A new whistleblower dossier strengthens FinTelegram’s earlier reporting on GammaG, the Georgian payment processor operating as GammaG. The new material does not prove common ownership with CoinsPaid, CryptoProcessing, or the wider Dream Finance ecosystem. But it does show something operationally important: a merchant relationship that allegedly began through CoinsPaid appears to have been routed into GammaG, then collapsed into a prolonged funds dispute, opaque “bank return” claims, and a notice that the servicing entity would be shut down. In the post-Lithuania environment, that is exactly the kind of pattern compliance professionals should pay attention to. Key Findings A whistleblower says a merchant seeking crypto payouts was onboarded through CoinsPaid but ultimately signed to GammaG. The merchant says it topped up its wallet with $30,000, after which the funds effectively disappeared for months. Uploaded emails show GammaG repeatedly claiming the money had been returned by the bank, while failing to provide documentary proof. In a separate email chain, GammaG informed the same client that the servicing legal entity would be closed and the contract terminated due to “operational and compliance requirements across various jurisdictions.” This sequence strengthens FinTelegram’s working hypothesis that GammaG may have served as a continuity or substitute rail for parts of the CoinsPaid / CryptoProcessing / Dream Finance orbit. The Merchant Trail Is the Real Story According to the whistleblower, the affected business is a YouTube creator payment network that pays partners a revenue share. Some clients wanted to receive their payouts in crypto, so the company used CoinsPaid. But instead of remaining in a clearly branded CoinsPaid relationship, the merchant says it was ultimately contracted through GammaG. It then topped up its wallet with $30,000, and the money allegedly became stuck for almost a year. That matters because this is not just another support complaint. It goes to the compliance core: who actually contracted the merchant, who controlled the wallet, who touched the funds, and which entity carried the AML and conduct obligations. The Emails Add Evidentiary Weight The uploaded correspondence materially supports the whistleblower’s account. In one thread, GammaG told the merchant that the funds had been returned by the bank and asked the client to verify receipt. When the merchant replied that nothing had arrived, GammaG said it had requested formal payment confirmation and would forward it once received. But in the materials provided to FinTelegram, no such proof appears. Instead, the merchant repeatedly escalated, stating: “We’ve received nothing yet,” then demanding proof, and later warning that the matter would become public and criminal complaints would follow. That is a serious red flag. If a processor claims that funds were returned through a banking partner, it should be able to produce a clear documentary trail. The Shutdown Notice Is Even More Telling A second email thread may be even more revealing. There, GammaG told the merchant that the legal entity providing services would be formally closed and would cease operations. As a result, the contractual relationship would need to be terminated. GammaG attributed this to a review of “operational and compliance requirements across various jurisdictions.” That is not routine language. It suggests an entity under stress, whether due to restructuring, banking pressure, jurisdictional risk, or migration into another vehicle. Combined with the unresolved funds issue, the message points to something larger than a single merchant dispute. It suggests an unstable servicing chain at the very moment the legal entity itself appears to have been in flux. The GammaG emails — citing “ongoing review of operational and compliance requirements across various jurisdictions” — mirrors the language used by Dream Finance UAB in its Lithuanian suspension notice and the liquidation notices in El Salvador and Poland. This is a recurring playbook: regulatory pressure triggers entity closure, but client funds are not returned — they are “in transit from the bank” indefinitely, and communications degrade into automated ticket responses with no substance. Why This Fits the Existing FinTelegram Hypothesis FinTelegram has already reported on the apparent proximity between GammaG, CoinsPaid, CryptoProcessing, and the wider Dream Finance / SoftSwiss ecosystem. The new whistleblower material does not prove formal integration, but it does reinforce the functional closeness FinTelegram had already identified. That is especially relevant because Dream Finance’s Lithuanian route came under pressure as the regulatory perimeter tightened. In that context, a Georgian processor assuming a more prominent role would make obvious operational sense. If one structure becomes impaired, another node in the network may pick up the flow. This is why GammaG matters. The issue is not whether the public-facing brands look separate. The issue is whether GammaG functioned as a continuity rail when older structures became less usable. Why GammaG Fits the Existing FinTelegram Hypothesis FinTelegram’s earlier reporting already placed GammaG in the same investigatory field as CoinsPaid, CryptoProcessing, Dream Finance, and the broader SoftSwiss payment orbit. The new whistleblower information does not overturn that reporting. It reinforces it. The critical point is this: the source says it came to GammaG through CoinsPaid. That alone does not prove common ownership. But it does strongly support the view that GammaG was not operating in isolation. Rather, it appears to have been functionally close enough to the CoinsPaid channel to serve as a contracting or operational endpoint for a merchant relationship that originated there. That is precisely the kind of arrangement investigators need to scrutinize. In high-risk sectors, especially those touching crypto, gambling, offshore merchants, and cross-border processing, the real structure often only becomes visible when a merchant relationship breaks down. And when it breaks down, the most important question is usually not what the public-facing brand says. It is which entity actually held the risk, touched the funds, and dealt with the banks. The Dream Finance Context Makes GammaG More Important This case cannot be viewed in isolation from the regulatory backdrop. As FinTelegram has reported, the Dream Finance Group, associated with CoinsPaid and CryptoProcessing, was forced to retreat from Lithuania at the end of 2025 as the regulatory perimeter tightened. That matters because Lithuania had long been a favored jurisdiction for crypto and payment structures serving cross-border business. Once those structures became impaired or politically costly, any ecosystem dependent on them would need alternatives. That is where GammaG becomes strategically interesting. A Georgian company stepping into a more prominent role would make obvious operational sense. Georgia sits outside the tightening EU crypto perimeter, offers geographic and structural distance, and can function as a useful alternative base for higher-risk payment activity if Lithuanian channels become unavailable or commercially toxic. This is why the new whistleblower material matters so much. It adds a concrete merchant-side example to a broader pattern FinTelegram has already been documenting: when one legal route closes, another node in the network appears to pick up the flow. The GammaG–CoinsPaid–SoftSwiss Triangle The wider context is what gives the GammaG material its investigative significance. CoinsPaid and CryptoProcessing sit within the Dream Finance cluster, while SoftSwiss is not just a gaming software name in the background. SoftSwiss publicly said that FinteqHub was developed by its PSP team, and Ivan Montik’s official SoftSwiss biography states that he serves as an adviser and mentor at CoinsPaid. Those are not rumor-level associations; they are public statements from SoftSwiss itself. Read more about the Dream Finance Group here. FinTelegram’s prior investigations establish the structural context: GammaG LLC (Georgia) surfaces behind the “CoinsPaid” deposit button at offshore casinos such as Vegadream (Starscream Group), where the merchant descriptor explicitly reads “STARDUST GLOBAL CCS LTD (Starscream)”. GammaG and CoinsPaid are presented jointly as a combined rail in iGaming support documentation (“Coinspaid / GammaG”), confirming operational integration rather than coincidence. The Dream Finance Group (CoinsPaid / CryptoProcessing) is controlled by beneficial owners Max Krupyshev (CEO, Ukraine) and Alexander Horst Riedinger (Austria), with entities spanning Estonia, Lithuania (now shut), El Salvador (liquidated), Poland (liquidated), Delaware, and Canada. Dream Finance UAB (Lithuania) suspended all crypto services at the end of 2025 following the expiry of MiCA transitional arrangements and the Bank of Lithuania’s enforcement wave. FinTelegram’s hypothesis — confirmed by the whistleblower — is that GammaG serves as a Georgian jurisdictional escape hatch: when EU/Baltic entities face regulatory closure, client funds and processing activity are routed through GammaG, which operates outside MiCA’s reach and with minimal Georgian VASP oversight. The whistleblower’s own reference to maxkrupyshev.com in his March 5 email to GammaG confirms that clients themselves have connected the dots between GammaG and CoinsPaid’s CEO. Conclusion: Another Piece of the Same Puzzle The new whistleblower information is not the whole story. But it is another meaningful piece of the same puzzle. It confirms that GammaG was not just a name surfacing in technical breadcrumbs or side references. It was a real operational and contractual counterparty in a merchant relationship that, according to the whistleblower, originated through CoinsPaid. It also confirms a disturbing pattern: missing funds, unverified claims of a bank return, evasive communication, and a sudden notice that the servicing entity itself would be closed. In FinTelegram’s assessment, this materially strengthens the working hypothesis that GammaG sits closer to the CoinsPaid / CryptoProcessing / Dream Finance ecosystem than public branding alone suggests. In the shadow world of offshore gambling, crypto processing, and high-risk merchant flows, that is exactly how the real payment chokepoints tend to reveal themselves. GammaG now deserves to be treated not as a peripheral Georgian curiosity, but as a priority node in the continuing investigation into the real payment infrastructure behind the CoinsPaid and SoftSwiss orbit. Summary Data CategoryDetails CategoryDetailsEntityGammaG LLC (Georgia)Domaingammag.geContactaccounts@gammag.geRelated BrandsCoinsPaid, CryptoProcessingParent GroupDream Finance Group (CoinsPaid / CryptoProcessing)Beneficial OwnersMax Krupyshev (CEO), Alexander Horst RiedingerKnown Casino ConnectionsVegadream, Rant Casino (Starscream Group); merchant descriptor “STARDUST GLOBAL CCS LTD (Starscream)”Whistleblower Incident$30,000 frozen (Enfinity/enfinity.com); funds not returned; contract terminated March 2, 2026Regulatory ContextDream Finance UAB (Lithuania) shut down Q1 2026 (MiCA); El Salvador and Poland entities liquidated; GammaG (Georgia) appears to serve as offshore continuation vehicleRisk Rating Critical Whistle42 Call If you have contracts, onboarding packs, bank correspondence, wallet screenshots, transaction hashes, settlement records, KYB files, internal chats, or compliance memos involving GammaG, CoinsPaid, CryptoProcessing, Dream Finance, or SoftSwiss-linked payment structures, contact FinTelegram securely via Whistle42. We are particularly interested in material showing: the actual contracting entity behind merchant onboarding, which entity held or controlled merchant funds, banking partners involved in returns or settlements, and any evidence of migration from Lithuanian structures into Georgian or other substitute vehicles. Share Information via Whistle42

A player communication reviewed by FinTelegram raises a serious compliance question for Revolut: did the fintech initially tell a customer that Mastercard chargebacks had been raised and finally decided, only to later admit that no chargebacks had been submitted at all? Against the backdrop of FinTelegram’s long-running investigations into illegal offshore casino payment rails, the case sharpens a broader issue: whether Revolut’s controls are robust enough when gambling payments are routed through open-banking facilitators, masked descriptors, and intermediary payment layers. Key Findings A player exchange reviewed by FinTelegram indicates that Revolut first suggested disputes had gone through Mastercard and reached a final outcome, then later admitted that no chargebacks had been submitted and the cases were closed internally. Revolut publicly says it may block illegal gambling transactions where required by local law and offers an optional “gambling block,” but that control is disabled by default and depends on transactions being identified as gambling. Revolut Business states that “gambling and quasi-cash merchants” are unsupported industries, which makes repeated casino-related payment exposure especially sensitive from a compliance perspective. Revolut’s current UK personal terms do not amount to a blanket retail ban on gambling for all adults; they prohibit illegal use generally, while the specific gambling-establishment block in the published UK terms is expressly stated for 16–17 accounts and is based on MCC classification. The European Banking Authority says payment institutions are commonly associated with elevated ML/TF risk, especially where they serve higher-risk sectors such as gambling and crypto, use cross-border models, platforms/marketplaces, intermediaries, and weak transaction monitoring. Dutch regulator Ksa has explicitly said it can issue binding directives to payment service providers to stop facilitating illegal gambling operators, showing that payment rails are now firmly inside the enforcement perimeter. The Player Evidence: Why This Exchange Matters FinTelegram reviewed screenshots of a player’s communication with Revolut concerning disputed casino-related transactions. In the first phase of the exchange, Revolut support reportedly told the player that the cases had been submitted through Mastercard under the appropriate dispute categories, that intermediary descriptors had been taken into account, and that final decisions had already been reached, leaving no reopening or pre-arbitration rights. The player then pressed for the audit trail that would ordinarily exist if Mastercard chargebacks had really been initiated: chargeback reference numbers, ARNs, dispute reason codes, submission dates, second presentment status, pre-arbitration steps, and confirmation of whether Mastercard or the acquirer had actually reviewed the disputes. That pressure appears to have produced the key admission. In the later exchange, Revolut support allegedly confirmed that no chargebacks were submitted to the acquiring banks, that the disputes were closed internally, and that the Mastercard chargeback process was not initiated. If that reading is correct, the issue is not merely an unfavorable outcome for the player. It is a potentially misleading description of what process was actually used. From a compliance standpoint, this distinction is critical. A customer told that a scheme chargeback was raised and rejected is in a very different position from a customer whose bank simply made an internal decision not to initiate the scheme process at all. Revolut’s Published Position on Gambling Revolut’s public materials show a mixed picture, but not a simple one. Revolut says its optional “gambling block” can block card payments identified as gambling, including bookmakers, online casinos, and sports betting apps, but it is disabled by default when an account is opened. Revolut also says that in some European countries it is required to block transactions to and from illegal gambling providers and that it enforces regulator lists on a legal basis. At the same time, Revolut’s published UK personal terms do not impose a blanket prohibition on adult retail customers using accounts for gambling. The general restriction is on using the account for illegal purposes. The specific published gambling-establishment card restriction appears in the schedule for 16–17 accounts, where Revolut says it relies on the merchant’s MCC code rather than the actual details of the purchase. For business users, the position is stricter. Revolut Business lists “gambling and quasi-cash merchants” among unsupported industries. That means the more accurate compliance framing is this: Revolut clearly recognizes gambling as a special-risk area and claims some control mechanisms, but those controls depend heavily on identification, classification, and legal-trigger lists. That leaves obvious room for failure when gambling payments are laundered through alternative descriptors, intermediaries, or open-banking layers. Why Open Banking Changes the Risk Picture This is where FinTelegram’s broader payment-rails research becomes highly relevant. Revolut Bank UAB is licensed in Lithuania as a bank and is authorized not only for core banking activity but also for payment functions including card-based payment execution, acquiring of payment, money remittance, payment initiation services, and account information services. Meanwhile, open-banking specialists such as Yapily Connect are regulated payment-initiation providers; Yapily’s own site says Yapily Connect UAB is regulated by the Bank of Lithuania and that Yapily offers solutions for iGaming. ACPR’s 2017 annual report states that Perspecteev became the first company licensed in Europe to provide the PSD2 account-information and payment-initiation services. Read our Yapily reports here. This matters because a bank like Revolut does not necessarily “accept” an illegal casino as a formal gambling merchant in the classic acquiring sense for risk to arise. The risk can emerge one layer earlier or later in the chain: the player sees a casino front-end; the payment is routed through an open-banking facilitator or gateway; the bank sees a payment initiation request, a proxy payee, or an intermediary descriptor; the real economic beneficiary or gambling context may be obscured or fragmented across entities and steps. That is precisely the kind of layered structure regulators worry about. The EBA says payment institutions often serve higher-risk sectors including gambling and crypto; that platforms and marketplaces add layers that increase overall ML/TF risk; and that intermediaries, cross-border models, and poor transaction monitoring materially increase exposure. Descriptor Masking, MCC Dependence, and “Transaction Laundering” Risk Revolut’s own published terms for younger users are revealing on one point: when it blocks gambling-establishment purchases, it says it relies on the merchant’s registered business type (MCC code), not the actual details of what is being bought. That is not evidence of wrongdoing by Revolut. But it does show the structural vulnerability. If the effective gambling payment is disguised through: a non-gambling MCC, a gateway or facilitator descriptor, a substitute payee, a marketplace- or platform-like wrapper, or an open-banking payment flow that does not transparently present the underlying gambling merchant, then gambling controls tied to classification, merchant type, or local blocklists may be less effective in practice. This is the heart of the player’s complaint in the screenshots. The player did not argue that intermediaries are prohibited per se. The complaint was that descriptors such as MBM Ramp, BlueOC, Sknvrs, or TransferOp Payment Gateway Ltd may have obscured the true merchant and the real nature of the funded service, which in turn could affect whether Revolut framed the disputes correctly and whether it should have attempted scheme remedies at all. For FinTelegram’s long-running offshore casino investigations, that is a familiar pattern: a regulated payment or open-banking rail at the visible front, with the unlawful gambling context concealed by payment architecture. The Enforcement Angle: Why Regulators Could Take Interest Revolut is already under supervisory pressure elsewhere. The Bank of Lithuania’s public register shows Revolut Bank UAB was fined €3.5 million on 4 April 2025 for AML/CFT-related violations, and it also lists earlier sanctions and warnings, including prior AML/CFT measures and other enforcement actions. The EBA’s 2023 report on payment institutions is directly relevant here. It says the sector is commonly associated with higher ML/TF risk; that gambling companies are proportionately more common among PI customers than in banking; that platforms and marketplaces add layers; that payment institutions often have a higher risk appetite than retail banks; and that common weaknesses include insufficient transaction monitoring, poor suspicious transaction reporting, weak governance, and overreliance on banks to detect suspicious activity. Against that background, a regulator looking at persistent illegal-casino rail exposure through Revolut would likely focus on several questions: Transaction monitoring: Did Revolut identify repeat patterns consistent with illegal gambling or payment laundering? Counterparty due diligence: Did it understand who the real payees and facilitators were behind recurring open-banking and gateway flows? Customer dispute handling: Did it properly classify customer disputes where merchant descriptors may have masked the underlying transaction? Governance and escalation: Were recurring casino-related complaints treated as isolated customer-service incidents or as a broader compliance signal? Country-specific blocking obligations: Where regulators publish blacklists or require payment blocking, were those obligations implemented effectively? That last point is not theoretical. The Dutch gambling regulator Ksa has publicly said that since online gambling legalization it has the power to issue a binding directive to payment service providers to stop facilitating illegal gambling operators. In other words, payment firms are no longer peripheral to gambling enforcement. They are increasingly treated as chokepoints. Could Revolut Face Regulatory Action? Potentially, yes. Whether any specific action is warranted would depend on the underlying facts, but the possible supervisory pathways are clear. For its EU banking operations, the Bank of Lithuania and, depending on context, ECB-linked supervisory structures could examine whether Revolut’s AML/CFT systems, transaction monitoring, governance, and high-risk-sector controls are adequate. In the UK, the FCA and PRA would be interested in governance, systems and controls, customer treatment, and financial-crime risk management where UK-regulated entities are involved. Gambling regulators in relevant jurisdictions may also scrutinize whether payment providers are facilitating payments to blacklisted or unlicensed operators despite national blocking regimes. None of that means Revolut has knowingly accepted illegal casino operators as direct merchants on its own books. In many cases, the more plausible compliance concern is indirect facilitation: allowing payments to pass through regulated-looking open-banking or gateway layers that conceal the true gambling destination. But from a supervisory perspective, that distinction does not eliminate the problem. It sharpens the question of whether the bank’s controls are good enough for the business model and risk environment in which it operates. FinTelegram’s Preliminary Compliance View Based on the player material reviewed and the wider payment-rails context, FinTelegram’s preliminary view is as follows: Revolut’s exposure to the offshore casino ecosystem appears less like an isolated edge case and more like a recurring control problem tied to modern payment architecture. The central risk is not simply “gambling” in the abstract. It is the combination of: illegal offshore operators, open-banking facilitators, intermediary descriptors, fragmented counterparties, cross-border payment chains, and consumer disputes that can be misframed if banks rely too heavily on formal descriptors rather than economic reality. If Revolut support first told the player that Mastercard chargebacks had been submitted and finally decided, then later admitted they had never been initiated, that raises uncomfortable questions not only about customer communications but about whether the underlying payment pattern was truly investigated on its substance. Call for Whistleblowers If you have used Revolut in connection with offshore casinos, open-banking gambling deposits, masked merchant descriptors, failed withdrawals, or refused chargeback requests, FinTelegram would like to hear from you. In particular, we are interested in: screenshots showing how Revolut described disputed gambling payments, transaction records involving open-banking facilitators or generic gateway descriptors, cases where a chargeback was said to be “rejected” but may never have been raised, and examples of repeated deposits to casino-linked payment chains despite Revolut’s published gambling controls. Please share documents, screenshots, and payment records confidentially via Whistle42. Your information may help establish whether this is a customer-service failure, a descriptor problem, or a broader compliance blind spot in one of Europe’s most important fintech payment rails. Share Information via Whistle42

