How Little Known KwikBet Leveraged Stolen Kenyans Data To Build Its Empire

Most Kenyans who bet on Kwikbet know the platform the way they know their mobile money wallet: functionally, without curiosity about what lies behind it.

The yellow and purple website, the paybill number 290028, the SMS code 29028, the Omoka jackpot, the Aviator free bet rain.

Kwikbet has been a quiet fixture of the Kenyan betting landscape since 2017, never the loudest voice, never the biggest headline, never the company whose name appears in Senate proceedings or whose directors are summoned to account. That invisibility has served it extremely well.

It is about to end.

A Directorate of Criminal Investigations forensic report, compiled from WhatsApp conversations recovered from the devices of two former Safaricom employees convicted of stealing subscriber data, names Kwikbet among the companies that purchased that stolen information.

The data covered not only the 11.5 million Safaricom subscribers identified as active gamblers, with their complete betting histories, M-Pesa transaction records, geolocation coordinates, and identity document numbers.

The forensic record establishes that the full Safaricom subscriber database of 29.9 million Kenyans was extracted and available to buyers. Kwikbet, according to that official DCI analysis, was among those who came to the market.

The High Court sitting in Nairobi will on May 13 deliver a judgment in a constitutional petition arising from the same theft. Whatever the court concludes about Safaricom’s liability, the forensic record that names Kwikbet was compiled by Kenya’s own criminal investigators and submitted in active proceedings. It does not disappear on May 14. It sits in the court file, waiting for the authorities who compiled it to do something with it.

Kwikbet has operated in comfortable anonymity for seven years. The DCI forensic report it appears in has existed for the same seven years. The judgment on May 13 makes that coincidence indefensible.

SOLAMI LIMITED: THE COMPANY KWIKBET DOESN’T ADVERTISE

Kwikbet is not operated by a company most Kenyans could name if asked.

It is the trading name of Solami Limited, a software and technology company registered in Kenya and headquartered at the third floor of a building on Mpaka Road, Westlands, Nairobi.

The company employs between eleven and fifty people according to corporate intelligence databases.

It describes itself as operating in software development, computer networking equipment, and network security hardware. Its annual revenue has been estimated at approximately two million US dollars.

Solami Limited holds a BCLB bookmaking licence, with various sources citing licence numbers BK0000130, BK0000310, and BK0000670 at different points in the company’s history, reflecting licence renewals across multiple regulatory periods.

The company’s own current terms and conditions confirm it is licensed under the Betting, Lotteries and Gaming Act, Cap 131. Its paybill number, its SMS short code, and its website are all the external faces of a corporate structure that has made transparency an afterthought.

The directors and shareholders of Solami Limited are not publicly disclosed on the company’s platform, its marketing materials, or any public statement it has made.

Unlike Betika, whose corporate structure is traceable to named individuals through company registry records and professional profiles, and unlike Odibets, whose connection to Jimmy Kibaki, Andrew Aligula and Kareco Holdings is part of its public narrative, Kwikbet has traded in deliberate opacity.

What is established from the court proceedings and the forensic record is that George Mburu, the co-founder of Roamtech Solutions Limited and a founding member of Betika, appears in the DCI WhatsApp evidence in connection with the purchase of stolen subscriber data.

Kwikbet is named in the same forensic analysis as a recipient of the data, placing it in the same criminal ecosystem as Betika during the same eleven-month period of the theft.

The forensic record’s positioning of Kwikbet alongside Betika and Odibets in the same transaction network invites the question of whether the connection between Kwikbet and the Betika ownership structure through George Mburu extended beyond Betika itself.

Kenya Insights sought confirmation from Solami Limited on this question. No response was received.

What is documented is this: the company operating Kwikbet acquired stolen citizen data during the same period it was positioning itself in one of the most competitive and rapidly growing markets in Sub-Saharan Africa.

It did so through a criminal scheme that Kenya’s own investigators documented in a forensic report

It then survived the 2019 industry crackdown that eliminated its largest rivals, and it grew on the other side of that crackdown without ever having to answer a single public question about how it acquired its early competitive intelligence.

WHAT KWIKBET BOUGHT: THE CONTENTS OF THE STOLEN SAFARICOM DATABASE

The Safaricom data theft that began in June 2018 was not a simple leak of subscriber names and phone numbers. Former senior Safaricom employees Simon Billy Kinuthia and Brian Wamatu Njoroge, operating through a network of intermediaries, extracted one of the most comprehensive subscriber surveillance datasets ever assembled in Kenyan corporate history.

