10 Million Kenyans’ Personal Data Allegedly Being Sold on Dark Web in Chilling New Cybersecurity Scare

A disturbing claim emerging from the murky corners of the internet has sparked fresh concerns over the safety of personal data belonging to millions of Kenyans.

Cybersecurity monitors tracking criminal activity on dark web forums say a hacker using the alias “MrDarkRoot” is advertising what is claimed to be one of the largest collections of Kenyan citizen data ever assembled. The seller alleges the database contains personal information belonging to approximately 10 million people.

If the claims are true, the implications could be staggering.

According to screenshots and reports circulating among cyber intelligence communities, the alleged dataset contains an extraordinary range of sensitive information. The seller claims to possess full names, dates and places of birth, national identity card numbers, passport details, residential addresses, telephone numbers, email addresses, tax information, banking records, vehicle ownership records, property details, medical histories, vaccination records, educational backgrounds, criminal records, business registration information and passport-style photographs.

Screenshot

For any cybercriminal, such information would be a goldmine.

Yet there is an important caveat. No independent cybersecurity firm, government agency or regulator has publicly verified the authenticity of the alleged database. Experts familiar with dark web marketplaces caution that cybercriminals often exaggerate the size and value of stolen datasets to attract buyers and build credibility.

Even so, the allegations have landed at a particularly sensitive moment for Kenya, which has experienced a growing number of data security incidents in recent years.

The country has spent billions of shillings digitising public services and moving government records online. Platforms such as eCitizen have become central to everyday life, handling everything from passport applications and business registrations to driving licences and tax services. While digital transformation has improved efficiency, it has also concentrated enormous volumes of personal information in interconnected systems that are increasingly attractive to hackers.

The latest claims follow a series of high-profile breaches and suspected cyber intrusions that have raised uncomfortable questions about how securely Kenyan institutions are protecting sensitive data.

One of the most significant incidents emerged in late 2025 when reports surfaced that hackers had gained access to data linked to millions of users of the M-Tiba healthcare platform. The alleged breach involved highly sensitive medical information and prompted investigations by the Office of the Data Protection Commissioner.

Earlier, the Business Registration Service was forced to investigate reports that company records and shareholder information had been compromised and later appeared on underground marketplaces. The incident drew particular attention because some of the exposed records were linked to influential political and business figures.

Cybersecurity analysts say the alleged MrDarkRoot database is especially alarming because of its breadth. Unlike many breaches that target a single institution, the advertised information appears to span multiple aspects of a person’s life. If genuine, it would provide criminals with a detailed profile of individuals, making it easier to commit identity theft, financial fraud, impersonation scams and other forms of cybercrime.

The danger is not limited to stolen money.

With access to personal records, criminals can open fraudulent accounts, apply for loans using stolen identities, target victims with convincing scams or even use sensitive information for extortion and blackmail. Medical records, financial information and family details are among the most valuable forms of data traded in underground criminal markets.

For now, Kenyan authorities have not issued any public statement confirming the existence of the alleged 10 million-record database. The Office of the Data Protection Commissioner has also not announced any investigation specifically linked to the claims.

That has done little to calm anxieties among cybersecurity experts, many of whom note that major breaches often first surface on dark web forums long before affected organisations acknowledge them publicly.

The claims may ultimately prove false, exaggerated or based on recycled data from older breaches. But even if that turns out to be the case, the episode serves as another stark reminder of the growing cyber threats facing Kenya as more personal information moves online.

For millions of Kenyans, the possibility that such an enormous volume of personal data could be circulating among cybercriminals is unsettling enough. Whether MrDarkRoot is bluffing or sitting on a genuine treasure trove of stolen records, the incident has once again exposed a difficult reality. In Kenya’s digital age, personal information has become one of the most valuable and vulnerable assets a citizen possesses.