The Ukrainian fintech group Fondy raises a difficult compliance question. In the UK, Fondy Ltd is an FCA-authorised EMI with minimal reported turnover and repeated losses. In Austria, its ultimate parent V & A Holding GmbH entered insolvency in February 2026 and lists Valeriia Vahorovska and Ronny Pecik as shareholders. In Ukraine, the National Bank (NBU) cancelled the participation of LLC FC “Alliance”, operating under the Fondy brand, in Visa and Mastercard payment systems after receiving documented information indicating national-security risks. The public record does not prove a laundering scheme. It does, however, present a multi-jurisdictional structure that merits serious regulatory and forensic scrutiny. Key Findings Weak UK operating profile: Fondy Ltd reported only £72,927 turnover in 2024 against a £645,415 annual loss, while year-end cash fell to £71,617. Its directors explicitly relied on continued support from V&A Holding GmbH in the going-concern note. Repeated recapitalisation: Companies House and the audited accounts show continuing share-capital increases, with called-up capital rising to £3,997,742 at 31 December 2024 and to £4,323,445 by 31 December 2025. Austrian parent insolvent: Austrian insolvency records show V & A Holding GmbH, Börseplatz 4, Vienna, entered into insolvency procedures on 16 February 2026. AKV identifies Valeriia Vahorovska as managing director and shareholder, and Ronny Pecik as shareholder. Official Ukraine action: The NBU said it cancelled the registration of LLC FC “Alliance” as an indirect participant in Visa and Mastercard after receiving documented information from law-enforcement and a specialised state body indicating risks of threats to Ukraine’s national security. The NBU also said the Fondy trademark is owned by V&A Holding GmbH and that Vahorovska is a 95% participant and director of that Austrian company. Pecik link adds geopolitical sensitivity: A reviewed October 2015 intelligence-style report describes Pecik as having ties to Russian and Ukrainian oligarch interests, including the Klyuev brothers, Deripaska and Vekselberg, and says some related Austrian vehicles were operated from addresses linked to him. Those claims should be treated as attributed intelligence/reporting, not as proven fact in this article. UK Layer: Fondy Ltd Looks Funding-Dependent, Not Revenue-Driven Fondy Ltd’s 2024 audited accounts show a company that is still not funding itself commercially. Turnover fell from £77,951 in 2023 to £72,927 in 2024. Cost of sales exceeded turnover, producing a gross loss of £98,474. Administrative expenses were £754,264, and the company ended the year with a loss of £645,415. Cash at bank fell to £71,617, while net cash used in operations was £713,191. The balance sheet also shows heavy intra-group dependence. Of £847,810 debtors, £842,719 was owed by group undertakings. The notes identify Fondy Group Limited as the immediate parent and V&A Holding GmbH as the ultimate parent. The directors’ going-concern note explicitly relies on continued support from V&A Holding GmbH. Share capital rose to GBP 3,997,742 after GBP 1.55m of new equity in 2023–2024, but cash declined to GBP 71,617; the main asset is GBP 842,719 “amounts owed by group undertakings”, primarily V&A Holding GmbH. Companies House and Fondy’s own disclosures show Valeriia Vahorovska as sole director and person with significant control, while FinTelegram’s information places her residence in Vienna. The UK entity therefore appears as a capital‑funded regulatory wrapper, economically dependent on a foreign holding and intra‑group flows rather than genuine UK‑market revenues. Austrian Layer: V&A Insolvency and the Pecik Shareholder Link The Austrian parent is no longer a theoretical support pillar. Both KSV1870 and AKV report that V & A Holding GmbH, headquartered at Börseplatz 4, 1010 Vienna, entered insolvency proceedings in February 2026. AKV identifies the company as a financial-services business and names Valeriia Vahorovska as managing director and shareholder and Ronny Pecik as shareholder. That matters because Fondy Ltd’s UK going-concern case depends on support from this Austrian entity. It also sharpens the importance of the shareholder base and the Vienna address itself. The user’s point that Börseplatz 4 is associated with the same Vienna business milieu around Pecik and Zapotocky is directionally relevant, but based on the currently cited public sources, the article should state only what can be clearly supported: Pecik is a recorded V&A shareholder, and the insolvent V&A entity is based at Börseplatz 4. Ukraine Layer: Official National-Security Risk Action The strongest Ukraine point is the official one. On 29 April 2024, the National Bank of Ukraine (NBU) announced that it had cancelled the registration of LLC FC “Alliance” as an indirect participant in Visa and Mastercard payment systems. The NBU said it took this step after receiving documented information from law-enforcement and a specialised state body that the company’s activity contained risks of threats to Ukraine’s national security. It also stated that the company operated under the Fondy brand and that the trademark owner was V&A Holding GmbH, in which Valeriia Vahorovska was a 95% participant and director. Ukrainian reporting cites NBU and SBU sources as alleging that: 80–90% of Fondy’s transactions were miscoded, disguising real merchant activity, under‑reporting volumes and facilitating tax evasion. Fondy’s technology and affiliates supported the “Unified Wallet W1”, which operated on occupied territories and allegedly routed payments from Ukraine to occupied Donetsk and onward to Russia. Vahorovska’s brother Bondarenko ran related payment activity in Russia, paying taxes there, while leasing software from the Ukrainian Fondy entity. These findings mirror international typologies of transaction laundering and sanctions‑sensitive cross‑border value transfer and are directly relevant to assessing the residual risk in the Fondy group and its successor structures. Ukrainian media and security sources connect Vahorovska to: (i) husband Volodymyr Vahorovskyi, whose associates created the W1 wallet used on occupied territories, and (ii) brother Aleksei Bondarenko, who allegedly ran payment business in Russia and rented software from Fondy while paying taxes there. Note: The official NBU notice does not itself state the percentages of alleged miscoding, nor does it expressly set out the more detailed Russia/DNR allegations seen in Ukrainian media. Ireland–Georgia layer: TBC‑anchored restructuring of Fondy A fourth, structurally important layer of the Fondy ecosystem operates between Ireland and Georgia, centred on TBC Bank Group and its UK holding vehicle. Registry and press information indicate that, while Ukrainian regulators were preparing to revoke Fondy’s licence, the group’s European technology and payment operations were being partially re‑platformed into an Irish structure co‑owned with TBC. Irish filings show Fondy IT Dev and Research Limited (Irish Co. 623874) as a Fondy‑branded development company whose largest shareholder is Fondy Payments Limited (Irish Co. 642231). Companies House filings show that Fondy IT Dev and Research Limited was controlled by Valeriia Vahorovska in 2024. SoloCheck and related data identify Fondy Payments Limited as having TBC INTERNATIONAL HOLDINGS LIMITED (UK) as its largest shareholder, while Ukrainian/English‑language media report that the Georgian TBC Bank Group obtained Antimonopoly Committee approval in April 2024 to acquire control over “Fondy Payments Ltd” and the Ukrainian Fondy entity FC Elains (ООО ФК «Элайенс»). Companies House records link TBC International Holdings Limited (15122698) to Georgian banker Vakhtang Butskhrikidze (LinkedIn), CEO of the TBC Group, with TBC BANK GROUP PLC listed as founder, confirming that Fondy’s Irish payments vehicle is structurally embedded in the TBC group. From a compliance perspective, this Ireland–Georgia leg means that Fondy’s core technology and European client‑facing payment capabilities have been partly shifted into an Irish platform backed by a listed Georgian banking group, while: The Ukrainian Fondy licence has been revoked on national‑security and miscoding grounds. The Austrian ultimate parent V&A Holding GmbH (historical controller of Fondy alongside Ronny Pecik and Valeriia Vahorovska) is insolvent. The UK EMI Fondy Ltd remains chronically loss‑making and dependent on capital from V&A. This configuration raises significant questions: To what extent did the Irish–TBC structure effectively migrate “clean” parts of the Fondy business (technology, selected clients, EU market access) into a fresh vehicle, leaving high‑risk historic flows and liabilities behind in the Ukrainian, Austrian and UK legacy entities? Whether TBC’s acquisition process adequately accounted for NBU and security‑service concerns regarding Fondy’s past miscoding, possible links to Russian/“DNR” payment infrastructures, and its role in high‑risk broker/gambling payments. Accordingly, any counterparty dealing with Fondy Payments Limited (Ireland), Fondy IT Dev and Research Limited, or TBC‑associated Fondy infrastructure should treat the Ireland–Georgia layer as an integrated part of the Fondy risk complex and apply enhanced due diligence, including historic‑relationship mapping back to Ukrainian Fondy, V&A Holding GmbH, and Fondy Ltd (UK). The Pecik Dimension: Why It Raises the Temperature Ronny Pecik’s presence in V&A changes the texture of the Austrian link. Pecik is an Austrian businessman with unusually strong Austria–Ukraine–Russia connections, including relationships with the Klyuev brothers, references to Viktor Vekselberg, Oleg Deripaska, Dmytro Firtash, and others, and assertions that Austrian corporate infrastructure linked to Pecik intersected with politically exposed Ukrainian and Russian-linked networks. Again, these are claims in a reviewed report, not findings independently proven here. But they are relevant context when assessing why a Fondy/V&A structure involving Pecik deserves enhanced scrutiny. Summary Table LayerEntity / PersonJurisdictionVerified roleRisk relevanceUK EMIFondy LtdUnited KingdomFCA-authorised EMI; active company; loss-making and funding-dependentWeak economic substance profileAustrian parentV & A Holding GmbHAustriaUltimate parent in Fondy accounts; insolvent from 16 Feb 2026Parent-support and prudential concernIreland-Georgia-UKFondy IT Dev and Research LimitedFondy Payments LimitedTBC International Holdings LimitedIrelandUKGeorgiaFondy IT Dev and Research was part of the Fondy group until at least Dec 2024Possible asset deal between Fondy and Georgian TBC groupKey executiveValeriia VahorovskaUK / Austria / Ukraine nexusDirector of Fondy Ltd; shareholder/MD of V&A per Austrian insolvency sourceCentral control figureShareholderRonny PecikAustriaShareholder of insolvent V&A per AKVRaises geopolitical and integrity questionsUkraine operating brandLLC FC “Alliance” / FondyUkraineFondy-branded entity removed from Visa/Mastercard indirect participation by NBUOfficial national-security-risk action Conclusion The cleaner and stronger compliance case is this: Fondy is not being accused here of proven money laundering on the current public record. But the structure around it is deeply problematic. The UK EMI shows negligible turnover and persistent losses; the Austrian parent that underpins its going-concern case is insolvent; the Ukrainian Fondy-branded entity was removed from Visa and Mastercard participation on national-security-risk grounds; and the Austrian shareholder picture includes Ronny Pecik, whose broader Eastern-European and oligarch-linked associations have long attracted scrutiny. That combination is more than enough to justify closer attention from regulators, counterparties, and investigative journalists. Whistleblower CallFinTelegram invites insiders, former employees, auditors, counterparties, compliance staff, and technical contractors with information about Fondy Ltd, V & A Holding GmbH, Valeriia Vahorovska, Ronny Pecik, intercompany funding, merchant onboarding, Ukraine payment flows, or related Austrian and Ukrainian structures to contact Whistle42 securely. We are especially interested in source-of-funds evidence for capital increases, intercompany-transfer records, software-licensing arrangements, and documents explaining the operational relationship between the UK EMI, the Austrian parent, and the former Ukrainian Fondy-branded entity.

The Holyluck whistleblower dossier has pushed one name to the foreground: Alona Shevtsova, the person with significant control of UK EMI Smartflow Payments Limited, dba SENDS. Ukraine’s Economic Security Bureau reports Shevtsova is a suspect in a UAH 5 billion “miscoding” case tied to illegal online casinos, and Poland has now detained alleged accomplice Iryna Tsyhanok in that same case. In a follow-up to the Holyluck report, FinTelegram examines what the ESBU announcement says, how the alleged laundering architecture worked, and why the combination of offshore casinos, merchant masking, and regulated payment rails deserves urgent scrutiny. Key Findings ESBU case is real and current: Ukraine’s ESBU says Iryna Tsyhanok was detained in Poland in a case involving UAH 5 billion in alleged miscoded payments for illegal online casinos, and names Alona Shevtsova as a suspect. IBOX Bank is central to the historical scandal: Ukraine’s central bank revoked IBOX Bank’s license in March 2023 for systematic AML/CFT violations. SENDS/Smartflow adds a new rail: Smartflow Payments Limited is an active UK company and an FCA-authorized EMI under FRN 900873; Companies House lists Alona Shevtsova as the active person with significant control. The alleged method is the key story: The ESBU says the scheme used false payment purposes and controlled companies to disguise illegal-casino transactions as ordinary commerce — the same basic risk pattern raised in the Holyluck dossier. The ESBU Case in Plain Terms According to the ESBU, the alleged scheme revolved around miscoding: casino-related payments were routed through controlled companies and presented with false purposes for non-existent goods and services. The bureau says this enabled illegal online-casino flows to move outside their true risk classification. In April 2025, ESBU announced the detention in Poland of Iryna Tsyhanok, described as Shevtsova’s alleged accomplice and a wanted person in the same UAH 5 billion case. This mirrors the earlier NBU findings on Leogaming Pay / LEO, where over UAH 462 million in 2020 alone were routed as “sports poker and e‑sports tournaments” to companies that never organised such events but in reality collected for illegal casinos, with miscoding to MCC 7994 (video games) rather than gambling MCCs. In both cases, regulators highlight systemic failures (or abuse) of merchant category code assignment and transaction purpose fields, key indicators of deliberate transaction laundering. Tsyhanok’s alleged role as a bank department director suggests internal operational facilitation, including account opening, monitoring overrides, and acceptance of false descriptors for the controlled merchant network. Shevtsova Profile Public records portray the Ukrainian national Alona (Alyona Dehrik‑) Shevtsova as a central architect of Ukraine‑linked high‑risk payment ecosystems, spanning non‑bank payment systems, a bank, and a UK EMI. She founded LeoGaming Pay and the LEO payment system, which regulators later associated with large‑scale processing for illegal gambling via miscoded Visa/Mastercard transactions routed as “sports poker and e‑sports tournament” or video‑game payments, while funds in fact flowed to unlicensed casino operators such as Cosmolot and 1xBet. She subsequently acquired a significant stake in IBOX Bank and served in senior governance roles, steering the institution into the gambling and high‑risk payments sector, and later emerged as the person with significant control and a director of the FCA-regulated E-Money Institution (EMI) Smartflow Payments Limited dba SENDS, creating a vertically integrated structure from non‑bank processor, to bank, to UK EMI. Ukrainian authorities have imposed NSDC sanctions on her and opened criminal proceedings for illegal gambling activities and money laundering, but at this stage she remains a suspect and is entitled to the presumption of innocence. IBOX Bank and Iryna Tsyhanok IBOX matters because it is the historical compliance anchor for the case. Ukraine’s central bank says it revoked IBOX Bank’s license and moved to liquidation over systematic AML/CFT violations. The ESBU’s later account gives the alleged mechanism: payments from illegal-casino players were accepted through controlled entities under false commercial descriptions. In that framework, Iryna Tsyhanok appears not as a peripheral name but as an alleged operational participant in the same miscoding architecture. Why This Matters for Offshore-Casino Payment Rails The Holyluck dossier alleged a familiar pattern: offshore gambling activity presented to payment systems through descriptors and coding that looked like lower-risk commerce, with a routing chain touching TAS Link / PayLink, SENDS / Smartflow, and Quicko. That dossier does not prove criminal intent by those firms. But the ESBU case makes the broader topic timely because it shows Ukrainian authorities are already pursuing a model in which illegal-casino payments were allegedly laundered through miscoding, front entities, and fragmented rails. Companies House and FCA records confirm that Smartflow is an authorised electronic money institution (FRN 900873) and that Alona Shevtsova is the active person with significant control and director, tying the Holyluck flow structurally back to the same individual implicated in the IBOX Bank and LEO gambling‑miscoding cases. Sanctions‑screening red flag: SENDS on OpenSanctions An additional, material risk factor is that Smartflow Payments Limited (trading as SENDS) appears as a listed entity in the OpenSanctions consolidated dataset, under identifier NK‑UoszMKPbMFDALJozSi4NGN, with SWIFT/BIC EPSLGB22 and UK incorporation details matching the FCA‑authorised EMI controlled by Alona (Alyona) Shevtsova. OpenSanctions aggregates official and high‑risk lists from multiple jurisdictions and typology sources; an inclusion does not itself constitute a governmental designation, but for compliance purposes it is a clear high‑risk screening hit that should trigger enhanced due diligence and, for many counterparties, a risk‑based refusal to onboard or to continue the relationship. In the context of the Holyluck payment trail—where SENDS/Smartflow acts as the acquiring endpoint for transactions that appear MCC‑masked and originate from an unlicensed offshore casino routed through Ukrainian TAS Link/PayLink layers—this OpenSanctions listing significantly amplifies the risk profile. Financial institutions, card schemes, and payment partners exposed to SENDS should therefore: (i) treat the brand as a sanctions‑screening “red” and subject to escalated review; (ii) reassess existing relationships and exposure to Holyluck and other high‑risk merchants transacted via SENDS; and (iii) ensure that all new and historical traffic involving SENDS is subjected to targeted AML/CTF reviews, including transaction‑pattern analysis and retrospective sanctions‑screening reconciliation. Summary Conclusion This is the compliance story to watch: not merely offshore casinos, but the payment presentation layer around them. If the ESBU is right, the scandal was never just gambling; it was about disguising gambling as something else. The Holyluck follow-up makes that issue newly relevant in a UK-regulated context because SENDS / Smartflow now sits on the map. That is not proof of repetition. It is, however, a strong reason for supervisors, schemes, and investigators to look much harder. Summary Table Name / BrandEntity / PersonJurisdictionApparent RoleAlona ShevtsovaPSC of Smartflow Payments; sanctioned figure in Ukraine reportingUK / UkraineControl and continuity-risk figureSENDS(www.sends.co)Smartflow Payments LimitedUnited KingdomFCA-authorized EMI; current regulated railIBOX BankBank liquidated after license revocationUkraineHistorical banking rail in AML scandalIryna TsyhanokAlleged accomplice detained in PolandPoland / UkraineAlleged operational participant in ESBU caseIllegal online casinosNot exhaustively identified in ESBU releaseCross-border / offshoreUnderlying high-risk merchant activityControlled companies / false descriptorsNot fully named in ESBU releaseMulti-jurisdictionalAlleged merchant-masking layer Whistleblower Call FinTelegram invites insiders with evidence on Alona Shevtsova, Smartflow / SENDS, IBOX Bank, Iryna Tsyhanok, miscoded casino flows, or related acquiring and payout rails to contact Whistle42 securely. We are especially interested in onboarding files, MCC decisions, descriptor mapping, acquirer correspondence, and internal AML escalations. Share Information via Whistle42

