OdiBets Faces Investigation After 29.5 Million Safaricom Customers’ Data Breach, Risks Losing License

On May 13, 2026, Justice Bahati Mwamuye of the Constitutional and Human Rights Division of the High Court at Nairobi Milimani Law Courts delivered a judgment that removed all ambiguity from a question Odibets had spent seven years hoping nobody would formally answer.

The court confirmed, on the constitutional record, that subscriber data extracted from Safaricom’s systems between June 2018 and May 2019 was trafficked to third-party betting companies for commercial gain.

The judgment in Constitutional Petition E095 of 2026, styled Musungu and 10 others versus Safaricom PLC, cited the forensic analysis of WhatsApp communications introduced into evidence by Safaricom itself through its Further Affidavit as Annexure ATM-3, noting at Paragraph 67 that the communications expressly referenced various recipients of the data, including persons or entities identified as Andrew, Odibet, the Mburus, Betika, Charles, and the Mule, among others.

Andrew is Odibets. The court has said so, on the constitutional record, in a judgment that is now part of Kenya’s legal precedent.

Six days after that judgment was delivered, on May 19, 2026, Benedict Kabugi Ndungu, the original whistleblower who reported the breach to the police in 2019 under OB Number 80/22/5/2019, filed a formal letter addressed jointly to Mr. Mohamed I. Amin, CBS, OGW, the Director of Criminal Investigations, and Peter Maina Karimi, the Director General of the Gambling Regulatory Authority of Kenya.

The letter, which Kenya Insights has reviewed in full, requests the immediate investigation and prosecution of Kareco Holdings Limited trading as Odibets, and the immediate suspension or cancellation of licence numbers BK-0001095 and PG-0001096 issued to Kareco Holdings Limited. It also formally requests the same action against other firms in the same forensic record.

Odibets is now in the most dangerous regulatory and criminal position any Kenyan betting company has occupied since the BCLB crackdown of 2019. It faces simultaneous pressure from a court judgment, a formal whistleblower petition to two regulatory authorities, an ongoing criminal case in which its name appears in court-exhibited forensic evidence, and the unresolved fact that the data it purchased has never been recovered and remains in its possession to this day.

The High Court has ruled. The whistleblower has filed. The licences are named. The data is still there. Odibets has nowhere left to stand.

WHAT THE HIGH COURT FOUND: THE JUDGMENT THAT CHANGES EVERYTHING

Constitutional Petition E095 of 2026 was filed by eleven Safaricom subscribers whose personal and financial data was among the records extracted and trafficked during the 2018 to 2019 breach. Justice Mwamuye found that Safaricom violated Articles 22, 23, 28, 31(c) and (d), and 46 of the Constitution of Kenya, 2010, and awarded each of the eleven petitioners Sh900,000 in general damages, for a total of Sh9.9 million, with costs and interest at court rates from May 13, 2026 until full payment.

The financial quantum is not the significance of this ruling. The significance is what the judge found as a matter of constitutional fact. The court accepted the evidentiary record that the data breach was sustained and systemic, spanning the entire period from June 2018 to May 2019, not isolated.

It accepted the WhatsApp forensic analysis as materially reinforcing the inference of a sustained and systemic compromise of subscriber data. And it accepted, on the record, that the communications in that forensic analysis expressly named Odibets among the recipients of the data.

Safaricom had argued that the company bore no liability because the employees who stole the data acted outside the scope of their employment for personal criminal gain. Justice Mwamuye rejected this defence comprehensively. The court found that the corporation, as custodian and data controller of the most intimate subscriber information, bore constitutional responsibility for the governance failures that made the theft possible and the dissemination that followed. The rogue employee defence, long the standard corporate shield in data breach litigation across the continent, died in Courtroom E at Milimani on May 13, 2026.

A second constitutional petition, No. 247 of 2019, filed by Kabugi himself and representing the full class of approximately 11.5 million affected subscribers, remains pending, having been stayed pending the outcome of Criminal Case No. 962 of 2019 against Simon Billy Kinuthia and Brian Wamatu Njoroge.

That petition, if prosecuted to judgment and successful, would apply the same constitutional framework to a class of 11.5 million claimants at the same damages rate. The arithmetic requires no elaboration.

A second petition representing 11.5 million subscribers remains pending. At Sh900,000 per subscriber, the arithmetic is not complicated. The total exposure is Sh10.35 trillion.

THE WHATSAPP EVIDENCE: WHAT ANDREW DID, DATE BY DATE

The DCI forensic analysis of WhatsApp communications between Simon Billy Kinuthia and Brian Wamatu Njoroge, now forming part of the court record in Criminal Case No. 962 of 2019 and introduced into the constitutional petition record through Safaricom’s own affidavit, contains a chronological table of transactions that establishes Odibets’ participation in the data acquisition scheme with documentary precision.

