noksi-xhakaza","tag-oma-chartered-accountants","tag-scopa"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646487"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=646487"}],"version-history":[{"count":12,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646487\/revisions"}],"predecessor-version":[{"id":647074,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646487\/revisions\/647074"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/646488"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=646487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=646487"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=646487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}