My Response to Kikabet's Public Statement
I want to respond to Kikabet's recent post because they publicly referred to me while leaving out important context.
First, I reported a security vulnerability affecting their platform. Kikabet has now publicly acknowledged that this vulnerability existed, stating that their leaderboard API was exposing more user information than intended. They also confirmed they fixed the issue after my report and paid me a $150 bug bounty.
This means the core security issue I reported was real.
The exposed endpoint returned information that should never have been accessible to a normal user. Depending on the account, it exposed data including:
Email addresses
Phone numbers
Telegram usernames
Wallet balances
Total wagered amounts
Deposits
Withdrawals
VIP levels
Internal identifiers
Various backend account fields
I have chosen not to publish other users' personal information because those users are not responsible for the vulnerability.
Leaderboard observations
https://i.ibb.co/F4P7dfj6/unnamed-1.pngWhile reviewing the exposed API data, I compared it with the public Weekly and Monthly Race leaderboards.
During the period I monitored them, I noticed several observations that I believe deserve clarification.
Examples included accounts showing:
More than $4.1 million wagered from approximately $200 deposited, with withdrawn_usd recorded as 0.
More than $1.49 million wagered from approximately $10 deposited, with withdrawn_usd recorded as 0.
More than $6.09 million wagered, approximately $3.5 million profit, around $50 deposited, while withdrawn_usd remained 0.
I also observed several leaderboard accounts using email patterns similar to:
contact+2@...
contact+3@...
contact+6@...
contact+8@...
contact+10@...
These observations do not, by themselves, prove misconduct. There may be legitimate explanations for these values or these email formats. However, they raise reasonable questions that deserve a public explanation.
My intention
At no point was my goal to expose innocent users.
Before publishing anything, I asked Kikabet whether I should redact users' information, and I intended to avoid exposing personal data. My goal was to disclose the security issue responsibly while documenting my observations.
Kikabet's response
Instead of addressing my questions about the leaderboard, Kikabet chose to focus on a separate disagreement regarding a deposit.
That dispute does not change the fact that:
the API vulnerability existed,
user information was exposed,
Kikabet acknowledged the issue,
and the vulnerability was fixed after it was reported.
These are separate issues.
What I would like clarified
I would appreciate a public explanation regarding:
What exactly does the withdrawn_usd field represent?
Why did multiple high-ranking leaderboard accounts have withdrawn_usd recorded as 0?
Are accounts using company-domain email addresses internal, testing, or employee accounts?
If they are internal accounts, are they excluded from leaderboard competitions and prizes?
Were all affected users informed that some of their account information had been exposed?
Final thoughts
I am not asking readers to assume fraud or manipulation. I am asking for transparency.
The API exposure has already been acknowledged by Kikabet themselves. My observations about the leaderboard remain questions based on the data I observed, and I believe those questions deserve clear answers.
I encourage everyone to review the available evidence objectively and draw their own conclusions based on the facts rather than speculation.
