The Africrypt files, Part 2 — The Cajee brothers’ ‘escape’ plan

In the second part of Daily Maverick’s investigation into Africrypt, we show how Raees and Ameer Cajee appear to have executed what may be one of SA’s swiftest financial exits in recent memory.

Part 1 of this story established the scale and structure of the cryptocurrency scam, and Part 2 investigates how the exit unfolded – and why, despite so many red flags, no major legal consequences have followed.

Multiple passports and a shifting identity


“It was a centralised system pretending to be decentralised,” cryptocurrency analyst Wiehann Olivier told Daily Maverick. “There was no oversight, no third-party security testing and no asset segregation.”

Travel records and supporting whistleblower data reviewed by Daily Maverick confirm that both Raees and Ameer Cajee used Vanuatu-issued passports during their post-exit international travel. Our forensic investigation shows that the brothers travelled to the UK, then Dubai, Turkey and Zurich, in that order.

This was notwithstanding the unfolding scandal involving their company, Africrypt. Although the total number of affected investors has never been confirmed by authorities, a July 2021 statement by the Financial Sector Conduct Authority (FSCA) estimated investor losses at just more than R200-million and noted that the company appeared to have solicited funds from “several hundred individuals”.

The scandal erupted when investors received a single email from the Cajee brothers on 13 April 2021, claiming that Africrypt’s wallets had been compromised. It would be the last formal communication most investors ever received.

Daily Maverick understands, based on travel logs in the forensic report, that the brothers departed South Africa within weeks of this email. Although their exact departure date remains unconfirmed, the Badaspex v Africrypt high court application confirms that liquidation proceedings had already been launched at that stage.

Forensic records also show that Ameer Cajee obtained a second Vanuatu passport in March 2022 – while under a Swiss travel ban imposed in May 2021.

This passport, issued under the name “Ameer J Cajee”, was acquired via a Dubai-based intermediary, despite his original Vanuatu passport being valid until 2031. Court records indicate that Ameer’s appeal against the travel restrictions was dismissed in December 2022, and the ban only expired in late February 2023.

Digital traces leaked by a whistleblower and reviewed by Daily Maverick show that shortly after the second Vanuatu passport was activated, activity tied to Cajee-linked devices and accounts began surfacing in jurisdictions including Qatar, Turkey, Switzerland and the United Arab Emirates (UAE). This included logins to previously dormant Africrypt infrastructure, suggesting that someone with prior system access retained operational awareness.

Forensic records show successful logins to legacy Africrypt admin panels in December 2023 using credentials tied to founder email accounts. Although this is not conclusive proof of international travel under a different identity, the timing, geographic spread and access patterns collectively suggest a deliberate effort to obscure physical location and digital footprint.

The Cajees maintain that their systems were hacked. However, given that login credentials, devices and internet protocol (IP) traces match travel logs and known movement patterns, it appears unlikely that continued system access was solely the result of a third-party compromise.

Given a right of reply, Ameer Cajee denied any wrongdoing related to passport issuance or use, and challenged any suggestion that the documents were unlawfully acquired or used. He described the claims as “baseless, speculative, and deliberately misleading”.

The Zurich connection: Ameer Cajee and the Trezor wallets


The Office of the Chief Public Prosecutor in Zurich confirmed to Daily Maverick that criminal proceedings against both brothers are continuing on suspicion of money laundering. One brother was arrested in Zurich in November 2021 and later released on bail.

“We can only confirm that the Public Prosecutor’s Office III of the Canton of Zurich is conducting criminal proceedings against the two brothers you mentioned on suspicion of money laundering,” the office said.

Daily Maverick has verified through legal correspondence and whistleblower logs that Ameer Cajee was subsequently placed under supervised release at a hotel in Zurich. The Swiss prosecutor confirmed that Ameer had been released on bail to a “designated residence”. Access logs from the hotel, leaked to Daily Maverick, show more than 40 badge entries linked to his digital ID, and photographs geolocated and timestamped confirm his presence on the premises.

Sources close to the investigation claim that Ameer tried to access Trezor devices – hardware wallets – suspected of containing Africrypt’s missing bitcoin.

The Zurich Prosecutor’s Office also confirmed that “items related to a South African fraud case” were seized in Zurich. Though they declined to specify which items, investigators believe they included hardware wallets.

