On Friday, 7 January it was announced that Johann Steynberg, the fugitive CEO of Mirror Trading International (MTI) had been arrested in Brazil on 29 December 2021. Steynberg fled South Africa in December 2020 after MTI had collapsed. The scheme was liquidated on 30 June 2021 with investors trying to claw back some of their money.
Steynberg was apprehended by an elite military police unit after presenting a fake identity document. After his arrest police found another two fake identity documents, two laptops, a cell phone and six credit cards. Our source has decided to remain anonymous. Here is a unique insight into some of the events that have transpired.
Table of Contents
According to Anonymous: “It is unusual that he had two laptops and only one phone in his possession judging from the vague news reports of his arrest. In these matters there is almost always a second burner phone. Forensic analysis of these devices will be critical in retrieval of information, accounts and wallet access. Further to that, if I were a fugitive on the run and did not want to be found I would definitely not use a credit card.”
Red flag past
Steynberg has a history of dubious projects that date back as far as 2010. These schemes include Slap The Guru and Devoted Investments. Another company domain Kipisa.com was registered in 2015 in Panama for Kipi SA.
In the above screenshot we see the username ‘joesteyn’ appear which is most certainly Steynberg and right away there is deception in regards to him investing in his own “business” under a false name. This username will surface later in MTI.
One of the most bizarre revelations from the Steynberg arrest is that he has a Brazilian girlfriend. He still has a wife and child in South Africa who were left behind when he fled the country in December 2020 after MTI’s collapse. Steynberg married his wife Nerina in 2006. In 2011 Steynberg registered an account using his personal Gmail account on the dating site Fling.com under the username “Euro137”. When he registered the account he adjusted his date of birth (1983-07-13) slightly to 1984-06-12 so as to perhaps throw off any scent from his trail.
This data was extracted from public data dumps.
At the height of the MTI saga, when their forex broker FXChoice closed MTI’s trading account, it was claimed that another broker took over MTI’s forex trading called Trade300. It is widely believed that Steynberg himself was behind this entity.
Anonymous: “There was indeed a user account called ‘joesteyn’ on the Trade300 WordPress site and the domain name registration has a bit of a history. If I were Steynberg I would have definitely made the tactical move to purchase a domain name with some history behind it to add some credibility.”
“A tactic used by people to deceive is to hand a victim one piece of information to quell any doubts they had. Sometimes a person will just want to have that information regardless of whether it is pertinent or not thus suspending critical thinking. It is a common thread with these crypto-based scams to just give any information or data and a victim will pretend to understand it or dismiss that voice in the back of their minds.”
There are indeed traces of a Trade300 related to finances online but perhaps coincidence:
“On 20 July 2020 Johann Steynberg and Tom Fraser, business advisor to MTI, had a meeting with Gerhard van Deventer and Andrea Coetzer from the FSCA”, Anonymous relates about the regulators stepping in. “Both Steynberg and Fraser stated under oath that they partook in criminal activity and nobody at MTI was qualified to be working there, but I am focusing more on the subtext here and flagged a few things.
Deventer takes the soft approach up until the end of the interview whilst Coetzer takes a clinical, direct approach. Good cop, bad cop perhaps. I would say particularly Fraser underestimates the FSCA team and tries to take control throughout the interview while Steynberg, in general, seems rather confused. Since Cheri Marks attended another FSCA interview Steynberg could have had a tactic of bringing in ‘loud’ personalities to deflect and try to confuse the investigators.
Coetzer notably keeps reverting back to previous answers given. This is a common method used in questioning: revert back to the past to see if the integrity of statements hold up. Remember – a recollection is from memory but a lie is from imagination so does not hold up if you go backwards.
I get the impression based solely on the transcript that Fraser is indicating dishonesty right from the start. He starts almost every statement in a submissive, apologetic manner and then waffles on about his business acumen and talks to the two financial regulators as if they know nothing. People who talk too much in an interview and that appear overly ‘helpful’ or ‘hyper arrogant’ in my experience are either nervous or up to something. He mostly says nothing and veers off topic often. He also states his belief in the remarkable skill of Steynberg several times to drive home some linguistic programming. Fraser often interjects when Steynberg is asked a question to perhaps further try to control the room. Towards the end of the interview Fraser’s answers become shorter. Fraser states what a savvy businessman he is yet during the interview says he invested in a stokvel and lost all his money indicating that he operates in this MLM (multi level marketing) space. He also repeats ‘Ponzi’ dozens of times and is the only one who uses the term. In one instance Fraser even completes Steynberg’s sentence and constantly repeats himself hence why I say he was trying to control the room.
