An investigation by News24 has revealed that a cyber security expert who was brought into President Cyril Ramaphosa's campaign for the ANC leadership is suspected of leaking confidential information into the public domain. The tech expert, who is "implicitly" trusted by Ramaphosa, however left his side after a falling out with the president's head of security. Kyle Cowan reports.An investigation by top cops into the source of leaked emails from the heart of President Cyril Ramaphosa's CR17 campaign has exposed huge rifts between the president's most trusted security allies.At the centre of the probe is a shadowy IT expert, who the president "trusts implicitly", with links to the State Security Agency and the police’s crime intelligence unit. The cyber consultant, News24 has established, is Alexio Papadopulo, 37, who, according to leaked CR17 bank statements, was paid R4.8m by the CR17 campaign to provide cyber security to Ramaphosa and his campaigners. The Presidency confirmed that the Directorate for Priority Crime Investigation, or the Hawks, and SAPS Crime Intelligence were now investigating the possible hacking of Ramaphosa's and his advisor’s emails surrounding his successful 2017 ANC presidential bid.News24 understands the Hawks’ cybercrime division is seeking access to all electronic devices connected to the campaign server.News24’s investigation has established that:Papadopulo was at the centre of the CR17 campaign’s cyber and IT operations;He is suspected by key Ramaphosa operatives of being the source of the leaks;Both the SSA and crime intelligence have shown heightened interest in his activities;The CR17 campaign was constantly targeted by hackers seeking access to its servers.Papadopulo worked for Ramaphosa for eight months after he became president, before leaving after a series of confrontations with the head of the presidential protection unit, Major General Wally Rhoode. It culminated in Papadopulo allegedly having to strip down in Rhoode’s office to check if he was wearing a listening device.A senior intelligence source with knowledge of the investigation into the leaked emails told News24 that Papadopulo and former SSA director general Arthur Fraser are "tight" – meaning they share a close relationship. Papadopulo also declined a job offer from SSA after Ramaphosa became president, and a family member claimed to have done contract work for the SSA in the past.Alexio Papadopulo. Image:Supplied The police’s crime intelligence unit seemingly also have more than a passing interest in Papadopulo. It is understood that there has been contact between him and representatives of crime intelligence, and that they are aware of his activities and affairs over the last two years. It is, however, unclear what their specific interest in or link with him is. One crime intelligence official described Papadopulo as "unassuming" and no different from "the man on the street".CR17 campaign relentlessly targeted during ANC battleTwo sources close to Ramaphosa, who have direct knowledge of conversations and concerns in his circles, say Papadopulo is suspected of being the leak. But Papadopulo, who set up and managed the CR17 email server "alexio.online" specifically for the campaign is, according to documents and interviews with key officials involved in the probe, not a suspect in the Hawks investigation and no direct evidence links him to the leaks. Papadopulo, who is cooperating with the Hawks, authored a report of activity on the email server which shows the emails may have been obtained through a hack, orchestrated by persons unknown, of the laptops or cellphones of key Ramaphosa advisors. The report, seen by News24, confirms that throughout the campaign and after, the laptops of Ramaphosa’s closest aides were targeted with malware and "phishing" attacks – virus-type software that would have attempted to gain access to the computers to log passwords. URL addresses on the bottom of the leaked emails show they were most likely printed after email accounts were logged into from a web application. The report contains the IP addresses that accessed the server. News24 traced one of the IPs to an internet service provider in India. The remaining IPs show the server was accesses via Telkom and Cell C networks. News24 understands the Hawks now want access to all the electronic devices of Ramaphosa and his staff in the Presidency who used alexio.online emails, a necessary step to determine if their cellphones or laptops were hacked. It is understood the Presidency has indicated to the Hawks that it would only undertake this process once the legal review process of Public Protector Busisiwe Mkhwebane’s report, where the emails are first mentioned, is finalised. Presidency spokesperson Khusela Diko said the leak of Ramaphosa’s private correspondence was a breach of security, which prompted the request for an investigation. "We understand that an investigation is being undertaken. The Presidency therefore is not in a position to comment on speculation or rumour, but will rather await the outcome of that investigation," she said in response to questions over Papadopulo and his links to the intelligence community. Papadopulo, Fraser, the Hawks and CR17 campaign managers were asked to comment for this story, but had not responded at the time of publication. Cyber warfareNews24 has established that Papadopulo was an IT consultant brought in by the CR17 campaign's head of security, Wally Rhoode, to ensure the communications of campaign members would remain secure. After Ramaphosa assumed office, Rhoode was appointed as the head of the Presidential Protection Unit. As well as ensuring the electronic communications of the president and the campaign were secure, Papadopulo also conducted sweeps for bugs in hotel rooms and official residences occupied by the president.Rhoode, who worked on the campaign’s security, is understood to have recruited Papadopulo for the job. Rhoode was asked to comment for this story, but refused to do so. For at least eight months into Ramaphosa’s presidency, Papadopulo was still involved, conducting security assessments, bug sweeps, drafting reports for Ramaphosa, and advising the PPU on cyber security matters. Ramaphosa, News24 was told, trusts Papadopulo explicitly. But in late 2018, Papadopulo walked out, allegedly after several confrontations with Rhoode, which culminated in Papadopulo allegedly being asked to strip down to his underwear in Rhoode’s office, so that he could be checked for recording devices. Hawks probe started in AugustLast month, News24 first published details of the leaked emails, which showed that Ramaphosa was aware of the funding of his campaign despite persistent denials that he had any direct knowledge of financial issues. A little more than a week after publication, the head of the PPU, Rhoode, wrote to the head of the Hawks, General Godfrey Lebeya, asking for a probe into the possible hacking of Ramaphosa and his advisor’s email accounts.Head of the Presidential Protection Unit, Major General Wally Rhoode. Image:Supplied News24 understands the Hawks investigation actually started earlier in August.In his letter, Rhoode expressed concern that Ramaphosa’s personal communications may have been compromised.According to information obtained by News24, three possible scenarios exist on how the emails were leaked. Either, Papadopulo himself is the leak, as he would have had access to the entire email server. The second possibility is a complicated hack of the laptops or cellphones of Ramaphsoa’s advisors. The third possibility is that a member of the campaign leaked the emails. So far, the probe has sought to determine whether the email server used by the CR17 campaign members was hacked or compromised in some way, while Papadopulo’s report given to the Hawks suggests that, rather than a complicated server hack, forces unknown gained access to two laptops belonging to key Ramaphosa advisors, who also worked on the campaign. The email server in question, "alexio.online", was set up and managed by Papadopulo himself. News24 traced Papdopulo through his website, also alexio.online. A page attached to the website, but which is no longer available on the home page, revealed the name of a company named Mardiscore, trading as "The Agency". The page included FNB banking details for the company. Company records confirmed Papadopulo is the sole director of The Agency, which was registered in March 2017. Leaked bank statements also reaveled that R4.8m was paid to The Agency between September 2017 and February 2019.A screenshot of the web page that led News24 to Alex Papadopulo. It shows the name of Papadopulo's company, Mardiscore, trading as The Agency.