In our previous instalments, we revealed a massive international syndicate operating online trading platform “scams” and the characters running a distinct South African division hiding in plain sight behind the country’s regulatory regime. Now we turn to the money, specifically the byzantine financial arrangements set up to collect and disperse would-be “traders” investments.
This investigation is based on a large leak of data originally provided to Sveriges Television, the Swedish national broadcaster, to which amaBhungane has gained access as part of a global consortium of media organisations coordinated by the OCCRP.
In Parts One and Two, we introduced the international syndicate running over 70 suspected fraudulent online trading platforms worldwide, as well as a special “regulated” South African division making use of real financial service provider licences.
Despite the veneer of legitimacy provided by these licences we saw how thousands of people invested millions of rands and, nearly always losing all of it after being misled and harassed into disastrous and possibly fictitious investments.
Underneath it all lies a financial architecture for collecting money from these aspiring traders that is built on fake and fly-by-night money movers, alleged money launderers and other shady “high risk” offshore entities.
At the other end, as we will see, massive amounts of money flow through a dizzying network of crypto wallets.
Like any online retailer, each platform requires payment service providers (PSPs) that link clients, in this case the aspirant traders, to the often opaque ultimate destination of their funds.
Within Scam Empire, finding PSPs to move money has been a perennial concern, with dedicated chat groups constantly updating managers on the “integration” of new “solutions” to match the need for large and frequent transfers in multiple currencies across multiple countries.
All told, the platforms seem to have used over 200 distinct payment methods, many of them obscure and short-lived.
In South Africa, a bizarre procession of these “solutions” show how the trading platforms, behind the veil of fancy websites and seeming regulatory compliance, had one foot planted firmly in the illicit financial system.
‘High risk’
Around August 2023, SkyMT, one of the South African platform “brands” featured in our previous instalments, ran into a serious problem. Its PSP for collecting deposits from “traders” was raising red flags and getting worried about its own exposure to legal risk.
The provider in question was Durban-based Swiffy, which had signed “high-risk merchant” agreements with both SkyMT and the larger local Scam Empire offering Finbok.
“High risk” agreements are an industry standard for specific kinds of clients, including those involved in foreign exchange and online gambling. Part of the deal is a hard limit on how many fraud or bank complaints can be received before the relationship is terminated.
At Swiffy, this limit was reached before very long.
Documents in the leak show that by November 2023, Swiffy decided to withhold deposits that were due to be transferred to SkyMT, as well as Finbok.
In the case of Finbok, Swiffy was sitting with R2.8 million it had not paid onwards after three fraud complaints reflected in a statement of account.
Graphic supplied/ amaBhungane
On 17 November, SkyMT and Vector sent identical letters to Swiffy promising it “full and irrevocable indemnity against all losses of whatsoever nature, past, present or future as may be incurred … by virtue of rendering its payment platform services to ourselves.”
In return, Swiffy would have to pay over whatever it owed within 24 hours, which it did.
And that was seemingly the end of Swiffy’s work for Scam Empire.
The important part, however, is how the platforms dealt with what was immediately an existential threat.
Without a payment system, they would simply be unable to take people’s money.
What followed was a scramble for stopgaps that would see traders’ money enter a system bristling with red flags.
Plan B
When SkyMT lost access to Swiffy, it started using an entity named Astra Neo Enterprises to collect deposits. Would-be traders were directed to deposit their funds into one of this entity’s bank accounts at Standard Bank, Nedbank or ABSA.
Graphic supplied/ amaBhungane
The problem with this is that Astra is not a payment service provider at all, but instead a scrap metal company in Benoni.
In Scam Empire’s records, payments to Astra are, with telling vagueness, called “Fin Solution”.
Graphic supplied/ amaBhungane
It was, however, a short-lived stopgap. Contained in the leak of documents from the global Scam Empire syndicate, there are letters from both Nedbank and Standard Bank to Astra Neo informing it that its accounts are getting shut down.
From the Standard Bank letter, we can see that the account in question was only opened in September 2023, which indicates that it was possibly created especially for collecting SkyMT deposits. The account was closed on 5 November, with the bank citing “fraudulent activity investigated by SAPS, SARS”.
A month later Nedbank came calling, citing “high fraudulent activity in your account” and “a few” SAPS cases.
Graphic supplied/ amaBhungane
It is not clear what has happened to Astra Neo’s ABSA account.
However, as soon as “Fin Solution” was shut down, SkyMT turned to another payment service which the records vaguely refer to as “SA Banking Solution”. The only clue as to what this entailed is a handful of proof of payment slips we could match to transactions ascribed to this solution.
The recipient was something named Hampton Capital.
