SA Parliament's social media accounts hacked to promote the launch of $Ramaphosa token

A screenshot from analysis tool GeckoTerminal showing the transaction history of the $Ramaphosa token. Picture: Yeshiel Panchia
In a shocking cyberattack, the official social media accounts of the South African Parliament were hacked on March 15, 2025, to promote a cryptocurrency token named after President Cyril Ramaphosa.

A cryptocurrency scam linked to a newly minted ‘$Ramaphosa’ token exploited South African Parliament’s official X, Facebook, and YouTube accounts in a coordinated cyberattack on Saturday, March 15, 2025.

The fraudulent posts, designed to deceive unsuspecting investors, directed users to a questionable token launched mere hours before the breach. Blockchain forensics suggest a deliberate financial fraud operation, with the token’s creator wallet actively moving funds through gambling sites.

Parliament Spokesperson Moloto Mothapo confirmed the breach to Daily Maverick, stating: “Parliament has identified a security breach affecting one of its 25 YouTube streaming services (channels), which is integrated with official social media accounts. This breach resulted in the unauthorised upload of content not aligned with the work of the Institution.”

The unauthorised posts featured a graphic advertising the presale of the cryptocurrency token ‘$Ramaphosa’, accompanied by hashtags referencing Solana, cryptocurrency, and South Africa. The posts also contained a shortened link embedded within the image, which, when followed, redirected users to Pump.fun, a website that allows for the instant creation of tokens with little oversight. Pump.fun is widely known for hosting memecoins, which are often exploited in rug-pull and pump-and-dump scams.

Forensic analysis: tracking the ‘$Ramaphosa’ token and its creator

A blockchain forensic analysis of the ‘$Ramaphosa’ token reveals that it was minted less than 24 hours before the Parliament hack, according to on-chain data from Solscan, Birdeye, and GeckoTerminal.

Daily Maverick identified the creator of the token as the Solana wallet 73V5WCNqQRuLj2V1ryH1zNrxgthGu7HrGPDViTn1GpxK, which is explicitly tagged as the Token Creator and associated with Pump.fun, confirming that the token was launched using its smart contract system. The same wallet is linked to the @GouvofRSA account, which falsely claimed to be the “official crypto feed of Parliament of the Republic of South Africa” and was used to create at least two tokens, including $Ramaphosa and ParliamentofRSA (RSATOKEN).

Blockchain expert and Head of FinTech and Digital Assets at Forvis Mazars in South Africa, Wiehann Olivier, confirmed Daily Maverick’s methodology.

“It once again points back to some of the advantages that blockchain technology has in terms of the immutability of it… any activity or transaction executed on the blockchain is traceable and open”.

A screenshot showing the confirmed creator of the $Ramaphosa token @GouvofRSA. Picture: Yeshiel Panchia



A review of this wallet’s transaction history shows multiple interactions with the smart contract “splbot -> launch-your-own-memecoin.sol,” a known tool for mass-producing Solana-based tokens. This suggests a premeditated scam, where fraudsters rapidly generate tokens and exploit social media to attract investors.

The first transactions in this wallet occurred approximately seven to nine hours before the Parliament hack, aligning with the timeframe of the breach and indicating a likely connection between the two events.


Shortly after the hack, the wallet moved funds, suggesting an attempt to withdraw stolen liquidity before detection. An outgoing transaction of 0.8299 SOL, valued at approximately $110, matches a common pattern in crypto scams, where scammers extract as much as possible before abandoning the project. The wallet has also conducted multiple transactions with “[email protected],” a Solana-based crypto gambling site; routing funds through gambling sites is a known method for obscuring financial trails in cryptocurrency-related fraud.

Further analysis shows that the same wallet has interacted with multiple other scam-like tokens, suggesting it may be part of a broader network of coordinated crypto frauds. The timing of token creation, immediate promotion via a compromised government account, and subsequent liquidity movements indicate a deliberate attempt to exploit the credibility of Parliament’s social media presence to facilitate financial fraud.

Olivier did note that while the open nature of blockchain technology is useful in tracing such indicants, it’s not without obstacles: “Of course there are challenges in terms of the pseudo-anonymity of it [blockchain], in that you can't necessarily see who executed a transaction.”

Security risks and blockchain red flags

The $Ramaphosa token exhibits multiple high-risk indicators from a security perspective. The entire token supply is controlled by the top ten wallets, a strong indication of centralised control and a high likelihood of a rug pull.

The token is not listed on Jupiter’s Strict List, meaning it lacks credibility within Solana’s trading ecosystem. Its market cap of $3,722 and liquidity of $3,780 make it highly susceptible to price manipulation.

Most crucially, the way it was advertised, and the fact that the price spiked and crashed within hours, match the typical pattern of fraudulent trading schemes.

Further blockchain tracking of transactions on Raydium DEX confirms that liquidity was removed shortly after trading began, another hallmark of crypto scams. This suggests the coin’s creators deliberately extracted funds before abandoning the project.
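The red flags listed in this section can be checked mechanically from a snapshot of a token's on-chain data. The sketch below is an added illustration, not Daily Maverick's tooling: the thresholds, field names, sample balances and timestamps are assumptions, and only the $3,780 liquidity figure comes from the article.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for illustration, not industry standards.
TOP10_SHARE_LIMIT = 0.80                 # supply share held by ten largest wallets
MIN_LIQUIDITY_USD = 50_000               # below this, the price is easy to move
FRESH_MINT_WINDOW = timedelta(hours=24)  # promotion this soon after minting
LP_PULL_WINDOW = timedelta(hours=6)      # liquidity removed this soon after trading


def top_holder_share(balances, n=10):
    """Fraction of total supply held by the n largest wallets."""
    total = sum(balances)
    if total <= 0:
        raise ValueError("token has no circulating supply")
    return sum(sorted(balances, reverse=True)[:n]) / total


def red_flags(token):
    """Return the red flags raised by a token snapshot (a dict, fields assumed)."""
    flags = []
    if top_holder_share(token["holder_balances"]) >= TOP10_SHARE_LIMIT:
        flags.append("supply_concentrated")
    if not token["on_strict_list"]:
        flags.append("not_on_strict_list")
    if token["liquidity_usd"] < MIN_LIQUIDITY_USD:
        flags.append("thin_liquidity")
    if token["first_promoted"] - token["minted"] < FRESH_MINT_WINDOW:
        flags.append("promoted_right_after_mint")
    removed = token.get("liquidity_removed")
    if removed is not None and removed - token["trading_began"] <= LP_PULL_WINDOW:
        flags.append("liquidity_pulled_early")
    return flags


# Constructed snapshot: the liquidity figure is the one quoted in the article;
# balances and timestamps are invented sample values.
SAMPLE = {
    "holder_balances": [400, 200, 100, 90, 80, 50, 40, 20, 15, 5],
    "on_strict_list": False,
    "liquidity_usd": 3_780,
    "minted": datetime(2025, 3, 15, 2, 0),
    "first_promoted": datetime(2025, 3, 15, 10, 0),
    "trading_began": datetime(2025, 3, 15, 9, 30),
    "liquidity_removed": datetime(2025, 3, 15, 12, 0),
}

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```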

The link between the hack and fraud

The near-simultaneous creation of the $Ramaphosa token and the Parliament social media hack suggests a well-planned financial fraud operation. Blockchain analysis reveals the token was minted just hours before the breach, with proceeds quickly funnelled into crypto gambling platforms.

The timing of the token’s creation and the hacking of Parliament’s social media accounts suggests a deliberate connection. Parliament’s credibility was likely exploited to promote the scam, with attackers using the breach as a vehicle to enhance the legitimacy of their fraudulent token. The hack itself may have been financially motivated, with attackers gaining access to official platforms solely to execute the fraud.

Next steps

The confirmation from Parliamentary spokesperson Moloto Mothapo that the compromise occurred through one of Parliament’s YouTube channels indicates that the attack was likely one of social engineering, with an attacker gaining access to details via a social contact or even poor account security such as weak passwords or a lack of two-factor authentication.

Parliament has committed to implementing additional security measures to prevent future breaches.

Public awareness and caution

Cryptocurrency scams are increasingly using political figures and institutions to create a false sense of legitimacy. Given the proliferation of cryptocurrency advocacy, particularly by public figures in the United States, the rate at which such cryptocurrency scams have increased is high.

This incident highlights the ongoing risks posed by financial fraud in the digital age, as well as the vulnerability of the South African government’s accounts and possibly weak security practices.

As investigations continue, it will be critical to assess how Parliament’s security infrastructure was compromised and what measures can be taken to prevent similar breaches in the future. DM.