‘Kenya’s Most Wanted Cybercriminal’ Claims to Expose Safaricom Security Flaws in Viral Live Stream—Telco Silent as Public Backlash Grows

Screenshot from the alleged hacking livestream.

A self-proclaimed ethical hacker, Kevin Kiproni alias Idris Shareef, has ignited a firestorm after claiming he breached Safaricom’s systems, live-streaming his exploits to thousands while accusing the telecom giant of ignoring critical vulnerabilities and dismissing researchers.

Shareef, once labeled a “wanted cybercriminal” by the Directorate of Criminal Investigations (DCI), now positions himself as a whistleblower challenging corporate and state accountability in a saga blending cybersecurity, legal drama, and public intrigue.

The Hack Heard Across Kenya

On Friday evening, Shareef, known as @IdrisShareef on X (formerly Twitter), posted a bombshell thread: “I ethically hacked Safaricom, reported the vulnerabilities, and guess what? No rewards, no thanks, just silence.”

The post went viral, amassing over half a million views on his follow-up videos, where he allegedly demonstrated access to Safaricom’s systems.

By Saturday, his follower count skyrocketed from 1,000 to 5,000, with Kenyans split between hailing him as a hero or condemning him as a criminal.

In a brazen move, Shareef promised—and delivered—a live-streamed “repeat hack” hours later, urging viewers to witness Safaricom’s “underground-level security gaps.”

While the technical specifics remain unverified, cybersecurity analysts who reviewed the footage noted his demonstration appeared to show unauthorized access to internal portals, though Safaricom has yet to confirm a breach.

Safaricom’s Bug Bounty Program: “Schrödinger’s Policy”?

Central to Shareef’s critique is Safaricom’s bug bounty program, hosted on HackerOne, a platform where ethical hackers report vulnerabilities for rewards. Safaricom’s program, launched in 2021, promises payouts of up to $10,000 for “critical” flaws.

However, its rules exclude common issues like cross-site scripting (XSS) and SSL misconfigurations, which Shareef claims renders it “a legal thriller designed to disqualify researchers.”

Key Safaricom Bug Bounty Program Details (via HackerOne):

Scope: Limited to specific web/mobile apps (e.g., MySafaricom App, MPESA APIs).

Out-of-Scope: Social engineering, physical attacks, low-risk flaws.

Payouts: $100–$10,000, based on severity.

Controversy: Researchers criticize its narrow scope and delayed responses.

Shareef alleges he reported four critical vulnerabilities via email—not HackerOne, as Safaricom’s policy oddly requires—only to be told the company “was already aware” of them.

“They’re fixing bugs internally while researchers waste time,” he wrote, calling the program “experimental and discretionary,” a phrase Safaricom uses to reserve the right to cancel rewards arbitrarily.

History of Past Attacks

Safaricom, whose services power Kenya’s booming mobile money platform M-Pesa and an array of digital applications, has not been a stranger to cyber threats.

In recent years, the telecom titan has weathered coordinated phishing scams, SIM swaps, sporadic DDoS attacks, and other attempts to breach its defenses.

Despite these challenges, Safaricom maintains that its security framework is robust and continuously evolving.

The Making of ‘Kenya’s Most Wanted Cybercriminal’

The narrative surrounding Idris Shareef is as controversial as his claims. Previously associated with an alleged hacking incident involving a money lending system, he has been labeled “wanted” by law enforcement—a claim he vehemently disputes. In a follow-up statement that has since circulated widely, he sought to set the record straight:

“I want to clarify a few things about my situation. I am not a hacker in the criminal sense. I only began learning basic technical skills after the DCI labeled me as one, a designation that spurred a series of posts on my Twitter account. My intention is not to seek fame but to use the very platform that the DCI used to brand me ‘wanted’ to share my story and ask for public assistance.

To clear up any confusion: I was arrested in Rongai in November 2023—though I can’t recall the exact date. After a brief five-minute interrogation and a three-day detention, I was released with instructions to return for further questioning, which I duly followed. Yet in April 2024, I was shocked to see a ‘wanted’ notice posted. I immediately surrendered at the Parklands station, spent a cold weekend in detention, and later appeared at Mlimani Law Courts on charges I was never properly briefed on. I denied the charges, posted cash bail, and was released.

Now, I ask: If this is the new system in Kenya, why wasn’t I presented in court within 24 hours as the law mandates? And which application was allegedly hacked—and with what financial loss? These are the details I deserve to know.”

Idris insists that his actions were intended solely to spotlight the vulnerabilities he discovered and to compel a reassessment of Safaricom’s cybersecurity protocols.

For now, Safaricom has neither confirmed nor refuted the specific allegations of a breach in its systems.

Local cybersecurity experts commenting on the issue remain divided. While some commend Idris for drawing attention to potential systemic issues, others warn that such public disclosures—especially when aired live—could inadvertently aid malicious actors.

“Ethical hacking must be conducted within strict guidelines,” notes one cybersecurity analyst, “and while the vulnerabilities he claims to have found are concerning, there is a danger in turning these demonstrations into spectacles that undermine trust in digital services.”

As the controversy deepens, the DCI, which once detained Idris briefly, has yet to issue a formal statement regarding the current allegations.

Update

Idris has offered to surrender himself to the police. He claims, “I’m ready to fight the big bully.”

DISCLAIMER:

Readers are advised that while these explosive claims have ignited fierce debate, definitive proof of a breach remains elusive. Authorities and Safaricom insist that their systems are secure, and further inquiries will be essential to unravel the true extent of any vulnerabilities allegedly exposed.

This story is under active investigation. The allegations reported herein are based on public statements and social media posts, and no formal charges or verified breaches have been confirmed at this time.

