EXCLUSIVE: Odibets Bought Stolen Data From Millions Of Kenyans

On May 13, a High Court in Nairobi will deliver a judgment that stands to reshape Kenya’s betting industry and potentially send criminal investigators to the headquarters of one of the country’s most recognisable sports betting platforms.

At the centre of the coming reckoning is Odibets, the Parklands-based betting firm operated by Kareco Holdings Limited, and the damning question contained in a police forensic report: did the company knowingly purchase the stolen personal data of millions of Kenyans to build its customer base?

The answer, as established by WhatsApp forensic evidence filed in court and supplied by Safaricom’s own investigators to the Directorate of Criminal Investigations, appears to be yes. Not once. Repeatedly. And on an industrial scale that dwarfs anything previously reported.

The data was not merely offered for sale. It was bought, distributed, and used. The forensic trail leads directly to Odibets.

THE SCALE OF THE THEFT

Public understanding of this scandal has been anchored to the figure of 11.5 million subscribers, the number of Safaricom customers identified as active gamblers whose betting histories, identity documents, M-Pesa transaction records, and geolocation data were extracted and sold.

But court documents reviewed by Kenya Insights reveal that the true scope of the data heist was almost three times larger.

In a WhatsApp exchange on July 17, 2018, former Safaricom employee Simon Billy Kinuthia sent a message to his co-conspirator Brian Wamatu Njoroge that should send a chill through every Kenyan who has ever owned a Safaricom SIM card: “I have the full details of our 29.9M Customers backed up somewhere.” This was not a boast about future plans.

The data had already been extracted.

What the rogue insiders pilfered from Safaricom’s servers between June 2018 and May 2019 represented a comprehensive surveillance dossier on nearly the entire Kenyan telecommunications user base at the time.

The stolen records encompassed full names, national identity card numbers, passport numbers, military identification numbers, alien card numbers, M-Pesa transaction histories, total betting amounts, gambling patterns and histories, handset IMEI numbers, dual SIM specifications, and precise subscriber geolocation data down to county and locality level.

In the hands of a betting company, this was not merely a marketing database. It was a precision targeting weapon for identifying, classifying, and approaching the most financially vulnerable gamblers in the country.

THE FORENSIC EVIDENCE AGAINST ODIBETS

The WhatsApp forensic analysis, extracted from the devices of the former Safaricom employees and supplied by Safaricom itself to the DCI, names Odibets directly.

According to court documents reviewed by this publication, the report lists Odibets alongside Betika, Kwikbet, and SportPesa as firms that received the illegally obtained subscriber data.

The document does not describe a single transaction.

It describes multiple distributions of subscriber information across an eleven-month period, with datasets tailored in scale and segmentation to match the commercial specifications of individual purchasing firms.

Kenya Insights can report that the data was not sold in a single bulk transfer but parcelled out in commercially convenient tranches.

Forensic evidence shows that subsets of 100,000 records, 200,000 records, and 50,000 records were distributed separately, with employees negotiating prices, supplying sample datasets to prospective buyers, and transmitting full databases only upon receipt of payment or confirmation of purchase.

Odibets, which was founded in 2018 and launched its platform the same year the theft began, was positioned at the very start of its growth trajectory when this data arrived.

The company used the M-Pesa ecosystem as its exclusive payment gateway, making Safaricom subscriber data of particular commercial value to its targeting operations.

A witness statement from Charles Njuguna Kimani, a Safaricom employee implicated in the scheme, illuminates how the operation was embedded within the company’s internal culture.

“On Monday 3rd June, I was called for a meeting with Mr. Ben and Mr. Karauri at Milan Restaurant Westlands. Mr. Karauri asked us to send comprehensive data for use by the company. I passed the message using the normal channel and received the Google Drive link for download.”

The forensic record further shows that on September 11, 2018, at 7:40 in the morning, Wamatu sent a request for the entire industry dataset covering 11.5 million gambling subscribers. By 12:21 that same afternoon, the data had been transferred.

