The Bellville Specialised Commercial Crimes Court this month delivered one of the first convictions under the Cybercrimes Act.
The case is among the first publicly reported convictions under the Cybercrimes Act, which was enacted in 2021 to combat the escalating threat of cybercrime in South Africa. The Act criminalises a broad spectrum of cyber- and computer-related offences, providing a robust legal framework for prosecuting cybercriminals, said Era Gunning, an executive in the banking and finance practice at law firm ENS.
Lucky Majangandile Erasmus was sentenced to eight years in prison, with three years suspended for five years. The court also declared him unfit to possess a firearm.
Erasmus, who was previously employed by Ecentric Payment Systems, a prominent South African payment service provider, was apprehended in December 2023 following a sophisticated cyberattack on Ecentric.
Collaborating with a co-accused, Felix Unathi Pupu, who was an employee at the time, Erasmus installed unauthorised remote access software on Ecentric’s systems. This allowed them to unlawfully access and steal sensitive data and make illegal changes to access credentials for senior management.
Thereafter an anonymous individual contacted Ecentric’s chief executive, indicating they had compromised Ecentric’s IT environment and would be holding the business to ransom.
On 14 November 2023, the person made the first ransom demand of US$534 260 (currently about R9.62 million). If the ransom was not paid within 16 hours, Ecentric’s data would be published across various platforms.
A second ransom demand was made on 30 November 2023 in the amount of US$1m. If the ransom was not paid, further action would be taken to prove the data breach and hack. This was followed by social media posts attempting to reveal a data breach.
Despite the cyber extortion demands, no ransom was paid.
Four of Ecentric’s retail clients experienced fraud losses of R794 808.51 because of the illegal activities.
Erasmus and Pupu were arrested on 14 December 2023.
Erasmus entered a plea agreement with the State and was convicted on 17 charges under the Cybercrimes Act, including:
- theft of data,
- attempted cyber extortion,
- cyber fraud,
- unlawful access to computer systems,
- use of unauthorised software or hardware tools,
- interference with networks, data, and storage media, and
- unauthorised password resetting.
As part of the court’s ruling, Erasmus was ordered not to commit any further offences during the suspension period, including fraud, conspiracy to commit fraud, theft, or violations of the Cyber Crimes Act or the Trespass Act.
Pupu remains in custody and is scheduled for plea and sentencing on 30 June.
Gunning said the conviction underscores that imprisonment is a tangible and enforceable consequence under the Cybercrimes Act, sending a clear message that cyber offences are serious and have real victims.
“Successful prosecutions hinge on robust digital forensic evidence. Legal teams must be involved early to ensure evidence is collected lawfully and is admissible. Preserving logs, access records, and system data immediately after a breach is crucial for supporting legal proceedings,” she said.