A whistleblower dossier reviewed by FinTelegram suggests that deposits into the unlicensed offshore casino Holyluck were routed through a layered payment chain involving checkout.agpayer.com, a Paylink node associated with Ukraine’s TAS Link, and Smartflow Payments Limited — the UK electronic money institution trading as SENDS and authorized by the FCA. The dossier includes comprehensive screenshots and other documentations. Here is our report. Key Findings HolyLuck Casino Network: appears to be operated by Costa Ricao-registered Gem Limitata through multiple domains including holyluck.com, holyluck2.com, or holyluck3.com. Named acquirer identified: Newly reviewed correspondence shows TAS Link directing the complainant to SENDS / Smartflow Payments Limited as the acquirer handling the case. MCC 5816 appears in transaction evidence: A reviewed card-transaction screenshot shows a London GBR descriptor, ECOM, tokenized = yes, and merchant category 5816, consistent with the whistleblower’s miscoding allegation. Quicko payout trail reinforced: A separate screenshot shows a payout reference to quickowallet TarnowskieGo POL, supporting the earlier claim that Quicko sat on the payout side of the alleged gambling flow. Regulatory context sharpens the case: Public records show Smartflow Payments Limited is FCA-authorized under FRN 900873, while Companies House records show Alona Shevtsova as the active person with significant control. Ukrainian authorities have separately sanctioned Shevtsova and publicly linked her to an IBOX Bank miscoding case involving illegal casinos. The case also appears broader than a single website. According to additional information provided by the whistleblower, the gambling operation uses multiple Holyluck domains, including holyluck.com, holyluck2.com, and holyluck3.com, and is linked to Gem Limitada, a Costa Rica-registered entity. That multi-domain structure is relevant because it suggests a networked merchant-facing operation rather than an isolated payment event. A Hidden Acquirer Comes Into View The most important development in this whistleblower case is that the acquiring side is no longer opaque. In an email reviewed by FinTelegram, TAS Link LLC told the complainant that the case had been forwarded to the acquirer and instructed the complainant to direct further inquiries to mm@sends.co. That materially changes the profile of the story. What had previously looked like a technically plausible routing trail now points to a specifically named UK-regulated payment institution: Smartflow Payments Limited, trading as SENDS. Public records support that Smartflow Payments Limited is a real and regulated UK EMI. SENDS states on its website that Smartflow is authorized by the FCA under the Electronic Money Regulations and Payment Services Regulations, and the FCA register export lists 900873 – Smartflow Payments Limited – Authorised Electronic Money Institution. Companies House records also show Ms Alona Shevtsova as the active person with significant control and an active director. The whistleblower card-transaction screenshot shows a 50.00 EUR debit with: a London GBR merchant descriptor, merchant category 5816, transaction type: ECOM, and tokenized: yes. A second screenshot shows a payout reference to quickowallet TarnowskieGo POL, consistent with the earlier claim that the payout side of the flow ran through Quicko in Poland.A third screenshot contains the TAS Link message pointing the complainant to SENDS as the acquirer. Taken together, these materials do not yet prove criminal complicity by any party. But they significantly tighten the evidentiary chain: deposit-side presentation → routing-side infrastructure → acquiring-side identification → payout-side endpoint. Why MCC 5816 Matters The compliance significance of the new transaction screenshot lies in the appearance of MCC 5816. The whistleblower’s core allegation is that an offshore gambling deposit was not presented to the card system as gambling, but as a lower-risk digital-goods transaction. Mastercard materials distinguish gambling from digital-goods categories and require acquirers to assign a valid and accurate MCC. If the reviewed screenshot reflects the actual authorization or clearing presentation of an offshore casino deposit, then the case raises a serious question of MCC masking or miscoding rather than a simple consumer dispute. Summary Table: The Alleged Payment Chain Brand / NameLegal EntityJurisdictionApparent RoleEvidence PositionHolyluck(holyluck.com, holyluck2.com, holyluck3.com, etc)Gem LimitadaCosta RicaUnderlying gambling-facing merchant activityPublic information on the Holyluck websitescheckout.agpayer.comNot publicly identifiedUnconfirmedanonymous Checkout / orchestration layerRouting screenshot supports presence in flowpaylink.com.ua / inst3.paylink.com.uaPublicly associated with TAS Link infrastructureUkraineTechnical routing nodeRouting screenshot supports presence in flowTAS Link(www.taslink.ua)TAS Link LLCUkraineProcessing / technical intermediaryReviewed email shows TAS Link directing the complainant to SENDS as acquirerSENDS(www.sends.co)Smartflow Payments LimitedUnited KingdomNamed acquirer in TAS Link correspondenceSupported by TAS Link email plus FCA / Companies House recordsQuickowallet / Quicko(quickowallet.com)Quicko sp. z o.o.PolandApparent payout endpointPayout screenshot supports reference; KNF revocation independently verifiedAlona ShevtsovaPerson with significant control of Smartflow Payments LimitedUkraine / UK company controlOwnership / control contextSupported by Companies House and Ukrainian official/public sources The TAS Link Role Is Now More Concrete The original screenshots suggested a path through checkout.agpayer.com and a paylink.com.ua node. TAS Link’s own materials describe PayLink as an e-commerce and online-payments platform supporting Google Pay, Apple Pay, card payments, transfers, and related payment-system features. TAS Link also publicly states that it has been NovaPay’s processing partner for more than five years and describes itself as a Mastercard Member Service Provider and Visa Third Party Agent. The new evidence does not prove TAS Link was the acquirer. It shows something narrower and important: TAS Link was in a position to identify the acquirer and, when pressed, named SENDS. That distinction matters. It turns TAS Link from a merely inferred routing node into a documented intermediary touchpoint in the transaction trail. SENDS, Smartflow, and the Shevtsova Context Companies House records show SMARTFLOW PAYMENTS LIMITED is active and that Alona Shevtsova is the active person with significant control. SENDS’ own legal and company pages state that Smartflow Payments Limited is the regulated entity behind the SENDS brand and is authorized by the FCA under FRN 900873. That ownership fact is relevant because Ukrainian authorities have already acted against Shevtsova in a separate context. In April 2025, President Zelensky enacted an NSDC sanctions decision that included Alyona/Alona Shevtsova, and the Economic Security Bureau of Ukraine later said that Shevtsova and others were suspected in a UAH 5 billion miscoding scheme linked to illegal casinos. According to the ESBU, the suspects allegedly used controlled companies and false payment purposes describing non-existent goods and services. Separately, the National Bank of Ukraine said IBOX Bank’s license was revoked and liquidation initiated for systematic violations of AML/CFT requirements. The Quicko Side of the Rail The reviewed whistleblower screenshot referencing quickowallet TarnowskieGo POL supports the whistleblower’s claim that a partial payout moved through Quicko sp. z o.o. That matters because Poland’s KNF announced on 21 January 2026 that it revoked Quicko’s authorization to provide payment services as a national payment institution, stated that the decision was immediately enforceable, and required the unwinding of relevant relationships by 30 April 2026. Concluding Summary The Holyluck dossier is a well-documented complaint about an offshore casino deposit. Based on the materials reviewed by FinTelegram, it now presents a troubling payment-chain picture: an alleged gambling-facing transaction, a routing path involving checkout.agpayer.com and paylink.com.ua, a TAS Link email naming SENDS / Smartflow Payments Limited as the acquirer, and a payout reference tied to Quicko in Poland. Read more on checkout.agpayer.com and other anonymous payment gateways here. That does not yet prove that Smartflow, TAS Link, Quicko, or any other intermediary knowingly facilitated illegal gambling or intentionally miscoded the underlying merchant activity. But it suggests that this was not a random payment anomaly. The reviewed screenshots and correspondence point to a cross-border architecture involving a Ukrainian technical node, a UK-regulated EMI, and a Polish payout endpoint — exactly the kind of fragmented structure in which merchant masking, MCC presentation issues, and transaction-laundering risks can arise. The regulatory context makes the case even harder to ignore. Smartflow Payments Limited publicly states that it is FCA-authorized under FRN 900873 and Companies House identifies Alona Shevtsova as the active person with significant control. TAS Link publicly markets PayLink as an e-commerce and online-payments platform and says it has been NovaPay’s processing partner for more than five years. Poland’s KNF publicly announced the revocation of Quicko’s payment-services authorization in January 2026. These are verifiable public facts; the key unanswered question is how they fit the specific Holyluck transaction trail described by the whistleblower. For FinTelegram, the document-backed whistleblower dossier is raising serious compliance questions. The strongest current line is this: a named acquirer has emerged, MCC 5816 appears in the reviewed transaction details, TAS Link explicitly pointed the complainant to SENDS, and the payout side appears to reference Quicko. That is already enough to justify scrutiny by card-scheme compliance teams, AML officers, supervisors, and journalists. Whistleblower Call FinTelegram is continuing to investigate whether the Holyluck case reflects an isolated payment anomaly or part of a broader cross-border processing pattern involving Smartflow Payments / SENDS, TAS Link / PayLink, agpayer, Quicko, and other merchants or casinos using similar descriptor and MCC structures. Insiders, former employees, compliance officers, acquirer-side staff, gateway operators, risk analysts, and merchants with evidence relating to SENDS, Smartflow Payments Limited, TAS Link LLC, paylink.com.ua, checkout.agpayer.com, Quicko, or similar MCC 5816-coded gambling-facing card flows are invited to contact Whistle42 securely. Share Information via Whistle42

Mastercard’s agreement to acquire stablecoin infrastructure specialist BVNK for up to $1.8 billion shows that stablecoins are no longer being treated as a fringe crypto experiment. For one of the world’s largest card networks, they are becoming a strategic payments rail that must be integrated, governed, and monetized. Key Findings Mastercard will acquire BVNK for up to $1.8 billion, including $300 million in contingent payments. The deal is aimed at connecting on-chain payments and fiat rails, especially for cross-border payments, remittances, payouts, P2P, and B2B flows. BVNK has built its business around enterprise-grade stablecoin infrastructure, including payments, payouts, wallets, fiat conversion, and payment orchestration. In Europe, BVNK operates through System Pay Services (Malta) Ltd, which states that it is regulated by the MFSA as an electronic money institution and as a CASP under MiCA. Mastercard is effectively buying licensed stablecoin infrastructure at scale rather than taking years to build it internally. The Deal: Mastercard Moves To Own The Stablecoin Bridge On 17 March 2026, Mastercard announced that it had entered into a definitive agreement to acquire BVNK in a transaction valued at up to $1.8 billion, including $300 million in contingent consideration. Mastercard said the acquisition is expected to close before the end of 2026, subject to customary closing conditions and regulatory approvals. This is not a cosmetic crypto move. Mastercard’s own framing makes clear that the group wants to connect stablecoin-based payments with its global fiat infrastructure. In the company’s words, the transaction is intended to link on-chain payments and fiat rails, supporting use cases such as cross-border remittances, payouts, person-to-person transfers, and business payments. The strategic logic is obvious: if stablecoins become a mainstream settlement layer for international commerce and treasury movement, the traditional card networks cannot afford to stand aside and watch a parallel payments stack emerge without them. Reuters reported that Mastercard viewed acquisition as the faster route, rather than spending years developing the same capabilities internally. Who Is BVNK? BVNK (website) is a stablecoin infrastructure provider that has positioned itself as a bridge between traditional payments and blockchain-based value transfer. On its website, the company presents itself as providing enterprise-grade stablecoin infrastructure for global businesses, including embedded wallets, payment orchestration, custody, payments, liquidity, and conversion between fiat and stablecoins. In its own post explaining the acquisition, BVNK says Mastercard is buying the company for its expertise in building stablecoin infrastructure and that the combined vision is to deliver stablecoin capabilities at Mastercard scale. BVNK also says the deal will help bring stablecoin functionality into Mastercard’s payment endpoints and broader payments ecosystem. This business model matters. BVNK is not primarily being sold as a speculative crypto venue or token issuer. It is being sold as regulated financial infrastructure: the plumbing that lets businesses accept, send, convert, and settle digital-dollar flows in a way that can interface with the conventional banking and payments system. That is precisely the sort of asset a global card network would want to control. This last point is an inference based on Mastercard’s stated goals and BVNK’s product positioning. Why The Regulatory Structure Matters A critical part of BVNK’s value lies in its regulatory positioning in Europe. BVNK’s disclosures state that System Pay Services (Malta) Ltd is authorized and regulated by the Malta Financial Services Authority as an Electronic Money Institution and that BVNK is also authorized by the MFSA as a crypto-asset service provider under Malta’s Markets in Crypto-Assets Act in accordance with MiCA. BVNK separately announced on 16 February 2026 that it had secured its MiCA licence in Malta, allowing it to offer regulated digital-asset services across Europe. In the same announcement, BVNK described its European stack as combining MiCA-regulated crypto services, EMI-regulated euro payments, and direct access to SEPA infrastructure. For Mastercard, this is likely one of the most attractive features of the target. In payments, especially cross-border and digital-asset payments, licences are not a side issue. They are part of the competitive moat. Buying a stablecoin company with an operational European regulatory stack is very different from buying a pure technology play with unresolved licensing questions. That assessment is an inference, but it is strongly supported by the public structure of the deal and the emphasis both parties place on regulated infrastructure. Known Financial Terms The known public terms are relatively straightforward. Mastercard disclosed a total transaction value of up to $1.8 billion, of which $300 million is contingent. Publicly available materials do not appear to spell out the performance triggers or milestones tied to that contingent component. That matters because the headline number may not equal the final value ultimately paid. The contingent portion suggests an earnout-style structure or milestone-linked consideration, which is common where a buyer wants to preserve incentives and manage execution risk in a fast-moving market segment. The exact trigger mechanics, however, have not been publicly disclosed in the sources reviewed. FinTelegram Assessment From a FinTelegram perspective, this acquisition is a strategic marker for the payments industry. Mastercard is not simply buying “crypto exposure.” It is buying regulated stablecoin rails, enterprise infrastructure, and a platform designed to connect blockchain settlement with the fiat financial system. The deeper message is that stablecoins are moving into the financial mainstream. When a global card network is willing to commit up to $1.8 billion for a stablecoin infrastructure provider, the debate is no longer whether stablecoins matter. The debate is who will control the gateways between regulated fiat finance and the new on-chain settlement layer. In that sense, Mastercard is not betting on crypto hype. It is betting on a future in which the winners are the firms that own the interface between traditional payment rails and digital-dollar infrastructure. BVNK, through its Malta-based regulated structure and stablecoin-focused enterprise stack, gives Mastercard a ready-made position in that future. Call For Information Whistleblowers, insiders, payment experts, compliance officers, and former partners with information about BVNK, System Pay Services (Malta) Ltd, stablecoin payment processing, regulatory onboarding, merchant acceptance, payout flows, or related compliance issues are invited to share information with FinTelegram through our whistleblower platform Whistle42. Share Information via Whistle42

RagazzeInVendita (RIV) presents itself as an Italian-facing adult cam/chat platform, but its own terms route payment services through Pagorapido SA in Las Palmas, with card statements said to show Pagorapido. Pagorapido’s own site, in turn, markets payment processing for ecommerce, marketplaces, and online content and states that it is “Property of Hydra Group.” FinTelegram conducted a comparative analysis of RIV’s payment rails against those of XLoveCam and CrushOn.ai. Key findings RIV does not present its card rail under its own name. Its terms identify Pagorapido SA as the payment-services provider and say the card statement will show Pagorapido SA. Pagorapido looks like a front layer, not a transparent PSP disclosure page. The site reads like generic marketing copy, not like a clearly disclosed regulated payment institution. process1.payments.site is not just a generic checkout page. The source code shows a full hosted-payment environment with direct card-data capture, live session logic, and merchant configuration. Source-code analysis shows that process1.payments.site seems to be connected to the Cyprus EMI Payabl. The adult payment setup is multi-layered across several rails. Card payments run through intermediary brands and shadow domains, while SEPA, PayPal, and crypto rails add further routing layers. RIV and XLoveCam appear to use YowPay for SEPA transfers. The reviewed bank-transfer instructions point to a Banking Circle Germany account, with different listed recipients depending on the platform. RIV’s PayPal rail adds another intermediary layer. The reviewed flow points to Epoch / join.wnu.com, while XLoveCam appears to use a more direct PayPal setup. Crypto rails were identified for RIV and XLoveCam. At XLoveCam, the reviewed flow runs through secure.acwebconnecting.com and CoinPayments. The compliance problem is the opacity of the payment chain. Platform brand, payment-facing brand, gateway domain, and underlying processor are split across different layers, raising obvious questions around KYB, MCC assignment, descriptor clarity, monitoring, and processor disclosure. This pattern fits a broader high-risk payments playbook. The more layers inserted between the merchant and the actual processor, the harder it becomes for consumers, counterparties, and supervisors to see who is really handling the transaction. Compliance analysis 1. The disclosed RIV rail and the observed rail do not fully match RIV’s terms are explicit: payment services are provided by Pagorapido SA, and Pagorapido SA is also the card-statement descriptor. That means RIV itself is telling users there is a separate payment layer between the adult platform and the actual card-processing stack. In FinTelegram’s reviewed checkout materials, the live card page was not served from a transparent Pagorapido domain, but from process1.payments.site. That gap matters. In compliance terms, the key question is no longer only “who is the merchant?” but also “which entity is the contractual merchant-of-record, which entity provides the gateway, and which regulated institution is actually underwriting or routing the transaction?” 2. Pagorapido looks more like a façade layer than a transparent PSP Independent review does not show Pagorapido presenting itself like a normal regulated European payment institution. Its site contains generic marketing copy, a single visible contact email, broad claims about serving ecommerce, marketplaces, and online-content sellers, and the footer statement “Property of Hydra Group.” We did not find visible licensing disclosures on the site content reviewed. At the same time, the Spanish company record linked to the same address and CIF named in RIV’s terms shows a general intermediation company profile, not a clearly disclosed PI/EMI profile, and flags registry problems in 2023. That does not by itself prove illegality, but it materially weakens any claim that Pagorapido is a transparent, stand-alone, clearly regulated card processor. 3. process1.payments.site appears to be the real gateway layer The public web fetch of process1.payments.site yields no meaningful corporate disclosure, which is itself notable for a payment touchpoint. FinTelegram’s reviewed materials show two converging facts: traffic flowing from process1.payments.site toward pay4.payabl.com, and a separate adult-adjacent checkout (crushon.ai) loading an iframe from pay4.payabl.com. Taken together, those facts support a strong conclusion that process1.payments.site is not an isolated gateway, but part of a closely tied backend card-processing ecosystem. 4. Payment Gateway Process1 hosted by Payabl FinTelegram commissioned an expert opinion of the high-risk payment gatewayprocess1.payments.site. The forensic analysis indicates that the domain is not an independent generic checkout page but a Payabl-associated hosted payment environment operating under an opaque, non-Payabl-branded domain. The source code shows a direct technical match with Payabl’s HPP architecture, including the /hpp/ routing structure, asset paths, POST endpoints, hidden-field schema, multilingual session flow, and even Payabl branding residue in the favicon, while the live payment session identifies Cyprus-registered TECHIEPIE LTD as the merchant presented to the payer. TECHIEPIE LTD is the legal entity behind the AI-powered adult platform CrushOn.ai (see below). In practical terms, the gateway appears to function as a shadow payment layer that collects card data on behalf of front-end merchants while obscuring the underlying payment-processing relationship from consumers, raising obvious compliance questions around merchant transparency, processor disclosure, and the use of non-branded infrastructure in higher-risk payment flows. Download the Intelligence report for the Payment Gateway 5. Cross-platform recurrence increases the compliance concern The RIV pattern is not isolated in the materials reviewed for this report. FinTelegram’s screenshots show the same process1.payments.site layer appearing in the card rail of xlovecam.com, where the visible intermediary is CCMedia, and in the NSFW AI platform CrushOn.ai, where the iframe described above was separately observed. Independent research confirms that billingccmedia.com redirects to ccmedia.fr; ccmedia.fr identifies CCMedia as a Marseille SARL and advertises “secure internet micropayments.” Independent research also confirms that AC Webconnecting’s terms describe an adult-platform family including XLove, XLovecam, XXXLove, and XLovegay, with users redirected through various domains and white labels. crushon.ai itself identifies TECHIEPIE LTD in Nicosia in its site footer. This reuse of one gateway family across multiple adult or adult-adjacent merchants is a classic signal that risk should be assessed at network level, not merchant by merchant. 6. Why the layering is a compliance problem The EBA’s own work on payment institutions is directly relevant. Supervisors told the EBA that payment institutions often have a higher proportion of higher-risk customers; that platforms and marketplaces create additional layers which increase ML/TF risk; that cross-border business is a major risk factor; that new technology and remote onboarding raise risk; and that widespread use of intermediaries is one of the most significant delivery-channel risks in the PI sector. Applied here, the concern is straightforward: a consumer sees an adult brand, the statement may show a different descriptor, the visible payment brand may itself be opaque, and the underlying gateway may sit inside a different regulated processor’s environment. That can undermine clean KYB, merchant-descriptor accuracy, MCC integrity, chargeback analysis, suspicious-activity escalation, and effective screening of restricted or sensitive merchant categories. Payment Rails Overview SEPA / Bank Transfer RagazzeInVendita (RIV) and XLoveCam appear to use YowPay (yowpay.com) for SEPA deposits. Reviewed payment instructions show transfers routed to a YowPay account at Banking Circle Germany under IBAN DE39 2022 0800 0059 2403 75. The listed recipients differ by platform: Hydro Group for RIV and AC Webconnecting for XLoveCam. No comparable SEPA / bank-transfer rail was identified for CrushOn.ai in the reviewed materials. PayPal All three platforms reviewed appear to offer a PayPal-based fiat deposit option. At RIV, the PayPal flow appears to run via Epoch (epoch.com) and the gateway join.wnu.com, adding an intermediary layer between the platform and PayPal. At XLoveCam, PayPal appears to be integrated more directly, without the additional payment-facilitator layer observed in the RIV flow. CrushOn.ai also appears to offer PayPal as a fiat-funding option. Crypto A crypto rail was identified for RIV and XLoveCam. At RIV, customers appear to deposit directly into designated crypto wallets linked to the platform. At XLoveCam, crypto deposits appear to be routed through secure.acwebconnecting.com and CoinPayments (coinpayments.net). No comparable crypto rail was identified for CrushOn.ai in the reviewed materials. Card Payments The card-payment rail remains the most compliance-sensitive layer in this review. At RIV, the visible payment-facing brand is Pagorapido, while the observed card-processing flow leads into process1.payments.site, a Payabl-associated hosted payment environment. At XLoveCam, the card rail appears to run through CCMedia and then into process1.payments.site. At CrushOn.ai, reviewed materials indicate card-payment exposure through process1.payments.site and a separate Payabl-linked flow via pay4.payabl.com. Compliance Takeaway Across the reviewed adult platforms, the payment architecture appears deliberately layered: visible platform brands sit on top of intermediary payment-facing entities, which in turn connect to underlying gateway infrastructure. This structure may serve commercial and operational purposes, but from a compliance perspective it reduces transparency around the true payment chain, complicates merchant identification, and raises obvious questions around KYB, MCC accuracy, descriptor clarity, monitoring, and processor disclosure in higher-risk merchant segments. Summary table Brand / siteDisclosed entityJurisdiction(s)Observed / declared railCompliance noteRagazzeInVendita (RIV)RIV terms name Pagorapido SA, Calle San Agustin 13, Las Palmas, CIF A76360437Italy-facing front end;Owner: Bulgarian Hydra Group EOOD;Spain payment layerragazzeinvendita.com → Pagorapido SA descriptor/payment layer → observed process1.payments.site gatewayTerms disclose Pagorapido, but reviewed checkout materials indicate a different operational gateway.PagorapidoSite says “Property of Hydra Group”; Spanish company data identifies Pagorapido SAHydra-linked branding; Spain company recordMarkets payment collection for ecommerce, marketplaces, and online contentOpaque PSP presentation; company-data record shows intermediation object and 2023 registry/NIF problems.XLoveCamAC Webconnecting terms place XLovecam within the SNV / ACW platform family; CCMedia is Marseille SARLCuraçao / Netherlands / Francereviewed materials: xlovecam.com → ccmedia.fr / billingccmedia.com → process1.payments.siteShows the same hidden-gateway pattern with a different visible intermediary.CrushOn.AITECHIEPIE LTD shown in site footerCyprus / US (Dover address also shown in footer)reviewed materials: crushon.ai → process1.payments.site; alternate observed rail via Payabl iframeAdult-adjacent AI site reusing the same gateway family strengthens the network-level inference. Call for insiders and whistleblowers: FinTelegram is seeking additional information from insiders at Pagorapido, Hydra-linked entities, CCMedia, AC Webconnecting, acquiring partners, scheme-monitoring teams, and compliance vendors. In particular, we are interested in merchant onboarding files, MCC assignment records, statement-descriptor policies, reserve/chargeback rules, suspicious-activity escalation protocols, and contracts governing the use of process1.payments.site and pay4.payabl.com in adult-payment flows. Please share information confidentially via Whistle42. Share Information via Whistle42

