WILLEMSTAD — A major data security breach involving Curaçao-licensed operator Santeda International B.V. and its MyStake Casino platform is raising urgent data protection concerns, according to forensic investigators who contacted Curaçao Chronicle with exclusive details.
The breach reportedly stems from a hacker publication in May 2025, in which a PDF document containing credentials for 540 MyStake user accounts — including email addresses and passwords — was leaked online. Investigators claim they were able to access almost every account linked to the leaked credentials during an independent security audit, viewing unredacted personal information such as names, addresses, phone numbers, dates of birth and transaction histories.
A forensic source involved in the audit told Curaçao Chronicle that “the level of exposed data is deeply concerning,” and that no meaningful action has been taken by the operator in more than eight months to protect affected users. According to the source, there has been no forced password reset, no official notification to users, and no indication that users have been warned about potential misuse of their data — all critical steps under modern data protection standards.
Investigators stress that this represents a severe ongoing privacy and security risk for players, who remain vulnerable to credential misuse, identity theft, phishing and account takeover without any remediation from the platform.
Offshore Gambling Under Scrutiny
MyStake is licensed under a Curaçao eGaming license and operated by Santeda — a company more widely known internationally for its network of casino brands, including Goldenbet, Velobet, Cosmobet, Rolletto and others. Recent industry reports by monitoring group GAMRS have linked Santeda to a large offshore gambling network generating billions in turnover from UK and European players, often bypassing regulated safeguards.
Santeda has faced regulatory action abroad: in Spain, authorities fined the company €5 million and banned it from gambling activities for two years over illegal online operations in 2022.
While the operator’s Curaçao license should theoretically afford regulatory oversight, experts point out that enforcement of data protection and responsible gambling standards in offshore jurisdictions varies widely. In this case, no public statement has yet been made by Santeda, MyStake or Curaçao regulators regarding the alleged breach.
Regulatory and Player Safety Concerns
Industry watchdogs and player protection advocates say the breach raises urgent questions about the effectiveness of oversight by the Curaçao Gaming Authority (CGA) and wider consumer safeguards for online gambling platforms based in the jurisdiction. Santeda’s platforms have drawn scrutiny for operational issues including delayed withdrawals, disputed payouts and alleged regulatory evasion tactics.
Moreover, independent sources have labeled MyStake and sister sites as part of a “black-market” online gambling network that engages consumers in markets where local regulations prohibit such activity, particularly in the UK and EU.
A spokesperson for DealMeOut & GAMRS, the independent analysis group that shared details of the breach with Curaçao Chronicle, said the evidence and video documentation will soon be made public and that the group is prepared to share full technical findings with regulators and media.
What Comes Next?
Affected users and Curaçao residents with concerns about personal data or platform security may face heightened risks unless immediate action is taken. Relevant authorities — including the Curaçao Gaming Authority, the Curaçao Data Protection Office and the Ministry of Finance, which oversees online gaming supervision — have been approached for comment.
MyStake and Santeda International have not yet issued a public comment as of publication.
This investigation is ongoing. Curaçao Chronicle will continue to follow developments and report as more information becomes available.