In a coordinated cyberattack on March 15, 2025, hackers compromised South African Parliament’s official X, Facebook, and YouTube accounts to promote a fraudulent cryptocurrency token called $Ramaphosa. The scam leveraged Parliament’s credibility to lure unsuspecting investors into purchasing the token, which was created just hours before the breach.
A Pre-Planned Crypto Scam? What Blockchain Analysis Reveals
Blockchain forensics indicate that the scam was a premeditated financial fraud operation, with the token’s creator wallet actively funneling funds through crypto gambling sites.
Parliament spokesperson Moloto Mothapo confirmed the breach, stating:
“Parliament has identified a security breach affecting one of its 25 YouTube streaming services (channels), which is integrated with official social media accounts. This breach resulted in the unauthorized upload of content not aligned with the work of the Institution.”
The fraudulent posts featured a graphic advertising a presale for the $Ramaphosa token, including hashtags related to Solana, cryptocurrency, and South Africa. A shortened link embedded within the image directed users to Pump.fun, a controversial platform that allows instant token creation with minimal oversight.
Pump.fun has been widely criticized for hosting memecoins often linked to rug-pull and pump-and-dump scams, making it a breeding ground for crypto fraud.
Tracking the $Ramaphosa Token and Its Creator
A deep dive into on-chain data from Solscan, Birdeye, and GeckoTerminal revealed that the $Ramaphosa token was minted less than 24 hours before the Parliament hack.
Key findings include:
- The token’s creator wallet (73V5WCNqQRuLj2V1ryH1zNrxgthGu7HrGPDViTn1GpxK) was linked to Pump.fun, confirming it was launched using its smart contract system.
- The same wallet was connected to @GouvofRSA, a fraudulent X account that posed as “the official crypto feed of Parliament of the Republic of South Africa.”
- This wallet was also used to create another fraudulent token called RSATOKEN.
Blockchain expert Wiehann Olivier, Head of FinTech and Digital Assets at Forvis Mazars South Africa, confirmed that blockchain’s transparency made it possible to trace these fraudulent activities:
“Blockchain’s immutability allows every transaction to be tracked. However, pseudo-anonymity remains a challenge in identifying the individuals behind the fraud.”
How the Crypto Scam Unfolded
The wallet’s transaction history suggests a deliberate scam strategy:
- The first transactions occurred just hours before the Parliament hack, aligning with the breach’s timeframe.
- Shortly after the hack, the wallet transferred 0.8299 SOL (~$110)—a move consistent with crypto scams that extract liquidity before vanishing.
- The wallet also interacted with casino@flip.gg, a Solana-based crypto gambling site, a common method used to launder stolen funds and obscure financial trails.
Further analysis indicates that the same wallet has been involved in multiple other fraudulent token launches, suggesting a broader network of crypto scams operating under similar tactics.
High-Risk Indicators: Red Flags Around the $Ramaphosa Token
Blockchain security analysis flagged multiple red flags around the $Ramaphosa token, including:
- Top 10 wallets controlling 100% of the supply, indicating centralized control and a high likelihood of a rug pull.
- Not listed on Jupiter’s Strict List, meaning it lacks credibility within Solana’s ecosystem.
- Low market cap ($3,722) and liquidity ($3,780), making it vulnerable to extreme price manipulation.
- A rapid price spike followed by a crash, a common pattern in pump-and-dump schemes.
- Liquidity removed from Raydium DEX shortly after trading began, another hallmark of a deliberate exit scam.
The Link Between the Hack and the Fraud
The near-simultaneous creation of the $Ramaphosa token and the Parliament social media breach strongly suggests a well-coordinated financial fraud operation. Hackers likely exploited Parliament’s credibility to gain public trust, using the breach as a way to enhance the legitimacy of their fraudulent token before cashing out.
This aligns with previous high-profile crypto scams, where attackers hack social media accounts of government institutions, celebrities, or brands to push fake investment opportunities.
Security Lapses and Government Response
Parliament has since committed to enhancing cybersecurity measures to prevent similar breaches in the future. The attack likely stemmed from poor account security, such as weak passwords or a lack of two-factor authentication.
Given the increasing sophistication of cyberattacks in the financial sector, government institutions must strengthen their cybersecurity infrastructure to protect against such frauds.
Crypto Scams on the Rise: Public Awareness Is Key
This scam highlights the growing trend of fraudsters leveraging political figures and institutions to create a false sense of legitimacy. Similar scams have surged globally, particularly as public figures like Elon Musk, Donald Trump, and major institutions express interest in cryptocurrency.
The South African government must take proactive steps to strengthen security, educate the public, and crack down on fraudulent crypto operations. Investors, in turn, must remain cautious and verify sources before engaging with crypto-related financial opportunities.
As investigations continue, understanding how Parliament’s security was compromised will be critical in preventing future cyber fraud incidents.
