Hackers Siphon R2 Billion from Ekurhuleni Municipality in Massive Cyber Heist Revealed at SCOPA Hearing

The SCOPA Hearing Revelation

In a stunning disclosure during a Standing Committee on Public Accounts (SCOPA) hearing on May 6, 2026, the City of Ekurhuleni Metropolitan Municipality revealed that hackers had siphoned more than R2 billion from its systems through a sophisticated cybercrime operation. This massive breach, described by committee members as a clear manifestation of organized crime, has sent shockwaves through South Africa's public sector, highlighting profound vulnerabilities in municipal cybersecurity infrastructure.

The hearing, focused on the municipality's latest audit outcomes and ongoing Special Investigating Unit (SIU) probes, brought to light how cybercriminals exploited basic security lapses to steal funds intended for essential public services. As details emerged, lawmakers expressed outrage over the scale of the theft and the ease with which it occurred, demanding immediate accountability and systemic reforms.

Background on Ekurhuleni Metropolitan Municipality

The City of Ekurhuleni, one of South Africa's eight metropolitan municipalities, serves over 3.8 million residents across key areas like Germiston, Kempton Park, Benoni, and Boksburg, east of Johannesburg in Gauteng province. Established in 2000, it manages critical services including water, electricity, roads, waste management, and licensing for driver's licenses and vehicle registrations.

With an annual budget exceeding R50 billion, Ekurhuleni plays a pivotal role in Gauteng's economy, supporting industries such as aviation at OR Tambo International Airport and manufacturing hubs. However, the metro has faced chronic financial challenges, including irregular expenditure flagged by the Auditor-General, billing shortfalls, and service delivery protests, making it a prime target for financial exploitation.

How the Cyber Heist Unfolded: Step-by-Step

The hackers' operation was deceptively simple yet devastatingly effective. Between 2023 and 2024, perpetrators physically drove to the municipality's licensing department, where they connected to an unprotected public Wi-Fi network. No advanced remote hacking was needed; the open Wi-Fi provided direct access to internal systems without firewalls or encryption barriers.

Once inside, they manipulated the billing and payment processing software. By generating fraudulent transactions for driver's licenses and vehicle license discs, the criminals issued bogus documents while diverting payments away from municipal accounts. Funds from legitimate customers were rerouted to hacker-controlled destinations, vanishing into a web of untraceable digital trails. This low-tech physical proximity attack exploited outdated IT protocols, allowing repeated access over months.

Timeline of the Breach

  • Early 2023: Initial detections of anomalies in licensing revenue, dismissed as billing errors.
  • Mid-2023 to 2024: Hackers conduct multiple on-site intrusions via open Wi-Fi, siphoning funds incrementally to avoid detection.
  • Late 2024: Auditor-General audit uncovers massive discrepancies; internal investigation launched.
  • 2025: SIU steps in, confirming cybercrime scale; referrals to law enforcement.
  • May 6, 2026: Full details aired at SCOPA hearing, sparking national outrage.

This prolonged timeline underscores how delayed responses amplified the damage, with losses accumulating unnoticed amid routine operations.

SCOPA's Reaction and Key Findings

SCOPA chairperson Bheki Hadebe labeled the incident 'organized crime at its doorstep,' grilling municipal executives on oversight failures. The Auditor-General's report highlighted 'internal control deficiencies' in IT governance and supply chain management, contributing to the breach. While the cyber heist dominated discussions, SIU also detailed separate land fraud involving 208 properties worth R58 million fraudulently transferred using fake documents.

Committee members called for criminal charges against negligent officials and urged Treasury intervention to bolster municipal cybersecurity funding. For more on the parliamentary proceedings, see the official Parliament statement.

Political and Public Backlash

Opposition parties like the Democratic Alliance (DA) and Freedom Front Plus demanded the suspension of implicated executives, pointing to a pattern of mismanagement. DA Gauteng leader Solly Msimanga stated, 'This is not just theft; it's a betrayal of taxpayers funding basic services.' Residents' groups organized protests, linking the loss to potholed roads and water outages.

Social media erupted, with #EkurhuleniCyberHeist trending as citizens shared frustrations over rising tariffs despite deteriorating services. The African National Congress (ANC)-led coalition defended recovery efforts but faced accusations of cover-ups.

Immediate Impacts on Residents and Services

The R2 billion loss—equivalent to about 4% of the metro's budget—has strained service delivery. Licensing backlogs surged, delaying renewals for thousands. Electricity and water revenue shortfalls compounded existing issues, leading to proposed tariff hikes of up to 15% for 2026/27. Uncollected fines and impaired assets further eroded financial stability.

Residents in townships like Etwatwa and Duduza reported intermittent outages and poor road maintenance, attributing woes to diverted funds. Economically, businesses faced higher operational costs, stifling growth in an already challenged post-pandemic recovery.

Cyber Vulnerabilities in South African Municipalities

Ekurhuleni's breach is symptomatic of wider issues. Many municipalities rely on legacy systems from the 1990s, lacking modern encryption, multi-factor authentication, or regular patches. A 2026 report noted South Africa as Africa's top cyber target, with public sector attacks up 60% year-on-year.

Similar incidents include the 2023 Moqhaka Local Municipality ransomware attack, locking data and halting payments. Experts cite underfunded IT departments, skills shortages, and phishing susceptibility as key gaps. For insights into rising threats, check this analysis.

Investigations and Recovery Efforts

The SIU has referred cases to the Hawks and National Prosecuting Authority, pursuing asset freezes and international leads. To date, only a fraction—around R400 million—has been recovered, with hackers traced to syndicates possibly operating from Eastern Europe or locally.

Ekurhuleni implemented Wi-Fi segmentation, endpoint detection, and staff training post-breach. Partnerships with private cybersecurity firms aim to audit all systems. However, full recovery timelines remain uncertain amid ongoing probes.

Lessons Learned: Building Resilience

This heist emphasizes the need for zero-trust architectures, where no user or device is inherently trusted. Municipalities should prioritize:

  • Regular vulnerability assessments and penetration testing.
  • Employee awareness programs against social engineering.
  • Segmented networks to isolate public-facing services.
  • Robust incident response plans with offline backups.
  • Collaboration with national cyber agencies like the State Security Agency.
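The segmentation item above can be checked mechanically. The following is an added example, not code from the municipality or from this article: it evaluates an ordered, first-match rule set and lists every flow from a guest Wi-Fi range to a billing range that the policy would allow. The subnets, ports and both rule sets are constructed assumptions, with the flat policy standing in for a Wi-Fi network that has no filtering toward internal systems.

```python
import ipaddress

# Constructed example networks (assumptions, not Ekurhuleni's real addressing).
GUEST_WIFI = ipaddress.ip_network("10.50.0.0/24")
BILLING = ipaddress.ip_network("10.10.20.0/28")

# Ordered rules, first match wins: (action, source, destination, port or None for any).
FLAT_POLICY = [
    ("allow", "10.0.0.0/8", "10.0.0.0/8", None),       # one flat zone, Wi-Fi included
]
SEGMENTED_POLICY = [
    ("deny", "10.50.0.0/24", "10.0.0.0/8", None),      # guest Wi-Fi never reaches internal ranges
    ("allow", "10.50.0.0/24", "0.0.0.0/0", 443),       # guest Wi-Fi gets outbound HTTPS only
    ("allow", "10.10.0.0/16", "10.10.20.0/28", 8443),  # staff VLANs reach the billing front end
]

def decide(policy, src, dst, port, default="deny"):
    """Return the action of the first rule matching one concrete flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst, rule_port in policy:
        if (src in ipaddress.ip_network(rule_src)
                and dst in ipaddress.ip_network(rule_dst)
                and rule_port in (None, port)):
            return action
    return default  # nothing matched: fall back to default deny

def exposed_flows(policy, src_net, dst_net, ports):
    """List every (src, dst, port) from src_net to dst_net that the policy allows."""
    found = []
    for src in src_net.hosts():
        for dst in dst_net.hosts():
            for port in ports:
                if decide(policy, str(src), str(dst), port) == "allow":
                    found.append((str(src), str(dst), port))
    return found

if __name__ == "__main__":
    ports = [443, 8443, 1433]  # constructed list of billing-side service ports
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        flows = exposed_flows(policy, GUEST_WIFI, BILLING, ports)
        print(f"{name}: {len(flows)} guest-to-billing flows allowed")
```

Run against an exported rule set, a non-empty result for the guest range is the finding to fix before anything else in the list.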

Government pledges R500 million for municipal cybersecurity upgrades in the 2026 budget, signaling a proactive shift.

Future Outlook and National Implications

As digital transformation accelerates, municipalities must evolve or risk paralysis. Ekurhuleni's case could catalyze reforms, including mandatory cyber insurance and centralized threat intelligence sharing. For residents, restored trust hinges on transparent recovery and tangible service improvements.

South Africa stands at a crossroads: invest in defenses now or face escalating losses. With cybercrime costing the economy R2.2 billion annually, the Ekurhuleni heist serves as a stark warning—and a call to action.

About the author: Dr. Sophia Langford, Academic Jobs In House Author

Frequently Asked Questions

🔒 What exactly happened in the Ekurhuleni cyber heist?

Hackers physically accessed the municipality's licensing department Wi-Fi, which was unprotected, and manipulated billing systems to divert over R2 billion in payments for licenses and discs between 2023 and 2024.

📅 When was the SCOPA hearing on this incident?

The Standing Committee on Public Accounts (SCOPA) held the hearing on May 6, 2026, focusing on Ekurhuleni's audits and SIU probes.

📶 How did hackers gain access to the systems?

They drove to the site and connected to an open public Wi-Fi network, bypassing any security since it lacked passwords or segmentation from internal networks.

💰 What is the estimated loss amount?

More than R2 billion was siphoned, with only partial recovery so far; exact figures vary slightly in reports but confirm massive scale.

🏗️ What other issues did SIU uncover in Ekurhuleni?

Besides the cyber theft, SIU found R58 million in fraudulent land transfers involving 208 properties using fake documents.

🚧 How has this affected municipal services?

Licensing delays, potential tariff hikes, and strained budgets for electricity, water, and roads, exacerbating resident complaints.

⚖️ Are there arrests or prosecutions?

SIU has made referrals to Hawks and NPA; no major arrests reported yet, but investigations continue internationally.

🛡️ What measures is Ekurhuleni taking now?

Implemented network segmentation, cybersecurity training, and partnerships for system audits to prevent recurrence.

🌍 Is this common in South African municipalities?

Yes, vulnerabilities plague many; e.g., Moqhaka ransomware in 2023. National cyber threats rose 60% in 2025.

💡 What can municipalities do to improve cybersecurity?

Adopt zero-trust models, regular audits, offline backups, and staff training. Government plans R500m upgrades.

🏛️ What is SCOPA's role in such matters?

SCOPA oversees public accounts, probing irregular spending and holding officials accountable via hearings.