Kabugi’s letter to the DCI and GRAK, which reproduces key excerpts from this forensic table, places the specific dates and specific language of the scheme on formal record with the regulator.

On July 17, 2018, Brian Wamatu sent a message reading: Andrew has confirmed Friday. The DCI forensic analysis annotates this as confirming direct engagement with Andrew of Odibets.

On the same date, a second message reads: Issue is that he wants everything like we had talked about, confirming negotiation for the full dataset. On August 30, 2018, Wamatu sent the message: We are now due for Andrew, right? The 5.2 is now 5.7. Are required to provide a refresh? The forensic analysis records this as confirming an ongoing relationship with Odibets, with a data refresh being requested. This was not a one-time purchase. Odibets was requesting updated data tranches months into the scheme.

On October 11, 2018, the message reads: Ongeza Odibets ya akina Andrew, a direct instruction to add Odibets to the next distribution package. On October 22, 2018, another message reads: Can you check what our friends Andrew have done in October? The forensic analysis annotates this as confirming the monitoring of Odibets’ performance using the stolen data, meaning the conspirators were actively tracking whether the data they had sold was generating the commercial results Odibets was using it for.

On December 5, 2018, two messages are recorded. The first: 1M. The forensic annotation reads: Confirms Sh1 million payment from Odibets. The second, sent the same day: Odi wailsemaje, watalipa? The forensic annotation reads: Confirms Odibets as a paying customer. By December 2018, Odibets had paid Sh1 million for the stolen subscriber data and the conspirators were tracking its payment record.

This is not allegation. This is not inference. This is a documented transactional record from the DCI’s own forensic analysis, produced in court, cited in a High Court constitutional judgment, and now formally placed before the DCI director and the GRAK director general by the man who first reported the entire scheme in 2019.

THE BREACH IS NOT OVER: THE DATA IS STILL THERE

One of the most critically underreported facts in the seven years since this scheme was uncovered is that the stolen data has never been recovered. This is not a matter of inference or allegation. It is an admission made by Safaricom in its own court pleadings.

In Civil Suit No. 194 of 2019 and the replying affidavits of Safaricom’s Senior Manager-Litigation, Daniel Ndaba, sworn on September 9, 2019, October 16, 2019, and January 20, 2020, Safaricom expressly stated before the court that it has been unable to secure, retrieve, or delete the subscriber data uploaded to the Google Drive or downloaded onto the personal laptops and devices of its former employees and third parties.

The data sold to betting companies and other third parties has never been retrieved.

The sensitive personal, financial, betting pattern, and geolocation data of the 29.5 million subscribers and the 11.5 million punters whose records were specifically targeted remains in the hands of unauthorised third parties.

In the case of Odibets, that means the company that paid Sh1 million for stolen subscriber records in December 2018 has been holding those records ever since.

The data breach that began in June 2018 is not a historical event. It is a live, ongoing violation of the privacy rights of millions of Kenyans that continues on every day that Odibets remains in possession of data it purchased from a criminal scheme.

Kabugi’s letter is explicit on this point. He submits to the DCI and GRAK that the continued retention of the stolen data by the betting companies constitutes an ongoing violation under the Penal Code, the Data Protection Act 2019, Article 31(c) and (d) of the Constitution on the right to privacy, Article 28 on human dignity, and Article 46 on consumer protection. The constitutional violations are not past tense. They are present continuous.

Safaricom admitted in court it cannot recover the data. The data Odibets purchased in December 2018 is still with Odibets. Every day that data sits on Odibets’ systems is a continuing criminal offence.

SELECTIVE JUSTICE: HOW THE DCI USED ITS OWN REPORT AGAINST ONLY THE SELLERS

The most consequential allegation in Kabugi’s formal letter, and the one with the most damaging implications for the institutions of justice in Kenya, is not about Odibets. It is about the DCI itself.

The DCI conducted the forensic investigation.

The DCI compiled the WhatsApp analysis.

The DCI produced the report that names Odibets as a buyer, documents the payment of Sh1 million, and records specific dates and specific messages demonstrating a sustained commercial relationship between the Safaricom conspirators and Kareco Holdings Limited.

That report is now in the court record in Criminal Case No. 962 of 2019. Safaricom and the ODPP are using it actively to prosecute Kinuthia and Wamatu, the sellers.

