Cyber extortionist sentenced to eight years in jail

In a landmark case, a man was last week sentenced to eight years in jail for contravening South Africa’s Cyber Crimes Act.

Lucky Majangandile Erasmus (36), a former employee of Ecentric Payment Systems, was sentenced by the Specialised Commercial Crimes Court after entering into a plea agreement with the State to a combined eight years imprisonment for cyber fraud, theft of data and attempted cyber extortion.

The total sentence was eight years imprisonment, with three years suspended for five years.

In a statement, the South African Police Service (SAPS) says the charges include one count of contravening section 12 of the Cyber Crimes Act, one count of theft of data, two counts of attempted cyber extortion, four counts of cyber fraud, four counts of unlawful accessing of a computer system, three counts of unlawful acts with software or hardware tool, two counts of unlawful interference with a network or data, one count of unlawful interference with a data storage medium, one count of resetting of passwords, one count of unlawful access and one count of trespassing.

The Act creates cyber crimes as new criminal offences under South African law. These relate to unlawful access to a computer system or computer data storage medium, as well as unlawful interception of data and/or processing of unlawfully intercepted data.

It was signed into law by president Cyril Ramaphosa in 2021.

The charges arose from events in late 2023, when Erasmus and his co-accused, Felix Unathi Pupu (43), also a former Ecentric employee, illegally installed software on the company’s IT systems, enabling remote access.

Following the breach, an unknown party contacted Ecentric’s CEO, claiming that critical elements of the company’s IT infrastructure had been compromised and threatening to release sensitive company data unless a ransom was paid.

On 14 November 2023, the first ransom demand was issued – $534 260 (R9 473 170) to be paid within 16 hours – with a threat to publish the data across various platforms within 30 hours if the demand was not met.

A second ransom demand of $1 million (R17 million) followed on 30 November 2023, accompanied by additional threats to expose evidence of the data breach.

While Ecentric refused to pay the ransom, four of its retail clients suffered financial losses amounting to R794 808.51 as a result of the attack, says SAPS.

Erasmus and Pupu were arrested on 14 December 2023. Erasmus has remained in custody since his arrest and was formally sentenced last week. His co-accused, Pupu, remains in custody and is scheduled to appear in court on 30 June for plea and sentencing.

As part of the court’s ruling, Erasmus was ordered not to commit any further offences during the suspension period, including fraud, conspiracy to commit fraud, theft, or violations of the Cyber Crimes Act or the Trespass Act.

Additionally, Erasmus was declared unfit to possess a firearm.

Ecentric welcomed the sentencing, saying: “We can confirm that a former employee involved in a 2023 security breach, Lucky Majangandile Erasmus, has been convicted on 17 charges related to cyber fraud, theft of data and attempted cyber extortion.

“We are pleased to report that Mr Erasmus has now been sentenced by the Bellville Specialised Commercial Crimes Court in Cape Town.”

Digital forensics company Cyanre, which was involved in the investigation, took to social media to say: “This significant development underscores our nation’s commitment to combating cyber crime and safeguarding digital spaces.

“We are proud of our team who played a pivotal role in managing the security breach, demonstrating exceptional skill in identifying and tracing the suspects involved. Their dedication and expertise were instrumental in bringing this case to a successful resolution.

“We extend our heartfelt gratitude to the investigating officer from the Hawks, whose tireless efforts led to the swift arrest of the perpetrators. Their unwavering commitment to justice has set a precedent for future cyber crime investigations.

“Additionally, we acknowledge the invaluable support provided by the legal team at Clyde & Co. Their expert legal advice and guidance throughout the process were crucial in navigating the complexities of this case.”

According to Cyanre, this conviction marks a historic moment in South Africa’s fight against cyber crime, highlighting the effectiveness of the Cyber Crimes Act and the collaborative efforts of all parties involved.

“We remain steadfast in our mission to protect individuals and organisations from cyber threats and to uphold the integrity of our digital infrastructure. As we reflect on this achievement, we are reminded of the importance of continued vigilance, innovation and collaboration in the ever-evolving realm of cyber security.”