A forensic audit of the fiat-to-crypto infrastructure utilized by the blacklisted crypto exchange MEXC has identified a highly sophisticated, multi-layered payment rail. By nesting Finetix Limited S.R.L. (Romania) within the French electronic money infrastructure of HEURO SAS (formerly Harmoniie SAS), MEXC has successfully constructed a “Red Shield” network to mask high-risk crypto flows behind legitimate-looking SEPA and SEPA Instant transfers by utilizing deceptive branding and a cadre of executives with deep roots in Chinese fintech conglomerates. The Dual-Rail Architecture Our investigation confirms that Finetix Limited S.R.L. acts as the universal “Contractual Recipient” for all Euro deposits on the MEXC mirror platform (mexc.co). Depending on the payment speed selected by the user, the flow is routed through two distinct financial arteries: 1. The SEPA Instant Rail (French Axis) When users select “SEPA Instant,” the transaction is processed through HEURO SAS, doing business under the brand OuiTrust, and the Romanian Finetix Ltd S.R. L. The Trap: Users must consent to the Terms of Service of both Finetix (as the commercial gateway) and HEURO SAS (as the EMI processor). The Deception: By presenting the destination as “Heuro Bank” at a Paris address, the platform suggests institutional banking safety. In reality, it is a virtual account managed by an EMI whose primary purpose in this chain is the settlement of high-risk crypto liquidity. In the checkbox, the MEXC customer making the deposit must confirm that they agree to the MEXC Terms, whereby the link to the Terms actually leads to the Finetix Terms. The user is therefore not making a deposit to MEXS, but to Finetix (see screenshot above). We assume that Finetix is part of the MEXC scheme. 2. The Standard Bank Transfer Rail (Lithuanian Axis) Standard SEPA transfers are routed via Paytend Europe UAB (Lithuania). As previously established, Finetix acts as the named payee here as well, ensuring that the “MEXC” brand remains invisible to the sending bank’s AML monitoring systems. Read our report on the MEXC – Finetix – Paytend Europe Rail here. The Corporate Dimension: Rebranding and Asian Influence The HEURO Transformation On December 16, 2025, the French institution Harmoniie SAS (formerly Easyeuro and Unirpay) officially rebranded as HEURO SAS. They are still doing business as OiuTrust. The name change has not yet been implemented on the OuiTrust website. Harmoniie SAS is still listed as the operator there. (This move appears to be a strategic pivot to adopt a more “bank-like” identity (“Heuro Bank”) to facilitate its expanding Banking-as-a-Service (BaaS) partnerships with offshore exchanges. Despite the branding, it remains an Electronic Money Institution (EMI) under ACPR supervision, currently operating at the limits of its regulatory mandate. The Chinese-Asian Connection Both the technology and the leadership of this rail originate from the mainland Chinese fintech sector. HEURO SAS Leadership: Controlled by individuals such as Chuan Chen and Haixiang Li, whose professional pedigrees include senior roles at Ant Financial (Alibaba), Huawei, and HSBC China. MEXC Ownership: Founded by Chinese blockchain veterans (e.g., Sheen Xin Hu) and currently managed by Singapore-based John Chen. Strategic Sync: This shared background allows for a unified operational logic. The “Shadow Rail” is not merely a service but a synchronized export of Chinese fintech bypass technology into European regulated shells. Summary Table: The French-Romanian SEPA Instant Rail LayerEntity / BrandJurisdictionRolePlatformMEXCOffshore (Seychelles)Mutated/Ghost ExchangeContractual GatewayFinetix Limited S.R.L.Finetix Ltd S.R.L.RomaniaUniversal Recipient / Legal ShieldEMI ProcessorHEURO SAS (ex-Harmoniie)FranceSEPA Instant Rail ProviderBrand Identity“Heuro Bank” / OuiTrustFranceDeceptive Trade BrandingCollection IBANFR761747800 0010 0016 6962 3202FranceFrench-to-Offshore Settlement Account Export to Sheets The HEURO Evolution We tracked the transformation of a single French corporate vehicle (SIREN 833 165 863) as it rebranded and repositioned itself within the European payment landscape, maintaining a consistent core of Chinese-origin leadership throughout its pivot toward high-risk crypto-shadow banking. 1. Timeline of Corporate Metamorphosis EraEntity NamePrimary BrandCore Strategic Focus2017 – 2018Unirpay SASUnirpayInitial entry into French fintech; cross-border payments.2018 – 2020Easyeuro SASEasyEuroRebranding to target “Easy” Euro-Chinese business settlements.2020 – 2025Harmoniie SASOuiTrustExpansion into EMI services and VASP-adjacent processing.Dec 2025 – PresentHEURO SASCompany dataHeuro BankOuiTrustFull pivot to high-speed crypto-rails for offshore exchanges (MEXC, Tap) Export to Sheets 2. The Shared Executive “DNA” The following individuals have served as the “Red Thread” connecting these entities, ensuring operational continuity despite the frequent name changes. Chuan CHEN (The Architect) Role: Founder and President He stepped down from the board in 2019 during the Easyeuro transition. Significance: Former senior executive at Ant Financial (Alibaba). He is the primary link between Chinese digital payment logic and the French regulatory environment. Haixiang LI (The Infrastructure Lead) Role: Director General (DG) of HEURO SAS; previously key leadership in Harmoniie. Significance: Background in Huawei and HSBC China. He manages the technical “pipes” that allow the SEPA Instant system to interface with the Finetix/MEXC infrastructure. Xue DINGSHENG & Xue LU (The Founding Board) Role: Original board members of Unirpay SAS. Significance: Instrumental in the initial licensing phase with the French ACPR. Their involvement established the original “corridor” between Paris and the Chinese tech sector. 3. The “Chinese Fintech Pedigree” Diagram The corporate structure of HEURO is not typical for a French EMI. It is built as a “Gateway for Export”—specifically designed to allow offshore entities (like MEXC) to tap into the European Banking Union. 4. Compliance Risk: The Persistence of Control The fact that the same individuals have remained in control through four different rebrandings is a major compliance signal. In AML/KYC terminology, this is known as “Permanent Entity Control” used to mask a shifting business model. Risk Pattern: While the name on the license changes to avoid historical scrutiny, the beneficial ownership and executive intent remain static. The Finetix Tie-In: By the time the company became HEURO, it had fully integrated with Compliance Verdict: High-Velocity Risk Status: CRITICAL VIOLATION (RED SIGNAL) The payment architecture orchestrated by MEXC, Finetix Limited S.R.L., and HEURO SAS (dba Heuro Bank / OuiTrust) represents a deliberate attempt to circumvent the Markets in Crypto-Assets (MiCA) framework and Anti-Money Laundering (AML) directives. This infrastructure is not merely high-risk; it is a textbook case of Transaction Laundering and Regulatory Arbitrage. Key Compliance Violations: Unlicensed Crypto Service Provision (MiCA Violation): MEXC operates within the EU without the mandatory MiCA authorization. Simultaneously, Finetix Limited S.R.L. (Romania) markets itself at www.finetix.net as a crypto service provider despite being unregistered as a VASP in Romania. The fact that the Finetix website is currently non-functional (“ghosting”) further indicates a lack of operational substance (Shell Company risk). Facilitation of Unlicensed Entities (HEURO SAS): As a French-regulated EMI, HEURO SAS is legally obligated under 5AMLD/6AMLD to perform rigorous Know Your Business (KYB). Processing SEPA Instant transfers for an unlicensed, offshore exchange (MEXC) via an unregistered Romanian shell (Finetix) constitutes a massive failure in institutional oversight and potential complicity in unlicensed financial intermediation. Deceptive Payment Labeling & “Shadow Banking”: The use of the “Heuro Bank” trade name by an EMI to process funds for a blacklisted entity is a deceptive practice designed to bypass the automated AML filters of the users’ sending banks. This obscures the high-risk nature of the destination (Crypto) behind an institutional “Banking” facade. Jurisdictional Layering: By inserting a Romanian “Terms Holder” between a French processor and a Seychelles exchange, the participants have created a fragmented legal trail. This prevents a single national regulator from having a clear view of the end-to-end transaction, a common tactic in laundering criminal proceeds or bypassing sanctions. Summary of Institutional Risk EntityPrimary ViolationRegulatory ExposureMEXC GlobalUnlicensed operation in EUMiCA Enforcement / Asset FreezingFinetix LtdUnregistered VASP activitiesRomanian Police / AML InvestigationHEURO SASKYB Failure / Processing for Unlicensed EntitiesACPR License Revocation / Fines Export to Sheets Call to Whistleblowers Are you an employee of HEURO SAS in Paris or Finetix in Bucharest? Do you have internal documentation regarding the profit-sharing agreements between these entities and MEXC? We are specifically seeking: KYB files submitted by Finetix to HEURO SAS. Transaction logs showing the daily settlement volumes from the French FR76 IBAN to MEXC-controlled wallets. Communication between HEURO executives and MEXC’s John Chen. Share your information securely and anonymously via our platform. Share Information via Whistle42

Investigative forensics have unmasked the sophisticated “shadow rail” powering the Euro-denominated on-ramps for the globally blacklisted exchange MEXC. By deploying a complex layering strategy across Romania and Lithuania, MEXC avoids regulatory scrutiny and banking blocks, utilizing a “ghost” payment gateway that effectively launders the identity of the merchant from the financial system. The Anatomy of Deception While regulators across Europe issue warnings against MEXC Global, the exchange continues to process millions in Euro deposits via its “mutated” mirror domain, MEXC.co and its main domain MEXC.com. One rail behind this bypass is the Romanian Finetix Ltd S.R.L. via the Lithuanian Paytend Europe UAB. By using a Romanian shell company as the payee and a Lithuanian EMI for the banking pipes, MEXC ensures that bank compliance systems remain blind to the destination of the funds. Forensic Compliance & Risk Analysis 1. The “Ghost” Payee: Finetix Limited S.R.L. When a registered MEXC user initiates a bank transfer, they are directed to send funds not to MEXC, but to Finetix Ltd S.R.L. aka Finetix Limited S.R.L. This entity, registered in Bucharest, Romania (Strada BUZESTI, Nr. 75-77), is a not registered or regulated Romanian crypto service provider and serves as a contractual shield. It is a standard limited liability company with no financial or crypto license. Its primary purpose is to act as the “Merchant of Record,” ensuring the name “MEXC” never appears on a user’s bank statement. Based on the wording on the MEXC website, the processes as well as look and feel of both websites, we assume that Finetix is closely affiliated with or controlled by MEXC. We also found that the Finetix website (www.finetix.net) does not work. Officially, the website offers the purchase of crypto. However, in our review, it was not possible to register or complete a transaction. It is very obvious that the website is just a front for MEXC. 2. The Financial Pipe: Paytend Europe UAB The actual funds land in a Lithuanian IBAN (LT48 3120 0108 5320 6016) held at Paytend Europe UAB. Paytend, a licensed Electronic Money Institution (EMI) in Lithuania, provides the virtual IBAN (vIBAN) infrastructure. Curiously, the payment instructions list the “bank address” as the Romanian office of the payee, a highly irregular practice designed to confuse automated AML triggers that look for jurisdictional consistency. 3. The Anatomy of the Shadow Flow Our forensic investigation into the specific payment instructions (IBAN LT483120010853206016) reveals a deliberate “Triple-Masking” strategy: The Address Deception: In a highly irregular move, the payment instructions list the Romanian address (Strada BUZESTI, Nr. 75-77) as the “Bank Address” for a Lithuanian IBAN. This is a classic tactic to confuse automated AML filters that would otherwise flag a cross-border mismatch between a Romanian payee and a Lithuanian bank (Note: This address is a high-density “virtual office” hub often used by fintech and IT services firms.) The Romanian Shell: The payee is Finetix Limited S.R.L., registered in Bucharest. This is a standard commercial entity with zero financial or crypto-asset licenses. It acts as a “Merchant of Record” to hide the name “MEXC” from bank audits. The Lithuanian Pipe: The funds land at Paytend Europe UAB, a Lithuanian Electronic Money Institution (EMI). Paytend provides the IBAN, but importantly, Paytend is not a crypto exchange. It is a bank-like entity being used as a blind passthrough. Compliance & Risk Analysis Verdict: CRITICAL RISK (BLACK) There is no registered VASP (Virtual Currency Exchange Operator) in this transaction chain. Users are sending money to a Romanian IT shell which then presumably funnels the liquidity to MEXC’s offshore accounts. ComponentEntityRoleStatusBrandMEXC The public interface. High RiskContractual PayeeFinetix Limited S.R.L.Romanian Shell (Bucharest)Payee for Deposits UnlicensedFinancial RailPaytend Europe UAB(www.finetix.net)Lithuanian EMI (Vilnius)IBAN provider IntermediaryCrypto LicenseNONEMissing VASP Anchor CRITICAL FAILURE Export to Sheets The Trap: Registered MEXC users believe they are utilizing a “secure” EU bank transfer. In reality, they are participating in an unregulated “shadow settlement” that has no consumer protection, no insurance, and no MiCA compliance. Risk Verdict: CRITICAL (RED) The Finetix-MEXC partnership is a textbook example of Transaction Masking. By decoupling the brand (MEXC) from the payee (Finetix) and the bank (Paytend), the group facilitates unlicensed financial services to EU residents. Under the MiCA 2026 framework, such “shadow rails” are illegal and subject to severe penalties for both the exchange and the facilitators. Whistle42 Call to Action Insiders at Finetix Limited S.R.L. or MEXC are encouraged to come forward. We are seeking internal documentation from Paytend Europe compliance officers or Finetix Limited S.R.L. employees. What is the volume of “Digital Asset Purchase” traffic moving through IBAN LT483120010853206016? Who is the ultimate beneficial owner (UBO) of the Romanian shell? Share Information via Whistle42