Seven years later, the DCI has not arrested, charged, or even summoned for questioning any official of Kareco Holdings Limited or Odibets, despite those names, those corporate identifiers, and those monetary transactions appearing explicitly in its own forensic document.

Charles Njuguna Kimani, the third Safaricom employee who admitted in a witness statement to receiving the data, downloading it, and actively marketing it to betting companies including Odibets, has similarly never been charged.

No forensic audit has been conducted on the banking records, M-Pesa records, or phone records of Odibets or its directors to trace the flow of funds from the company to the conspirators. No action has been taken to compel Odibets to produce records of how it acquired, stored, and utilised the stolen subscriber data.

Kabugi’s letter to the DCI Director does not accept this as an oversight.

He submits formally that the DCI has engaged in selective investigations, targeting the low-level employees while deliberately shielding the corporate beneficiaries of this criminal enterprise. He asks the Director of Criminal Investigations for a written explanation of the decision not to investigate, arrest, or charge any official of the buying companies, despite the explicit references in the DCI’s own forensic report, and for a referral of the matter to the Asset Recovery Agency for investigation into the proceeds of crime derived from the data breach.

He asks the Director of Public Prosecutions for a directive to the DCI to complete the investigation within a specified timeframe, to file charges against all individuals and corporate entities involved, and for a public statement clarifying whether the DPP’s office considers the purchase of stolen personal data by licensed entities to be a prosecutable offence.

He asks the Ethics and Anti-Corruption Commission to investigate whether any public officers within the DCI or ODPP have been compromised or have deliberately failed to act, and to review the decision-making process that led to the selective prosecution of only the Safaricom employees.

These are not rhetorical questions.

They are formal requests lodged with the EACC against Kenya’s own criminal investigation and prosecution apparatus. If those institutions have failed to act on this evidence for seven years, the question of why they failed is now before the anti-corruption body.

The DCI used its own forensic report to prosecute the sellers. For seven years, it used the same report to do nothing about the buyers. The EACC is now formally asked to explain why.

LICENCES BK-0001095 AND PG-0001096: FORMALLY IN THE REGULATOR’S HANDS

Kabugi’s letter to GRAK Director General Peter Maina Karimi at ACK Garden Annex, Bishop Road, Seventh Floor, requests immediate action on named, numbered licences.

Licence number BK-0001095 and PG-0001096, both issued to Kareco Holdings Limited trading as Odibets, are formally before the Gambling Regulatory Authority with a request for immediate suspension or cancellation.

The legal basis for that suspension request is not speculative. The Gambling Control Act 2025, under which the GRA operates and under which Odibets holds its current operating authority, requires all licensees to operate with integrity and in full compliance with the law. Participation in a criminal enterprise to acquire stolen subscriber data constitutes a fundamental breach of licence conditions under that Act. The GRA’s predecessor body, the BCLB, withdrew the licences of twenty-seven companies in 2019. None of those companies had appeared by name in a DCI forensic report as a documented purchaser of stolen subscriber data at a specific documented price on a specific documented date.

Kabugi further requests that the GRAK issue an immediate notice to Odibets requiring it to produce records of all data acquisition from third parties since January 2018, all payments made to individuals or entities outside the normal course of business, and all data protection policies and breach notification records.

He requests that the GRAK commission an independent forensic audit of Odibets’ systems to determine whether stolen Safaricom subscriber data remains in the company’s possession. Given Safaricom’s court admission that the data has never been recovered, the answer to that audit question is not difficult to anticipate.

THE CRIMINAL CHARGES ODIBETS FACES: A FOUR-COUNT EXPOSURE

Kabugi’s letter sets out four categories of criminal offence that he submits have been committed by Odibets and Kareco Holdings Limited, based on evidence already in the DCI’s possession. Each is grounded in Kenyan statute.

The first is handling stolen goods under Section 322 of the Penal Code. A person who receives or retains stolen property, knowing it to be stolen, is guilty of a felony. Subscriber data constitutes property for the purposes of this provision. The betting companies knew, or ought to have known, that data containing intimate financial records, identity documents, and geolocation information of millions of people could not have been obtained through any legitimate commercial channel. The sample data provided before each purchase was itself the notification of its criminal origin.

The second is computer fraud under Section 26 of the Computer Misuse and Cybercrimes Act 2018. Obtaining economic benefit through unauthorised access to computer data is an offence. Odibets obtained commercial benefit by using stolen subscriber data to target high-probability gamblers, enhancing its revenues.

The WhatsApp forensic record documents the monitoring of that commercial benefit, with the conspirators tracking what Odibets had done with the data in October 2018.

The third is money laundering under Section 3 of the Proceeds of Crime and Anti-Money Laundering Act 2009.

