Crooks stole millions meant to help people during Covid by making up fake workers. They used old companies to trick the system, claiming money for people who didn’t exist. But then, investigators launched a huge raid, hitting many places at once. They found tons of proof, like hidden ledgers and phones, hoping to get the stolen money back and fix the broken system.
How did South Africa’s biggest Covid-relief fraud operate?
South Africa’s largest Covid-relief fraud involved syndicates creating “ghost payrolls” by using dormant companies and false employee lists to claim from the Unemployment Insurance Fund’s TERS scheme. They exploited weak verification processes, submitting claims for non-existent workers, and quickly laundering the funds through various bank accounts and assets.
The Zero-Hour Takedown
At first light on Thursday, dozens of simultaneous raids lit up two provinces as investigators from the Special Investigating Unit fanned out in the largest one-day operation the agency has ever attempted. Tactical teams locked down a 200-metre ring around a sleek office park in uMhlanga’s Ridge precinct at 05:00 sharp, while 500 kilometres north another squad breached a luxury Sandton estate whose owner had boasted on Instagram that he was “printing money during lockdown.”
Between those headline-grabbing sites, the dragnet stretched to 34 locations: harbour-side transport depots, back-room hair salons in townships, a roadside farmstall outside Heidelberg and suburban houses retro-fitted as call-centre hubs. Every address had been pinpointed after six months of number-crunching bank records, scraping metadata and following cellphone pings that began with a single anonymous e-mail: “Look at why a shell with no staff received R38 million in TERS.”
Case files already show 16 companies, 37 people, 214 bank accounts, 438 dubious relief claims and R161 million in questionable payouts. Investigators say the group turned the Unemployment Insurance Fund’s Covid-19 Temporary Employer/Employee Relief Scheme into a private cash dispenser for 18 months, running what appears to be a loose but highly adaptable syndicate.
The Blueprint for “Ghost Payroll” Looting
The scheme relied on simplicity and speed. Spotters recruited real micro-firms that had never paid UIF contributions, borrowed their registration papers, swapped in new bank accounts the ring controlled, invented make-believe staff lists and fired claims through the hastily built online portal. As soon as Treasury released money, the loot was split. One shelf company filed for 1,412 workers – more than the country’s biggest platinum smelter employs – yet its brick-and-mortar address is a single-room bunny-chow takeaway in KwaMashu that actually has two permanent employees.
Disaster regulations meant Labour Centres sat idle; verification was left to an automated handshake between the Companies Commission database and SARS tax numbers. Syndicate members kept dormant firms alive by lodging annual returns, back-dating director changes and paying token tax just large enough to keep the green “compliant” light glowing. Once the portal stamped them “verified,” the risk of exposure cratered. SIU cyber analysts found 94% of the bogus submissions landed between 23:00 and 03:00, hinting at bulk uploads timed for the skeleton night crew. The largest claim – R11.2 million – slipped in at 02:17 on a Sunday in August 2020, won approval 11 minutes later and was cashed out the same afternoon at ATMs in Sandton and Strand.
Following the Digital Paper Trail
Search warrants issued under the 2022 tweak to the SIU Act let detectives clone hard drives on the spot, so Thursday’s haul features 72 terabytes of mirrored data, 47 servers, 134 phones and crypto-ledger thumb-drives hidden inside a child’s school shoe. A diamond merchant’s safe disgorged handwritten isiZulu ledgers that nick-name TERS takings as “i-UIF,” with codenames such as “Mageza” (gunman) and “S’khaftin” (lunchbox) believed to chart weekly kickbacks. One A4 pad cites a meeting at a Midlands hatchery where “10% to M” was agreed; detectives suspect “M” is a mid-ranking official who could unfreeze flagged payments.
Money flows are being mapped with the Financial Intelligence Centre, major banks and two big audit firms working pro bono. Classic laundering patterns emerge: payouts hop from the UIF master account to “trading” accounts, shatter into dozens of subcontractor invoices, slide into retail money-market deposits, and end either as cash or as minibus taxis and suburban homes. One account absorbed R3.8 million, shipped R3.79 million away within 48 hours and then dozed for half a year with exactly R10,000 on call – textbook sleeper-account behaviour. Title-deed sweeps have already linked 28 properties – from Polokwane townhouses to a Margate sea-view flat – to the same four cellphone numbers that appear on the fraudulent forms.
Unions, Upgrades and the Global Fallout
Trade unions, still angry that bona-fide hotel staff waited months for relief, applauded the bust but asked how internal brakes failed so badly. A confidential UIF post-mortem handed to Parliament last October admits the “non-existent integration” between the Covid dashboard and the contributor database let 41,000 non-compliant firms bag at least one payment. Fraud-risk rule tweaks were proposed in July 2020 – and vetoed because they might “slow humanitarian payouts.” Commissioner Teboho Maruping says 6,223 suspicious files have since been shipped to the SIU; Thursday’s blitz targets only the million-rand-plus layer, so a second wave of smaller but plentiful scams is queued for later.
Because syndicates ignore provincial borders, the SIU landed a single omnibus warrant under section 3(1) of the Special Tribunals Act, letting teams hit multiple magisterial districts at once. Each squad blended Hawks commercial-crime detectives, SAPS intervention-unit members for high-risk entries, and digital reservists who can clone an iPhone in 17 minutes. Body-cams streamed encrypted feeds to a Pretoria command post, ensuring evidence integrity; footage already shows a suspect trying to swallow two SIM cards – evidence recovered, obstruction docket opened.