The EU has implemented MiCA as a fully operational, passportable crypto licensing regime. The UK, by contrast, is constructing a phased, FCA-driven framework under traditional financial services law. For crypto providers, merchants, and regulators, understanding these structural differences is essential for cross-border strategy, licensing, and risk management. Key Findings The EU’s MiCA regime is fully applicable and introduces a harmonized CASP license with passporting across Member States. The UK does not have MiCA; it operates an AML registration regime while building a broader authorization framework under FSMA. MiCA authorization is mandatory now in the EU; full UK authorization for core crypto activities is expected to apply from 2027. The UK framework is likely broader in scope (including lending and certain DeFi intermediation). MiCA includes dedicated token issuance rules (ARTs/EMTs); the UK regulates stablecoins under payment and systemic frameworks. Cross-border providers must pursue separate authorization tracks in the EU and the UK. Market-abuse and consumer protection regimes differ in structure but converge in intensity. 1. The EU Framework: MiCA as a Unified Licensing Regime MiCA (Markets in Crypto-Assets Regulation) establishes a comprehensive regulatory framework across the EU. Licensing Path (EU – MiCA) Who must be licensed?Crypto-Asset Service Providers (CASPs), including: Exchanges (trading platforms) Custodians Brokers Portfolio managers Transfer services Placement services Authorization Process: Application to national competent authority (e.g., BaFin, AMF, Bank of Lithuania). Assessment of governance, capital, AML systems, IT resilience. Once approved → EU passporting rights. Capital Requirements: Tiered own-funds requirements depending on service type. Ongoing prudential monitoring. Timeline: Transitional regimes expired or are expiring across Member States. Grandfathering windows (e.g., Lithuania end-2025) have closed. By 2026, full MiCA compliance will be the norm across the EU. Reporting & Consumer Protection (EU) Whitepaper requirements for token issuance. Strict marketing disclosure obligations. Complaint handling mechanisms. Segregation of client assets. Prudential reporting to national authorities. ESG disclosure obligations for certain tokens. Market Abuse (EU) MiCA introduces a crypto market-abuse framework: Prohibition of insider dealing. Prohibition of unlawful disclosure of inside information. Prohibition of market manipulation. Surveillance obligations for trading platforms. However, the EU crypto MAR regime is somewhat lighter than traditional securities MAR. 2. The UK Framework: AML Registration Today, Full Authorization Tomorrow The UK currently operates a two-stage regulatory structure: Stage 1: AML Registration (Active) Crypto firms must register with the Financial Conduct Authority (FCA) under AML regulations to operate legally. This is not full authorization but compliance with: KYC/AML controls Suspicious activity reporting Financial crime risk management The FCA has rejected a high percentage of applicants, demonstrating strict supervisory scrutiny. Stage 2: Full FSMA Authorization (Planned, ~2027) The UK government is implementing a broader regime under the Financial Services and Markets Act (FSMA). Activities likely to require authorization: Operating trading platforms Dealing in cryptoassets Custody services Lending and staking intermediation Arranging transactions Certain centralized DeFi models This will transform crypto firms into FCA-authorized financial services entities. Key Differences Between MiCA and the UK Model FeatureEU (MiCA)UK (FSMA Regime)Legal StructureEU RegulationDomestic financial services lawPassportingYes (EU-wide)No EU passport; UK-onlyStablecoinsART/EMT regimeStablecoins treated as payment instruments; systemic focusMarket AbuseDedicated crypto MARLikely closer to traditional financial MARScopeCASPs + issuersPotentially broader incl. lending/stakingTimelineActiveFull regime by ~2027 3. Strategic Impact for Cross-Border Crypto Providers Providers operating in both jurisdictions must prepare for: Dual authorization processes Separate prudential capital requirements Distinct reporting obligations Divergent consumer-protection regimes No passport equivalence between EU and UK The UK is deliberately not mirroring MiCA. Instead, it is embedding crypto into the traditional financial regulatory architecture. This could lead to: Higher governance expectations in the UK More granular supervisory engagement Broader enforcement perimeter 6. Regulatory Convergence or Competitive Divergence? The EU model prioritizes harmonization and passporting. The UK model prioritizes supervisory control and integration into mainstream financial regulation. While objectives are aligned (consumer protection, market integrity), execution differs. There is currently no regulatory equivalence regime between MiCA and the UK framework. Cross-border crypto activity therefore requires parallel compliance architecture. Conclusion: Two Systems, One Compliance Reality The EU offers regulatory clarity through MiCA, but with strict filtration and capital requirements. The UK offers phased integration into traditional financial regulation, potentially with broader activity coverage. Crypto providers must now operate as regulated financial institutions — not experimental technology platforms. The era of light-touch crypto regulation in Europe and the UK is over. Call for Information If you have insight into MiCA licensing bottlenecks, FCA authorization challenges, transitional failures, or regulatory migration strategies, share information confidentially via Whistle42.com. Your information helps ensure transparency and market integrity. Share Information via Whistle42

The global crypto market chill of late 2025, highlighted by Coinbase’s significant Q4 losses, has collided with the unforgiving reality of Europe’s new regulatory framework. The European Union is no longer just facing a “crypto winter” of falling prices; it is entering an ice age of regulatory enforcement. As the Markets in Crypto-Assets (MiCA) regulation enters its critical transition phase, the “Lithuanian laboratory” has already demonstrated the fatal consequences for non-compliant entities. This briefing analyzes the inevitable mass shakeout of EU crypto companies in 2026 and outlines the severe risks for investors and merchants navigating this collapsing landscape. Key Findings: The European Purge The Dual Crisis: EU crypto service providers are caught in a deadly pincer movement: a collapse in trading revenues due to the market crash (Bitcoin <%2490k) and skyrocketing costs to meet MiCA’s quasi-banking standards. The Lithuanian Precedent: The expiration of Lithuania’s grandfathering period at the end of 2025 led to the immediate disappearance of numerous entities, including Utrg, dba utPay, and Dream Finance, dba CoinsPaid and CryptoProcessing, serving as a grim preview for the rest of the EU. The Regulatory Bottleneck: Early data from Czechia indicates a massive disparity, with reports of over 240 MiCA license applications yielding only 6 granted licenses, highlighting the immense difficulty of compliance. End of the Arbitrage Era: The window for moving operations to more lenient jurisdictions like Poland (currently operating under a lighter VASP regime) will slam shut by the end of 2026, guaranteeing a final, massive market consolidation. Elevated Counterparty Risk: The convergence of financial strain and regulatory shock creates an extreme risk environment. We anticipate a wave of both “quiet bankruptcies” (voluntary shutdowns) and forced “regulatory bankruptcies” throughout 2026. Analysis: The Great EU Market Transformation The financial distress signaled by Coinbase’s Q4 2025 results is being magnified across the Atlantic by a unique catalyst: MiCA. For years, Europe was a patchwork of regulations where companies could engage in jurisdiction shopping to find the path of least resistance. That path has now become a dead end. Lithuania as the Canary in the Coal Mine Lithuania, once heralded as a crypto-friendly hub with enormous numbers of registered Virtual Asset Service Providers (VASPs), has become the first casualty of the new era. The mass deregistration at the start of 2026 proves that the vast majority of these players were either shell companies or incapable of meeting robust anti-money laundering (AML) and capital requirements. The closure of firms like utPay and Dream Finance (note: distinct from major global players) are not isolated incidents but the first dominoes in a continent-wide chain reaction. Read our report on the Lithuanian MiCA situation here. The Czech Reality Check & The Polish Illusion The reported situation in Czechia—hundreds of applications for a handful of licenses—reveals the true nature of MiCA. It is designed to filter out all but the most professional, well-capitalized, and compliant entities. Currently, we observe a desperate migration of smaller crypto firms relocating to Poland to operate under its existing VASP framework. This is a temporary illusion of safety. This regulatory arbitrage is a ticking time bomb. When MiCA becomes fully applicable across all member states at the end of 2026, the Polish lifeboat will sink, likely triggering the single largest event of company disappearances in EU crypto history. The market is heading toward an oligopoly of a few dozen large, regulated players, with thousands of smaller entities facing extinction. Briefing: Critical Risks for Merchants and Investors The environment in 2026 is defined by extreme counterparty risk. The entity holding your assets or processing your payments today may not exist tomorrow due to either insolvency or regulatory shutdown. For EU Merchants Accepting Crypto: Counterparty risk: Treat every EU crypto facilitator as a potential default candidate unless they can demonstrate a credible MiCA authorisation path (filed application, regulator feedback, realistic timelines, documented capital and governance). Jurisdictional mapping: Identify where your current crypto partners are regulated (Lithuania, Poland, Czechia, etc.) and what their transition status is; entities still relying on Lithuanian VASP registrations without MiCA licences are already in the danger zone. Immediate Audits Required: Do not assume your current crypto payment processor will survive 2026. Demand proof of their MiCA transition plan and capital adequacy. Risk of Fund Seizure: If your processor is shut down by regulators (a “regulatory bankruptcy”), your unsettled funds could be frozen indefinitely as part of legal proceedings. Operational continuity plans: Implement redundancy across multiple CASPs, including at least one provider with an already granted MiCA licence in a core jurisdiction, and plan technical fallbacks to avoid being trapped in a single‑provider failure. Contractual protections: Tighten SLAs and merchant contracts to include: segregation of client funds, clear termination triggers upon loss of licence, and obligations to notify you of any supervisory actions, restriction orders, or licence denials. Expect Higher Costs: The few surviving, MiCA-compliant processors will pass their high compliance costs onto you. The era of cheap crypto payment processing is over. For EU Crypto Investors: Get Off the “Long Tail”: If your funds are on a small, obscure, or offshore-based European exchange that is relying on regulatory arbitrage (e.g., currently hiding in Poland without a clear MiCA strategy), withdraw them immediately. These platforms are prime candidates for “quiet bankruptcies”—shutting down websites and vanishing overnight. Verify, Don’t Trust: Only deal with platforms that are transparently pursuing MiCA licensure in stringent jurisdictions (e.g., France, Germany) and provide verifiable proof of reserves. The Liquidity Trap: As smaller exchanges die, liquidity for niche altcoins will evaporate, potentially making it impossible to sell your positions even at depressed prices. Consolidate holdings into major assets on major, regulated platforms. A Call to Insiders: Expose the Cracks Are you working for an EU crypto firm that is faking its MiCA readiness? Is your company secretly insolvent, using customer funds to stay afloat while planning a “quiet” exit before regulators step in? Do not let investors and merchants become victims of the next collapse. Provide us with the information needed to expose malpractice before it’s too late. Submit your evidence securely and anonymously via our whistleblower platform. Share Information via Whistle42

The “Up-Only” narrative of 2025 hit a brutal wall in the final quarter, as the leading U.S. crypto exchange, Coinbase, reported a staggering $667 million net loss for Q4. Despite a record-breaking year overall, the sudden plummet of Bitcoin from its $120,000+ peak to sub-$90,000 levels triggered a liquidity vacuum and massive book losses. While Coinbase remains anchored by its $11.3 billion cash pile, the results signal a systemic stress test for the entire industry. As we enter 2026, the question is no longer about the “moon,” but about who survives the descent. Key Findings: The Q4 Reality Check Financial Red Ink: Coinbase posted a $667 million net loss in Q4 2025, primarily driven by marking down its crypto asset portfolio and a 5% sequential decline in total revenue ($1.78 billion). The BTC Slide: Bitcoin’s retreat from $122,000 to approximately $90,000 (and further stabilization around $63,000 in early 2026) wiped out nearly $19 billion in leveraged positions across the market. Subscription Safety Net: In a rare bright spot, subscription and services revenue grew by 23% year-over-year, proving that “steady” income from staking and USDC is the industry’s new life jacket. Infrastructure Cracks: While Coinbase held firm, competitors like Binance and Kraken faced significant outages and “flash crash” anomalies during the October 2025 volatility. Stock Market Punishment: COIN shares dropped nearly 8% immediately following the earnings miss, drifting toward 52-week lows. Deep Dive: Analysis of the 2025 Crash Coinbase results for Q4 2025 The Q4 loss isn’t just a Coinbase problem; it’s a mirror of the “October Black Swan.” In late 2025, a combination of macroeconomic tightening and a massive liquidation event on Binance—driven by faulty oracle pricing for stablecoins like USDe—sent shockwaves through the ecosystem. Unlike the 2022 collapse, which was fueled by the “Terra-Luna” death spiral, the 2025 drawdown appears to be a liquidity-driven reset. Coinbase’s loss is largely “on paper” (unrealized book losses), but the underlying drop in transaction volume suggests retail fatigue. High-frequency traders and market makers pulled back as spreads widened, leaving the market vulnerable to the “air pockets” that saw Bitcoin drop 30% in a matter of weeks. However, the “Everything Exchange” strategy is paying off. Coinbase isn’t just a casino anymore; it’s becoming a bank. With 1 million paid “Coinbase One” subscribers and a heavy focus on its Base Layer-2 network, the company is attempting to decouple its survival from the daily price of Bitcoin. Hypothesis: 2026 Outlook and Bankruptcy Risks Will 2026 see a repeat of the 2022 bankruptcies? Our hypothesis suggests a “Bifurcated Recovery.” Unlike 2022, we have not yet seen a major “Terra moment”—a systemic failure of a top-tier stablecoin or a massive lender like Celsius. The “Too Big to Fail” Tier: Platforms like Coinbase and Kraken, which have spent years on regulatory compliance and building cash reserves, are likely to survive 2026, albeit with “belt-tightening” measures (layoffs and reduced marketing). The Danger Zone: High-leverage offshore exchanges and smaller altcoin-heavy platforms are at extreme risk. If Bitcoin fails to reclaim the $100k level by mid-2026, we anticipate a wave of “Quiet Bankruptcies“—smaller entities being absorbed by giants or simply shutting down due to unsustainable burn rates. The 2026 Pivot: We expect the first half of 2026 to be a period of “maturation.” The speculative “meme-coin” frenzy is likely dead for this cycle, replaced by Stablecoin Payments and Tokenized Real-World Assets (RWA). Q4 2025 Performance Comparison: The Survivors vs. The Stunned The fourth quarter of 2025 created a massive divide between companies that operate as market infrastructure (like Coinbase) and those that operate as proxy holding companies for Bitcoin (like Strategy/MicroStrategy). While Coinbase struggled with lower volumes, Strategy faced a massive balance sheet hit due to the new “Fair Value” accounting rules. MetricCoinbase (COIN)Strategy (MSTR)Galaxy Digital (GLXY)Q4 Total Revenue$1.78 Billion$123 Million$10.2 Billion*Q4 Net Income / (Loss)($667 Million)($17.4 Billion)($482 Million)Primary Loss DriverLow trading volume & book asset markdownUnrealized BTC impairment ($17.4B)Asset depreciation & infrastructure costsCash/Liquidity Pile$11.3 Billion$2.6 Billion (available capital)$2.6 Billion (Cash & Stablecoins)Crypto ExposureBrokerage & Custody Fees713,502 BTC ($54.2B cost)Asset Management & Mining“Safety Net” SegmentSubscription & Services ($727M)Software Licenses ($52M)Institutional Staking ($5B under stake)Stock Market ReactionFell 7.9% post-earningsRemained volatile; tied to BTC priceDropped 6% on earnings miss Export to Sheets *Note: Galaxy’s revenue includes high-velocity trading and principal investments, leading to much higher top-line figures that don’t always translate to bottom-line profit. Strategic Analysis: Infrastructure vs. Treasury Coinbase (The Utility): Coinbase’s loss is largely reflective of retail exhaustion. When Bitcoin fell from $120k to $90k, the “casual” trader stopped clicking “buy.” However, their $11.3 billion cash reserve is a massive fortress. They aren’t going bankrupt; they are simply waiting for the next cycle while collecting interest on their USDC reserves. Strategy (The Proxy): MicroStrategy (now simply Strategy) reported a terrifying $17.4 billion loss, but it is important to note this is an unrealized “paper” loss. Because of 2025’s accounting changes (ASU 2023-08), companies must mark their Bitcoin to market prices every quarter. When BTC dropped 30%, their balance sheet “lost” billions, even though they didn’t sell a single satoshi. Galaxy Digital (The Hybrid): Galaxy’s $482 million loss shows the danger of being “too diversified.” While they have a massive institutional business, their direct exposure to mining infrastructure and proprietary trading meant they were hit by both falling prices and rising energy costs in Q4. Final Verdict on Bankruptcy Risk Unlike 2022, where companies like FTX and Celsius failed due to fraud and lack of collateral, the losses of 2025 are primarily market-driven and accounting-based. Coinbase and Strategy have high debt, but it is structured as long-term convertible notes, not short-term “run-on-the-bank” liabilities. The real risk in 2026: Smaller offshore exchanges that lack Coinbase’s $11 billion “war chest” and didn’t hedge against the Q4 volatility. Those are the entities most likely to vanish in the coming months. The Verdict: We are not in a 2022-style apocalypse, but a “Darwinian Winter.” Only the platforms with diversified, non-transactional revenue will see the spring of 2027. A Call to Insiders: Help Us Uncover the Truth Is your platform hiding a liquidity gap? Are internal “risk management” protocols being ignored to cover Q4 losses? The public deserves to know if another 2022-style disaster is brewing behind closed doors. If you have information regarding financial instability, mismanagement, or security vulnerabilities at major crypto exchanges, reach out to us. Your identity remains protected. Share Information via Whistle42

