FinTelegram has received a whistleblower dossier concerning Mega.bet, Global Nexus Ltd, IMMIX Solutions Ltd, P.Z.T. Services Ltd, Potens Corporate Services Ltd, PAYTECH LTD, and Panagiotis Toulouras. Cyprus filings show that IMMIX Solutions Ltd was initially linked to SoleFocus Solutions N.V. in Curaçao before 100% of its shares were transferred to Global Nexus Ltd in Belize. The dossier also introduces PAYTECH LTD as a potential payment-technology node requiring further scrutiny. 2-Minutes Briefing FinTelegram has received a new whistleblower dossier concerning the offshore casino brand Mega.bet, illegally operating in Europe, and a network of entities allegedly supporting its corporate, licensing, fiduciary, and payment infrastructure. The entities and individuals named in the material include Global Nexus Ltd in Belize, IMMIX Solutions Ltd in Cyprus, SoleFocus Solutions N.V. in Curaçao, P.Z.T. Services Ltd, Potens Corporate Services Ltd, PAYTECH LTD, and Panagiotis / Panayiotis Toulouras. This is Part 1 of a multi-part investigation. It focuses on the corporate stack and Cyprus fiduciary/payment-tech environment behind the Mega.bet structure. A separate follow-up will address the alleged payment rails, including Sends.co/Taslink, Yapily, retail-style card descriptors, and reported reversals. The available documents reviewed by FinTelegram already support one key conclusion: Mega.bet does not appear to be a simple offshore casino brand operating from a single jurisdiction. The dossier points to a layered setup involving Curaçao, Cyprus, Belize, Anjouan, and Costa Rica-facing operator language. Key Findings Cyprus filings show that IMMIX Solutions Ltd, company number HE 462990, is a Cyprus company registered on 19 July 2024. The Cyprus registry data lists Global Nexus Ltd, Belize, as the shareholder of IMMIX Solutions Ltd, holding 1,000 ordinary shares. A Cyprus HE57 share-transfer filing shows that SoleFocus Solutions N.V. in Curaçao transferred 1,000 ordinary shares of IMMIX Solutions Ltd to Global Nexus Ltd on 23 October 2024. The same Cyprus documents list Potens Corporate Services Ltd as the correspondence address for filings and P.Z.T. Services Ltd as secretary of IMMIX Solutions Ltd. A March 2026 HE4 filing shows that Georgia Nikoletti was appointed director of IMMIX Solutions Ltd on 9 March 2026. Her occupation is listed as ΥΠΑΛΛΗΛΟΣ, meaning employee or clerk. The same filing shows that Despoina Mavroudi resigned as director on 9 March 2026. The whistleblower identifies PAYTECH LTD as a potential technical infrastructure node. PAYTECH markets white-label payment gateway, payment orchestration, PSP integration, smart routing, cascading, cards, open banking, crypto, e-wallets, and gambling/betting-capable payment infrastructure. FinTelegram has not yet independently verified that PAYTECH processed Mega.bet transactions. However, the overlap between the Cyprus fiduciary environment, payment-tech offering, and offshore casino structure makes PAYTECH a key lead for further scrutiny. The Corporate Stack: Curaçao To Cyprus To Belize The Cyprus filings reviewed by FinTelegram show a clear corporate sequence. IMMIX Solutions Ltd was incorporated in Cyprus in July 2024. Its registry profile lists it as an active private limited company with registration number HE 462990 and registered office at Archiepiskopou Makariou III, 84, Office 1, 6017 Larnaka, Cyprus. A subsequent HE57 share-transfer filing shows that the shares of IMMIX Solutions Ltd were originally held by SoleFocus Solutions N.V., a Curaçao entity listed at Zulkertuintjeweg Z/N, Curaçao. On 23 October 2024, SoleFocus Solutions N.V. transferred 1,000 ordinary shares to Global Nexus Ltd, listed at Barrack Road 9, Belize City, Belize. This is not a random corporate footnote. It is the core of the structure. The documents describe a pipeline: Curaçao origin, Cyprus vehicle, Belize shareholder. According to the whistleblower, Global Nexus Ltd is the offshore casino parent and Anjouan license holder used for the Mega.bet brand. FinTelegram is separately seeking confirmation from the relevant parties and licensing bodies. IMMIX Solutions Ltd: The Cyprus Processing Vehicle The role of IMMIX Solutions Ltd is central to the dossier. The Cyprus registry data shows IMMIX as a Cyprus company owned by the digital marketing provider Global Nexus Ltd in Belize (website). Its secretary is listed as P.Z.T. Services Ltd, while Potens Corporate Services appears in the filing documentation as correspondence/contact layer. The whistleblower alleges that IMMIX acted as a European-facing processing or settlement vehicle for the Mega.bet network. That allegation requires further transaction-level verification. However, the corporate documents already show that IMMIX is the Cyprus link between the offshore shareholder in Belize and the Cyprus fiduciary layer. For regulators, banks, card issuers, and open-banking providers, this matters. A Cyprus company with EU-facing banking or payment relationships may provide a much more acceptable appearance than a direct offshore casino operator in Belize or an Anjouan-licensed gambling entity. The Fiduciary Layer: P.Z.T., Potens And Director Rotation The Cyprus filings raise serious governance questions. IMMIX’s secretary is listed as P.Z.T. Services Ltd, while Potens Corporate Services Ltd appears in the filings as the correspondence address. The documentation therefore places IMMIX within a Cyprus corporate-service environment connected to Larnaka-based fiduciary and legal-service infrastructure. The director history is particularly notable. The HE4 filing reviewed by FinTelegram shows that Georgia Nikoletti was appointed director of IMMIX Solutions Ltd on 9 March 2026. Her official occupation is listed in Greek as ΥΠΑΛΛΗΛΟΣ, meaning employee or office clerk. The same filing shows that Despoina Mavroudi resigned as director on the same date, 9 March 2026. FinTelegram does not claim that this director rotation is unlawful. However, the timing and nature of the replacement raise obvious accountability questions. A Cyprus lawyer resigns, and a person listed as an employee or clerk becomes the director of a company owned by a Belize entity and allegedly linked to offshore casino operations. That is a legitimate subject for regulatory and journalistic scrutiny. The PAYTECH Lead A new whistleblower submission introduces PAYTECH LTD as a potential technical infrastructure node in the Mega.bet / Global Nexus / IMMIX setup. PAYTECH markets itself as a provider of white-label payment gateway, payment orchestration, and financial management technologies. Its website describes capabilities including payment widgets, cards, e-wallets, crypto, open banking, local payment methods, PSP integrations, smart routing, cascading, fraud monitoring, PCI-DSS-related security features, merchant management, reconciliation, reporting, and analytics. Particularly relevant is PAYTECH’s own positioning for online merchants, payment service providers, betting, and gambling use cases. Its materials describe hundreds of integrations and the ability to connect multiple PSPs and payment technologies through a unified infrastructure. FinTelegram has not yet independently verified that PAYTECH processed Mega.bet transactions or powered the Mega.bet cashier. However, the whistleblower’s PAYTECH lead is highly relevant because the alleged Mega.bet structure requires exactly the type of payment orchestration, provider switching, routing, and checkout integration that PAYTECH markets. PAYTECH therefore emerges as a key entity for further questions: Did PAYTECH provide technology, gateway, cashier, API, PSP-integration, routing, onboarding, monitoring, or payment-orchestration services to Mega.bet, Global Nexus Ltd, IMMIX Solutions Ltd, or related merchants? Read our Rail Atlas Cases reports here. Licensing Optics: Anjouan, Belize And Costa Rica The whistleblower claims that Mega.bet presents different corporate and licensing narratives depending on access route and user geography. According to the dossier, ordinary users may see Costa Rica-facing operator language, while other access routes expose an Anjouan / Global Nexus / IMMIX-related structure. FinTelegram’s review corroborates the whistleblower’s core claim. The Mega.bet setup fits a broader pattern now common across illegal offshore casino operations: geo-targeted, multi-layer architectures built around rotating domains, interchangeable legal entities, offshore licensing wrappers, and fragmented payment rails. The purpose is obvious — to obscure the real gambling beneficiary, dilute the payment purpose, and present different regulatory realities to players, banks, payment processors, and enforcement authorities. With AI-driven profiling and real-time routing, these structures will likely become even more individualized, tailoring legal disclosures, cashier pages, payment methods, and risk controls to each player’s location, device, behaviour, and payment instrument. FinTelegram is seeking further technical captures, HTML evidence, and screenshots to document this alleged dynamic presentation. If confirmed, this would be a significant regulatory red flag. Dynamic corporate presentation can make it harder for players, banks, payment processors, issuers, and regulators to identify the actual merchant, operator, licensing basis, and legal counterparty behind gambling transactions. The Payment-Rail Allegations Will Be Addressed Separately The whistleblower also alleges split payment rails involving Yapily Connect UAB for open-banking deposits and Sends.co/Taslink for card payments. The material further alleges retail-style or digital-goods card descriptors, including names such as Shtsy, xchlab, sk1nzone.com, QUANAICAE, and DENOVE. FinTelegram has previously observed Sends.co/Taslink-linked structures in other offshore casino payment-rail contexts. However, for the Mega.bet case, FinTelegram is still reviewing transaction-level evidence, including card statements, checkout screenshots, descriptors, PSP metadata, refund records, and open-banking traces. Read our Taslink reports here. This payment-rail layer will be the subject of Part 2 of this investigation. Compliance Questions This case raises several immediate compliance questions: Who is the actual merchant of record for Mega.bet player deposits? What is the relationship between Mega.bet, Global Nexus Ltd, and IMMIX Solutions Ltd? Why was IMMIX Solutions Ltd initially linked to SoleFocus Solutions N.V. in Curaçao before its shares were transferred to Global Nexus Ltd in Belize? What role do P.Z.T. Services Ltd and Potens Corporate Services Ltd play in the IMMIX structure? Why did Despoina Mavroudi resign as director on 9 March 2026, and why was Georgia Nikoletti appointed on the same date? Does PAYTECH LTD provide any technology, gateway, cashier, orchestration, routing, API, PSP-integration, or payment-management services to Mega.bet, IMMIX Solutions Ltd, Global Nexus Ltd, or related entities? Did Sends.co/Taslink process card payments for Mega.bet or associated merchant descriptors? Did Yapily or any connected open-banking provider process deposits or reversals linked to IMMIX or Mega.bet? Which entity is responsible for AML, KYC, gambling compliance, chargebacks, refunds, and player complaints? Structural Overview Für den Artikel selbst würde ich zusätzlich diese kurze Box verwenden: LayerEntities / BrandsFunctionCasino FrontMega.bet, mega.betPlayer-facing offshore casino brandOffshore Parent / License LayerGlobal Nexus Ltd, Anjouan/Comoros license opticsAlleged casino parent and licensing wrapperCyprus Processing VehicleIMMIX Solutions Ltd, immix.proCyprus company allegedly used as EU-facing processing/settlement layerCuraçao Setup LayerSoleFocus Solutions N.V., Agnese MuiznieceInitial shareholder / founding setup before transfer to BelizeFiduciary LayerP.Z.T. Services Ltd, Potens Corporate Services Ltd, Panayiotis Toulouras, toulouraslaw.comCyprus secretarial, legal and corporate-services environmentDirector LayerDespoina Mavroudi, Georgia NikolettiDirector change in March 2026; governance/accountability questionPayment-Tech LeadPAYTECH LTD, pay.techPotential gateway/orchestration infrastructure lead; direct Mega.bet role still under reviewAlleged Payment RailsYapily, Sends.co, TaslinkOpen-banking and card-processing allegations for Part 2Alleged Card DescriptorsShtsy, xchlab, sk1nzone.com, QUANAICAE, DENOVEAlleged retail/digital-goods masking descriptors requiring transaction-level proof Preliminary Assessment The available material supports a preliminary but serious investigative finding: Mega.bet appears to sit on a layered offshore casino infrastructure involving a Curaçao-originated corporate setup, a Cyprus vehicle, a Belize shareholder, Anjouan licensing optics, and alleged EU-facing payment rails. The strongest evidence currently relates to the corporate structure of IMMIX Solutions Ltd and its transfer from SoleFocus Solutions N.V. to Global Nexus Ltd. The director rotation and Cyprus fiduciary layer raise additional accountability questions. The PAYTECH lead is highly relevant but still requires transaction-level confirmation before stronger conclusions can be drawn. FinTelegram will continue to review the evidence and invites insiders, payment professionals, affected players, former employees, compliance officers, and service providers to submit further information. Whistle42 Call For Information If you have information about Mega.bet, Global Nexus Ltd, IMMIX Solutions Ltd, PAYTECH LTD, P.Z.T. Services Ltd, Potens Corporate Services Ltd, Sends.co/Taslink, Yapily, or related casino payment rails, please contact FinTelegram via Whistle42. We are particularly interested in: Payment screenshots and card statements; Merchant descriptors; Open-banking screenshots; Refund or reversal notices; PSP dashboards or transaction logs; Mega.bet cashier screenshots; Anjouan license documents; Communications with support, payment processors, or legal representatives; Internal emails, API logs, or routing configurations. FinTelegram protects whistleblowers and treats all submissions confidentially. Share Information via Whistle42

FinTelegram has received a new player complaint pointing to a suspected Open-Banking casino funding rail involving Yapily Connect UAB, Pellopay Finance LTD, UAB Travel Union, Paysolo/Contiant, and the offshore casino brand Immerion. The case shows a familiar pattern: regulated payment infrastructure appears to have been used to fund offshore casino accounts while the visible SEPA payee was not the casino, but a payment intermediary. The complainant, whose identity is known to FinTelegram but withheld for privacy reasons, compiled a comprehensive dossier documenting his open banking deposits in February 2026. According to the submitted dossier, the payment flow was initiated via Yapily Connect UAB and routed through a Paysolo/Contiant interface, while the visible receiving party was Pellopay Finance LTD, holding an account at UAB Travel Union in Lithuania. The dossier is supported by screenshots over the deposit processes. The casino allegedly funded through this structure: Immerion Casino. The Alleged Rail The submitted evidence suggests the following payment chain: And I would update the rail table accordingly: LayerEntity / EvidenceFunction in the alleged railPlayer BankRevolut EUSource account used by the playerCasino LayerImmerion CasinoCasino account allegedly credited with depositsCheckout / Orchestration LayerPaysolo / king.paysolo.netVisible payment page routing the player into bank authenticationGateway / Hosted Page LayerContiant / th.contiant.comAdditional payment-page / routing infrastructure visible in screenshotsOpen-Banking LayerYapily Connect UAB / https://www.yapily.com/PISP / payment-initiation infrastructureVisible SEPA PayeePellopay Finance LTD / https://pellopay.comNamed recipient of the transfersAccount InfrastructureUAB Travel Union / https://mytu.coBank/account infrastructure for PellopayResultImmerion Casino DepositCasino deposit allegedly credited after the payment flow This is the red flag: the player says he funded a casino account, but the visible SEPA beneficiary was Pellopay Finance LTD — not Immerion Casino. The Payment Evidence: Casino Deposit, Paysolo Checkout, Yapily Initiation, Pellopay Payee The submitted evidence does not merely show a player claiming to have lost funds at an offshore casino. It shows a sequence of payment screenshots that appear to connect the casino deposit process with an Open-Banking payment rail. The evidence package includes: Evidence LayerWhat The Documents ShowRelevanceCasino layerScreenshots from immerion4.com showing casino deposits in different amounts Indicates that the player’s casino account was credited with matching deposit amounts.Checkout layerA Paysolo-branded checkout page at openbanking.paysolo.net, showing a payment order, Revolut EU as selected bank, and an instruction to authenticate the paymentPlaces Paysolo as the visible cashier / payment-orchestration layer between the casino and the Open-Banking flow.PISP layerPayment confirmation screens naming Yapily Connect UAB as the Open-Banking payment initiation providerShows that the payment was initiated through regulated Open-Banking infrastructure.Visible SEPA payeeRevolut receipts showing Pellopay Finance LTD as recipient of the paymentsShows that the visible beneficiary was not the casino, but Pellopay.Bank/account infrastructureRevolut receipts naming UAB Travel Union as bank/account infrastructure, with BIC UATULT22XXX and an IBAN beginning LT68 3480…Identifies the Lithuanian account layer used for the Pellopay recipient account.Technical logsGDPR/Open-Banking records containing payment references, consent IDs and idempotency IDsProvides API-level metadata linking the payment-initiation flow to the same transactions. The submitted screenshots place Paysolo at the open-banking checkout layer. This is consistent with FinTelegram’s earlier Rail Atlas findings around openbanking.paysolo.net, where Paysolo appears as a user-facing open-banking gateway between casino-facing cashier layers and regulated Open-Banking infrastructure. The Paysolo-branded payment interface with the selected bank Revolut EU asks the player to press Authenticate to continue with the bank website. The Paysolo page points into a Pellopay/Yapily payment-initiation flow in the Revolut rail, with Pellopay Finance LTD appearing as the visible SEPA payee. The Revolut screenshots then show completed transfers to Pellopay Finance LTD, including amounts of €100, €130, €200 and €400, while the casino screenshots from immerion4.com show corresponding deposit credits in the same amount range. This creates the core forensic red flag: The player appears to have funded a casino account, but the Open-Banking payment journey exposed Paysolo as the checkout layer and Pellopay Finance LTD as the visible SEPA payee — not Immerion Casino. The Paysolo Problem. The screenshots place Paysolo at the visible Open-Banking checkout layer. This is significant because paysolo.net does not present the transparency one would expect from a payment layer embedded in regulated Open-Banking flows. FinTelegram has previously identified openbanking.paysolo.net in casino-facing payment corridors involving Pagagate, Urbenics and Revolut. In the present complaint, Paysolo again appears as the bridge between the casino cashier and the Yapily/Pellopay payment-initiation flow. That raises the core question: who operates the Paysolo gateway, who contracted with it, and what merchant information was passed downstream to Yapily, Pellopay and the player’s bank? FinTelegram has not yet established whether Paysolo contracted directly with Immerion, Pellopay, Yapily, Contiant, or another intermediary. But the screenshots make Paysolo a critical node in the payment chain. Any serious inquiry must therefore include Paysolo, not just Yapily, Pellopay and UAB Travel Union. Yapily’s Response: “We Are Only PIS/AIS Infrastructure” The complainant provided a response from Yapily’s compliance team. Yapily stated that it had acted in line with its regulatory role as a PIS/AIS provider. It said it does not open or control bank accounts, does not hold or control customer funds, does not intervene in payment transactions, and cannot return payments because it is neither the sending nor the receiving bank. That may be technically correct. But it is not the end of the compliance question. If Open-Banking payment initiation infrastructure is repeatedly used to route funds into offshore casino accounts through payment intermediaries, the relevant questions are obvious: Who was Yapily’s direct client in this flow? What due diligence was conducted on the use case? Did Yapily know that the payment flow was funding an offshore casino account? Were gambling-risk filters applied? Why did the visible payee not clearly identify the casino end-use? FinTelegram is not accusing Yapily of holding player funds. The question is different: Was Yapily’s regulated Open-Banking infrastructure used as a casino funding rail? Pellopay: The Visible Payee Pellopay Finance LTD, a FINTRAC-registered Canadian money service provider, is a critical node in this complaint. According to the submitted evidence, Pellopay appears as the direct recipient of the SEPA transfers, while the player alleges that the funds were credited to his Immerion Casino account. A Paysolo-branded checkout page was prompted to the player to authenticate a Revolut payment. The page referred to Pellopay Finance LTD and Yapily Connect, suggesting that Paysolo acted as a front-end checkout or routing layer between the casino cashier and the regulated Open-Banking payment initiation flow. FinTelegram has not yet established whether Paysolo contracted directly with the casino, Pellopay, Yapily, or another intermediary. The complainant also provided a Pellopay response stating that the matter was outside Pellopay’s scope of responsibility, that the payment had been processed and received by the merchant, and that refunds must be initiated directly by the merchant. The Gmail Support Red Flag. Pellopay appears as the visible SEPA payee in the player’s Revolut receipts. Yet the support communication provided to FinTelegram appears to involve a Gmail address rather than a corporate Pellopay domain. That is highly unusual for a payment intermediary sitting inside a regulated Open-Banking rail. Who exactly was communicating with the player — Pellopay itself, an outsourced support desk, a merchant operator, a cashier provider, or another intermediary? That answer raises the central question: If Pellopay was the visible payee, who was the merchant behind Pellopay’s collection flow? “Contact the merchant” is not enough. In opaque casino payment rails, the payment intermediary is often the only entity visible to the player and the bank. Pellopay should explain whether it acted for Immerion, an affiliate, a payment gateway, a cashier provider, or another merchant-of-record. UAB Travel Union: Infrastructure Layer The Revolut payment screenshots identify UAB Travel Union as the bank/account infrastructure connected to the Pellopay recipient account. FinTelegram does not allege that UAB Travel Union knowingly processed illegal casino payments. But where a regulated Lithuanian institution appears as the account infrastructure for a payment intermediary allegedly collecting funds for an offshore casino, the compliance question is unavoidable: What did UAB Travel Union know about Pellopay’s underlying merchants and payment purposes? The complainant alleges that UAB Travel Union initially indicated it would investigate but later stopped responding. FinTelegram will ask UAB Travel Union to comment. Parallel Lead: Techoptions / Hellspin TechOptions is the smoking parallel lead. The evidence package does not only point to Pellopay and Immerion. It also shows a separate Yapily-powered payment screen naming Techoptions (CY) Group Ltd as merchant, followed by Revolut evidence via ISX Financial. TechOptions’ website says the group is “home to” Hellspin and Ivibet, describes itself as an online casino management company, and lists Techoptions (CY) Group Ltd, Nicosia, as billing agent. That makes the TechOptions leg highly relevant: it places the Yapily/Open-Banking flow directly next to a declared iGaming operator, not some generic e-commerce merchant. This matters because it suggests the issue may not be limited to Pellopay and Immerion. It may point to a broader pattern: Open-Banking rails being used by or around offshore iGaming operators to move player deposits through regulated payment infrastructure. KYC Pressure And Possible Data-Sharing Red Flag The complainant also submitted screenshots of KYC demands from Immerion and Ybets. Both request copies of ID documents and a selfie with the ID document. The complainant alleges that these requests appeared after he raised disputes and that he had not interacted with Ybets. FinTelegram treats this as a data-sharing red flag, not yet as proof of a GDPR breach. Possible explanations include common casino ownership, shared affiliate infrastructure, shared KYC providers, shared CRM systems, or unauthorized data circulation. The point requires further investigation. But the timing and similarity of the KYC requests are noteworthy. FinTelegram Assessment This case is not a classic insider leak. It is a player-side payment complaint. But it is backed by more than screenshots of a casino loss. The file contains: Open-Banking payment confirmation screens; Revolut payment receipts; Pellopay recipient details; UAB Travel Union account infrastructure references; Yapily compliance correspondence; Pellopay correspondence; Casino deposit screenshots; GDPR/Open-Banking transaction references; a parallel Techoptions / Hellspin-related lead. The emerging pattern is clear: Regulated Open-Banking infrastructure appears to have been used to fund offshore casino accounts while the visible SEPA payee was not the casino but a payment intermediary. That is a regulatory issue. It is not merely a private player-refund dispute. Questions For Yapily, Pellopay, UAB Travel Union And Immerion FinTelegram will ask the involved parties to answer the following questions: Did Yapily Connect UAB initiate payment flows that ultimately funded Immerion Casino accounts? Who was Yapily’s direct client in the Pellopay / Immerion flow? Did Yapily know that the payment purpose was online gambling or casino funding? Why was Pellopay Finance LTD the visible SEPA payee instead of the casino operator? Who was the legal merchant-of-record behind the Pellopay collection flow? What due diligence did Pellopay perform on the underlying merchant or casino cashier provider? What role did UAB Travel Union play in providing account infrastructure to Pellopay? Did UAB Travel Union classify or monitor these flows as gambling-related? Were any suspicious activity reports or internal AML escalations filed? Are Immerion and Ybets connected through ownership, affiliate infrastructure, KYC providers, CRM systems, or payment providers? Call For Information FinTelegram is seeking information from: players who deposited into Immerion Casino via Open Banking, Revolut, Yapily, Paysolo, Contiant, Pellopay or UAB Travel Union; players who saw Pellopay Finance LTD as payee after funding casino accounts; insiders at Yapily, Pellopay, UAB Travel Union, Paysolo, Contiant, ISX Financial, Techoptions, Immerion or related casino cashier providers; compliance officers with knowledge of Open-Banking casino funding flows. Information can be submitted confidentially via the FinTelegram whistleblower platform. Open Banking was designed to make payments faster and safer. It was not designed to become a shadow cashier layer for offshore casinos. Share Information via Whistle42