Although the SIU cannot prosecute, it can freeze and claw back assets. The Special Tribunal has received 214 urgent applications targeting R92 million in cash, 31 properties and a helicopter allegedly bought with looted TERS money. Civil cases ride parallel to criminal ones because the burden of proof is lighter; lawyers expect courts to break new ground on “unjust enrichment” and “constructive trust,” remedies used sparingly against state-capture kingpins but never on this scale in social-security fraud. If the Margate flat doubled in value, the windfall is deemed tainted and also forfeits to the state.
Cross-border tentacles appeared when Isle of Man–linked Standard Bank accounts each received R400,000; the dates line up with United Kingdom furlough-fraud headlines, suggesting a transnational playbook swap. The Financial Intelligence Centre has already briefed Britain’s National Crime Agency, and a formal mutual-legal-assistance plea is being drafted to pierce two British Virgin Islands shells. Lesotho’s anti-corruption body wants its own probe after discovering the same South African shelf companies claimed wages for garment workers who never set foot north of the border.
Public outrage is amplified because almost every citizen either collected TERS or knows someone who did. Tip-offs flood WhatsApp lines: a Durban domestic worker sent a voice note proving her employer listed her as “factory staff” yet pocketed the payout; her file is earmarked for the next garment-sector strike in KwaZulu-Natal. Xenophobic rhetoric flared on Twitter, but the SIU stresses 78% of implicated directors hold South African IDs, confirming this is a home-grown hustle.
Beyond courtrooms, the SIU is pushing systemic fixes. It wants the UIF to adopt a biometric portal the Department of Home Affairs is piloting, so every future claim must match a live fingerprint or facial scan, instantly suffocating ghost workers. Treasury has ring-fenced R260 million for the upgrade, yet go-live is pencilled for 2026. In the interim, any firm requesting relief for more than 50 employees will face a mandatory site visit; that rule sliced June 2025 disbursements by 18% but also hurt legitimate rural claimants where Labour Centre cars are few.
From complaint to preservation orders, the case has taken 196 days, the fastest sprint in the unit’s recent history; the norm for 2024/25 is 627. Investigators repurposed state-capture analytics, fed it pandemic-era variables – such as staff numbers rising while GDP tanked – and watched the engine spit out 600 red-flagged firms in 48 hours. The toolkit is being offered gratis to BRICS anti-graft partners; India and Brazil, where emergency wage schemes also haemorrhaged billions, may soon stage copy-cat raids.
No one is declaring victory yet. History shows only 14% of Arms-Deal loot has returned to state coffers, and global Covid-fraud restitution sits at a meagre 8%. Success will hinge on courts accepting that interest and capital gains are equally dirty, and on banks waiving confidentiality without protracted subpoenas. For now, the SIU has quietly rented every clean server rack in Midrand and cancelled leave until March 2026; 72 terabytes of evidence promise late nights and, they hope, a record-breaking pay-back.
[{“question”: “
What was the nature of the Covid-relief fraud in South Africa?
“, “answer”: “The fraud involved syndicates exploiting the Unemployment Insurance Fund’s Temporary Employer/Employee Relief Scheme (TERS) by creating ‘ghost payrolls.’ They used dormant companies and fabricated employee lists to claim TERS funds for non-existent workers, effectively turning the scheme into a private cash dispenser for 18 months.”}, {“question”: “
How did the perpetrators manage to execute the ‘ghost payroll’ scheme?
“, “answer”: “The scheme relied on simplicity and speed. Fraudsters recruited dormant micro-firms, swapped their bank accounts for ones they controlled, invented fake staff lists, and submitted claims through the online portal. They exploited weak verification processes, as Labour Centres were inactive due to disaster regulations, and verification was an automated handshake between the Companies Commission database and SARS tax numbers. Many bogus submissions were timed for late-night bulk uploads to avoid scrutiny.”}, {“question”: “
What triggered the investigation into this large-scale fraud?
“, “answer”: “The investigation was initiated by a single anonymous email tip-off that questioned why a shell company with no staff received R38 million in TERS funds. This led investigators from the Special Investigating Unit (SIU) to conduct six months of intensive data analysis, including number-crunching bank records, scraping metadata, and tracking cellphone pings, which ultimately pinpointed the fraudulent activities.”}, {“question”: “
What was the scale and impact of the SIU’s operation against the fraud?
“, “answer”: “The SIU launched a massive one-day operation, conducting simultaneous raids at 34 locations across two provinces. This ‘zero-hour takedown’ involved tactical teams and resulted in the collection of 72 terabytes of data, 47 servers, 134 phones, and various other pieces of evidence. Case files already show 16 companies, 37 people, 214 bank accounts, 438 dubious relief claims, and R161 million in questionable payouts. The SIU has also frozen assets, including cash, properties, and a helicopter, through urgent applications to the Special Tribunal.”}, {“question”: “
How did the fraudsters launder the stolen money?
“, “answer”: “The money laundering followed classic patterns. Payouts from the UIF master account would hop to ‘trading’ accounts, then shatter into dozens of subcontractor invoices, slide into retail money-market deposits, and ultimately end up as cash or converted into assets like minibus taxis and suburban homes. Investigators identified ‘sleeper accounts’ that would quickly move most of the funds after receiving them, leaving only a small balance. Title-deed sweeps have linked 28 properties to the same cellphone numbers used in fraudulent forms.”}, {“question”: “
What systemic changes are being proposed to prevent future fraud?
“, “answer”: “The SIU is pushing for systemic fixes, including the adoption of a biometric portal being piloted by the Department of Home Affairs. This portal would require a live fingerprint or facial scan for every future claim, aiming to instantly eliminate ‘ghost workers.’ While this upgrade is penciled for 2026, in the interim, any firm requesting relief for more than 50 employees will face a mandatory site visit. The SIU’s analytical tools, which rapidly identified red-flagged firms, are also being offered to BRICS anti-graft partners to combat similar emergency wage scheme frauds.”}]