In a brazen display of lawlessness, the crypto exchange MEXC Global has transitioned from regulatory evasion to active content piracy. Our investigation reveals that MEXC, primarily through its mutated domain mexc.co, has been systematically scraping and republishing FinTelegram’s investigative articles in their entirety without authorization. By creating a dedicated “Author Page” for FinTelegram (found at mexc.co/en-PH/news/author/fintelegram/306), MEXC is not only infringing on copyright but is performing a strategic Brand Hijack—using our intelligence to lure users into their ecosystem while ignoring all legal cease-and-desist requests. The “Author 306” Scheme: A New Layer of Deception The existence of a FinTelegram author profile on a platform we have repeatedly warned against is a calculated move by MEXC to confuse the public and lend a false veneer of “compliance transparency” to their mirror domains. The Theft: Every major investigation into the “MiCA Guillotine” and “Shadow Rails” published by FinTelegram is instantly mirrored on MEXC.co. The Motive: By republishing critical reports about other high-risk entities, MEXC attempts to position itself as an “educational hub,” distracting users from its own lack of regulatory standing and the warnings issued against it by BaFin, the FCA, and CONSOB. The Silence: Formal requests from FinTelegram for the immediate removal of our intellectual property have been met with total silence. MEXC’s support channels refuse to acknowledge the existence of the news aggregator, a classic hallmark of a platform operating outside the reach of international law. Hidden in Anonymity The MEXC.co mutated domain has completely scrubbed all information regarding its legal operator from its interface. Unlike the primary mexc.com site—which has historically claimed various offshore registrations (Seychelles, Estonia, or the British Virgin Islands)—the MEXC.co platform provides no legal imprint, no terms of service identifying a corporate entity, and no physical address. The “Anonymity-as-a-Service” Architecture The deliberate omission of operator data on MEXC.co is a strategic maneuver designed to create a “legal vacuum.” By operating as a Ghost Platform, MEXC achieves three critical goals for its shadow operations: Evading Cease-and-Desist Orders: Without a named operator, regulators like BaFin or CONSOB struggle to serve formal legal notices directly to the domain. Shielding the Lithuanian Hub: By not mentioning Finetix, UAB on the front-end, MEXC protects its primary European payment rail from being immediately associated with the banned “MEXC” brand by bank compliance automated crawlers. Denying Liability: If a user’s funds are frozen or “lost” on the .co mirror, there is no legal “person” or “corporation” for the user to sue in any jurisdiction. Forensic Identification: Finetix as the Only “Paper Trail” While the website remains a ghost, the money trail remains visible. Our investigation confirms that the only identifiable corporate footprint for MEXC.co within the European Union is Finetix, UAB. The Link: When a user initiates a deposit on the anonymous MEXC.co site, the payment instructions lead directly to IBAN LT483120010853206016. The Reality: That IBAN is legally registered to Finetix, UAB (Vilnius, Lithuania). In essence, Finetix acts as the “de facto” operator for the fiat-gateways of this ghost platform, providing a regulated Lithuanian face to a completely unregulated and anonymous digital interface. Investor Warning: Credibility as a Weapon We urge our readers to be extremely cautious. If you see a FinTelegram article on a MEXC-affiliated domain, it is stolen property. MEXC is using our research into the “dark side” of the industry to camouflage its own shadow operations. “When an exchange starts stealing the work of the very investigators who expose them, they have entered a terminal phase of ethical bankruptcy,” says a FinTelegram legal representative. Whistle42 Call to Action Are you an employee of the MEXC “News” or “Content” department? We are seeking information on the automated scraping tools and mirror-server locations used to facilitate this content theft. Share Information via Whistle42

As European regulators tighten the noose on Virtual Asset Service Providers (VASPs) ahead of MiCA implementation, the UTORG Group—a key payment facilitator for offshore casinos via SoftSwiss—has executed a strategic jurisdictional shift. Following the suspension of its Lithuanian operations, evidence points to a migration toward Poland via Chain Valley Sp. z o.o., signaling a “whack-a-mole” approach to maintaining high-risk payment rails. Key Findings Executive Smoking Gun: Ilie Cernişev, identified in regulatory filings as the CEO of Utorg OÜ (Estonia), is currently the Chairman/CEO of Chain Valley Sp. z o.o. (Poland). Operational Successor: Chain Valley has replaced the suspended Lithuanian entity UAB Utrg (utPay) as the primary crypto-to-fiat processor for the FinteqHub (SoftSwiss) casino ecosystem. The “wrapper” Technique: The group utilizes a “Crypto Purchase” wrapper (operating via the chain-valley.pro domain) to process credit card and Open Banking payments for unlicensed offshore casinos, appearing on player bank statements as a neutral IT service rather than gambling. Holding Structure: The group is ultimately controlled by UTORG LABS HOLDING LTD in Abu Dhabi, which owns the branding, intellectual property, and global domains (utorg.com, utorg.pro). UTORG discloses a holding / ownership layer tied to the UTORG website/app stack. UTORG’s own Terms of Use link “Buy Crypto” directly to app.chainvalley.pro. Regulatory Arbitrage: The move to Poland (VASP Registration RDWW-765) exploits a transitional period in Polish AML oversight compared to the now-strict Lithuanian and Estonian regimes. Compliance Analysis While no public registry or filing yet confirms a direct ownership or group‑company link between UTORG LABS HOLDING LTD / UAB Utrg and Chain Valley sp. z o.o., the temporal substitution of utPay by Chain Valley in identical casino integrations, the close mirroring of product and infrastructure, and the documented movement of a former Utorg CEO into the top role at Chain Valley together form a relational signature that makes an operational connection highly probable and the hypothesis of pure coincidence remote.” The connection between UTORG and Chain Valley is highly probable based on a “preponderance of evidence” rather than a single smoking gun. In compliance terms, this is often referred to as a “Relational Signature”—where technical, corporate, and temporal data points align so perfectly that the likelihood of coincidence is negligible. 1. The “Whack-a-Mole” Temporal Alignment The most compelling evidence is the timing. As UAB Utrg (utPay) faced regulatory pressure and eventual suspension in Lithuania, Chain Valley Sp. z o.o. simultaneously appeared as the primary crypto-processing alternative for the exact same merchant network (SoftSwiss/FinteqHub). The Switch: In the source code of platforms like LuckyDreams, the data-method-id attributes shifted from referencing utorg or utpay endpoints to chain-valley or rastpay (a brand associated with the Polish migration) while maintaining the exact same UI layout for the user. 1. Structural Evolution and Executive Continuity The investigation into the UTORG Group reveals a highly agile corporate structure designed to navigate the tightening EU regulatory landscape. The group’s journey from Estonia (Utorg OÜ) to Lithuania (UAB Utrg) and now Poland (Chain Valley Sp. z o.o.) is not a series of independent failures, but a strategic “license migration.” The most definitive link is the role of Ilie Cernişev (LinkedIn). Corporate records from 2022 confirm him as the CEO of the Estonian branch during its peak expansion. His reappearance as the head of Chain Valley in Poland (KRS 0001036419) as of August 2023 provides irrefutable evidence that Chain Valley is the current operational arm of the UTORG ecosystem. 2. The FinteqHub / SoftSwiss Nexus Source code of Lucky Dreams payment page showing payment rail FinteqHub -> utorg The group’s primary revenue driver is its partnership with SoftSwiss, specifically through its payment aggregator FinteqHub. Historically, “utPay” was the preferred method for “Crypto via Card” transactions on casino sites like LuckyDreams and Rooli. The screenshot on the left shows the payment rail in the code of the Lucky Dreams payment page, with a direct connection between SoftSwiss FinteqHub and UTORG. When Lithuania’s FCIS tightened requirements, “utPay” was phased out. Real-time transaction monitoring and source code analysis of the LuckyDreams payment page (see uploaded image) show that Chain Valley now occupies the exact technical slot previously held by utPay, using identical API structures and user interface elements. A digital “DNA” test of the two services reveals nearly identical technical fingerprints: API Architecture: The way Chain Valley’s payment widget interacts with the FinteqHub aggregator mirrors the legacy utPay integration. Customer Support & Documentation: Internal support documents for merchants transitioning from utPay to Chain Valley used similar language, and in some cases, shared the same technical support channels or desk-level contact points. 3. The Abu Dhabi Command Center While the EU entities change, the core remains stable in the UAE. UTORG LABS HOLDING LTD (Abu Dhabi Global Market) acts as the intellectual and legal “mother ship.” It manages: Mikhail Zhuchkov (Chairman) and Eugene Petrakov (CEO) as the group’s strategic leaders. The centralized development of the “fiat-to-crypto” technology stack. The legal ownership of the group’s brand and domains. 4. AML/CFT Risk & “Merchant of Record” Masking For financial institutions, Chain Valley presents a significant Transaction Laundering risk. By acting as a “Virtual Asset Service Provider,” the company allows banks to see a “crypto purchase” rather than a “casino deposit.” Under PSD2 and upcoming MiCA rules, this “masking” is a high-risk typology for circumventing national gambling bans. Compliance & Regulatory Implications 1) “VASP registration” is not a fiat payments licence ChainValley’s RDWW listing is a virtual-currency activities registration, not a PSD2 payment institution licence. If the same entity (or stack) effectively initiates/receives/aggregates fiat flows for merchant purposes (e.g., casino deposits masked as “crypto purchases”), regulators will ask: who is the authorised payment service provider in the chain, and where is the safeguarded client money? 2) Terms banning “illegal gambling” are meaningless without controls ChainValley explicitly bans use for “illegal gambling operations.” If offshore casinos are a major source of inbound traffic and conversion flow (as FinTelegram’s Rail Atlas work repeatedly indicates), then either: compliance is not implemented, compliance is deliberately bypassed, or the model relies on formal “terms” for regulators while the commercial reality is different. 3) MiCA transition creates “migration incentives” (Lithuania → Poland) ESMA’s published overview shows different national transitional windows for MiCA across Member States (e.g., Lithuania vs Poland). That matters because high-risk payment layers tend to re-platform to the jurisdiction where onboarding friction is lowest—without changing the underlying customer base (Germany-first, in your observed casino rails). 4) Historic Estonia → Lithuania shift is a known pattern Utorg OÜ’s licence invalidation in Estonia is a notable marker in the “move the entity, keep the business” playbook. Lithuania’s register confirms UAB Utrg’s declared VASP activities, which fits the observed “regulatory transition” narrative. Summary Table: Connected Entities & Brands Entity / BrandJurisdictionDomains observedRegulatory posture (public)Role in rail hypothesisUTORG LABS HOLDING LTDUAE (Abu Dhabi)utorg.com stackDisclosed as ownership layer for UTORG app/site stackBrand/ownership layerUtorg OÜEstoniautorg.pro (site owner references)Estonia FIU lists licence invalidated (historic)Prior EU operating layer / legacyUAB UtrgLithuaniautpay.io Declared as VASP activities in LT register bulletinEU operating layer (crypto services)Chain Valley Sp. z o.o. (ChainValley)Polandchainvalley.pro / app.chainvalley.proKRS 0000984860 (Chain Valley); Listed in Poland RDWW (VASP register)Conversion backend; “crypto purchase / fake-FIAT” node Export to Sheets Whistleblower Call to Action Are you an insider? We are seeking further information regarding the internal transfer of merchant contracts from UAB Utrg to Chain Valley and the specific roles of the Abu Dhabi holding company in managing EU fiat flows. Report anonymously via Whistle42. Your identity is protected by end-to-end encryption. Sources & Links FinTelegram Reports: Chain Valley & Utorg Coverage Lithuanian Register of Legal Entities: UAB Utrg Status Polish VASP Register: Chain Valley Sp. z o.o. Registration Corporate Records: KRS 0000984860 (Chain Valley) UTORG Legal Pages: About UTORG Group