Crypto disappearing act: coordinated disappearance, continued control


While investors were still coming to terms with the announcement of a supposed hack, back-end activity on the Africrypt platform told a different story.

According to access logs reviewed by Daily Maverick, administrative sessions linked to devices associated with Raees and Ameer Cajee remained active for at least 72 hours after the public announcement of the hack. These sessions accessed internal wallet balances, user tables and system-level controls.

Login records show that the same internet connection was used multiple times during this period to access Africrypt’s admin system. This connection was linked to a fibre line bearing subscriber information associated with the Cajee surname. The device used matched one previously linked to Raees Cajee and remained online throughout.

Some key examples that contradict the narrative of a hack include:

  • Admin logins recorded after 13 April 2021 from a device previously linked to Raees Cajee;

  • An IP address associated with a fibre line registered to a subscriber bearing the Cajee surname; and

  • Apparent continued access to wallet infrastructure and user data for at least 72 hours after the alleged breach.


In their April 2021 announcement, the Cajees told investors that “system, client accounts, client wallets and nodes were all compromised”.

“Their own login sessions were still active while they were publicly claiming to be locked out,” said one digital forensics consultant who worked with affected investors. “They were inside the house while claiming it was being robbed.”

In his right of reply, Ameer Cajee denied the allegations and demanded that Daily Maverick provide specific forensic logs or device records. We have chosen not to publish or share these in order to protect our sources.

Digital clean-up on aisle three


Although investor withdrawals were suspended and communication ceased, internal network logs suggest that background activity on Africrypt systems persisted. Logs show data transfers to encrypted Amazon cloud storage via virtual private network tunnels routed through Switzerland and the UAE.

Devices previously linked to the Cajees remained active during this time. This activity spiked between 14 and 18 April 2021 – the same window during which major cryptocurrency withdrawals occurred.

Daily Maverick conducted an independent blockchain analysis, verified by a cybersecurity analyst, which confirmed that at least R300-million in digital assets was moved from Africrypt-linked wallets during that period.

Fourteen withdrawals were routed through Wasabi Wallet, a privacy-focused application that fragments and anonymises transactions. The outputs were then dispersed to platforms such as Binance, Kraken and Huobi, as well as to two unregistered exchanges believed to be non-KYC (know-your-customer) compliant.

By the time that court-appointed liquidators obtained access to the wallets, they had been emptied. Forensic analysis of email metadata from one of the brothers’ accounts shows a pattern of outbound encrypted messages and cloud sync requests referencing “vault fallback ops” – language consistent with cold wallet backup transfers. While the contents of these messages remain inaccessible, their timing and destination strongly suggest that off-platform recovery mechanisms were activated.

A curtain built to fall


Africrypt operated as a closed ecosystem with no independent oversight. There were no third-party custodians, no external compliance mechanisms and no regulatory supervision. Fund custody, trading, onboarding and internal audits were all handled by the Cajees themselves.

“They created a fully enclosed ecosystem,” Olivier said. “When you control the wallets, the DNS [domain name system], the servers and the message, there’s no audit trail – and no one to stop you when you walk out with the keys.”

Evidence reviewed by Daily Maverick suggests that Africrypt infrastructure remained accessible even after the platform was declared defunct. DNS pings, access telemetry and wallet monitoring indicate system use well beyond the shutdown.

Since Africrypt’s collapse, some regulatory gaps have been closed. In 2022, the FSCA declared crypto assets financial products, formally placing them under its supervision. In response to questions, the FSCA told Daily Maverick: “The legislation declaring crypto assets a financial product does not operate retrospectively … the FSCA has not conducted any retrospective investigations.”

By the end of 2023, cryptocurrency platforms in South Africa were required to register or shut down. The Financial Intelligence Centre also began classifying crypto service providers as accountable institutions, requiring compliance with KYC and anti-money laundering protocols.

Although these changes offer a framework for future oversight, they come too late for those burnt by Africrypt.

Ameer Cajee concluded his right of reply by stating that any publication of what he characterised as defamatory material would be met with legal action.

What began in a regulatory void ended in a vanishing act. The Cajee brothers are gone – but their system left traces, and the questions it raised haven’t disappeared. DM

This story first appeared in our weekly Daily Maverick 168 newspaper, which is available countrywide for R35.