FinTelegram’s latest casino payment-rail reviews indicate a coordinated migration from the Polish crypto on-ramp ChainValley to the Georgian payment gateway Nylo. The pattern looks disturbingly familiar: the same offshore casinos, the same fake-FIAT crypto-buy flow, the same Skrill/Neteller/Rapid Transfer/Paysafecard wrappers — and the same opacity around the true gambling beneficiary. 2-Minutes Briefing Over the last days, FinTelegram reviewed the payment rails of several offshore casinos, including SpinBoss, DudeSpin, Betify, Malina Casino, Betalice, and Oro.gg. The reviews produced a striking pattern: where FinTelegram previously observed the Polish crypto on-ramp ChainValley, the reviewed casino cashiers now increasingly route players through Nylo, a Georgian payment gateway operating through app.nylo.pro. The reviewed screenshots show a familiar two-step structure: the player believes they are making a normal casino deposit via Skrill, Neteller, Rapid Transfer, Paysafecard or similar payment methods. In reality, the checkout screen frames the transaction as an “Exchange order” and asks the player to agree to buy crypto and send it to a specified address. That wording is not incidental. It is the core legal and compliance wrapper of the rail. Nylo’s public website presents the company as a payment gateway supporting cards, bank transfers, local payments, deposits, payouts and settlements. It discloses Nylo LLC, identification number 412790154, registered on 18 February 2025 in Kutaisi, Georgia. FinTelegram’s working hypothesis is clear: utPay, ChainValley and Nylo may represent successive operating layers of the same or closely connected casino-payment network. We have not yet found a public corporate filing proving common ownership between Nylo and the UTORG/ChainValley network. But the operational evidence is too strong to ignore. Key Findings 1. Same casino ecosystem, new on-ramp label FinTelegram’s current screenshots show Nylo appearing in payment flows connected to offshore casino brands previously reviewed with ChainValley-style rails. The observed Nylo screens include: Casino / Review ContextObserved RailPlayer-Facing MethodUnderlying StructureBetifyNyloSkrill / Neteller-style wallet flow“Exchange order” / buy crypto and send onwardMalina CasinoNyloNeteller-style flowCrypto-purchase wrapperBetaliceNyloNeteller-style flowCrypto-purchase wrapperOro.ggNyloNeteller-style flowCrypto-purchase wrapperDudeSpinNyloSkrill / Paysafecard / Rapid Transfer / Neteller variantsCrypto-purchase wrapperDudeSpinMiFinityMiFinity cashier overlaySeparate wallet rail with opaque recipient label “CME” in screenshotDudeSpinPerspecteev / RevolutOpen-banking authorizationRevolut authorization shown for PERSPECTEEV SAS FinTelegram recognized Nylo order pages at app.nylo.pro, with order IDs, EUR amounts, payment-brand logos, and the consent statement: “I agree to buy crypto and send it to the specified address.” That is not a normal casino deposit flow. It is a casino funding rail disguised as a crypto purchase. 2. The utPay → ChainValley → Nylo sequence is not random FinTelegram previously documented utPay’s role in offshore casino payment rails. UAB Utrg, operating as utPay, later announced that it had suspended all crypto-asset services from 1 January 2026 pending MiCA authorization. Its terms state that crypto-related services have been suspended and will not be provided unless and until UAB Utrg obtains the necessary MiCA authorisations. UTORG’s own licensing page identifies UAB “Utrg” at the Vilnius address and discloses UTORG LABS HOLDING LTD in Abu Dhabi as owner of the website. The same page also contains a “Buy Crypto” link pointing to app.chainvalley.pro, creating a visible operational bridge from the UTORG web stack to ChainValley. Chain Valley Sp. z o.o. is a Polish company with KRS 0001036419, NIP 7252331409, based in Warsaw, registered on 16 May 2023. Polish corporate data shows Ilie Cernisev as representative and shareholder, with Cernisev holding 100% of the shares in the most recent ownership period shown. The UTORG link is reinforced by an earlier Massachusetts regulatory opinion addressed to Ilie Cernisev, CEO of Utorg OÜ, confirming his role in the Utorg ecosystem. The ChainValley link to the UTORG ecosystem is therefore much stronger than merely circumstantial. The Nylo link is not yet proven at corporate level — but the rail behavior now looks like a third migration step. Entity & Rail Intelligence Table Entity / BrandJurisdictionPublic Corporate / Regulatory DataObserved / Reported RoleUTORG LABS HOLDING LTDhttps://utorg.comAbu Dhabi, UAEDisclosed by UTORG as owner of the UTORG website; registration no. 000008060, Abu Dhabi address.Holding / brand layer for UTORG web stackUAB Utrg / utPayhttps://utpay.ioLithuaniaLegal name UAB Utrg; Vilnius address; utPay terms say crypto services suspended pending MiCA authorization.Earlier casino crypto-payment railUtorg OÜhttps://utpay.ioEstoniaIlie Cernisev was addressed by Massachusetts regulator as CEO of Utorg OÜ.Historic / related UTORG operating layerChain Valley Sp. z o.o. / ChainValleyhttps://chainvalley.proPolandKRS 0001036419; Warsaw; website chainvalley.pro; Cernisev shown as shareholder/representative.Successor rail after utPay in casino crypto-purchase flowsNylo LLC / Nylohttps://nylo.proGeorgiaIdentification no. 412790154; registered 18 Feb 2025; Kutaisi, Georgia; markets itself as payment gateway.Newly observed casino crypto-purchase rail via app.nylo.pro Core Finding 1: The Nylo Flow Is a Fake-FIAT Crypto Rail The reviewed Nylo payment processes are not ambiguous. They show: Player → Casino Cashier → Skrill/Neteller/Rapid Transfer/Paysafecard selection → Nylo exchange order → crypto purchase consent → onward transfer to specified address → casino balance credit The player-facing reality is “deposit €20 or €50 into a casino.”The legal/technical reality appears to be “buy crypto and send it elsewhere.” This is the same architecture FinTelegram previously flagged with utPay and ChainValley: a fake-FIAT rail where fiat-branded payment methods are used as funding instruments for an automated crypto conversion and transfer to an undisclosed destination wallet. That structure raises obvious compliance questions: Risk AreaConcernConsumer disclosureDoes the player understand they are not making a casino deposit but purchasing crypto?Chargeback / refund rightsA crypto purchase may weaken the player’s refund expectations compared with a card/wallet casino depositMerchant-of-record transparencyThe visible payee is the on-ramp, not the casino operatorAML/CFT monitoringThe true gambling beneficiary may be obscured behind a crypto-transfer wrapperGambling complianceLicensed payment providers may not see the transaction as gambling fundingMiCA / VASP perimeterThe rail may move the transaction from PSD2-style payment processing into crypto-asset service territory Core Finding 2: Nylo Is a Fresh Georgian Entity With a Broad Payment-Gateway Pitch Nylo’s website does not present it as a small experimental tool. It presents a mature “payment gateway” promising easy integration, fraud prevention, 24/7 support, cards, bank transfers, local payments, deposits, payouts, settlements and multi-currency processing through “own infrastructure and trusted partners.” This matters because the reviewed casino flows do not show Nylo as a simple technology widget. They show Nylo as the conversion node in a player-facing transaction. Georgia’s National Bank defines VASP activities to include exchange between convertible virtual assets and fiat currencies, transfer of convertible virtual assets, safekeeping/administration, trading-platform administration, lending and ICO-related services. The National Bank of Georgia has also warned that only registered VASPs or authorized financial-sector entities may provide virtual-asset services, and urged citizens to verify the activity status of providers. FinTelegram should therefore ask Nylo directly: Is Nylo LLC registered with the National Bank of Georgia as a Virtual Asset Service Provider? If yes, where is the registration certificate displayed for users, including on app.nylo.pro? This question is particularly important because the reviewed Nylo checkout is not a passive payment page. It appears to execute or intermediate a crypto-purchase-and-transfer transaction. Core Finding 3: The Domain Pattern Looks Like a Rail Migration Signature The domain pattern is almost too clean: BrandMain DomainCheckout / App DomainObserved RoleutPayutpay.ioapp.utpay.ioEarlier casino crypto railChainValleychainvalley.proapp.chainvalley.proSuccessor casino crypto railNylonylo.proapp.nylo.proNewly observed casino crypto rail By itself, an app. subdomain proves nothing. Many payment providers use this pattern. But in this context, the pattern becomes relevant because it appears in the same casino vertical, with the same fake-FIAT checkout logic, the same wallet/voucher funding methods, and a clean temporal handoff from one brand to the next. FinTelegram’s conclusion: this is not merely a domain similarity. It is a behavioral and operational similarity. Core Finding 4: ChainValley Already Had a Visible UTORG Link The ChainValley chapter was not speculative. UTORG’s own website displayed a “Buy Crypto” product link to app.chainvalley.pro, while disclosing UAB Utrg as the legal name and UTORG LABS HOLDING LTD as the website owner. In parallel, Polish corporate data identifies Chain Valley Sp. z o.o. and shows Ilie Cernisev as its representative and 100% shareholder in the latest ownership period. The Massachusetts Division of Banks addressed Cernisev as CEO of Utorg OÜ in a 2022 opinion concerning virtual-currency purchase and sale activity. That combination gave FinTelegram a credible basis to describe ChainValley as part of, or at minimum closely connected to, the UTORG operational universe. The open question now is whether Nylo is the next shell, partner, successor, or white-label instance of the same payment network. FinTelegram Hypothesis FinTelegram’s working hypothesis is: The offshore casino ecosystem that previously used UAB Utrg/utPay and then ChainValley may now have migrated to Nylo LLC in Georgia. The migration appears to preserve the same payment logic: familiar fiat-branded methods are used to trigger crypto purchase orders, with the purchased crypto sent to undisclosed wallet addresses linked to casino funding. The shift may be designed to preserve high-risk casino payment capacity after regulatory pressure and negative media exposure affected earlier rails. This is a hypothesis, not yet a final ownership finding. But it is supported by: The same casino vertical and overlapping brands. The same fake-FIAT crypto-purchase architecture. The same user consent wording: buy crypto and send to a specified address. The same wallet/voucher rails: Skrill, Neteller, Rapid Transfer, Paysafecard. The same app.[brand].pro checkout architecture. The timing: utPay suspension, ChainValley exposure, then Nylo emergence. The lack of transparent disclosure of the ultimate casino beneficiary or destination wallet. Compliance Questions For Nylo, ChainValley, UTORG, and Casino Operators FinTelegram invites the involved parties to answer the following questions: Is Nylo LLC registered as a VASP with the National Bank of Georgia? Does Nylo process deposits for offshore casinos, directly or indirectly? Does Nylo share management, ownership, technology, code, processing partners, wallet infrastructure, merchant contracts, employees or beneficial owners with ChainValley, UAB Utrg, Utorg OÜ or UTORG LABS HOLDING LTD? Why do Nylo’s casino flows mirror the earlier ChainValley and utPay flows? Who controls the destination crypto addresses in the Nylo exchange orders? Are players told, before payment, that they are purchasing crypto rather than making a direct casino deposit? Do Skrill, Neteller, Rapid Transfer and Paysafecard approve the use of their payment methods for these offshore casino crypto-purchase flows? Which casino operator, payment agent or merchant-of-record receives the economic benefit of the player’s funds? FinTelegram Assessment This is a classic regulatory whack-a-mole pattern. First came utPay.Then came ChainValley.Now comes Nylo. Each layer appears to preserve the essential function: allow offshore casinos to accept European players’ money through familiar payment brands while reframing the transaction as a crypto purchase. The true casino beneficiary disappears behind a conversion layer. The player sees Skrill, Neteller, Rapid Transfer or Paysafecard. The processor sees an exchange order. The bank or wallet provider may see a crypto on-ramp. The casino receives funded player balance. That is the magic trick. And this is precisely why FinTelegram believes regulators, payment providers, wallet operators and open-banking firms should examine the Nylo flows immediately. Whistleblower Call To Action FinTelegram is seeking further information about Nylo, ChainValley, utPay, UTORG, and the casino payment rails used by SpinBoss, DudeSpin, Betify, Malina Casino, Betalice, Oro.gg, and related brands. We are particularly interested in: merchant contracts; wallet destination addresses; internal settlement records; Slack/Telegram communications; screenshots of casino cashier flows; payment-provider onboarding documents; KYC files; links between Nylo, ChainValley, UAB Utrg, Utorg OÜ and UTORG LABS HOLDING LTD. Insiders, players and compliance officers can submit information confidentially via Whistle42. Share Information via Whistle42

FinTelegram has already unmasked Zentoria Limited – a freshly minted Irish “bookmaker” fronted by Mykhaylo Pavlenko and an Alina Vavilova who appears to match the Cyprus‑based Head of Affiliate Program at Russian‑rooted fintech group Quadcode – as the hidden EU paymaster funnelling players’ money into blacklisted NovaForge casinos through the innocent‑sounding “Spinsopotamia.com Dublin” descriptor. If regulators confirm that the Alina named on Ireland’s Remote Bookmaker register is indeed the same person who publicly represents Quadcode – a group that builds and runs global brokerage infrastructure from its Cypriot base – Zentoria’s Irish licence suddenly looks less like a provincial betting permit and more like a personal bridgehead into a much larger Russian‑Cypriot high‑risk fintech universe. Who is who Name / EntityTypeRole in the storyWhy it mattersMykhaylo PavlenkoIndividualKey person behind Zentoria Limited and named in connection with the Irish Remote Bookmaker licence for SPINSOPOTAMIA.COM. He appears to be one of the formal operators giving Zentoria its licensed Irish face. Alina VavilovaIndividualKey person behind Zentoria Limited; an Alina Vavilova also appears publicly on LinkedIn as a Cyprus‑based Quadcode affiliate executive. She is the most intriguing personnel link because she may connect the Irish bookmaker structure to Cyprus’s high‑risk fintech ecosystem, although that identity match is not yet conclusively proven in public records. Zentoria LimitedCompanyIrish‑registered and Irish‑licensed remote bookmaker tied to SPINSOPOTAMIA.COM; appears as payee in offshore casino deposit flows. It is the central licensed entity allegedly used to route payments for illegal offshore casino schemes. SPINSOPOTAMIA.COMBrand / trading nameTrading name on Zentoria’s Irish licence and the billing descriptor seen on card statements as “Spinsopotamia.com Dublin.” It functions as the “clean” front label masking deposits into blacklisted offshore casino brands. NovaForge GroupOffshore casino networkLinked to brands such as Spinsy and Robycasino that use Zentoria/Spinsopotamia payment rails. NovaForge is the offshore casino engine allegedly benefiting from Zentoria’s Irish merchant and licensing infrastructure. Quadcode / QCL QUAD CODE CY LIMITEDCompany / groupCyprus‑based fintech and brokerage technology group; relevant because of the apparent public link via an Alina Vavilova profile. It may represent a broader high‑risk fintech backdrop around the Zentoria story, but any direct corporate connection to Zentoria remains unproven on the current public record.  Irish licence, Cyprus connectsion, and Payment Racket A brand‑new Irish bookmaker, Zentoria Limited, incorporated in April 2024 and licensed under the trading name SPINSOPOTAMIA.COM, has rocketed from obscurity to the centre of a global offshore casino payment racket, FinTelegram’s Rail Atlas investigations reveal. Victim statements and live test deposits show that players funding unlicensed NovaForge casinos such as Spinsy and Robycasino are in fact being billed by Zentoria via the innocuous‑sounding card descriptor “Spinsopotamia.com Dublin.” Instead of seeing “Robycasino” or “Spinsy” on their bank statements, customers see an EU‑licensed Irish bookmaker – allowing NovaForge’s blocked brands to smuggle gambling payments through mainstream card rails under cover of Zentoria’s Irish licence. Zentoria’s incorporation file blows apart the illusion of an Irish‑rooted bookmaker and exposes a clean Cyprus control chain instead: the sole founding shareholder is ONEPALM LTD, a Limassol‑based company that subscribed for all 1,000 issued ordinary shares through its representative Natalia Panayiotou, with the signatures witnessed in Limassol by Elena Coloubars. In other words, from day one Zentoria is an Irish gambling vehicle whose equity, corporate will and paperwork all flow through ONEPALM’s address in Limassol, while Latvian director Alina Vavilova signs the declarations that the company will carry out “Gambling and betting activities” in Ireland – firmly anchoring Zentoria’s supposedly Irish licence in the heart of Cyprus’s high‑risk fintech and gambling hub. Vavilova: The QUADCODE Connections Irish records and the official Register of Licensed Remote Bookmaking Operations identify Mykhaylo Pavlenko and Alina Vavilova as the responsible persons for Zentoria and SPINSOPOTAMIA.COM. Vavilova’s LinkedIn profile shows a background in high‑risk online marketing, while Pavlenko keeps a low public profile behind multiple similar‑name entries – a duo that looks more like hand‑picked licence fronts than local bookies. According to her LinkedIn profile, Alina Vavilova is not just any marketing manager but the long‑time Head of Affiliate Program at Quadcode, a controversial Russian‑rooted fintech outfit operating from Cyprus. Quadcode itself is run through QCL QUAD CODE CY LIMITED, a Limassol‑based entity that describes Quadcode as a fintech company “specializing in financial brokerage activities and offering advanced financial products to clients globally” and maintains offices across Cyprus, Dubai, Gibraltar, Australia and the United Kingdom. The Alina Vavilova listed by the Irish Revenue as a responsible person for Zentoria appears to match a publicly visible Alina Vavilova in Limassol, Cyprus, who presents herself on LinkedIn as Head of Affiliate Program for the Russian‑rooted fintech group Quadcode. If this is indeed the same individual – something regulators can easily verify using their access to KYC and fit‑and‑proper files – then Zentoria’s Irish bookmaker licence would be personally linked into the wider Quadcode universe that builds and runs trading infrastructure worldwide, adding yet another highly sensitive layer to the Zentoria story. FinTelegram’s evidence suggests Zentoria is not a simple Irish bookmaker but a regulatory cosplay vehicle, built to pass personal‑fitness checks and then weaponised to route offshore casino money through EU banking infrastructure. “Spinsopotamia.com Dublin”: the Trojan Horse descriptor The mechanics are classic transaction‑laundering dressed up with an Irish licence. Players deposit at unlicensed NovaForge casinos such as Spinsy or Robycasino, some of which are already blocked by regulators like ACMA. The card transaction is quietly routed to Zentoria’s merchant set‑up in Dublin. The billing label shows “Spinsopotamia.com Dublin”, suggesting a licensed Irish bookmaker, not a blacklisted offshore casino. FinTelegram has branded Zentoria a “Trojan Horse bookmaker”: a clean Irish shell on the outside that in reality acts as NovaForge’s secret EU paymaster. Key entities and individuals in the Zentoria complex CategoryName / LabelJurisdiction / LocationRole / FunctionKey FactsCompanyZentoria LimitedIreland (Dublin 4)Irish‑licensed remote bookmaker; payment hubIncorporated 4 April 2024; in Dublin; principal activity 9200 Gambling and Betting; holds Remote Bookmaker’s Licence with trading name SPINSOPOTAMIA.COM; used as payee and billing entity “Spinsopotamia.com Dublin” for offshore NovaForge casinos (Robycasino, Spinsy).CompanyONEPALM LTD Cyrpus (Limassol)Sole shareholder of Zentoria LimitedSubscribed for all 1,000 issued Zentoria shares through its representative Natalia Panayiotou, with the signatures witnessed in Limassol by Elena Coloubars. Brand / DomainSpinsopotamia.comIreland / EU‑facing“Clean” casino/bookmaker front; billing descriptorTrading name on Zentoria’s Remote Bookmaker’s Licence; appears as billing descriptor “Spinsopotamia.com Dublin” on player card statements; serves as Trojan‑Horse front to obtain EU merchant accounts that are then used to process deposits for NovaForge’s offshore casinos.Casino brandsRobycasino, Spinsy (NovaForge)Offshore (unlicensed / blacklisted)Illegal online casinos using Zentoria railsOperated by NovaForge Group; targeted or blocked by regulators such as ACMA; player deposits technically billed via Zentoria/Spinsopotamia instead of the casino name; part of the wider NovaForge offshore network.CompanyNovaForge GroupOffshore (various)Operator of blacklisted casino networkControls/operates Robycasino, Spinsy and related brands; relies on EU‑based payment infrastructure, including Zentoria Limited and Spinsopotamia billing, to reach EU and Australian players despite regulatory blocks.Natural personMykhaylo PavlenkoLinked to Ireland (Zentoria)Key individual / director of ZentoriaListed by Irish Revenue as responsible person on Zentoria’s Remote Bookmaker’s Licence (ZENTORIA LIMITED, SPINSOPOTAMIA.COM); identified by FinTelegram as one of the two main actors behind Zentoria; acts as formal corporate face of the licensed Irish bookmaker.Natural personAlina Vavilova (LinkedIn)Linked to Ireland (licence)Key individual / director of ZentoriaListed by Irish Revenue as responsible person for Zentoria Limited; central figure in the Irish licensing footprint. LinkedIn profile shows an Alina Vavilova based in Cyprus, acting as Head of Affiliate Program Quadcode;CompanyQuadcode / QCL QUAD CODE CY LIMITEDCyprus (Limassol)Fintech / brokerage technology groupQuadcode presents itself as a fintech company specializing in financial brokerage services and advanced financial products; operated through QCL QUAD CODE CY LIMITED (HE 391725) registered in Limassol, address around Kato Polemidia; part of a wider Quadcode group with entities in multiple jurisdictions; potential personal link to Zentoria via Alina Vavilova’s public role.Natural personSergei Dobrovolskii (LinkedIn)United KingdomFounder QuadcodeFormer IQ Option executieveNatural personKirill Bolotov (LinkedIn)CyprusDirector / UBO / Executive QuadcodeKirill Bolotov joined the company in 2020 from IQ Option Europe Irish authorities under pressure Ireland’s Remote Bookmaker regime, with its personal‑fitness tests, beneficial‑ownership rules and AML obligations, was designed to keep exactly this kind of abuse out. Yet Zentoria – licensed in 2024 and controlled by Pavlenko and Vavilova – is now surfacing at the heart of payment flows for NovaForge casinos that regulators such as ACMA have already targeted. Under the Betting (Amendment) Act 2015, Ireland can revoke licences and pursue criminal sanctions when remote bookmakers violate their obligations. With FinTelegram’s findings now public, the key question for Irish authorities is brutal and simple: Did Zentoria turn a hard‑won Irish licence into a licence‑to‑launder for offshore casinos – and who really pulls the strings behind it? Regulators in Ireland and Cyprus can easily resolve this mystery by matching the Alina Vavilova named in Zentoria’s licensing files with the Quadcode executive in Limassol – and if they don’t, FinTelegram will keep asking why. Call to action: check your statements – and speak up FinTelegram urges: Players to scan their statements for “Spinsopotamia.com Dublin”, Zentoria Ltd or similar descriptors tied to suspicious casino activity. Bank, EMI and PSP insiders to review internal alerts related to Zentoria, SPINSOPOTAMIA.COM or NovaForge traffic. Evidence and internal documents can be submitted securely via Whistle42, FinTelegram’s whistleblower platform. The more light is thrown onto Zentoria’s flows, the harder it becomes for any regulator to pretend this is just another small Irish bookmaker. Share Information via Whistle42

South Korean crypto exchange Bithumb has blocked all virtual-asset deposits and withdrawals involving the overseas crypto payment platform Heleket, citing suspected money laundering and terrorist-financing exposure. The move follows TRM Labs’ assessment that Heleket is likely operationally connected to the Russia-linked processor Cryptomus, which was hit by Canada’s FINTRAC with a record CAD 176.96 million AML penalty in October 2025. 1-Minute Briefing South Korean crypto exchange Bithumb has imposed an immediate block on all virtual-asset deposit and withdrawal transactions involving Heleket, an overseas crypto payment processor. According to Bithumb’s official notice dated 21 May 2026, the platform cited suspected involvement of Heleket in money laundering and terrorist-financing-related illegal activity and referred to South Korean AML and virtual-asset user-protection rules as the legal basis for the measure. The case is not merely another exchange compliance update. It points to a broader risk pattern: crypto payment processors that present themselves as merchant-service infrastructure may, in practice, function as cross-border laundering and sanctions-evasion rails for high-risk users, darknet markets, cybercrime service providers, and sanctioned ecosystems. Key Findings Bithumb has blocked Heleket immediately. The Korean exchange’s notice states that all deposits and withdrawals involving Heleket are restricted from 21 May 2026 with immediate effect. TRM Labs links Heleket to Cryptomus. In April 2026, TRM Labs assessed with high confidence that Cryptomus or its ultimate controllers likely created and launched Heleket, citing common architecture, timing, shared personnel, branding, and extensive on-chain connections. Cryptomus already carries heavy regulatory baggage. Canada’s FINTRAC imposed a CAD 176,960,190 administrative penalty on Xeltox Enterprises Ltd., operating as Cryptomus, for widespread AML/CFT failures, including failures to file suspicious transaction reports and large virtual-currency transaction reports. Garantex exposure is a major red flag. TRM reported that early liquidity into Heleket wallets came from Garantex, the Russia-linked crypto exchange sanctioned by OFAC and later disrupted by international law-enforcement action. OFAC designated Garantex in April 2022, and the U.S. DOJ announced a coordinated disruption of Garantex infrastructure in March 2025. Bithumb itself is under compliance pressure. Earlier in 2026, South Korean authorities imposed a 36.8 billion won penalty on Bithumb over AML violations, including transfers involving unregistered overseas virtual-asset service providers. A Seoul court later stayed the six-month partial business suspension, while public reporting left the status of the monetary fine less clear. Compliance Analysis The Heleket case demonstrates how crypto payment processors can become the operational layer between regulated exchanges and high-risk counterparties. Unlike a traditional crypto exchange, a processor may appear as neutral infrastructure: merchant checkout, API layer, settlement wallet, or cross-border payment gateway. But where KYC controls are weak or selectively applied, the processor can become a compliance shield for users who would otherwise be rejected by regulated venues. TRM’s assessment is particularly significant because it does not rely on a single indicator. The reported connection between Cryptomus and Heleket is based on a combination of infrastructure, personnel, branding, timing, and on-chain activity. In compliance terms, this is the difference between a name change and a continuity-of-control scenario. If correct, Heleket may not be a new clean provider but a parallel rail designed to preserve access for users affected by Cryptomus’s increased regulatory scrutiny. The FINTRAC case against Cryptomus adds further gravity. The Canadian regulator found 2,593 contraventions across six violation types, including failures to report suspicious transactions linked to darknet markets, fraud proceeds, ransomware payments, child sexual-abuse-material trafficking indicators, and sanctions evasion. FINTRAC also stated that Cryptomus failed to comply with obligations relating to transactions associated with Iran. For regulated exchanges, the lesson is clear: blocking sanctioned entities is no longer enough. Exchanges must identify successor platforms, clone processors, parallel brands, shared-wallet clusters, and migration flows. A processor that emerges after another provider tightens KYC controls should trigger enhanced due diligence, not routine onboarding. Red Flags For Exchanges And Banks The Heleket/Cryptomus pattern contains several compliance red flags: use of a new payment brand after regulatory pressure on a related processor; shared infrastructure or personnel between supposedly separate entities; initial or material liquidity from sanctioned or disrupted exchanges; exposure to darknet markets, cybercrime services, ransomware, CSAM-related flows, or sanctions evasion; use of offshore or mailbox-style corporate structures; cross-border merchant payments without transparent beneficial ownership and merchant-risk controls. These are not merely crypto-sector risks. They matter to banks, EMIs, payment institutions, stablecoin issuers, wallet providers, and VASPs that touch settlement, fiat ramps, merchant accounts, or liquidity channels. FinTelegram Assessment Bithumb’s move should be read as part of a wider market shift. The compliance perimeter is expanding from “listed exchange” to payment infrastructure, wallet clusters, merchant gateways, and processor networks. Heleket is now a test case for how exchanges respond when blockchain intelligence firms identify a potentially high-risk processor before a regulator has issued a formal sanctions designation. For FinTelegram, the case confirms a recurring thesis: the most relevant financial-crime exposure in crypto increasingly sits not only at exchanges, but in the rails between exchanges, merchants, processors, OTC liquidity, and sanctioned ecosystems. The next generation of AML/CFT enforcement will focus on these rails. Call For Information FinTelegram invites insiders, compliance officers, former employees, affected users, and payment-industry sources with information on Heleket, Cryptomus, Garantex-related flows, merchant onboarding, processor wallets, or exchange integrations to contact us via Whistle42. Share Information via Whistle42