MiCA is now the legal gate for crypto-asset service providers (CASPs) across the EU — but the licensing rollout is uneven, political, and increasingly competitive. Czech National Bank confirmed on 11 February 2026 that it issued the first six CASP authorisations, after receiving 248 applications. Meanwhile, Austrian Financial Market Authority (FMA) has already authorised multiple “EU hub” entities since spring 2025, reinforcing the perception of an emerging licensing race inside the single market. Key points MiCA timeline: rules for ART/EMT “stablecoins” have applied since 30 June 2024; CASP authorisation regime since 30 December 2024. EU scoreboard exists: European Securities and Markets Authority (ESMA) publishes an Interim MiCA Register (updated weekly) including authorised CASPs and non-compliant entities (last update shown: 9 Feb 2026). Czechia: first six authorisations issued 11 Feb 2026; 248 applications received; transitional regime runs no later than 1 July 2026 for timely applicants. Austria: multiple Article 63 CASP authorisations already granted (examples below), feeding the “Vienna hub” narrative. Regulatory concern is explicit: a joint paper by CONSOB, Autorité des marchés financiers (AMF), and the Austrian regulator warns of major supervisory differences and calls for direct ESMA supervision of major CASPs to prevent “opportunistic choices” for authorisation. MiCA “marketing abuse” risk: ESMA has warned CASPs not to mislead customers by implying all platform products are regulated just because the firm is licensed. What happened in Czechia (and why it matters) Czech Republic has moved from “reportedly” to confirmed: the CNB says it issued the first six MiCA/CASP authorisations on 11 Feb 2026. It also disclosed an eye-catching pipeline: 248 applications, with most filed just before the end-July 2025 deadline for transitional treatment. Two compliance takeaways: This is not a boutique regime — the volume indicates a large legacy market migrating into MiCA. Timing pressure is real: CNB states the transitional ability to operate ends no later than 1 July 2026 (for those relying on it). The CNB also signals a “throughput” strategy (including internal AI tooling for document review) — exactly what you’d expect in a jurisdiction trying to avoid being seen as slow or hostile to licensing. Austria’s FMA: Early Mover, Visible “MiCA Hub” Signals Austria has produced a steady stream of published authorisation notices. Four concrete examples (all Article 63 MiCA authorisations): KuCoin EU Exchange GmbH obtained a CASP authorisation from the FMA on 27 November 2025, under Article 63 MiCA, via its Vienna‑based entity (FN 641084x). Bitpanda GmbH — decision dated 9 Apr 2025 (custody; crypto/fiat exchange; crypto/crypto exchange; execution; placing; RTO; transfers). Bybit EU GmbH — decision dated 28 May 2025 (custody; exchange; placing; transfers). AMINA (Austria) AG — decision dated 29 Oct 2025 (custody; exchange; portfolio management; transfers). Coinfinity GmbH — decision dated 19 Dec 2025 (custody; exchange; advice; transfers). Notably, the Austrian notices also show how MiCA authorisation replaces prior national AML-only “VASP registration” status (a regulatory step-up that many market participants still blur in their marketing). EU-Wide Status: The “Single Licence” is Real — The Supervision is Not (Yet) MiCA creates passporting: a CASP authorised in one Member State can serve others cross-border under MiCA notification mechanics. That’s why the licensing jurisdiction matters and why “hub competition” is not just PR — it is single-market gatekeeping. Three data-backed signals that the EU is worried about fragmentation: ESMA’s Interim MiCA Register exists specifically to centralise visibility (authorised CASPs + non-compliant entities), and is being updated weekly pending full IT integration by mid-2026. ESMA peer review on Malta’s licensing found unresolved issues at authorisation time and warns all NCAs to focus on growth, conflicts, governance, intragroup arrangements, ICT architecture, and promotion of unregulated services. Consob/AMF/FMA joint proposal (Sept 2025) explicitly calls out “major differences” and pushes the politically explosive fix: direct ESMA supervision of major CASPs to prevent jurisdiction shopping. Meanwhile, Member States are still exercising transitional discretion differently (e.g., France communicating 1 July 2026 as the end of its transitional window; Spain reportedly extending to July 2026 due to pending files). Actionable insight for compliance teams Treat ESMA’s register as the source of truth for “licensed” claims (and screenshot it for audit files when onboarding high-risk CASPs). Pressure-test scope creep: if a CASP advertises MiCA status, force product-by-product classification (MiCA vs non-MiCA) and document disclosures — ESMA is explicitly watching “MiCA-washing.” Watch hub dynamics: Czechia’s sudden throughput (248 files) and Austria’s early approvals are exactly where cross-border business will cluster — and where supervisory capacity gets stressed first. Call for Information FinTelegram is tracking MiCA authorisation pipelines, “licence shopping” strategies, and cases where firms market unregulated products under a regulated halo. If you have internal information (application status, regulator correspondence, remediation plans, or evidence of misleading “MiCA licensed” claims), submit it via Whistle42.com. Share Information via Whistle42

In a chilling convergence of “White Front” FinTech and Eastern European boiler rooms, newly unearthed criminal records reveal how Payvision CEO Rudolf Booker allegedly hand-picked a reputation expert to “de-google” whistleblowers. Using stolen victim funds, cybercrime masterminds Uwe Lenhoff and Gal Barak paid to bury the truth, proving that for the architects of the €131 million Payvision scandal, silence wasn’t just golden—it was bought. Key Findings The Unholy Alliance: Between 2016 and 2019, Payvision served as the primary money-laundering engine for Uwe Lenhoff’s Winslet EOOD and Gal Barak’s E&G Bulgaria, processing over €131 million in stolen consumer funds. Booker’s Recommendation: Criminal files indicate that Payvision CEO Rudolf Booker personally recommended the Amsterdam-based reputation expert Marco Juffermans to help the scammers suppress FinTelegram’s investigative reports. The “De-Google” Contract: On December 12, 2018, Lenhoff and Barak discussed hiring Juffermans via Telegram; by the next day, Barak confirmed payment had been sent to “Marco”. Victims Paid for Their Own Silence: The funds used to hire Juffermans’ agency, White Canvas, were the direct proceeds of the binary options and CFD scams perpetrated against tens of thousands of victims. Regulatory Fallout: Despite the attempt to bury the truth, the subsequent arrests of Lenhoff and Barak led to the 2021 closure of Payvision. The Wiretapped Communication Exposure FinTelegram has received copies of the criminal files from a whistleblower containing the intercepted communications of cybercrime masterminds Uwe Lenhoff and Gal Barak, who were arrested in 2019. We have verified the authenticity of the documents. The wiretap extract from Lenhoff’s Samsung phone is unusually explicit about the role of reputation management in the Payvision–Lenhoff–Barak ecosystem.​ On 12 December 2018, Lenhoff sends Barak a name and number via Telegram: “Marco Juffermans…” followed by Dutch mobile number +31 6 5588 5858.​ Lenhoff instructs: “Speak with him, he can help to clean up Google with all bullshit. Its from Rudolf.”​ The next day, 13 December 2018, Barak reports back: “done, please let Rudolf know, i will send payment today.”​ Lenhoff asks: “Welch payment? To Marco?” – Barak replies: “yes.”​ Lenhoff reassures Barak: “Marco is close with Rudolf.”​ These lines establish several crucial points: Originator: The initiative and contact come “from Rudolf” – clearly referencing Payvision CEO Rudolf Booker as the one who brought Juffermans in.​ Purpose: The task is plainly described as “clean up Google with all bullshit,” an unambiguous reference to removing or burying critical online content, including FinTelegram’s reporting.​ Payment flow: Barak, who financed his operations with victim funds, explicitly states he will send the payment the same day.​​ Proximity: “Marco is close with Rudolf” places Juffermans in Booker’s immediate business and personal orbit, not as an incidental third-party vendor.​ In parallel, FinTelegram reports that Booker personally worried about FinTelegram’s revelations and discussed how to “stop” FinTelegram from covering Payvision’s gray market business. In late 2018, Payvision was under mounting pressure: regulators had issued warnings against Lenhoff/Barak brands, victims and NGOs like EFRI raised complaints, and FinTelegram systematically connected the dots between the scams and Payvision’s acquiring activity. Against this backdrop, the decision to engage a reputation specialist to manipulate search results is not simply a PR move; it looks like a deliberate attempt to: shield Payvision from further reputational and regulatory fallout preserve the ongoing flow of illicit transactional volume weaken and neutralize early-warning reporting for prospective victims The moral inversion is striking: stolen customer funds were used not to compensate victims, but to suppress the very warnings that could have reduced further harm.​ Weaponizing “Reputation Management” to Mask Cybercrime The fall of the Payvision cybercrime enabler scheme has long been framed as a failure of KYC (Know Your Customer) protocols, but the latest evidence from criminal files suggests something far more predatory: active collusion to silence truth-tellers. As FinTelegram systematically exposed the fraudulent “boiler rooms” operated by Uwe Lenhoff and Gal Barak, the exposure became an existential threat to Payvision’s lucrative laundering business. Internal communications show that the scammers and their FinTech facilitators viewed FinTelegram as “Public Enemy Number 1”. By late 2018, the walls were closing in. Rather than terminating the relationship upon the discovery of criminal activity, Payvision CEO Rudolf Booker allegedly took a proactive role in the scammers’ defense. He introduced Lenhoff and Barak to Marco Juffermans, a specialist in “the right to be forgotten”. The cynicism of this move is profound. Wiretap transcripts from December 2018, confirm that Gal Barak moved swiftly to fund Juffermans’ efforts to manipulate Google search results, effectively using the money stolen from victims to ensure no more warnings could reach the public. This was not a standard corporate reputation fix; it was a tactical strike intended to keep the scam operational by pushing FinTelegram’s warnings into digital obscurity. Ultimately, the strategy failed. The sheer scale of the fraud—reaching a valuation of €360 million when ING acquired Payvision—could not be hidden by SEO manipulation. While Lenhoff and Barak were eventually arrested, the role of “reputation guards” in facilitating these crimes remains a dark chapter that investigators are only now fully unravelling in 2026. Payvision, ING, and the evolving criminal exposure FinTelegram and later Dutch media have shown that Payvision functioned as a “Wirecard mini‑me” – a payment hub heavily exposed to high‑risk merchant portfolios, especially fraudulent online brokers, binary options, and gambling schemes. Key elements of Payvision’s role include: Volume and awareness: Lenhoff and Barak’s operations processed tens to hundreds of millions through Payvision, with extremely high chargeback ratios that clearly signaled fraud and victim distress. Ignored compliance: DNB’s findings, cited in Dutch coverage and FinTelegram, indicate that Payvision’s compliance staff wanted to file SARs, freeze funds, and terminate these clients, but management – allegedly including Booker – pushed to continue the relationships. Value extraction and exit: Booker used Payvision’s inflated transaction volumes, much of it from high‑risk or fraudulent merchants, to sell the company to ING in 2018 for approximately €360 million.​ After the sale: Victims and EFRI began filing civil claims and money laundering complaints against Payvision and ING in various jurisdictions, accusing them of knowingly facilitating fraudulent broker schemes. DNB investigated Payvision and sanctioned the company for serious AML and financial law violations, while the Dutch FIOD conducted raids and seized data for criminal investigations. ING eventually shut down Payvision in 2021, publicly framing it as a strategic cleanup of non‑core, ethically problematic business. In 2024 and 2025, the Payvision case gained renewed attention as examples of Dutch “double standards” in financial crime enforcement: while privacy‑focused crypto developers faced harsh prosecution, Payvision’s top management, including Booker, remained at liberty despite extensive evidence of facilitation and alleged advisory support to scammers.​ In addition, victims of the Lenhoff and Barak Payvision scams and the parent company ING are suing for damages. The victims are also being represented by the European Funds Initiative (EFRI) in a planned class action lawsuit. It therefore seems certain that the Payvision criminal case will not be closed for some time yet. As of 2026: Civil litigation by victims against Payvision/ING continues and expands, leveraging the rich criminal files from Austria and Germany on Lenhoff and Barak’s operations. New criminal complaints and investigative initiatives are underway in several EU jurisdictions, re‑evaluating Payvision’s and ING’s liability in light of these files and cross‑border AML obligations. EFRI continues to coordinate lawsuits against Payvision, ING and the involved individuals. In this evolving context, the reputation management campaign orchestrated via Juffermans is no longer a side episode; it might become probative evidence of: intent and knowledge (the need to “clean up” specific investigative reporting) a pattern of obstructive behavior toward regulators, media, and victims Portrait: Reputation Guard Marco Juffermans The reputation guard Marko Huffermans Marco Juffermans (LinkedinIn profile) is the CEO and founder of White Canvas Reputation Guards (formerly White Canvas International). He has marketed himself as the pioneer of the “ontgooglen” (de-googling) concept, specializing in online reputation management and the “right to be forgotten”. The Agency: White Canvas (website) operates as a “reputation guard,” offering services to individuals and corporations to remove or suppress negative content from search engines. Juffermans has publicly argued that everyone has a right to move past their mistakes, even claiming he would help those who have “served their time”. The Dilemma: While Juffermans speaks of “moral dilemmas” and integrity in his public interviews, the Payvision files suggest a more mercenary application of his craft: helping active cybercriminals hide their tracks from current and future victims. The Connection: In the communication between Lenhoff and Barak, Juffermans was described as being “very close” to Rudolf Booker, positioning his agency as a preferred tool for the Payvision inner circle. Whistleblowers Wanted: Help Us Finish the Investigation The Payvision scandal is far from over. As criminal charges and victim lawsuits continue to develop in 2026 against ING and the former Payvision leadership, your information is more critical than ever. Were you an employee at Payvision or White Canvas during the 2016–2019 period? Do you have information regarding the internal discussions about FinTelegram or the suppression of scam-related warnings? Share your information securely and anonymously via Whistle42. Your evidence could be the final piece in the puzzle to bring full justice to the tens of thousands of victims whose lives were destroyed by this syndicate. Share Information via Whistle42

