Editorial

newsfeed

We have compiled a pre-selection of editorial content for you, provided by media companies, publishers, stock exchange services and financial blogs. Here you can get a quick overview of the topics that are of public interest at the moment.
News from the economy, politics and the financial markets
In this section of our news section we provide you with editorial content from leading publishers.

Latest news

Brussels tests a full crypto blockade on Russia as sanctions evasion goes on-chain

The EU Commission is circulating a proposal to ban all cryptocurrency transactions linked to Russia, arguing that Moscow increasingly uses crypto rails, stablecoins and alternative payment networks to route value outside traditional banking and around sanctions. The initiative is framed as part of the EU’s 20th sanctions package and would require unanimous member-state approval.

Key points

- From “service bans” to “transaction bans”: the EU already restricts crypto-asset wallet/account/custody services for Russian persons/entities under the Russia sanctions regime; the new move aims to sever the entire transaction pipeline, not just specific providers.
- “Heirs problem”: rather than chasing individual exchanges that can rebrand or relocate (e.g., successor structures to Garantex), the concept targets any Russia-linked crypto activity.
- Named rails: the draft reportedly flags the A7 platform and its stablecoin A7A5, and also seeks to prohibit transactions involving the planned digital rouble.
- Anti-circumvention expansion: the package also leans into third-country chokepoints (e.g., measures tied to Kyrgyzstan routes) and adds further banks/actors to listings.

What this means for CASPs, fintechs, and banks

If adopted, compliance programs would need to treat “Russia nexus” crypto flows like a hard sanctions perimeter: tighter customer/counterparty screening, stronger geo/IP controls, enhanced wallet risk scoring, and escalation rules for indirect exposure (beneficial ownership, intermediaries, OTC desks, payment hubs, stablecoin issuers).

Actionable insight

Start mapping your Russia-touchpoints now (customers, counterparties, wallets, liquidity venues, stablecoin rails). If your controls still assume “named entity” sanctions only, you’re already behind the enforcement curve.

Call for Information

Have you seen Russia-linked on/off-ramps, stablecoin corridors, or “shadow PayFac” structures used to bypass EU restrictions? Share evidence via Whistle42 (anonymity respected).

The Payvision Files: Exclusive Revelations on the CEO’s Complicity in Lenhoff and Barak’s Cybercrime Empire

It is one of the largest European cybercrime cases, with dozens of indictments and victim lawsuits. At its center is the Dutch payment facilitator Payvision. Fresh excerpts from criminal files obtained by FinTelegram put Payvision’s then-CEO Rudolf Booker uncomfortably close to the Lenhoff–Barak scam machine. These are not the fingerprints of a “neutral payment processor,” but the voice of an anxious, hands-on gatekeeper—tracking media risk, debating how to contain exposure, and negotiating the survival of a relationship that should have been shut down.

Key Points

- A wiretapped call transcript shows Booker explicitly worrying what a FinTelegram reporter would “write about me now—about Payvision.” Lenhoff’s answer: “Maybe that you’re doing business on the grey market.”
- In parallel Telegram evidence, Lenhoff tells Barak in December 2018: “Rudolf is a pussy… he will become very famous on this page (FinTelegram)… [They will] dig deeper in PV.”
- These excerpts align with years of allegations that Payvision functioned as a critical payment “chokepoint” for the Barak/Lenhoff fraud ecosystem.
- ING acquired a 75% stake in Payvision at a stated valuation of €360m and later announced a wind-down of Payvision’s PSP/acquiring services.
- In April 2024, the Dutch prosecution service Openbaar Ministerie issued penalty orders (fines of €150k and €180k) against two former Payvision directors for long-standing, structural AML/CFT (Wwft) violations.
- The central question remains: if the file excerpts show knowledge and operational entanglement, why is there still no public, courtroom-level accountability for the executive decision-makers?

