Odibets Bought Stolen Data From Millions Of Kenyans

On May 13, a High Court in Nairobi will deliver a judgment that reaches far beyond any single case and threatens to fundamentally alter the legal landscape of Kenya’s multi-billion-shilling betting industry.

At the centre of the coming reckoning is Odibets, the Parklands-based betting firm operated by Kareco Holdings Limited, and the question at the heart of a Directorate of Criminal Investigations forensic report: did the company knowingly and repeatedly purchase the stolen personal data of millions of Kenyans to build its customer base?

The answer embedded in that official forensic record is yes. And the scale of what was bought goes far beyond what has previously been reported in the public domain.

The DCI forensic report does not describe a one-time transaction. It describes a systematic, multi-tranche commercial relationship between Odibets and the perpetrators of the largest data heist in Kenyan telecommunications history.

THE HEIST: 29.9 MILLION KENYANS EXPOSED

The story of Kenya’s most consequential data theft begins in June 2018, nearly a full year before the police sting operation that eventually brought it into the open. Simon Billy Kinuthia, at the time a senior Safaricom manager with unrestricted access to network and M-Pesa audit systems, began extracting subscriber information from the company’s servers and transferring it, via Google Drive, to a network of insiders and commercial buyers. His accomplice was Brian Wamatu Njoroge, then head of regional expansion at the telco. Together, the two men operated what court documents describe as a systematic, sustained scheme to harvest and monetise Safaricom’s most sensitive subscriber data.

The WhatsApp forensic analysis, conducted by the Directorate of Criminal Investigations and submitted as an official forensic report in these proceedings, established the scope of the theft definitively. On July 17, 2018, Kinuthia sent Wamatu a message that should be read as a statement of intent and achievement in equal measure: “I have the full details of our 29.9M Customers backed up somewhere.” This was not speculation. The data had already been extracted. Every Safaricom subscriber in Kenya at the time, not merely those identified as gamblers, had their most sensitive personal information lifted from the company’s servers.

What was taken was not merely a list of phone numbers. Court documents detail a surveillance dossier on millions of Kenyans encompassing full names, national identity card numbers, passport numbers, military identification numbers, alien card numbers, M-Pesa transaction histories, total amounts wagered on betting platforms, individual gambling patterns and frequencies, handset IMEI numbers, dual SIM specifications, and precise geolocation data down to county and locality level. The gamblers-specific subset, covering 11.5 million subscribers who had used their Safaricom lines to bet, constituted twenty-three percent of the company’s customer base and represented the commercially valuable core of what was sold to betting firms.

The data moved through a chain that the DCI forensic investigators traced with precision. Kinuthia extracted it and pushed it to a Google Drive. Wamatu served as the conduit to external buyers. Charles Njuguna Kimani, a third Safaricom employee, facilitated meetings and transfers. The chain was designed, with deliberate criminal intent, to insulate the original sources from direct contact with purchasers. As Sergeant Joseph Chebor noted in his investigating officer’s statement: “The chain worked so that the end person did not know the origin of the data.” The architecture of deception protected the sellers. It did not cleanse the buyers.

ODIBETS: NAMED DIRECTLY IN THE FORENSIC RECORD

The DCI forensic report, compiled from the WhatsApp conversation extracts recovered from the devices of Kinuthia and Wamatu, names Odibets directly as one of the companies that received the stolen subscriber data. This is not an allegation based on inference or circumstantial association. It is the finding of an official criminal investigation conducted by Kenya’s Directorate of Criminal Investigations and submitted before a court of law.

The data distributions to Odibets were not conducted as a single bulk transaction. The forensic evidence shows multiple transfers across the eleven-month period, with datasets segmented commercially to suit individual buyers. Records of 50,000 subscribers, 100,000 subscribers, and 200,000 subscribers were transferred in separate tranches. Prices were negotiated. Sample datasets were provided to prospective buyers as proof of the data’s authenticity and commercial utility. Upon confirmation of payment or agreement, full databases were transmitted. Odibets, which was incorporated in 2018 and launched its platform the same year the theft commenced, was a recipient of multiple such deliveries across that period.

Odibets was not alone in this market. The DCI forensic record identifies other firms as having also received the stolen data. Those firms received it multiple times. The evidence places Odibets within a network of buyers who collectively stripped the privacy of tens of millions of Kenyans for commercial advantage. But Kenya Insights concentrates in this report on Odibets, because it is Odibets whose corporate identity, whose licence, and whose senior officers are most directly accountable to the questions the forensic record raises for a single, identifiable, Nairobi-registered company.