The DCI forensic analysis, drawn from recovered WhatsApp conversations between Kinuthia and Wamatu, establishes what the stolen records contained. Each subscriber’s full name. National identity card number. Passport number. In many cases, military identification number or alien card number. The subscriber’s complete M-Pesa transaction history. Total amounts wagered on betting platforms over the subscription period. Detailed gambling frequency and behavioural patterns. Handset IMEI numbers and dual SIM specifications. And precise geolocation data, placing each subscriber not merely in a county but in a specific locality.

For a betting company, this information is not simply useful. It is transformative. It answers the question that every betting firm’s marketing department is trying to answer through legitimate means: which specific Kenyans bet, how much do they bet, how often do they lose, and where can we reach them? The stolen data provided those answers with clinical precision for 11.5 million identified gamblers, and it offered partial but still commercially significant intelligence on the remaining 18.4 million subscribers in the full 29.9 million database.

Kinuthia made the scope of what had been extracted explicit in a WhatsApp message on July 17, 2018: the full details of all 29.9 million Safaricom customers had been backed up.

That message was recovered by DCI investigators and forms part of the forensic record.

The transaction chain that delivered portions of this dataset to companies including Kwikbet was documented in the same forensic analysis.

The data was sold in commercial tranches, segmented to suit each buyer’s needs. Datasets of 50,000 subscribers, 100,000 subscribers, and 200,000 subscribers were packaged separately. Sample data was provided on request to confirm authenticity. Payment followed confirmation. Kwikbet was among those confirmed as having transacted in this market.

What Kwikbet bought was not a marketing list. It was a forensic map of which Kenyans were addicted to gambling, how much they had lost, and exactly where they lived. That intelligence cannot be acquired legitimately. It was stolen.

THE CRACKDOWN THAT CHANGED EVERYTHING: FROM 15,000 TO 85,000 USERS IN EIGHT WEEKS

In July 2019, the Betting Control and Licensing Board refused to renew the licences of twenty-seven betting firms, including SportPesa, Betin, and Betway, which together controlled eighty-five percent of Kenya’s betting market.

The government simultaneously directed Safaricom to shut down the paybill numbers and SMS short codes of the suspended companies, severing their ability to receive customer deposits and cutting off millions of active bettors from their preferred platforms overnight.

Seven companies survived the cull with their licences intact: BetLion, Mcheza, Kwikbet, Odibets, Gamemania, Betpalace, and Betika.

The BCLB’s stated criteria for survival included tax compliance, operation within the law, sufficient liquidity, and a satisfactory four-year financial track record.

The regulator did not, at that point, possess or act on the DCI forensic evidence that at least three of those seven surviving companies, including Kwikbet, had been purchasing stolen subscriber data throughout the period under review.

The consequences for Kwikbet were dramatic and swift.

In June 2019, before the crackdown, Kwikbet had approximately 15,000 users, placing it among the smallest platforms in the Kenyan market.

Two months later, in August 2019, that number had grown to 85,000, an increase of more than five hundred percent.

It had become one of the fastest-growing betting platforms in the country, not through advertising, not through sponsorship, not through any identifiable marketing investment of the kind that drove Betika’s user acquisition, but through the sudden availability of a market from which 85 percent of operators had been excluded.

The question of how Kwikbet, with its modest infrastructure, its limited sports offering, and its negligible public profile, managed to capture tens of thousands of new users in the immediate aftermath of the crackdown has never been publicly examined.

The DCI forensic record provides a partial answer.

A company that had, over the preceding year, purchased detailed intelligence on which Kenyans were the most active gamblers, where they lived, and what their betting patterns looked like was not competing blind in the post-crackdown market.

It knew who to reach.

It knew how they bet. It knew their financial behaviour through their M-Pesa histories. The stolen data was not merely a marketing list. It was a conversion toolkit built from stolen citizen intelligence.

THE NETWORK: KWIKBET, BETIKA, AND THE SAME FORENSIC TRAIL

The DCI forensic report does not name Kwikbet in isolation. It names Kwikbet alongside Betika and Odibets as recipients of stolen Safaricom subscriber data.

The forensic linkage between Kwikbet and Betika, already companies with overlapping beneficial interests through George Mburu’s connection to both the Roamtech corporate structure that underpins Betika and his appearance in the WhatsApp evidence, creates a picture of coordinated data acquisition that is more troubling than any individual purchase in isolation.