Clearhaus, the Danish acquirer owned by Unzer, says it has become the first Danish acquirer to launch a Payment Facilitator (PayFac) solution. The move is strategically important: it lets regulated platforms embed card acquiring directly into their own products while Clearhaus stays in the background as the licensed acquirer. But in the FinTelegram view, the launch also raises a familiar question: when payment infrastructure becomes more deeply embedded and operational control is distributed, who ultimately owns the compliance risk? Key Findings Clearhaus is now openly marketing a PayFac model in which licensed platforms handle sub-merchant onboarding, KYC/AML, ongoing monitoring, and first-line fraud/chargeback handling, while Clearhaus provides the underlying acquiring rails. Clearhaus is a Danish payment institution licensed by the Danish FSA, with pan-European passporting, and is a principal member of Visa and Mastercard. Its own site says it reached 42,000 customers in January 2026. Clearhaus has been part of Unzer since the 2021 acquisition of Clearhaus and QuickPay, a deal Unzer framed as making the group a “fully integrated payment service provider.” Unzer currently presents itself as serving more than 85,000 merchants across Europe with around 750 employees in eight offices. FinTelegram has previously reported critically on Unzer’s financial turbulence, BaFin scrutiny, and AML-related deficiencies. Unzer later announced that BaFin had ended the special monitorship and fully lifted the onboarding ban at Unzer E-Com in October 2024. Report The press release sent to FinTelegram is more than a product announcement. It signals a structural step in the Nordic and wider European acquiring market: Clearhaus is moving beyond classic merchant acquiring and into a PayFac architecture designed for regulated platforms, marketplaces, SaaS providers, and other embedded-finance operators. According to Clearhaus’s own PayFac materials, the model is aimed at licensed entities such as financial institutions or EMIs that want to integrate acquiring directly into their own products. In this setup, the platform controls the merchant lifecycle, including onboarding and compliance, while Clearhaus provides the licensed acquiring infrastructure in the background. Clearhaus also says the model supports Visa and Mastercard acceptance, recurring payments, merchant-level reporting, automated settlement and reconciliation, configurable payouts, and connectivity to more than 30 payment gateways. That is commercially significant. Embedded payments has been one of the dominant trends in European fintech, and the PayFac model is attractive because it shortens merchant onboarding, keeps the platform at the center of the customer relationship, and avoids forcing every sub-merchant into a separate acquiring contract. Clearhaus explicitly says sub-merchants can be onboarded under the PayFac’s own processes and receive their own MIDs without separate acquiring agreements. From a compliance perspective, however, the most important line in the Clearhaus materials is not the commercial one but the risk allocation: the PayFac takes on full compliance responsibility for KYC, AML, risk assessment, ongoing monitoring, and first-line fraud and chargeback handling. Clearhaus remains the licensed acquirer, but the operational compliance burden shifts materially toward the platform layer. That distinction matters. In theory, the model creates a clean separation of roles. In practice, it can also create a layered-risk environment in which acquiring, onboarding, platform governance, and merchant behavior are spread across multiple actors. In FinTelegram’s compliance view, such models can be efficient and legitimate, but they also demand unusually strong control frameworks, especially where platforms touch sectors with elevated AML, fraud, sanctions, or consumer-protection risk. Clearhaus: Not A Newcomer, But A Growing Acquiring Infrastructure Player Clearhaus is not an unknown startup improvising its way into PayFac. It says it is authorised by the Danish Financial Supervisory Authority, passported across Europe, and a principal member of both Visa and Mastercard. Its corporate timeline states that it onboarded its first customer in 2015, was acquired by Unzer in 2021, announced POS acquiring in May 2025, and hit 42,000 customers in January 2026. The company has also widened its scope beyond pure e-commerce acquiring. In February 2026, Clearhaus announced expansion into physical-store payments in Denmark, and in 2025 it framed this as part of a broader “Unified Commerce” strategy under Unzer. This makes the PayFac launch look less like a one-off feature and more like part of a broader build-out: online acquiring, in-store acceptance, and now embedded platform acquiring. The Unzer Context: Growth, Integration, And A Troubled Regulatory Backstory FinTelegram has covered Unzer critically before, and that context should not be ignored when assessing any new group-level strategic rollout. Unzer acquired Clearhaus and QuickPay in early 2021, saying the transaction would make the group a fully integrated PSP. Later that year, Robert Bueninck became CEO as Unzer pushed to integrate multiple acquisitions and scale its European footprint. But the growth story was followed by regulatory and financial stress. FinTelegram’s prior coverage highlighted Unzer’s severe 2022 losses, restructuring pressure, and earlier regulatory scrutiny. The Unzer tag page on FinTelegram also points readers to reporting on BaFin action in 2022 and more recent reporting tied to the broader “Operation Chargeback” environment. On the regulatory side, Unzer itself acknowledged in August 2022 that BaFin had completed a special audit of Unzer E-Com GmbH, identified findings particularly in onboarding and AML processes for the period examined, imposed a temporary pause on new customer acceptance at that subsidiary, and appointed a special commissioner. Unzer later said that, as of October 2024, BaFin had ended the special monitorship and fully lifted the onboarding ban at Unzer E-Com. That later remediation is relevant and should be noted fairly. But so is the earlier fact pattern: Unzer’s controls were serious enough to trigger special supervisory intervention. For FinTelegram readers, that means new strategic products launched within the group deserve not just commercial attention, but close scrutiny around governance, merchant acceptance standards, and effective risk oversight. Why The PayFac Model Deserves Careful Monitoring The PayFac model is not inherently problematic. It can improve onboarding speed, simplify merchant operations, and create better payment integration for legitimate businesses. But it also concentrates power at the platform layer. The key compliance question is straightforward: how strong are the controls of the licensed PayFac that stands between the merchants and the acquiring rails? If a platform is doing the onboarding and first-line compliance, then the quality of its KYB/KYC, merchant due diligence, ongoing monitoring, fraud handling, and escalation protocols becomes decisive. That is especially true in sectors where platform operators may be commercially incentivised to maximize merchant growth while the underlying acquirer is structurally one step removed from day-to-day merchant contact. In other words, embedded finance can reduce friction for legitimate commerce — but it can also reduce friction for problematic merchant activity if governance is weak. That is why FinTelegram generally views PayFac structures as compliance-sensitive infrastructure, not just product innovation. FinTelegram Assessment Clearhaus’s new PayFac offer is commercially logical and strategically consistent with Unzer’s broader “unified commerce” push. Clearhaus appears to bring real acquiring infrastructure, regulatory standing in Denmark, and scale across Europe. However, because Clearhaus is part of Unzer, the launch cannot be viewed in isolation from the group’s recent history. Unzer has already shown how quickly growth, integration pressure, onboarding, and AML governance can become regulatory flashpoints. Even if major remediation has since taken place, the lesson remains valid: payment infrastructure groups do not get judged only by product innovation, but by the resilience of their controls. For regulators, partners, and merchants, the Clearhaus PayFac rollout should therefore be watched through two lenses at once: commercial innovation on one side, compliance execution on the other. Whistleblowers, platform insiders, merchants, and compliance professionals with information about Clearhaus, Unzer, or PayFac onboarding practices are invited to contact FinTelegram via Whistle42. Share Information via Whistle42

Pagorapido is a card‑payment brand embedded in the Bulgarian Hydra Group’s RagazzeInVendita (RIV) adult‑content ecosystem. It appears to function as an in‑house merchant‑of‑record/payment vehicle rather than a transparent, independently regulated PSP. Its public website shows strong signs of being a placeholder or façade, while the underlying legal entity in Spain has an irregular registry status, raising significant red flags for compliance teams. Key findings Pagorapido is used as merchant of record and billing descriptor (“PAGORAPIDO”) for credit/debit card payments on RagazzeInVendita.com (RIV). RIV’s checkout explicitly states that payments are “securely processed by Pagorapido,” and the descriptor PAGORAPIDO appears on card statements. RIV / “I Love RIV” terms refer to Pagorapido SA as the processor of card payments for ragazzeinvendita.com and related services. The site pagorapido.com shows a footer: “Property of Hydra Group – Copyright © Pago Rapido”, directly linking the Pagorapido brand to Hydra Group, the operator of RIV. Spanish corporate records identify Pagorapido SA (A76360437), incorporated in Las Palmas (Canary Islands) in 2019, with a broad corporate purpose including telematic services and financial intermediation. Directors and apparent controllers include Roberto Maggio (president), Cristian Orto, Vincenzo Orto, and Vanessa Patitucci, who are also connected to other Hydra‑related entities. Registry entries indicate that Pagorapido SA’s company sheet has been provisionally closed/removed from the index, suggesting an inactive or irregular status since 2023. The public website uses “Lorem ipsum” placeholder text (e.g., on the Portfolio page) and vague marketing slogans, with no licence details, no clear corporate disclosures, and non‑functional or empty social‑media links. No payment‑institution or e‑money licence numbers or supervising authorities are disclosed, despite claims of processing payments for many companies, including high‑risk adult merchants. Overall, Pagorapido combines group‑internal control, registry irregularities, high‑risk merchant exposure and a façade‑like website, making it a high‑risk counterparty from an AML/CFT and fraud‑prevention perspective. Compliance analysis and conclusion From a compliance angle, Pagorapido appears to be a group‑internal card and possibly crypto gateway for Hydra Group’s RIV adult platforms, rather than a properly branded, independently supervised PSP. The same controlling group seems to own the merchant (RIV) and the processor (Pagorapido), which concentrates risk and undermines arm’s‑length checks and balances. The irregular Spanish registry status of Pagorapido SA, combined with continued commercial use of the Pagorapido brand, raises concerns that card flows may be routed through an entity that is no longer in good standing or may be using alternative structures that are not transparently disclosed. The absence of clear licensing information, meaningful website content, and transparent ownership/contacts is inconsistent with good practice for EU‑regulated payment institutions. For financial institutions, card schemes, and PSPs, this constellation justifies high‑risk classification, enhanced due diligence, and careful review of any direct or indirect exposure (including merchants that route card traffic through Pagorapido for adult or other high‑risk verticals). Onboarding or maintaining relationships without additional clarity on licensing, corporate status and true transactional flows would be difficult to justify under a risk‑based AML/CFT framework. Summary table FieldDataBrand / trading namePagorapido / Pago RapidoMain domain(s)pagorapido.comKey role in payment chainMerchant of record / card gateway for RagazzeInVendita (RIV)Legal entity (claimed/linked)Pagorapido SA (Spain)Registered jurisdictionLas Palmas, Canary Islands, Spain (company sheet provisionally closed)Group / ownershipHydra Group (website footer); directors incl. Roberto Maggio, Cristian Orto, Vincenzo Orto, Vanessa PatitucciMain business verticalsAdult webcam and content (RIV network); possibly other high‑risk online merchantsClaimed regulatory statusMarkets itself as “certified” / PCI‑compliant; no public PI/EMI licence details disclosedKnown partners / platformsRagazzeInVendita.com (RIV) and affiliated RIV Network sitesKey red flagsIn‑house MoR for adult content; irregular registry status; façade‑like website; opaque licensing Call to whistleblowers and affected customers FinTelegram is collecting additional intelligence on Pagorapido, Hydra Group, and the wider RIV payment setup. Current and former employees, contractors, processors, banks, and merchants—as well as customers who paid via Pagorapido—are invited to share contracts, internal documents, payment confirmations, chargeback evidence, and technical details about the payment flows. If you have relevant information, please file a report via our secure whistleblower platform Whistle42, where submissions can be made confidentially and, if desired, anonymously to support ongoing investigations. Share Information via Whistle42

FinTelegram’s latest compliance investigation reveals how YowPay, a Luxembourg-based payment orchestration layer, facilitates high-risk transactions for the Italian adult platform RagazzeInVendita. Our analysis traces a complex cross-border rail involving Bulgarian operators and German banking infrastructure, raising significant questions about KYC transparency and regulatory oversight in the A2A payment sector. Key Findings High-Risk Facilitation: YowPay is actively providing the payment gateway for RagazzeInVendita (RIV), an Italian live cam and adult chat platform. Merchant Identified: The investigation confirms HYDRA GROUP EOOD, registered in Sofia, Bulgaria, as the operator and payment agent for RIV. German Banking Rail: Payments are routed through a SEPA Instant rail to a Banking Circle S.A. account in Munich, Germany (IBAN: DE39 2022 0800 0059 2403 75). Regulatory Arbitrage: YowPay operates as a “Technical Service Provider” in Luxembourg, offloading regulatory responsibility to partners like LinkCy and Paynovate, creating layers between the merchant and the regulator. Owner Background: Founder Christian Caumont has a long-standing history in high-risk tech ventures, including the .cam TLD registry. Compliance Analysis The Platform: RagazzeInVendita (RIV) RagazzeInVendita (RIV) is a prominent Italian digital marketplace for adult entertainment, specializing in live cam performances and private adult chats. While the site presents itself as an Italian consumer-facing platform, its financial operations are entirely offshore. The site explicitly lists HYDRA GROUP EOOD as its payment agent, creating a legal separation between the content delivery and the flow of funds. The YowPay Architecture YowPay positions itself as an “orchestration layer” for SEPA Instant and Open Banking. In the case of RIV, YowPay provides the customer-facing interface that generates EPC QR codes or triggers Account-to-Account (A2A) transfers. From a compliance perspective, this “Software-as-a-Service” (SaaS) model is often used to facilitate high-risk verticals (Adult, Gaming, Crypto) that struggle to maintain traditional Visa/Mastercard merchant accounts due to high chargeback rates and strict “Adult Content” policies. By utilizing SEPA Instant, YowPay and its merchants bypass the card schemes’ monitoring systems entirely. Risk Indicators & “Layering” The payment flow identified is a classic example of cross-border complexity: Consumer (Italy) pays for adult content. YowPay (Luxembourg) provides the technical gateway. Banking Circle (Germany) hosts the beneficiary account. Hydra Group EOOD (Bulgaria) receives the funds. This geographic fragmentation makes AML (Anti-Money Laundering) monitoring and UBO (Ultimate Beneficial Owner) verification significantly more difficult for any single national regulator. Furthermore, YowPay’s reliance on LinkCy (France) and Paynovate (Belgium) for its “regulatory backbone” means that YowPay itself is not directly supervised as a financial institution, despite being the primary point of contact for high-risk merchants. YowPay Data Summary Data PointDetailsTrading NameYowPayDomainwww.yowpay.comLegal EntityYowPay Luxembourg S.à r.l.Registered Address33 Avenue de la Liberté, L-1931 LuxembourgKey PersonnelChristian Caumont (Founder & CEO)Business ModelSEPA/Open Banking Orchestration (High-Risk Verticals)Regulatory StatusTechnical Service Provider (Unlicensed)Regulated PartnersLinkCy SAS (France), Paynovate SA/NV (Belgium)Associated MerchantHYDRA GROUP EOOD (Bulgaria)Banking PartnerBanking Circle S.A. (Germany Branch) Whistleblower Information Request FinTelegram is committed to bringing transparency to the high-risk payment ecosystem. We are looking for more information on YowPay, its relationship with HYDRA GROUP EOOD, and other high-risk merchants currently utilizing their SEPA rails. If you have information regarding YowPay’s internal compliance procedures, fee structures, or hidden beneficial owners, please contact us via our whistleblower platform, Whistle42. Share Information via Whistle42

The French Supreme Court (Cour de Cassation) has just recently firmly established the liability of payment processors like WorldPay and Seroph Holding (AlgoCharge) for facilitating unauthorized binary options schemes. As restitution payouts loom, this critical ruling sets a formidable due diligence standard that could ripple across the EU, offering renewed hope for victims pursuing institutional giants like ING‘s Payvision. Key Findings Joint and Several Liability: The French Cour de Cassation confirmed that primary payment service providers (WorldPay) and their intermediaries (Seroph Holding BV) are jointly liable for victim losses when they fail in their statutory duty of vigilance. Ignorance is Not a Defense: Processing payments to entities on a financial regulator’s blacklist (like the French AMF) constitutes an “apparent anomaly.” Payment processors cannot claim ignorance of the unregulated nature of the merchants they serve. Jurisdiction in Cyber-Torts: The Court provided crucial clarification on the “location of financial loss” under the Brussels I Regulation, affirming that victims solicited in their home country can sue foreign payment processors under local law for torts and quasi-delicts. EU-Wide Ripple Effect: The stringent duty of care established by the French courts provides a powerful legal framework that could significantly bolster cross-border recovery actions, such as EFRI’s multi-million-euro claim against ING’s Payvision in the Netherlands. Analysis of the French Case: WorldPay, AlgoCharge, and Seroph Holding For years, unregulated binary options and Forex platforms (such as 50 Option, Triompheoption, and Finch Markets) wreaked havoc on European retail investors. The financial plumbing that enabled these scams relied heavily on licensed payment processors. In the case reviewed by the Cour de Cassation, French victims wired funds to bank accounts legally held by the UK-based WorldPay AP Ltd. However, WorldPay had leased or made these accounts available to a Dutch entity named Seroph Holding BV via a “Payment Processing Agreement.” Seroph Holding BV is the corporate entity that operated as the high-risk payment processor AlgoCharge. The Paris Court of Appeal (in 2022) and the subsequent review by the Cour de Cassation found severe compliance failures. Seroph Holding operated without the proper authorization to act as a payment service provider. Furthermore, the funds were being funneled to brokerage brands explicitly blacklisted by the French Autorité des Marchés Financiers (AMF). The courts ruled that WorldPay violated its general obligations of vigilance by failing to verify Seroph’s regulatory status and by ignoring the glaring red flags of processing transactions for blacklisted entities. Jurisdiction and the “Location of Financial Loss” (Quasi-Delicts) A major legal battleground in this case was jurisdiction. WorldPay, a UK entity, argued that French law should not apply and that French courts lacked jurisdiction because the victims voluntarily wired money from their local accounts to foreign-held accounts. In its statements regarding the “location of financial loss and the applicable law in matters related to torts or quasi-delicts”, the Cour de Cassation had to interpret Article 5(3) of the Brussels I Regulation. The Court noted that purely financial damage affecting a local bank account is not, on its own, a sufficient connecting factor if the victim voluntarily transferred the funds. However, the Court determined that the harmful event was not just the bank transfer, but the entire fraudulent solicitation mechanism. Because the unregulated brokers actively targeted and solicited the victim while he was residing in France, the tortious act was sufficiently connected to French territory. This allowed the courts to apply French consumer protection and civil liability laws against the foreign payment processors who facilitated the scam. Hypothesis: Implications for EU Jurisdictions and EFRI vs. Payvision Hypothesis: The Cour de Cassation’s ruling establishes a “Strict Vigilance” standard that bridges the gap between AML/KYC regulatory fines and direct civil liability to victims. This precedent will likely serve as a blueprint for courts in other EU member states, severely weakening the traditional defense used by payment processors that they are merely “neutral technological conduits.” This is highly relevant to the ongoing legal action initiated by the European Funds Recovery Initiative (EFRI) against the Dutch payment processor Payvision and its parent company, ING Bank. EFRI has compiled evidence that Payvision processed an estimated €131 million for massive binary options boiler rooms operated by convicted cybercriminals Uwe Lenhoff and Gal Barak (e.g., Option888, XTraderFX). Like WorldPay, Payvision allegedly provided the vital financial infrastructure for unregulated, offshore shell companies to siphon money from European consumers. If the standards established by the French courts are mirrored in Dutch or German legal systems, Payvision’s defense will face a severe stress test. The French standard dictates that failing to identify that a sub-merchant lacks a required financial license—or ignoring regulatory warnings—is a direct breach of a processor’s duty of care. Because EU consumer protection and financial directives (like PSD2 and AMLD5) are largely harmonized, it is highly probable that Dutch courts will view Payvision’s alleged failure to conduct basic due diligence on Lenhoff and Barak’s operations as a similar “quasi-delict.” Consequently, ING/Payvision could find themselves jointly liable to compensate the victims of the boiler rooms, just as WorldPay and Seroph have been ordered to do in France. Call to Action The walls are closing in on the payment processors that turned a blind eye to the binary options and Forex fraud epidemic. If you are an industry insider, a former employee of a payment service provider, or a professional with knowledge of how AML, KYC, and due diligence checks were bypassed to onboard fraudulent merchants, your information is vital. Help us hold the enablers accountable. Please share your insights and internal documents securely and anonymously via our whistleblower platform, Whistle42. Share Information via Whistle42

