EXCLUSIVE: Inside the CR17 leaks and the conflict between Ramaphosa's man and security head

accreditation
President Cyril Ramaphosa.
President Cyril Ramaphosa.

An investigation by News24 has revealed that a cyber security expert who was brought into President Cyril Ramaphosa's campaign for the ANC leadership is suspected of leaking confidential information into the public domain. The tech expert, who is "implicitly" trusted by Ramaphosa, however left his side after a falling out with the president's head of security. Kyle Cowan reports.

An investigation by top cops into the source of leaked emails from the heart of President Cyril Ramaphosa's CR17 campaign has exposed huge rifts between the president's most trusted security allies.

At the centre of the probe is a shadowy IT expert, who the president "trusts implicitly", with links to the State Security Agency and the police’s crime intelligence unit.

The cyber consultant, News24 has established, is Alexio Papadopulo, 37, who, according to leaked CR17 bank statements, was  to provide cyber security to Ramaphosa and his campaigners.

The Presidency confirmed that the Directorate for Priority Crime Investigation, or the Hawks, and SAPS Crime Intelligence were now investigating  hacking of Ramaphosa's and his advisor’s emails surrounding his successful 2017 ANC presidential bid.

News24 understands the Hawks’ cybercrime division is seeking access to all electronic devices connected to the campaign server.

News24’s investigation has established that:

  • Papadopulo was at the centre of the CR17 campaign’s cyber and IT operations;
  • He is suspected by key Ramaphosa operatives of being the source of the leaks;
  • Both the SSA and crime intelligence have shown heightened interest in his activities;
  • The CR17 campaign was constantly targeted by hackers seeking access to its servers.

Papadopulo worked for Ramaphosa for eight months after he became president, before leaving after a series of confrontations with the head of the presidential protection unit, Major General Wally Rhoode. It culminated in Papadopulo allegedly having to strip down in Rhoode’s office to check if he was wearing a listening device.

A senior intelligence source with knowledge of the investigation into the leaked emails told News24 that Papadopulo and former SSA director general Arthur Fraser are "tight" – meaning they share a close . Papadopulo also declined a job offer from SSA after Ramaphosa became president, and a family member claimed to have done contract work for the SSA in the past.

Alexio Papadopul

Alexio Papadopulo. Image:Supplied

The police’s crime intelligence unit seemingly also have more than a passing interest in Papadopulo. It is understood that there has been contact between him and representatives of crime intelligence, and that they are aware of his activities and affairs over the last two years. It is, however, unclear what their specific interest in or link with him is. One crime intelligence official described Papadopulo as "unassuming" and no different from "the man on the street".

CR17 campaign relentlessly targeted during ANC battle

 close to Ramaphosa, who have direct knowledge of conversations and concerns in his circles, say Papadopulo is suspected of being the leak.

But Papadopulo, who set up and managed the CR17 email server "alexio.online" specifically for the campaign is, according to documents and interviews with key officials involved in the probe,  in the Hawks investigation and no direct evidence links him to the leaks.

Papadopulo, who is cooperating with the Hawks, authored a report of activity on the email server which shows the emails may have been obtained through a hack, orchestrated by persons unknown, of the laptops or cellphones of key Ramaphosa advisors. 

confirms that throughout the campaign and after, the laptops of Ramaphosa’s closest aides were targeted with malware and "phishing" attacks – virus-type software that would have attempted to gain access to the computers to log passwords.

URL addresses on the bottom of the leaked emails show they were most likely printed after email accounts were logged into from a web application.

The report contains the IP addresses that accessed the server. News24 traced one of the IPs to an internet service provider in India. The remaining IPs show the server was accesses via Telkom and Cell C networks.

News24 understands the Hawks now want access to all the electronic devices of Ramaphosa and his staff in the Presidency who used alexio.online emails, a necessary step to determine if their cellphones or laptops were hacked.

It is understood the Presidency has indicated to the Hawks that it would only undertake this process once the legal review process of Public Protector Busisiwe Mkhwebane’s report, where the emails are first mentioned, is finalised.

Presidency spokesperson Khusela Diko said the leak of Ramaphosa’s private correspondence was a breach of security, which prompted the request for an investigation.

"We understand that an investigation is being undertaken. The Presidency therefore is not in a position to comment on speculation or rumour, but will rather await the outcome of that investigation," she said in response to questions over Papadopulo and his links to the intelligence community.

Papadopulo, Fraser, the Hawks and CR17 campaign managers were asked to comment for this story, but had not responded at the time of publication.