Response Data from leaderboard api endpoint
[
{
"entry": {
"_id": "6a204b67ef468bcb0e02c59b",
"wager_usd": 3534516.6099999994,
"time": 1780444800,
"user": "69b60b3a7c11e7a3a50d8e05",
"type": "month",
"updated_at": "2026-06-22T02:19:40.820000Z",
"created_at": "2026-06-03T15:42:31.009000Z"
},
"user": {
"_id": "69b60b3a7c11e7a3a50d8e05",
"name": null,
"avatar": "\/img\/avatars\/69b60b3a7c11e7a3a50d8e051781854252.jpg",
"email": "sensitive",
"client_seed": "sensitive",
"roles": [],
"name_history": [
{
"time": "2026-03-15T01:28:26.904679Z",
"name": "benkirane"
}
],
"referral": "677e6c02c1c4ddb3ca05c57e",
"referral_code_id": "69aecc2d35253805c90a32ca",
"referred_date": "2026-03-15T01:28:26.833000Z",
"referral_bonus_percent": 10,
"referral_bonus_activated": false,
"affilka_stag": null,
"updated_at": "2026-06-28T20:08:05.622000Z",
"created_at": "2026-03-15T01:28:26.905000Z",
"wagered_usd": 4169159.06,
"vip_level": 17,
"latest_user_agent": "sensitive",
"nextOriginalsWebsocketSecretRefresh": "2026-06-29T18:58:29.189000Z",
"deposited_usd": 200,
"usdt": {
"$numberDecimal": "1025665.71"
},
"withdrawn_usd": 0,
"chat_rules_agreed": true,
"private_bets": true,
"rakeback_usdt": 14359.548093000005,
"private_profile": true
}
},
{
"entry": {
"_id": "6a20550f0a47400fc40066c8",
"wager_usd": 860574.6399999992,
"time": 1780444800,
"user": "692c35852022df31c204b132",
"type": "month",
"updated_at": "2026-06-28T18:27:03.853000Z",
"created_at": "2026-06-03T16:23:43.759000Z"
},
"user": {
"_id": "692c35852022df31c204b132",
"name": null,
"avatar": "\/img\/avatars\/692c35852022df31c204b1321765872306.jpg",
"email": "contact+3@kikabet.com",
"client_seed": "b7775558f030885a4b11dd7148c3dc16",
"roles": [],
"name_history": [
{
"time": "2025-11-30T12:16:05.826288Z",
"name": "trump007"
}
],
"updated_at": "2026-06-28T18:27:53.979000Z",
"created_at": "2025-11-30T12:16:05.826000Z",
"wagered_usd": 1492192.1199999999,
"vip_level": 15,
"latest_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/149.0.0.0 Safari\/537.36",
"nextOriginalsWebsocketSecretRefresh": "2026-06-29T17:48:33.234000Z",
"deposited_usd": 10,
"usdt": {
"$numberDecimal": "11027.8"
},
"rakeback_usdt": 0,
"private_profile": true,
"private_bets": true,
"rakeback_claim": "2026-06-22T21:38:18.203000Z",
"affilka_stag": null,
"chat_rules_agreed": true,
"withdrawn_usd": 0
}
},
{
"entry": {
"_id": "6a23799210eec0ff1b0de8a9",
"wager_usd": 576141.1799999994,
"time": 1780704000,
"user": "69c5afe7186cc4701a07c02f",
"type": "month",
"updated_at": "2026-06-28T18:56:28.743000Z",
"created_at": "2026-06-06T01:36:18.147000Z"
},
"user": {
"_id": "69c5afe7186cc4701a07c02f",
"name": "tupipac",
"avatar": "\/img\/avatars\/69c5afe7186cc4701a07c02f1775453993.jpg",
"email": "contact+6@kikabet.com",
"client_seed": "dedd4afe16676f11d0c79a7e2581a231",
"roles": [],
"name_history": [
{
"time": "2026-03-26T22:15:03.913944Z",
"name": "tupipac"
}
],
"referral": "677e6c02c1c4ddb3ca05c57e",
"referral_code_id": "69aecc2d35253805c90a32ca",
"referred_date": "2026-03-26T22:15:03.851000Z",