Unlicensed offshore casinos increasingly hide behind Cyprus‑based “payment agents” that sit between players, dubious Anjouan or Curacao operators, and EU‑regulated banks and fintechs. Super Spin and Rolly Spin, allegedly run by Comentive LTD in Belize under a low‑credibility Anjouan license, explicitly use Norvelic Limited in Cyprus — fronted by nominee director Georgia Chrysostomou — as their EU payment agent, exemplifying a structurally high‑risk model that tests the limits of PSD2 and EU AML rules. Key findings Offshore casinos like Super Spin and Rolly Spin use Norvelic Limited, HE 475930, Nicosia as a Cyprus “payment agent” for Comentive LTD, their Belize/Anjouan operator. Cypriot law firms openly market Cyprus Payment Processing Agent Companies (CPPAC) as an unlicensed bridge between offshore gaming operators and EU banks / PSPs, exploiting group‑exemption rules under PSD2. These agents are deliberately inserted as a layer in the payment rails, so that EU financial institutions contract with an EU company instead of directly with the offshore casino operator. Where the Cyprus payment agent is a wholly‑owned group entity that “only” processes the parent’s player funds, providers argue it falls outside PSD2 licensing but it still falls squarely under EU and Cypriot AML/CTF obligations. If the underlying casino targets markets where it operates illegally (for example without local licenses), the Cyprus payment agent and its (nominee) directors risk facilitating illegal gambling and money laundering under both Cypriot and other EU laws. Nominee directors like Georgia Chrysostomou, who sign for these payment agents, can face personal exposure if they know or should know that the entity processes funds for illegal casinos and misleads EU banks or EMIs about the true business. Compliance analysis Why offshore + Cyprus payment agent structures? Cyprus Payment Processing Agent structures are marketed as a way for offshore‑licensed casinos to obtain EU‑recognised banking, merchant accounts and PSP integrations that they could not secure directly. Banks and fintechs (including card acquirers and firms like Revolut) often refuse to board a Belize or Anjouan casino, but will onboard an EU company with a clean registry record and a generic “payment services / IT” business description. Law‑firm marketing explicitly describes the architecture: Offshore operator (e.g. Comentive LTD, Belize/Anjouan) runs the casino and holds the cheap license. Cyprus PPA/CPPAC (e.g. Norvelic Ltd) is incorporated as a wholly‑owned subsidiary that handles all player payments and settlements within the EU. The Cyprus company contracts with EU banks and PSPs and invoices the offshore casino for “payment processing” or “management” fees. This PPA layer is therefore deliberately inserted into the rails between the offshore casino and payment institutions, both to reduce risk perception and to exploit a regulatory niche in PSD2. Cyprus compliance when the payment agent is “in‑group” Cyprus advisors invoke Article 3(3)(n) of the EU Payment Services Directive (PSD2) and its local transposition, which exempt intragroup payment services (between a parent and its subsidiaries) from PSP licensing. On that basis, a Cyprus payment agent that processes only its own group’s gambling revenues may legitimately argue that it does not need a payment‑institution license from the Central Bank of Cyprus. However: Even if PSD2 licensing is not required, such entities must still comply with Cypriot and EU AML/CTF rules and satisfy stringent KYC/AML expectations of their banks and EMIs. Supervisory commentary stresses that gambling‑related businesses are high‑risk and must implement robust customer due diligence, transaction monitoring and suspicious‑activity reporting to MOKAS (Cyprus FIU).​ Where the sole function of the Cyprus company is to collect EU player funds for an offshore casino that lacks authorization in target markets, the structure moves from a legitimate efficiency tool into a facilitation mechanism for potentially illegal gambling and ML/TF risk. EU‑wide implications of Cypriot agents for illegal casinos If Cypriot payment agents like Norvelic facilitate casinos that are unlicensed and therefore illegal in certain EU jurisdictions, they and their banking partners risk: Constructively participating in illegal gambling payments, similar to the “payment‑blocking” logic used by German regulators under GlüStV 2021. Breaching the high‑risk third‑country and high‑risk sector obligations under the EU AMLD framework, including enhanced due diligence. Exposure to cross‑border enforcement, civil refunds and criminal investigations where players’ home states treat such offers as illegal and recoverable. The use of nominee directors and generic service‑provider addresses does not shield the structure from EU law; rather, it is an additional red flag for willful risk obfuscation in the payment chain. Responsibility of nominee directors Nominee directors such as Georgia Chrysostomou, who front Norvelic Limited and many similar entities, cannot rely indefinitely on formalistic “nominee” labels: Under Cypriot company and AML law, directors owe duties of oversight, honesty and proper corporate governance; knowingly signing for a payment agent that processes funds for unlicensed or illegal casinos may constitute facilitation of criminal offenses or money‑laundering. If they participate in onboarding, bank representations or KYC documentation that mischaracterize the business (e.g. omitting the gambling profile or illegal target markets), they risk personal civil and criminal liability, including aiding and abetting fraud, ML, and regulatory breaches. The more these directors appear across chains of high‑risk payment agents and gaming structures, the weaker any argument becomes that they are “unaware” of the underlying business model. Summary compliance hypothesis Cyprus‑based payment agents like Norvelic Limited are central to an intentional regulatory‑arbitrage strategy: offshore casino operators obtain cheap, weak licenses (e.g. Anjouan), then bolt on a Cyprus payment layer marketed by local law firms as PSD2‑exempt intragroup processing, while in practice using it to secure EU banking access and conceal the true nature and illegality of their gambling offers in key markets. From a compliance perspective, these structures should be treated as high‑risk conduits whose directors and counterparties carry direct AML and illegal‑gambling exposure across the EU. Call to whistleblowers and players FinTelegram is expanding its Rail Atlas mapping of Cypriot payment agents, nominee directors and offshore casino structures such as Comentive LTD, Norvelic Limited, Super Spin and Rolly Spin. Players, current and former employees of Cypriot law firms, corporate‑service providers, banks, EMIs and payment agents who have knowledge of these arrangements — including onboarding files, contracts, bank representations and internal risk assessments — are invited to provide information via our Whistle42 platform. All submissions are processed confidentially and can help regulators and courts dismantle high‑risk payment chains that expose EU consumers to illegal gambling and financial harm. Share Information via Whistle42

The criminal case against former AirSoft CEO Shay Benhamou before the Bamberg Regional Court is not just another legacy binary-options story. It goes to the heart of a far bigger compliance question: when does a white-label software provider stop being a neutral technology vendor and become a knowing enabler of cyber-enabled investment fraud? German prosecutors appear determined to test exactly that boundary. Key Findings German prosecutors have brought four counts of commercial and organized fraud against former AirSoft CEO Shay Benhamou in Bamberg, with alleged investor losses exceeding €94 million. OCCRP reports that prosecutors allege AirSoft’s brokerage software was “central to the fraud,” that the company shared in scam revenues, and that AirSoft employees were operationally involved in some cases. FinTelegram had already warned in its August 24, 2022 report that AirSoft was a venture of interest for German law enforcement and was repeatedly linked to scam-facilitating activities. The AirSoft case fits a broader enforcement pattern in which prosecutors increasingly target the technical infrastructure behind broker scams, not just the visible scam brands and boiler rooms. The same legal logic is relevant beyond broker fraud. In white-label casino and gaming structures, providers often control the licence umbrella, payment stack, and compliance framework, making “we only provide technology” an increasingly weak defense. Report A Case That Goes Beyond One Former CEO The proceedings against former AirSoft CEO Shay Benhamou before the Bamberg Regional Court are significant because they target not merely a scam brand or a boiler-room operator, but the software layer behind fraudulent broker operations. According to OCCRP, opening arguments began on March 2, 2026, and the indictment covers Benhamou’s work as CEO of Israel-based AirSoft from March 2015 until at least the end of June 2021. Prosecutors accuse him of four counts of commercial and organized fraud and allege investor damage of more than €94 million. This is what makes the case strategically important. It addresses a core question that has accompanied the binary-options and CFD fraud industry for years: can the provider of a white-label brokerage platform be held responsible when its software is used not for legitimate trading, but as the operational backbone of industrialized investor fraud? FinTelegram Had Raised Red Flags In 2022 FinTelegram identified AirSoft as a high-risk white-label broker-platform provider long before the current German proceedings reached trial. In its August 24, 2022 report, FinTelegram described AirSoft as a venture of interest for German law enforcement because of alleged scam-facilitating activities. It also noted that the company repeatedly surfaced in connection with broker scams and identified Shay Benhamou as the company’s longtime CEO. That early reporting now looks prescient. The present criminal case strongly suggests that German authorities did not view AirSoft as a peripheral vendor, but as part of the infrastructure that enabled multiple fraudulent broker operations to scale across jurisdictions. This tracks with what FinTelegram has argued for years: in cyber-enabled investment fraud, the visible broker brand is often only the storefront. The real continuity and control often sit deeper in the stack — with the software providers, CRM operators, payment facilitators, and other infrastructure enablers. The Legal Fault Line: Neutral Vendor Or Knowing Enabler? The defense position, as reported by OCCRP, is that the case raises a fundamental legal question about when a software provider may be held criminally liable for the misuse of its product by third parties. In abstract terms, that is a legitimate question. A generic technology provider cannot automatically be responsible for every illegal use of its product. But the issue in AirSoft is not abstract. OCCRP reports that prosecutors allege Benhamou “knowingly and willingly” provided a brokerage “all-in-one solution” that was “central to the fraud” carried out by criminal groups in multiple countries. They also allege that AirSoft took a share of scam revenues and that, in some cases, AirSoft employees had to be operationally involved and in fact were involved. That changes the legal picture materially. A provider ceases to look like a neutral software vendor when several indicators appear together: knowledge of criminal use, repeated servicing of obviously fraudulent operators, operational support, continuing access to the environment, customization of the platform, and direct participation in the revenues generated by the fraud. Once those elements are present, the software company begins to look less like a supplier and more like an infrastructure partner in the offense. Why The Software Was Central To The Fraud In broker scams, the software is not a passive technical accessory. It is the very interface through which deception is staged. The fake trading platform displays manipulated balances, simulated trades, artificial profits, and fabricated account histories that make the victim believe a legitimate investment process is taking place. Without that digital front end, the boiler-room pitch would lose much of its persuasive power. According to OCCRP, the AirSoft software was allegedly used across multiple fraudulent brands, including Huludox, Fibonetix, Nobeltrade, Tradecapital, and Forbslab. Those brands were reportedly part of a wider network whose leaders were convicted by the Bamberg court in 2025 for scam operations run through call centers in countries including Bulgaria, Serbia, Ukraine, Georgia, Israel, and Kosovo. That is why the software-provider question matters so much. If the platform was not merely sold once and forgotten, but remained embedded in the operational model of known scam brands, then liability analysis must look at the real function of the provider in the fraud chain. The law should assess substance over formal labels. A Wider Enforcement Pattern Is Emerging The AirSoft case is not isolated. It is part of a wider prosecutorial trend in which the infrastructure layer of online investment fraud is coming under direct criminal scrutiny. OCCRP notes that the Bamberg Regional Court had already heard another 2026 case involving software provider Mikheil Biniashvili and the Puma TS trading system. In that case, prosecutors said the software was deployed by hundreds of scam brands, and Biniashvili received a seven-and-a-half-year prison sentence in a plea deal after being found to have knowingly profited from fraudulent operations. This is a major development. For years, enforcement focused primarily on boiler-room managers, visible broker brands, and front-facing fraud actors. Increasingly, however, prosecutors are moving upstream toward the technical layer that made these scams scalable: software providers, platform operators, and back-office enablers. The evolution of the German-led investigations supports that view. Eurojust said in 2023 that a coordinated action against a fraudulent online investment platform had already identified at least 33,000 victims and estimated losses of €89 million, with arrests and searches across Bulgaria, Romania, and Israel. The message is clear: authorities are no longer satisfied with dismantling the visible fraud brands while leaving the infrastructure providers untouched. The Tradologic Comparison Matters The AirSoft proceedings also invite comparison with Tradologic, another major software provider in the broker-scam ecosystem. EFRI reports that on September 8, 2023, Tradologic co-owner Ilan Tzorya. received an eight-year prison sentence and former CEO Micha Golod received six years, while noting that both verdicts are under appeal and therefore not yet final. Even though those judgments are not final, they underline an important point: European prosecutors and courts are increasingly prepared to examine whether the provider of the software environment for fraudulent broker schemes was knowingly embedded in the criminal model. The legal theory is not radical. It reflects the practical reality of how cyber-enabled investment fraud worked for years: the software was not neutral infrastructure floating in a vacuum; it was often the organized, monetized backbone of the deception. Insider Evidence And Whistleblower Material Are Crucial FinTelegram has for years received insider and whistleblower information suggesting that major broker-platform providers such as AirSoft, PandaTS, Puma TS, and Tradologic were not blind to the nature of many of their clients. On the contrary, the information received indicates that these providers often had detailed visibility into their clients’ operations and in some cases supported them with additional services, including payment integrations and technical support that went beyond ordinary software licensing. This aspect is especially important from a legal standpoint. Knowledge is rarely proven by one email or one public statement. It is often inferred from patterns: repeated servicing of notorious scam brands, continuous back-office support, privileged technical access, revenue participation, and the absence of any meaningful compliance off-ramp despite obvious red flags. The more integrated the provider is into the client’s operations, the harder it becomes to sustain a plausible-deniability defense. That is precisely why insider evidence can become decisive in cases like Bamberg. The Relevance Beyond Binary Options: White-Label Casino And Gaming Hubs The implications of the AirSoft case go beyond the legacy broker-fraud sector. The same structural issues arise in white-label online gambling and casino models. SOFTSWISS itself explains that in a white-label structure, the operator launches the brand under the provider’s existing licence and integrated platform, while “the legal accountability lies with the licence holder – the platform provider.” It also states that white-label systems typically include integrated payment methods, KYC/AML tools, CRM features, technical maintenance, hosting, and compliance monitoring. That matters because it shows how deeply the platform provider sits inside the operational model. A provider that supplies the licence umbrella, payment stack, compliance framework, and core backend cannot easily present itself as a detached software vendor. Its entire value proposition is built on integration and control. SOFTSWISS also notes that local licensing regimes in markets such as Germany, the UK, Sweden, and the Netherlands do not permit this kind of white-label arrangement, and that the provider’s licence defines where the platform may and may not operate. This is where the comparison with illegal or unlicensed gambling becomes legally relevant. If a white-label gaming hub knowingly provides its infrastructure to operators targeting restricted jurisdictions, processes payments through centralized stacks, and remains responsible for compliance monitoring under its licence umbrella, then the old formula — “we are only the technology provider” — becomes increasingly untenable. The front end may be different from a broker scam, but the liability logic is strikingly similar: knowledge, control, operational involvement, and economic participation. Where Hub Liability Should Begin The real question raised by the AirSoft case is not whether software developers should be criminalized for building technology. They should not. The real question is where legal responsibility begins when a provider knowingly services fraudulent or unlawful operators through an integrated white-label hub. In practical compliance terms, that boundary should be examined through a number of indicators: whether the provider knew or must have known of the unlawful business model; whether it continued servicing the client despite obvious red flags; whether it retained privileged operational access; whether it integrated or controlled payments, CRM tools, and other mission-critical systems; and whether it shared in the revenues generated by the unlawful conduct. Where those indicators are present, responsibility does not end with the licensing agreement or software contract. At that point, the provider becomes part of the enabling infrastructure. That is why the Bamberg proceedings deserve close attention well beyond the legacy binary-options field. Conclusion The Shay Benhamou case may become a landmark in the legal treatment of cybercrime infrastructure. It tests whether those who built, operated, and profited from the platforms behind fraudulent broker brands can still hide behind the claim that they merely supplied neutral technology. German prosecutors appear to be arguing that AirSoft crossed that line. If the court agrees, the implications will extend far beyond AirSoft — to PandaTS, Puma TS, Tradologic, and to white-label hub models in adjacent sectors such as online gambling. For FinTelegram readers, the lesson is straightforward: the visible scam brand is often only the surface. The real leverage points sit deeper in the stack — in the software providers, payment hubs, and compliance umbrellas that make fraud and illegal cross-border operations scalable. The age of plausible deniability for these infrastructure operators may be coming to an end. Call for Whistleblowers FinTelegram continues to investigate the software, payment, and white-label infrastructure behind broker scams and illegal gambling operations. If you have information about AirSoft, Shay Benhamou, PandaTS, Puma TS, Tradologic, white-label casino hubs, integrated payment stacks, or licence-umbrella structures used for unlawful cross-border operations, share it securely through Whistle42. Share Information via Whistle42

FinTelegram has reviewed an email chain from a player alleging delayed withdrawals, repeated stalling, blocked live-chat access, and unresolved account-closure issues involving Super Spin and sister brand Rolly Spin. The complaint identifies Belize-registered Comentive Ltd as operator and points to a Cyprus payment-agent structure disclosed on the casino side, raising wider compliance questions around offshore gambling operations, consumer harm, and payment facilitation. Key Findings A player complaint reviewed by FinTelegram alleges that Super Spin delayed a £1,500 withdrawal for an extended period despite prior successful withdrawals and completed KYC. The same source alleges that support first cited technical issues or review processes, then became non-responsive while live chat repeatedly promised resolution “asap.” The complaint identifies Comentive Ltd as the Belize operator behind Super Spin and Rolly Spin and states that Norvelic Limited in Cyprus acts as payment agent. The player names Revolut, Mercuryo, Gwaypayment, Rillpay, and “Krypotonim” as payment channels or processors allegedly connected to the casino flows. FinTelegram treats these as allegations requiring clarification. The complaint also raises potential responsible-gambling and consumer-protection concerns, alleging that Rolly Spin failed to close an account despite repeated requests. A Player Complaint That Fits a Familiar Pattern According to the emails reviewed by FinTelegram, the player says she joined Super Spin, deposited funds, passed KYC, and won just over £20,000 without using a bonus. She says the casino’s published withdrawal limits were £1,500 a day, £4,000 a week, and £12,000 a month, but that she was only able to withdraw £4,000 over several weeks and had to fight repeated delays and excuses even for those payments. She further alleges that one £1,500 withdrawal remained outstanding well beyond the stated timelines, while support first cited technical issues and later stopped responding. In later emails, she says there were multiple outstanding withdrawals and that live chat repeatedly told her the matter would be resolved “asap” before allegedly blocking her again. That pattern matters. In many offshore casino disputes, the real friction begins not when players deposit, but when they try to cash out. Super Spin, Rolly Spin, Comentive Ltd, and the Payment-Agent Structure The complaint identifies Comentive Ltd as the operator behind Super Spin and links the same company to Rolly Spin. The reviewed material describes Super Spin as operated by Comentive Ltd, a Belize company, while Norvelic Limited, registered in Nicosia, Cyprus, is described as acting as a payment agent for Comentive Ltd. That disclosure is important. Offshore casinos often rely on European payment-side structures, agents, intermediaries, or merchant-routing arrangements to maintain access to payment rails even when the gambling operation itself sits outside major regulated jurisdictions. In this case, the player complaint places a Belize operator, an offshore licensing presentation, and a Cyprus payment-agent layer into the same picture. The existence of such a structure does not in itself prove unlawful conduct by every named entity. But it clearly raises questions that deserve answers. The Payment-Rail Questions In her messages to FinTelegram, the player names Revolut, Mercuryo, Gwaypayment, and Rillpay, as payment channels or processors she believes were involved in deposits or withdrawals connected to Super Spin. She also alleges that deposits were miscoded and routed to unrelated merchants. FinTelegram treats those statements as player allegations requiring documentation and response, not as established fact. RollySpin cashier with UTRG and ChainValley (previously UTRG) for fake FIAT deposits via Skrill and Neteller In our review of RollySpin in the context of this complaint, we once again identified UTRG and its Polish successor scheme, ChainValley (https://app.chainvalley.pro), as facilitators of FAKE FIAT transactions via Skrill and Neteller via the anonymously operated payment gateway app.gwaypayment.com. Still, the central compliance question is straightforward: who is actually processing player payments, under what merchant description, and for whose economic benefit? That question becomes particularly important when a player alleges delayed withdrawals while also identifying multiple payment intermediaries and a disclosed Cyprus payment agent in the background structure. Consumer-Harm and Responsible-Gambling Concerns The material reviewed by FinTelegram also points to potential consumer-protection and responsible-gambling issues beyond the withdrawal dispute itself. The player says she also held an account with Rolly Spin and that the operator failed to close that account despite repeated requests. She further told FinTelegram that other players were allegedly being ignored when trying to close accounts, including cases involving disclosed gambling addiction. If substantiated, that would move the issue well beyond poor customer service. A casino that allegedly delays withdrawals while also failing to process closure requests is exposing itself to serious credibility and compliance questions. Review Pressure and Reputation Management Allegations The player also alleges that Super Spin attempted to influence review behavior. In one email, she claims that the casino had previously made a “deal” under which removing a negative Trustpilot review would help ensure smoother future withdrawals, and that any further negative reviews would move her withdrawals “down the priority list.” These are serious allegations and, at this stage, remain allegations. But if supported by screenshots or correspondence, such conduct would suggest not only payout friction, but active pressure on players to moderate public criticism while funds remain pending. That combination is precisely why the case deserves closer scrutiny. Right to Comment FinTelegram has invited Comentive Ltd, Super Spin, Rolly Spin, and Norvelic Limited to comment on the allegations and clarify the precise role of the entities involved in payment processing and player-account handling. At the time of publication, no response had been received. Here is a compact summary table you can drop into the report. I’ve phrased the regulation column as site-disclosed / claimed rather than validated regulatory status. The uploaded email chain identifies the same operator and Cyprus payment-agent structure, and the current site disclosures for both brands match that. Summarizing Table Entity typeBrand / EntityDomainSite-disclosed regulationOperator / roleJurisdictionCasino brandSuper Spinsuper-spin.comClaims to be licensed and regulated by the Government of the Autonomous Island of Anjouan, Union of Comoros, under License No. ALSI-202505024-FI1.Operated by Comentive LTD (reg. no. 000047924).Brand targets players online; operator disclosed as Belize.Casino brandRolly Spinrollyspin.comClaims to be licensed and regulated by the Government of the Autonomous Island of Anjouan, Union of Comoros, under License No. ALSI-202505024-FI1.Site disclosure and player material link it to Comentive LTD.Brand targets players online; operator disclosed as Belize.OperatorComentive LTDn/an/aSite-disclosed owner/operator of Super Spin; same structure also used for Rolly Spin in the source material. Belize registration no. 000047924; source material says formed 9 April 2025 and active.Belize — Sea Urchin Street, San Pedro Town, Ambergris Caye, Belize.Payment agentNorvelic LIMITEDn/an/aDisclosed by both casino sites as payment agent of Comentive LTD;EU/Cyprus payment handler for Super Spin and Rolly Spin. Reg No HE 475930.Cyprus — Avlonos 1, Maria House, 1075 Nicosia, Cyprus.Director Georgia Chrysostomo A careful editorial note you could place under the table: Editorial note: The licensing information above reflects operator website disclosures and source material reviewed by FinTelegram. It should be read as claimed regulatory positioning, not as an independent endorsement of the effectiveness or legitimacy of that regulatory framework. Recent reporting by Le Monde described the broader Anjouan licensing ecosystem as facing serious credibility questions and cited the Comorian central bank’s earlier position that certain supposed offshore authorities and approvals were illegal. Call for Information Whistleblowers, affected players, compliance insiders, and payment professionals: if you have information on Super Spin, Rolly Spin, Comentive Ltd, Norvelic Limited, or the payment rails behind these brands, contact FinTelegram or submit your information via Whistle42. Documented evidence helps identify the financial intermediaries and operational structures behind offshore casino schemes. Share Information via Whistle42