The Lenhoff–Barak Cybercrime Network

German and Austrian law enforcement investigations established that German national Uwe Lenhoff and Israeli national Gal Barak ran a pan‑European cybercrime network of online trading, binary options, and gambling scams that defrauded tens of thousands of victims out of more than EUR 100 million.

Barak, identified as a principal of the E&G Bulgaria organization, was finally convicted in Vienna in 2020 for investment fraud and money laundering and sentenced to several years in prison, with courts confirming the criminal nature of the schemes operated via numerous online brands. Lenhoff, who had been arrested in January 2019 after extensive investigations and EU‑wide coordination, died in custody in Germany in 2020, with his death reported as sudden and unexplained, leaving many victims and open questions behind.

These criminal cases did not arise in a vacuum. They sat on top of a payment infrastructure that made high‑velocity fraud collection and laundering possible – and here Payvision and its founder and CEO Rudolf Booker enter center stage.

Payvision’s Role and the DNB Findings

Payvision, a Dutch card acquirer and payment processor founded and led by Rudolf Booker, positioned itself in high‑risk segments such as online gambling, forex, and similar verticals – sectors that law enforcement and regulators repeatedly associate with elevated fraud and money‑laundering risks. In 2018, ING acquired a 75% stake in Payvision at a valuation of around €360 million, a transaction that turned Payvision’s high‑risk volume – including the Lenhoff–Barak flows – into a lucrative exit for its founders and managers.

The Dutch central bank (DNB) later issued a devastating supervisory investigation report on Payvision, describing systematic violations of the Dutch Money Laundering and Terrorist Financing Act and serious, long‑running failings in customer due diligence and ongoing monitoring.

DNB’s findings make clear that Payvision continued to onboard and maintain high‑risk, fraud‑prone merchants despite glaring red flags, large volumes of suspicious transactions, and hundreds of internal alerts and suspicious activity indications; the watchdog found that Payvision effectively suspended or ignored its compliance obligations in pursuit of transaction volume. According to DNB‑related reporting, the central bank even filed a criminal complaint in 2021 against Payvision and Rudolf Booker personally, and ING consequently decided to wind down Payvision and surrender its license by mid‑2023.

For the founders, however, the damage was already monetized: ING’s purchase price rewarded years of high‑risk growth, including the revenues generated from the Lenhoff and Barak fraud schemes. Under standard AML and criminal‑law doctrines in Europe, a financial institution (and its responsible managers) that knowingly provides payment rails to fraudulent organizations, in spite of red flags and supervisory warnings, risks liability as an aider and abettor to fraud and as a perpetrator of money‑laundering offenses.

Analysis: A “Laundromat” for Scammers

Newly obtained wiretapped calls and digital communications paint a devastating picture of the relationship between Rudolf Booker, the founder and former CEO of Payvision, and the late Uwe Lenhoff. Far from a standard arm’s-length business relationship, the records show a close personal bond; Lenhoff even referred to Booker as his “friend” and hosted him at his luxury birthday celebrations. The evidence suggests that Booker was not merely a negligent executive but a knowing facilitator of large-scale investment fraud:

- Awareness of Fraud: Booker was fully aware that Lenhoff and Gal Barak (the “Wolf of Sofia”) were operating scam platforms like Option888 and XTraderFX. Despite hundreds of suspicious activity reports (SARs) and high chargeback rates from victims, Booker continued to provide the infrastructure necessary for these organizations to launder over €131 million.
- Active Manipulation: When chargebacks—claims from defrauded victims trying to claw back their money—became too frequent, the “good friend” Booker reportedly suggested using false transaction codes and new legal entities to evade detection by credit card networks.
- Profiting from Crime: Payvision didn’t just process the funds; it exploited the scammers. Booker reportedly imposed a sort of private “penalty” on the schemes of Lenhoff and Barak for chargebacks, effectively “ripping off the rippers” to inflate Payvision’s earnings ahead of its acquisition by ING.