"referral_bonus_percent": 10,
"referral_bonus_activated": false,
"updated_at": "2026-06-28T21:36:44.872000Z",
"created_at": "2026-03-26T22:15:03.914000Z",
"wagered_usd": 1548725.18,
"vip_level": 16,
"latest_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/149.0.0.0 Safari\/537.36",
"nextOriginalsWebsocketSecretRefresh": "2026-06-29T17:23:00.462000Z",
"deposited_usd": 10000,
"usdt": {
"$numberDecimal": "27676.58"
},
"affilka_stag": null,
"withdrawn_usd": 0,
"rakeback_usdt": 485.33044049999995,
"rakeback_claim": "2026-06-06T01:38:52.167000Z",
"chat_rules_agreed": true,
"private_profile": true
}
},
{
"entry": {
"_id": "6a2e0ae2e76adb9ca0039629",
"wager_usd": 569965.7000000001,
"time": 1781395200,
"user": "69212c766902883d910c64a0",
"type": "month",
"updated_at": "2026-06-28T18:22:54.030000Z",
"created_at": "2026-06-14T01:58:58.156000Z"
},
"user": {
"_id": "69212c766902883d910c64a0",
"name": "babyslim",
"avatar": "\/img\/avatars\/69212c766902883d910c64a01768653828.jpg",
"email": "contact+2@kikabet.com",
"client_seed": "5f75e1446e3632ca1ce8535aea11b50c",
"roles": [],
"name_history": [
{
"time": "2025-11-22T03:22:30.152464Z",
"name": "babyslim"
}
],
"updated_at": "2026-06-28T18:23:20.123000Z",
"created_at": "2025-11-22T03:22:30.153000Z",
"wagered_usd": 864387.64,
"vip_level": 14,
"latest_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/149.0.0.0 Safari\/537.36",
"deposited_usd": 10,
"nextOriginalsWebsocketSecretRefresh": "2026-06-29T18:18:36.010000Z",
"usdt": {
"$numberDecimal": "182732.07"
},
"rakeback_usdt": 2300.497620499999,
"private_profile": true,
"affilka_stag": null,
"chat_rules_agreed": true,
"withdrawn_usd": 0
}
},
{
"entry": {
"_id": "6a2c82e6b17fdb9f5900bb18",
"wager_usd": 256893.79000000007,
"time": 1781222400,
"user": "69ed17bf12eac5b2c00e477a",
"type": "month",
"updated_at": "2026-06-28T21:35:18.692000Z",
"created_at": "2026-06-12T22:06:30.205000Z"
},
"user": {
"_id": "69ed17bf12eac5b2c00e477a",
"name": null,
"avatar": "\/img\/avatars\/69ed17bf12eac5b2c00e477a1782668510.jpg",
"email": "contact+8@kikabet.com",
"client_seed": "7762d6bd91786207d61605721af01f74",
"roles": [],
"name_history": [
{
"time": "2026-04-25T19:36:31.938107Z",
"name": "hachoninho"
}
],
"affilka_stag": "178_69ed177a1371e4d2df5f992a",
"updated_at": "2026-06-29T00:58:23.176000Z",
"created_at": "2026-04-25T19:36:31.938000Z",
"wagered_usd": 391846.28,
"vip_level": 10,
"latest_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/149.0.0.0 Safari\/537.36",
"nextOriginalsWebsocketSecretRefresh": "2026-06-29T17:32:49.796000Z",
"deposited_usd": 22019,
"chat_rules_agreed": true,
"usdt": {
"$numberDecimal": "27958.03"
},
"withdrawn_usd": 0,
"rakeback_usdt": 74.549187,
"rakeback_claim": "2026-06-19T07:29:05.962000Z",
"private_bets": true,
"private_profile": true
}
},
{
"entry": {
"_id": "6a20a9e77fdd9bc6c801e13a",
"wager_usd": 248199.6000000001,
"time": 1780444800,
"user": "678ac9bd25a333cb920ee86d",
"type": "month",
"updated_at": "2026-06-19T11:28:28.811000Z",