Key Findings Perspecteev SAS is a real, regulated French payment institution operating under the Bridge brand, with public corporate registration and institutional backing from Groupe BPCE and Truffle Capital. Bridge/Perspecteev appears in the final authorization stage of deposit flows linked to offshore casino brands targeting German users, according to the submitted rail-map evidence. The intermediary layer includes “SaferSEPA”, a public-facing label with little or no meaningful legal disclosure, creating a transparency gap in the merchant-facing part of the payment chain. Germany’s gambling framework explicitly prohibits participation in payments connected to unauthorized gambling, and violations can trigger enforcement and significant fines. France’s gambling regulator ANJ has publicly stated that payment service providers are part of the illegal-gambling enforcement perimeter, especially where offshore operators target French or European players. The case fits a broader Rail Atlas pattern: illegal front end → opaque gateway/intermediary → regulated payments touchpoint → bank authorization. A Regulated French PISP Turns Up in Illegal-Casino Payment Rails FinTelegram has reviewed a detailed source memorandum on Perspecteev SAS and the use of its Bridge payment-initiation infrastructure in deposit flows tied to offshore casinos targeting German users. The submitted material documents step-by-step deposit journeys in which the end user is ultimately asked by Revolut to authorize PERSPECTEEV SAS, while the merchant layer presented by Bridge is labeled “SaferSepa.com.” Perspecteev SAS is not an obscure shell. It is a French payment institution registered under SIREN 529 196 313, headquartered at 4 rue de la Pierre Levée, 75011 Paris, and publicly listed as an active company in the French business register. Public corporate records also show that Anna Maj has served as president since June 2025 and Alexis Roque as directeur général since October 2024. Bridge’s own 2022 funding round was substantial: €20 million from Truffle Capital and Groupe BPCE, the latter describing itself in the announcement as France’s second-largest banking group. The same release described Bridge as the brand of Perspecteev SAS and said the company was the first European player approved under PSD2 by the French regulator. That makes the appearance of Perspecteev in offshore gambling deposit rails especially relevant. This is not a fringe provider at the edge of the market. It is a regulated, institutionally backed open-banking player operating inside mainstream European payments. Rail Atlas Findings: Phantom SaferSEPA as Bridge Merchant The expert report submitted to FinTelegram documents real‑money deposit flows from users in Germany into two SOFTSWISS‑connected offshore casinos: Jet4Bet (Hollycorn N.V.) and Bitkingz (Dama N.V.). Both operators are Curacao‑registered, have no German GGL license, and thus qualify as illegal gambling offers under the German Interstate Treaty on Gambling 2021 (GlüStV 2021).​ At the core of the payment chain is SaferSEPA, which appears as Bridge’s merchant on the Bridge consent page (pay.bridgeapi.io), where “SaferSepa.com” is displayed together with the transaction amount and an internal ID. Publicly, safersepa.com does not identify a corporate entity, license number, registered office, or management. At the time of review, the site displayed only sparse text telling users to reference a transaction subject line such as “2616 SaferSEPA.com eWallet Payment” when making inquiries. No meaningful legal disclosure is visible in the captured page text. That matters because under the EBA’s AML framework, where a PISP has a business relationship with a payee or merchant, the merchant is the relevant customer for CDD purposes. In EBA Q&A 2021_6048, the EBA states that PISPs are not expected to perform CDD on both the payer and the payee at the same time and indicates that, in this scenario, the customer is the online merchant (payee). If Bridge onboarded SaferSEPA or a similar intermediary as a merchant, the obvious question is: who exactly was onboarded? If it did not, then a different question follows: how is Perspecteev’s regulated initiation layer being inserted into this payment journey at all? Perspecteev on the open-banking authorization page The investigation shows that SaferSEPA controls the customer journey before and after the Bridge consent step, receiving the hand‑off from the casino, performing bank selection (pay303.com), and then routing to Bridge and onward to the player’s bank. On Revolut’s open‑banking authorization page (oba.revolut.com), German users are explicitly asked to authorize PERSPECTEEV SAS, closing the loop between the unlicensed casino, the phantom gateway, and the regulated French PISP.​ Read our reports on Perspecteev here. Rail Map: From Curacao Casinos to EU Banks The material reviewed by FinTelegram documents two deposit journeys from Germany involving offshore casino brands Jet4Bet and Bitkingz. In both cases, the payment flow ends with the user being redirected to a Revolut authorization screen naming PERSPECTEEV SAS as the entity to be authorized. In one of the flows, the Bridge consent page itself reportedly displays “SaferSepa.com” as merchant. The following flows were recorded from Germany using actual deposits, with each redirect documented step‑by‑step.​ Flow A – Jet4Bet (Hollycorn N.V.) Start at jet4bet.com – deposit modal, “Open Banking”, €50.​ Redirect to secure.bankgate.io – German bank selection page showing Postbank, Commerzbank, Revolut, N26, TARGOBANK, ING (DiBa), Deutsche Bank, Berliner Sparkasse.​ User selects Revolut and is sent to oba.revolut.com – consent screen “to authorise PERSPECTEEV SAS”.​ Flow B – Bitkingz (Dama N.V.) Start at bitkingz.com – Quick Deposit, method “Mandato Direct”, €50.​ Redirect to pay303.com – SaferSEPA‑branded loading screen.​ Redirect to pay.bridgeapi.io – Bridge consent page showing “SaferSepa.com”, €50.00, internal ID 1588662, with options “Pay with QR” and “Pay online”.​ After “Pay online”, return to pay303.com – SaferSEPA‑branded bank selection.​ Selection of Revolut triggers redirect to trx.safersepa.com (“Revolut – Payment processing”), followed by oba.revolut.com – again asking the user to authorize PERSPECTEEV SAS as PISP.​ These observations demonstrate a layered structure in which Curacao casinos front German‑language offers, SaferSEPA/pay303 act as opaque conduits, Perspecteev’s Bridge handles the regulated open‑banking initiation, and EU banks execute the underlying SEPA transfers.​​ Entities and Domains in the Rail The evidence maps a layered structure that is by now familiar in the offshore gambling world: illegal front end, opaque gateway brand, regulated payments touchpoint, then bank authorization. LayerObserved entity / domainRoleCasino front‑endJet4Bet (jet4bet.com), BitKingz (bitkingz.com)Deposit UI (“Open Banking” / “Mandato Direct”) for German users.​GatewaySaferSEPA / pay303.comSaferSEPA‑branded loading screens and bank selection.​PISP consentpay.bridgeapi.ioBridge payment page showing “SaferSepa.com” as merchant.​Processingtrx.safersepa.comSaferSEPA‑branded payment processing.​Bank gateway (A)secure.bankgate.ioBank selection (German banks) for Jet4Bet flow.​Bank authorizationoba.revolut.comEnd‑user bank consent UI.​Authorized PISPPERSPECTEEV SASNamed on Revolut consent screen in both flows.​ Casino Operators and SOFTSWISS Context Both Jet4Bet and Bitkingz are part of the wider SOFTSWISS casino ecosystem, which operates dozens of Curacao‑licensed brands targeting European markets. Jet4Bet is operated by Hollycorn N.V. (Curacao #144359, license OGL/2023/176/0095) with more than 70 casino brands, while Bitkingz belongs to Dama N.V. (Curacao #152125, license OGL/2023/174/0082), successor of Direx N.V., running 100+ brands.​ Under GlüStV 2021, neither operator is authorized by the German GGL; their offers are therefore classified as illegal gambling for German residents. According to GGL reporting, the authority investigated around 1,864 websites and initiated more than 130 prohibition proceedings against Curacao‑licensed operators in 2023 alone, confirming a broad enforcement campaign against offshore gambling platforms.​ Summary Data on Perspecteev SAS CategoryDetailsLegal EntityPerspecteev SAS (France).​​Domainhttps://www.bridgeapi.io/RatEx42Compliance ProfileLinkedInBridge APIRegistrationSIREN 529 196 313; address: 4 rue de la Pierre Levée, 75011 Paris, France.​​FoundersJoan Burkovic (CEO), Emmanuel Costa (CTO), Robin Dauzon, David Sabbatini.​Current leadershipAnna Maria Maj (Présidente, since Aug 2025), Alexis Roque (DG).​OwnershipTruffle Capital and Groupe BPCE (BPCE Digital & Payments); ~€20M Series A in July 2022.​​LicenseACPR Payment Institution, REGAFI #72649, Agreement #16918 (PISP + AISP).​​Key milestoneFirst European entity to receive PSD2 approval (Jan 2018).​​Holding evidenceMORPHIC FINANCIAL GROUP LTD present on UK Companies House as related corporate entity.​Scale>€1.5B payments initiated; 300+ B2B clients; 8M+ accounts connected daily.​​Observed roleProvides PISP services to SaferSEPA; named on bank consent screen in illegal casino deposit flows.​ Regulatory Exposure: Under EBA Guidelines on ML/TF risk factors (EBA/GL/2021/02) and EBA Q&A 2021_6048, a PISP that maintains a business relationship with a payee must treat the merchant as its customer for AML and customer due diligence purposes. This implies that Bridge must identify, verify, and risk‑assess SaferSEPA/pay303, including license status, ultimate beneficial ownership, and exposure to prohibited sectors like unlicensed gambling.​ German law: PISPs are subject to payment-blocking In the present case, SaferSEPA/pay303 have no visible legal identity and no disclosed payment or gambling license, yet control payment flows from clearly illegal German‑facing casinos to EU‑based banks via Bridge. If Bridge has formally onboarded SaferSEPA as a merchant, this points to serious deficiencies in KYB and ongoing monitoring; if not, it raises equally serious questions about the security and integrity of Bridge’s API access, including the possibility of unauthorized third‑party use.​ From a German law perspective, § 4(1) sentence 2 GlüStV 2021 prohibits participation in payments related to unlicensed gambling, and § 9(1) sentence 3 no. 4 GlüStV 2021 empowers the GGL to impose payment‑blocking orders on all participants in the payment chain, including PISPs, backed by fines of up to €500,000 per infringement.​ Three decisions have significantly clarified this position: OVG Sachsen‑Anhalt (Oct 2023) – upheld a GGL payment‑blocking order against a PSP cooperating with PlatinCasino’s operator, confirming the broad reach of GlüStV enforcement.​ VG Halle (Oct 2024) – confirmed a blanket prohibition against a Swiss PSP for all unlicensed gambling transactions, underscoring that foreign PSPs are not shielded from German measures.​​ OVG Magdeburg (2 Dec 2024, 3 M 169/24) – explicitly addressed a Zahlungsauslösedienst (PISP) and held that PISPs are fully covered by the participation ban; the court noted that payment initiation on a gambling site typically presupposes an acceptance contract between the PISP and the operator, enabling the PISP to check national compliance.​​ The Magdeburg ruling also confirmed that German gambling law applies extraterritorially where foreign operators and payment providers target German consumers, and foreign payment providers must respect GGL prohibitions even if they are domiciled outside Germany. This interpretation places Perspecteev/Bridge squarely in the crosshairs if German regulators connect the documented SaferSEPA rails to their wider payment‑blocking practice.​ The French Regulatory Dimension Bridge is supervised in France, and France has its own strong public-policy stance against illegal online gambling. French law generally prohibits unlicensed online casino activity, and the ANJ has become increasingly aggressive against the illegal market. In December 2023, the ANJ said that, in the illegal market it studied, 50% of identified illegal-offer sites belonged to companies registered in Curaçao. It also stressed that it intended to act not only against illegal operators but also against payment service providers enabling the financial flows between illegal operators and players. The same ANJ page notes that since March 2022 it has had administrative powers to block and delist illegal sites and had already issued 300 blocking acts covering 1,230 URLs. That gives the Perspecteev matter a second regulatory dimension: even if the operational harm is focused on Germany, the home-state supervisor cannot simply ignore how a French-regulated institution’s payment-initiation layer is being used. Call for Information FinTelegram is currently deepening its investigation into Perspecteev SAS / Bridge, SaferSEPA, pay303.com, and related intermediaries in the illegal casino payment chain. Current and former employees of Perspecteev, BPCE‑related payment entities, SaferSEPA/pay303, SOFTSWISS operators, and partner PSPs are invited to share internal documents, onboarding records, merchant risk assessments, contractual arrangements, and technical integration details with us. Reports can be filed securely and anonymously via our whistleblower platform, where every submission is handled confidentially and evaluated for inclusion in ongoing Rail Atlas investigations.​ Share Information via Whistle42

While European gambling regulators intensify their crackdown on illegal offshore casinos, a more uncomfortable question is emerging for the banking sector: are major retail banks, through rigid chargeback practices and weak scrutiny of miscoded card transactions, helping illegal gambling networks stay operational? Complaints involving shell merchants, false MCC coding, and rejected disputes suggest a systemic compliance gap that deserves closer regulatory scrutiny. Key Findings Major retail banks may be processing card payments linked to illegal offshore casinos through shell merchants using allegedly false Merchant Category Codes (MCC). Transactions that should raise immediate AML and card-scheme red flags can appear on card statements as “digital goods” or ordinary retail purchases rather than gambling activity. Consumers who report the true gambling context of such transactions allegedly face dispute rejection, even where there are indicators of miscoding or transaction laundering. This creates a perverse incentive structure in which accurate disclosure may reduce the chance of recovery, while generic “goods not delivered” complaints may have a better chance of success. The alleged mismatch between internal bank dispute logic, card-scheme rules, and AML obligations deserves scrutiny by financial regulators, not only gambling authorities. The Banking Paradox: How Tier-1 European Banks May Be Enabling Illegal Offshore Casinos Through Transaction Laundering Blind Spots Across Europe, regulators are stepping up enforcement against illegal offshore gambling operators. National gambling authorities are issuing fines, publishing warnings, and ordering access restrictions against unlicensed casino websites targeting local consumers. Yet one critical question remains insufficiently examined: how are deposits to these operators still being processed so easily through mainstream banking channels? According to information shared with FinTelegram, part of the answer may lie in the intersection of card acquiring, dispute handling, and compliance failures at major European retail banks. The allegation is not that banks openly support illegal gambling. The more troubling concern is that some banks, including Revolut, may be structurally ignoring obvious warning signs of transaction laundering and merchant misrepresentation, thereby allowing illegal offshore casino ecosystems to continue operating in plain sight. The Hidden Payment Layer Behind Illegal Gambling When consumers deposit funds with offshore casinos, the transaction does not always appear as gambling. Instead, the charge may be routed through an intermediary merchant or shell company that presents itself as a software seller, digital goods provider, e-commerce business, or other innocuous commercial entity. In such cases, the transaction may be processed under a Merchant Category Code other than the gambling MCC 7995. Market participants and affected consumers have repeatedly pointed to MCC 5816 and similar retail-oriented classifications as examples of how gambling-related payments may be disguised. Regulators and supervisors already warn about illegal gambling payment risk, shell/sub-merchant opacity, and transaction laundering. What remains insufficiently addressed is the specific role of false or misleading MCC allocation in helping those flows evade bank controls (read also “Gambling and Gaming Good Practices for Payment Institutions and Good Practices Sub-Merchants published by the Dutch DNB). From a compliance perspective, that is not a minor technical issue. If a gambling transaction is deliberately disguised through a false merchant identity and misleading MCC coding, this may amount to transaction laundering. It is also a serious AML, KYC, and card-scheme risk indicator. Why the Chargeback Process Matters The compliance issue becomes especially visible when the consumer later tries to dispute the transaction. A typical scenario described to FinTelegram is this: a consumer deposits funds with an offshore casino, later loses access to the account, faces withholding of winnings, or discovers that the merchant description on the card statement does not match the actual service received. The consumer then approaches the issuing bank to request a chargeback. At that point, the dispute is allegedly assessed not through the lens of merchant misrepresentation, transaction laundering, or scheme-rule compliance, but through a simplified internal script: the customer intended to gamble, the funds reached the casino environment, therefore the service was rendered and the dispute is rejected. The problem is not merely poor customer service. This approach indicates a deeper structural failure: the bank may be refusing to examine whether the named merchant was false, whether the MCC was manipulated, whether the acquirer onboarded the merchant properly, and whether the entire payment chain was designed to circumvent gambling controls. The Compliance Red Flags Banks Should Not Ignore From an AML and card-compliance perspective, several red flags should trigger enhanced scrutiny: 1. Merchant-description mismatch The merchant shown on the statement allegedly does not correspond to the casino brand actually used by the consumer. 2. Suspicious MCC allocation The payment may be classified as digital goods, software, or general retail rather than gambling, despite the underlying transaction being casino-related. 3. Use of shell entities The named merchant is often an obscure corporate vehicle with no meaningful public-facing commercial activity consistent with the transaction description. 4. Dispute logic detached from merchant truth Instead of examining whether the transaction was honestly represented, banks may focus only on the consumer’s subjective intent to gamble. 5. Possible scheme-rule avoidance Where acquiring-side documentation, merchant identity, and service representation do not align, the matter may implicate card-scheme compliance, not just customer dissatisfaction. These are not exotic issues. They go to the heart of AML controls, merchant due diligence, and the integrity of the card-payment ecosystem. The Perverse Incentive: Honesty May Hurt the Consumer Perhaps the most disturbing aspect of the allegations is the incentive structure they create. Consumers report that when they fully explain the offshore casino context in an attempt to expose merchant deception, the bank may reject the dispute on moralistic or policy grounds linked to gambling. However, when the same transaction is framed in generic commercial terms — for example, as software or digital goods not delivered — the dispute may have a better chance of succeeding, simply because the shell merchant cannot prove delivery of the supposed product. This suggests a highly problematic outcome: banks may be encouraging concealment while discouraging honest reporting of suspicious payment conduct. In other words, the system may be better at processing simplified consumer scripts than at confronting potential transaction laundering. A Regulatory Blind Spot Beyond Gambling Enforcement This is why the issue should not remain confined to gambling regulators. Authorities such as the Dutch KSA, the UK Gambling Commission, and other national gambling watchdogs can act against unlicensed casino operators. But they do not supervise the internal dispute-handling logic of major retail banks. That is where financial regulators and AML supervisors enter the picture. The real compliance question is whether retail banks and their card-dispute departments are sufficiently trained, required, and incentivized to identify transaction laundering indicators when consumers present evidence of merchant mismatch, false MCC coding, and shell-company routing. If not, banks risk becoming passive infrastructure providers for illegal gambling networks while publicly maintaining zero-tolerance rhetoric. Read our report on Revolut and the Norway situation here. Why ING, Rabobank, and Other Banks Deserve Closer Scrutiny The institutions mentioned by the source — including ING and Rabobank — are not singled out here as proven wrongdoers. However, they are cited as examples of major banks whose internal handling of such cases deserves closer examination. For FinTelegram, the central question is whether the alleged failures are isolated case-management problems or signs of a broader structural pattern across European consumer banking. If dispute teams systematically ignore transaction laundering indicators because the underlying consumer activity involved gambling, that would represent a serious governance issue. It would also raise questions about how banks interpret their obligations under AML frameworks, card-scheme rules, and consumer-protection standards. FinTelegram’s Preliminary Assessment The allegations presented to FinTelegram point to a potentially important enforcement gap at the intersection of illegal gambling, acquiring, retail banking, and card-dispute operations. Even where a consumer knowingly engaged with a gambling website, that does not eliminate the need to examine whether the transaction was deceptively presented, processed through a false merchant, or intentionally miscoded to bypass controls. A bank that refuses to engage with those elements may be overlooking precisely the kind of conduct that AML and card-compliance frameworks are meant to detect. This is not merely a consumer-rights issue. It is a potential payment-integrity issue. Call for Whistleblowers and Insiders FinTelegram is investigating how banks, acquirers, PSPs, and card-dispute departments handle suspicious card transactions linked to illegal offshore casinos, shell merchants, and false MCC coding. We invite insiders, compliance officers, former dispute-team staff, acquirer employees, payment specialists, and affected consumers to share information, documents, merchant descriptors, chargeback correspondence, or internal guidance through our whistleblower platform, Whistle42. If you have evidence of transaction laundering, miscoded gambling transactions, shell merchants, or internal bank policies that systematically ignore these red flags, please submit your information securely and confidentially via Whistle42. Share Information via Whistle42