The original scheme was designed precisely to prevent buyers from knowing the origin of the data.

Sergeant Joseph Chebor, the DCI investigating officer, noted in his statement on the criminal case: the chain worked so that the end person did not know the origin of the data.

The rogue Safaricom employees, the intermediaries, and the purchasing companies were deliberately insulated from one another in the transaction chain.

This means that Kwikbet’s legal exposure depends not on whether it knew the data came directly from Safaricom’s servers, but on whether it knowingly received and commercially exploited stolen subscriber data.

On that question, the forensic record speaks for itself.

The Computer Misuse and Cybercrimes Act, 2018, which was in force throughout the period of the theft, criminalises the receipt and commercial use of data obtained through unauthorised access to a computer system.

It does not require the recipient to have participated in the original breach. It requires only that they received data they knew or ought to have known was obtained without authorisation, and used it for commercial purposes.

A betting company that purchased a dataset comprising the complete gambling histories, financial records, and identity documents of hundreds of thousands of Kenyans, delivered through a commercial transaction in which sample data was provided in advance to confirm its authenticity, is not in a position to claim ignorance of its provenance.

The sample data itself, containing intimate financial and personal details that could only have been extracted from a telecommunications company’s subscriber records, was the notification.

THE LEGAL RECKONING: WHAT REGULATORS AND PROSECUTORS CAN DO

The legal tools available against Kwikbet and Solami Limited are the same framework that applies to Betika and Odibets, but with one additional dimension: for a company of Kwikbet’s relative size, the financial consequences of that framework are potentially more existential.

The Data Protection Act, 2019, which came into force on November 25 of that year after the theft had commenced but while its effects were still being commercially exploited, provides for administrative fines of up to Sh5 million or one percent of annual turnover for the preceding financial year, whichever is lower.

For Solami Limited, with estimated revenues in the region of two million US dollars annually, one percent of annual turnover represents a meaningful and potentially crippling financial sanction.

The Act further provides for criminal prosecution of directors and company officers who have committed wilful violations, with imprisonment as a sentencing option.

The Computer Misuse and Cybercrimes Act carries penalties including imprisonment of up to twenty years for offences involving the receipt and use of data obtained through unauthorised computer access.

For a company whose corporate structure has been deliberately kept opaque, the exposure of its directors to personal criminal liability under this provision is particularly acute.

Without publicly named directors willing to stand behind the company’s conduct, there is no human shield between the forensic evidence and the corporate entity that benefited from it.

The Gambling Regulatory Authority of Kenya, which inherited the BCLB’s regulatory powers under the Gambling Control Act, 2025, holds authority to investigate licensed operators, impose fines, suspend operations, and revoke licences.

The GRA’s predecessor body approved Kwikbet for licensing for the 2025/2026 financial year as part of its approved list of 99 operators.

That licensing decision was made without reference to, or public acknowledgment of, the DCI forensic report that names the company as a buyer of stolen data.

The GRA is now confronted with the question of whether a company identified in an official criminal investigation as a purchaser of stolen citizen data is a fit and proper holder of a gambling licence issued in Kenya.

The Office of the Data Protection Commissioner has the authority to open a formal investigation, issue enforcement notices, impose administrative fines, and refer cases to the DPP for criminal prosecution.

The ODPC has been active in enforcement in recent years, issuing its first maximum fine against Oppo Kenya in 2022 and ordering compensation against Safaricom and a corporate employer in 2025.

The forensic identification of Kwikbet as a buyer of stolen personal data, encompassing identity documents, financial histories, and precise location data, represents exactly the category of unlawful data processing that the Act was designed to address.

For a company as small as Kwikbet, one percent of annual turnover under the Data Protection Act and the prospect of director imprisonment under the Cybercrimes Act are not theoretical risks. They are potentially existential ones. And the DCI already has the evidence.

THE KENYANS BEHIND THE DATA POINTS

Every subscriber record in the stolen Safaricom database represents a real person.

The 11.5 million identified gamblers whose betting histories were extracted and sold had never consented to that extraction.

Many did not know they were in any database at all.

Their M-Pesa transaction records, their gambling losses, the precise location from which they placed their bets, and the frequency with which they returned despite those losses were converted into commercial intelligence that was sold to companies including Kwikbet.

The betting addiction crisis that has consumed Kenyan public health resources, broken families, and contributed to documented suicides among young men is not primarily the creation of any single company.