"created_at": "2026-06-03T22:25:43.643000Z"
},
"user": {
"_id": "678ac9bd25a333cb920ee86d",
"name": "Chicha7ayo",
"avatar": "\/img\/avatars\/678ac9bd25a333cb920ee86d1767539783.jpg",
"email": "
chicha7ayo@gmail.com",
"client_seed": "6d4976a4622497e81c6a23f02147b3f3",
"roles": [],
"name_history": [
{
"time": "2025-01-17T21:21:01.005611Z",
"name": "Chicha7ayo"
}
],
"updated_at": "2026-06-29T17:42:33.058000Z",
"created_at": "2025-01-17T21:21:01.006000Z",
"wagered_usd": 6092431.38927785,
"deposited_usd": 50,
"vip_level": 18,
"latest_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/149.0.0.0 Safari\/537.36",
"usdt": {
"$numberDecimal": "183598.422044"
},
"vip_manager": "677e6c02c1c4ddb3ca05c57e",
"vip_manager_name": "bengeist",
"trading_usdt": {
"$numberDecimal": "0"
},
"phone": "06666666",
"telegram_contact": "TATAWI",
"last_instant_rakeback_update": "2025-04-26T12:24:02.683000Z",
"instant_rakeback_last_claim": "2025-04-26T12:20:38.000000Z",
"rakeback_usdt": 2850.9400119999887,
"rakeback_claim": "2026-03-24T16:55:26.723000Z",
"nextOriginalsWebsocketSecretRefresh": "2026-06-30T17:41:14.335000Z",
"private_bets": false,
"referral": "692422f707b517e11a0a8b92",
"referral_bonus_activated": false,
"referral_bonus_percent": 0,
"referral_code_id": "6924232008444c49e6082d48",
"referred_date": "2026-01-06T19:51:06.809000Z",
"profited_usd": 3514791.4165596096,
"data_country": "Morocco",
"withdrawn_usd": 0,
"affilka_stag": null,
"chat_rules_agreed": true
}
},
{
"entry": {
"_id": "6a21b58a6d073e6ca3075b48",
"wager_usd": 178835.55470000004,
"time": 1780531200,
"user": "6a0f4c7ae354db04e00d2ab7",
"type": "month",
"updated_at": "2026-06-11T15:24:01.902000Z",
"created_at": "2026-06-04T17:27:38.667000Z"
},
"user": {
"_id": "6a0f4c7ae354db04e00d2ab7",
"name": null,
"avatar": "\/img\/avatars\/6a0f4c7ae354db04e00d2ab71780921036.jpg",
"email": "
napoliadam11@gmail.com",
"client_seed": "2e6a71f96c2c79613ab9313cd801c158",
"roles": [],
"name_history": [
{
"time": "2026-05-21T18:18:34.506951Z",
"name": "adnapoli"
}
],
"main_currency": "np_USDT",
"updated_at": "2026-06-14T00:01:16.882000Z",
"created_at": "2026-05-21T18:18:34.507000Z",
"wagered_usd": 433484.23023489997,
"vip_level": 11,
"latest_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/149.0.0.0 Safari\/537.36",
"nextOriginalsWebsocketSecretRefresh": "2026-06-12T07:38:02.740000Z",
"deposited_usd": 5438,
"withdrawn_usd": 0,
"mad": {
"$numberDecimal": "0"
},
"google_id": "113828542022590780468",
"private_bets": true,
"private_profile": false,
"chat_rules_agreed": true,
"usdt": {
"$numberDecimal": "42000.01"
},
"rakeback_usdt": 0,
"rakeback_claim": "2026-06-11T15:23:52.871000Z",
"ban_reason": "Removed"
}
},
{
"entry": {
"_id": "6a231b8d66e4aca7fe0d89b1",
"wager_usd": 162627.2399999997,
"time": 1780617600,
"user": "69f7436f4c2c36eb9901a6d2",
"type": "month",
"updated_at": "2026-06-06T22:22:56.176000Z",
"created_at": "2026-06-05T18:55:09.908000Z"
},
"user": {
"_id": "69f7436f4c2c36eb9901a6d2",
"name": "monosaimff",