The payments made by Odibets to the Safaricom employees, documented in the DCI forensic record including the Sh1 million payment in December 2018, constitute proceeds of crime.

The use of intermediaries referred to in the WhatsApp messages as mules to structure those payments is identified in Kabugi’s letter as a classic money laundering technique.

The forensic messages documenting the mule network, including references to Mule got 300 and we 1.35 each, establish a payment structuring architecture designed to conceal the flow of funds.

The fourth is conspiracy to commit a felony under Section 393 of the Penal Code. The betting companies, acting through their directors and agents, conspired with the Safaricom employees to acquire stolen data for commercial gain.

The WhatsApp record of negotiations, sample data provision, price agreement, and delivery over an eleven-month period constitutes the evidentiary foundation of a conspiracy charge that does not require the prosecution to prove Odibets knew the precise technical means by which the data was extracted. It requires only proof that Odibets knowingly paid for and received data that had been unlawfully obtained.

KARECO HOLDINGS LIMITED: A COMPANY THAT MUST NOW ACCOUNT

Odibets is the trading name of Kareco Holdings Limited, registered at Plot No. LR 209/2167, Crescent Lane, Parklands, Nairobi. Jimmy Kibaki, widely reported as the son of the late President Mwai Kibaki, serves as chairman and is the most prominent public figure associated with the company, Andrew Aligula a little known personality is also listed as a major shareholder in the company.

The firm holds licences BK-0001095 and PG-0001096 under the Gambling Regulatory Authority of Kenya and operates across Kenya, Ghana, Zambia, and Zimbabwe with a claimed user base exceeding ten million.

The company was incorporated in 2018 and launched its platform in the same month the data theft commenced.

Its growth since then has been built on an M-Pesa-integrated platform that made Safaricom subscriber data the most commercially targeted intelligence available to any betting operator. Its website carries responsible gambling messaging. Its terms and conditions describe a company operating within a lawful regulatory framework. Its marketing material presents an image of Kenyan entrepreneurial legitimacy.

Against all of this, the DCI forensic record places December 5, 2018: 1M. Confirms Sh1 million payment from Odibets. October 11, 2018: Ongeza Odibets ya akina Andrew. October 22, 2018: Can you check what our friends Andrew have done in October. August 30, 2018: We are now due for Andrew, right? And July 17, 2018: Andrew has confirmed Friday.

Those messages do not belong to an allegation. They belong to an official DCI forensic report. They are on the record of Criminal Case No. 962 of 2019. They have been cited by a High Court judge in a constitutional judgment. They are now before the GRAK director general in a formal letter from the man who first brought this entire matter to the attention of the authorities in 2019.

THE RECKONING IS NO LONGER COMING. IT HAS ARRIVED.

For seven years, Kareco Holdings Limited operated Odibets without a single regulatory question being asked about its appearance in the DCI forensic record. It renewed its licence. It expanded into three African countries. It processed billions of shillings in bets. It ran jackpot promotions. It sponsored events. It served millions of Kenyans, including the millions whose stolen data it had purchased in 2018 to identify and target them in the first place.

That period is now over.

The High Court has issued a constitutional judgment that names Odibets on the court record and establishes the legal framework for civil liability on a scale that could reach Sh10.35 trillion if the pending class petition of 11.5 million subscribers is prosecuted to its logical conclusion.

The GRAK director general has received a formal petition requesting licence suspension, naming the specific licence numbers, citing the specific evidence, and requesting a forensic audit of Odibets’ systems to determine whether the stolen data, which Safaricom admits it cannot recover, remains in the company’s possession.

The DCI director has received a formal letter from the original whistleblower requesting a written explanation for why, having produced a forensic report documenting Odibets as a paying customer in a criminal data scheme, the Directorate took no action against the company for seven years.

The EACC has received a parallel request to investigate whether that failure of action reflects compromise within the DCI or the ODPP. The DPP has been asked to issue a directive for prosecution within a specified timeframe.

The data Odibets purchased has never been recovered. It remains in the company’s possession. Every day that passes is a continuing violation of the constitutional rights of 29.5 million Kenyans. There is no statute of limitations on serious crime in Kenya. There is now no institutional wall left for Odibets to stand behind.

Kareco Holdings Limited and Odibets did not respond to questions submitted by Kenya Insights regarding the formal whistleblower petition, the High Court judgment, the DCI forensic evidence identifying the company as a purchaser of stolen subscriber data, the specific WhatsApp messages referencing Andrew, the Sh1 million payment of December 2018, or the current status of the stolen data in the company’s possession. No response was received by the time of publication.