The chats: “Rudolf is a pussy… he will become very famous on this page”

The WhatsApp chat log from 25–26 December 2018 shows traffic between “UL” (Uwe Lenhoff) and “Gal” (Gal Barak). Shortly after a Payvision call informing Barak that his business was being shut down, Lenhoff writes that “one guy from Pay Vision tried to call me” and then delivers the key line: “Rudolf is a pussy and I told him that now he will become very famous on this page, cause when this WB [FinTelegram editor] is seeing that he is right, he will dig deeper in PV.”

This message is explosive for several reasons:

- It shows that Lenhoff understood FinTelegram (“this page”) as a leverage tool against Booker and Payvision, threatening that further reporting would uncover more wrongdoing at the processor (“dig deeper in PV”).
- It indicates that Booker was already “affected” by the reporting and was trying to pull back under pressure, prompting Lenhoff to retaliate by weaponizing his knowledge of Payvision’s conduct.
- It suggests an environment in which scam operators and their payment facilitator CEO were locked in a mutual‑blackmail dynamic, each aware of the other’s exposure; this is inconsistent with any portrayal of Payvision as a misled victim of sophisticated clients.

In other words, the criminals themselves perceived Payvision’s CEO as someone who could be pressured for money or favorable treatment precisely because of the media and regulatory risks around his conduct.

Legal Conclusion: Contributing Perpetrator

The findings of the Dutch Central Bank (DNB) confirm that Payvision’s compliance was systematically suspended or ignored. While two former directors were eventually issued penalty orders, the evidence suggests a more severe legal reality: Rudolf Booker knowingly and willingly supported a global cybercrime organization as a contributing perpetrator. Booker enriched himself personally through the sale to ING—a transaction valued at €360 million based on volumes built largely on the backs of defrauded consumers. While Lenhoff died in prison and Barak was sentenced to years behind bars, Booker has largely escaped the full weight of criminal prosecution.

The ING Connection and Ongoing Lawsuits

ING eventually shuttered Payvision in 2021 after realizing the “dark business” was incompatible with any ethical or regulatory framework. However, the fallout continues. Victims, represented by organizations like EFRI, are still pursuing millions in damages through courts in Austria, Germany, and the Netherlands.

CALL FOR INSIDERS: WE NEED YOUR HELP

The investigation into the “Payvision Laundromat” is far from over. We are looking for additional information regarding:

- Internal communications at Payvision or ING regarding the Lenhoff/Barak accounts.
- Details on the “private penalties” and fees charged to scam operators.
- Knowledge of deliberate compliance overrides directed by the board.

Help us hold those who profited from cybercrime accountable. Submit your information securely via our Whistle42 system. Your anonymity is our priority.


Fugitive Money-Launderer Sentenced to 20 Years in $73M “Cambodia Scam Center” Crypto Fraud

A U.S. federal court has sentenced Daren Li in absentia to 20 years in prison for his role in a $73+ million global cryptocurrency “investment” scam allegedly run from scam centers in Cambodia. Prosecutors say the scheme blended romance/social-engineering with spoofed crypto trading sites—then relied on U.S. shell companies and banking access to convert victims’ wires into crypto rails.

Key Points

- Sentence: 20 years’ imprisonment (statutory maximum) + 3 years’ supervised release, sentenced in absentia.
- Status: Li is a fugitive after allegedly cutting off an ankle monitor and absconding in December 2025.
- Plea: Li pleaded guilty on November 12, 2024 to conspiring to launder proceeds from crypto scams and related fraud.
- Scale: Li admitted the conspiracy caused at least $73.6M in victim funds to be deposited into accounts tied to him and co-conspirators (incl. $59.8M routed via U.S. shell companies).
- Modus operandi: Victims were approached via social media/dating platforms; scammers used encrypted messaging, spoofed “trading” sites, and sometimes fake “tech support” narratives to trigger wires/crypto deposits.

Short Narrative

According to the U.S. Department of Justice, the operation was not “just” an online scam—it was an end-to-end cybercrime supply chain. The front end was social engineering: unsolicited outreach, relationship-building, and carefully staged “investment dashboards” hosted on spoofed domains mimicking legitimate crypto platforms.