Odibets did not acquire a marketing database. It acquired a precision targeting system built on the stolen financial histories and gambling records of millions of Kenyans who never consented and were never told.

KARECO HOLDINGS: THE COMPANY BEHIND THE BRAND

Odibets is the trading name of Kareco Holdings Limited, registered at Plot No. LR 209/2167, Crescent Lane, Parklands, Nairobi. Jimmy Kibaki, widely reported as the son of the late President Mwai Kibaki, serves as chairman and is the most prominent public face of the company’s operations. The firm has expanded beyond Kenya into Ghana, Zambia, and Zimbabwe and claims a user base exceeding ten million across East Africa. It holds a bookmaking licence under the newly established Gambling Regulatory Authority of Kenya and was among the 99 firms approved for licensing by the BCLB for the 2025/2026 financial year.

The company launched in 2018, the same month the data theft commenced. It built its brand on aggressive outreach across matatus, billboards, print media, and digital platforms, targeting Kenya’s youth with promotions, free bets, and M-Pesa integrated deposit incentives. Its marketing proposition, summarised by the hashtag BetExtraODInary, was aimed squarely at the demographic most likely to be represented in the stolen Safaricom database: young, urban, financially active, and already betting on mobile platforms.

The company presents itself as a responsible operator. Its website carries mandatory responsible gambling notices. Its homepage states that persons under eighteen years are not eligible to participate. Its terms and conditions describe a company operating within a regulated framework and committed to lawful conduct. Against those assurances, the DCI forensic report places a stark and unresolved contradiction. The company that advertises responsible gambling launched its growth trajectory on stolen intelligence about which Kenyans were already the most deeply addicted to it.

Independent reviewers assessing the Odibets platform as recently as June 2025 noted that the company does not provide built-in tools for users to set daily, weekly, or monthly spending limits from their account dashboard. Users seeking self-exclusion must contact customer support manually rather than using a self-service toggle. There are no in-app reminders or time-out alerts. The gap between the company’s responsible gambling rhetoric and the functionality available to its users is, on its own terms, significant. In the context of the forensic record, it is damning.

THE COMMERCIAL LOGIC OF BUYING STOLEN CITIZEN DATA

To understand why Odibets purchased stolen Safaricom subscriber data, it is necessary to understand precisely what that data contained and what it made possible for a company competing in one of the most saturated betting markets in Africa.

The stolen records did not merely contain names and phone numbers. They contained each subscriber’s complete betting history: the precise amounts they had wagered over time, how frequently they bet, across which platforms, the size of individual transactions, and patterns of loss. Combined with M-Pesa transaction records and geolocation data accurate to the locality level, this information answered the question that every betting company’s marketing department is trying to answer through legitimate means: which specific Kenyans are already betting, how much are they losing, how often do they return, and where do they live?

The stolen database answered all of those questions simultaneously, for 11.5 million people, with clinical precision. A company that purchased even a single tranche of 100,000 subscriber records from this database gained more actionable targeting intelligence about Kenya’s gambling population than any legitimate marketing exercise could produce in years. A company that purchased multiple tranches, as the DCI forensic record establishes Odibets did, accumulated a cumulative intelligence advantage over every competitor operating without stolen data.

These were not marketing leads in any conventional sense. They were vulnerability profiles assembled without consent from the most intimate financial and behavioural records of millions of Kenyans. The people in the database had not signed up to receive betting advertising. They had not agreed to share their financial histories with commercial operators. They had used their phones, made their payments, and placed their bets in the reasonable expectation that Safaricom would protect that information. Odibets purchased it anyway.

THE DEAL THAT NEVER CLOSED: HOW THE CRIMINAL SCHEME WAS EXPOSED

The original target of the data conspirators was not Odibets. Mark Nderitu, who served as the commercial agent for Kinuthia and Wamatu, initially sought to sell the stolen database to the dominant betting platform in Kenya at the time. Benedict Kabugi, brought into the scheme as a networking intermediary because of his connections in Nairobi’s business community, arranged two meetings between the data vendors and the target company’s chief executive, the first at Club Milan in Westlands on June 3, 2019, and the second at ABC Place on June 7.

At those meetings, sample data was shown and the commercial proposition was made. The deal collapsed. The target company’s executive declined to complete the transaction, and did something the conspirators had not anticipated: he reported the approach to Safaricom. That report triggered the criminal complaint to the DCI, initiated the sting operation, and led to the arrests of Kinuthia and Wamatu. The company approached had not completed a purchase. It had, in the end, triggered the prosecution.