The Vienna conviction of former Austrian intelligence officer Egisto Ott adds a new and explosive layer to the Wirecard saga. Court reporting and prosecutorial accounts indicate that Ott passed sensitive information to Jan Marsalek and Russian handlers, reinforcing the view that Marsalek operated far beyond the role of a rogue corporate executive. This matters for the ongoing Munich proceedings against former Wirecard CEO Markus Braun. While Marsalek remains a fugitive and is now widely described in investigative and prosecutorial reporting as a Russian intelligence-linked operative, Braun continues to face trial in Germany in a case whose factual backdrop appears increasingly intertwined with espionage rather than ordinary corporate misconduct alone. Egisto Ott’s Role According to Reuters and other reporting on the Vienna proceedings, Ott was accused and ultimately convicted of using his former intelligence and police access to retrieve confidential information for Russia. Those activities allegedly included obtaining personal data, checking official databases, and supplying information to Jan Marsalek, who had become a crucial intermediary between criminal, financial, and intelligence circles. Link to Marsalek Ott’s relevance to the Wirecard context lies in his operational relationship with Marsalek. The case reporting indicates that Marsalek relied on Austrian insiders such as Ott to procure data, facilitate contacts, and support clandestine activities, suggesting that the former Wirecard COO was running networks that reached directly into state institutions. Wirecard Implications Ott’s conviction supports a wider interpretation of the Wirecard scandal. If Marsalek was already functioning as a Russian asset while serving as Wirecard’s chief operating officer, then the company may have been exploited as a cover structure, intelligence access point, or logistics channel in addition to being the site of one of Europe’s biggest postwar corporate frauds. The Braun Asymmetry That creates a legally awkward asymmetry. Markus Braun remains in custody and on trial in Munich, while the executive now most strongly associated with covert Russian operations—Marsalek—remains beyond the reach of German justice. Reuters reported that the Wirecard trial began in December 2022, and as of 21 May 2026 it has been running for 1,261 days, or roughly 41.4 months. The proceedings had already exceeded 100 trial days some time ago, underlining the exceptional length and complexity of the case. Legal and Compliance View For compliance analysts, Ott’s conviction is not a side story. It strengthens the argument that Wirecard should be assessed not only through the lenses of accounting fraud, market deception, and supervisory failure, but also through counterintelligence, sanctions-risk, political exposure, and infiltration vulnerabilities. The central unresolved issue is whether key legal narratives around Wirecard were framed too narrowly at the outset. As more evidence emerges around Marsalek’s intelligence role and his Austrian support network, the boundary between financial crime and state-linked covert activity appears increasingly artificial. Call for Information FinTelegram calls on whistleblowers, former insiders, service providers, investigators, compliance professionals, and other knowledgeable sources to submit information concerning Wirecard, Egisto Ott, Jan Marsalek, associated intelligence contacts, facilitators, payment structures, and cross-border networks. Information can be provided securely and confidentially through FinTelegram’s whistleblower platform Whistle42. In cases involving financial crime, espionage exposure, sanctions evasion, or regulatory capture, even fragments of internal documentation or timeline evidence may prove decisive. Share Information via Whistle42

Baltic FIUs Publish Landmark Study On Payment Rails And AML Risk The Estonian Financial Intelligence Unit, together with the FIUs of Latvia and Lithuania and with support from the Bank of Lithuania, has published a major regional strategic study titled “Evolving Payment Landscapes and AML Challenges in the Baltic States.” The study covers the period from 2021 to the first half of 2024 and analyses payment service providers, credit institutions, payment institutions, e-money institutions, cross-border payment accounts, suspicious transaction reports, and emerging money-laundering typologies across the Baltic States. For FinTelegram, the study is highly relevant. It confirms what our investigations into illegal casino payment rails, investment scam payment infrastructures, crypto on-ramp structures, and open-banking routes have repeatedly shown: the modern AML battlefield is no longer limited to traditional banks. It is increasingly located in the opaque interaction between digital banks, EMIs, PIs, VIBAN structures, embedded finance platforms, crypto platforms, and cross-border payment accounts. The study does not read like a theoretical risk paper. It reads like an official confirmation of the new payment-rail reality. Key Findings The Baltic FIUs identify clear structural differences between the three jurisdictions. Estonia and Latvia remain largely bank-dominated markets with predominantly domestic client bases, while Lithuania has developed into a regional FinTech payment centre with materially higher foreign-client activity and cross-border exposure. The study states that Lithuania’s growth in digital banking, EMI and PI services has deepened integration with the EU financial system but has also increased ML/TF risks linked to complex transactions and non-face-to-face service delivery. The study also confirms that Estonia and Latvia have reduced exposure to high-risk non-resident clients through de-risking and stronger AML controls. However, this did not eliminate risk. Instead, some risk appears to have migrated. The FIUs note that client off-boarding by traditional banks helped drive customers toward Lithuanian PSPs and other alternative digital providers. A central finding is that Lithuanian FinTech PSP accounts stand out in suspicious transaction reporting by Estonian and Latvian FIUs. Fraud schemes, tax evasion, and attempts to circumvent EU sanctions dominate the regional ML landscape and are often facilitated through digital banks, EMIs, and VASPs. The study further highlights transit accounts, shell companies, strawmen, and VIBAN structures as recurring obstacles to identifying beneficial owners and tracing illicit funds. Lithuania: Regional FinTech Hub — And Regional Risk Magnet Lithuania’s strategy to become an EU FinTech hub has succeeded. According to the study, Lithuania has attracted a significant number of payment and e-money institutions and hosts a materially larger PI/EMI market than Estonia or Latvia. The study also notes that Lithuania’s PI/EMI sector has been assessed as high-risk because of non-resident portfolios, international transactions, high-risk industries, remote onboarding, and pass-through payments. This is not a condemnation of Lithuania’s FinTech strategy. It is a warning about its consequences. The study shows that Lithuania’s role as a regional hub comes with structural AML pressure. Lithuanian PSPs process very large volumes for non-domestic clients. In 2024, Estonian and Latvian clients overwhelmingly used a single Lithuanian digital bank, both in terms of client numbers and transaction volumes. The study does not name the institution, but the concentration finding is significant for regulators, supervisors, and investigative journalists alike. This concentration matters because FinTelegram’s own Rail Atlas investigations have repeatedly encountered Lithuanian-regulated or Lithuania-linked digital banking and FinTech structures in payment chains serving high-risk sectors, including offshore gambling, crypto on-ramps, and cross-border investment schemes. Estonia: BaaS, VIBANs And Crypto Correspondent Risk The study also identifies Estonia-specific vulnerabilities. Although Estonia remains bank-dominated, the FIUs point to risks arising from a BaaS model used by a market participant and from correspondent-style services involving foreign virtual-asset and FinTech platforms. The study states that suspicious funds are often channelled through the Estonian financial system using VIBANs, which may obscure the beneficial owner and the transaction origin. The numbers are striking. According to the study, cross-border payment volumes of respondent financial institutions in Estonia rose from €105 billion in 2021 to €136 billion in 2024. Of this, PI/EMI respondent payments reached €84 billion in 2024, while VASP-related transactions reached €33.5 billion. Approximately 89% of the total cross-border payment volume involved non-resident respondents, mostly from the EEA and the United Kingdom. This aligns closely with FinTelegram’s investigative focus on payment chokepoints. The critical issue is not only whether a bank, EMI, or payment institution is licensed. The issue is whether its business model creates nested, opaque, or insufficiently monitored rails for third-party operators, crypto platforms, offshore merchants, or high-risk digital businesses. VIBANs And Embedded Finance: The New Opacity Layer The study gives particular attention to VIBANs, open-banking structures, embedded finance, and BaaS. Latvia’s NRA flags VIBANs and open-banking structures as emerging risks because of sub-account opacity, unclear responsibility for CDD and transaction monitoring, and difficulties for FIUs or law enforcement when requesting information or freezing assets across jurisdictions. Estonia’s NRA also flags VIBAN services offered to financial intermediaries without sufficient risk assessment of their clients, as well as bundled transaction files that may prevent adequate risk profiling. This is exactly the problem FinTelegram has described in its casino and scam payment-rail investigations: the payment chain becomes fragmented. The consumer sees one interface, the bank sees another counterparty, the real merchant or beneficial operator may sit behind several gateways, and the final economic purpose may be diluted or hidden. In practice, this creates what FinTelegram calls payment-purpose dilution: the further the payment travels through gateways, processors, VIBAN layers, open-banking intermediaries, crypto ramps, and offshore merchants, the harder it becomes to determine what the transaction was really for. Fraud, Tax Evasion And Sanctions Circumvention Dominate The Baltic FIUs identify three dominant predicate offence categories: fraud, tax evasion, and sanctions circumvention. The study notes that payment services in Estonia, Latvia, and Lithuania are frequently used in the layering stage of money-laundering schemes, including fraud-related flows, tax evasion schemes, and sanctions evasion, often through digital banks, EMIs, and VASPs. For Latvia, STRs referencing Lithuania increased between 2022 and 2024, suggesting growing risk exposure or at least growing reporting attention in relation to Lithuanian-linked financial flows. For Estonia, STRs referencing Lithuanian accounts also increased significantly, and the study states that Lithuanian accounts held by Estonian entities and individuals formed a major share of Estonian STRs concerning foreign accounts. The study also notes that crypto-related risks appear more pronounced in Lithuanian FinTech PSPs. Around 7% of Estonian STRs involving payment-account transactions included cryptocurrency-related activity on average, but by 2024 that share rose to around 12%. For Lithuanian accounts, the proportion was higher, at roughly 18% of STRs related to payment accounts. FinTelegram Interpretation: The Baltic Region As A Payment-Rail Laboratory The Baltic region is becoming a test case for the future of European AML supervision. The region has strong digital infrastructure, advanced FinTech ecosystems, close Nordic banking links, EU passporting dynamics, crypto exposure, and significant cross-border activity. This makes it innovative — but also vulnerable. The official study confirms four FinTelegram working theses: First, de-risking does not remove risk; it relocates it. When traditional banks off-board clients, the business may move to digital banks, EMIs, PIs, VIBAN providers, or crypto-friendly intermediaries. Second, licensing is not the same as transparency. A licensed EMI or digital bank can still become a chokepoint for high-risk payment flows if it serves opaque intermediaries or relies on insufficiently transparent third-party structures. Third, crypto risk increasingly enters through payment rails, not only through crypto exchanges. The interaction between bank accounts, VIBANs, EMIs, VASPs, and on/off-ramp structures is now one of the most important AML risk zones. Fourth, cross-border payment flows require cross-border supervision. National supervision is structurally insufficient where clients, beneficial owners, PSPs, VASPs, merchants, and victims are spread across different jurisdictions. The Casino Payment-Rail Angle Although the study is not specifically about illegal online casinos, its findings are directly relevant to FinTelegram’s ongoing investigations into offshore gambling payment rails. Illegal casino operators frequently rely on exactly the type of structures highlighted by the FIUs: payment intermediaries, cross-border PSPs, non-transparent payees, VIBAN-like account structures, crypto on-ramps, open-banking flows, and payment-purpose dilution. In these ecosystems, the player may believe they are making a casino deposit, while the banking layer may see a transfer to a payment processor, gateway, wallet provider, or unrelated commercial descriptor. The Baltic FIU study therefore provides an official AML framework for understanding why these rails matter. They are not merely technical payment channels. They are potential financial-crime infrastructure. Regulatory Takeaway The Baltic FIUs recommend regional indicators for PSP-related STRs, detailed sector-specific typology studies focusing on digital banking, embedded finance, PI/EMI and virtual-asset segments, better dissemination of red flags, enhanced staff training, and stronger data harmonisation across the region. FinTelegram would go one step further: European regulators should treat payment-rail opacity as a standalone compliance risk. Where the consumer-facing merchant, payment descriptor, technical gateway, account holder, beneficial operator, and economic purpose do not align, enhanced due diligence should be mandatory. The key question is no longer simply: Is the PSP licensed? The better question is: What payment rail is the PSP enabling — and for whom? FinTelegram Conclusion The Baltic FIUs have delivered an important and unusually relevant study. It confirms that AML risk in the Baltic region has moved into a more complex phase: less cash, fewer traditional non-resident banking scandals, but more digital rails, more cross-border accounts, more FinTech concentration, more VIBAN opacity, more crypto adjacency, and more rapid movement of funds. For FinTelegram, this is a strong validation of the Rail Atlas approach. To understand modern financial crime, investigators, regulators, banks, and victims must follow the rails — from the consumer interface to the gateway, from the gateway to the PSP, from the PSP to the VIBAN or correspondent layer, and from there into crypto, offshore accounts, or settlement structures. The Baltic States are not merely a regional AML case study. They are a preview of Europe’s payment-risk future. Share Information via Whistle42

FinTelegram’s Rail Atlas reviews show a recurring pattern in offshore casino payment flows: the player starts a deposit at an online casino, but the bank-facing payment screen names a payment processor — such as CAPITOLIO INC. or Domus Payment Solutions — as the payee. In card payments, players may at least have chargeback routes. In Pay-by-Bank and open-banking account-to-account rails, those protections are materially weaker. This architecture creates a serious compliance and consumer-protection problem: if the casino operator disappears from the payment screen, how can players enforce refund claims against illegally or unauthorised gambling operators? 2-Minutes Briefing FinTelegram’s recent Payment Rail Atlas reviews of offshore casino cashiers, including 1Go Casino and Winnita, have identified a recurring payment architecture: the player initiates what is economically a casino deposit, but the bank-facing payment screen names a payment processor or infrastructure company as the payee rather than the casino operator. In the 1Go Casino review, CAPITOLIO INC. appeared as payee in a Revolut/Yapily open-banking rail, while Domus Payment Solutions appeared as payee in a separate Pay-by-Bank rail. In the Winnita review, FinTelegram again found Domus Payment Solutions as named payee in a Pay-by-Bank flow involving InstantBankPayment, Token GmbH/Token.io, and Revolut. Read our Winnita payment rail review here. This is not merely a technical detail. In card payments, consumers may have card-scheme chargeback routes. Open-banking payments are different. They are account-to-account transfers initiated from the customer’s bank account, and industry sources describe them as bypassing card-network rails with no card-scheme chargeback mechanism; disputes depend on merchant refund policies and any protections offered by the payment-initiation provider. The timing matters. In Case C-440/23, the Court of Justice of the European Union held that EU law does not prevent a Member State from prohibiting online gambling services even where the operator holds a licence in another Member State, and the case expressly concerned recovery of lost stakes and abuse-of-law arguments. In Case C-77/24 Wunner, the CJEU addressed cross-border claims linked to unlicensed online gambling and confirmed the relevance of the player’s country of participation/residence for determining where the damage occurred. Against that legal backdrop, processor-as-payee architectures become especially problematic. If the player cannot clearly identify the actual casino operator or ultimate gambling beneficiary from the payment flow, recovery claims may become practically difficult, even where national law gives the player a right to reclaim deposits or losses from an unauthorised gambling operator. Key Findings FinTelegram has observed processor-as-payee structures in several casino rails. In 1Go Casino, CAPITOLIO INC. and Domus Payment Solutions appeared in different rails; in Winnita, Domus Payment Solutions appeared as payee in a Pay-by-Bank rail. The casino operator may disappear from the bank-facing payment flow. The player sees the casino cashier at the start, but the bank or open-banking authorisation screen may show a processor, MSB, wallet platform, or collection entity. Processor-as-payee is not automatically unlawful. A processor may lawfully appear as merchant of record, payment facilitator, collection agent, or technical payee. But in gambling-origin payments, this is only defensible if the underlying merchant, payment purpose, processor role, refund route, and licensing status are clearly disclosed and properly monitored. The risk is payment-purpose dilution. The payment starts as a casino deposit but may arrive at the bank layer as an ordinary account-to-account transfer to a payment infrastructure company. Open-banking rails weaken card-style recovery options. PXP’s open-banking explainer states that open-banking payments bypass card networks and have no card-scheme chargeback mechanism; disputes fall to merchant refund policies and any PISP protections. CJEU case law increases the importance of payment transparency. Case C-440/23 confirms that EU law does not automatically shield cross-border operators from national gambling restrictions and restitution consequences; Case C-77/24 Wunner strengthens the relevance of the player’s country for claims linked to unlicensed online gambling. Opaque payment architecture can impair player protection. If the bank statement shows CAPITOLIO INC. or Domus Payment Solutions rather than the casino operator, the player may face practical obstacles in proving the link between deposits and the illegal or unauthorised gambling service. The Observed Architecture Typical Processor-as-Payee Casino Flow LayerWhat the Player SeesWhat FinTelegram ObservedCompliance Concern1Casino cashier1Go Casino / Winnita deposit pageGambling purpose is clear at the start.2GatewayInstantBankPayment, BillBlend, SegoPay, Tryzto, Token.io or similarThe casino brand begins to disappear behind intermediaries.3Open-banking / PISP layerYapily, Token.io, Bridge/SaltEdge or similarA regulated or semi-regulated chokepoint initiates/supports the A2A payment.4Bank authenticationRevolut, Wise or another bankPlayer authenticates a push payment.5Payee screenCAPITOLIO INC. or Domus Payment SolutionsNon-casino payee appears instead of the operator.6Economic destinationCasino account / player balance creditedUltimate gambling beneficiary may not be transparent. The central issue is not that processors exist. Payment processors are normal in digital commerce. The issue is merchant substitution at the visibility layer: the consumer-facing merchant is an offshore casino, while the bank-facing payee is a processor. Is It Allowed To Show a Processor Instead of the Casino Operator? The Compliance Answer A processor may be shown as payee in a lawful merchant-of-record, payment facilitator, collection-agent, or technical on-ramp model. But where the player is not clearly informed that the processor receives funds for, or on behalf of, the casino — and where the bank-facing transaction no longer identifies the gambling merchant or the gambling purpose — the structure creates serious transparency, AML, payment-compliance, and consumer-protection risk. In other words: processor-as-payee is lawful in principle, but high-risk in practice when used for casino-origin deposits. A compliant model would need to answer the basic questions: Who is the actual gambling operator? Is the operator licensed in the player’s jurisdiction? Is the processor collecting funds for that operator? Does the player understand whom they are paying? Does the bank or PISP receive the gambling context? Does the player have a clear refund or complaint route? Is the payment purpose preserved through the rail? If those questions cannot be answered, the model becomes a transparency problem. Why It May Breach Consumer Protection Principles EU consumer law is built around clear, timely and understandable information. Consumers must know the identity of the trader and the essential characteristics of the service before making a transactional decision. The Unfair Commercial Practices Directive treats omissions of material information as potentially misleading where the average consumer needs that information to make an informed decision. In a casino deposit context, the identity of the casino operator and the fact that the payment funds gambling activity are material. If the consumer-facing casino disappears from the payment screen and is replaced by a processor name, the player may not know: who actually operates the gambling service; who receives or controls the funds; who is responsible for refunds; where to direct a restitution claim; whether the transaction is classified as gambling or as an ordinary transfer. That does not automatically prove a legal breach in every case. But it creates a strong misleading-omission and transparency risk, especially where the casino is not authorised in the player’s jurisdiction. Payment Compliance Analysis 1. Payee vs. Ultimate Merchant Under payment law, the payee shown in an A2A payment may be the entity designated to receive funds. In platform models, that entity may be a processor or collection agent. But from a compliance perspective, the ultimate merchant and economic purpose cannot disappear. In gambling, this is critical. Banks, PISPs, PSPs and MSBs must know whether they are facilitating gambling-related transactions, particularly where the underlying operator targets jurisdictions requiring local authorisation. If CAPITOLIO INC., Domus Payment Solutions, or similar entities appear as payees for casino-origin deposits, their role should be transparent: Are they merchant of record, agent, processor, settlement provider, on-ramp provider, or simply a technical collection account? 2. AML/KYB Risk Casino-origin payments are high-risk because gambling is a regulated sector and can involve fraud, chargeback abuse, money-laundering typologies, affordability concerns, and consumer-harm issues. If a processor receives funds from players, its KYB file should show: the upstream casino operator; the contractual counterparty; the target jurisdictions; licensing analysis; merchant-category classification; transaction-monitoring logic; complaint and refund handling; whether funds are settled onward to the casino, affiliate, wallet, crypto rail, or another processor. Without those controls, the processor-as-payee model becomes a collection layer for unauthorised gambling. 3. Payment-Purpose Dilution FinTelegram uses the term payment-purpose dilution for the process by which a transaction that starts as a casino deposit appears downstream as an ordinary transfer to a payment processor. That is the key danger. Banks and PISPs may screen the visible payee and payment reference but not the upstream gambling context. In that case, the risk model sees a processor; the economic reality is an offshore casino deposit. Consumer and Player Protection Impact No Card Chargeback Layer Card payments are embedded in card-scheme dispute and chargeback frameworks. Pay-by-Bank and open-banking payments are account-to-account push payments authenticated by the payer. They do not use card networks, and PXP describes the absence of card-scheme chargebacks as one of the key differences and risk trade-offs of open banking. For a casino player, this creates a harsh combination: the payment is difficult to reverse; the bank statement may show a processor, not the casino; the casino operator may be offshore and difficult to sue; the processor may deny responsibility as “technical infrastructure”; the bank may argue that the customer authorised the transfer. This weakens practical enforcement of player rights. Refund Claims After Recent CJEU Case Law The CJEU’s recent gambling jurisprudence makes this problem more important. In C-440/23 European Lotto and Betting and Deutsche Lotto- und Sportwetten, the Court’s judgment concerned national authorisation requirements for online games of chance, overriding reasons in the public interest, online slot machines, secondary lotteries, recovery of lost stakes, and abuse of law. The Court’s press release summarises the outcome as recognising that a consumer may bring a claim for restitution of lost stakes against operators established in another Member State, and that EU law does not prevent Member States from maintaining authorisation requirements in the public interest. This should be stated precisely: the CJEU did not create a blanket EU-wide automatic refund right for every player in every case. Rather, it confirmed that EU law does not prevent Member States from attaching civil-law consequences — including nullity and restitution claims — to online gambling offered without the required national authorisation. In C-77/24 Wunner, the Court addressed cross-border liability claims linked to unlicensed online gambling and the country where damage occurs. The case listing describes the issue as the country from which the player participates, and legal commentary summarises the judgment as confirming that players may generally rely on the law of their habitual-residence Member State when pursuing claims linked to foreign operators lacking the required local licence. Together, these cases make payment transparency crucial. If national law gives the player a restitution route, the payment evidence must allow the player to prove who received funds, for whose benefit, and for which gambling operator. Processor-as-payee rails can obstruct that proof. The Practical Enforcement Problem The player’s legal position may be strong on paper but weak in practice. Player Needs To ProveWhat Processor-as-Payee Rails May ShowThe payment funded an illegal or unauthorised casino depositBank screen shows a transfer to CAPITOLIO INC. or Domus Payment Solutions.The casino operator received the fundsOperator is not shown as payee.The casino lacked required local authorisationPayment record does not identify the gambling operator.The claim should be directed to the operatorThe visible payee may say it was only a processor or on-ramp.The bank should treat it as gambling-relatedBank may classify it as ordinary A2A transfer to a corporate payee.The transaction can be disputedNo card-scheme chargeback layer exists. This is the consumer-protection conflict: The law may give the player a refund claim.The payment architecture may make that claim difficult to enforce. Compliance Classification Risk AreaAssessmentPayment transparencyHigh risk if the casino operator and gambling purpose are not clearly disclosed.Consumer protectionHigh risk where players cannot identify the trader/operator or enforce refund claims.AML/KYBHigh risk where processors collect funds for offshore gambling merchants.Gambling complianceHigh risk where casinos target jurisdictions without local authorisation.Bank monitoringImpaired if the visible beneficiary is a processor rather than the gambling operator.Chargeback / dispute rightsWeaker than card rails because A2A payments lack universal card-style chargebacks.Litigation / restitutionPlayer claims may be obstructed by lack of clear payment evidence linking deposits to the casino operator.Regulatory reportingWeak if processors and PISPs do not preserve upstream merchant and payment-purpose data. FinTelegram Position Processor-as-payee architecture is not automatically illegal. But in offshore casino rails it is a major red flag. A compliant model would require at least: clear disclosure of the casino operator; clear disclosure that the processor receives funds for or on behalf of the casino; clear payment purpose shown to the player and, where possible, to the bank/PISP; documented merchant onboarding and KYB; evidence that the casino is authorised in the target jurisdiction; effective blocking of jurisdictions where the casino is not licensed; refund and complaint routes identifying the actual merchant and responsible processor; transaction monitoring that preserves the upstream gambling context; audit trails showing how funds move from processor payee to ultimate casino beneficiary. Without these safeguards, the architecture may amount to practical concealment of the true merchant and payment purpose. Questions for Processors, PISPs and Banks FinTelegram believes the following questions should be asked whenever a processor appears as payee in a casino-origin open-banking rail: Who is the actual gambling operator behind the deposit? Does the processor receive funds for or on behalf of that operator? Is the operator licensed in the player’s jurisdiction? What merchant category and risk classification is used? What does the payer’s bank see — processor only, or casino context? What does the PISP see — processor only, or upstream merchant context? Is the player told that the processor is collecting funds for the casino? Who handles refund and restitution claims? Can the processor provide an audit trail from player deposit to casino settlement? Are unauthorised gambling jurisdictions blocked? If the answer to these questions is unclear, the rail should be treated as high-risk. Conclusion The processor-as-payee model observed in 1Go Casino and Winnita shows a serious weakness in modern open-banking casino payments. The player thinks he is depositing into a casino. The bank-facing screen may show a payment processor. The card chargeback layer is absent. The underlying casino operator may be offshore, opaque, or not locally licensed. Yet recent CJEU case law confirms that EU law does not prevent Member States from attaching civil-law consequences, including restitution claims, to gambling services offered without required national authorisation. That creates the core consumer-protection conflict: The law may give the player a refund claim.The payment architecture may make that claim difficult to enforce. For payment processors, PISPs, banks, and gambling regulators, this is no longer theoretical. If processors such as CAPITOLIO INC. or Domus Payment Solutions appear as named payees in casino-origin Pay-by-Bank or open-banking rails, they should be expected to explain exactly whose funds they collect, for which merchant, under which licence, in which jurisdiction, and with what disclosure to the player. Open banking is a payment innovation. It must not become an opacity layer for unauthorised offshore gambling. FinTelegram will continue to document these rails because payment transparency is now central to player protection. Call for Information FinTelegram invites casino players, payment insiders, PSP employees, compliance officers, banking staff, and former employees of offshore gambling operators to provide information about processor-as-payee casino rails. We are particularly interested in payment confirmations, bank screenshots, open-banking consent screens, payee names, merchant descriptors, refund correspondence, casino KYC files, PSP onboarding documents, settlement records, and internal compliance communications involving CAPITOLIO INC., Domus Payment Solutions, InstantBankPayment, Token GmbH/Token.io, Yapily, SaltEdge/Bridge, Revolut, and related casino payment flows. Information can be submitted confidentially via Whistle42. Share Information via Whistle42