A new whistleblower leak adds technical detail to FinteqHub’s role in the SoftSwiss & Dream Finance (dba CoinsPaid, CryptoProcessing) ecosystem: card and Apple Pay transactions at the Lucky Dreams casino are allegedly cascaded through a stack of third‑party processors, raising acute transparency and AML concerns for regulators and banks dealing with these rails. Key findings FinteqHub markets itself as a PCI DSS‑certified “payment orchestration” platform with 50+ integrated providers and smart routing for card and alternative payments. A whistleblower claims that at LuckyDreams casino, card payments flow via FinteqHub through: pay.spoynt.com (Spoynt gateway), transactions.decta.com (Decta), rapyd.net (Rapyd),and that Cardaq may also be involved (as discussed on Casinoguru). Separate sources confirm Spoynt (Estonia‑based), Decta (global card acquirer), Rapyd (major cross‑border payments/Wallets provider) and Rastpay (Apple Pay‑capable PSP) as active payment providers that can be integrated by orchestration layers like FinteqHub. The previous FinTelegram investigation already showed: FinteqHub is a SoftSwiss‑built gateway product. Its EU trademark and IP sit in Dream Transaction Lda, Madeira, whose shareholders are Pavel Kashuba, PrimeFuture Ltd and Bitcapital Ltd, all linked to the Dream Finance / SoftSwiss circle.​ Dream Finance entities in Lithuania, Poland and El Salvador have been suspended or liquidated in regulatory context and amid money‑laundering allegations. The whistleblower’s network‑trace narrative (FinteqHub → Spoynt → Decta → Rapyd, with Rastpay for Apple Pay) is technically plausible for a stacked orchestration model, but cannot yet be independently verified for LuckyDreams without direct log evidence or traffic captures. Read our initial FINTEQHUB report here. Interpretive analysis FinteqHub’s own sales pitch is that it is a “payment orchestration” hub sitting between merchants (including iGaming) and dozens of PSPs, acquirers and wallets via a unified API and smart routing engine. This architecture naturally supports cascading flows of the type described by the whistleblower: initial card request at the casino front‑end, then redirect or API hand‑off to FinteqHub, which in turn routes the transaction to connected gateways such as Spoynt, Decta, Rapyd or others depending on risk and approval‑rate logic. Spoynt markets transaction cascading and multi‑gateway routing specifically to improve approval ratios and support high‑risk merchants. Decta and Rapyd provide card acquiring, wallets and cross‑border settlement capabilities that are widely used by gaming and high‑risk e‑commerce. Rastpay positions itself as a gateway offering card and mobile‑wallet payments, including Apple Pay, and is available as a pluggable provider via integration platforms like Corefy. In other words, each of the PSPs cited by the whistleblower does operate in a way that is technically compatible with being nested under a top‑level orchestrator such as FinteqHub. When this technical picture is overlaid on yesterday’s structural findings, the risk profile becomes sharper: Screenshota screenshot of the source code of the deposit page on Lucky Dreams listing various payment methods, including Spoynt and Rastpay – each with a direct link to Finteqhub. The ownership and control of FinteqHub are rooted in the Dream Finance / SoftSwiss group via Dream Transaction Lda and Cyprus shareholders tied to Ivan Montik and Pavel Kashuba.​ The regulatory perimeter around Dream Finance has already been breached: MiCA‑driven suspension in Lithuania, liquidation of Poland and El Salvador entities, and allegations of casino‑driven laundering and tax evasion. the involved third‑party providers may be unknowingly servicing high‑risk SoftSwiss casinos through an intermediate gateway, complicating their own KYC/KYB and merchant‑of‑record assessments. At this stage, FinTelegram cannot publicly state as fact that LuckyDreams payments follow the exact sequence described in the whistleblower’s message; that would require corroboration via payment‑page code analysis, network captures, or PSP‑side documentation. However, the combination of: FinteqHub’s documented orchestration model, Spoynt’s and Rapyd’s own positioning as cascading / multi‑method gateways, and the known SoftSwiss / Dream Finance control over FinteqHub,​​ makes the whistleblower’s description credible and consistent with how this stack is likely configured for iGaming merchants. Summarizing Table Here is a concise summary table of the alleged FINTEQHUB rails, the processors involved, and their roles in the stack: Layer in flow (alleged)Domain / EntityRole in the stack (function)Public profile / capabilities relevant here1. Frontend casinofor example:luckydreams.comOnline casino front‑end where player initiates card or Apple Pay deposit; integrates with FinteqHub API/checkout (alleged).SoftSwiss‑style iGaming brand; uses third‑party gateways for payments (not independently confirmed for FinteqHub).2. Orchestration layerFinteqHubPayment orchestration and routing engine; receives requests from casino, selects downstream PSP/acquirer based on rules, risk, and approval rates.Positions itself as a “payment gateway & orchestration platform” with 50+ providers, smart routing, PCI DSS, focus on iGaming.3. Gateway / PSPpay.spoynt.com (Spoynt)Card gateway / PSP endpoint allegedly called by FinteqHub; handles checkout, tokenisation, and forwarding to acquirer(s).Spoynt markets a full payment gateway with multi‑acquirer routing and high‑risk merchant support.4. Acquirer / processortransactions.decta.com (Decta)Card acquiring and processing; authorisation, clearing and settlement between card schemes, issuing banks and merchant accounts.Decta is a Visa/Mastercard acquirer and certified processor offering gateway + acquiring + issuing; full card‑scheme connection.5. Global PSP / networkrapyd.net (Rapyd)Global card acquiring and alternative methods; may serve as another route or fallback for cross‑border card and wallet payments.Rapyd provides global card acquiring and 100+ country payment methods via one platform, widely used in iGaming/online services.6. Additional card PSPCardaq (alleged)Possible additional card gateway/acquirer in the chain, e.g. for specific corridors or merchant IDs (mentioned on CasinoGuru per whistleblower).Cardaq is an EMI‑licensed payment and card‑issuing provider, PCI DSS‑certified; public complaints allege involvement in miscoding casino transactions.7. Apple Pay PSPRastpay (rastpay.com)Dedicated PSP for Apple Pay and possibly cards; FinteqHub allegedly routes Apple Pay deposits to Rastpay for tokenisation and processing.Rastpay advertises itself as a secure payment gateway offering cards and mobile wallets like Apple Pay, and is integrated as a provider on platforms such as Corefy. This table is built from the whistleblower’s account (for the specific routing and LuckyDreams use) combined with public information on each processor’s general role and capabilities; the exact sequence and merchant‑of‑record relationships for LuckyDreams remain alleged and are not yet independently verified. Call to players, insiders and PSP staff FinTelegram is continuing to map the payment stack behind FinteqHub and the SoftSwiss / Dream Finance Group, including the role of Spoynt, Decta, Rapyd, Rastpay, Cardaq and other processors in handling casino deposits and withdrawals for brands such as LuckyDreams. We urgently invite: Players who used card, Apple Pay or alternative methods at LuckyDreams or other SoftSwiss‑powered casinos, Current and former employees of FinteqHub, SoftSwiss, Dream Finance, Spoynt, Decta, Rapyd, Rastpay or Cardaq, Bank and PSP compliance officers who have seen unusual traffic patterns or onboarding documents involving these entities, to submit screenshots, bank statements, payment URLs, technical logs, routing diagrams, contracts or internal communications through our secure whistleblower platform Whistle42. Share Information via Whistle42 Your evidence can help regulators and financial institutions understand how this layered orchestration is used to disguise merchant identities, circumvent gambling restrictions, or facilitate suspicious flows, and will be handled with strict source‑protection standards.

A whistleblower dossier exposed that FINTEQHUB (finteqhub.com) is operated via Dream Transaction Lda (Portugal) and sits inside the same ownership orbit as the CoinsPaid/CryptoProcessing cluster. We validated core elements: Dream Transaction’s shareholder register includes the same holding vehicles and individuals repeatedly appearing in em; FINTEQHUB, meanwhile, markets itself as “headquartered” in Lithuania. Key findings (validated & relevant) Dream Transaction Lda (Portuguese corporate gazette) shows a €5,000 company with shareholders in the SoftSwiss & Dream Finance network: Pavel Kashuba (40%), Primefuture Limited (40%), and Bitcapital Limited (20%). In a BVI court judgment, Primefuture and Bitcapital are described as the vehicles through which Dzmitry Yaikau and Ivan Montik held beneficial ownership in a key SoftSwiss holding structure. FINTEQHUB itself claims it is “headquartered in Lithuania” with representation in other jurisdictions and R&D centers (incl. Portugal). FINTEQHUB’s privacy policy contains an unusual cross-border data statement (“transfer … to Belarus”), a material GDPR/compliance red flag in any high-risk payments context. FINTEQHUB has been publicly framed as a SoftSwiss-built payments product: SoftSwiss stated that its PSP team developed “FinteqHub.” CoinsPaid’s Legal Hub states Dream Finance UAB (LT) has suspended all crypto-asset services (onboarding, transactions, new agreements), while listing other group entities (EE/US/CA). Trademark aggregators list Dream Transaction Lda as owner of a FINTEQHUB mark (we treat this as corroborative, not standalone proof). Compliance analysis: why FINTEQHUB is Now a Chokepoint Worth Scrutinizing 1) “Headquartered in Lithuania” vs. Portuguese ownership + SoftSwiss holding vehiclesA Lithuania-facing brand (LinkedIn), paired with a Portuguese IP/ownership layer and shareholders tied (via court-described holding structures) to the SoftSwiss ecosystem, is a classic regulatory-distance architecture. It does not prove wrongdoing—but it does increase the likelihood of opacity around beneficial ownership, contracting entity, and AML accountability. 2) PSD2/PayFac question: is it “software” or “payment services”?FINTEQHUB markets payment gateway + payment method integrations and explicitly targets high-risk verticals (iGaming/Forex/Adult). If it provides payment services (PayFac-style orchestration, settlement flows, or “open bank account” onboarding) rather than mere software, licensing/agent structure and AML role-splitting become critical: Who is the regulated PSP/acquirer? Where does KYC sit? Who screens merchants and monitors transactions? 3) Post-MiCA “replacement rail” hypothesisWith Dream Finance UAB’s crypto services suspended, the ecosystem’s incentive to “route around” EU chokepoints rises. FINTEQHUB’s positioning (Lithuania-facing) and ownership trail makes it a plausible candidate for continuity of high-risk merchant processing—a hypothesis that now needs transaction-level evidence. Dream Finance Group — Known Entities Map Entity (known name)JurisdictionRole (publicly stated / reported)Status / notesDream Finance OÜEECoinsPaid operator (site disclosures)Active; VASP license referenced on CoinsPaid pagesDream Finance UABLTCoinsPaid entity (Legal Hub)Crypto services temporarily suspendedDream Finance US LLCUS (DE)Group entity listed by CoinsPaidListed in Legal Hub as MSBDream Finance Processing Inc.CAGroup entity listed by CoinsPaidListed in Legal Hub as MSBDream Payments Sp. z o.o.PLCryptoProcessing expansion vehiclePublicly referenced in PL rollout coverageDream Finance S.A. de C.V.SVLocal operating entity (reported)Reported liquidation/controlled wind-downDream Transaction LdaPTShareholder-controlled company tied to FINTEQHUB (per whistleblower + filings)Share register confirmed in PT gazetteBitcapital Ltd CYShareholder Dream Transaction LdaSuggested UBO: Ivan MontikPrimefuture LtdCYShareholder Dream Transaction LdaSuggested UBO: Dzmitry Yaikau Call for information If you have contracts, bank/PSP onboarding packs, merchant emails, gateway dashboards, settlement instructions, or transaction evidence showing how FINTEQHUB routes funds (PSP/acquirer names, beneficiary entities, IBANs, crypto settlement addresses), please share it securely via Whistle42.com. We are specifically seeking proof of who actually contracts merchants and who actually settles payments behind the FINTEQHUB brand. Share Information via Whistle42