Patrick Kinoti Marithi, the former head of Safaricom’s ethics and compliance department, provided a sworn statement on June 9, 2019 acknowledging: “I established that the data could be extracted from our computer systems.”

His statement forms part of the prosecution’s forensic record and is among the materials now before the court.

Odibets was not a passive recipient. The forensic record describes a company that actively acquired stolen intelligence on millions of Kenyans and built its commercial operations on it.

KARECO HOLDINGS: THE COMPANY BEHIND THE BRAND

Odibets is the trading name of Kareco Holdings Limited, registered and headquartered at Plot No. LR 209/2167, Crescent Lane, Parklands, Nairobi. The company operates under a Betting Control and Licensing Board licence and, since the enactment of the Gambling Control Act 2025, holds a bookmaking licence under the newly established Gambling Regulatory Authority of Kenya.

Jimmy Kibaki, reportedly the son of the late President Mwai Kibaki, serves as chairman and is the public face of the company’s operations. A shadow owner Andrew Aligula has also been outed in media reports.

The firm has expanded beyond Kenya into Ghana, Zambia, and Zimbabwe and claims a user base exceeding ten million across East Africa.

The company presents itself as a responsible operator and carries the standard responsible gambling disclaimers on its platform: “Gambling can be addictive. Play responsibly.”

Its website includes a dedicated responsible gambling page with advice on deposit limits and addiction hotlines.

These disclosures now sit in grotesque contrast to the allegation that the company’s growth was seeded, at least in part, by stolen biometric and financial data harvested without the knowledge or consent of the very people it was targeting.

The company’s rise has been rapid. Launched in 2018 and aggressively marketed through matatu branding, newspaper advertising, billboards, and social media campaigns targeting Kenya’s youth, Odibets grew to become one of the dominant players in a sector where, according to industry data, gross gaming revenue totalled Sh88.24 billion between 2018 and 2022.

The DCI forensic timeline suggests that the stolen data arrived in the company’s hands at precisely the moment it needed a competitive advantage over established rivals such as SportPesa, Betin, and Betika.

THE LEGAL PERIL ODIBETS FACES

The judgment on May 13 will be delivered in a constitutional petition brought by Augustine Onalo, representing 11.5 million affected subscribers and prosecuted by Mola Kimosop Advocates.

The petitioners seek Sh1.5 million per subscriber in constitutional damages from Safaricom. But the implications for Odibets are governed by an entirely separate and more immediately dangerous legal framework.

Kenya’s Data Protection Act of 2019 came into force on November 25, 2019, after the data theft had already occurred but while Odibets was actively using the stolen datasets for commercial targeting.

The Act provides for administrative fines of up to Sh5 million or, in the case of a business entity, up to one percent of annual turnover for the preceding financial year, whichever is lower.

For a company of Odibets’ scale, one percent of annual revenue could represent a far more significant penalty than the statutory ceiling.

The Office of the Data Protection Commissioner has demonstrated a willingness to enforce these provisions, having issued its first maximum penalty of Sh5 million against Oppo Kenya in December 2022 and having ordered compensation against Safaricom and Becton Dickinson East Africa in February 2025.

Beyond administrative fines, the Act provides for criminal liability for directors and company officers who have committed wilful violations of data protection law, with the prospect of imprisonment.

The Computer Misuse and Cybercrimes Act further criminalises the receipt and commercial use of data obtained through unauthorised computer access.

If the court accepts the forensic evidence that Odibets knowingly purchased data extracted from Safaricom’s servers without the consent of subscribers, the company’s exposure extends from regulatory sanction through to criminal prosecution of its senior officers.

The Betting Control and Licensing Board, and its successor the Gambling Regulatory Authority of Kenya, possess independent powers to impose fines, suspend licences, and initiate licence revocation proceedings against operators found to have acquired data through illegal means.

The BCLB has already demonstrated its regulatory muscle in 2025, shutting down more than fifty betting firms operating without proper licences and introducing strict advertising guidelines banning celebrity endorsements and requiring pre-approval of all promotional materials.

A finding that Odibets purchased stolen subscriber data would create a compliance emergency of an entirely different order.