Steynberg’s answers are sometimes confused and he even appears to mumble a critical person’s name at one stage for some reason. Fraser several times attests to the intelligence of Steynberg, yet Steynberg can barely speak English during the interview. His answers compared to Fraser are a lot shorter, hardly ever using long or convoluted words. Something I noticed in regards to this interview and in minutes of MTI meetings is that Steynberg is always in the process of making a change, working on something, about to release something, working with a team on a task, but never actually doing anything at all. Steynberg several times tries to subtly deflect liability onto other people and just generally seems to not know anything.”
The Last Supper
The last Zoom call that Steynberg appeared on was streamed on 7 December 2020. By this time it was already obvious that Steynberg had left South Africa.
Anonymous talks us through this video: “Cheri Marks’ and other MTI leaders on the call show body language that indicated stress. Firstly, her blink rate is very high. Her eyes often shift left and right as well as close to block out the viewer. At a point near the end of the call Marks starts to swivel in her chair back and forth while Steynberg is speaking which is a change in her movement. Several times during the call Marks smiles. The smile does not last and it is with her mouth and not with her eyes. “
“Steynberg also mirrors a lot of her body language and their interactions are very passive aggressive. Marks pushes her lips together while waiting for Steynberg to answer several questions possibly indicating stress and several times she over-gesticulates which, based on other videos of her, is a break from her usual body language. Marks’ also nods constantly as if she wants the viewer to follow along.”
“At the 44:59 mark, Marks makes mention about catching up with outstanding withdrawals. Steynberg reacts by his respiration clearly becoming higher, adjusting his shirt as if he is hot and taking a drink of water but swallowing it really slowly. He also appears to be more self aware looking around and adjusting his laptop camera’s view slightly.”
Anonymous: “Shortly after Steynberg’s disappearance Cheri Marks released a letter with her explanation of what was going on. Included in the communication was an allegedly automated “dead man’s switch” email that was set to go out in the event of an issue with Steynberg. Here is the exact creation date of this ProtonMail email address: 2020-12-15 13:54:54. Straight away this contradicts the narrative as the body of the email contains the date of “1 December 2020” at the top. This is of course impossible since the account had not been created yet. The actual timestamp of the email just below the email address is: Tue, 15 Dec 2020, 14:36. So less than an hour after this ProtonMail account was created the email was sent from it.”
“The devil is in the details here as you cannot automate an account creation for any Proton service and you also have to either supply a recovery email or telephone number. Contrary to popular belief, Proton does service search warrants under certain conditions but indeed can only supply a certain amount of information.”