After the Bank of Lithuania revoked Paytend Europe UAB’s EMI licence for serious and systematic AML/CFT failures — including a mishandled relationship with an unnamed high-risk customer — MEXC appears to have re-engineered its Euro deposit rail. FinTelegram’s fresh deposit simulation (screenshots on file) shows Legend Trading now embedded as the fiat service layer inside MEXC’s “Bank Transfer” flow, including KYC onboarding and terms acceptance — yet the rail still routes deposit logic through Finetix Ltd S.R.L. as the contractual counterparty. Combined with whistleblower-supplied bank transfer evidence from Italy showing 2024 deposits to MEXC Estonia OÜ via Lithuanian infrastructure and additional on-ramp rails via ClearJunction-prefixed accounts, a consistent pattern emerges: MEXC systematically swaps providers while preserving an obfuscation-first architecture designed to keep the “MEXC” beneficiary out of the sending bank’s line of sight. Key Findings (Compliance Signals) Whistleblower evidence (Italy, 2024): bank transfer receipts show EUR deposits routed to MEXC Estonia OÜ via a Lithuanian IBAN (masked in publication), and additional rails via Banxa and MoonPay using ClearJunction-prefixed accounts (CLJU). FinTelegram rail mapping (Feb 2026): FinTelegram documented a dual architecture with Finetix Ltd S.R.L. as the universal contractual recipient, with routing via HEURO SAS / OuiTrust for SEPA Instant and Paytend Europe UAB for standard bank transfer. Open Letter escalation (18 Feb 2026): FinTelegram publicly put Paytend on notice and stated that Paytend was processing Euro deposits for MEXC via Finetix; Paytend’s continued facilitation was framed as a compliance and governance failure. Regulatory enforcement (6 Mar 2026): Bank of Lithuania revoked Paytend’s licence after inspection found serious and systematic deficiencies and referenced incorrect information and missing correspondence tied to a high-risk customer relationship. New rail shift (today’s simulation): FinTelegram observed Legend Trading replacing Paytend/OuiTrust as the user-facing “Bank Transfer” fiat service layer inside MEXC — while Finetix remains present in the legal/contractual wording of the deposit flow (screenshots on file). Critical inference (defensible): MEXC’s rail is not “one provider.” It is a provider-swappable obfuscation stack with a persistent contractual shield layer — the compliance risk does not disappear when one EMI or processor disappears. Evidence Pack (Whistleblower — anonymized) FinTelegram reviewed supporting documents from an Italian retail user (identity withheld; personal data not published). The documents include: Banxa deposit instructions referencing a ClearJunction-prefixed IBAN (CLJU) and bank details for Clear Junction Limited. BBVA transfer receipt showing a EUR bank transfer to Banxa using a CLJU-prefixed account (masked in publication). BBVA transfer receipt showing a EUR bank transfer to MoonPay Technology Services Limited using a CLJU-prefixed account (masked in publication). BBVA transfer receipt showing a EUR bank transfer to MEXC Estonia OÜ using a Lithuanian IBAN (masked). BBVA transfer receipt showing a later EUR bank transfer to “Mexc” using the same Lithuanian IBAN pattern (masked). Why it matters: this is not “forum chatter.” These are bank-level payment artifacts that demonstrate how EU retail funds were routed to MEXC-linked beneficiaries and/or MEXC-adjacent on-ramp partners through structured rails. What Changed: From Paytend/OuiTrust to Legend Trading — Without Changing the Core Design 1) The older model (documented by FinTelegram) In February 2026, FinTelegram described a dual-rail architecture: Finetix Ltd S.R.L. acting as the universal “contractual recipient,” routing through HEURO SAS / OuiTrust for SEPA Instant, and routing through Paytend Europe UAB for standard bank transfers. FinTelegram’s Open Letter (18 Feb 2026) stated that Paytend continued to process Euro deposits for MEXC via Finetix. 2) The enforcement shock (Bank of Lithuania) On 6 March 2026, the Bank of Lithuania revoked Paytend’s EMI licence after inspection findings that included systemic AML/CFT and internal control failures and an explicit reference to a mishandled high-risk customer relationship. 3) The new model (today’s simulation — screenshots on file) FinTelegram’s new deposit simulation indicates: Legend Trading (webiste) is now the embedded fiat service layer inside MEXC’s “Bank Transfer” flow, including integrated onboarding/KYC and “Legend” terms acceptance. Despite the provider swap, the Romanian payment agent Finetix still appears in the deposit rail’s contractual wording — consistent with Finetix’s historical role as “contractual recipient / legal shield” previously documented by FinTelegram. The flow appears engineered to avoid showing a static IBAN to the user and instead pushes users into an “online banking login / hand-off” style transfer initiation, where payment details can be auto-populated and less transparent to the end user (and often harder for the public to audit). On MEXC’s SEPA deposit rail, the beneficiary is now shown as SecureSwap s.r.o. (secureswap.exchange), a Czech-registered entity presented inside a P2P-style “notify seller” flow. In our deposit simulation (screenshot on file), MEXC instructs users to transfer funds to a Lithuanian IBAN starting with “LT…3130…,” which corresponds to the Lithuanian financial-institution code 31300 = UAB ZEN.COM—meaning the SEPA collection leg is routed via ZEN.COM’s Lithuanian EMI infrastructure, not directly to an account transparently labelled “MEXC.” Compliance takeaway: this looks like rail refactoring, not remediation. Legend Trading: Why This Provider Swap Raises New Questions Legend Trading’s own EU site positions “Legend Trading EU” as an institutional liquidity provider with products such as “Legend Gateway,” and it lists exchange showcases (including KuCoin). The site also states: “Legend Ireland Financial Limited … is regulated by the Central Bank of Ireland.” This creates a very direct compliance question: If a regulated or regulated-adjacent provider is deeply integrated into MEXC’s EU fiat deposit flow, what is the exact compliance perimeter being applied to the MEXC relationship and its downstream payment architecture? FinTelegram is not alleging wrongdoing by Legend Trading based solely on integration. But in a post-Paytend world — where a Lithuanian supervisor has just revoked a licence citing serious AML/CFT deficiencies and a high-risk customer relationship — a provider stepping into the same rail inherits the same core risks unless the architecture itself changes. Finetix: The Constant Node FinTelegram’s February 2026 rail analysis called Finetix the universal contractual gateway/recipient in MEXC euro deposits and noted that it functions as a “legal shield” layer in the stack. The whistleblower evidence from 2024 further supports that MEXC-linked collections existed before the later “Finetix-fronted” evolution: earlier rails show direct beneficiary naming (“MEXC Estonia OÜ” / “Mexc”) and additional third-party on-ramps (Banxa/MoonPay) — consistent with a strategy of multi-rail redundancy. Compliance interpretation: when a stack keeps the same contractual shield while swapping the pipe, the intent is typically continuity under pressure — not improved transparency. Updated Rail Map PeriodUser-facing railContractual / named recipientPipe / Provider layer2024 (whistleblower Italy)Bank transfer + on-ramp purchases“MEXC Estonia OÜ” / “Mexc” (bank receipts) + Banxa/MoonPayLithuanian IBAN rail + ClearJunction-prefixed accounts for Banxa/MoonPayFeb 2026 (FinTelegram)Standard bank transfer + SEPA InstantFinetix as contractual recipientPaytend (standard bank transfer) + HEURO/OuiTrust (SEPA Instant)Feb 2026 (Open Letter)Euro deposits for MEXCFinetixPaytendMar 2026 (Regulator)——Paytend licence revoked; “high-risk customer” referenceMay 2026 (FinTelegram simulation)Bank Transfer “Legend …” + bank-login initiationFinetix still present in rail wordingLegend Trading as embedded service layer Compliance Verdict This is now a pattern with a signature: MEXC uses EU-facing rails to pull retail fiat. It keeps a contractual shield layer (Finetix) or other intermediating structures that reduce beneficiary transparency. When a facilitator becomes exposed or sanctioned, MEXC hot-swaps the provider and refactors the UI/flow to reduce auditability. Whistleblower bank artifacts show the rails were operational in 2024 and routed to MEXC-linked beneficiaries and/or MEXC on-ramp partners. Paytend’s revocation does not “end the story.” It demonstrates that the risk was real, and the provider swap suggests that MEXC’s priority is operational continuity, not compliance clarity. What FinTelegram Will Now Investigate (and what regulators should ask) Legend Trading → MEXC: What is the exact scope of Legend’s services (pure gateway vs. MoR vs. settlement orchestration)? Finetix’s continuing role: Why does Finetix remain in the contractual layer even after the “pipe” changes? Bank-login payment initiation: Which AIS/PIS or open-banking infrastructure is being used? Who is the PISP? Where is the consent stored? Downstream settlement: Which banks/EMIs now hold the accounts that previously sat behind Paytend / HEURO? Consumer disclosure: Is the ultimate beneficiary relationship sufficiently disclosed for AML/CTF and consumer protection expectations? Call for Whistleblowers (MEXC, Legend, Finetix, and EU Banking Partners) If you are: a MEXC customer who used “Bank Transfer / Easybank / Legend …” deposit routes, a current or former employee/contractor of Legend Trading, Finetix, HEURO/OuiTrust, Paytend, or any integrated PSP/PISP, or a compliance professional at a bank that processed these flows, we want evidence: deposit instructions, settlement details, beneficiary data, IBANs (privately), on-chain TXIDs, support tickets, and contractual documentation. Submit via Whistle42. FinTelegram follows the conversions — and the pipes. If you know what replaced Paytend behind the scenes, help us map it. Share Information via Whistle42

FinTelegram publicly confronted Lithuanian EMI Paytend Europe UAB on 18 February 2026, warning that Paytend’s payment rails were facilitating the red-listed crypto exchange MEXC—and that this ecosystem was operating with a striking mix of opacity, regulatory friction, and disregard for basic compliance hygiene. On 6 March 2026, the Bank of Lithuania announced it had revoked Paytend’s EMI licence after an inspection found serious and systematic AML/CFT and internal-control failures. The BoL anncouncement includes a damning line: Paytend provided incorrect information about a business relationship with a high-risk customer and failed to retain and submit correspondence related to that relationship. The regulator did not name the customer. But FinTelegram had already mapped the rails, named the entities, and put the facilitator on notice. This enforcement action is not only a blow to Paytend—it is a public validation of FinTelegram’s CyberFinance Intelligence model and a fresh warning flare over MEXC’s European fiat access. Key Findings FinTelegram documented the rail early (May 2024): FinTelegram reported that MEXC processed fiat flows for crypto purchases via MEXC Estonia OÜ, which in turn used Paytend Europe UAB (Lithuanian EMI) for bank-transfer handling. FinTelegram escalated publicly (18 Feb 2026): In an open letter, FinTelegram said Paytend continued to process euro deposits for MEXC via Finetix Ltd S.R.L. and highlighted traffic/referral signals indicating a material MEXC → Paytend linkage. Regulator struck (6 Mar 2026): The Bank of Lithuania revoked Paytend’s licence after an inspection found serious and systematic deficiencies in business-relationship monitoring, AML/CFT risk management, and internal controls—plus failure to submit suspicious transaction reports despite escalation indicators. The “high-risk customer” sentence matters: The Bank of Lithuania stated Paytend provided incorrect information about its relationship with a high-risk customer and failed to retain/submit correspondence related to that relationship. The customer was not named. Strategic implication: This enforcement outcome materially strengthens FinTelegram’s credibility against recurring legal intimidation: the core compliance warnings published by FinTelegram were aligned with—and later echoed by—regulatory findings. What Happened: FinTelegram’s MEXC–Paytend Coverage, Then Enforcement This is not just another supervisory action in the Baltic payments sector. It is a regulatory event that strongly suggests FinTelegram once again identified a high-risk cyberfinance structure before the authorities formally intervened. FinTelegram has repeatedly assessed MEXC as a high-risk (“red-listed”) exchange and focused on the operational question that matters most to regulators and banks: who keeps the fiat rails open, and how is the risk being laundered into “legitimate” infrastructure? In its May 2024 whistleblower request, FinTelegram described the structure as MEXC → MEXC Estonia OÜ → Paytend Europe UAB, with Paytend functioning as the regulated payment layer enabling bank-transfer fiat flows. On 18 February 2026, FinTelegram escalated from reporting into formal public accountability with an Open Letter to Paytend Europe UAB. FinTelegram stated it had sent an urgent notification to Paytend’s compliance/board and warned that Paytend’s rails were facilitating MEXC. The open letter further asserted that forensic tests confirmed Paytend was still processing Euro deposits for MEXC via Finetix Ltd S.R.L., and pointed to referral-traffic signals tying Paytend’s inbound audience to MEXC properties. Less than three weeks later, the Bank of Lithuania published its inspection outcome: Paytend Europe UAB lost its licence. The Bank stated that Paytend’s monitoring measures were insufficient across all stages, internal investigations were incomplete or formalistic, and suspicious transaction reports were not submitted despite escalation indicators. Read our Paytend Europe reports here. Then came the line that should make every compliance officer sit up: Paytend provided the supervisor incorrect information about its relationship with a high-risk customer and failed to retain/submit the correspondence related to that relationship. FinTelegram’s Role: Not “Cause,” But a Public Record That Matters Let’s be precise—and strong. FinTelegram does not claim to be the regulator. The Bank of Lithuania acted under its own statutory mandate, based on its own inspection. But FinTelegram did three things that are strategically decisive: Mapped the rail and named the facilitator early.FinTelegram identified Paytend’s role in MEXC’s European fiat access long before the enforcement action—turning a vague “crypto risk” story into a traceable compliance architecture. Put the facilitator on notice and made it public.The open letter placed Paytend’s compliance posture under public scrutiny and created a timestamped record of FinTelegram’s concerns—explicitly referencing the MEXC rail and the intermediating structure described in FinTelegram’s testing. Built evidence-led pressure that is hard to SLAPP away.The Bank of Lithuania’s later findings—systemic monitoring deficiencies, failure to escalate STRs, internal-control failures, and the “high-risk customer correspondence” issue—are exactly the type of supervisory language that validates the direction and seriousness of FinTelegram’s prior warnings. In short: FinTelegram did not “revoke the licence.” FinTelegram did what a CyberFinance Intelligence platform is supposed to do—identify the rail, name the node, and force the compliance question into daylight. Was the “High-Risk Customer” MEXC? The Bank of Lithuania did not name the customer. Full stop. However, FinTelegram has publicly documented Paytend’s relationship with MEXC-linked rails since 2024 and reiterated it in February 2026 with specific references (including Finetix as the front-layer and Paytend as the regulated pipe). On that basis, FinTelegram assesses that MEXC is a plausible candidate for the unnamed “high-risk customer” referenced in the revocation announcement. This remains an inference until the underlying supervisory file becomes public or is otherwise confirmed. What This Means for MEXC and the Ecosystem Even without naming MEXC, the Paytend revocation has immediate ecosystem implications: Fiat access fragility: When a core EMI node is removed, high-risk platforms must scramble for replacement rails—often through weaker intermediaries, more opaque shells, or riskier PSPs. Regulatory heat transfer: Enforcement against the facilitator is frequently a prelude to deeper scrutiny of the downstream customer relationships that created the risk. Validation effect: This event strengthens FinTelegram’s earlier characterization of MEXC as structurally problematic from a compliance standpoint—because the rails described by FinTelegram now intersect with a regulator’s declaration of serious and systematic AML/CFT failure and a mishandled “high-risk customer” relationship. Conclusion The Bank of Lithuania’s revocation of Paytend Europe UAB’s EMI licence is a major compliance event in its own right. But it is also a reputation event for FinTelegram: a demonstration that rigorous rail mapping, evidence-led escalation, and public accountability can anticipate and align with regulatory outcomes. FinTelegram will continue to publish structured CyberFinance Intelligence that identifies not only the schemes—but also the facilitators who keep them operational. Call for Whistleblowers and MEXC Customers If you are a current or former MEXC customer, or a current/former employee or service provider connected to Paytend, Finetix, MEXC Estonia OÜ, or any MEXC fiat on-ramp/payment orchestration stack, we want evidence. We are especially looking for: bank transfer beneficiary details and payment instructions used for MEXC deposits/withdrawals Paytend/Finetix-linked correspondence, contracts, onboarding packs, or compliance questionnaires screenshots of MEXC deposit flows, KYC/AML interactions, freezes, and withdrawal denials payment processor identifiers: PSP names, acquirers, IBANs, descriptors, merchant entities, routing screenshots internal compliance/risk decisions (where available) Submit securely via Whistle42. Share Information via Whistle42

Winnita’s Pay-by-Bank deposit flow routes player funds through an opaque chain in which the player sees neither the offshore casino operator nor the ultimate economic beneficiary. Instead, the visible payment journey runs through the anonymous gateway payment  checkout.instantbankpayment.com, the regulated open-banking provider Token GmbH/Token.io, the customer bank Revolut, and the named payee Domus Payment Solutions, creating material compliance, AML, and consumer-protection concerns. Key findings Winnita’s Pay-by-Bank deposit rail uses the generic gateway checkout.instantbankpayment.com, not a clearly identified casino-branded payment page, which immediately reduces transparency for the player.​ In the Revolut authorization flow, Token GmbH appears as the regulated third-party provider initiating the payment via open-banking APIs. In the payment review screen, the named payee is Domus Payment Solutions rather than the casino operator or disclosed gambling merchant. Public materials show Token GmbH/Token.io is a regulated PISP/AISP open-banking provider active in Pay-by-Bank services across Europe, including the iGaming sector. Public materials show Domus Payment Solutions presents itself as a payment platform and wallet provider, while external compliance-focused profiles link it to high-risk payment activity and historical regulatory questions. From the player’s perspective, the transaction is economically a casino deposit but operationally appears to be a transfer to a payment processor, making complaints, disputes, and forensic tracing materially harder. From the bank’s perspective, the visible beneficiary is the processor, not the casino merchant, which can impair risk classification, transaction monitoring, and gambling-related controls. Because Pay-by-Bank is an account-to-account push payment rail, players generally do not benefit from card-scheme chargeback rights, which increases the consequences of merchant opacity. Overview This report analyzes the Pay-by-Bank deposit rail used by the offshore casino Winnita, with a focus on the transaction chain Winnita -> InstantBankPayment -> Token GmbH -> Revolut -> Domus Payment Solutions. The evidence indicates a payment flow in which the player initiates a casino deposit, but the visible payment counterparties are a generic gateway, a regulated open-banking payment initiator, and a payment processor acting as payee rather than the underlying gambling operator. From a compliance and consumer-protection standpoint, this structure is problematic because it obscures the identity of the ultimate merchant from both the player and, at least on the face of the payment instruction, the executing bank. This undermines transparency, complicates complaints and refunds, and may weaken the effectiveness of merchant due diligence, AML screening, and transaction monitoring across the payment chain. Rail description The observable Winnita Pay-by-Bank flow begins in the casino cashier and redirects the player to checkout.instantbankpayment.com, a generic payment interface that does not itself disclose the gambling merchant in the manner players would reasonably expect.​ The player is then redirected into a Revolut authentication and consent flow in which Revolut asks the user to authorize Token GmbH, indicating that Token is the third-party provider invoking open-banking access and payment initiation. A subsequent review screen shows the beneficiary as Domus Payment Solutions and states that Token.io is initiating the payment.​ The result is a multi-layer structure in which the player’s bank account is debited for a casino deposit, but the visible beneficiary is a processor and not the casino operator or receiving merchant itself. Condensed rail view EntityVisible to playerApparent role in Winnita railCompliance relevanceWinnitaYes​Offshore casino / deposit originator​Source of the payment intent; gambling context is clear at cashier stage but disappears downstream.​InstantBankPayment (checkout.instantbankpayment.com)Yes​Generic checkout gateway / front-end payment router​Anonymous or minimally branded gateway design reduces merchant transparency and frustrates user understanding.​Token GmbHToken.ioYes, at bank consent stageRegulated open-banking PISP/AISP initiating the bank paymentFCA & BaFinregulated, Key regulated chokepoint; responsible for partner due diligence, governance, and risk controls proportionate to high-risk sectors.RevolutYes​ASPSP / executing bank for the player account​Executes authenticated push payment, but may only see processor-level beneficiary data rather than the underlying casino merchant.Domus Payment SolutionsDomuspay.ioYes, as payee​Named beneficiary / merchant-of-record / payment processorProcessor intermediation can mask the economic purpose and ultimate gambling merchant from players and banks.Underlying casino operator / merchantNo​Ultimate economic recipient or beneficiary of casino deposit​Non-disclosure creates consumer-protection, AML, and merchant-identification concerns. Token GmbH The BaFin and FCA-regulated Germen Token GmbH, commonly branded as Token.io within the group structure, is publicly presented as a regulated open-banking provider offering payment initiation and account information services across Europe and the UK. The Open Banking directory lists Token GmbH and Token.io Ltd as regulated providers, and Token.io markets itself as account-to-account payments infrastructure for PSPs, gateways, acquirers, and banks. Token also publicly identifies iGaming as one of the verticals it serves, which is significant in the present context because Winnita’s deposit rail appears to use Token’s infrastructure as the regulated payment-initiation layer between the checkout gateway and Revolut. This does not make Token the casino merchant, but it places Token at a central compliance chokepoint in the rail. Domus Payment Solutions Domus Payment Solutions (Domuspay.io) appears in the Winnita rail as the named payee on the payment review screen rather than the casino operator (screenshot left).​ Publicly available Domus materials present the company as a payment platform, wallet, and international payments provider, while external compliance-oriented profiles describe it as a payment processor active in high-risk environments and note regulatory-history issues around its Canadian MSB status. For the purposes of the Winnita rail, Domus is the immediate beneficiary visible to the player and likely the payment-facing entity visible to the bank. That role is highly significant because it separates the payer from the actual gambling merchant and can obstruct both consumer understanding and effective transaction classification. Compliance analysis Merchant opacity The most serious issue is the disappearance of the actual merchant from the payment journey. The player begins at an offshore casino cashier and intends to fund gambling activity, yet the payment instruction presented in the banking flow identifies Domus Payment Solutions as payee and the German Token GmbH as the initiator, not the casino operator. This is a classic merchant-opacity problem: the commercial reality of the payment is not accurately reflected in the payment-facing presentation. This creates several compliance consequences. First, it frustrates the principle that payers should understand whom they are paying and for what purpose. Second, it may impair the bank’s ability to identify the transfer as gambling-related if the beneficiary descriptor and routing logic point primarily to a processor rather than the underlying merchant. Third, it weakens auditability because the user-facing evidence chain no longer clearly ties the debit to the underlying casino operator. Consumer protection From the player’s perspective, the payment is functionally a casino deposit but legally and operationally resembles a transfer to a processor. That distinction matters because account-to-account open-banking payments generally do not provide the chargeback protections associated with card rails, and industry materials around Pay-by-Bank explicitly market lower chargeback exposure as a merchant benefit. As a result, players face a particularly adverse combination of risks: no clearly disclosed gambling merchant, no intuitive route for complaint against the ultimate recipient, and limited post-transaction recourse once the push payment has been authenticated and executed. In practical terms, the player may only see “Domus Payment Solutions” on the payment screen or account record, making it difficult to contest the transaction as a casino deposit or to connect it to the offshore operator behind the gambling site. AML and transaction monitoring Merchant opacity also matters for AML, sanctions screening, and high-risk merchant controls. When the visible beneficiary is a processor rather than the actual gambling merchant, the payment chain may appear cleaner or less risky than the underlying economic activity justifies. This can reduce the effectiveness of customer-risk and merchant-risk models at multiple points in the chain, particularly if onboarding and monitoring focus on the direct processor relationship rather than the downstream casino portfolio. For regulated actors such as Token and Revolut, that raises questions about how downstream merchant activity is identified, classified, and monitored where processors or gateway operators stand between the bank and the underlying offshore casino. For Domus, the issue is even more direct: acting as named payee for deposits that are economically casino transactions may amount to systematic concealment of the true merchant context from the payer and possibly from bank-side controls. Regulatory Chokepoints The Winnita rail demonstrates that regulated entities remain embedded in the chain even where the gambling merchant is offshore. Revolut is the customer-facing bank, and Token is the regulated PISP/AISP facilitating the initiation layer.  That means the rail is not outside supervisory reach simply because the casino is offshore; rather, the key compliance question becomes whether the regulated participants are adequately identifying and managing the downstream merchant risk. In high-risk sectors such as offshore gambling, regulators and payment partners would reasonably ask whether onboarding, due diligence, and ongoing monitoring sufficiently identify the ultimate merchants, the jurisdictions served, the legality of the gambling offer, and the transparency of the payee information shown to end users. The evidence in the Winnita flow suggests those questions are not merely theoretical. Comparison with other rail cases The Winnita findings fit a broader pattern observed in other offshore casino payment-rail investigations, where processors rather than gambling operators appear as visible payees in open-banking deposit flows.​ FinTelegram’s 1Go Casino rail investigation documented another layered flow involving InstantBankPayment and processor intermediation, including a route in which Domus Payment Solutions appeared as payee rather than the casino operator.​ That recurrence strengthens the inference that processor-level payee substitution is a systematic feature rather than an isolated technical artifact. Read our 1Go casino rail analysis here. Conclusions The Winnita Pay-by-Bank rail is not merely a neutral payment architecture. It is an opaque, processor-mediated structure in which the player initiates a casino deposit but is shown neither the ultimate merchant nor, apparently, the true gambling beneficiary in the bank payment flow. That opacity creates material consumer-protection harm, weakens payment transparency, complicates complaints and recovery efforts, and raises significant AML and merchant-monitoring questions for every regulated participant in the chain. The central compliance consequence is straightforward: when the visible payee is a processor such as Domus Payment Solutions instead of the actual casino merchant, both the payer and the executing bank lose sight of the true economic counterparty. In a high-risk sector such as offshore gambling, that is a serious red flag because it can conceal merchant identity, impair risk controls, and deprive players of meaningful post-transaction remedies. Call for information Players, insiders, payment professionals, and counterparties with knowledge of Winnita or similar offshore casino rails are encouraged to submit additional material to FinTelegram via the Whistle42 whistleblower platform. Relevant evidence includes payment confirmations, bank statements, screenshots of deposit and payout flows, merchant descriptors, support correspondence, KYC or onboarding documents, and any records showing which processor or beneficiary actually received the funds. Share Information via Whistle42