Graphic supplied/ amaBhungane
This company, which has no public presence and was deregistered shortly after having done work for Scam Empire, belongs to one Muaaz Rajah, apparently an employee of FNB.
We asked Rajah for comment but were met with a spokesman who later ceased communications.
SkyMT collapsed at the end of 2023 – a development very possibly linked to it being cut off from payment services.
As we reported previously, however, SkyMT was just a dress rehearsal for the major Scam Empire endeavour in South Africa, Vector Financial Services and the two platforms it operated: Finbok and Finxocap.
The Nigerian connection
Judging by records in the leak, the Finbok trading platform got off the ground in September 2023 with only one PSP onboard – a Nigerian company named OnlineNaira.
While OnlineNaira is a real company, Finbok clients were not really paying their deposits to it.
Instead, they were directed to pay into the accounts of three obscure local entities named KB Auto Sales, BBS Concepts and Online Rands and Naira. These belong to husband-and-wife team Kabir and Yinka Adalemo, who themselves run a modest remittance business between South Africa and Nigeria.
Graphic supplied/ amabhungane
According to Kabir Adalemo, he was approached by OnlineNaira’s owner in Nigeria, Kayode Adesiyan, to accept deposits from South African clients and pay out Nairas back home.
This arrangement was allegedly brokered by the consultancy Clearsky Solutions, a Hong Kong-based company affiliated to the Israeli law firm Porat Group. Readers might recall from Part Two of this investigation how these two entities appeared to set up seemingly fabricated ownership structures for trading platforms that included SkyMT.
We approached Clearsky for comment, but none was forthcoming.
In any case, we can see from records in the leak that “OnlineNaira” did, in fact, channel South African “traders'” money to Nigeria.
One of the key figures in the financial management of the syndicate is Israeli Eduard Brovshtein, who is, in internal chat groups, referred to as “CFO”.
In a leaked spreadsheet, evidently authored by Brovshtein, payments received via OnlineNaira are given in Naira and match Rand deposits tabulated elsewhere in the leak.
It is not clear why Finbok would need South African Rand deposits converted to Naira, but according to Adalemo, the funds would ultimately be converted into cryptocurrency.
Adesiyan did not respond to questions.
The leak shows that the “OnlineNaira” payment system was shut down after a number of fraud complaints from Finbok investors, including a SAPS complaint that was withdrawn after the complainant received a small payout of R15 000.
The Kenyan “money launderer”
The use of payment services that self-evidently aren’t above-board represents just a small part of the money that has flowed through the Scam Empire system in South Africa.
The sprawling spreadsheets in the leak exhaustively detail dealings with traders and note the relevant PSP for every transaction with platforms like SkyMT, Finbok and Finxocap.
These include many “high risk” providers that are on the face of it legitimate but which have already had run-ins with the law abroad.
Among the many agreements in the leak is a tripartite “merchant acquiring service agreement” between Vector (that is, Finbok and Finxocap) and service providers named Ellerman Labs and Brighter Technologies.
Traders making deposits using “Brightcard” would in fact be using Ellerman, a Kenyan payments company with a presence in several African countries.
Ellerman is a subsidiary of another Kenyan company named Virtual Pay Holdings, which has also provided payment solutions to other parts of Scam Empire. Virtual Pay Holdings, in turn, belongs to Virtual Pay International, also in Kenya.
Behind it all sits Kenyan businessman David Morema Obangi, whose companies were last year found by a Kenyan court to have, “on balance of probabilities”, engaged in money laundering.
Graphic supplied/ amaBhungane
Specifically, the parent company of Ellerman (the Scam Empire PSP) seemingly laundered funds through a separate Obangi vehicle named Virtual Financials International under the guise of salaries and allowances.
The funds in question were moved in 2023 and would most likely not include the deposits made by Finbok victims, but having a case of money laundering hanging around your neck seems to be par for the course for operators within the financial architecture of Scam Empire.
The Ukrainian illegal gambling laundry
One of Vector Financial Services’ major payment solutions was an obscure entity trading as Interkassa. While Interkassa is registered in the Marshall Islands as International Company Limited, the company itself is based in Ukraine and acts as an aggregator for payment systems.
Graphic supplied/ amaBhungane
Since 2022, Interkassa has formed part of a Ukrainian police investigation into illegal online gambling and, more pertinently, the laundering of the proceeds of that gambling to the Russian operators of the “casinos”.
In a search-and-seizure application to a court in Kyiv prosecutors claimed that “funds received from the illegal activities… are withdrawn from the territory of Ukraine to the territory of the Russian Federation according to the following mechanism: funds from illegal online casino and gambling activities are accepted through payment systems: “Interkassa”, “Tranzzo” and “FourBill”… after which they are credited to the personal accounts of the participants in the illegal mechanism” [translation from the original Ukrainian].