Protonmail uses the Pretty Good Privacy (PGP) encryption standard for encrypting emails. Herewith is the PGP key for the email address firstname.lastname@example.org which confirms its creation date.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: ProtonMail xsBNBF/YpA4BCADXcrv5MJsrWEOc1y/A7MfK2nQYj4roWG/9wq8AQzgye1gQ oda8N3L6lSmIxbb5OWlgO66Tu9SXYjs0WkI/uDbf2WzqR9Gr2DoRlOWxKZ8n EQiycmhTNuqM8pKWhwj8ZDQmh1fwyx4zLSRqelUWhOz5GR0mkHcWRiTczVKD SJ6A4eCrwET3caWY2oTBd+euaBr2k4L0rIha1oLUYkCLuZy6cg6ml08eX+yQ Xv5BifAl1DoYm/irMO8Bi4R6zSslyXKtK29iVrsrln5PX0WIybp//1Qn+F86 zbY/GPltzTKDyZ7kOJ+rN8qhDRb+RvTbG5S/8mf6RX0HweFu/JLed2FJABEB AAHNMW10aS1pY29lQHByb3Rvbm1haWwuY29tIDxtdGktaWNvZUBwcm90b25t YWlsLmNvbT7CwI0EEAEIACAFAl/YpA4GCwkHCAMCBBUICgIEFgIBAAIZAQIb AwIeAQAhCRDprd7G4AVA4BYhBCI7KezIF3+V5FeTfOmt3sbgBUDgXN4H/jec Hcrmf71tL3LPJx/n555gf30dGk++VBxf/OSZ/CVoK2a331qRfKerpqs/vAEH tW9qNGZvGrRYO0thaBwok3AUQwAgvvBDC9zDQOREgC8TKzLpgxkonNpgWIYz tZRMsmnWb0YQy6l8+Zz1WYVn+5yiJ6HDBcCSDvddn1T4cVuAYOVTUQIvIsPC s9+rc5XNqxvzw6NCOmN/J1T2Wh1zxu471bwBNVbr8MF8kSbSr8y4mLspVQsE kSN9L78MjR9+37Tyo9onyplkzhClL4U/+0UnwvdhZzzeasEcS6FYAuxW36vi 4Ov222PAr/ITMDPvm2J6Jc75JLr0U846XdYLdGfOwE0EX9ikDgEIAJcDlApN jrIFN9Kd+DZCdkAVrhLVfkfxhKohZH/lRW6IWLzf/gxkJOw3u4EqejnOG3uv 3yREx8pAuSl8Z/jxfjsyqo3CweB/hPZtqfD1z8XDgZMMUgXwUnqC0Br57rJ4 wOUGviC0qNV7dBsHoTX1jIPy+ZIya4zH9w5Zgxt3HyCPPEvsGE2nF3BNoYfb JOOHscbsenazana5h8PEDKumrWBYDWT1rl0VXJ/xp1Lw8TOQIlFWPKfc+OOx Gzq06/3o6+UC3jSv0eF1NDYApBCSiy/pUMGNtjJ3b0BpUlX3xuDyRNQ8bUu7 7bfWdaCkRKJ1L9YZPcs2v6uiw03HkThBjJUAEQEAAcLAdgQYAQgACQUCX9ik DgIbDAAhCRDprd7G4AVA4BYhBCI7KezIF3+V5FeTfOmt3sbgBUDgMJIIANIH gFpByp8tvtYfRGHKmlSWeiObkSZXjs+t5nEPyyCcavoG/f36BD3aC1ZG5tSf 5sO14dYq0yVd23mvxSSiUFLtQgJqdSWUFdeEfyGVmydNe4zc/hyIniKmblwn VzNHUuF+jZir4zutkpyyaQRI4Zred5obWtwAeV+8XyCiABdOHeuAgADwa++W ESJ/OKn70RxJAXjvTdNjHWYt4KKEhnQctIieyHNxpNJd4i++XjEcu7pY2rRg jU84mZ+PMwcn3uyR3253zKhN+3mr0eiBJwKF7XBLf3F2c66hTZpVr3Iex4LV JIg3XQH5JzxNSr54JWkBvmolXR6j2inRTzw0OiM= =s03k -----END PGP PUBLIC KEY BLOCK-----
Anonymous: “After Steynberg went missing a private investigator was mandated by Marks and the MTI leaders to locate him. A submission amongst all the court documents was the report from a Private Investigator (PI) called Nambiti Investigations formerly known as Classidra Investigation Services. A lookup on the Private Security Industry Regulation Authority (PSIRA) site, which governs persons or companies operating in the security field, showed that Nambiti’s license expired in 2017. This could be an issue with regards to what was conducted according to the submitted report. On page 1558 of the report the PI claims that he established the IP addresses used by Steynberg and several other people and claims that he tracked them down to a specific physical location. The report included no annexure containing this list of IP addresses nor any explanation of how the PI achieved this technically impossible feat. There are a number of other discrepancies inside the report, for example calling the Incident Report Book at a charge office an ‘Information Book’.”
When asked about his final thoughts, Anonymous says: “These are amateurs playing in the professional league who got lucky. A little bit of time and a lot of OSINT (open source intelligence) you can see a bit more behind the curtain with my findings as this entire debacle has turned into an open source investigation of sorts.
A sobering thought is that if it weren’t for the diligent work of one journalist, the general public would have no idea or care about MTI’s transgressions. Coupled with the solid investigation conducted by the inundated FSCA, one hopes credit is given where it is due. When I wake up tomorrow morning, I will be thankful for many things but mainly thankful that I am not a defendant with regards to MTI because there is a lot more data beyond what I have released and others will have already figured out far more.”
Steynberg will be charged in Brazil for using a fraudulent identity document and have to pay a fine. Since there was an international warrant out for his arrest he might be extradited to South Africa. The Hawks have confirmed his arrest and are busy investigating. Since MTI sold products to US citizens, Steynberg might also face charges in the US.