Editorial Note: The legal notice was signed by a person identifying himself as Hennadii Postnov, Director of Capitolio Inc. FinTelegram has not yet been able to independently verify this individual’s director status from publicly accessible sources. Capitolio is invited to provide an Alberta corporate registry extract, director resolution, or other evidence confirming Mr. Postnov’s authority to act for the company. After FinTelegram identified CAPITOLIO INC. as the visible payee in a tested 1Go Casino Revolut/Yapily open-banking deposit flow, the Canadian MSB demanded removal of the report. But Capitolio’s own notice does not refute the key payment-rail finding. On the contrary, it confirms that Capitolio appears as named payee in transactions processed through its open-banking on-ramp infrastructure. Since publication, Capitolio appears to have corrected regulatory information on its website, and 1Go Casino appears to have removed the Revolut option from its cashier. This is precisely why FinTelegram’s Rail Atlas matters. 2-Minutes Briefing FinTelegram’s Rail Atlas was created to document how offshore casino deposit flows travel through payment gateways, open-banking providers, wallets, crypto rails, and regulated chokepoints before reaching the final bank-facing payment screen. The recent 1Go Casino / Capitolio case provides a useful methodology example. Read the 1Go Casino rail analysis here. In the original FinTelegram review, a tested 1Go Casino deposit flow led from the casino cashier through several gateway layers and ultimately to a Revolut/Yapily open-banking screen where CAPITOLIO INC. appeared as the visible payee. Capitolio later sent FinTelegram a formal legal notice demanding removal of the article. The notice alleges defamation and demands full removal, but it does not appear to refute the central screenshot-based finding. Instead, Capitolio states that it appears as named payee in transactions processed through its Open Banking on-ramp infrastructure, describing this as standard technical architecture. That statement is important. It means the core issue is not whether FinTelegram correctly saw Capitolio as payee. Capitolio’s position appears to confirm that this can be the normal setup for its on-ramp infrastructure. The real question is whether open-banking rails, PISPs, PSPs, MSBs, and banks can detect the underlying commercial purpose when the user starts inside an offshore casino cashier but the bank-facing payee is a payment-infrastructure entity. Since the publication, two further developments strengthen the Rail Atlas thesis: First, Capitolio appears to have modified its website. Earlier screenshots showed Capitolio displaying CSSF registration number B00000408 and RCS number B222310 under the headline “Company Registered in Canada.” Those identifiers match Banking Circle’s Luxembourg regulatory references; Banking Circle’s own website identifies Banking Circle S.A. as a Luxembourg credit institution supervised by the CSSF and lists financial registration number LUB00000408 and trade register number B222.310, with its footer also showing CSSF registration number B00000408 and RCS number B222310. Capitolio’s current public pages now present the Canadian registration and FINTRAC information, including FINTRAC registration M24928320 and Corporate Access Number 2025599024. Second, a fresh review of the 1Go Casino cashier indicates that the Revolut rail has apparently been removed, while other open-banking / Pay by Bank rails remain available. In the updated review, FinTelegram again found Domus Payment Solutions as payee in a Pay by Bank rail, and an additional open-banking route led via secure.bankgate.io toward a bank login interface showing Bridge SaltEdge API. Salt Edge publicly markets payment initiation and open-banking products, and Bridge documentation describes open-banking payment initiation functionality. This is the broader message: payment-rail reporting works. It creates visibility. It forces processors to respond. It causes infrastructure changes. And it exposes the structural weakness in open-banking casino payments: the visible payee may not be the player-facing casino brand. Key Findings Capitolio demanded removal of FinTelegram’s report but did not identify a clear factual error in the core rail evidence. The notice mainly objects to categorisation, framing, lack of pre-publication contact, and personal-data handling. Capitolio appears to confirm the central payee finding. Its notice states that Capitolio appears as named payee in transactions processed through its Open Banking on-ramp infrastructure. This confirmation is methodologically important. It supports FinTelegram’s core Rail Atlas concern: in open-banking rails, the bank-facing payee may be the infrastructure/on-ramp provider rather than the underlying merchant or casino brand. FinTelegram made proportionate editorial adjustments. The category “Illegal Payment Services” was removed, a personal name was removed, and the word “scheme” was replaced with “operating model.” These changes do not alter the core payment-rail finding. Capitolio appears to have corrected its website after publication. Earlier evidence showed CSSF/RCS identifiers matching Banking Circle references; the currently visible Capitolio pages now present Canadian and FINTRAC registration details. Capitolio identifies itself as an Alberta corporation and FINTRAC-registered MSB with registration number M24928320. The original CSSF/RCS issue was real and relevant. Banking Circle’s official regulatory-information page lists the same Luxembourg-style identifiers: CSSF registration number B00000408 and RCS number B222310. The 1Go Casino cashier appears to have changed after FinTelegram’s report. A fresh FinTelegram review indicates that the Revolut option was removed from the cashier, while Pay by Bank and crypto-related rails remained visible. Domus Payment Solutions still appeared as payee in a Pay by Bank rail. This means the non-casino-payee issue did not disappear; it shifted to another rail. Bridge / SaltEdge appeared in the updated open-banking route. The updated review showed a bank login page referencing Bridge SaltEdge API, reached after routing through secure.bankgate.io. Salt Edge and Bridge both publicly describe open-banking / payment-initiation infrastructure. What Capitolio’s Notice Actually Says Capitolio’s notice is framed as a formal legal demand. It alleges that FinTelegram’s article is inaccurate, misleading, and defamatory, and it demands complete removal. It relies on Alberta defamation law, Austrian law, EU platform rules, and GDPR arguments. However, from a Rail Atlas perspective, the most important sentence is not the legal threat. It is this position: Capitolio states that it appears as named payee in all transactions processed through its Open Banking on-ramp infrastructure. Capitolio presents this as a defence: it says the payee appearance is a standard technical architecture and not a compliance violation. FinTelegram’s interpretation is different. The fact that Capitolio appears as payee may indeed be part of its technical model. But that is exactly why the case matters. If the technical architecture of an open-banking on-ramp means that the infrastructure provider appears as the visible payee for casino deposits, then the decisive compliance question becomes: Does the bank, PISP, MSB, processor, and transaction-monitoring system still see the upstream casino context? If not, open banking can create payment-purpose dilution. Capitolio’s Position vs. FinTelegram’s Interpretation IssueCapitolio’s PositionFinTelegram’s InterpretationPayee appearanceCapitolio says it appears as named payee in transactions processed through its Open Banking on-ramp infrastructure.This confirms the observed payee role. The unresolved question is whether the upstream casino context was visible and monitored.Technical architectureCapitolio argues this is standard and not a violation.Standard architecture can still create systemic compliance risk if it masks the underlying merchant purpose.1Go Casino connectionCapitolio disputes FinTelegram’s framing and demands removal.The screenshot-based finding remains: a tested 1Go Casino flow showed CAPITOLIO INC. as payee.Article categoriesCapitolio objected to “Illegal Gambling” and “Illegal Payment Services.”FinTelegram removed “Illegal Payment Services” and can keep the focus on payment-rail evidence, not adjudicated liability.“Scheme” wordingCapitolio objected to the word “scheme.”FinTelegram replaced it with “operating model.”Compliance officer nameCapitolio objected to personal-data use.FinTelegram removed the personal name.Core Rail Atlas issueCapitolio says no compliance violation is established.FinTelegram says the structure raises legitimate questions about merchant visibility, KYB, payment-purpose classification, and casino-origin funds. Why the Capitolio Response is Interesting The Capitolio letter is important because it illustrates a recurring pattern in payment-rail investigations. Payment processors and infrastructure providers may not deny the architecture. Instead, they may argue that the architecture is standard, technical, or necessary. That is not the end of the inquiry. It is the beginning. If the architecture causes a bank-facing payee to differ from the consumer-facing merchant, then compliance teams must ask: Who is the real merchant? Who onboarded the merchant? Who knows the payment is casino-related? What does the bank see? What does the PISP see? What does the MSB see? What does the consumer see? Is the payment classified as gambling, gaming, crypto, or ordinary services? Are high-risk jurisdictions and unlicensed gambling markets blocked? The answer cannot simply be: “This is how open banking works.” If open banking works in a way that removes the casino brand from the bank-facing payee layer, then regulators should examine whether the model creates a blind spot. The Website Correction: Why the CSSF/RCS Issue Matters One of FinTelegram’s findings in the Capitolio article concerned an unusual regulatory-information issue. Earlier screenshot evidence showed Capitolio’s website displaying: Company Registered in CanadaCSSF registration number: B00000408RCS number: B222310 That was problematic because CSSF/RCS identifiers are Luxembourg regulatory/company references, not Canadian corporate identifiers. Banking Circle’s official regulatory page lists Banking Circle S.A. as a Luxembourg credit institution supervised by the CSSF and provides financial registration number LUB00000408 and trade register number B222.310; its footer also displays CSSF registration number B00000408 and RCS number B222310. FinTelegram did not claim that Capitolio was connected to Banking Circle. The issue was website integrity and regulatory representation. A Canadian MSB should not display unexplained Luxembourg banking identifiers that appear to correspond to another financial institution. After the FinTelegram report, Capitolio appears to have modified the website. The currently visible Capitolio pages now present Canadian registration information, including FINTRAC registration number M24928320 and Alberta Corporate Access Number 2025599024. That is a concrete impact. FinTelegram identified an apparent regulatory-information anomaly. The website appears to have been corrected. That is precisely what compliance reporting is supposed to achieve. The Updated 1Go Casino Cashier: Revolut Removed, Rails Remain A fresh FinTelegram review of the 1Go Casino cashier indicates that the Revolut tile has apparently disappeared from the visible payment options. The updated cashier still showed: Crypto Currency; ByBit; Pay by Bank; another Pay by Bank-style rail; This suggests that the specific Revolut rail identified in the original report may have been removed or disabled after publication. If so, that would be another meaningful impact of the Rail Atlas report. However, the broader rail problem remains. The updated 1Go Casino review found Domus Payment Solutions as payee in the Pay by Bank rail. In addition, the open-banking route now led through secure.bankgate.io and into a bank login page that displayed Bridge SaltEdge API. Salt Edge publicly describes payment-initiation services as enabling payments through open-banking channels, and Bridge’s documentation describes open-banking payment initiation via payment requests. This means the 1Go cashier may have changed rails, not necessarily reduced risk. The names may change. The methodology remains the same: follow the rail from the casino cashier to the bank-facing authorisation screen and identify the real payee, the PISP, the gateway, and the responsible processor. The Updated 1Go Rail Map Original Revolut / Yapily / Capitolio Rail LayerObserved ElementCompliance RelevanceCasino front-end1Go Casino cashierUser starts a casino deposit.Gateway layerBillBlendFirst visible payment-routing layer.Gateway layerSegoPayAdditional payment-routing layer.Gateway layerTryztoOpaque intermediary layer.Open-banking bridgeInstantBankPaymentBridge into bank/open-banking flow.Regulated PISP layerYapily Connect UABUser authorised Yapily through Revolut OBA.Bank-facing endpointRevolut OBAFinal authorisation interface.Visible payeeCAPITOLIO INC.Non-casino payee shown at bank-facing layer. Updated Pay by Bank / Bridge / SaltEdge Route LayerObserved ElementCompliance RelevanceCasino front-end1Go Casino cashierUser starts a casino deposit.Payment optionPay by BankAccount-to-account deposit rail remains available.Gatewayssecure.bankgate.iocheckout.instantbankpayment.comRouting layer into bank-authentication flow.Open-banking interfaceBridge SaltEdge APINew or alternative open-banking layer observed in the updated review.Open banking facilitatorsBridge by Perspecteev(https://bridgeapi.io) SaltEdge (https://saltedge.com)Bridge (Perspecteev) and SaltEdge are operated by regulated financial service providers in the UK and France and should not facilitate illegal casinos.Bank loginSelected bank login screenUser is directed into bank authentication.Visible payee in related Pay by Bank flowDomus Payment SolutionsNon-casino payee issue remains present in the 1Go cashier environment. Rail Atlas Methodology: The Lesson From Capitolio The Capitolio case demonstrates why FinTelegram does not merely report “payment options.” It maps payment rails. A casino cashier screenshot is only the starting point. The relevant questions emerge only after following the user journey: Which gateway appears first? Which intermediary domains are used? Which regulated PISP or open-banking provider appears? Which bank authorisation screen appears? Who is the visible payee? Is the payee the casino brand, the operator, a payment agent, an MSB, or a third-party collection entity? Does the payment purpose remain visible as gambling? Do the rails change after public exposure? The Capitolio case answers one of these questions in a particularly important way. Capitolio’s notice states that Capitolio appears as named payee in its open-banking on-ramp transactions. That may be technically standard for Capitolio. But in a casino-origin flow, it raises exactly the compliance issue FinTelegram identified. The question is not merely whether the payee name is technically correct. The question is whether the payment ecosystem understands that the money started as a casino deposit. Why This Matters for Payment Processors FinTelegram’s reporting is designed to create visibility and accountability across high-risk payment rails. The objective is not to attack legitimate payment innovation. The objective is to ensure that regulated and semi-regulated payment infrastructure is not used to support offshore casinos that target users in jurisdictions where they do not hold the required local licence. 1Go Casino is publicly associated with Galaktika N.V. and a Curaçao licence. Public casino pages identify Galaktika N.V. as the operator and reference Curaçao licence OGL/2024/169/0146. The Cyprus-based Unionstar Limited is named as the casinos payment agent. A Curaçao licence does not automatically authorise an operator to target players in every EU jurisdiction. In many European markets, online gambling requires local authorisation, national licensing, or strict compliance with domestic gambling rules. This is where payment processors become relevant. If a casino cannot lawfully operate in a target jurisdiction, payment processors should not provide hidden or indirect funding channels into that market. The key compliance expectation is simple: Do not let payment architecture turn an illegal or unauthorised casino deposit into an ordinary-looking bank transfer to a payment-infrastructure company. Regulatory Questions Raised The Capitolio response and the updated 1Go cashier raise several questions for regulators and payment firms: If an open-banking on-ramp provider appears as named payee, how is the underlying merchant shown to the user, the bank, and the PISP? If the payment originates in a casino cashier, who is responsible for classifying the transaction as gambling-related? Can banks detect casino-origin deposits where the visible payee is an MSB, PSP, or payment agent? Do PISPs and open-banking aggregators receive upstream merchant-category information from gateways and payment orchestrators? Are processors required to block merchants that target jurisdictions where the casino lacks local authorisation? What happens when a rail is removed after media exposure? Is the merchant terminated, migrated, or simply re-routed? Does the replacement of one rail with another indicate genuine compliance remediation or merely payment-rail rotation? Should open-banking consent screens disclose the underlying merchant and commercial purpose, not only the technical payee? These are not theoretical questions. They are now visible in live casino payment flows. Conclusion Capitolio’s legal notice did not undermine FinTelegram’s Rail Atlas reporting. It strengthened the methodology. The central finding was that CAPITOLIO INC. appeared as the visible payee in a tested 1Go Casino Revolut/Yapily open-banking deposit flow. Capitolio’s response did not clearly refute that. Instead, it stated that Capitolio appears as named payee in transactions processed through its open-banking on-ramp infrastructure. That is exactly the point. The payment industry may regard this as normal technical architecture. FinTelegram regards it as a critical compliance question when the upstream transaction originates from an offshore casino cashier. If the casino brand disappears before the transaction reaches the bank-facing layer, payment-purpose dilution has occurred. The aftermath is also telling. Capitolio appears to have corrected its website after FinTelegram highlighted the CSSF/RCS anomaly. 1Go Casino appears to have removed the Revolut rail after FinTelegram exposed the Revolut/Yapily/Capitolio flow. But other rails remain, including Pay by Bank routes, Domus Payment Solutions as payee, and a newly observed Bridge/SaltEdge route through secure.bankgate.io. That is the Rail Atlas lesson: The rail may change.The payee may change.The gateway may change.The compliance question remains. FinTelegram will continue following the payment rails, documenting the chokepoints, and asking payment processors, PISPs, MSBs, banks, and regulators the same question: Do your systems know when an ordinary-looking account-to-account payment is actually an offshore casino deposit? Call for Information If you, as a player or insider, have information about Capitolio or other payment facilitators in the casino industry, please share it with us via our whistleblower platform, Whistle42. If you have any relevant payment documents or screenshots, please send them to us. Share Information via Whistle42

FinTelegram has received a victim-organized app list that changes the OpenPayd–Klickl case materially. The list identifies several dozen victim-app entries and at least 27 different app/front-end names allegedly used to lure victims into the same OpenPayd–Klickl payment rail. KXTRA and Peelhuntaicore were not isolated brands. They appear to be part of a disposable app-front-end layer feeding victim funds into OpenPayd Malta vIBANs / CFTEMTM1 and onward to Klickl Europe. 2-Minute Briefing The OpenPayd–Klickl fraud rail was evidently fed by a whole factory of fake investment apps. A victim-organized list reviewed by FinTelegram identifies 46 victim-app entries and at least 27 distinct app/front-end names, including Peelhuntaicore, KXTRA, PHFINCORE, FinTechX, BMEBEX, MirrorTrd, SSGM Pro, YHT, KKRDE, kkr-am-pro, KzipPro, FD MIN, Quantanils, Phantom, Voya, SSIM INT, KIZ/Kl Zep variants, and others. This changes the case. We are no longer looking at one scam app or one impersonation scheme. The evidence points to a multi-app fraud architecture: disposable app frontends, WhatsApp/Telegram grooming, fake dashboards, blocked withdrawals — and a stable payment backend. The stable backend is the key. Previous OpenPayd payment summaries show victim Payins followed by immediate transfers to Klickl Europe Sp. z o.o. with the reference “Sweep to Primary Account.” OpenPayd’s GDPR response to victims confirmed the vIBAN architecture: OpenPayd’s corporate client was Klickl Europe; the victim-facing IBAN was a named virtual IBAN linked to Klickl Europe’s payment account; funds credited to that account became the property of Klickl Europe. Public warnings support the app-front-end pattern. Legitimate Peel Hunt warns that it does not use WhatsApp, downloadable apps or social-media channels for regulated investment activity and specifically names PEELHUNTAICORE and PHFINCORE as apps not associated with Peel Hunt. BaFin has warned about WhatsApp groups pushing alleged crypto trading through FintechX and FNTCX apps. Public scam reports also identify BMBEX/BMEBEX, MirrorTrd, SSGM Pro, and YHT as high-risk or scam-linked trading/app names. The frontends changed. The rail stayed the same. Key Findings The app list is “mindblowing” evidence of scale. The screenshot identifies dozens of victim-app entries and at least 27 distinct app/front-end names. This is not one rogue app. It is a repeatable app-front-end layer. Peelhuntaicore was only one face of the scheme. Seven listed victims are connected to Peelhuntaicore, but the list also includes KXTRA, PHFINCORE, FinTechX, BMEBEX, MirrorTrd, SSGM Pro, YHT and many more. The payment backend is the common denominator. Prior OpenPayd summaries show Payin → Transfer → Klickl Europe, often with “Sweep to Primary Account.” The app names changed; the OpenPayd–Klickl rail remained stable. The apps match known scam typologies. Peel Hunt publicly denies any link to Peelhuntaicore and PHFINCORE, while BaFin and public scam warnings identify similar WhatsApp/app crypto-trading schemes involving FintechX, FNTCX, BMEBEX, MirrorTrd, SSGM Pro and YHT. Klickl Europe cannot credibly be treated as a passive recipient. If dozens of app-front schemes funded Klickl Europe through OpenPayd vIBANs, Klickl should have merchant/customer data, wallet destinations, conversion records, ledger entries and transaction-monitoring alerts. OpenPayd must explain the vIBAN exposure. OpenPayd provided the vIBAN infrastructure. It must explain how many Klickl-linked vIBANs were issued, how many app-front complaints were received, and why repeated retail deposits did not stop the rail earlier. Regulators should treat this as a payment-enabled investment-fraud network. Disposable apps plus stable payment rails are not “weak compliance.” They are the operating model of modern cyber-enabled investment fraud. Key Data Table Entity / App / MechanismRoleEvidenceRed FlagOpenPayd Malta / CFTEMTM1vIBAN infrastructure / payment facilitatorOpenPayd files and GDPR responseVictim-facing vIBANs used for scam depositsKlickl Europe Sp. z o.o.(part of Klickl Group)Corporate client / sweep recipientPayment summaries show transfers to Klickl EuropeFunds repeatedly swept to same Polish VASPPeelhuntaicoreFake Peel Hunt app frontendVictim list; Peel Hunt warningLegitimate Peel Hunt denies associationPHFINCOREFake Peel Hunt-related app frontendVictim list; Peel Hunt warningNamed by Peel Hunt as not associatedKXTRAFake investment app frontendVictim list; Humer fileLinked to KKR-style investment narrativeFinTechX / FintechXApp/frontendVictim list; BaFin warning about FintechX/FNTCX in WhatsApp groupsGerman regulator warning patternBMEBEX / BMBEXApp/frontendVictim list; public scam warningsIdentity/brand-shift patternMirrorTrd / Mirror TradeApp/frontendVictim list; public warning reportsTrading-app scam warningSSGM ProApp/frontendVictim list; public low-trust/scam-risk reportsDisposable app / download ecosystemYHTApp/frontendMultiple victims in list; public high-risk broker/app reportsRepeated victim count; fake investment patternOther listed appsAbrI3, AGAMK, CSCpro, FD MIN, Gimch Elite, KIZ/Kl Zep variants, KR, KKRDE, kkr-am-pro, KzipPro, Phantom, Quantanils, SSIM INT, Voya, Y-Max 2.01Victim-organized app listRequires further victim files and app screenshots Rail Map Fake investment app frontend → WhatsApp / Telegram grooming → OpenPayd Malta named vIBAN / CFTEMTM1 → Payin → immediate Transfer → “Sweep to Primary Account” → Klickl Europe Sp. z o.o. → crypto/on-ramp or settlement layer → unknown operators Short explanation: the apps appear to be the disposable victim interface. They create the fake balance, fake profits and fake withdrawal process. The rail is the money machine: OpenPayd vIBAN intake, Klickl Europe as recipient, and an unknown downstream crypto or settlement layer. Read our Klickl Europe reports here. FinTelegram Assessment Established Facts The victim-organized app list contains 46 victim-app entries and at least 27 distinct app/front-end names. Previous OpenPayd payment summaries show victim deposits being transferred to Klickl Europe with “Sweep to Primary Account.” OpenPayd’s GDPR response confirms that the relevant named vIBAN was linked to Klickl Europe’s payment account and that credited funds became Klickl Europe’s property. Strong Inferences The evidence points to a scalable fraud architecture: many frontends, one payment backend. KXTRA and Peelhuntaicore were not exceptions. They were part of a broader app-front layer feeding OpenPayd–Klickl rails. Working Hypotheses Klickl is a global crypto scheme controlled by Chinese nationals. Klickl Europe is the scheme’s Polish entity – registered as a VASP – that is used as payment facilitators for this vast scam network. The Polish Klickl entity is registered as a merchant at OpenPayd, a licensed EMI supervised by the MFSA in Malta. So we are not dealing here merely with anonymous scammers, but also with specific registered and licensed payment processors, whose beneficial owners and executives can be held responsible for the victims’ losses (read our “Who is behind Klickl report here“). The same applies to the relevant regulators. Klickl Europe was not merely an accidental recipient. It evidently acted as on-ramp, settlement layer, or merchant-account hub for operators behind multiple fake investment apps. Whether Klickl or related persons were closer to the fraud operators remains open — but the volume and repetition make ignorance hard to accept. Open Questions Who created or controlled the apps? Which merchants or customers did Klickl onboard? Were funds converted to crypto? Which wallets or exchanges received the money? What transaction-monitoring alerts did OpenPayd and Klickl generate? Why were the same rails active across so many app names? Whistleblower / Victim Call FinTelegram is collecting: OpenPayd GDPR / DSAR responses; OpenPayd payment-summary Excel files; app screenshots; app download links or APK files; WhatsApp / Telegram group screenshots; fake broker names and phone numbers; vIBANs and bank receipts; Klickl account references; wallet addresses and transaction hashes; police reports; BaFin / regulator complaints; emails or chats from Klickl or OpenPayd. We are especially interested in Peelhuntaicore, PHFINCORE, KXTRA, FinTechX, BMEBEX, MirrorTrd, SSGM Pro, YHT, KKRDE, kkr-am-pro, KzipPro, FD MIN, Quantanils, Phantom, Voya, SSIM INT, and KIZ/Kl Zep variants. Share Information via Whistle42