The Data Protection Act provides for criminal prosecution of directors for wilful violations. If the court accepts the forensic evidence, Odibets’ senior officers face potential imprisonment.

THE HUMAN COST: WHAT ODIBETS’ DATA PURCHASE ENABLED

The commercial logic of purchasing Safaricom subscriber data was simple and predatory. The stolen datasets did not merely contain names and phone numbers.

They contained each subscriber’s complete betting history, total amounts wagered, gambling frequency, and financial transaction patterns through M-Pesa.

Combined with geolocation data down to the locality level, this information allowed a betting company to identify with statistical precision which Kenyans were the most financially exposed, the most psychologically dependent on gambling, and the most likely to continue betting regardless of losses. These were not marketing leads. They were vulnerability profiles.

Kenya is now the most gambling-saturated nation in Sub-Saharan Africa by participation rate. A GeoPoll survey of six African countries found that 83.9 percent of Kenyans polled had gambled, the highest proportion in the study.

According to figures cited in court documents in the subscriber data petition, nearly 80 percent of respondents seeking psychiatric treatment at Kenyan institutions are now classified as problem or pathological gamblers.

A 2025 study examining peri-urban men in Kajiado County found that 69 percent were using gambling as a maladaptive coping mechanism for economic stress, with 93.1 percent reporting severe post-gambling guilt and 51.7 percent reporting a material worsening of their mental health as a result of gambling.

In 2024, Kenyans bet a total of Sh766 billion, a figure that surpasses Kenya’s entire national education budget of Sh656 billion for the same period. Kenya Revenue Authority collected Sh13.233 billion in excise duty from the betting sector in the 2024/2025 financial year, a number the government regularly cites as evidence of the industry’s economic contribution.

What it does not cite is the human cost of that revenue: the graduates who have lost life savings, the traders who have died by suicide, the families destroyed by addiction driven, in substantial part, by the targeted manipulation of the most vulnerable bettors using their own stolen data.

The consequences of gambling addiction targeted through stolen intelligence are not abstract. In October 2024, Susan Njeri, a small-scale trader in Kakamega County known as Mama Sammy, died by suicide after losing Sh60,000 on a betting platform.

In the same year, a first-class honours graduate from Maasai Mara University lost Sh900,000 on a single night’s betting and took his own life. Research published in December 2025 confirmed what addiction counsellors have documented for years: that the gambling crisis in Kenya is overwhelmingly concentrated among economically stressed young men who were lured into compulsive behaviour by platforms that knew, through stolen data, exactly how to reach them and exactly what offer to make.

As addiction counsellor Chrispus Githae Kimaru has observed, betting companies in Kenya are not selling entertainment.

They are industrialising desperation.

For Odibets, the allegation in the forensic report is that the company went further still: it paid for intelligence on where to find that desperation most efficiently.

A PLATFORM BUILT ON AGGRESSIVE ACQUISITION

Kenya Insights’ review of Odibets’ operational history reveals a company that has consistently pushed the boundaries of competitive marketing in a sector already under regulatory scrutiny.

The firm’s rapid rise from its 2018 launch to a dominant position in the market was built on aggressive outreach across matatus, print media, and digital platforms, targeting young Kenyans with promotions, free bets, and data bundle incentives designed to lower the psychological and financial barriers to entry.

Its marketing proposition, summarised by the hashtag BetExtraODInary, was aimed squarely at the demographic most vulnerable to gambling addiction: unemployed or underemployed young men in urban and peri-urban Kenya who saw betting as a viable supplement to income.

The company’s responsible gambling infrastructure has been described by independent reviewers as limited and reactive.

A June 2025 assessment noted that Odibets does not provide built-in tools for users to set daily, weekly, or monthly spending limits from their account dashboard.

Users seeking self-exclusion must contact customer support directly rather than using a self-service toggle.

There are no in-app reminders or time-out alerts.

These gaps are not illegal in themselves, but they sit in pointed contrast to the company’s public assurances of responsible operation and become far more troubling when placed alongside the allegation that the company built its user acquisition strategy on data acquired through criminal means.