Graphic supplied/ amaBhungane
Interkassa’s role in Scam Empire is complicated, with the company effectively hiding behind another equally obscure Dubai-based – but apparently Armenian-owned – payment aggregator named Lasur IT Holdings, trading as Multihub.
On Finbok and Finxocap “traders'” deposit slips, as well as in the main tabulations of Scam Empire transactions, payments reflect “Multihub” as the recipient.
Elsewhere in the leak, however, it is revealed that the real payment provider in these cases is Interkassa. There are even invoices addressed to Vector by Multihub, charging it fees for facilitating these Interkassa payments.
Graphic supplied/ amaBhungane
The exact nature of payments through Interkassa seems to confuse even the managers of Scam Empire at times. In a chatgroup called “Multihub-Finbok Support+Tech” someone named “Dan Sus” tells “Michael_F” (who we have previously identified asEduard Brovshtein) that “we work with the Interkassa provider and do not know who is behind them, since such information is not disclosed”.
Graphic supplied/ amaBhungane
We reached out to Interkassa and received no response.
With Multihub we ran into a perculiar situation when the apparent director Leonardo Henrique first told us that “Our company is not related to the company lasur it”.
When we pointed out that the Lasur IT (Multihub) agreement with Vector was signed by Karen Mikayelyan, a partner of Henrique’s in other ventures – and then asked for their contact details – he replied that “we cannot disclose personal data, it is against the law”.
Catch me if you can
We asked the South African Reserve Bank (SARB) about the seeming cross-border free-for-all described above.
While the SARB said that it is “not at liberty to disclose information regarding any entities that we may be investigating,” it suggested that the arrangements we’ve exposed are unlikely to be above board.
Any payment service provider in South Africa is meant to follow a directive issued back in 2007 on third party conduct within the national payment system.
In the case of scrap metal dealer Astra Neo, for instance, the company may very well have run a legal payments side-business, but that would have required a separate legal entity meeting the requirements of the National Payment System Act. This was not the case.
When it comes to entities owned by people allegedly guilty of money laundering abroad, this does, as one would expect, “raise concern” in the eyes of the authorities.
As the SARB notes: “Engagement in illicit activities such as money laundering, whether within South Africa or abroad, may raise serious concerns regarding an entity’s fitness and propriety to operate in the South African financial sector. In such cases, the SARB, in collaboration with relevant Regulators, may assess the implications for the entity’s continued authorisation or registration, in line with applicable regulatory frameworks.”
A more dangerous regulatory lacuna, however, is consistently exploited by Scam Empire.
Cashing out
While the South African trading platforms forming part of the Scam Empire syndicate used these and more questionable methods to bring money in, what happens next is infinitely more complicated, not least because the myriad entities in the network almost exclusively use cryptocurrencies.
The leak contains roughly 77 000 unique crypto wallet addresses. These are the “bank accounts” used by the syndicate’s various component parts, investors who paid with crypto as well as the service providers who accepted crypto as payment.
The flows within the system are chaotic and – for now – mostly untraceable despite payments being painstakingly recorded in hundreds of tables.
There are, however, a number of major identifiable nodes. One of these is the South African division, which seems to have handled far more than its share of the cash flowing through the system.
In particular, we have been able to unravel payments to and from Vector, the operator of Finbok and Finxocap.
First, and unusually within the overall scheme, the leak contains bank account statements for Vector at FNB and ABSA.
Vector also seemingly roped in third parties to open accounts in its name. In the leak there is an invoice from an accountant in Dubai named Ben Feivel who charged Vector EUR3 500 to open a “client-facing” FNB account in January 2024, which corresponds to the starting date for the statements.
Graphic supplied/ amaBhungane
While this is not illegal, it is unclear why a South African company would pay an offshore service provider over R70 000 to open a South African bank account for them.
Nonetheless, in the statements we can see a steady stream of inflows from individual “traders” as well as the small number of payouts to these investors. We can also see incoming payments from some of the PSPs we looked at above.
The main exit point for money coming into Vector’s accounts is a Cape Town-based crypto company named Xago Technologies.
We mentioned Xago in Part One of this investigation and showed how it was not only used in South Africa but also received direct deposits from “traders” in other countries, including from a man who appears to be Scam Empire’s single largest victim, UK citizen Stuart Daburn.
The company has bank accounts at local, Swiss and British banks into which deposits were made.
Daburn has launched a massive court case trying to reclaim several million pounds he lost to the syndicate and in court papers he identifies Xago as one of the companies he was told to make deposits with by the scammers.