A seismic shift is occurring in the high-risk payment landscape. Following the MiCA-driven regulatory “cliff-edge” in Lithuania on December 31, 2025, illegal offshore casinos have found a new haven: ChainValley. This Polish Virtual Asset Service Provider (VASP) has seen a staggering 362% explosion in traffic, effectively replacing the suspended utPay as the primary “fake FIAT” rail for German players. Operating in a regulatory vacuum created by Poland’s recent veto of its national MiCA framework, ChainValley appears to be facilitating millions in unlicensed gambling transactions while its official terms of service—which prohibit such activity—remain a mere paper shield. KEY FINDINGS Explosive Traffic Surge: Similarweb data reveals that app.chainvalley.pro visits skyrocketed from approximately 250,000 in December 2025 to over 1 million in January 2026. The utPay Replacement: As Lithuanian regulator Lietuvos Bankas enforced the MiCA transition, utPay (formerly a dominant iGaming facilitator) saw a 75% collapse in traffic. ChainValley has almost perfectly absorbed this volume. German Player Focus: Nearly 80% of ChainValley’s traffic originates from Germany, targeting players at illegal offshore casinos like DudeSpin. Shadow Partnerships: Traffic analysis identifies PPRO (accounting for 90% of outgoing links) and the blacklisted Smartpayz as critical infrastructure partners for ChainValley’s payment flows. Regulatory Arbitrage: ChainValley is exploiting Poland’s status as the “lone MiCA holdout” in the EU following the December 2025 presidential veto of the Polish Crypto-Asset Market Act. COMPLIANCE & RISK ANALYSIS 1. The “Fake FIAT” Mechanism ChainValley functions as a “fake FIAT” rail. In this setup, players believe they are making a standard bank transfer or card payment for a service. In reality, ChainValley acts as an on-ramper, instantly converting these FIAT deposits into cryptocurrency to fund offshore casino accounts. This obfuscates the transaction’s true nature from the player’s bank, bypassing gambling blocks. 2. PSD2 / Payment services perimeter: If ChainValley (a VASP registrant) is functionally acting as a fiat receiving agent or money remitter for casino deposits, the obvious question is: under what PSD2 authorisation chain? Poland’s RDWW register is not a financial licence, and Polish tax/treasury communications have been clear that registered virtual currency activity is not “licensed or supervised” like regulated financial services (oversight is primarily AML/CFT control) 3. Regulatory Migration: Lithuania to Poland The “Lithuanian Blackout” of early 2026—which saw major players like utPay and CoinsPaid (Dream Finance) suspend services—was the catalyst for ChainValley’s growth. While Lithuania now requires a rigorous MiCA license (€125k capital, “Fit and Proper” checks), Poland remains under a simplified VASP registration regime. Read our ChainValley reports here. 4. What This Likely Is: “Gambling-by-Conversion” Let’s be explicit: the core activity behind these rails is not “payments innovation.” It is regulated gambling evasion. Many of the casinos feeding these gateways are unauthorised in key EU jurisdictions, yet they localise language, present EU-friendly payment options, and accept EU deposits. The payment rail then performs the real trick: a casino deposit is operationally reframed as something else—often a crypto purchase—before value is moved to the casino operator. That is not a neutral technicality. It is a compliance design choice. Working Hypothesis: Compliance at ChainValley is likely non-existent or “theatrical.” The company’s Terms & Conditions explicitly forbid illegal gambling, yet the data shows they are the primary gateway for it. This suggests a deliberate circumvention of AML/KYC protocols to capture the displaced utPay market. Partner Risk: PPRO and Smartpayz The high concentration of outgoing traffic to PPRO (approx. 90%) is alarming. It suggests that PPRO’s infrastructure is being used to process the underlying bank transfers for these crypto-purchases. Furthermore, the integration with Smartpayz—a gateway already blacklisted by RatEx42—solidifies ChainValley’s position within a network of high-risk, non-compliant entities. Compliance questions to be asked: PPRO (www.ppro.com): What is the contractual relationship (if any) with ChainValley? Which merchant(s) are onboarded? What MCC/merchant classification is used? What geoblocking / gambling policies apply? (PPRO positions itself as a platform enabling local payments for merchants.) Smartpayz (www.smartpayz.com): Why does cashier.smartpayz.com appear as a top referrer into the ChainValley flow (screenshot above)? Smartpayz’s own website contains disclaimers suggesting it is informational and does not process client funds—yet the “cashier” subdomain behaves like a transaction surface. Black-listed: Smartpayz Compliance Profile on RatEx42. Call for Information If you are a player, bank compliance employee, PSP insider, or have handled disputes linked to these deposits, we need documents—not anecdotes: deposit confirmations (screenshots) showing payee/beneficiary, bank statement line items (with references), any ChainValley “order” pages, crypto quotes, or wallet outputs, chargeback / complaint correspondence, casino cashier screens showing the advertised method vs. actual flow. Submit securely via Whistle42 (anonymous if needed). The more receipts we get, the faster we can map the merchant chain and identify the accountable regulated entities. Share Information via Whistle42

The EU Commission is circulating a proposal to ban all cryptocurrency transactions linked to Russia, arguing that Moscow increasingly uses crypto rails, stablecoins and alternative payment networks to route value outside traditional banking and around sanctions. The initiative is framed as part of the EU’s 20th sanctions package and would require unanimous member-state approval. Key points From “service bans” to “transaction bans”: the EU already restricts crypto-asset wallet/account/custody services for Russian persons/entities under the Russia sanctions regime; the new move aims to sever the entire transaction pipeline, not just specific providers. “Heirs problem”: rather than chasing individual exchanges that can rebrand or relocate (e.g., successor structures to Garantex), the concept targets any Russia-linked crypto activity. Named rails: the draft reportedly flags the A7 platform and its stablecoin A7A5, and also seeks to prohibit transactions involving the planned digital rouble. Anti-circumvention expansion: the package also leans into third-country chokepoints (e.g., measures tied to Kyrgyzstan routes) and adds further banks/actors to listings. What this means for CASPs, fintechs, and banks If adopted, compliance programs would need to treat “Russia nexus” crypto flows like a hard sanctions perimeter: tighter customer/counterparty screening, stronger geo/IP controls, enhanced wallet risk scoring, and escalation rules for indirect exposure (beneficial ownership, intermediaries, OTC desks, payment hubs, stablecoin issuers). Actionable insight Start mapping your Russia-touchpoints now (customers, counterparties, wallets, liquidity venues, stablecoin rails). If your controls still assume “named entity” sanctions only, you’re already behind the enforcement curve. Call for Information Have you seen Russia-linked on/off-ramps, stablecoin corridors, or “shadow PayFac” structures used to bypass EU restrictions? Share evidence via Whistle42 (anonymity respected). Share Information via Whistle42

It is one of the largest European cybercrime cases, with dozens of indictments and victim lawsuits. In its center – the Dutch payment facilitator Payvision. Fresh excerpts from criminal files obtained by FinTelegram put Payvision’s then-CEO Rudolf Booker uncomfortably close to the Lenhoff–Barak scam machine. These are not the fingerprints of a “neutral payment processor,” but the voice of an anxious, hands-on gatekeeper—tracking media risk, debating how to contain exposure, and negotiating the survival of a relationship that should have been shut down. Key Points A wiretapped call transcript shows Booker explicitly worrying what a FinTelegram reporter would “write about me now—about Payvision.” Lenhoff’s answer: “Maybe that you’re doing business on the grey market.” In parallel Telegram evidence, Lenhoff tells Barak in December 2018: “Rudolf is a pussy… he will become very famous on this page (FinTelegram)… [They will] dig deeper in PV.” These excerpts align with years of allegations that Payvision functioned as a critical payment “chokepoint” for the Barak/Lenhoff fraud ecosystem. ING acquired a 75% stake in Payvision at a stated valuation of €360m and later announced a wind-down of Payvision’s PSP/acquiring services. In April 2024, the Dutch prosecution service Openbaar Ministerie issued penalty orders (fines of €150k and €180k) against two former Payvision directors for long-standing, structural AML/CFT (Wwft) violations. The central question remains: if the file excerpts show knowledge and operational entanglement, why is there still no public, courtroom-level accountability for the executive decision-makers? The Lenhoff–Barak Cybercrime Network German and Austrian law enforcement investigations established that German national Uwe Lenhoff and Israeli national Gal Barak ran a pan‑European cybercrime network of online trading, binary options, and gambling scams that defrauded tens of thousands of victims out of more than EUR 100 million. Barak, identified as a principal of the E&G Bulgaria organization, was finally convicted in Vienna in 2020 for investment fraud and money laundering and sentenced to several years in prison, with courts confirming the criminal nature of the schemes operated via numerous online brands. Lenhoff, who had been arrested after extensive investigations and EU‑wide coordination in January 2019, died in custody in Germany in 2020, with his death reported as sudden and unexplained, leaving many victims and open questions behind. These criminal cases did not arise in a vacuum. They sat on top of a payment infrastructure that made high‑velocity fraud collection and laundering possible – and here Payvision and its founder and CEO Rudolf Booker enter center stage. Read our Payvision reports here. Payvision’s Role and the DNB Findings Payvision, a Dutch card acquirer and payment processor founded and led by Rudolf Booker, positioned itself in high‑risk segments such as online gambling, forex, and similar verticals – sectors that law enforcement and regulators repeatedly associate with elevated fraud and money‑laundering risks. In 2018, ING acquired a 75% stake in Payvision at a valuation of around €360 million, a transaction that turned Payvision’s high‑risk volume – including the Lenhoff–Barak flows – into a lucrative exit for its founders and managers. The Dutch central bank (DNB) later issued a devastating supervisory investigation report on Payvision, describing systematic violations of the Dutch Money Laundering and Terrorist Financing Act and serious, long‑running failings in customer due diligence and ongoing monitoring. DNB’s findings make clear that Payvision continued to onboard and maintain high‑risk, fraud‑prone merchants despite glaring red flags, large volumes of suspicious transactions, and hundreds of internal alerts and suspicious activity indications; the watchdog found that Payvision effectively suspended or ignored its compliance obligations in pursuit of transaction volume. According to DNB‑related reporting, the central bank even filed a criminal complaint in 2021 against Payvision and Rudolf Booker personally, and ING consequently decided to wind down Payvision and surrender its license by mid‑2023. For the founders, however, the damage was already monetized: ING’s purchase price rewarded years of high‑risk growth, including the revenues generated from the Lenhoff and Barak fraud schemes. Under standard AML and criminal‑law doctrines in Europe, a financial institution (and its responsible managers) that knowingly provides payment rails to fraudulent organizations, in spite of red flags and supervisory warnings, risks liability as an aider and abettor to fraud and as a perpetrator of money‑laundering offenses Analysis: A “Laundromat” for Scammers Newly obtained wiretapped calls and digital communications paint a devastating picture of the relationship between Rudolf Booker, the founder and former CEO of Payvision, and the late Uwe Lenhoff. Far from a standard arm’s-length business relationship, the records show a close personal bond; Lenhoff even referred to Booker as his “friend” and hosted him at his luxury birthday celebrations. The evidence suggests that Booker was not merely a negligent executive but a knowing facilitator of large-scale investment fraud: Awareness of Fraud: Booker was fully aware that Lenhoff and Gal Barak (the “Wolf of Sofia”) were operating scam platforms like Option888 and XTraderFX. Despite hundreds of suspicious activity reports (SARs) and high chargeback rates from victims, Booker continued to provide the infrastructure necessary for these organizations to launder over €131 million. Active Manipulation: When chargebacks—claims from defrauded victims trying to claw back their money—became too frequent, the “good friend” Booker reportedly suggested using false transaction codes and new legal entities to evade detection by credit card networks. Profiting from Crime: Payvision didn’t just process the funds; it exploited the scammers. Booker reportedly imposed a sort of private “penalties” on the schemes of Lenhoff and Barak for chargebacks, effectively “ripping off the rippers” to inflate Payvision’s earnings ahead of its acquisition by ING. The chats: “Rudolf is a pussy… he will become very famous on this page” The WhatsApp from 25–26 December 2018 shows chat traffic between “UL” (Uwe Lenhoff) and “Gal” (Gal Barak).​ Shortly after a Payvision call informing Barak that his business was being shut down, Lenhoff writes that “one guy from Pay Vision tried to call me” and then delivers the key line: “Rudolf is a pussy and I told him that now he will become very famous on this page, cause when this WB [FinTelegram editor] is seeing that he is right, he will dig deeper in PV.”​ This message is explosive for several reasons: It shows that Lenhoff understood FinTelegram (“this page”) as a leverage tool against Booker and Payvision, threatening that further reporting would uncover more wrongdoing at the processor (“dig deeper in PV”).​ It indicates that Booker was already “affected” by the reporting and was trying to pull back under pressure, prompting Lenhoff to retaliate by weaponizing his knowledge of Payvision’s conduct.​ It suggests an environment in which scam operators and their payment facilitator CEO were locked in a mutual‑blackmail dynamic, each aware of the other’s exposure; this is inconsistent with any portrayal of Payvision as a misled victim of sophisticated clients.​ In other words, the criminals themselves perceived Payvision’s CEO as someone who could be pressured for money or favorable treatment precisely because of the media and regulatory risks around his conduct.​ Legal Conclusion: Contributing Perpetrator The findings of the Dutch Central Bank (DNB) confirm that Payvision’s compliance was systematically suspended or ignored. While two former directors were eventually issued penalty orders, the evidence suggests a more severe legal reality: Rudolf Booker knowingly and willingly supported a global cybercrime organization as a contributing perpetrator. Booker enriched himself personally through the sale to ING—a transaction valued at €360 million based on volumes built largely on the backs of defrauded consumers. While Lenhoff died in prison and Barak was sentenced to years behind bars, Booker has largely escaped the full weight of criminal prosecution. The ING Connection and Ongoing Lawsuits ING eventually shuttered Payvision in 2021 after realizing the “dark business” was incompatible with any ethical or regulatory framework. However, the fallout continues. Victims, represented by organizations like EFRI, are still pursuing millions in damages through courts in Austria, Germany, and the Netherlands. CALL FOR INSIDERS: WE NEED YOUR HELP The investigation into the “Payvision Laundromat” is far from over. We are looking for additional information regarding: Internal communications at Payvision or ING regarding the Lenhoff/Barak accounts. Details on the “private penalties” and fees charged to scam operators. Knowledge of deliberate compliance overrides directed by the board. Help us hold those who profited from cybercrime accountable. Submit your information securely via our Whistle42 system. Your anonymity is our priority. Share Information via Whistle42

A U.S. federal court has sentenced Daren Li in absentia to 20 years in prison for his role in a $73+ million global cryptocurrency “investment” scam allegedly run from scam centers in Cambodia. Prosecutors say the scheme blended romance/social-engineering with spoofed crypto trading sites—then relied on U.S. shell companies and banking access to convert victims’ wires into crypto rails. Key Points Sentence: 20 years’ imprisonment (statutory maximum) + 3 years’ supervised release, sentenced in absentia. Status: Li is a fugitive after allegedly cutting off an ankle monitor and absconding in December 2025. Plea: Li pleaded guilty on November 12, 2024 to conspiring to launder proceeds from crypto scams and related fraud. Scale: Li admitted the conspiracy caused at least $73.6M in victim funds to be deposited into accounts tied to him and co-conspirators (incl. $59.8M routed via U.S. shell companies). Modus operandi: Victims were approached via social media/dating platforms; scammers used encrypted messaging, spoofed “trading” sites, and sometimes fake “tech support” narratives to trigger wires/crypto deposits. Short Narrative According to U.S. Department of Justice, the operation was not “just” an online scam—it was an end-to-end cybercrime supply chain. The front end was social engineering: unsolicited outreach, relationship-building, and carefully staged “investment dashboards” hosted on spoofed domains mimicking legitimate crypto platforms. The back end was financial infrastructure abuse. Li admitted he helped orchestrate the laundering layer by directing others to open U.S. bank accounts for shell companies, monitoring incoming interstate and international wires, and overseeing conversion of victim funds into virtual currency. In other words: the scam’s profitability depended on converting emotional manipulation into banked money—and then into crypto settlement. Extended Analysis 1) “Cambodia scam centers” are only half the story. The other half is access to Western finance.The DOJ framing is revealing: the fraud is “carried out from scam centers” in Cambodia, but the laundering hinges on U.S.-based enablers—shell entities, bank onboarding, and payment routing that can absorb large inbound wires without triggering effective interdiction. 2) The case maps cleanly onto the “pig-butchering” typology—then adds a laundering spine.In the earlier charging phase, DOJ explicitly described the schemes as “pig butchering” and alleged a laundering syndicate moving $73M+ through U.S. financial institutions and onward—partly via offshore banking and conversion to Tether (USDT).This matters for compliance teams: when USDT (or other stablecoins) becomes the settlement rail, the scam economy gains speed, finality, and cross-border portability—exactly what traditional AML friction is supposed to prevent. 3) The fugitive problem is a feature, not a bug, for transnational fraud networks.Li’s alleged absconding in December 2025 underscores a recurring operational pattern: once a laundering node is identified, networks shift personnel, wallets, and corporate wrappers faster than mutual legal assistance and extradition timelines can move. Sentencing in absentia delivers deterrence messaging—but it also signals how difficult physical custody can be in globally distributed scam ecosystems. Call for Information FinTelegram is tracking the laundering infrastructure behind Cambodia-linked scam centers: shell-company formation, bank onboarding pathways, crypto off-ramps, and stablecoin settlement routes. If you have documents, compliance alerts, bank memos, exchange/KYC records, wallet intelligence, or insider information tied to this network, please submit securely via Whistle42.com (anonymous submissions welcome). Share Information via Whistle42