The back end was financial infrastructure abuse. Li admitted he helped orchestrate the laundering layer by directing others to open U.S. bank accounts for shell companies, monitoring incoming interstate and international wires, and overseeing conversion of victim funds into virtual currency. In other words: the scam’s profitability depended on converting emotional manipulation into banked money—and then into crypto settlement.

Extended Analysis

1) “Cambodia scam centers” are only half the story. The other half is access to Western finance. The DOJ framing is revealing: the fraud is “carried out from scam centers” in Cambodia, but the laundering hinges on U.S.-based enablers—shell entities, bank onboarding, and payment routing that can absorb large inbound wires without triggering effective interdiction.

2) The case maps cleanly onto the “pig-butchering” typology—then adds a laundering spine. In the earlier charging phase, DOJ explicitly described the schemes as “pig butchering” and alleged a laundering syndicate moving $73M+ through U.S. financial institutions and onward—partly via offshore banking and conversion to Tether (USDT). This matters for compliance teams: when USDT (or other stablecoins) becomes the settlement rail, the scam economy gains speed, finality, and cross-border portability—exactly what traditional AML friction is supposed to prevent.

3) The fugitive problem is a feature, not a bug, for transnational fraud networks. Li’s alleged absconding in December 2025 underscores a recurring operational pattern: once a laundering node is identified, networks shift personnel, wallets, and corporate wrappers faster than mutual legal assistance and extradition timelines can move. Sentencing in absentia delivers deterrence messaging—but it also signals how difficult physical custody can be in globally distributed scam ecosystems.

Call for Information

FinTelegram is tracking the laundering infrastructure behind Cambodia-linked scam centers: shell-company formation, bank onboarding pathways, crypto off-ramps, and stablecoin settlement routes. If you have documents, compliance alerts, bank memos, exchange/KYC records, wallet intelligence, or insider information tied to this network, please submit securely via Whistle42.com (anonymous submissions welcome).


Offshore Casinos – A Deep Dive into the “Fake FIAT” and Polish-Cypriot Payment Architectures!

A follow-up review of SpinFin Casino (operating via SpinFin5.com) reveals a sophisticated evolution in payment routing designed to circumvent EU and UK regulatory oversight. The current infrastructure relies heavily on “Fake FIAT” rails—on-ramping processes where user deposits are instantly converted into cryptocurrencies (primarily USDC) via third-party agents before reaching the operator. Key shifts include the displacement of Lithuanian payment facilitators by Polish entities (e.g., ChainValley, ARI10) in response to the MiCA crackdown, and the persistent use of Cypriot banking (ISX Financial) for anonymous gateway processing.

The Payment Rails: Detailed Breakdown

1. The MiFinity & Costa Rican Connection

Our analysis confirms that EU and UK player deposits via MiFinity are routed to 102-945295 SRL, an entity registered in Costa Rica.

- Regulatory Status: Registered with the Tobique Gaming Commission (TGC).
- Compliance Note: The TGC has no legal standing to authorize gambling operations within the EU or UK. This entity functions as the primary “payment agent” and operator node for the SpinFin carousel.

2. Sofort Uber: The Cypriot Gateway Pipeline

The “Sofort Uber” rail is a shell for four anonymously operated gateways that shield the final recipient.

- Gateways: api.PWay.com, debitly.tech, transactionhandler.com, and sofortuberweisung.com.
- Banking Infrastructure: Funds are ultimately settled at ISX Financial EU PLC (Cyprus) via IBAN CY44 9040 0001 0009 7008 3170 1000.
- Insight: Despite regulatory pressure in Cyprus, ISX Financial continues to serve as a hub for these high-risk offshore flows.

3. Bank Transfer: The “Tink-to-Daxchain” On-Ramper

The “Bank Transfer” option is a classic Fake FIAT rail. While the player sees a standard bank interface, the transaction is an immediate purchase of USDC stablecoins.