In South Africa, the single largest victim, Seumas Reynolds, also made his deposits through Xago.
Xago, in turn, apparently sent deposits to a Polish crypto company named 4Word Solutions that also crops up several times in the leak.
As reflected in our previous story, Xago strenuously denies “being complicit in or enabling fraudulent or money laundering operations”.
According to the SARB, “while the current exchange control framework does not yet provide for direct oversight of crypto asset service providers (CASPs), important safeguards do exist”.
It appears, however, that this does not go much further than crypto exchanges being “accountable institutions” that are obliged to self-declare suspicious transactions to the Financial Intelligence Centre.
The widespread use of cryptocurrency makes much of Scam Empire’s finances incredibly hard to untangle.
Vector, however, represents one case where the veil can be partially lifted.
The cryptosphere
From the leak, we have been able to identify eight of the crypto wallets used by Vector to send and receive payments.
We also managed to track payments through one of these wallets, which gives us an idea of how the company fits into the wider syndicate.
Incoming payments are unfortunately all from either crypto exchanges (which do not allow us to identify the actual source) or wallets we can’t identify.
Outgoing payments, however, can to some extent be traced due to the presence in the leak of other financial records identifying the same wallets.
We can see that Vector, for instance, made payments from the wallet we analysed to voice-over-internet protocol (VOIP) providers. These are the companies that allow the call centres (based largely in Bulgaria) to call victims from sham ‘local’ phone numbers.
The same wallet also made contributions to something called “Headquarters” in Israel and to “Cy HQ” – a Cyprus-based part of the network hosting a call centre operation codenamed “Tesla” that targeted mostly South Africans.
The most important destination of Vector crypto payments, however, at least from this wallet, was to a Ukrainian company known as EM Develop.
This company is a hub for paying so-called affiliate marketers, the advertising companies that create the often entirely false and misleading online ads featuring bogus celebrity endorsements and outlandish claims about (fictitious) AI-powered trading bots.
These marketers are key to the entire syndicate, as well as other legitimate online businesses that require traffic to be guided to their doors.
What is interesting about Vector’s expenditure on EM Develop services is that the payments bear no relationship at all to the amount of business Vector’s trading platforms do.
The mysterious money
Vector’s two platforms, Finbok and Finxocap, pulled in investor deposits of just over $12 million in 2024.
The money paid to EM Develop from the single wallet we analysed since April 2024 came to $7.5 million, or 60% of all deposits from “traders”, while Vector still had to cover operational costs such as its share of the Scam Empire call centre operation, salaries for agents and other sundries.
The money being sent to EM Develop is also far higher than the total advertising expenditure claimed by Vector’s own director Dustan Cornelissen, who told us it was “nearly $2 million”.
When we asked him about the disparity, he did not answer us.
Vector’s outsized expenditure on marketing leads to two possible inferences.
On the one hand, it might be that Vector is for some reason picking up the bill for the larger syndicate’s advertising – possibly because, unlike many of the platforms within the network, it is actually a real company brandishing the apparent legitimacy of a financial services licence.
Alternatively, the payments could be for something in addition to advertising. It is hard to say, because while onwards payments from EM Develop can be seen to largely go to identifiable affiliate marketers, a lot of it goes to unidentifiable crypto wallets.
The overall design of the Scam Empire system, however, can be at least partially untangled from the warren of crypto payments detailed in the leak.
Details in a spreadsheet named “Headquarters Operation Report” show how all the “units” pay regular contributions to the running costs of the central office.
These units are codenamed “Serbia”, “GB” and “Zebra”. The South African operations mostly fell within Serbia, which, confusingly, refers to a call centre operation based in Bulgaria.
Graphic supplied/ amaBhungane
Inside the operation report, there are minute details of some $17 million in onward payments, almost a third of which consisted of salaries. While the names of staff are often only given as their first names or pseudonyms, the job titles are often interesting. On the staff list, for instance, is someone named “Superman” whose job is “polygraph”, i.e., lie detector.
One of the employees at HQ is Gershon Bresler, the legal troubleshooter we encountered in Part Two, who deals with litigious traders in South Africa under the pseudonym “Paul van Rensburg”.
Also visible is “Eduard”, who is most likely the aforementioned Eduard Brovshtein.
A separate operations report for one of the subsidiary units includes line items for “South Africa regulation”, on which $120 000 was spent in November 2023.
There remain, however, thousands of other payments we have yet to trace.
As we mentioned, the bulk of the money flows within Scam Empire are obscured by the use of cryptocurrency. AmaBhungane is hard at work, piercing this final veil. Look out for what we have found in Part Four of this investigation.