A follow-up review of SpinFin Casino (operating via SpinFin5.com) reveals a sophisticated evolution in payment routing designed to circumvent EU and UK regulatory oversight. The current infrastructure relies heavily on “Fake FIAT” rails—on-ramping processes where user deposits are instantly converted into cryptocurrencies (primarily USDC) via third-party agents before reaching the operator. Key shifts include the displacement of Lithuanian payment facilitators by Polish entities (e.g., ChainValley, ARI10) in response to the MiCA crackdown, and the persistent use of Cypriot banking (ISX Financial) for anonymous gateway processing. The Payment Rails: Detailed Breakdown 1. The MiFinity & Costa Rican Connection Our analysis confirms that EU and UK player deposits via MiFinity are routed to 102-945295 SRL, an entity registered in Costa Rica. Regulatory Status: Registered with the Tobique Gaming Commission (TGC). Compliance Note: The TGC has no legal standing to authorize gambling operations within the EU or UK. This entity functions as the primary “payment agent” and operator node for the SpinFin carousel. Read our SpinFin PayFac analysis here. 2. Sofort Uber: The Cypriot Gateway Pipeline The “Sofort Uber” rail is a shell for four anonymously operated gateways that shield the final recipient. Gateways: api.PWay.com, debitly.tech, transactionhandler.com, and sofortuberweisung.com. Banking Infrastructure: Funds are ultimately settled at ISX Financial EU PLC (Cyprus) via IBAN CY44 9040 0001 0009 7008 3170 1000. Insight: Despite regulatory pressure in Cyprus, ISX Financial continues to serve as a hub for these high-risk offshore flows. 3. Bank Transfer: The “Tink-to-Daxchain” On-Ramper The “Bank Transfer” option is a classic Fake FIAT rail. While the player sees a standard bank interface, the transaction is an immediate purchase of USDC stablecoins. On-Ramper: DAXCHAIN OÜ (Estonia). Open Banking Provider: Tink (a VISA subsidiary). Mechanism: Tink facilitates the FIAT transfer to Daxchain, which then issues crypto to the casino, effectively laundering the nature of the transaction from the player’s bank statement. 4. Revolut & The Polish ARI10 Axis For Revolut users, the on-ramping is handled by the Polish group ARI10 (operating via Bitcan / Bitcoin Sp. z o.o.). Operational Flow: Funds are sent to a transient wallet (0xf79...) and immediately transferred to the operator’s address (0x97b...). Compliance Note: The transaction is explicitly labeled as “irreversible,” a hallmark of crypto-based gambling deposits disguised as consumer payments. 5. The “Polish Shift”: ChainValley Replacing utPay Since late 2025, Lithuanian crypto providers have faced severe pressure due to MiCA implementation. Consequently, utPay has been replaced by ChainValley (Poland). Scope: ChainValley now powers the Skrill / Neteller / Rapid Transfer rails. Regulatory Context: Poland’s MiCA “grandfathering” period provides a temporary safe haven for these PayFacs to continue servicing illegal offshore operators. Fake FIAT Status: Like the Bank Transfer rail, these e-wallet deposits are now converted into crypto-orders via ChainValley before being credited to the casino. Read our ChainValley reports here. 6. SegoPay & PaySafeCard The PaySafeCard rail is routed through a series of gateway redirects: Path: api.pgway.com → tx.segopay.com → PaySafeCard. Provider: SegoPay, a gateway frequently associated with high-risk merchant accounts and offshore gambling. PayFac & Agent Summary Table Payment RailPrimary PayFac / AgentJurisdictionRoleCompliance StatusMiFinity102-945295 SRLCosta RicaPayment AgentUnlicensed (TGC only)Sofort UberISX Financial EU PLCCyprusSettlement BankEU Regulated / High-RiskBank TransferDAXCHAIN OÜEstoniaCrypto On-RamperVASP / FIU RegulatedRevolutBitcan / ARI10PolandCrypto On-RamperVASP (KNF Registered)Skrill/Net/RapidChainValleyPolandCrypto On-RamperVASP (Successor to utPay)PaySafeCardSegoPay / PGWAYVariousGatewayHigh-Risk AggregatorISX Financial EU PLC Sofort Uber RailCyprusSettlement BankEMI authorized by the Central Bank of Cyprus Export to Sheets Strategic Conclusion The “SpinFin Model” represents the current gold standard for offshore evasion: moving the regulatory friction point from the casino to regulated crypto on-rampers in jurisdictions like Poland and Estonia. By the time a regulator looks at the transaction, it has already been “cleaned” by its conversion into USDC. Call for Information If you have documentation showing (a) the contracting entity behind SpinFin5/SpinFin, (b) merchant-of-record disclosures, (c) wallet destination reuse across other casinos, or (d) bank/EMI accounts linked to these rails, please share it securely via Whistle42.com. Screenshots, email confirmations, and bank descriptors are particularly valuable. Share Information via Whistle42

A fresh cashier review of the SpinFin offshore casino (accessed via SpinFin5.com) shows a familiar pattern: “FIAT” deposit labels that actually route players into fiat-to-crypto purchases and onward transfers to operator wallets. Screenshots confirm multiple on-ramping layers — including **DAXCHAIN OÜ using Tink, Chain Valley Sp. z o.o. issuing “exchange orders” behind Skrill/Neteller/Rapid, and Bitcan sp. z o.o. converting deposits into USDC while the UI still reads like a bank payment flow. Key Points (evidence-led) Confirmed (screenshots): MiFinity deposits are directed to “3-102-945295 SRL” (shown as payee/recipient in the MiFinity overlay). Confirmed (screenshots): “Bank Transfer” routes into DAXCHAIN OÜ with a payment step stating: “DAXCHAIN OU uses Tink to make your payment” (open-banking payment initiation via Tink, now owned by Visa). Confirmed (screenshots): “Revolut” deposits open a gateway page that discloses a fiat→USDC conversion and an irreversible transfer to specified wallet addresses; the consent text references Bitcan sp. z o.o.. Confirmed (screenshots): Skrill/Neteller/Rapid routes into a ChainValley “Exchange order” flow (app.chainvalley.pro) — we captured an exchange order page + a “temporarily restricted” notice with support contact. Change vs. Dec 2025 review (internal comparison): utPay is no longer visible in the cashier; ChainValley appears to have replaced the Skrill/Neteller/Rapid rail and is operated as a “fake FIAT” on-ramp (crypto purchase first, operator funding second). Macro driver: the replacement of Baltic-linked rails with Polish rails fits the broader MiCA transitional “timing gap” dynamic across EU member states. Short Narrative SpinFin’s cashier is not just a list of payment buttons — it’s a routing layer. Players click “Bank Transfer,” “Revolut,” “Skrill,” or “MiFinity,” but the transaction logic quickly shifts into crypto on-ramps (USDC conversion, exchange orders, and wallet settlement). The resulting effect is predictable: regulated bank rails do the collection, while crypto rails do the delivery — often with the casino deposit narrative preserved on the front-end. Your uploaded “SpinFin On-Ramping Rails (Fake FIAT)” graphic captures this dissolution well: multiple cashier labels converge into an on-ramping layer (DAXCHAIN / Bitcan-ARI10 / ChainValley), and only then into the branded payment systems (Tink / Revolut / Skrill). Extended Analysis: Rail-by-rail compliance picture 1) MiFinity → “3-102-945295 SRL” (payee shown) The MiFinity overlay in your screenshot shows “Deposit to 3-102-945295 SRL” (EUR 50). This strongly suggests the player is not depositing to a transparently identified EU/UK-licensed gambling operator but to an intermediary/agent entity. This number-based Costa Rica-based entity is associated with the Tobique Gaming Commission (TGC) ecosystem. The TGC positions itself as a gaming regulator supporting Tobique First Nation economic development. Compliance angle: Regardless of any offshore licensing narrative, this does not equate to a national gambling licence for the European Union or the United Kingdom — and the MiFinity UI provides no obvious “who is the gambling operator” disclosure at the moment of payment. 2) “Bank Transfer” → DAXCHAIN + Tink (open-banking initiation) Your screenshot shows the intermediate step: “DAXCHAIN OU uses Tink to make your payment.”This is a classic PIS/open-banking handoff: the player believes they are performing a bank transfer deposit confirming an amount; the rail actually routes to a crypto gateway that can complete a fiat-to-crypto conversion downstream. Why this matters: open-banking payments are often treated as “safer” and “more bank-like” by consumers, but in this pattern they become collection rails for high-risk merchant categories (offshore gambling), with crypto used as the settlement path. 3) “Revolut” → Bitcan/ARI10 gatewaycpay flow (explicit USDC conversion) This is the cleanest “fake FIAT” evidence in the set. The gateway page discloses: deposit amount (EUR 20), fee, conversion to USDC, transfer to a first wallet, then to a recipient wallet, and “irreversible transfer” language — while the UI still reads like a payment method choice. FinTelegram has already documented this Bitcan/ARI10 stack (same gateway family) in other offshore casino contexts. 4) Skrill/Neteller/Rapid → ChainValley exchange order (replacement for utPay) The ChainValley screenshot shows an exchange order (EUR 100) and a restriction banner — consistent with an on-ramp workflow rather than a pure wallet-to-merchant “casino deposit.” ChainValley’s own disclosures identify Chain Valley Sp. z o.o. and provide governance/AML language (including the ability to suspend/freeze transactions). Additionally, ChainValley’s KYC policy indicates one-off transactions up to EUR 1,000 can be processed without establishing a “formal business relationship” (per their wording). Key compliance read: If a casino cashier button quietly triggers a crypto purchase, then an onward transfer to an operator wallet, the “Skrill/Neteller/Rapid” labels risk becoming misdirection for: consumer understanding, bank AML monitoring, and regulator enforcement narratives (“we only take X method”). Summary Table: PayFacs / On-Ramp Operators and Roles (SpinFin cashier) PayFac / On-RampLegal entity & jurisdictionWhat the user seesWhat the rail appears to doEvidence gradeMiFinityPayee shown as “3-102-945295 SRL” (claimed offshore operator/agent; jurisdictional context points to Costa Rica in your review)“MiFinity” depositDeposit routed to a third-party SRL entity (operator/agent carousel pattern)Confirmed (screenshot)DAXCHAINDAXCHAIN OÜ (Estonia)“Bank Transfer”Open-banking initiation via Tink (Visa group), consistent with fiat-to-crypto on-rampConfirmed (screenshot) + ownership contextBitcan / ARI10Bitcan sp. z o.o. + ARI10 Sp. z o.o. (Poland)“Revolut”Explicit disclosure of EUR→USDC conversion + wallet settlement chainConfirmed (screenshot) + backgroundChainValleyChain Valley Sp. z o.o. (Poland)“Skrill / Neteller / Rapid”“Exchange order” flow; appears to be crypto purchase first, casino funding second (“fake FIAT”)Confirmed (screenshot) + company disclosuresSofort Uber (as reported in review)Destination cited as ISX Financial EU Plc (Cyprus), EMI regulated by Central Bank of Cyprus“Sofort Uber”Multiple gateway hops → bank account at a Cyprus EMI (collection layer)Indicated (needs screenshot)PaySafeCard (as reported in review)SegoPay / pgway stack (domains provided)“PaySafeCard”Redirect through gateway domains to complete paymentIndicated (needs screenshot) Actionable Insight for regulators, banks, and PSPs SpinFin’s cashier design suggests a standard laundering risk pattern: consumer-facing “payment method branding” + back-end crypto settlement. For compliance teams, the control point is not the casino UI — it’s the on-ramp entity and its bank/PIS providers. Practical next steps: Bank/PSP monitoring: treat “casino deposit” narratives masked as “crypto purchase” as high-risk merchant behaviour, especially where stablecoins are the settlement instrument. Regulatory triage: focus on (a) cross-border offering to EU/UK users, (b) unclear merchant-of-record, and (c) systematic stablecoin routing to operator wallets. Evidence hardening: capture full checkout disclosures (T&Cs, payee identity, wallet destination) for each rail, and preserve session metadata. Call for Information If you have documentation showing (a) the contracting entity behind SpinFin5/SpinFin, (b) merchant-of-record disclosures, (c) wallet destination reuse across other casinos, or (d) bank/EMI accounts linked to these rails, please share it securely via Whistle42.com. Screenshots, email confirmations, and bank descriptors are particularly valuable. Share Information via Whistle42

