Cryptocurrency scam linked to a newly minted ‘$Ramaphosa’ token exploited South African Parliament’s official X, Facebook, and YouTube accounts

A cryptocurrency scam linked to a newly minted ‘$Ramaphosa’ token exploited South African Parliament’s official X, Facebook, and YouTube accounts

A cryptocurrency scam has hit South African Parliament, with hackers exploiting the institution’s official X, Facebook, and YouTube accounts on Saturday, March 15, 2025, to promote a fraudulent token.

The scam, which saw the creation of a new cryptocurrency and subsequent presale promotion via hacked government channels, was part of a broader cyberattack.

A review of the blockchain activity shows the token was created less than 24 hours before the hack, according to on-chain data from Solscan, Birdeye, and GeckoTerminal.

Analysis of the Solana blockchain reveals that the creator of the $Ramaphosa token is the Solana wallet 73V5WCNqQRuLj2V1ryH1zNrxgthGu7HrGPDViTn1GpxK, which is explicitly tagged as the Token Creator and associated with Pump.fun, confirming that the token was launched using its smart contract system. The same wallet is linked to the @GouvofRSA account, which falsely claimed to be the “official crypto feed of Parliament of the Republic of South Africa” and was used to create at least two tokens, including $Ramaphosa and ParliamentofRSA (RSATOKEN).

This is further confirmed by blockchain expert and Head of FinTech and Digital Assets at Forvis Mazars in South Africa, Wiehann Olivier.

“It once again points back to some of the advantages that blockchain technology has in terms of the immutability of it… any activity or transaction executed on the blockchain is traceable and open”.

A screenshot showing the confirmed creator of the $Ramaphosa token @GouvofRSA. Picture: Yeshiel Panchia

Reviewing this wallet’s transaction history shows multiple interactions with the smart contract “splbot -> launch-your-own-memecoin.sol,” a known tool for rapidly generating Solana-based tokens. This suggests a premeditated scam, with fraudsters rapidly generating tokens and exploiting social media to attract investors.

The first transactions in this wallet occurred approximately seven to nine hours before the time of the hack, aligning with the timeframe and suggesting a likely connection between the two events.

A screenshot from analysis tool GeckoTerminal showing the transaction history of the $Ramaphosa token. Picture: Yeshiel Panchia

Shortly after the hack, the wallet moved funds, suggesting an attempt to withdraw stolen liquidity before detection. An outgoing transaction of 0.8299 SOL, valued at approximately $110, matches a common pattern in crypto scams, where scammers extract as much as possible before abandoning the project. The wallet has also conducted multiple transactions with “[email protected],” a Solana-based crypto gambling site, a known method for obfuscating financial trails in cryptocurrency-related fraud.

Heating up the burner

Heating up the burner further, analysis shows the same wallet has interacted with multiple other scam-like tokens, suggesting it may be part of a broader network of coordinated crypto frauds.

The timing of the token creation, immediate promotion via a compromised government account, and subsequent liquidity movements indicate a deliberate attempt to exploit the credibility of Parliament’s social media presence to facilitate financial fraud.

Olivier did note that while the open nature of blockchain technology is useful in tracing such indicants, it’s not without obstacles; “Of course there are challenges in terms of the pseudo-anonymity of it [blockchain], in that you can’t necessarily see who executed a transaction.”

From a security risks perspective, the $Ramaphosa token exhibits multiple high-risk indicators. The top ten wallets control a total of 99.99999999999999 percent of the token’s supply, a strong indication of centralised control and a high likelihood of a rug pull.

The token is not listed on Jupiter’s Strict List, indicating a lack of credibility within Solana’s trading ecosystem. Its market cap of $3,722 and liquidity of $3,780 make it highly susceptible to price manipulation.

Most crucially, given how it was advertised, and that the price spiked and crashed within hours, matches the typical pattern of fraudulent trading schemes.

Tracking transactions on Raydium DEX reveals that liquidity was quickly removed shortly after trading began, another hallmark of crypto scams. This suggests the coin’s creators deliberately extracted funds before abandoning the project.

The close proximity in timing between the creation of the $Ramaphosa token and the hacking of Parliament’s social media accounts suggests a well-planned financial fraud operation.

The fact that the token was rapidly generated less than 24 hours before the hack, and that the hackers immediately focused on promoting it in posts designed to deceive unsuspecting investors, aligns closely with the actions of a coordinated scam.

The timing of the token’s creation and the hacking of Parliament’s social media accounts suggests a deliberate connection. Hackers gained access to the institution’s platforms to promote the $Ramaphosa token, exploiting its credibility to deceive investors.