FinTelegram has identified mixfind.com as the named payee in a Skrill Prepaid Mastercard verification screen during a casino deposit review. MixFind publicly presents itself as a Payment Support Portal that helps users identify unknown card charges — but its website does not disclose a legal entity, jurisdiction, ownership, PSP role, acquiring relationship, or merchant portfolio. We are asking players, insiders, PSP staff, and compliance officers to help identify the operator behind MixFind. Key Findings MixFind appeared as a transaction payee. In a Skrill Prepaid Mastercard verification screen reviewed by FinTelegram, the payee appeared as “mixfind.com” for a EUR 20.00 transaction. The transaction arose inside a casino deposit review. FinTelegram observed MixFind in the context of a payment test connected to an offshore casino cashier flow. MixFind does not present itself as a casino merchant. The website describes itself as a payment lookup portal for users who do not recognize a transaction and want to retrieve merchant and order information. MixFind claims to cross-reference “millions of transactions.” Its homepage says its system “securely cross-references millions of transactions” and allows users to view merchant name, contact information, and receipt data associated with a charge. The legal operator is not disclosed. MixFind’s terms refer only to “Company,” “we,” and “us,” but do not identify a legal entity, registration number, address, directors, jurisdiction, or licensing status. MixFind acknowledges “authorized billing partners.” Its terms state that the portal helps identify statement descriptors, debits, or card charges executed by “authorized billing partners.” MixFind says it is not a financial institution and does not process payments through the portal. That statement does not explain why mixfind.com appeared as a payee in the Skrill verification flow. MixFind’s privacy policy says inquiry data may be transmitted to merchants, payment gateways, or acquiring banks. This confirms that MixFind claims to sit near the merchant/gateway/acquirer reconciliation layer. Only an email address is provided. MixFind lists info@mixfind.com for legal, privacy, compliance, and DPO-style correspondence, but does not disclose a company name or physical address. Brief Summary: What We Know About MixFind MixFind describes itself as a Payment Support Portal for identifying unknown card charges. The site asks users to submit their name, email address, first six and last four card digits, transaction date, amount, and comments in order to “pull up” merchant and order information attached to a payment. Its terms define the portal as a billing inquiry tool for statement descriptors and card charges executed by authorized billing partners, while simultaneously stating that MixFind is not a bank, credit union, or financial institution and does not process payments through the portal. Its privacy policy is more revealing. It says MixFind may share inquiry data with the specific merchant, payment gateway, or acquiring bank associated with the charge. That places MixFind, at minimum, close to the charge reconciliation, descriptor, merchant-support, gateway-support, or acquirer-support layer. Read our Malina casino payment rail review here. The MixFind source code adds another layer to the concern. The site is a noindex/nofollow WordPress-based “Payment Lookup” portal using a custom /wp-json/payment-lookup/v1/lookup endpoint to collect partial card data and transaction details. Yet it discloses no legal operator, no jurisdiction, no PSP/acquirer relationship and no merchant portfolio. In light of MixFind appearing as the payee in a Skrill card verification screen, this is a descriptor-layer red flag that requires explanation from Skrill, the acquirer, MixFind’s undisclosed operator and its “authorized billing partners.” What MixFind does not disclose is equally important: no legal entity, no jurisdiction, no beneficial owner, no management, no registration number, no acquiring partner, no PSP relationship, no merchant portfolio, and no explanation why mixfind.com appeared as the named payee in a Skrill Prepaid Mastercard transaction connected to a casino deposit test. Call to Action FinTelegram Request: Who Is Behind MixFind? FinTelegram is seeking information about MixFind, the anonymously operated payment-support portal at mixfind.com, after the domain surfaced as a named payee in a Skrill Prepaid Mastercard verification screen during an offshore casino deposit review. We are especially interested in documents showing whether MixFind is: a merchant descriptor layer; a payment support portal for high-risk merchants; a chargeback-reduction or transaction-reconciliation tool; a payment facilitator interface; a merchant-of-record wrapper; a gateway support layer; an acquirer-facing inquiry system; or a front-end for another payment processor. We are asking casino players, payment insiders, PSP staff, acquiring-bank employees, compliance officers, fraud analysts, former employees, and whistleblowers to submit information through Whistle42. Please send us: Skrill, Neteller, MiFinity, card, bank, or wallet receipts showing mixfind.com as payee or descriptor; screenshots of payment verification screens naming MixFind; bank or card statements showing MixFind-related descriptors; emails or support replies from MixFind; charge lookup results from mixfind.com; merchant names returned by MixFind after entering transaction details; MCC data, ARN numbers, authorization codes, transaction IDs, or acquiring-bank references; documents identifying MixFind’s legal entity, owners, directors, PSP partners, acquiring banks, processors, or “authorized billing partners”; internal onboarding, KYB, risk, compliance, chargeback, or monitoring records involving MixFind; evidence linking MixFind to online casinos, betting platforms, crypto purchases, fake-FIAT deposits, or high-risk merchants. The central question is simple: Why does an anonymous “Payment Support Portal” appear as the payee in a Skrill card transaction connected to a casino deposit flow? Players and insiders can submit documents securely via Whistle42. Share Information via Whistle42

FinTelegram’s latest OpenPayd files show a hard pattern: victim deposits into OpenPayd vIBANs were swept to Klickl Europe Sp. z o.o. The Polish entity is controlled by Xu Zhao, who appears linked to Michael (Xu) Zhao, founder/CEO of Klickl and a crypto-finance figure connected to IDCM, VGPay, Crypto 1 Acquisition Corp, and C1 Fund. This is not a faceless payment rail. It has names, entities, and control points. 2-Minute Briefing Klickl is not a small Polish VASP. The Polish entity is only the EU-facing rail node of a broader, Chinese-controlled crypto-finance system with multiple business units, websites, jurisdictions, and payment functions. FinTelegram has repeatedly identified Klickl Europe Sp. z o.o. in OpenPayd victim files. The payment pattern is consistent: victims paid into OpenPayd named vIBANs / CFTEMTM1, and the funds were then transferred to Klickl Europe with the reference “Sweep to Primary Account.” That places the Polish entity directly inside the victim-fund flow. But the Polish company is not the whole structure. It is the European access point. Klickl’s own ecosystem presents a much larger operation. Klickl Pay describes itself as a “multi-jurisdictional virtual asset service provider” operating across different licensing frameworks and hubs. It offers merchant payments, global transfers, stablecoin payments, and fiat/crypto collection and payout functionality through wallet and API infrastructure. In other words, Klickl is not merely registering as a Polish VASP. It markets itself as a cross-border fiat-and-crypto payment system. The wider Klickl footprint includes multiple domains and product lines: klickl.com, klickl.eu, klicklpay.com, klicklx.com, klicklone.com, klicklcustody.com, ex.klickl.com, futures.klicklx.com, alliance.klickl.com, and other related digital-asset interfaces. These are not decorative websites. They map to payments, exchange, custody, merchant infrastructure, trading, Web3 accounts, and partner networks. The control question leads back to Xu Zhao / Michael Xu Zhao. The Polish register identifies Xu Zhao as the control person behind Klickl Europe. Public and SEC-linked materials connect Michael Xu Zhao to the broader Klickl/IDCM/VGPay/Crypto 1/C1 Fund network. This gives Klickl an international dimension: Poland for EU market access, ADGM/UAE for MENA positioning, Canada through the IDCM Exchange / FINTRAC node, U.S. vehicles through SEC-linked structures, and Hong Kong/China-linked crypto networks. That is the core finding: Klickl Europe appears to be the EU rail node of a global Klickl/Zhao crypto-payment system. OpenPayd provided the vIBAN infrastructure. Klickl Europe received the victim funds. The broader Klickl network must now explain where the money went, which business unit handled it, and who controlled the downstream wallets, exchanges, or settlement accounts. Read our reports on Klickl Europe here. Key Findings Klickl is not merely a Polish VASP. Klickl Europe is the EU-facing entity that appears in OpenPayd victim files, but the broader Klickl structure presents itself as a multi-jurisdictional crypto-finance and payment system with payments, fiat/crypto collection, stablecoin payments, exchange, custody, merchant services, Web3 accounts and API infrastructure. Klickl Pay explicitly describes itself as a multi-jurisdictional virtual-asset service provider. OpenPayd files place Klickl Europe inside the victim-fund flow. The payment summaries show the same pattern: victim Payin into OpenPayd infrastructure, immediate Transfer, and funds routed to Klickl Europe with the reference “Sweep to Primary Account.” The Humer file alone shows four Payins totaling €100,500, each matched by a transfer to Klickl Europe. The OpenPayd GDPR response confirms the vIBAN architecture. OpenPayd confirmed that the victim-facing IBAN was not a normal personal account, but a named virtual IBAN linked to Klickl Europe’s corporate payment account. OpenPayd also stated that once funds were credited, they became the property of Klickl Europe. That makes Klickl the economic recipient, not a passive name in the background. The Polish entity appears to be the EU rail node. Klickl Europe Sp. z o.o. is incorporated in Poland, disclosed with KRS 0001053580 and Polish virtual-asset registration RD WWW-930. Its role in the OpenPayd files suggests that it was used as the EU collection and on-ramp point for European victim flows. The Klickl ecosystem is global and multi-domain. The network includes or references multiple domains and product lines: klickl.com, klickl.eu, klicklpay.com, klicklx.com, klicklone.com, klicklcustody.com, ex.klickl.com, futures.klicklx.com, alliance.klickl.com, and related digital-asset interfaces. These map to payments, merchant collection, exchange, custody, Web3 accounts, trading and partner infrastructure. Klickl Pay adds a payment-system dimension. Klickl Pay markets merchant payments, global transfers and stablecoin payments, and says it integrates fiat and crypto payment modes into wallet or API infrastructure for domestic and cross-border collection and payment needs. That is directly relevant to the OpenPayd victim-fund flows. The network extends beyond the EU. Klickl’s broader map includes a Polish EU node, an ADGM/UAE node through Klickl International Limited, a Canadian FINTRAC-linked IDCM Exchange node, U.S. SEC-linked vehicles including Crypto 1 Acquisition Corp and C1 Fund, and Hong Kong/China-linked blockchain and crypto-payment connections. This is a global crypto-finance network, not a local Polish startup. The control question leads to Xu Zhao / Michael Xu Zhao. Polish register data identifies Xu Zhao as the controlling person behind Klickl Europe. Public and SEC-linked materials connect Michael Xu Zhao to the broader Klickl / IDCM / VGPay / Crypto 1 / C1 Fund ecosystem. The identity and control structure must be explained by Klickl, OpenPayd and regulators. The fraud-front exposure is no longer isolated. Klickl Europe appears in victim flows connected to fake investment fronts including KXTRA / KKR Global Investment and fake Peel Hunt / Peelhuntaicore. The evidence points to more than one scam brand using the same OpenPayd–Klickl rail. Klickl must hold the downstream data. If Klickl Europe was “only” an on-ramp, it should know the customer, ledger entries, wallets, exchanges, OTC desks, settlement partners and conversion records. If it cannot identify where the victim money went, the suspicion deepens. Read our report on the KXTRA and Peel Hunt scams here. The Key People Behind Klickl Michael (Xu) Zhao — The Control Person Behind The Polish Klickl Entity And The Global Klickl Network Michael (Xu) Zhao is the central control figure in the Klickl scheme (formerly known as the International Digital Currency Markets). In Poland, he appears as Xu Zhao, the control person behind Klickl Europe. In the global market, he appears as Michael Zhao / Michael Xu Zhao, founder and CEO of Klickl and Co-Founder / Managing Partner of C1 Fund in Dubai. This makes Klickl Europe the EU-facing rail node of a wider Zhao-controlled crypto-finance network — not an isolated Polish VASP. The hard corporate fact is in Poland: Xu Zhao is listed as president of the management board, beneficial owner, shareholder, and holder of the entire shareholding of Klickl Europe Sp. z o.o. Klickl Europe was the merchant/client entity in the OpenPayd rail that facilitated the investment scams KXTRA and Peel Hunt / peelhuntaicore. If victim funds were swept to Klickl Europe, the Polish control person is not a footnote. C1 Fund’s SEC materials identify Michael (Xu) Zhao as Vice Chairman and also Founder & CEO of Klickl. SEC filings for Crypto 1 Acquisition Corp identify Michael (Xu) Zhao as founder, CEO and director. The filing states that he began investing in crypto in 2016, served as founder/executive chairman of International Digital Currency Markets (IDCM), and founded/led VGPay, a crypto-payment business serving crypto exchanges and their clients. FinTelegram’s working position: Xu Zhao and Michael (Xu) Zhao appear to be the same control identity or directly connected control identity for Klickl Europe and the broader Klickl group. If Klickl disputes this, it should provide documentary clarification. Ben Huang, Dermot Mayes, Sanne Ke And The Public Team Klickl lists Ben Huang as President, Dermot Mayes as CEO of Klickl UAE, Shawn Xie as Head of KlicklONE, Alihan Ekesan as Head of Payments, Andrea Gay as Chief Strategy Officer, Jane Record as VP of Corporate Affairs, and Sanne Ke as Head of Compliance / MLRO. It also lists advisors including Dr. Najam Kidwai, Andrew Au, Nina Shapiro, and Mo Shaikh. This places Klickl in a broader crypto-finance network, not a simple Polish VASP box. Summary Table Person / EntityRoleJurisdiction / LinkEvidenceRed FlagXu Zhao akaMichael (Xu) ZhaoLinkedInPresident, UBO, full shareholder; Founder/CEO of Klickl; Crypto 1 founder/CEO/directorPoland / China-linked; US filings / crypto networkPolish register; C1 Fund SEC; LinkedIn profileControls entity receiving funds; DCM/VGPay crypto-payment backgroundBen HuangLinkedInPresident listed by KlicklKlickl public siteKlickl ExchangeNeeds clarification on role and oversightShawn XieLinkedInHead of KlicklONESingaporeKlickl ExchangeKlickl not listed in his LinkedIn profileSanne KeLinkedInHead of Compliance / MLRO listed by KlicklKlickl public siteKlickl ExchangeMust explain compliance controls; Klickl not mentioned in her LinkedIn profileDermot MayesLinkedInCEO, Klickl UAE listed by KlicklKlickl public siteKlickl ExchangeNeeds independent verification and role clarity; Alihan EkesanLinkedInHead of PaymentsKlicks public site Klickl ExchangeDr. Najam KidwaiLinkedInC1 Fund / advisor networkC1 Fund / KlicklC1 Fund, SEC,Klickl ExchangeLinks to broader digital-assets finance network FinTelegram does not allege that these persons operated any scam. The issue is governance accountability. If these individuals are publicly presented as leadership, payments, compliance, or advisory figures, then they should clarify what they know about Klickl Europe’s OpenPayd rails, onboarding, transaction monitoring, and victim-fund flows. Dr. Najam Kidwai And C1 Fund Links SEC materials for C1 Fund identify Dr. Najamul Kidwai as founder/chairman/director and refer to his digital-assets, blockchain, and software-investment background. Klickl Exchange also lists him in its board/advisor section as President and CEO of C1 Fund. This places Klickl in a broader crypto-finance network, not a simple Polish VASP box. Summary Table – The Klickl / Zhao Network The table should be used to frame Klickl as a multi-entity crypto-finance scheme, not merely as a Polish VASP. The Polish entity, Klickl Europe Sp. z o.o., is the entity repeatedly appearing in OpenPayd victim files as the recipient of swept funds. Klickl’s own disclosures also identify Klickl International Limited in ADGM and state that, unless otherwise specified, products and services on klickl.com are provided by Klickl Europe. SEC filings then connect Michael (Xu) Zhao to Klickl, Inc., IDCM, VGPay, Crypto 1 Acquisition Corp, and C1 Fund, creating a broader crypto-exchange, payment, and capital-markets network. CategoryEntity / DomainJurisdiction / StatusRole / RelevanceSource / EvidenceCore EU rail entityKlickl Europe Sp. z o.o.Poland; KRS 0001053580; VASP register RD WWW-930EU-facing Klickl entity. Identified in OpenPayd victim files as recipient of swept funds. Klickl says it provides services on klickl.com unless otherwise stated.Klickl disclosure states KRS 0001053580 and RD WWW-930; OpenPayd victim files identify Klickl Europe as receiver.Regulated ADGM entityKlickl International LimitedAbu Dhabi Global Market; FSRA firm; FSP No. 220070; activeADGM entity in the Klickl Group. Relevant to MENA positioning and regulated-crypto branding.ADGM register lists active financial firm, FSP date 16 Apr 2024; Klickl also discloses this entity.Legacy / broader group entityKlickl, Inc.SEC filings / Zhao-linkedC1 Fund filings say Zhao served as Executive Chairman of Klickl, Inc., formerly known as International Digital Currency Markets (IDCM).SEC / C1 Fund filing.Canadian MSB nodeIDCM Exchange LimitedCanada; FINTRAC-registered MSBRelevant because Klickl Pay’s disclosures reference IDCM Exchange Limited and the broader Zhao-linked IDCM legacy.FINTRAC-derived public registry data identifies IDCM Exchange Limited in Vancouver; Legacy crypto-exchange entityInternational Digital Currency Markets / IDCMInternational / Zhao-linkedCrypto exchange / digital-asset trading infrastructure. Reported predecessor or former name of Klickl, Inc.SEC / C1 Fund filing links Zhao to IDCM.Crypto-payment businessVGPayZhao-linked crypto-payment businessCrypto-payment operation; important because the OpenPayd/Klickl case concerns payment rails and crypto on-ramping.SEC / C1 Fund filing says Zhao was CEO of VGPay crypto-payment business.US SPAC vehicleCrypto 1 Acquisition CorpUnited States; SEC filer / SPACCapital-markets vehicle focused on digital assets / crypto / blockchain. Michael (Xu) Zhao identified as founder, CEO and director.SEC / C1 Fund filing.US fund structureC1 Fund Inc.United States; SEC filerDigital-asset / crypto-linked fund structure. Public materials identify Michael (Xu) Zhao as Vice Chairman and connect him to Klickl.SEC filing and Klickl/C1 public materials.Industry association linkHong Kong Blockchain AssociationHong Kong / industry associationNetwork node around Zhao and several public Klickl-linked persons; relevant to the China/Hong Kong crypto ecosystem.SEC/C1 materials and Klickl public-team context link Zhao and other named persons to HK blockchain circles.Group Domains / Brandsklickl.comklickluae.com/klicklpay.com / Klickl Payklicklone.com / KlicklONEklicklx.com / KlicklXklicklcustody.com / merchant.klicklcustody.comPublic websites & brandsProduct and service related websitespublic sourcesApp / related domaincryptoeasy.appApp/domainPreviously identified related app/domain; requires further verification of ownership and operational link.Investigative lead; verify before stating as confirmed group entity. Klickl Europe is the Polish entity that appears in the OpenPayd victim files, but the Klickl structure is broader. Klickl’s own disclosures point to a Polish VASP entity and an ADGM-regulated entity. SEC filings connect Michael (Xu) Zhao to Klickl, Inc., IDCM, VGPay, Crypto 1 Acquisition Corp and C1 Fund. In other words, the Polish company appears to be the EU rail node of a wider Zhao-linked crypto-finance network. The open question is whether that network was merely used by fraud operators — or whether parts of it were closer to the victim-fund flows than they now admit. FinTelegram Assessment — Global Klickl Dimension Established Facts Klickl Europe Sp. z o.o. is the entity repeatedly identified in OpenPayd victim-payment files as the recipient of funds swept from named OpenPayd vIBANs. The recurring pattern is clear: victim Payins entered the OpenPayd rail, were transferred out, and were swept to Klickl Europe with the reference “Sweep to Primary Account.” OpenPayd’s GDPR response confirms that the vIBAN structure was linked to Klickl Europe as corporate client and that credited funds became the property of Klickl Europe. Klickl Europe is the EU-facing entity in this structure. Beyond Poland, the Klickl/Zhao network extends into a broader international crypto-finance structure. Klickl’s own disclosures and public materials identify entities and domains outside Poland, including Klickl International Limited in ADGM/UAE and several product domains such as KlicklX, KlicklONE, Klickl Pay, Klickl Custody and the exchange-facing Klickl environment. SEC and C1 Fund materials connect Michael (Xu) Zhao to Klickl, Inc., IDCM, VGPay, Crypto 1 Acquisition Corp, C1 Fund, and Hong Kong blockchain networks. Klickl’s Role in Scam Schemes – Working Hypotheses Working Hypothesis 1 — EU Rail Node: Klickl Europe was used as the EU-facing rail for victim funds collected through OpenPayd vIBANs from German-speaking and other European victims. Working Hypothesis 2 — On-Ramp / Settlement Layer: Klickl Europe acted as a crypto on-ramp, settlement intermediary, or account layer for operators behind KXTRA, fake Peel Hunt / Peelhuntaicore, and possibly other scam frontends. Working Hypothesis 3 — Broader Network Link: The Polish entity was not acting in isolation but as part of a broader Klickl/Zhao ecosystem spanning Poland, ADGM/UAE, Hong Kong-linked crypto networks, and U.S.-linked capital-market vehicles. Working Hypothesis 4 — Control And Knowledge: If Klickl Europe received and controlled the victim funds, the broader Klickl control structure — including Michael/Xu Zhao and the publicly listed management and compliance personnel — should be able to identify the downstream customers, wallets, exchanges, OTC desks, and settlement partners. These hypotheses are not final criminal findings. They are the logical investigative direction created by the documents. FinTelegram Position FinTelegram’s position is that Klickl Europe must not be viewed in isolation. The Polish VASP is the entity appearing in the OpenPayd victim files, but it sits inside a broader international Klickl/Zhao crypto-finance network. The structure looks like this: EU market access: Klickl Europe Sp. z o.o. / Poland / RD WWW-930Payment rail: OpenPayd Malta vIBANs / CFTEMTM1Victim source: German-speaking and European retail investorsScam frontends: KXTRA, fake Peel Hunt / Peelhuntaicore, possibly othersCrypto layer: Klickl on-ramp / settlement / exchange or wallet infrastructureGlobal network layer: Michael/Xu Zhao, Klickl, Inc., IDCM, VGPay, Crypto 1 Acquisition Corp, C1 Fund, ADGM/UAE and Hong Kong-linked structures That is the real compliance and law-enforcement issue: a global crypto-finance network appears to have used a Polish VASP as its EU rail node, while OpenPayd provided the vIBAN infrastructure through which victim funds were collected and swept. If Klickl Europe was merely abused, the broader Klickl group should prove it by disclosing the downstream trail. If the group cannot explain where the money went, regulators should treat the Polish entity not as a standalone Polish VASP problem, but as the EU-facing node of a cross-border crypto-payment network exposed to suspected fraud flows. Whistleblower Call FinTelegram asks victims, Klickl insiders, OpenPayd staff, exchange employees, compliance officers, wallet-tracing firms and law-enforcement sources to contact Whistle42. We need: Klickl onboarding files, OpenPayd/Klickl contracts, wallet addresses, exchange accounts, transaction hashes, SAR/STR records, compliance emails, screenshots from KXTRA or Peelhuntaicore, Klickl platform records, and any information on Xu Zhao, Michael (Xu) Zhao, Ben Huang, Sanne Ke, Dermot Mayes, Alihan Ekesan, IDCM, VGPay, Crypto 1, or C1 Fund. Share Information via Whistle42

