On 3 June 2025, the Bellville Specialised Commercial Crimes Court marked a significant milestone in South Africa's legal history when it delivered one of the country's first cybercrime convictions under the Cybercrimes Act 19 of 2020. Mr Lucky Majangandile Erasmus was sentenced to eight years in prison, with three years suspended for five years.
This case is among the first publicly reported convictions under the Cybercrimes Act, which was enacted in 2021 to combat the escalating threat of cybercrime in South Africa. The Act criminalises a broad spectrum of cyber and computer-related offences, providing a robust legal framework for prosecuting cybercriminals.
Erasmus, previously employed by Ecentric Payment Systems, a prominent South African payment service provider, was apprehended in December 2023 following a sophisticated cyberattack on Ecentric. Collaborating with a co-accused, Felix Unathi Pupu, who was a current employee, Erasmus installed unauthorised remote access software on Ecentric's systems. This allowed them to unlawfully access and steal sensitive data and make illegal changes to access credentials for senior management. After the breach, an anonymous individual contacted Ecentric's CEO, threatening to expose the company's data and contact its customers unless a ransom of USD534,260 was paid within 16 hours. Thereafter, a second ransom demand in the amount of USD1 million was made. This was followed by social media posts attempting to reveal a data breach. Despite the cyber extortion demands, no ransom was paid. Four of Ecentric's retail clients experienced fraud losses of ZAR794 808,51 due to the illegal activities.
Erasmus entered into a plea agreement with the State and was convicted on 17 charges under the Cybercrimes Act, including:
- theft of data,
- attempted cyber extortion,
- cyber fraud,
- unlawful access to computer systems,
- use of unauthorised software or hardware tools,
- interference with networks, data, and storage media, and
- unauthorised password resetting.
The co-accused, Mr Pupu, remains in custody and is scheduled for plea and sentencing on 30 June 2025.
Erasmus will effectively serve five years' direct imprisonment. The court also declared him unfit to possess a firearm.
The conviction underscores that imprisonment is a tangible and enforceable consequence under the Cybercrimes Act, sending a clear message that cyber offences are serious and have real victims. Successful prosecutions hinge on robust digital forensic evidence. Legal teams must be involved early to ensure evidence is collected lawfully and is admissible. Preserving logs, access records, and system data immediately after a breach is crucial for supporting legal proceedings.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
