Story audio is generated using AI
A brazen takeover by a cybercrime syndicate saw Ekurhuleni’s IT billing system effectively seized, former municipal manager Imogen Mashazi’s laptop hacked, and a covert spy device deployed — fuelling a shadowy operation investigators say enabled a staggering R2bn fraud.
The full extent of the unprecedented breach is set out in a forensic report compiled by OMA Chartered Accountants in July 2025, detailing how the syndicate systematically infiltrated and took control of the municipality’s IT billing infrastructure, known as SOLAR.
According to the report, a network of municipal insiders and conveyancers colluded by funnelling payments of about R40,000 per transaction to “billing solution providers” to orchestrate the manipulation and deletion of municipal debt records, creating the false appearance of reduced or cleared balances to unlawfully fast-track property transfers.
Once inside SOLAR, the perpetrators manipulated billing data to unlawfully reduce property debts owed to the city by residents and businesses, and to facilitate the illegal issuance of rates-clearance certificates, said the report, adding that they did so by altering or deleting back-end billing records.
“This manipulation results in a lower reported outstanding balance than what is actually owed, thereby concealing the full extent of the debtor’s liability. These transactions artificially reduced the brought-forward balances on debtor accounts, thereby understating the actual amounts owed by debtors. This not only impacts the accuracy of the municipality’s revenue records, but may also enable improper clearance certificate issuance,” said the report.
Malware and keyloggers were found to be repeatedly deployed within the system. OMA forensic report
In one example, OMA’s investigators found that a Springs-based conveyancing firm paid about R40,000 to a company styled as a “billing solution provider” to secure the unlawful alteration of municipal billing records. The payment allegedly resulted in the rates account of property owners TD and G Mngomezulu being manipulated, allowing a property at 7872 Bee‑Eater Street in Etwatwa to be cleared and transferred despite outstanding municipal debt.
The fraud, orchestrated over many months but detected only in mid‑2023, resulted in hundreds of millions of rand in confirmed losses, with investigators cautioning that the total exposure could be more than R2bn.
The fallout from the fraud has led to the suspension of Ekurhuleni’s chief information officer, Peter Paulos Moloko Monyepao. The metro argues that the city’s ICT environment collapsed under Monyepao, who is now subject to a disciplinary hearing and an investigation by the Hawks.
OMA’s investigation has taken on added significance after the killing in 2025 of Mpho Mafole, who was head of corporate and forensic audits at the city. Multiple sources in Ekurhuleni have told the Sunday Times that the rates billing fraud probe was one of several sensitive investigations Mafole was actively working on at the time of his death.
Others included R1.8bn chemical toilet contracts and allegations of corruption in the metro’s Harambee bus rapid transit service. He was also looking at multibillion-rand security and housing contracts.
Investigators found that the fraud was enabled by a near total collapse of Ekurhuleni’s IT and information‑security controls. The city’s billing systems had no reliable audit trails, allowing critical back-end record changes to be made and erased without detection. More than 60 administrator‑level accounts, many of them shared or generic, operated across key servers, obliterating individual accountability. Even the most basic safeguards were missing — there was no segregation of duties, meaning the same users could create, approve, and alter billing transactions — a breakdown that left municipal finances wide open to abuse.
The breach of Ekurhuleni’s IT systems included a physical infiltration of municipal offices, said the report. Lucas Mhlonishwa Dhlamini, a former security architecture consultant, was fired after it was discovered that he had connected a spy laptop, complete with hacking tools such as malware, keylogging scripts and remote-access tools to the municipal servers at the Kempton Park Customer Care Centre.
“Mr Lucas Mhlonishwa Dhlamini was dismissed following the discovery of an unattended laptop placed at the CoE [City of Ekurhuleni] offices containing malware and remote-access tools”, said the report. Dhlamini later deposed an affidavit, admitting hacking into the metro’s IT infrastructure. The report reveals that Dhlamini had also hacked Mashazi’s laptop. Dhlamini’s spy laptop had “traces of unauthorised access including to the City Manager’s machine”, said the report.
Investigators found keylogging (surveillance and malicious spyware) software embedded in Ekurhuleni’s IT infrastructure had infected critical servers and individual workstations responsible for authentication and access control. The spyware captured keystrokes on compromised machines, harvesting usernames, passwords and administrative credentials, and giving unauthorised users access to the municipality’s sensitive IT systems.
The report shows that the presence of the software was flagged repeatedly by multiple officials. Each time it was identified and removed, the perpetrators reinstalled it, exposing a pattern of sustained and deliberate redeployment.
“Malware and keyloggers were found to be repeatedly deployed within the system. Endpoint protections were allegedly tampered with by insiders. Despite attempts to block or remove the software ... it was persistently reinstalled, indicating a sophisticated or deliberate compromise,” said the report.
The forensic report casts the Business Connexion Group (BCX), Ekurhuleni’s long‑time IT service provider, as a central player in the environment in which the fraud thrived. BCX had deep access to the metro’s billing systems, including the power to change data behind the scenes, yet investigators found little evidence of proper checks, monitoring or accountability. When the fraud was uncovered, officials could not say who accessed its IT systems — where, how or when — in part because the very systems BCX helped manage kept no reliable records of activity.
The report stops short of accusing staff of BCX, a subsidiary of Telkom, of being part of the fraud, but it is scathing about the failures under its watch. Investigators found that BCX helped create and manage the back-end systems that allowed criminals to slip in, move freely through the system and cover their tracks.
Natalie Coenraad, a database administrator at the city, told OMA’s investigators that “BCX created most core back-end system user accounts and routinely manages admin access without structured review”. There is no structured audit trail or control over BCX personnel who have long-term system administration privileges, she said. The company “continues to operate the SOLAR environment with minimal oversight from CoE” and “no formal documentation exists governing the roles, responsibilities, or constraints on BCX’s authority”, she said.
BCX’s head of marketing, Mpho Hlefana, said the company acknowledges ongoing public reporting on unauthorised activities around the generation of valid rate certificates affecting Ekurhuleni’s core network, infrastructure, system management, or security controls beyond its contractual obligations.
“BCX remains open to supporting the City of Ekurhuleni Metropolitan Municipality and relevant stakeholders where appropriate.” She said that the company takes data security and integrity seriously and remains committed to transparency and collaboration.
Monyepao declined to comment, saying that the matter is the subject of his disciplinary hearing, which is confidential. Ekurhuleni’s spokesperson, Phakamile Mbengashe, did not respond to questions emailed to him on Thursday.
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.