The distinction is legally and factually important. The company that declined and reported does not appear in the DCI forensic analysis as a buyer of stolen data. Odibets does. The difference between those two positions in 2019 is the difference between being a witness and being a subject of criminal inquiry.

THE HUMAN COST: WHAT THE DATA PURCHASE ENABLED

The commercial rationale for purchasing stolen Safaricom subscriber data was cold and calculated: identify which Kenyans bet, how much they bet, how often they lose, where they live, and what their financial patterns look like through M-Pesa. Then target them with precision. The human consequences of that targeting are now documented in public health research, court submissions, and the inquest records of young people who have died.

Kenya is now the most gambling-saturated country in Sub-Saharan Africa by participation rate. A GeoPoll survey spanning six African countries found that 83.9 percent of Kenyans polled had gambled, the highest proportion recorded across the continent. According to data cited in court documents in the subscriber petition, nearly 80 percent of Kenyans seeking psychiatric treatment at relevant institutions are now classified as problem or pathological gamblers. A 2025 peer-reviewed study of peri-urban men in Kajiado County confirmed that 69 percent were using betting as a maladaptive coping mechanism for economic stress, while 93.1 percent reported intense guilt following gambling losses and 51.7 percent experienced a material deterioration in their mental health as a direct consequence of gambling behaviour.

In 2024, Kenyans bet a total of Sh766 billion, a figure that surpasses the entire national education budget of Sh656 billion for the same year. The Kenya Revenue Authority collected Sh13.233 billion in excise duty from the betting sector in the 2024/2025 financial year, which the government cites as evidence of the industry’s economic contribution. What does not appear on any government balance sheet is the human cost of that revenue.

In October 2024, Susan Njeri, a small-scale trader in Kakamega County known as Mama Sammy, died by suicide after losing Sh60,000 on a betting platform. In the same year, a first-class honours graduate from Maasai Mara University lost Sh900,000 in a single night of betting and took his own life. His family buried him in Baringo. Between 2019 and 2021, there was a documented rise in gambling-related suicides, predominantly among young men who had lost everything from tuition fees to life savings on single football matches. Addiction counsellor Harrison Irungu has described the invisible nature of the crisis: you cannot drink Sh100,000 worth of alcohol in one night without someone noticing. A Sh100,000 bet happens in seconds, on a phone, and leaves no physical trace until the human being behind it collapses.

The people whose data Odibets purchased from the criminal scheme were not abstract data points. They were the most financially exposed gamblers in Kenya, identified with precision through their stolen records, targeted with intelligence no legitimate operator possessed, and pushed deeper into addiction by a company that knew exactly how vulnerable they already were.

These were not marketing leads. They were the stolen financial records of Kenya’s most desperate gamblers, bought and used to ensure they could never escape the company targeting them.

THE LEGAL ARSENAL: WHAT PROSECUTORS AND REGULATORS CAN DO TO ODIBETS

The legal exposure facing Odibets, Kareco Holdings, and its senior officers is substantial, multi-dimensional, and far from theoretical. Kenya’s Data Protection Act, which came into force on November 25, 2019, provides for administrative fines of up to Sh5 million per violation or, in the case of a business entity, up to one percent of annual turnover for the preceding financial year, whichever is lower. For a company operating at Odibets’ scale, with operations across four African countries and a claimed user base exceeding ten million, one percent of annual revenue could represent a far more significant penalty than the statutory ceiling. The Office of the Data Protection Commissioner has demonstrated a clear willingness to enforce these provisions, having imposed the Sh5 million ceiling in its first major enforcement action in 2022 and having issued multiple enforcement notices in the years since.

Beyond administrative penalties, the Data Protection Act provides for criminal liability for directors and company officers who have committed wilful violations, with the possibility of imprisonment. The Computer Misuse and Cybercrimes Act separately criminalises the receipt and commercial use of data obtained through unauthorised computer access, with penalties including prison terms of up to ten years for individual offenders. If the court on May 13 accepts the forensic evidence that Odibets knowingly purchased data extracted from Safaricom’s servers without subscriber consent, the company’s exposure extends from regulatory sanction through to the criminal prosecution of its controlling officers.