But companies that used stolen intelligence about which Kenyans were the most deeply addicted, the most financially exposed, and the most geographically accessible bear a specific moral and legal accountability that is distinct from the industry-wide criticism of aggressive marketing and predatory product design.

Kwikbet’s terms and conditions note, in the standard regulatory language, that persons below eighteen years are not eligible to participate. Its platform states that it is committed to responsible gambling.

Its withdrawal terms cap maximum payouts at Sh500,000.

These are the formal artefacts of a regulated company performing the regulatory obligations the BCLB requires.

They sit in grotesque contrast to the forensic record that places the company among those who purchased stolen private data on millions of Kenyans, including their most intimate financial and behavioural information, to build the competitive position from which those responsible gambling platitudes are now delivered.

SEVEN YEARS UNEXAMINED: THE QUESTIONS NOBODY HAS ASKED KWIKBET

Kwikbet has never been the subject of a Senate probe. No consumer lobby has formally petitioned the BCLB about the company’s data handling practices.

No Kenyan court has heard a case about unpaid winnings against Solami Limited.

The company has never been summoned to explain its growth, its data sourcing, or its corporate structure. It has operated in the comfortable shadow of more prominent competitors who drew the scrutiny that should have been distributed across the entire sector.

That obscurity has been an asset. While Betika faced Senate questioning, while Odibets attracted regulatory attention over advertising standards, while SportPesa generated years of public controversy over taxes and international sponsorships, Kwikbet processed bets, collected M-Pesa deposits, and grew its user base without attracting the attention that its appearance in a DCI forensic report would have demanded, had anyone been looking.

The BCLB conducted the 2019 licensing review that allowed Kwikbet to survive the crackdown while eliminating twenty-seven competitors.

That review did not surface the DCI forensic evidence.

Whether that is because the forensic analysis was completed after the licensing decision, because information sharing between the DCI and the BCLB was inadequate, or because the regulatory process was simply not designed to capture that category of misconduct is itself a question that the GRA now needs to answer publicly.

The DCI compiled the forensic report.

The DCI submitted it in criminal proceedings.

The DCI has had its own institutional record of naming Kwikbet as a buyer of stolen data in an official document for seven years.

The Directorate of Criminal Investigations has not, in that period, brought charges against Solami Limited or any officer of that company in connection with the purchase of stolen subscriber information. As the constitutional petition heads to judgment on May 13, that institutional failure to act on evidence the DCI itself produced is now part of the story.

FORCED INTO THE OPEN

Kwikbet would prefer that this story did not exist. Solami Limited has spent seven years in productive obscurity, processing bets, renewing its licence, expanding its casino games catalogue, and growing its jackpot offerings without generating the kind of institutional attention that its position in the DCI forensic record warrants.

The company now advertises itself as Kenya’s number one leading sportsbook and Aviator site.

It invites Kenyans to bet now and win big. Its responsible gambling page advises users to gamble only what they can afford to lose.

What it does not advertise is that a DCI forensic report has identified it as a buyer of stolen personal data covering millions of Kenyans.

What it does not explain is how a platform with 15,000 users in June 2019 reached 85,000 by August of the same year, during the same period when the criminals who had been selling it subscriber data were being arrested and charged.

What it does not disclose is the corporate structure of Solami Limited, the identities of its directors, or the chain of ownership that connects the company to the same network identified in the WhatsApp forensic evidence.

The Gambling Regulatory Authority of Kenya is now in the position of having licensed a company that its sister institution, the Directorate of Criminal Investigations, identified years ago as a participant in Kenya’s most significant data theft.

The Office of the Data Protection Commissioner is in the position of having never formally investigated a company whose data processing practices, as documented in an official forensic report, represent a textbook violation of the rights the Act was enacted to protect.

The Director of Public Prosecutions is in the position of overseeing a prosecution against the sellers of stolen data without ever having charged the buyers.

The May 13 judgment is addressed to Safaricom. But the evidence it validates, including the forensic identification of Kwikbet as a buyer of stolen citizen intelligence, is addressed to Solami Limited.

To its directors, whoever they are.

To the GRA, which licences it. To the ODPC, which has not investigated it. To the DPP, which has not charged it. And to the DCI, which knows exactly what is in its own report.

Solami Limited, trading as Kwikbet, did not respond to questions submitted by Kenya Insights regarding its identification in the DCI forensic report, its data acquisition practices during 2018 and 2019, its corporate structure and beneficial ownership, or the growth in its user base following the July 2019 BCLB crackdown. No response was received by the time of publication.