U.S. prosecutors in New York City have filed a superseding indictment charging Kalder founder Gökçe Güven with securities fraud, wire fraud, visa fraud, and aggravated identity theft. Authorities allege she raised roughly $7 million using inflated revenue and partner claims—then reused the same narrative (and forged “support” letters) to obtain a U.S. O-1A visa. Key Facts Charged by U.S. Attorney’s Office for the Southern District of New York (SDNY) with securities fraud, wire fraud, visa fraud, and aggravated identity theft in a superseding indictment. Prosecutors allege ~$7M was raised from “seed round” investors via material misrepresentations about revenue, brand partners, and paying customers. The indictment describes two sets of books: accurate financials prepared by an outside accounting firm and a second, inflated set shared with investors. Visa angle: after a student visa expired, authorities allege Güven sought an O-1A and submitted letters purportedly from executives that were allegedly digitally signed by her without consent, triggering the identity-theft count. Maximum exposure cited by prosecutors: 20 years (securities fraud), 20 years (wire fraud), 10 years (visa fraud), plus a mandatory consecutive 2 years (aggravated identity theft). Short Analysis Kalder sits in a fintech-adjacent sweet spot: rewards, affiliate monetization, and card-linked/embedded offers—an area where “traction” can be marketed with ambiguous language (pilots vs. paying customers; “live freemium” vs. no agreement at all). Prosecutors allege that ambiguity was weaponized: the pitch deck reportedly claimed dozens of brands were “using Kalder” and revenue had climbed to an ARR figure around $1.2M—claims the government says were false or misleading. The cyber-enabled element isn’t ransomware or mixers—it’s document fraud at scale: versioned metrics, parallel ledgers, and allegedly forged digital signatures used to create “proof” for investors and immigration authorities. This is the same playbook pattern regulators and prosecutors increasingly target across startup fraud cases: synthetic credibility (logos/partners + growth charts + third-party “support”) used as a substitute for verifiable commercial reality. Finally, the “Under 30 halo” problem: the indictment itself notes she was named to the Forbes “30 Under 30” list after touting Kalder to the magazine—illustrating how media validation can become an accelerant in fundraising narratives. That doesn’t make lists “bad,” but it does underline a due-diligence reality: awards are not controls. Call for Information Are you a current/former employee, investor, vendor, brand partner, or due-diligence provider connected to Kalder—or have documentation showing how customer/ARR claims were presented in fundraising? Share verifiable materials securely via Whistle42.com (confidential source handling available). Share Information via Whistle42

The notorious Galaktika N.V. network, operating through its Slotoro and Boomerang-Bet brands, has been caught utilizing sophisticated “cloaking” techniques and fraudulent portals to infiltrate the mobile ecosystems of Apple and Google. While Slotoro masquerades as a harmless puzzle game named “Lines and Knots: Puzzle World” on the App Store, both brands employ deceptive “Google Play” badges to funnel users through “Ghost” domains to download unverified, high-risk malware designed to harvest sensitive KYC data for identity theft. The Analysis: Harvesting KYC Data & Identity Theft The App Store Infiltration Strategy Open‑source information indicates that Slotoro (https://slotoro.bet) is operated by Wiraon B.V. under a Curaçao license and promoted via the V.Partners affiliate network, which also markets several Galaktika N.V. casinos. Investigative sources and insider information suggests that Slotoro shares backend infrastructure and payment channels with Galaktika‑branded casinos. The distribution model of Slotoro (linked to Galaktika N.V.) represents a masterclass in regulatory evasion. Our analysis of the links provided reveals a two-pronged attack on mobile ecosystems: 1. The Apple App Store “Shell” App Slotoro has successfully bypassed Apple’s rigorous review process by submitting a “shell app.” The Disguise: On the official Apple App Store, the app is listed as “Lines and Knots: Puzzle World” (ID: 6738087359), developed by an entity called KATO Oy. The Bait-and-Switch: While the App Store description promises a “fantastic way to solve puzzles,” the actual application—once installed and connected to the operator’s servers—transforms into the Slotoro casino interface. This is achieved through “cloaking” or “code-switching,” where the app displays a different UI based on the user’s IP address or a server-side trigger. Compliance Violation: This is a direct violation of Apple’s Guideline 5.3 (Gambling), which requires valid licensing for all jurisdictions and strictly prohibits deceptive app behavior. 2. The Android “Ghost” Pipeline For Android, Slotoro avoids the Google Play Store entirely, likely due to previous bans. The Domain: Users are directed to https://fisodao2.com/ to download a raw .apk file. The Risk: Direct APK downloads are a primary vector for the “Identity Theft Cycle” previously reported. By bypassing the Play Store’s “Play Protect,” the operator can embed the malicious code that players have identified as the source of his compromised KYC data and bank details. The Boomerang-Bet Fraudulent App Distribution The Deceptive Badge: Screenshots from the Boomerang-Bet interface show a prominent “GET IT ON Google Play” badge. This is a psychological “trust anchor” designed to make users believe they are downloading a verified, secure app from the official Google store. The Redirection to Unverified APKs: Instead of linking to the official Google Play Store, these badges lead to unauthorized domains such as https://boomerang-bet-android.com/. On these sites, users are prompted to download a raw .apk file (e.g., Boomerang-Bet.apk). Bypassing Security: By forcing users to download an APK directly, the operator bypasses “Google Play Protect” and other standard mobile security filters. This is the exact mechanism used to install the malicious code that harvests the KYC data (passports) and banking details reported by the victim. Operational Overlap: The documents show that both brands share this specific technical infrastructure. For example, Slotoro uses the domain slotoro36.bet for its APK downloads, while Boomerang-Bet uses boomerang-bet-android.com or boomerang-bet0101.com. Conclusion: A Unified Fraud Scheme The use of the domain https://boomerang-bet-android.com/ is not a legitimate service but a malicious distribution node. This confirms that the fraudulent app strategy is a core operational pillar for the entire Galaktika N.V. / Wiraon B.V. network. Both Slotoro and Boomerang-Bet function as “trapdoors” where the promise of a mobile gaming experience is used to facilitate high-level identity theft and transaction laundering. Connecting the Dots: Galaktika N.V. and Cyperion While Slotoro and Boomerang-Bet operate under offshore Curaçao licenses (Wiraon B.V./Galaktika N.V.), they utilize the Affilka tracking infrastructure provided by SoftSwiss. This highlights a critical regulatory failure: an MGA-regulated entity (SoftSwiss) providing the technical “backbone” for brands engaged in documented identity theft and unlicensed payment processing. This obfuscated distribution network is the “top of the funnel” for the financial scheme involving Cyperion Solutions Limited, and NGPayments. The Download: Victim installs the “Puzzle” app or the “Ghost” APK. The Deposit: The victim is prompted to deposit via NGPayments, which masks the transaction to various receiving entities. The Fraud: Funds are diverted to unauthorized “Shadow Skrill” accounts while the player is presented with rigged games. The use of KATO Oy as a front developer in the Apple App Store for the Slotoro app confirms that the Galaktika N.V. network is expanding its infrastructure to include proxy developers to protect its primary brands from being de-platformed. We urge Apple’s compliance team to investigate ID 6738087359 and its developer immediately. ased on the detailed examination of the Skrill confirmation emails and bank statements provided, Paygate is indeed a critical technical recipient and routing agent within this financial network. While entities like Cyperion Solutions Limited and Briantie Limited are named as the primary legal beneficiaries in the email headers, the documentation confirms that Paygate functions alongside NGPayments as the underlying technical payment instrument. Financial Architecture of The “Shadow skr*Skrill.com” Scheme The evidence from the player’s Skrill notifications reveals that Paygate serves as a core technical receiver or gateway through which funds are funneled before reaching the offshore casino. Technical Distribution: Paygate appears in the “Payment Instrument” or “Transaction Details” section of the confirmation emails, often interchangeable with NGPayments. Layered Recipients: The transaction flow is designed so that a single deposit of, for example, €20.00 is initiated via a fraudulent app, routed through Paygate, and settled to a merchant account like Novaforge Limited or Briantie Limited, all while being masked as “SKR*Skrill.com” on the user’s bank statement. Fraud Persistence: By naming Paygate as a technical receiver, the operators can distribute payment traffic across multiple “shadow” accounts. This explains why the victim receives official Skrill emails mentioning these entities, yet their own Skrill account remains empty—the funds were never intended for the victim’s account but were instead processed through a third-party merchant account managed by Paygate. Given that key beneficiaries are registered as consulting companies rather than licensed payment agents or gambling operators, and that merchant coding/branding concealed the link to offshore casinos (Slotoro, Boomerang‑Bet, beef.casino), the pattern is consistent with transaction‑laundering and misuse of e‑money infrastructure to disguise high‑risk gambling and possible identity‑theft activity Overview Table: Payment Entities & Roles Entity / InstrumentDocumentation SourceRole in the SchemePaygateSkrill Confirmation Emails Technical Receiver/Gateway: Operates as the “shadow” routing agent for fund transfers.NGPaymentsBank Statements / Skrill Emails Payment Instrument: The technical rail used to mask illegal gambling deposits.Briantie LimitedBank Statement Primary Merchant Account: Cyprus-based shell receiving high-volume deposits. Operates as a “Payment Agent” but often uses generic business descriptions to bypass bank filters.Cyperion SolutionsTransaction ID Logs PayFac Shell: Registered as “Management consultancy” (SIC 70229).Disguises casino deposits as “IT consultancy” services.Novaforge LimitedSkrill Confirmation Logs Secondary Shell: Active beneficiary when primary accounts are throttled. Export to Sheets This documentation definitively places Paygate at the center of the Galaktika/Wiraon financial engine. It acts as the technical “glue” that allows these diverse shell companies to interface with legitimate payment giants like Skrill without triggering immediate fraud alerts. Warning for Victims If you receive a Skrill confirmation email but cannot find the transaction in your official app history, your data has been used to create a ‘Shadow Account.’ Do not contact the casino support—contact your bank and law enforcement immediately. The victim reporting this case had to replace his National ID card and reset all banking credentials. Whistleblower Call to Action: Do you have information about KATO Oy or the developers behind the Slotoro/Galaktika app shells? Are you an app store reviewer who has seen similar cloaking patterns? Contact us via Whistle42. Share Information via Whistle42

A massive escalation in the Galaktika N.V. fraud case reveals that stolen KYC data is being used to create “Shadow Skrill” accounts. Victims are lured via fake Google Play Store interfaces into downloading malicious APKs, while their identities are laundered through a web of shell companies including Cyperion Solutions and Novaforge. Read our initial report on Cyperion and NGPayments here. Analysis: The “Double-Sided” Fraud Architecture The latest evidence provided by a player exposes a level of sophistication that moves beyond simple unlicensed gambling into organized cybercrime. The “Galaktika Scheme” now shows a clear two-stage lifecycle: Data Harvesting and Financial Hijacking. According to the website Slotoro.bet is owned and operated by Wiraon B.V., Curaçao, while payments are managed by Briantie Limited. 1. The “Fake Play Store” Malware Trap The investigation confirms that brands like Boomerang-Bet and Slotoro are using fraudulent “Get it on Google Play” badges. Instead of the secure Play Store, users are redirected to download a raw .apk file. The Malware: These files are designed to bypass device security to harvest SMS codes (for 2FA) and personal files. The Verification Scam: The “mandatory verification” is a front for identity theft. Once the victim uploads their passport, the data is immediately sold or reused within the network. 2. The “Shadow Skrill” Phenomenon The most alarming discovery is the discrepancy between the player’s bank statements and their official Skrill history. The Mechanism: The victim receives “official” Skrill confirmation emails, but their app history shows “Data not found.” The Interpretation: This confirms that the operators are using the victim’s card details on a third-party Skrill account (a “mule” account). By using a different account, they ensure the victim cannot easily charge back the transaction through the Skrill interface, while still using Skrill’s “clean” branding to pacify the victim’s bank. 3. Definitive Proof of Identity Laundering The support logs from beef.casino provide a “smoking gun.” Seeing a personal billing account linked to suspicious addresses like jony35@inbox.lv and ieva.gustina07@gmail.com proves that the Galaktika N.V. ecosystem operates a shared database of stolen identities. These identities are likely used to: Bypass “one account per person” rules for bonus abuse. Layer transactions to hide the volume of money flowing to offshore entities. Learn more about the Briantie Group here. The Shadow Skrill Accounts Explained Based on the documentation provided by the player, the existence of “Shadow Skrill” accounts (unauthorized Skrill accounts created using stolen identities to process third-party cards) has moved beyond a working hypothesis and is a documented fact in this specific case. The certainty of this claim is supported by three primary pieces of evidence found in the player’s files: The Transaction Discrepancy: The player provided official transaction confirmation emails from no-reply@email.skrill.com for payments totaling hundreds of euros to entities like Cyperion Solutions Limited and Briantie Limited. However, the player’s official Skrill app and web history show “Data not found” or no record of these transactions. This confirms that while the player’s card was charged via Skrill’s infrastructure, it was not processed through their personal Skrill account. Direct Proof of Identity Hijacking: Evidence from the support area of beef.casino (an associated brand) shows the player’s internal billing profile linked to multiple unauthorized third-party email addresses, such as jony35@inbox.lv, ieva.gustina07@gmail.com, and kaltinieks@inbox.lv. This is definitive proof that their KYC (Know Your Customer) data and payment information are being used by the operator to manage a network of “mule” accounts. The “NGPayments” / “Paygate” Rail: The documentation shows that the payments were routed through technical instruments labeled NGPayments and Paygate. These gateways act as the bridge that allows the fraudulent accounts to interface with regulated processors like Skrill and Paysafe while using misleading descriptors like “SKR*Skrill.com” on bank statements to pacify the victim’s bank. The documentation proves a deliberate bypass of the player’s own Skrill account. By using stolen identity data harvested through malicious APK files (masquerading as Google Play apps), the operators have successfully created a parallel financial structure where they control both the “player” account and the “merchant” entity, leaving the victim with no recourse through standard consumer protection channels. The Payment Rail: Mapping the Shells The transaction flow utilizes a rotating cast of “Payment Agents” to stay ahead of bank blacklists. The current active nodes in this network include: Cyperion Solutions Limited: (UK/Cyprus) The primary conduit for “NGPayments.” Novaforge Limited / Briantie Limited: Secondary shells used when primary accounts are throttled. Paygate: The technical switchboard for these transactions. Conclusion & Regulatory Warning This case proves that Paysafe (Skrill/Rapid Transfer) has a critical vulnerability: their infrastructure is being used to facilitate “unauthorized account” processing. Regulators like the FCA and CySEC must investigate why merchant accounts for “consultancies” like Cyperion Solutions are permitted to process third-party cards without matching the account owner’s identity. Whistleblower Call to Action: Are you a victim of the Galaktika N.V. network? Did you find your identity used on unauthorized emails? Please send your evidence to Whistle42. We are especially looking for internal communications from the “V.Partners” or “Galaktika” affiliate teams. Share Information via Whistle42