FinTelegram’s Malina Casino review exposes a geo-domain payment-rail layer targeting EU players through jurisdiction-specific deposit routes. Austrian and Italian test flows revealed Revolut Open Banking, Perspecteev SAS, RAPID, Finmesh, Skrill, MiFinity, ChainValley-style fake-FIAT crypto conversion, Zentoria, and the newly surfaced mixfind.com payee. The evidence points to a classic offshore casino rail model: the casino brand stays in the front window, while rotating payment facilitators, payees, gateways and open-banking actors move the money underneath. 2-Minute Briefing The strongest evidence is inside the payment flow: Malina Casino deposits from EU players did not resolve to one transparent casino merchant. They surfaced different third-party payees and routing layers — including Zentoria Limited and mixfind.com in Skrill card verification screens, and Perspecteev SAS inside Revolut Open Banking. FinTelegram tested Malina Casino via the geo-domain malinacasino-2836.com, which presented German, English and Italian user flows. The SimilarWeb screenshot reviewed by FinTelegram shows EU traffic concentration for that geo-domain, with Germany as the largest visible traffic source, followed by Czech Republic, Greece, France and Belgium. The cashier offered the familiar offshore casino menu: PlayID, VISA/Mastercard, Pay by Card, Paysafecard, Revolut, Bank Transfer, RAPID, Jetonbank, MiFinity, Neteller/Skrill and crypto deposits. But the real story is not the menu. The real story is what happens after the player clicks. In the Skrill Prepaid Mastercard verification flow, FinTelegram observed pending €20 transactions showing two different payees: “zentoria limited” and “mixfind.com.” Zentoria Limited has already appeared in several FinTelegram illegal casino payment-rail reviews. MixFind is new and significant. Its own website presents it as a payment lookup and statement inquiry portal designed to identify charges, merchant names, contact information and receipts attached to payments; its terms describe the portal as a billing inquiry tool for charges executed by “authorized billing partners,” while stating that MixFind is not a bank or financial institution and does not process payments through the portal. The Revolut rail was also exposed twice. In one path, Malina routed the player through Finmesh / redirect-gate to Revolut Open Banking, where Perspecteev SAS appeared as the authorization party. Perspecteev’s Bridge legal page states that Perspecteev is a French payment institution authorized by the ACPR for payment initiation and account information services. In a second path, the RAPID rail routed Austrian users to a bank-selection page and then to Revolut Open Banking, where the player had to authorize Rapid Transfer. Public information on Malina’s operator and licensing perimeter is inconsistent. Some review sources currently attribute Malina Casino to Stellar Ltd, registered in Anjouan and operating under an Anjouan license, while other casino-review ecosystems have associated Malina or related brands with Rabidi/Liernin or NovaForge-style offshore clusters. CasinoTest24, for example, states that Malina launched in 2024, is operated by Stellar Ltd, and is licensed by the Anjouan Gaming Authority under license number ALSI-202411077-FI2. That does not solve the EU question. An Anjouan license is not permission to target Italy, Austria, Germany or other EU markets. The rail evidence shows EU-facing payment access; the regulatory issue is whether payment institutions, gateways, wallet providers and merchant-layer entities are enabling an offshore casino to collect EU player funds without local authorization. Key Findings Malina uses a geo-domain payment layer.EU players were routed through malinacasino-2836.com, with localized cashier flows for Austria, Italy and other EU-facing language versions. The cashier is jurisdiction-aware.Austrian and Italian players saw different payment availability and different backend handling. This is not a static cashier; it is adaptive payment routing. Skrill exposed Zentoria Limited as payee.In our Skrill Prepaid Mastercard deposit we found “zentoria limited” as the payee. Zentoria has already appeared in multiple FinTelegram casino-rail investigations. Skrill also exposed mixfind.com as payee.A second Skrill Prepaid Mastercard transaction showed mixfind.com as the payee. MixFind is not presented publicly as a casino merchant. Its website describes a charge-identification and billing inquiry portal, making its appearance as a payment payee a major descriptor/payee red flag. MixFind must explain its role.The key question is whether MixFind is a merchant descriptor, billing-support layer, payment facilitator interface, chargeback-reduction tool, merchant-of-record wrapper, or portal connected to another processor. Revolut Open Banking appeared through multiple paths.Malina’s direct Revolut rail and its RAPID rail both reached Revolut Open Banking screens in the tested flows. Perspecteev SAS appeared inside the Revolut rail.The Revolut rail asked the player to authorize Perspecteev SAS. Perspecteev’s Bridge page identifies it as an ACPR-authorized payment institution for payment initiation and account information services. RAPID behaved differently by jurisdiction.For Austrian users, RAPID routed to bank selection and then Revolut Open Banking. For Italian users, RAPID was unavailable and the player was pushed toward Skrill Wallet, with MHSL shown as recipient. MiFinity showed CME as recipient.The MiFinity deposit screen displayed CME as payee. CME must explain whether it is merchant, processor, wallet recipient, or descriptor-layer entity. Paysafecard and Neteller labels concealed alternative backend rails in Italy.For Italian players, FinTelegram again observed the ChainValley-style fake-FIAT pattern: a familiar FIAT/wallet label at the cashier, but a backend flow that appears to involve crypto purchase and transfer to the casino environment. Zentoria remains a recurring casino payee.The Malina evidence reinforces Zentoria Limited as a recurring payee or merchant-layer participant in offshore casino flows. The operator story remains fragmented.Current public review sources point to Stellar Ltd and Anjouan licensing, while the broader Malina/Rabidi/NovaForge ecosystem remains inconsistent across casino-review databases. Fragmented operator history is a regulatory red flag, not an answer. Key Data Table Entity / DomainRoleJurisdictionEvidenceRed FlagMalina Casino / malinacasino-2836.comEU-facing casino geo-domainOffshore / unclearFinTelegram test access; screenshots; SimilarWeb screenshotEU player acquisition through geo-domain layerStellar LtdPublicly cited current operatorAnjouan / ComorosCasinoTest24 attributes Malina to Stellar Ltd and Anjouan license ALSI-202411077-FI2Offshore license does not equal EU market authorizationZentoria LimitedSkrill/card payee; recurring casino payeeIrelandSkrill verification screenshot: “zentoria limited: EUR 20,00”Already observed in several illegal/offshore casino payment flowsmixfind.com / MixFindSkrill/card payee or descriptor-support layerNot clearly disclosed on siteSkrill verification screenshot: “mixfind.com: EUR 20,00”; MixFind site describes charge lookup and billing inquiryNew opaque payee; public site does not present normal casino merchant rolepayment-gateway.ioCard gatewayUnknownFinTelegram VISA/Mastercard test findingOpaque payment-gateway layerFinmesh.net / DirectPayPayment-link / redirect-gateway layerUnknownPayment screenshot; Malina deposit flow; expired-link error page; source title “DirectPay”; production app configOperator not disclosed; session-based routing; sits between casino cashier and bank/open-banking railsredirect-gate.netRedirect layerUnknownFinTelegram test findingObscures first-hop routingPerspecteev SAS / Bridgehttps://www.bridgeapi.io/Open Banking / PISP layerFranceRevolut authorization screen; Bridge legal page confirms ACPR payment institution statusRegulated open-banking firm appears in casino funding flowRevolut(Open Banking – OBA)ASPSP/API access layerUK/EU groupRevolut authorization screenshotsReached via multiple Malina railsRAPID Transfer /RAPIDPayment method / routing layerUnknownAustrian flow reaches bank selection and Revolut OBA; Italian flow falls back to SkrillSame label produces different jurisdictional outcomesSkrill / MHSLWallet fallback / recipientUnknownItalian RAPID screenshot shows MHSL as recipientRecipient mismatch; requires merchant-role explanationMiFinity / CMEE-wallet rail / recipientUnknownMiFinity screenshot: “Deposita su CME”Recipient is not Malina; merchant role unclearChainValleyhttps://app.chainvalley.proCrypto conversion layerPolandFinTelegram review finding in Italian Paysafecard/Neteller flowsFake-FIAT deposit patternPaysafecard / Neteller labelsFront-end cashier labelsEU/UK wallet brandsDisplayed in cashier; backend differs by jurisdictionLabel does not necessarily describe real backend flowJetonbankWallet railUK/otherAvailable in both country cashiersHigh-risk casino funding rail Rail Map A. Skrill / Card Verification Rail Player → Malina Casino Cashier → Pay by Card / Card Deposit → Skrill Prepaid Mastercard verification → Payee shown as “zentoria limited” or “mixfind.com” → Casino funding layer Assessment: This is one of the strongest evidence blocks. The player is funding Malina Casino, but the Skrill verification screen shows third-party payees. Zentoria Limited fits an already observed offshore casino payment pattern. MixFind is new and more problematic: its own website presents a payment lookup and statement support portal, while the Skrill verification screen shows it as the payee in a casino deposit transaction. Read our reports on Zentoria here. B. Direct Card Rail Player → Malina Cashier → VISA/Mastercard → payment-gateway.io → Zentoria Limited / other payee layer → Casino funding layer Assessment: The card rail exposes a payee layer separate from the casino brand. Zentoria Limited must explain whether it acts as merchant of record, payment agent, processing counterparty, descriptor holder, or settlement intermediary. C. Revolut / Perspecteev Rail Player → Malina Cashier → Revolut option → Finmesh / redirect-gate → Revolut Open Banking → Perspecteev SAS authorization → Payment initiation → Casino funding layer Assessment: This is a regulated open-banking choke point. Perspecteev is not an anonymous shell; it is a French payment institution authorized for payment initiation and account information services. Its appearance in a Malina Casino deposit path creates immediate merchant-onboarding and transaction-monitoring questions. Finmesh.net appears to operate as a production payment-link or redirect layer under the application title “DirectPay.” A tested link expired into a “Link not available” page, consistent with session-based payment routing. The source code uses Sentry monitoring, but does not disclose the legal operator, merchant, acquirer, PSP, or payment facilitator behind the gateway. D. RAPID Rail — Austria Player → Malina Cashier → RAPID → payment.onlinebanktransfer.com → Austrian bank selection → Revolut → Revolut Open Banking → Authorize Rapid Transfer → Payment initiation Assessment: RAPID is not merely a brand label. It functions as a routing layer that can still reach Revolut Open Banking. The same Revolut endpoint is therefore accessible both through the cashier’s Revolut button and through the RAPID path. E. RAPID Rail — Italy Player → Malina Cashier → RAPID → Skrill page → “Rapid Transfer non è disponibile” → Skrill Wallet fallback → Recipient: MHSL Assessment: When RAPID is unavailable for Italian users, the system does not stop the payment attempt. It offers an alternative wallet route and displays MHSL as recipient. That is adaptive payment routing, not transparent cashier design. F. MiFinity Rail Player → Malina Cashier → MiFinity → MiFinity payment screen → Recipient: CME → Casino funding layer Assessment: MiFinity’s screen shows CME, not Malina, as the deposit recipient. CME must be identified and mapped against PSP, merchant and settlement records. G. Fake-FIAT Crypto Rail Italian player → Paysafecard / Neteller label → ChainValley-style crypto purchase → crypto transfer to casino environment Assessment: This is the now-standard fake-FIAT casino deposit pattern. The player sees a familiar payment label, but the backend appears to execute a crypto conversion. The label suggests a FIAT wallet/card rail; the underlying economics point to crypto funding. FinTelegram Assessment Established Facts Malina Casino was accessible through the reviewed geo-domain malinacasino-2836.com and displayed EU-facing cashier options, including PlayID, VISA/Mastercard, Pay by Card, Paysafecard, Revolut, Bank Transfer, RAPID, Jetonbank, MiFinity, Neteller/Skrill and USDT ERC20. Austrian and Italian player flows differed. Austrian players saw Bank Transfer and RAPID routes that led into bank-selection and Revolut Open Banking flows. Italian players saw different fallback behavior, including Skrill Wallet routing and crypto-conversion patterns behind wallet labels. The Skrill app screenshots show pending Skrill Prepaid Mastercard transactions connected to the Malina deposit review. One displays “zentoria limited: EUR 20,00.” Another displays “mixfind.com: EUR 20,00.” MixFind’s public website states that users who do not recognize a transaction can enter details to retrieve merchant and order information attached to a payment. It also describes itself as a “Payment Support Portal.” MixFind’s terms describe the portal as a billing inquiry tool for statement descriptors, debits and credit card charges executed by “authorized billing partners,” while stating that MixFind is not a bank, credit union or financial institution and does not process payments through the portal. The Revolut authorization screenshots show two separate authorization parties in different paths: Perspecteev SAS and Rapid Transfer. Perspecteev’s Bridge legal page states that Perspecteev SAS is registered in Paris and authorized by the ACPR as a payment institution for payment initiation and account information services. The MiFinity screenshot shows a €50 transaction with CME as the recipient. The Skrill/RAPID screenshot for Italy shows MHSL as recipient and tells the player that RAPID is unavailable, recommending payment through Skrill Wallet. The SimilarWeb screenshot reviewed by FinTelegram shows EU traffic to the geo-domain, including Germany, Czech Republic, Greece, France and Belgium. Strong Inferences The evidence points to jurisdiction-aware payment routing. Malina’s cashier is not a neutral list of payment options. It adapts the available rail and backend payment counterparty depending on where the player is located. The evidence points to merchant/payee opacity. The player-facing casino brand is Malina, but the payment verification layers show Zentoria Limited, mixfind.com, MHSL and CME. The evidence points to regulated infrastructure being used as access rails into offshore casino funding flows. Perspecteev and Revolut are not the casino operator, but their infrastructure appears in tested funding chains. The evidence points to Zentoria Limited as a recurring casino payment participant. Its appearance in Malina is not isolated; it fits a broader FinTelegram evidence pattern across illegal/offshore casino schemes. The appearance of mixfind.com as a payee is a high-value red flag. MixFind’s public-facing function is charge identification and billing inquiry, yet it appears as the named payee in a Skrill Prepaid Mastercard verification screen connected to a casino deposit. Working Hypotheses Working Hypothesis 1: Malina Casino is part of a broader offshore casino operator/payment ecosystem where the public operator name, payee layer, merchant descriptor and settlement path can differ from one another. Working Hypothesis 2: Zentoria Limited functions as a recurring merchant-layer or payee-layer participant in multiple offshore casino flows, including Malina. Working Hypothesis 3: MixFind is connected to a billing partner or descriptor-management layer used to reduce chargeback friction, identify card charges, or route payment-support inquiries for high-risk merchants. Working Hypothesis 4: ChainValley-style crypto conversion is being used when certain named payment rails are unavailable, blocked, risky or unsuitable in specific EU jurisdictions. Working Hypothesis 5: Finmesh, redirect-gate and payment.onlinebanktransfer.com function as routing layers that allow Malina’s cashier to access regulated endpoints without presenting the full chain to the player. Open Questions Who is the current legal operator of Malina Casino for EU-facing players? Which entity owns or controls malinacasino-2836.com? What is the contractual relationship between Malina Casino, Stellar Ltd, Zentoria Limited, MixFind, Finmesh, RAPID, Perspecteev, ChainValley, MiFinity, Skrill, payment-gateway.io and redirect-gate? Why does mixfind.com appear as a payee in a Skrill Prepaid Mastercard verification screen for a Malina Casino deposit? What is MixFind’s legal entity, jurisdiction, ownership and acquiring/PSP relationship? Which “authorized billing partner” is connected to the MixFind transaction shown in the Skrill app? Is MixFind a merchant descriptor, billing-support portal, payment facilitator interface, chargeback-reduction tool, merchant-of-record wrapper, or front-end for another payment processor? Did Skrill classify the zentoria limited and mixfind.com transactions as gambling, gaming, digital services, payment support, crypto purchase or generic e-commerce? What MCC was assigned to the Skrill Prepaid Mastercard transactions? Did Perspecteev onboard a direct merchant, payment facilitator, technical gateway or another intermediary that ultimately served the Malina flow? Did Revolut classify these flows as gambling, wallet funding, payment initiation, crypto purchase or generic transfer? What exactly are MHSL and CME in these flows? Were Italian and Austrian players properly informed that certain “FIAT” deposit labels may execute crypto purchases or route funds through third-party payees unrelated to Malina Casino? Conclusion Malina Casino is not just an offshore casino brand. It is a payment-rail case. The screenshots show the model in action: the casino sits in front, the geo-domain adapts the flow, and the player is pushed through whichever payment rail still works in that jurisdiction. The new Skrill evidence makes the case sharper. Zentoria Limited appears again as a casino payment payee. mixfind.com appears as a new payee, despite presenting itself publicly as a payment lookup and billing inquiry portal. Add Revolut Open Banking, Perspecteev SAS, RAPID, Finmesh, MiFinity/CME, Skrill/MHSL and ChainValley-style fake-FIAT conversion, and the picture is clear. Malina Casino shows the offshore casino payment model: offshore license on the front, EU payment infrastructure underneath, rotating payees in the middle, and the player left guessing who actually took the money. 8. Whistleblower Call FinTelegram is seeking documents from players, insiders, PSP staff, open-banking providers, wallet operators, acquirers, compliance officers and former employees with knowledge of Malina Casino and its payment rails. Victims and insiders can contact FinTelegram securely through Whistle42. Share Information via Whistle42

FinTelegram has received a new player complaint involving alleged illegal casino deposits processed through opaque merchant descriptors and regulated payment infrastructure. The complainant claims that payments connected to online casinos including Malina Casino and Wazbee Casino were routed through payment processors including Smartflow Payments/SENDS, xpate Ltd and Finthesis Ltd/PAIO. The case is not an insider leak. It is a player-side payment complaint — but one with transaction-level documentation: ARN numbers, dates, amounts, descriptors, screenshots of processor correspondence, and partial refund evidence. The player alleges that the disputed transactions were casino deposits disguised as non-gambling merchant payments, including alleged classification under MCC 7372 rather than gambling-related merchant categories. FinTelegram has not yet independently verified the MCC coding from raw card-network records. However, the submitted material raises serious red flags around merchant transparency, acquiring-chain accountability and payment-processor monitoring. The Complaint According to the complainant, 42 transactions were processed between October and December 2025 through a network of obscure merchant descriptors. The alleged casino brands named by the complainant are: Malina Casino Wazbee Casino The complainant says the casinos did not respond to his refund requests and that he therefore escalated the matter to the payment processors and acquiring-chain entities identified in the transaction records. The core allegation: illegal casino deposits were allegedly routed through non-transparent merchant descriptors and misclassified as non-gambling activity. The Payment Processors Named The complaint names the following entities: EntityRole alleged by complainantStatus in evidence reviewedSmartflow Payments Ltd / SENDShttps://sends.co/Processor/acquirer chain for INNTCIT and CL2SK transactionsTransaction list shows 13 transactions totaling €2,000; three INNTCIT transactions marked refunded.xpate Ltd /XPATEhttps://xpate.com/Processor/acquirer chain for multiple opaque descriptorsTransaction list shows 13 transactions totaling €1,306 involving vercs2, calcal, jusdot5, tokdom, jusski6 and paypay.Finthesis Ltd / PAIOhttps://paio.company/Alleged processor/acquirer for SKINMODE and CYBGEU flowsReferenced in screenshots and complaint; further clean transaction data requested.Helaba / HELADEFFhttps://www.helaba.com/German banking / a receiving-side or settlement-side banking referenceAnnex repeatedly references HELADEFF and a German IBAN beginning DE97 5005.Libergos LimitedCyprus-based payment agent in the HELADEFF / German IBAN routing environmentCyprus casino-sector entity, publicly linked to Hollycorn N.V.-related casino operations and previously warned by ACMA for prohibited interactive gambling services. The Merchant Descriptor Map The submitted material does not show transparent casino merchant names on the payment records. Instead, it shows a series of obscure descriptors. DescriptorProcessor / acquirer indicatedCurrent assessmentINNTCITSmartflow Payments / SENDSThe UK corporate register shows Instantonit Limited registered with SIC code 62020 — IT consultancy activities (https://instantonit.com)CL2SKSmartflow Payments / SENDSHigh-priority descriptor. Repeated across Annex and Smartflow list.vercs2xpate LtdOpaque descriptor; UK Companies House record shows VERIDRA LTD with SIC codes for data processing, web portals, and other information services.calcalxpate Ltd / AnnexOpaque descriptor; needs merchant-of-record confirmation.jusdot5xpate Ltd / AnnexOpaque descriptor; needs acquirer clarification.tokdomxpate LtdOpaque descriptor; needs acquirer clarification.jusski6xpate Ltd / AnnexOpaque descriptor; needs acquirer clarification.paypayxpate LtdOpaque descriptor; requires clarification.SKINMODEFinthesis / PAIO allegedRequires clean ARN-level confirmation.CYBGEUFinthesis / PAIO allegedRequires clean ARN-level confirmation. The pattern is familiar: short, non-branded, non-consumer-facing descriptors; repeated round-number payments; obscure addresses; and PSPs distancing themselves from the underlying merchant. FinTelegram was not yet able to verify the legal merchant-of-record behind all descriptors. However, several descriptors resolve to opaque UK address clusters or match public player complaints about gambling-related card payments. These findings require clarification from Smartflow/SENDS, xpate, Finthesis/PAIO and the acquiring banks. SENDS: The Refund Question A Smartflow/SENDS transaction list seen by FinTelegram shows 13 transactions. Three INNTCIT transactions are marked as refunded. That does not prove guilt. But it raises a sharp question: If SENDS could process refunds for part of this flow, why did the remaining disputed transactions become a “contact the merchant” problem? FinTelegram will ask SENDS to explain: who the legal merchant of record was behind INNTCIT and CL2SK; why the INNTCIT transactions were refunded; what MCC was applied; whether 3DS/SCA was triggered; whether these payments were connected to Malina Casino, Wazbee Casino, or related operators. xpate: “Technology Provider” Is Not the End of the Story The complainant provided correspondence in which xpate reportedly stated that it is a payment processing technology provider and not the direct provider of goods or services. That answer may be contractually convenient. It is not sufficient. If xpate appears in the acquiring or processing chain, then the relevant questions remain: Who was onboarded? Who was monitored? Who approved the merchants? Who saw the descriptors? Who carried the risk? The xpate transaction list shows 13 transactions totaling €1,306 across multiple opaque descriptors. xpate’s own prohibited-activities document, submitted by the complainant, lists categories including offshore structures, unclear UBOs, unlicensed gambling, high-risk financials and unacceptable reputational-risk merchants. That makes the case obvious: xpate should explain how these descriptors passed its merchant-control framework. The MCC 7372 Allegation The palyer alleges that the casino-related payments were misclassified under MCC 7372, typically associated with computer programming / data processing / IT services, rather than a gambling-related category. This allegation is serious. It goes to the heart of transaction laundering: payments for one activity allegedly being processed as another. FinTelegram has not yet independently verified the MCC from raw card-network or issuer records. We therefore treat the MCC 7372 point as an allegation requiring confirmation. But the question is legitimate: Were gambling deposits processed under non-gambling merchant categories? If yes, this would raise major issues for acquiring banks, payment processors, card schemes and regulators. The German Settlement Layer The Annex repeatedly references HELADEFF and a German IBAN beginning DE97 5005, suggesting a German banking or settlement layer in the payment chain. FinTelegram makes no allegation that Helaba knowingly processed illegal casino payments. But where German banking infrastructure appears in a payment-rail complaint involving alleged illegal gambling, the institution should clarify the nature of the account relationship: settlement account, PSP account, acquiring account, correspondent function — or something else? FinTelegram Assessment This is not yet a final proof file. It is a credible player complaint with transaction-level evidence. The complaint shows: multiple payment processors; obscure merchant descriptors; ARN-level transaction records; alleged casino connection; partial refunds; possible MCC misclassification; repeated refusal or deflection by involved payment entities. The case fits a broader pattern FinTelegram has documented for years: offshore or illegal casino operators using payment intermediaries and opaque merchant descriptors to access card and banking rails while hiding the true gambling purpose from banks, issuers and players. Questions To SENDS, xpate, PAIO and the Casinos FinTelegram invites the named entities to answer: Were the disputed transactions connected to Malina Casino, Wazbee Casino, or related gambling operators? Who were the legal merchants of record behind INNTCIT, CL2SK, vercs2, calcal, SKINMODE and CYBGEU? Which MCCs were used? Was MCC 7372 used for any of the payments? Were 3DS and Strong Customer Authentication applied? Why were some SENDS-linked transactions refunded while others were not? Which regulated institution held the settlement account referenced by the German IBAN/HELADEFF records? Were suspicious activity reports or internal AML escalations filed? Call for Information FinTelegram is looking for further information from: players who deposited into Malina Casino or Wazbee Casino; players who see descriptors such as INNTCIT, CL2SK, vercs2, calcal, SKINMODE, CYBGEU, jusdot5, tokdom, jusski6 or paypay on bank/card statements; insiders at SENDS, Smartflow Payments, xpate, PAIO/Finthesis, acquiring banks, ISOs, payment facilitators or casino cashier providers; compliance officers with knowledge of MCC 7372 use in gambling flows. Submit information securely via the FinTelegram whistleblower platform. Player losses are one thing. Payment laundering is another. If regulated payment firms helped illegal casinos disguise deposits as IT services or other non-gambling transactions, this is not a private dispute — it is a regulatory matter. Share Information via Whistle42