For years, Payvision was sold to the market as a Dutch fintech success story. In reality, the newly published Payvision chat excerpts presented by EFRI point to something far uglier: a regulated payment institution that, according to criminal case materials cited by EFRI, did not merely process payments for scam networks around Uwe Lenhoff and Gal Barak, but allegedly helped keep those networks alive when fraud pressure, chargebacks, blocked accounts, and liquidity stress threatened to choke them. If these chats say what they appear to say, then Europe is not looking at a mere compliance lapse. It is looking at payment infrastructure turned into fraud infrastructure. Key Findings From processor to enabler: The EFRI chat exhibits suggest that Payvision did not merely process payments, but allegedly helped scam networks solve critical payment and settlement problems. Awareness of fraud risk: The published messages strongly indicate that Payvision knew it was dealing with merchant structures tied to fraudulent broker operations linked to Uwe Lenhoff and Gal Barak. Conversion over compliance: According to EFRI, Payvision allegedly facilitated higher card acceptance for scam merchants through high-risk setups, including MOTO processing and the use of MCC 6211. Keeping the scam machine alive: The chats show repeated urgency around blocked accounts, delayed settlements, and emergency transfers, underscoring how vital Payvision was to the continued operation of the fraud schemes. Top-level involvement: Several excerpts suggest that extraordinary transfers and exceptional payment decisions required approval at the highest level, allegedly involving founder and CEO Rudolf Booker. ING-linked money flows: EFRI’s report points to the use of Stichting Payvision accounts, including ING-linked accounts, to move or reroute funds when ordinary channels came under pressure. Profiting from toxicity: The evidence suggests that Payvision did not just profit from processing scam payments, but also from the fallout through chargeback fees and so-called fraud-risk premiums. Risk as a revenue stream: The “Chargeback and Fraud Risk Premiums” document supports the allegation that fraud-related distress was monetized rather than treated as a reason to exit the client relationship. More than an AML failure: While Dutch prosecutors established structural AML shortcomings, the EFRI materials suggest conduct that may have gone beyond weak controls into active operational support. A scandal that reaches ING: Because ING acquired Payvision at a premium valuation and later shut it down, the affair raises unresolved questions about due diligence, oversight, and institutional accountability. The payment layer as crime infrastructure: The wider lesson is stark: industrial-scale broker fraud could not have functioned without payment partners willing to keep funds flowing despite obvious red flags. Potential smoking-gun evidence: The Payvision chats may be among the most damaging documentary exhibits yet published in the wider Lenhoff-Barak cybercrime complex. The Chats Start Where The Scandal Really Starts: Conversion The first exhibit published by EFRI goes straight to the commercial heart of online broker fraud: payment acceptance. According to EFRI’s report and the cited court files, Payvision allegedly accepted MOTO transactions and used MCC 6211 for Lenhoff-linked schemes even though the operating entities did not hold a MiFID licence. EFRI further says a seized 19 February 2016 chat recorded Lenhoff celebrating that, after Payvision was introduced, the decline rate fell by 65% and acceptance rose by 80%. The accompanying image published by EFRI shows the message trail behind that claim. That is not a technical footnote. In scam economics, conversion is everything. Boiler rooms can lie all day, but if card payments do not clear, the fraud dies. EFRI’s second screenshot reinforces that point: in December 2015, Lenhoff allegedly complained that 3D Secure on Option888 was causing them to lose too many clients. The implication is devastating. According to the report, the fraud network needed fewer controls and easier card acceptance, and Payvision allegedly supplied exactly that. Then Came The Operational Support The scandal turns darker in the chats about blocked accounts and payment rerouting. EFRI says that after Wirecard Bank blocked the Payific Ltd account effective 1 November 2016 because of fraud complaints, the Lenhoff organisation came under severe pressure. The chat screenshots published by EFRI show the panic: “we are losing Tomer,” “we need it urgently,” and “Payvision cannot provide a swift of the transaction but that the money has left their account and will be with the beneficiary.” EFRI says these messages reflect direct intervention to keep a key creditor paid and the fraud machine running after its ordinary banking channel broke down. That is the point where the old defense — “we were just the processor” — starts to collapse. Processors do not normally become crisis managers for merchant groups drowning in fraud complaints. Yet EFRI’s report describes repeated “special” transfers, including direct payments from Stichting Payvision accounts to third parties, allegedly to preserve operational continuity for the Lenhoff network. If accurate, that is not neutral processing. That is active stabilisation of a criminal cashflow system. Booker’s Name Appears Where it Should Never Have Appeared One of the most toxic features of the published exhibits is not just the transfers themselves, but the reported need for top-level approval. EFRI states that these extraordinary payments required the approval of Rudolf Booker, Payvision’s founder and then CEO. One screenshot published by EFRI includes the lines: “that depends on what Rudolf agrees to do” and “ask Chang before, cause Rudolf is in Asia.” Another line says, “at least then we can do the big ones from there.” Even if one adopts the most cautious legal reading, those are not the optics of a processor trying to isolate itself from toxic merchants. They are the optics of a senior-management-controlled relationship in which the payment provider appears to be helping solve merchant liquidity and routing problems in a red-flagged fraud environment. That is precisely why these chats are so dangerous. They drag the scandal out of the realm of bad onboarding and into the realm of deliberate operational enablement. The ING Account Angle is Explosive EFRI moves from chats to flow evidence. According to the report, after another provider, MoneyNetInt, stopped cooperating because of suspicious settlement activity, millions paid by victims through Visa and Mastercard into Stichting Payvision accounts held at ING Bank N.V. and Deutsche Bank were allegedly redirected onward to Winslet Enterprises, a company EFRI identifies as being under Lenhoff’s control. The published tables show a series of transfers from an ING-linked Stichting Payvision account totaling roughly €3.08 million, followed by additional transfers from a Deutsche Bank-linked Stichting account totaling roughly €2.75 million. This is where the scandal stops being a Payvision-only story and becomes an ING legacy story. ING bought a 75% stake in Payvision in 2018 at a valuation of €360 million. Three years later, it announced it would phase the business out; Reuters reported that ING had already written down €188 million in goodwill and had previously sold half of Payvision’s operations for a nominal €1. ING itself said in 2021 that it had strengthened Payvision’s governance and compliance after the acquisition. But the public question is now much sharper: what exactly did ING buy, what did it know, and when did it know it? Payvision Did Not Just Process The Fraud But Charged For The Fallout EFRI’s fourth exhibit may be the most cynical of all. It includes a Payvision letter titled “Chargeback and Fraud Risk Premiums,” addressed to Hitchcliff Ltd and signed by Booker. The document says Payvision would impose an additional fee of €1 per euro of chargeback and fraud volume, and the published pages show a debit amount of €658,057.31. EFRI says these were not isolated fees but part of a broader commercial model in which Payvision allegedly processed more than €134 million for Barak- and Lenhoff-linked schemes while profiting from high processing fees, chargeback handling fees, and private penalty-style premiums. That is what makes the case morally and legally grotesque. According to EFRI’s presentation of the record, Payvision was allegedly not losing money because the merchants were toxic. It was making money because they were toxic. The more fraud risk materialised, the more the processor could bill around it. In that light, the “risk premium” begins to look less like prudent pricing and more like a monetised fraud externality. Dutch Enforcement Confirmed AML Failure — But Barely Touched The Scandal The Dutch Public Prosecution Service said in April 2024 that two former Payvision directors received fines of €150,000 and €180,000 because Payvision had, from 2016 through April 2020, carried out inadequate customer due diligence, failed to properly identify beneficial owners and the purpose of business relationships, and failed to maintain ongoing monitoring. The criminal investigation, the OM said, began after a report from De Nederlandsche Bank (DNB). That official statement is already damning. But compared with the picture painted by the EFRI chats, it also looks absurdly narrow. Because the EFRI material does not describe a processor sleepwalking through KYC failures. It describes, according to the cited court files, a firm embedded in the day-to-day payment problems of known scam networks, allegedly rerouting flows, supporting third-party payouts, approving exceptional transfers, and profiting heavily from chargeback-driven distress. If that evidentiary picture is broadly correct, then Europe is not dealing with a sloppy gatekeeper. It is dealing with a financial enabler. The Wider ING backdrop Makes The Payvision Affair Even Uglier The Payvision scandal also lands against a broader ING history of AML and control failures. In 2018, ING agreed to pay €775 million in the Netherlands after admitting that criminals had been able to launder money through its accounts for years; Reuters reported prosecutors said those shortcomings were structural and long-lasting. In 2020, Reuters also reported that a Milan court ordered ING to pay €30 million to settle an Italian money-laundering case. None of that proves liability for the conduct alleged in the EFRI report. But it does destroy any comforting fantasy that Payvision sat inside a pristine control culture. The Need to Cover-Up ING has every incentive to bury Payvision as an embarrassing failed acquisition. Payvision is dissolved, the executives took relatively modest fines, and the bank would prefer the market to remember only a bad M&A bet. But the EFRI chats threaten to turn that narrative inside out. They suggest that what ING bought was not just a fast-growing fintech, but a revenue machine allegedly fed by some of Europe’s most notorious scam brokers. According to EFRI, the same criminal case materials show not only awareness of the fraud environment but apparent assistance in solving the payment and settlement problems that kept those schemes alive. Rudolf Booker (left) and Gijs op de Weegh: the Payvision fintech cowboys and their crime merchants That is why this case matters for every regulator, court, and victim in Europe. Fraud does not scale without finance. Boiler rooms need cards, acquiring, settlement, merchant shells, trust accounts, and someone willing to keep the money moving when the red flags start flashing. The Payvision chats, as published by EFRI, go to the heart of that architecture. They show the payment layer not as a neutral bystander, but as the nervous system of the scam economy. Conclusion What emerges from the Payvision chats is not the picture of a negligent payment processor that failed to ask enough questions. It is the picture of a financial intermediary that, according to the documented communications and the surrounding case files, appears to have known exactly what kind of merchants it was dealing with and nonetheless helped keep their fraud operations running. If these chats withstand full judicial scrutiny, then Payvision was not standing at the edge of the scam economy — it was operating inside it, managing frictions, protecting flows, and profiting from the victims’ losses at every stage. That is why this case should not end with a few legacy fines, corporate silence, and selective amnesia at ING. Europe needs full accountability for the executives, institutions, and banking structures that turned payment processing into an instrument of industrial-scale fraud. Share Information via Whistle42

FinTelegram has now published its DeFi Compliance Perimeter as a permanent evergreen framework page. The reason is straightforward: we increasingly see DeFi brokers, DeFi investment schemes, and their supporting rails as the next major perimeter problem in digital finance. In phenomenological terms, this looks familiar. What binary options once represented for the convergence of gambling, speculative retail trading, and weakly supervised distribution, DeFi brokers and DeFi schemes may now represent for crypto-native markets. The labels have changed, the rails are more complex, and the structures are more technical. But the investor-protection logic is strikingly similar. FinTelegram’s published framework therefore focuses on the practical questions of Access Control, Flow Control, economic control, and governance control to assess when a DeFi-labeled model begins to look less like “pure DeFi” and more like a controlled, commercially organized financial service. Key Findings FinTelegram has published the DeFi Compliance Perimeter as a living evergreen framework on its website. The framework’s core thesis is that the decisive question is no longer whether a project calls itself “DeFi,” but when it becomes a controlled, commercially organized financial service. FinTelegram identifies Access Control and Flow Control as the first decisive indicators that a supposedly decentralized model may in fact sit inside the practical compliance perimeter. The framework also stresses that MiCA does not automatically exempt services merely because part of the activity is decentralized, and that MiFID II may also apply where crypto-assets or structures qualify as financial instruments. FinTelegram sees a strong phenomenological parallel between the historic binary-options segment and today’s DeFi broker and DeFi investment-scheme segment: fast-growing retail speculation, fragmented accountability, aggressive onboarding, and markets evolving faster than perimeter enforcement. The first practical applications of this framework were FinTelegram’s recent reviews of Hyperliquid and AXIOM, both of which raised questions about DeFi branding, leveraged retail access, and embedded funding rails. Compliance Analysis Why FinTelegram Has Created A DeFi Compliance Perimeter FinTelegram has now formally published its DeFi Compliance Perimeter because the DeFi segment is no longer a niche innovation story. It is becoming an investor-protection and perimeter-enforcement story. The framework page states the core thesis clearly: the decisive question is not whether a project uses the word “DeFi,” but when a DeFi-labeled scheme becomes a controlled and commercially organized service. That is the point at which existing regulatory logic — under MiCA, MiFID II, AML/CFT, and broader conduct standards — may begin to apply in substance, even where market participants continue to market the model as decentralized. Why We View DeFi Phenomenologically Like Binary Options FinTelegram does not argue that DeFi brokers are legally identical to binary options. The point is different and more important: the pattern looks familiar. Binary options emerged from a grey zone between gambling logic and financial speculation. For years, the sector industrialized retail losses through gamified trading interfaces, weakly supervised operators, aggressive marketing, payment intermediaries, and fragmented cross-border structures before regulators fully defined the perimeter. FinTelegram’s DeFi framework explicitly uses that history as a warning. Its published text notes that the binary-options era shows how long markets can operate in a grey zone before regulators fully define the perimeter, and it uses that history to explain why earlier scrutiny matters for investor protection. In phenomenological terms, the DeFi segment shows similar traits: speculative retail exposure, friction-reduced onboarding, complex but commercially orchestrated rails, fragmented accountability, and narratives that initially outrun supervisory interpretation. That is why FinTelegram views the DeFi segment not merely as crypto infrastructure, but as a potential successor to earlier high-risk retail trading ecosystems. The New Broker Problem: Same Game, New Rails The biggest difference between the old binary-options world and the new DeFi world is not necessarily the retail psychology. It is the architecture. Where offshore brokers once relied on card acquirers, shell PSPs, introducing agents, and jurisdictional arbitrage, DeFi brokers and DeFi investment schemes increasingly rely on: wallet-native onboarding, on/off-ramp partners, routing layers, embedded trading access, execution venues, yield mechanisms, and “interface-only” or “non-custodial” defenses. FinTelegram’s published framework argues that these structures should not be judged by labels alone. Instead, they should be assessed through four control layers: Access Control, Flow Control, Economic Control, and Governance & Risk Control. That is the practical lens FinTelegram will now use for systematic DeFi coverage. The logic is simple. Once identifiable actors control the front end, the client relationship, the funding route, the wallet logic, fee capture, or the emergency powers of a supposedly decentralized system, the claim of being fully outside the perimeter begins to weaken. Hyperliquid And AXIOM Were Only The Beginning FinTelegram’s earlier reporting on Hyperliquid and AXIOM already foreshadowed this shift. Those reviews were early case studies in what FinTelegram now describes more systematically through its DeFi Compliance Perimeter. Hyperliquid raised the question of whether a DeFi-labeled derivatives venue with broad retail accessibility and limited visible perimeter controls should really be treated as a credibly permissionless protocol. AXIOM then added another layer by showing how a branded front end can package leveraged DeFi trading, wallet integration, and buy-crypto rails into a more broker-like retail journey. Together, these cases made one thing clear: DeFi brokers and DeFi investment schemes deserve the same kind of structured scrutiny that FinTelegram once applied to binary options, offshore brokers, and their payment enablers. Why Investor Protection Requires A Public Framework One of the strongest parts of the published framework is its investor-protection logic. The page states that the lesson from binary options was not only that the products were risky, but that markets can scale retail harm faster than regulation can define the perimeter. That is precisely why FinTelegram is treating DeFi brokers, DeFi investment schemes, and their supporting rails as a developing investor-protection story rather than merely a technical crypto story. This is also why the framework is being published as a living framework. FinTelegram explicitly says it will evolve as new cases, legal interpretations, regulatory actions, and expert feedback emerge. That openness is deliberate. The perimeter is still moving, the segment is still changing, and many compliance professionals are still working through how MiCA, MiFID II, AML/CFT, and conduct rules intersect in these hybrid models. FinTelegram’s Strategy Going Forward Going forward, FinTelegram will use the DeFi Compliance Perimeter as the anchor for a more systematic review strategy. That means future coverage will increasingly focus on: DeFi brokers offering leverage, perpetuals access, or broker-like trading functionality; DeFi investment schemes built around staking, vaults, yield, or “earn” narratives; on/off-ramp and wallet rails that move users from fiat into high-risk speculative environments; and perimeter watch cases where “DeFi” branding appears to mask concentrated operational control. In this sense, the DeFi Compliance Perimeter is more than a framework page. It is also FinTelegram’s editorial roadmap for the next phase of compliance reporting. Summary Compliance Statement FinTelegram has published the DeFi Compliance Perimeter because the DeFi segment increasingly resembles a new perimeter challenge in investor protection. From our perspective, this segment should be approached phenomenologically in much the same way the binary-options segment once had to be approached: as a fast-growing retail-risk environment where commercial innovation and distribution speed can outpace perimeter enforcement. The new rails are more technical, the language is more sophisticated, and the structures are more fragmented. But the underlying compliance question is familiar: who controls access, who controls the flow, who monetizes the journey, and who bears responsibility when retail users are harmed? FinTelegram’s answer is to make that question visible through a public, living framework and to apply it systematically across DeFi brokers, DeFi investment schemes, and their supporting rails. Call To Insiders, Traders, And Whistleblowers If you are a trader, insider, builder, compliance officer, former employee, investor, payment provider, or infrastructure partner with relevant information about DeFi brokers, DeFi investment schemes, or their supporting rails, contact FinTelegram confidentially via Whistle42. We are particularly interested in: internal compliance assessments, rail and wallet-routing architecture, on/off-ramp integration, target-market and geo-blocking practices, admin-key and governance concentration, retail-investor complaints, and evidence showing how supposedly decentralized systems are commercially orchestrated in practice. Together, we can help make this developing segment more transparent, more understandable, and harder to game in the interest of investor protection. Share Information via Whistle42