News24 has established that Papadopulo was an IT consultant brought in by the CR17 campaign's head of security, Wally Rhoode, to ensure the communications of campaign members would remain secure.

December 17.2017. The ANC national conference in N

After Ramaphosa assumed office, Rhoode was appointed as the head of the Presidential Protection Unit.

As well as ensuring the electronic communications of the president and the campaign were secure, Papadopulo also conducted sweeps for bugs in hotel rooms and official residences occupied by the president.

Rhoode, who worked on the campaign’s security, is understood to have recruited Papadopulo for the job. Rhoode was asked to comment for this story, but refused to do so.

For at least eight months into Ramaphosa’s presidency, Papadopulo was still involved, conducting security assessments, bug sweeps, drafting reports for Ramaphosa, and advising the PPU on cyber security matters.

Ramaphosa, News24 was told, trusts Papadopulo explicitly.

But in late 2018, Papadopulo walked out, allegedly after several confrontations with Rhoode, which culminated in Papadopulo allegedly being asked to strip down to his underwear in Rhoode’s office, so that he could be checked for recording devices.

Hawks probe started in August

Last month, News24 first published details of the leaked emails, which showed that Ramaphosa was aware of the funding of his campaign despite persistent denials that he had any direct knowledge of financial issues.

A little more than a week after publication, the head of the PPU, Rhoode, wrote to the head of the Hawks, General Godfrey Lebeya, asking for a probe into the possible hacking of Ramaphosa and his advisor’s email accounts.

Wally Rhoode

Head of the Presidential Protection Unit, Major General Wally Rhoode. Image:Supplied

News24 understands the Hawks investigation actually started earlier in August.

In his letter, Rhoode expressed concern that Ramaphosa’s personal communications may have been compromised.

According to information obtained by News24, three possible scenarios exist on how the emails were leaked. Either, Papadopulo himself is the leak, as he would have had access to the entire email server. The second possibility is a complicated hack of the laptops or cellphones of Ramaphsoa’s advisors.

The third possibility is that a member of the campaign leaked the emails.

So far, the probe has sought to determine whether the email server used by the CR17 campaign members was hacked or compromised in some way, while Papadopulo’s report given to the Hawks suggests that, rather than a complicated server hack, forces unknown gained access to two laptops belonging to key Ramaphosa advisors, who also worked on the campaign.

The email server in question, "alexio.online", was set up and managed by Papadopulo himself.

News24 traced Papdopulo through his website, also alexio.online. A page attached to the website, but which is no longer available on the home page, revealed the name of a company named Mardiscore, trading as "The Agency".

The page included FNB banking details for the company.

Company records confirmed Papadopulo is the sole director of The Agency, which was registered in March 2017. Leaked bank statements also reaveled that R4.8m was paid to The Agency between September 2017 and February 2019.

CR17

A screenshot of the web page that led News24 to Alex Papadopulo. It shows the name of Papadopulo's company, Mardiscore, trading as The Agency. 

We live in a world where facts and fiction get blurred
In times of uncertainty you need journalism you can trust. For only R75 per month, you have access to a world of in-depth analyses, investigative journalism, top opinions and a range of features. Journalism strengthens democracy. Invest in the future today.
Subscribe to News24
Lockdown For
DAYS
HRS
MINS
Voting Booth
With Faf de Klerk out injured, who should start at scrumhalf for the Springboks against Wales on 6 November?
Please select an option Oops! Something went wrong, please try again later.
Results
Herschel Jantjies
35% - 1127 votes
Cobus Reinach
61% - 1979 votes
Grant Williams
4% - 113 votes
Vote
Rand - Dollar
14.86
-1.0%
Rand - Pound
20.44
-1.0%
Rand - Euro
17.22
-0.9%
Rand - Aus dollar
11.14
-1.2%
Rand - Yen
0.13
-0.6%
Gold
1,793.77
-0.8%
Silver
24.16
-1.7%
Palladium
2,003.50
-3.0%
Platinum
1,034.06
-2.7%
Brent Crude
85.99
+0.5%
Top 40
61,025
+1.0%
All Share
67,615
+1.0%
Resource 10
63,620
+0.3%
Industrial 25
87,147
+1.5%
Financial 15
14,027
+0.9%
All JSE data delayed by at least 15 minutes Iress logo
Editorial feedback and complaints

Contact the public editor with feedback for our journalists, complaints, queries or suggestions about articles on News24.

LEARN MORE