FinTelegram has reviewed a new batch of OpenPayd payment summaries gathered by victims of fake investment schemes. The pattern is brutal and consistent: victim deposits hit OpenPayd vIBANs and are immediately transferred to Klickl Europe Sp. z o.o. with the reference “Sweep to Primary Account.” In the readable files reviewed, hundred of thousands of Euros flowed through this OpenPayd–Klickl rail. This is no longer a single-victim case. It is a payment machine. 2-Minute Briefing FinTelegram has reviewed a new batch of OpenPayd payment summaries received by victims after GDPR/DSAR requests. The documents show a repeated payment pattern: Payin from victim → immediate Transfer → Klickl Europe → “Sweep to Primary Account.” FinTelegram analyzed the batch of victim payment files. The payment summaries show that each victim payment to OpenPayd was transferred to KLICKL EUROPE SP.z.o.o., BIC CFTEMTM1, receiver account MT82CFTE28004000000000004379006. This confirms the core FinTelegram finding: OpenPayd provided the vIBAN collection infrastructure; Klickl Europe received the swept victim funds. OpenPayd’s own GDPR response to the victims confirmed the architecture. It states that OpenPayd provides services to corporate clients only, identifies Klickl Europe as the relevant client, explains that the IBAN was a named virtual IBAN linked to Klickl Europe’s payment account, and states that funds credited to that account became the property of Klickl Europe. The new batch of victim files makes the case bigger. The pattern is no longer limited to KXTRA or one Peel Hunt / Peelhuntaicore victim. It points to a scalable fraud rail used against mainly German-speaking victims. The legitimate Peel Hunt has publicly warned that it does not use WhatsApp, downloadable apps or social media channels for regulated investment activity and says apps and WhatsApp channels using its name are not associated with the firm. OCCRP’s Scam Empire reporting described how large investment-scam networks rely on payment providers and accounts to collect victim money. FinTelegram’s new OpenPayd/Klickl evidence fits that model. Key Findings The new files show a systematic payment pattern.Victim Payins into OpenPayd vIBANs were immediately matched by outgoing transfers to Klickl Europe with the reference “Sweep to Primary Account.” The same Klickl account appears repeatedly.The receiver account in the readable files is consistently MT82CFTE28004000000000004379006, BIC CFTEMTM1, receiver Klickl Europe Sp. z o.o. The current verified batch already exceeds €665,000.FinTelegram’s conservative review of readable Excel files plus two PDF summaries shows at least €665,733.74 in victim-fund flows through this rail. The victims are predominantly German-speaking.In the readable Excel files, sender accounts are mainly German IBANs, with additional Austrian accounts. This aligns with the Peel Hunt / Peelhuntaicore and KXTRA victim pattern. OpenPayd’s GDPR response confirms the structure.OpenPayd says the vIBANs are generated as reconciliation tools for corporate clients and that the relevant account belonged to Klickl Europe. It also says funds credited to that account became Klickl Europe’s property. Klickl Europe is not a random payee.Klickl discloses that Klickl Europe is incorporated in Poland under KRS 0001053580 and registered under Polish virtual-asset registration RD WWW-930 for exchange, brokerage and virtual-asset account activities. This is a fraud-rail issue, not a paperwork issue.If multiple scam frontends routed victims through OpenPayd vIBANs into Klickl Europe, regulators should treat this as a suspected payment-enabled investment-fraud network. Read our OpenPayd reports here. Key Data Table Entity / MechanismRoleJurisdictionEvidenceRed FlagOpenPayd Financial Services MaltavIBAN infrastructure / payment facilitatorwww.openpayd.comMaltaGDPR response; payment summaries; BIC CFTEMTM1Victim deposits routed through OpenPayd infrastructureNamed OpenPayd vIBANsVictim-facing deposit identifiersMalta railOpenPayd says vIBANs are reconciliation tools linked to corporate clientsCreates personal-account appearance while funding corporate accountKlickl Europe Sp. z o.o.Sweep recipient / corporate account holderPolandRepeated receiver in summaries; OpenPayd GDPR responseCentral recipient of victim fundsReceiver accountKlickl Europe accountMalta IBAN railMT82CFTE28004000000000004379006Same account across multiple victimsReferenceTransfer logicOpenPayd system“Sweep to Primary Account”Direct internal sweep patternScam frontendsKXTRA, fake Peel Hunt / Peelhuntaicore, possibly moreUnknown operatorsVictim files and Peel Hunt warningMultiple brands, same suspected rail Rail Map Victim bank account → OpenPayd named vIBAN → immediate transfer / “Sweep to Primary Account” → Klickl Europe corporate payment account → crypto/on-ramp or settlement layer → unknown scam operators Known scam frontends so far: KXTRA / KKR Global Investment → OpenPayd vIBAN → Klickl Europe Fake Peel Hunt / Peelhuntaicore → OpenPayd vIBAN → Klickl Europe Working hypothesis: Additional fake investment brands → same OpenPayd/Klickl rail FinTelegram Assessment Established Facts OpenPayd’s GDPR response confirms that the relevant vIBAN was linked to Klickl Europe’s payment account and that funds credited to it became Klickl Europe’s property. The Humer payment summary confirms Payins totaling €100,500 followed by transfers to Klickl Europe with the reference “Sweep to Primary Account.” The newly reviewed Excel summaries show the same pattern across multiple additional victims. Strong Inferences The evidence points to a structured victim-fund collection rail. OpenPayd provided the vIBAN infrastructure. Klickl Europe received the funds. The same receiver account and same sweep reference appear repeatedly. That is not random payment noise. Working Hypotheses Klickl Europe may have acted as an on-ramp or settlement layer for the operators behind KXTRA, Peelhuntaicore and related scam brands. A stronger hypothesis is that Klickl Europe may have been closer to the fraud operation than a passive processor. That remains to be proven. Open Questions Who was Klickl’s customer behind these flows? Were funds converted into crypto? Which wallets, exchanges or OTC desks received the money next? Did OpenPayd and Klickl file SARs/STRs? When did OpenPayd detect the pattern? Why was the rail not stopped earlier? Whistleblower / Victim Call FinTelegram is collecting: OpenPayd GDPR responses, OpenPayd “Summary of payments” Excel files, vIBANs, sender bank receipts, app screenshots, WhatsApp chats, fake Peel Hunt / Peelhuntaicore materials, KXTRA screenshots, wallet addresses, transaction hashes, Klickl responses, police reports, and regulator complaints. Victims should send files directly via Whistle42. If one victim collects files for others, written consent should be obtained. Share Information via Whistle42

FinTelegram has received another victim report involving a OpenPayd vIBAN, BIC CFTEMTM1, and crypto transfers into a suspected fake trading platform. The case differs from the OpenPayd/Klickl Europe files but confirms the same broader pattern: modern investment and romance scams depend on regulated or semi-regulated fiat-to-crypto payment rails. OpenPayd once again appears in the victim narrative as the payment facilitator. 2-Minute Briefing FinTelegram has received another victim report placing an OpenPayd Malta IBAN directly inside the payment path of a crypto-investment scam. This is not just another romance-scam story. It is another case where scam operators appear to have used OpenPayd’s fiat-entry infrastructure to move victim money into crypto. The victim was contacted through the dating app Bloom by a person using the name “Allen Wilson.” He allegedly posed as an experienced forex trader, groomed her via WhatsApp, sent step-by-step screenshots, pushed her into crypto trading, instructed her to use Crypto.com, guided her to create a Trust Wallet, and directed funds onward to the suspected fake trading platform Ubsdfx.com. The reported loss is approximately €60,000, including borrowed funds, between 29 April 2025 and early June 2025. According to the victim, Austrian police conducted blockchain analysis and found that the money was distributed across multiple crypto exchanges and wallets. A screenshot provided to FinTelegram shows a Crypto.com Cash Account deposit instruction using an OpenPayd Malta IBAN beginning MT58 CFTE…, with BIC/SWIFT CFTEMTM1. This is not an anonymous offshore bank detail. It is OpenPayd Malta’s payment infrastructure appearing in the victim’s fiat-to-crypto deposit path. The Payment Rail Victim → OpenPayd Malta IBAN / CFTEMTM1 → Crypto.com Cash Account → Trust Wallet → Ubsdfx.com → downstream wallets and exchanges It is an OpenPayd rail case. Once again, OpenPayd infrastructure appears where victim money enters the crypto ecosystem. Read our OpenPayd report on the KXTRA and Peel Hunt scam. That is the central issue. Crypto scams are not powered only by fake dating profiles, WhatsApp scripts, fake trading dashboards, and blocked withdrawals. They need fiat-entry rails. They need IBANs. They need crypto-exchange funding routes. They need infrastructure that turns a victim’s bank transfer into movable crypto. This case fits the pattern described by OCCRP’s Scam Empire reporting and reinforces FinTelegram’s previous coverage of OpenPayd and the corporate ecosystem of its founder Ozan Özerk. The question is no longer whether scammers use fake platforms. The question is why OpenPayd IBANs keep appearing in scam payment paths. OpenPayd must explain how its Malta IBAN infrastructure was used in this case, what transaction-monitoring alerts were triggered, whether suspicious activity reports were filed, and how many similar crypto-scam complaints involve CFTEMTM1. The fake romance profile was the bait.The WhatsApp instructions were the script.The OpenPayd IBAN was the fiat-entry rail.Crypto.com and Trust Wallet became the bridge.Ubsdfx.com was the fraud theatre. Read our reports on Ozan Ozerk here. What The Screenshot Shows The uploaded screenshot appears to show a Crypto.com EUR deposit instruction. The visible fields include: FieldVisible InformationAccount holderVictim’s nameIBANMT58 CFTE 2800 4000 0000 0000 45 31340 (OpenPayd)BIC/SWIFTCFTEMTM1Bank addressLevel 3, 137 Spinola Road, St Julian’s, MaltaBank countryMTPurposeEUR deposits into Crypto.com Cash Account via SEPA The wording is important. The screenshot of the payment page says: “Please use the information below to transfer EUR deposits into your Crypto.com Cash Account directly through your bank via SEPA.” That suggests the victim was instructed to deposit fiat into a crypto-exchange cash account using a Maltese named IBAN. The next steps, according to the victim, were Crypto.com → Trust Wallet → Ubsdfx.com. What Is A vIBAN? A virtual IBAN, or vIBAN, is a payment identifier that looks like a standard IBAN but is not necessarily a standalone bank account. In a legitimate exchange setup, the vIBAN allows the payment provider or exchange to identify which customer made a deposit. The payer sees an IBAN assigned in their name, but the money is technically routed through a payment institution or master-account structure and then reconciled internally. In the prior OpenPayd/Klickl Europe files, OpenPayd itself explained this model: a named virtual IBAN is a digital identifier linked to a main corporate account and used for reconciliation; it is not a standalone account. OpenPayd also stated in that GDPR response that the relevant vIBAN was linked to Klickl Europe’s corporate payment account. In the present case, the screenshot does not show Klickl Europe. It appears to show a Crypto.com deposit rail using a Malta CFTE IBAN. The fraud risk is still clear: scammers can instruct victims to fund a real crypto-exchange account and then manipulate them into sending crypto onward to Trust Wallet or scam-controlled wallets. This is the vIBAN-to-crypto trap: Personal-looking IBAN → crypto exchange funding → self-custody wallet → fake trading platform → stolen funds Key Data Table CategoryDetailsCase typeRomance / pig-butchering crypto-investment scamInitial contactOnline dating app BloomAlleged scammer identity“Allen Wilson,” allegedly AmericanGrooming channelWhatsApp, with screenshot-based instructionsFraud narrativeForex / crypto trading with high-profit promisePayment rail shownMalta-based IBAN beginning MT58 CFTE…BIC/SWIFTCFTEMTM1Deposit contextCrypto.com Cash Account / SEPA EUR depositCrypto exchange layerCrypto.comWallet layerTrust WalletScam destinationUbsdfx.comReported lossApproximately €60,000Timeframe29 April 2025 to approximately 4 June 2025Law enforcementAustrian police complaint filedBlockchain tracingVictim says police analysis found funds distributed across multiple exchanges/walletsOpenPayd relevanceVictim states she was guided to an OpenPayd bank account in Malta; screenshot shows CFTE Malta vIBAN/BIC structure consistent with OpenPayd-style railsKlickl relevanceNo evidence in this file so far; should not be presented as a Klickl caseRisk classificationHigh-risk vIBAN-enabled crypto scam rail Payment Rail Table LayerEntity / ToolApparent FunctionRisk PointVictim acquisitionBloom dating appRomance-scam entry pointSocial engineering and emotional dependencyFraud grooming“Allen Wilson” / WhatsAppStep-by-step crypto instructionsVictim controlled through screenshots and trust manipulationFiat entryOpenPayd Malta SEPA deposit into crypto-exchange cash accountPersonal-looking IBAN can create false confidenceCrypto exchangeCrypto.comFiat-to-crypto entry pointLegitimate exchange infrastructure used as entry railWallet layerTrust WalletSelf-custody wallet created under scammer guidanceOnce funds leave exchange, recovery becomes harderScam platformUbsdfx.comFake trading / forex-crypto platformNo withdrawal; funds allegedly dispersedDownstream launderingMultiple exchanges / walletsFragmentation of crypto proceedsPolice blockchain analysis reportedly found wide distribution FinTelegram Assessment This case should be treated as a related vIBAN-enabled crypto scam rail, not as a Klickl Europe case. The difference matters: In the KXTRA and Peel Hunt / Peelhuntaicore files, OpenPayd/Klickl evidence indicates that funds were linked to Klickl Europe’s corporate payment account. In the present Ubsdfx.com case, the screenshot points to Crypto.com funding through an OpenPayd Malta IBAN, followed by Trust Wallet and onward scam routing. But the common pattern is obvious: scammers exploit payment and crypto infrastructure that appears legitimate to victims. The fraudsters do not need to operate the payment institution or the exchange. They need to weaponize the rails. That is why OpenPayd remains relevant. FinTelegram has repeatedly reported on OpenPayd’s role in high-risk payment flows, and OCCRP’s Scam Empire investigation documented how global scam networks depend on payment providers, bank accounts, and intermediaries to collect and move victim funds. OCCRP reported that leaked data showed fraud payments running through dozens of companies, including two owned by Özerk, while noting there was no evidence those companies knew the payments derived from fraud. This new case again raises the same core questions: How are fraud victims being instructed into Malta-based vIBAN rails? What monitoring is performed when large retail deposits enter crypto-exchange cash accounts? When victims report fraud, are funds frozen fast enough? Are payment facilitators and crypto exchanges preserving complete transaction trails for victims and law enforcement? How often does the same CFTE/OpenPayd-style infrastructure appear in crypto fraud cases? Conclusion This new case adds another layer to FinTelegram’s OpenPayd and vIBAN investigation. It is not currently a Klickl Europe case. It is a Crypto.com / Trust Wallet / Ubsdfx.com crypto-scam case using a Malta CFTE vIBAN-style fiat entry rail. But the bigger pattern is the same. Fake profiles lure victims.WhatsApp scripts guide them.vIBANs bring fiat into crypto.Trust Wallet moves funds out.Fake platforms show profits.Withdrawals never happen.The money disappears across wallets and exchanges. OCCRP called it the Scam Empire. FinTelegram is following the rails. And once again, OpenPayd-style infrastructure appears in the victim’s payment path. Share Information If you have any information about OpenPayd or its activities, please let us know. If you have been a victim of a scam and lost money to scammers via OpenPayd, please share this information with us. To do so, please use our Whistle42 whistleblower system. Share Information via Whistle42

FinTelegram’s investigation has moved beyond the KXTRA investment scam. A new OpenPayd GDPR response confirms that victim deposits were routed through named virtual IBANs linked to Klickl Europe’s corporate account. One victim file concerns KXTRA / KKR Global Investment; another concerns fake Peel Hunt / Peelhuntaicore. Different scam brands, same suspected rail: OpenPayd vIBAN infrastructure feeding Klickl Europe. 2-Minute Briefing FinTelegram’s OpenPayd–Klickl investigation has materially expanded. We are no longer looking only at the KXTRA / KKR Global Investment scam. New victim communication and OpenPayd GDPR material show that the same OpenPayd/Klickl Europe payment architecture also appears in a fake Peel Hunt / Peelhuntaicore investment scam. This changes the case. A single scam frontend can be dismissed by payment processors as “merchant abuse.” Multiple fake investment frontends using the same underlying payment structure point to something more serious: a repeatable fraud-collection rail. OpenPayd’s GDPR response confirms the mechanics. OpenPayd states that it provides services only to corporate clients, not individuals, and identifies Klickl Europe as the relevant corporate client. It says the victim-facing IBAN was not a standard IBAN, but a named virtual IBAN linked to Klickl Europe’s corporate payment account. It further states that funds sent to that vIBAN were received into Klickl Europe’s corporate payment account and, once credited, became the property of Klickl Europe. That confirms the core FinTelegram thesis: OpenPayd provided the vIBAN collection infrastructure; Klickl Europe was the corporate account holder and recipient of the victim funds. The new case is not KXTRA. The victim’s correspondence to OpenPayd was explicitly titled “Fraud via Peel Hunt / Peelhuntaicore.” In that message, she told OpenPayd that she had become a victim of investment fraud and demanded the return of the transfers. That aligns with Peel Hunt’s own public fraud warning. The legitimate Peel Hunt states that it does not use WhatsApp, LinkedIn, downloadable applications or social-media channels for regulated investment activities, and it specifically identifies PEELHUNTAICORE as an app not associated with Peel Hunt. The picture is now clearer: KXTRA / KKR Global Investment appears to be one fake investment frontend. Peel Hunt / Peelhuntaicore appears to be another. OpenPayd → Klickl Europe appears to be the common payment rail. What OpenPayd Confirmed OpenPayd’s GDPR response is the strongest document so far because it confirms the architecture from inside the payment provider’s own system. 1. OpenPayd’s client was Klickl Europe — not the victim OpenPayd states that it only provides services to corporate clients and has no direct contractual relationship with individuals. It identifies the relevant OpenPayd client as Klickl Europe. 2. The IBAN was a named vIBAN, not a real personal account OpenPayd states that the assigned IBAN was “not a standard IBAN,” but a named virtual IBAN linked to a main corporate account. It says the specific virtual IBAN was linked to the payment account belonging to Klickl Europe. 3. Klickl Europe provided victim data OpenPayd says it received personal data from the sending bank and from Klickl Europe. From Klickl Europe, OpenPayd received the victim’s name, address and date of birth. It also states that the victim was onboarded onto the Klickl Europe platform and that a virtual IBAN was allocated in her name to receive payments made on her behalf to fund Klickl Europe’s account. 4. The funds became Klickl Europe’s property OpenPayd states that the funds sent to the vIBAN were received into Klickl Europe’s corporate payment account and, once credited, became the property of Klickl Europe. This is the key line. It places Klickl Europe squarely at the economic center of the victim-fund flow. Read our OpenPayd reports here What Is A vIBAN? A virtual IBAN, or vIBAN, is a payment identifier that looks like a normal IBAN but is not a standalone bank account. It is usually linked to a master account or corporate payment account. The corporate client uses the vIBAN to identify who sent a payment and to reconcile incoming funds quickly. In this case, the practical effect was: Victim sees a named IBAN → victim believes the payment is personalized → money is credited to Klickl Europe’s corporate account → Klickl reconciles the deposit internally A vIBAN is therefore powerful in fraud cases because it can create a false sense of safety. The payer sees a name-linked IBAN and may believe they are funding “their own” account. In reality, the money can be routed into the corporate account of the platform client. That is the vIBAN trap. Scam Frontends Now Identified Scam FrontendImpersonated / Claimed BrandVictim-Acquisition PatternPayment Rail IdentifiedCurrent Evidence StatusKXTRA / KKR Global InvestmentKKR-style IPO / private-equity investment narrativeFacebook advertising, WhatsApp grooming, fake advisers, KXTRA app, fake profits, blocked withdrawalsVictim transfers to OpenPayd Malta; Klickl Europe identified in payment structureAustrian criminal complaint reviewed by FinTelegram. The complaint lists OpenPayd Malta payments and names Klickl Europe in the payment-provider section.Peel Hunt / PeelhuntaicoreImpersonation of legitimate UK investment bank Peel HuntWhatsApp investment groups, fake app, alleged trading/investment activity, blocked access to fundsOpenPayd GDPR response confirms named vIBAN linked to Klickl Europe corporate accountOpenPayd GDPR response reviewed by FinTelegram; victim’s earlier email to OpenPayd was titled “Fraud via Peel Hunt / Peelhuntaicore.” Legitimate Peel Hunt publicly warns that PEELHUNTAICORE is not associated with Peel Hunt. Read our Klickl Europe reports here. Payment Rail System — OpenPayd And Klickl Europe LayerEntity / MechanismRole In The RailWhat The Evidence ShowsFraud frontendKXTRA / PeelhuntaicoreFake investment apps and interfaces used to lure victimsVictim files now point to at least two different scam brands using the same OpenPayd/Klickl payment architecture.Recruitment layerFacebook / WhatsApp groups / fake advisersVictim acquisition and psychological groomingBoth fraud types follow the social-media and WhatsApp investment-scam model.Payment infrastructure providerOpenPayd Financial Services MaltaProvides payment infrastructure and named vIBANs to corporate clientsOpenPayd confirms it provides services to corporate clients and does not provide direct services to individuals.OpenPayd clientKlickl EuropeCorporate client and account holderOpenPayd identifies Klickl Europe as its corporate client in the GDPR response.Victim-facing identifierNamed virtual IBANPersonalized payment identifier used to reconcile victim depositsOpenPayd states the IBAN was not a standard IBAN but a named vIBAN linked to Klickl Europe’s payment account.Economic recipientKlickl Europe corporate payment accountReceives the credited victim fundsOpenPayd states that funds sent to the vIBAN were received into Klickl Europe’s corporate payment account and became Klickl Europe’s property once credited.Data sourceKlickl EuropeProvides victim data to OpenPaydOpenPayd states it received the victim’s name, address and date of birth from Klickl Europe.Infrastructure providersProbanx / Bank of LithuaniaProcessing infrastructureOpenPayd says payments were processed through its infrastructure banking providers, including Probanx and the Bank of Lithuania.Downstream layerKlickl platform / wallets / exchanges / operatorsUnknown onward use, conversion, transfer or settlementOpenPayd says subsequent transfers, conversions or investments are outside its control and should be addressed to Klickl Europe. Revised Rail Map Common Collection Rail Victim → OpenPayd named vIBAN → Klickl Europe corporate payment account → Klickl platform credit / transfer / conversion / settlement → unknown downstream recipient Scam Frontend Variants KXTRA / KKR Global Investment → OpenPayd/Klickl vIBAN rail Peel Hunt / Peelhuntaicore → OpenPayd/Klickl vIBAN rail The frontends differ. The rail appears to be the same. Why The Peel Hunt / Peelhuntaicore Case Matters The legitimate Peel Hunt is a respected UK investment banking firm (website) specializing in mid and small-cap companies, listed on the London Stock Exchange, with offices at 100 Liverpool Street, London. The fraudulent Peel Hunt scam and the “PEELHUNTAICORE” and “PHFINCORE” apps have no connection to this licensed financial institution. The Peel Hunt / Peelhuntaicore evidence changes the risk assessment. If this were only KXTRA, OpenPayd and Klickl might attempt to frame the matter as an isolated merchant abuse case. But the Peelhuntaicore evidence indicates a second investment-fraud frontend feeding the same Klickl-linked vIBAN architecture. That points to a repeatable collection system. It also puts Klickl Europe under even more pressure. If Klickl Europe received victim funds from different scam fronts, it must explain whether the same customer, wallet, merchant, exchange account, OTC desk or internal ledger was behind these flows. The key question is no longer: Was Klickl accidentally exposed to one scam? The key question is: How did multiple fake investment scams end up funding Klickl Europe’s corporate account through OpenPayd vIBANs? FinTelegram Assessment FinTelegram’s assessment is that Klickl Europe must be treated as a central evidence holder and potential fraud-rail participant. There are three possible scenarios: ScenarioInterpretationWhat Klickl Must ProduceKlickl was only an on-rampKlickl processed funds for fraud operators without operating the scam frontendCustomer identity, wallet addresses, exchange accounts, conversion records, SAR/STR filings, termination recordsKlickl was a settlement intermediaryKlickl received funds and moved them onward for another processor, merchant or platformFull counterparty chain, settlement instructions, ledger entries, contractsKlickl was closer to the fraud operatorsKlickl or related parties had operational knowledge of the scam networkInternal communications, onboarding files, platform links, beneficial-owner and transaction-control records Even the most favorable scenario for Klickl — “only an on-ramp” — still leaves Klickl with the critical data. If it received the funds, it should know where they went. That data belongs in the hands of victims, law enforcement and regulators. Call For Victims And Whistleblowers FinTelegram is now collecting additional evidence on the broader OpenPayd / Klickl Europe vIBAN fraud rail. We are especially interested in victims of: KXTRA KKR Global Investment Peelhuntaicore fake Peel Hunt / Peel Hunt Europe WhatsApp groups any other investment app or WhatsApp group where deposits were made to an OpenPayd / CFTE / Malta IBAN any payment file showing Klickl Europe any DSAR / GDPR response from OpenPayd any transaction reference such as “Sweep to Primary Account” Victims should send: OpenPayd GDPR / DSAR responses; Summary of payments spreadsheets; assigned vIBANs; payment receipts; app screenshots; WhatsApp group screenshots; names and phone numbers of “advisers”; police reports; regulator complaints; crypto wallet addresses or transaction hashes; responses or non-responses from Klickl Europe. If one victim collects documents for others, each victim should preferably give written consent or submit their own file directly via Whistle42. Conclusion This investigation is no longer about one fake app. KXTRA was one frontend.Peelhuntaicore was another.The common denominator appears to be the OpenPayd/Klickl Europe vIBAN rail. OpenPayd has now confirmed that the victim-facing IBAN was a named virtual IBAN linked to Klickl Europe’s corporate payment account. OpenPayd has also confirmed that funds credited through that vIBAN became the property of Klickl Europe. That places Klickl at the center of the evidence. If Klickl was merely the on-ramp, it must disclose the downstream data.If Klickl was closer to the operators, regulators and law enforcement must act.If OpenPayd enabled a repeatable vIBAN structure for multiple scam frontends, it must explain how that happened under its transaction-monitoring and financial-crime controls. The victims want the data. FinTelegram will keep following the rail. Share Information via Whistle42