A bizarre security breach has scuttled crowdfunding efforts for Zimbabwe’s ChatGPT alternative

This story began as a feature article on a crowdfunding drive by AfricAI, the AI startup that developed chatbots, ZivAI and DanAI. Instead, it became an investigation into hacking, fraud, and industrial espionage allegations.

While AI is a global hot topic, Zimbabwe has been locked out of a big part of the conversation. Sanctions from the United States and the European Union mean that ChatGPT, one of the most popular AI tools, is banned in Zimbabwe. But gaps like this create opportunities for entrepreneurs to develop alternatives. The two popular alternatives for Zimbabweans are ZivAI and DanAI–both created by a company called AfricAI. The chatbots have won the company media coverage, but in a bizarre turn of events, AfricaAI is now facing allegations of fraud.

The allegations are connected to a crowdfunding drive in which the company raised over $24,000 of its $50,000 target in three weeks. Per the crowdfunding MOU, donors are “entitled to receive a proportional portion of 10% of the Company based on their contribution amount, upon Series [A] raise.”

AfricAI suffers breach

But on Friday, July 7th, AfricaAI shared in a press release that its fundraising page had been breached. Part of the statement read, “We regret to inform you of a recent security breach that occurred on our funding page. On July 7, 2023, an unauthorised individual gained access to our Superbase-hosted backer database. We have taken immediate action to address the situation and strengthen our security measures to prevent any such incidents in the future.”

The company also claimed that a certain Michael Dera was behind the “hack”, claiming that he “exploited a vulnerability that allowed unauthorised access to our backer database.” Regardless, AfricaAI claimed that the funds donated were not lost.

Dera disputes AfricAI’s characterisation of events and instead said that he only highlighted the company’s security deficiencies. “If you opened the page, you noticed that apart from sending blank transactions, they were also sending people’s personal details, including emails and phone numbers, without any sort of security. I also noticed that because everything was exposed like that, I could also do a post request to their website as well,” Dera told TechCabal on a call.

Dera inflated the website’s figures to millions of dollars to show the vulnerabilities, sharing the process on social media. He said AfricAI was not truthful about the funds they had raised and the number of backers.

“Hacker” accuses AfricAI of dishonesty

Dera says his motivation was the company’s dishonesty about the funds they had raised and the number of backers. He shared a payload of the transactions he captured with TechCabal and insinuated that some donations were fake. Dera bases his claims on the manual nature in which most donations were added to the funding platform.

AfricAI’s founder, Kuda Musasiwa, agreed that the transactions were added manually but only because some donors had sent funds via bank account transactions instead of the funding page. He also claims that those bank transactions were also recorded on Stripe. Musasiwa shared the transactions on his Stripe dashboard with TechCabal, which matched the payment IDs on the payload shared by Dera which TechCabal had asked to corroborate. Musasiwa’s rebuttal opens the possibility that Dera’s original claims may be false.

While Dera still sticks to his judgment until he sees Musasiwa’s Stripe dashboard, he claims he will apologise if he’s proven wrong. “If I am proven to be lying, I will come out and apologise. I have nothing against being wrong.” If Dera accepts that his claims are wrong, the reputational damage to AfricAI would already have been done.

How will AfricAI move forward?

According to Musasiwa, the actions and accusations by Dera have caused indelible damage to AfricAI’s reputation and its ability to more funds. He blames Dera’s actions on jealousy and “industrial espionage” as Dera works for a competing software development firm.

“Since the incident last week, we have seen a major slowdown in funding from even our most active backers. I would be the first to admit that we could have done better regarding security on the funding page but that does not give [Dera] the right to do what he did. He could have just reached out to us to correct the vulnerabilities but he chose to destroy our reputation instead,” he said.

Moving ahead, ZivAI intends to beef up its security on all platforms, including the funding page, and also pursue legal action against Dera, a challenging route for a fledgling startup still raising funds to do the most basic functionalities like paying for equipment and paying employees.

On the threats of legal action against himself, Dera stated that apart from social media “threats” from Musasiwa and his spouse, some of which he shared with TechCabal, he has not had any communications from Musasiwa’s legal team. “As far as I’m concerned, if I hacked their data, they’re supposed to report the incident to the UK Information Commissioner’s Office because that’s where their company is registered. GDRP requires that incidents like this be reported to them within 72 hours. Otherwise, there’ll be a financial penalty for that. The fact they have not done so speaks volumes.”

When TechCabal asked Musasiwa what challenges they faced in the crowdfunding process in an earlier interview, he confidently said none, before adding that getting investors to believe in the project’s validity was the only challenge. Never would he have thought that an incident like this could derail their fundraising efforts.

“Part of building tech products is learning from your mistakes literally every day. This has been a very unfortunate and costly incident but we continue on our mission to try build our platforms for the benefit of our users,” he concluded.