In a separate regulatory encounter, Odibets found itself embroiled in a dispute with Opera Software Ireland Limited, ultimately requiring the intervention of the Competition Authority of Kenya to order Opera to unblock the platform after it was excluded from the browser and its users redirected to rival betting sites.

The CAK issued a cease and desist order against Opera in June 2024 pending investigation of the competitive conduct.

The episode illustrates the lengths to which Odibets has been prepared to deploy regulatory mechanisms to protect and expand its market access.

WHAT HAPPENS ON MAY 13

The High Court judgment on May 13 will address, in the first instance, the constitutional liability of Safaricom for the actions of its employees.

But it will do so through a factual record that includes the forensic identification of Odibets as a recipient of illegally obtained data.

Whatever Safaricom’s liability for the breach itself, the forensic report’s identification of Odibets as a purchaser of stolen data is now a matter of court record.

If the court accepts the forensic evidence as admissible and credible, the pathway to action against Odibets becomes significantly clearer.

The DCI, which received the forensic report from Safaricom in 2019, has not yet brought criminal charges against any of the betting companies named as purchasers of the stolen data.

The ODPC has not opened a formal investigation into Odibets’ data handling practices arising from the theft. The BCLB, now transitioning to the Gambling Regulatory Authority of Kenya, has not publicly addressed the company’s appearance in the forensic record.

Each of these silences becomes harder to maintain once a High Court judgment formally validates the evidentiary basis of the petition.

Legal analysts who have reviewed the case documents note that a judgment accepting the petitioners’ core allegations would create an irresistible pressure on the DCI and the Office of the Director of Public Prosecutions to explain why, seven years after the forensic report was filed, no criminal charges have been brought against the companies that purchased the stolen data.

The petitioners are seeking Sh1.5 million per subscriber from Safaricom, representing a total exposure of Sh17.25 trillion for the 11.5 million affected subscribers.

The data of the remaining 18.4 million subscribers whose records were also extracted has not yet been the subject of a separate claim, but the legal architecture for such a claim is now clearly established.

For Odibets, civil exposure extends to any of the 29.9 million subscribers whose data was accessed and who can demonstrate that Odibets was among the companies that received and used their information.

A COMPANY THAT MUST ANSWER

Odibets has invested considerable effort in cultivating the image of a Kenyan success story: locally owned, community-minded, and youthfully aspirational.

It has sponsored grassroots football teams and the national amputee football squad.

It wraps itself in the colours and idioms of popular Kenyan culture. On its website and in its marketing materials, it presents an earnest face of responsible gambling and consumer protection.

The forensic report in the Nairobi High Court tells a different story.

It describes a company that, in the first year of its existence, acquired intelligence on nearly 30 million Kenyans through a criminal enterprise, used that intelligence to identify and target the most financially vulnerable gamblers in the country, and built a multi-billion-shilling business on the proceeds.

It describes a company that paid for stolen data knowing that the people whose information it was buying had never consented, would never consent, and had no knowledge that their M-Pesa histories, identity documents, and betting records were being commercially exploited.

The Gambling Regulatory Authority of Kenya has sweeping powers to investigate, sanction, and revoke the licences of operators found to have violated the terms under which they were licensed.

The Data Protection Commissioner has the power to impose fines, issue compliance directives, seize equipment, and refer matters for criminal prosecution.

The Director of Public Prosecutions has the authority to charge the directors of Kareco Holdings Limited with criminal offences under the Data Protection Act and the Computer Misuse and Cybercrimes Act.

Seven years have passed since the forensic report was filed.

On May 13, the court will speak.

What the regulators and prosecutors do next will determine whether Kenya’s data protection laws mean anything at all, or whether a betting company can purchase the stolen private information of thirty million citizens, profit from that crime for years, and walk away without consequence.

Odibets has not responded to questions submitted by Kenya Insights regarding its appearance in the DCI forensic report, the allegation that it purchased stolen Safaricom subscriber data, or its current data handling practices. Kareco Holdings Limited was also contacted and did not respond by the time of publication.