"avatar": "https:\/\/lh3.googleusercontent.com\/a\/ACg8ocJPkAaIcFbTNSdYeACiaWQv5cE9ZD7YKa-X9s64jlM7gfZ6ex4=s96-c",
"email": "
monosaimff@gmail.com",
"client_seed": "4fab5457bacefec6ac1286ceaf5a6ee3",
"roles": [
{
"id": "*"
}
],
"name_history": [
{
"time": "2026-05-03T12:45:35.562331Z",
"name": "monosaimff"
}
],
"google_id": "114939516818463538238",
"email_verified": true,
"updated_at": "2026-06-29T15:54:44.269000Z",
"created_at": "2026-05-03T12:45:35.562000Z",
"latest_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/26.5 Safari\/605.1.15",
"wagered_usd": 207313.5031858,
"vip_level": 9,
"deposited_usd": 11448.66465,
"nextOriginalsWebsocketSecretRefresh": "2026-06-29T00:54:49.880000Z",
"usdt": {
"$numberDecimal": "13598.52"
},
"withdrawn_usd": 0,
"mad": {
"$numberDecimal": "0"
},
"chat_rules_agreed": true,
"rakeback_usdt": 45.4733
}
},
{
"entry": {
"_id": "6a1e4f31f171e50cfe051bf2",
"wager_usd": 158155.06999999998,
"time": 1780358400,
"user": "6a10cb30cab07337a80934de",
"type": "month",
"updated_at": "2026-06-29T08:43:49.422000Z",
"created_at": "2026-06-02T03:34:09.734000Z"
},
"user": {
"_id": "6a10cb30cab07337a80934de",
"name": null,
"avatar": "\/avatar\/6a10cb308a9e2",
"email": "
fixedneymar264@gmail.com",
"client_seed": "a1ca56510088bf5de9dc0021a2ed49b9",
"roles": [],
"name_history": [
{
"time": "2026-05-22T21:31:28.567867Z",
"name": "neymar"
}
],
"main_currency": "np_USDT",
"updated_at": "2026-06-29T17:41:46.121000Z",
"created_at": "2026-05-22T21:31:28.568000Z",
"wagered_usd": 180757.08,
"vip_level": 8,
"latest_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/26.5 Mobile\/15E148 Safari\/604.1",
"nextOriginalsWebsocketSecretRefresh": "2026-06-30T08:41:15.775000Z",
"deposited_usd": 5000,
"usdt": {
"$numberDecimal": "55902.69"
},
"withdrawn_usd": 0,
"private_bets": true,
"private_profile": true
}
},
{
"entry": {
"_id": "6a204afeef468bcb0e02c54f",
"wager_usd": 122994.73000000005,
"time": 1780444800,
"user": "69f0f27d7f297627d906f7b6",
"type": "month",
"updated_at": "2026-06-28T21:21:55.407000Z",
"created_at": "2026-06-03T15:40:46.244000Z"
},
"user": {
"_id": "69f0f27d7f297627d906f7b6",
"name": null,
"avatar": "\/img\/avatars\/69f0f27d7f297627d906f7b61777398780.jpg",
"email": "contact+10@kikabet.com",
"client_seed": "9d36ec5162de7f82f284359cfeae65a4",
"roles": [],
"name_history": [
{
"time": "2026-04-28T17:46:37.891297Z",
"name": "arnoldomi"
}
],
"affilka_stag": "178_69f0f2584cbb5a501b465aa4",
"updated_at": "2026-06-28T21:21:58.014000Z",
"created_at": "2026-04-28T17:46:37.892000Z",
"wagered_usd": 797253.28,
"vip_level": 14,
"latest_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/149.0.0.0 Safari\/537.36",
"nextOriginalsWebsocketSecretRefresh": "2026-06-29T17:28:23.682000Z",
"deposited_usd": 112010,
"usdt": {
"$numberDecimal": "10751.1"
},
"chat_rules_agreed": true,
"withdrawn_usd": 0,
"rakeback_usdt": 158.469228,
"private_profile": true,
"private_bets": true,
"rakeback_claim": "2026-06-15T22:46:11.632000Z"
}
}
]
these all are their accounts so no need to be worry