ESMA’s February 2026 public statement is a watershed moment for the DeFi-perps segment. The EU regulator has now made explicit what many compliance analysts long suspected: derivatives marketed as “perpetual futures” or “perpetual contracts” are likely to fall within the EU’s existing CFD product-intervention perimeter when they provide leveraged exposure and are not exclusively physically settled. That matters directly for Hyperliquid, which offers perpetual derivatives with leverage of up to 40x and, according to FinTelegram’s earlier testing, remains accessible from EU jurisdictions without KYC or effective perimeter controls. In short, the label may be DeFi, but the regulatory logic is moving back toward the old broker world. Key Findings ESMA said on 24 February 2026 that derivatives marketed as “perpetual futures” or “perpetual contracts” are likely to fall within the scope of the EU’s existing national CFD product-intervention measures where they meet the CFD definition. ESMA also said the commercial name is irrelevant, that funding-rate mechanisms and voluntary safeguards such as insurance funds do not change the classification analysis, and that firms must assess these products under MiFID II and investor-protection rules. Under the long-standing EU CFD framework, crypto CFDs for retail clients are subject to a 2:1 leverage cap, margin close-out, negative balance protection, a standardised risk warning, and a ban on incentives. Hyperliquid’s own documentation says its perpetuals are derivatives without expiration, support per-wallet cross or isolated margin, cover 100+ assets, and offer leverage ranging from 3x to 40x. Hyperliquid’s contract specifications also state there are “no address-specific restrictions,” a statement that sits uncomfortably beside ESMA’s insistence on narrow target markets, appropriateness checks, and compliant distribution strategies for complex leveraged derivatives. FinTelegram previously documented that EU residents could fund, swap, and trade Hyperliquid perps without KYC, geo-blocking, or deposit limits, and separately argued that Hyperliquid functions more like a foundation-controlled trading venue than a credibly permissionless protocol. FinTelegram’s AXIOM review also showed how broker-like DeFi front ends can package Hyperliquid perpetuals into a branded retail interface with up to 50x leverage and direct fee capture. Finance Magnates correctly identified the practical significance of ESMA’s move: if crypto perpetuals are treated as CFDs in the EU, the implications for leverage, distribution, and retail targeting are profound. Compliance Analysis ESMA Has Now Closed The Naming Loophole The most important development is not political rhetoric but legal framing. ESMA’s February 2026 statement says that derivatives marketed as perpetual futures or perpetual contracts are likely to fall within the scope of the existing national CFD product-intervention measures where they meet the relevant definition. ESMA is explicit that the assessment must be made irrespective of the product’s commercial name. It adds that a derivative giving exposure to an underlying value that is not exclusively physically settled would likely fall within scope, and that features such as a funding-rate mechanism, negative balance protection, or insurance funds are not relevant to that classification analysis. That is a major perimeter signal for the entire crypto-perps sector. It means that the old trick of changing the label while preserving the economic substance is losing credibility in Europe. In FinTelegram terms: this is the same perimeter game, but with new rails. Why This Matters For Hyperliquid Hyperliquid is not a theoretical case. Its own documentation describes perpetuals as derivative products without expiration that rely on funding payments. It supports per-wallet cross or isolated margin, lists 100+ perpetual assets, and allows leverage that varies by asset from 3x to 40x. Its contract-specifications page also says there are “no address-specific restrictions.” Those are not the hallmarks of a narrow, professionally controlled derivatives distribution model for EU retail clients. They look far closer to a globally accessible high-leverage derivatives venue. That tension becomes sharper when read against ESMA’s statement. ESMA says leveraged derivatives require a very careful target-market assessment, are expected to have a narrow target market, require an appropriateness assessment in non-advised services, and raise conflicts-of-interest concerns where products are issued or traded within the same group ecosystem. ESMA also says such perpetual derivatives are packaged investment products for PRIIPs purposes, meaning a KID is needed when they are distributed to retail clients. In other words, the EU framework is moving in the exact opposite direction from the “connect wallet and start trading” logic that has fuelled the growth of crypto perpetuals. The Old CFD Logic Is Back This is where the comparison with the binary-options and CFD era becomes more than rhetorical. ESMA’s 2018 intervention measures for CFDs were adopted precisely because retail distribution of leveraged speculative products had become a major investor-protection problem. Those measures included leverage limits from 30:1 down to 2:1 depending on the asset class, margin close-out, negative balance protection, a ban on incentives, and standardised risk warnings. For cryptocurrencies, the cap was 2:1. Finance Magnates highlighted the practical consequence immediately after ESMA’s February 2026 statement: if crypto perpetuals are treated as CFDs, then the EU retail model for these products becomes drastically narrower than the high-leverage offshore-style norm. Its related coverage also framed the issue in the context of a market measured in the tens of trillions, while academic commentary from Cornell noted that cumulative crypto perpetual volume since 2020 had already surpassed $60 trillion. That is precisely why FinTelegram views this as a core DeFi compliance issue, not a niche product-classification debate. When a massive, fast-growing leveraged market collides with investor-protection rules built for CFDs, the perimeter question becomes strategic. Summary Table: CFDs vs Crypto Perpetual Futures Investor and Regulatory Comparison CharacteristicCFDsCrypto Perpetual FuturesInvestor PerspectiveRegulatory / Compliance PerspectiveBasic product logicA CFD is a derivative giving long or short exposure to price movements in an underlying, typically cash-settled. ESMA’s CFD definition focuses on economic exposure rather than branding.Crypto perpetuals are typically marketed as derivatives without expiry that provide ongoing leveraged exposure to crypto prices, usually via margin and a funding-rate mechanism. Hyperliquid’s docs describe perpetuals exactly in those terms.For investors, both products are primarily speculation tools rather than spot ownership.ESMA’s February 2026 statement makes clear that perpetuals can fall within the CFD perimeter if they meet the functional definition.Commercial labelHistorically marketed openly as CFDs.Often marketed as “perpetual futures” or “perpetual contracts.”Investors may perceive perpetuals as something materially different from CFDs because of the crypto-native branding.ESMA says the commercial name is irrelevant; firms must assess the substance of the instrument under MiFID II and CFD rules.Settlement logicTypically cash-settled or capable of cash settlement.Perpetuals often avoid traditional expiry and use mark prices plus funding flows rather than physical delivery. ESMA says a derivative not exclusively physically settled would likely fall within the CFD measures unless excluded.Investors may not care whether settlement is “cash” or “funding-rate based” if the economic result is leveraged price exposure.ESMA explicitly says that funding-rate mechanisms do not change the classification analysis.ExpiryCFDs do not have a classic futures expiry profile in the retail-broker model.Perpetuals are specifically designed to have no expiry date. Hyperliquid states its contracts are derivatives without expiration.No expiry makes perpetuals easier and more “casino-like” for continuous retail speculation.Lack of expiry does not remove them from the CFD perimeter if the functional criteria are met.LeverageIn the EU retail context, leverage is capped under the CFD intervention regime; crypto CFDs are limited to 2:1.Hyperliquid states that leverage on its perpetuals ranges from 3x to 40x depending on the asset.Higher leverage is commercially attractive to retail users but sharply increases liquidation and loss risk.This is one of the clearest tensions: EU CFD rules sharply restrict retail leverage, while crypto perpetual venues often market much higher leverage.Margin modelMargin is integral to CFDs, with EU rules requiring margin close-out protection.Hyperliquid documents both cross and isolated margin for perpetuals.Margin makes both products highly sensitive to volatility and liquidation cascades.ESMA highlights leverage and margin trading as core risk factors in target-market and investor-protection analysis.Risk controlsEU retail CFD rules require leverage limits, mandatory risk warnings, margin close-out, negative balance protection, and a ban on incentives.Crypto-perps venues may offer voluntary protections, insurance funds, or negative-balance-style language, but ESMA says such safeguards do not alter the classification analysis.Investors may wrongly assume that venue-level safeguards make the product “regulated enough.”ESMA says voluntary protections are not a substitute for compliance with the underlying product-intervention framework.Target marketUnder MiFID II product-governance logic, leveraged derivatives should have a narrow target market.Hyperliquid’s model appears globally accessible, and its docs say there are “no address-specific restrictions.”Retail investors experience these products as open-access speculation tools.ESMA warns that mass marketing to inexperienced investors is inconsistent with a narrow target market.Appropriateness assessmentRequired when complex derivatives are distributed on a non-advised basis to retail clients in the EU.Many DeFi-perps environments are designed for immediate wallet-based access, often without classic appropriateness workflows.Retail investors may enter a high-risk derivatives environment without any meaningful suitability friction.ESMA explicitly reminds firms that an appropriateness assessment is needed for complex derivatives in non-advised services.Disclosure regimeRetail distribution of CFDs in the EU comes with standardized warnings and conduct requirements.ESMA says perpetual derivatives are packaged investment products, so a PRIIPs KID is needed when distributed to retail clients.Investors in crypto perpetuals often do not receive a disclosure package comparable to traditional retail derivatives distribution.This is a major compliance issue for EU-facing distribution of crypto perpetuals.Conflicts of interestTraditional broker-CFD models have long raised execution and principal-risk conflicts.ESMA flags a prominent conflict where derivatives are issued by a group entity or traded on a group venue and then pushed to clients.Investors may not see how venue, issuer, front end, and fee capture can align against them.This point is especially relevant in vertically integrated DeFi ecosystems and front ends built around a single venue.Regulatory narrativeClearly recognized as regulated leveraged derivatives in the EU retail perimeter.Often presented as innovative DeFi-native instruments outside legacy broker logic.Investors may assume “DeFi” means a different, freer, or less intermediated risk model.ESMA’s message is that naming and crypto-native mechanics do not change the core regulatory analysis.FinTelegram compliance viewCFDs are the historical benchmark for leveraged retail-perimeter analysis.Crypto perpetuals, especially where offered through DeFi-style access layers, increasingly look like CFDs in new technical packaging.For investors, the economic reality may be closer to the old CFD world than the DeFi narrative suggests.For regulators and compliance analysts, the perimeter test is shifting decisively toward substance over form. Short Takeaway From an investor-protection perspective, the core difference between CFDs and crypto perpetuals is often less significant than the marketing suggests: both deliver leveraged exposure to price movements without true spot ownership, and both can generate rapid retail losses. From a regulatory perspective, ESMA’s February 2026 statement makes the key point explicit: where crypto perpetuals function like CFDs, they should increasingly be treated like CFDs, regardless of the DeFi or futures-style branding. Hyperliquid’s Structure Still Looks More Like A Venue Than A Pure Protocol FinTelegram has already argued that Hyperliquid should not be treated as a credibly permissionless DeFi scheme. In earlier reporting, we documented EU access to perpetuals without KYC, geo-blocking, or deposit limits. We also argued that Hyperliquid’s foundation-controlled infrastructure, concentrated validator structure, and discretionary intervention powers make it look functionally closer to a centrally steered trading venue than to a neutral autonomous protocol. ESMA’s new statement strengthens that compliance view. If the commercial name is irrelevant, if funding mechanisms do not change the analysis, and if the decisive issue is the substance of the derivative and the way it is distributed, then Hyperliquid’s DeFi branding no longer answers the core regulatory question. The real question becomes whether EU clients are being given access to what are, in substance, CFD-like leveraged derivatives without the controls, restrictions, and disclosures the EU framework requires. AXIOM Shows How The Hyperliquid Risk Gets Retail-Packaged The AXIOM case makes the issue even more urgent. FinTelegram recently showed that AXIOM packages Hyperliquid-powered perpetuals inside a branded retail-facing interface, advertises leverage up to 50x, and imposes its own 0.01% fee per transaction. That is exactly how a foundational derivatives venue can become part of a wider broker-like distribution stack: front-end branding, fiat onboarding, wallet orchestration, and a simplified user journey for leveraged trading. Read our Axiom reports here. So the Hyperliquid issue is not only about Hyperliquid itself. It is also about the growing ecosystem of DeFi brokers and DeFi gateways building retail-facing businesses on top of Hyperliquid’s derivatives rail. Once that happens, the perimeter problem becomes larger, not smaller. FinTelegram’s View FinTelegram’s working conclusion is that ESMA has now provided compliance analysts with a much clearer lens: many crypto perpetuals are no longer best understood as exotic DeFi novelties. They increasingly look like leveraged retail derivatives that belong in the same investor-protection conversation that once transformed the treatment of CFDs and binary options in Europe. Hyperliquid is one of the clearest test cases for that shift. Summary Compliance Statement ESMA’s February 2026 statement materially strengthens the case that crypto perpetuals offered to EU retail clients should be analysed through the existing CFD perimeter, not merely through DeFi marketing language. Hyperliquid’s own documentation describes leveraged perpetual derivatives with no expiration, funding-rate mechanics, broad asset coverage, and leverage up to 40x, while FinTelegram’s earlier reporting documented EU access without KYC or effective gating. In our view, that combination creates a serious MiFID II / CFD investor-protection issue. And where front ends such as AXIOM package Hyperliquid perps into simplified retail journeys, the old broker logic reappears in a new technical wrapper. Call To Whistleblowers If you have information about Hyperliquid, AXIOM, their EU-facing access controls, target-market assessments, appropriateness workflows, product-governance discussions, PRIIPs/KID analysis, or the way perpetuals are distributed to retail users, contact FinTelegram confidentially via Whistle42. We are particularly interested in internal compliance memos, legal assessments, geo-blocking logic, wallet and routing evidence, and discussions around how crypto perpetuals are classified under MiFID II and the CFD framework.

FinTelegram is expanding its compliance coverage. Alongside offshore casinos and their payment processors, we will increasingly focus on DeFi brokers and DeFi investment schemes. The reason is straightforward: the old perimeter game has not disappeared. It has evolved. Where binary options and offshore CFD brokers once used shell structures, payment agents, and weakly supervised cross-border rails, a new generation of platforms now uses DeFi branding, wallet-based onboarding, on/off-ramp layers, perpetuals venues, and “interface-only” narratives to reach retail users. MiCA was designed to address parts of this new reality, but the market is already moving faster than regulation and investor protection once again. Key Findings FinTelegram sees a clear strategic continuity between the old binary options / CFD perimeter game and the emerging DeFi broker model. ESMA intervened against binary options and CFDs in 2018 because of serious investor detriment, including a prohibition on the marketing, distribution, or sale of binary options to retail investors and restrictions on CFDs. MiCA does not exempt a service merely because part of it is performed in a decentralized manner; Recital 22 says MiCA applies where services are provided or controlled directly or indirectly by identifiable persons, and only fully decentralized services without an intermediary fall outside scope. EBA and ESMA have already warned that DeFi labels are not legal conclusions and that DeFi-related models present significant AML/CFT and other risks. FinTelegram’s recent reporting on Hyperliquid-related perimeter questions and AXIOM’s funding architecture shows that DeFi brokers and DeFi investment schemes deserve dedicated, systematic scrutiny. FinTelegram’s future coverage will therefore place greater emphasis on DeFi brokers, DeFi investment schemes, and the supporting rails that move users from fiat into high-risk crypto trading environments. Why FinTelegram Is Expanding Its Coverage FinTelegram was born in the era of binary options and offshore brokers. Back then, the pattern was painfully familiar: aggressive retail acquisition, opaque operators, outsourced payment flows, weak disclosures, and a business model built around staying one step ahead of regulation. ESMA’s 2018 intervention against binary options and CFDs did not come out of nowhere. It reflected serious investor-protection concerns and concrete market harm. Binary options were prohibited for retail investors, while CFDs were placed under restrictions such as leverage caps, negative balance protection, and standardized risk warnings. Today, the wrapper has changed, but the perimeter game looks strikingly familiar. Instead of offshore brokers offering binary options and CFDs through card acquirers, shell PSPs, and introducing agents, we increasingly see DeFi-branded interfaces, perpetuals access layers, wallet-linked trading environments, tokenized “earn” products, and multi-step on/off-ramp architectures. The language is newer and more technical. The legal positioning is more sophisticated. But the retail risk can be the same or worse: leverage, opacity, cross-border reach, and weak accountability. The Shift From Binary Options To DeFi The old broker world sold the illusion of easy returns through highly speculative products packaged for retail users. The new DeFi segment often does something similar, but with more layers. A modern DeFi broker or DeFi investment scheme may present itself as “just an interface,” “non-custodial,” or “decentralized.” Yet the practical user journey often includes a branded front end, a wallet setup, a fiat on-ramp or aggregator, a routing layer, a trading or yield venue, and one or more licensed or semi-regulated service providers embedded in the flow. That architecture makes responsibility harder to pin down. It also creates a false sense of legitimacy. A regulated on-ramp inside the chain does not automatically mean the destination platform itself sits safely inside the regulatory perimeter. That is precisely why MiCA matters. Recital 22 makes clear that crypto-asset services can still fall within scope even when part of the activity is performed in a decentralized manner. What matters is whether the service is provided or controlled, directly or indirectly, by identifiable persons. Only services that are fully decentralized and operate without any intermediary fall outside scope. This is the key compliance lens for FinTelegram going forward. The question is not whether a platform calls itself DeFi. The question is who controls the client journey, the money flow, the wallet logic, the fee extraction, and the risk exposure. New Rails, More Complex Structures The rails are what make the current phase more dangerous. In the binary-options era, the core enabling structures were payment processors, acquiring banks, shell companies, and offshore entities. In the DeFi era, the supporting rails are often more complex and harder to understand for ordinary investors. They can include fiat-to-crypto on-rampers, aggregator layers, self-custodial or quasi-custodial wallets, bridge-like mechanics, perpetuals venues, staking wrappers, and “earn” products routed through multiple providers. This complexity is not a side issue. It is central to the business model. It allows operators to fragment responsibility and tell a story in which nobody appears to be fully accountable. The interface says execution happens elsewhere. The on-ramp says it only processes the fiat leg. The protocol says it is decentralized. The user, meanwhile, sees one seamless trading journey. That is why recent FinTelegram work on Hyperliquid and AXIOM matters. These reports were not isolated pieces. They were early case studies in a broader structural shift. They showed how broker-like access to leveraged crypto trading can be embedded inside branded interfaces and supported by sophisticated on/off-ramp architecture. Markets Are Again Moving Faster Than Regulation This is another familiar lesson from the binary-options years. By the time regulators imposed emergency restrictions in 2018, the binary-options and CFD sectors had already caused large-scale retail harm. ESMA’s own intervention record shows how serious the investor-detriment problem had become. The same dynamic risks reappearing in the DeFi segment. Markets innovate faster than legal interpretation, and retail distribution evolves faster than investor-protection mechanisms. Even now, EBA and ESMA are still analyzing DeFi and related crypto models, warning that the term “DeFi” itself should not be treated as a legal conclusion and noting significant ML/TF and broader conduct risks in the sector. MiCA is an important step, but it is not a magic shield. It provides a regulatory framework, central registers, and authorization architecture for crypto-asset service providers, but the market is already testing the edges of that framework through front ends, access layers, hybrid models, and outsourced execution stacks. Why Investor Protection Requires Earlier Scrutiny The binary-options disaster should not be repeated. That market left a trail of victims, enforcement actions, broken lives, and enormous losses for unsuspecting retail investors. The lesson was not only that the products were risky. The lesson was that opacity, weak perimeter enforcement, and delayed scrutiny allowed those products to spread far too long before decisive action was taken. FinTelegram’s role is not to wait until the damage is complete. It is to identify risk patterns earlier, map the enabling rails, and make the economic reality of these structures visible before the next retail-investor disaster scales out of control. That is why DeFi brokers and DeFi investment schemes will now receive more sustained attention alongside offshore casinos. The underlying compliance logic is the same: retail users are being onboarded, monetized, and exposed through weakly supervised or strategically fragmented structures. What FinTelegram Will Cover In the months ahead, FinTelegram will expand its compliance coverage across four related lanes: DeFi brokers: platforms and interfaces offering leverage, perpetuals access, synthetic exposure, or broker-like crypto trading functionality. DeFi investment schemes: yield, staking, vault, “earn,” and other products that function economically like speculative investment schemes. On/off-ramp and wallet rails: the funding and conversion architecture that moves users from fiat into high-risk crypto environments. Perimeter watch: MiCA boundary cases, interface-only defenses, non-custodial claims, and the role of licensed firms inside higher-risk ecosystems. This is not anti-crypto coverage. It is compliance and investor-protection coverage. The target is not innovation. The target is perimeter gaming, opacity, and the monetization of retail risk without clear accountability. Summary Compliance Statement FinTelegram believes that DeFi brokers and DeFi investment schemes represent the next major perimeter challenge in digital finance. The migration from binary options and offshore brokers to DeFi-branded trading and investment structures does not reduce compliance risk. In many cases, it increases it by adding technical complexity, outsourced execution layers, and fragmented accountability. MiCA has created an important framework, but supervisory and investor-protection questions remain open, especially where identifiable operators organize access to crypto-asset services through branded interfaces and supporting rails. FinTelegram will therefore intensify its scrutiny of this segment in the same spirit that once drove its coverage of binary options, offshore brokers, and their payment enablers. Call To Whistleblowers And DeFi Investors If you are a DeFi investor, trader, insider, developer, service provider, or former employee with relevant information, contact FinTelegram confidentially via Whistle42. We are particularly interested in: internal compliance assessments, wallet and routing logic, on/off-ramp integration structures, KYC/AML workflows, hidden operators and control persons, partner contracts, geo-targeting practices, leverage and liquidation mechanics, and investor complaints or internal risk discussions. Together, we can monitor and track this evolving DeFi segment in the interest of investor protection. Because the lesson from binary options was clear: when markets evolve faster than transparency, retail investors pay the price. Share Information via Whistle42