The Gambling Regulatory Authority of Kenya, which superseded the BCLB under the Gambling Control Act of 2025, holds independent statutory power to investigate licensed operators, impose fines, suspend licences, and initiate revocation proceedings. The GRA demonstrated its enforcement appetite in early 2025 by shutting down more than fifty unlicensed betting firms, introducing strict advertising prohibitions banning celebrity endorsements, and mandating the resubmission of detailed documentation from all licensed operators. A finding that Odibets purchased stolen citizen data would represent a category of misconduct of an entirely different order from the advertising and licensing violations the GRA has addressed to date.

Then there is the civil liability. The constitutional petition before the High Court seeks Sh1.5 million per subscriber from Safaricom for 11.5 million affected subscribers. Should the court validate the forensic evidence of data purchases by Odibets, the legal architecture for equivalent civil claims against the company by those same subscribers becomes immediately available. The 29.9 million subscribers whose data was also extracted, though not yet forming the core of a separate claim, represent a potential second wave of litigation. At Sh1.5 million per affected individual, even a fraction of that cohort pursuing claims against Odibets would generate figures that could fundamentally threaten the company’s financial viability.

SEVEN YEARS OF SILENCE: THE QUESTIONS THAT MUST NOW BE ANSWERED

The DCI forensic report naming Odibets as a buyer of stolen data was compiled in the course of an active criminal investigation that commenced in 2019. The former Safaricom employees at the centre of the scheme, Simon Billy Kinuthia and Brian Wamatu Njoroge, were charged with computer fraud and the unlawful copying and transfer of privileged subscriber data. Their criminal case has been proceeding in the courts for seven years. Benedict Kabugi, the man whose report to police initiated the prosecution, faces his own criminal charges of demanding money with menaces, which he denies. The DCI has had the forensic evidence identifying Odibets as a buyer since the investigation commenced.

Seven years later, no criminal charges have been brought against Kareco Holdings Limited, Odibets, or any of the company’s senior officers in connection with the purchase of stolen subscriber data. The Office of the Data Protection Commissioner has not opened a formal investigation into Odibets’ data handling practices arising from the theft. The BCLB did not initiate licence proceedings against the company on the basis of the forensic evidence. The GRA renewed Odibets’ licence for the 2025/2026 financial year without any public acknowledgment of the company’s appearance in a DCI forensic report.

Legal analysts who have reviewed the case documents observe that a judgment validating the evidentiary basis of the petition, including the forensic identification of Odibets as a purchaser of stolen data, would create irresistible institutional pressure on the DCI and the Office of the Director of Public Prosecutions to explain why prosecution has been confined to the sellers and not extended to the buyers. The police officers who compiled the forensic analysis documented both sides of every transaction. The institutional decision to charge only one side of those transactions has never been publicly explained.

The DCI documented the buyers. The DCI documented the transactions. The DCI documented the prices. Seven years later, only the sellers face charges. On May 13, that silence becomes a scandal in its own right.

THE RECKONING ODIBETS CANNOT ESCAPE

Odibets has invested considerable effort in building the image of a Kenyan success story: locally owned, youthfully aspirational, deeply woven into the fabric of popular culture through matatu branding, social media presence, and the BetExtraODInary identity. Jimmy Kibaki’s chairmanship lends the company a recognisable public face and a narrative of Kenyan entrepreneurship operating within a legitimate regulatory framework.

The DCI forensic report tells a different story. It describes a company that, in the first year of its existence, acquired intelligence on millions of Kenyans through a criminal enterprise, used that intelligence to identify and target the most financially vulnerable gamblers in the country, and built a multi-country, multi-billion-shilling business on the proceeds. It describes a company that paid for stolen data knowing that the people whose information it was buying had never consented, would never consent, and had no knowledge that their M-Pesa histories, identity documents, and betting records were being commercially exploited.

The Gambling Regulatory Authority of Kenya has sweeping powers to investigate, sanction, and revoke the licences of operators found to have violated the terms under which they were licensed. The Data Protection Commissioner has the power to impose fines, issue compliance directives, and refer matters for criminal prosecution. The Director of Public Prosecutions has the authority to charge the directors of Kareco Holdings Limited with criminal offences under the Data Protection Act and the Computer Misuse and Cybercrimes Act.

Seven years have passed since the forensic report was filed. On May 13, the court will speak. What the regulators and prosecutors do next will determine whether Kenya’s data protection laws mean anything at all, or whether a betting company can purchase the stolen private information of thirty million citizens, profit from that crime for years, build an empire on it, and walk away without consequence.