- On-Ramper: DAXCHAIN OÜ (Estonia).
- Open Banking Provider: Tink (a VISA subsidiary).
- Mechanism: Tink facilitates the FIAT transfer to Daxchain, which then issues crypto to the casino, effectively laundering the nature of the transaction from the player’s bank statement.

4. Revolut & The Polish ARI10 Axis

For Revolut users, the on-ramping is handled by the Polish group ARI10 (operating via Bitcan / Bitcoin Sp. z o.o.).

- Operational Flow: Funds are sent to a transient wallet (0xf79...) and immediately transferred to the operator’s address (0x97b...).
- Compliance Note: The transaction is explicitly labeled as “irreversible,” a hallmark of crypto-based gambling deposits disguised as consumer payments.

5. The “Polish Shift”: ChainValley Replacing utPay

Since late 2025, Lithuanian crypto providers have faced severe pressure due to MiCA implementation. Consequently, utPay has been replaced by ChainValley (Poland).

- Scope: ChainValley now powers the Skrill / Neteller / Rapid Transfer rails.
- Regulatory Context: Poland’s MiCA “grandfathering” period provides a temporary safe haven for these PayFacs to continue servicing illegal offshore operators.
- Fake FIAT Status: Like the Bank Transfer rail, these e-wallet deposits are now converted into crypto-orders via ChainValley before being credited to the casino.

6. SegoPay & PaySafeCard

The PaySafeCard rail is routed through a series of gateway redirects:

- Path: api.pgway.com → tx.segopay.com → PaySafeCard.
- Provider: SegoPay, a gateway frequently associated with high-risk merchant accounts and offshore gambling.

PayFac & Agent Summary Table

| Payment Rail | Primary PayFac / Agent | Jurisdiction | Role | Compliance Status |
|---|---|---|---|---|
| MiFinity | 102-945295 SRL | Costa Rica | Payment Agent | Unlicensed (TGC only) |
| Sofort Uber | ISX Financial EU PLC | Cyprus | Settlement Bank | EU Regulated / High-Risk |
| Bank Transfer | DAXCHAIN OÜ | Estonia | Crypto On-Ramper | VASP / FIU Regulated |
| Revolut | Bitcan / ARI10 | Poland | Crypto On-Ramper | VASP (KNF Registered) |
| Skrill/Net/Rapid | ChainValley | Poland | Crypto On-Ramper | VASP (Successor to utPay) |
| PaySafeCard | SegoPay / PGWAY | Various | Gateway | High-Risk Aggregator |
| ISX Financial EU PLC | Sofort Uber Rail | Cyprus | Settlement Bank | EMI authorized by the Central Bank of Cyprus |

Strategic Conclusion

The “SpinFin Model” represents the current gold standard for offshore evasion: moving the regulatory friction point from the casino to regulated crypto on-rampers in jurisdictions like Poland and Estonia. By the time a regulator looks at the transaction, it has already been “cleaned” by its conversion into USDC.

Call for Information

If you have documentation showing (a) the contracting entity behind SpinFin5/SpinFin, (b) merchant-of-record disclosures, (c) wallet destination reuse across other casinos, or (d) bank/EMI accounts linked to these rails, please share it securely via Whistle42.com. Screenshots, email confirmations, and bank descriptors are particularly valuable.


Rail Atlas Case: SpinFin Casino and the “Fake FIAT” cashier — how EU/UK bank rails are dissolved into crypto on-ramps

A fresh cashier review of the SpinFin offshore casino (accessed via SpinFin5.com) shows a familiar pattern: “FIAT” deposit labels that actually route players into fiat-to-crypto purchases and onward transfers to operator wallets. Screenshots confirm multiple on-ramping layers — including DAXCHAIN OÜ using Tink, Chain Valley Sp. z o.o. issuing “exchange orders” behind Skrill/Neteller/Rapid, and Bitcan sp. z o.o. converting deposits into USDC while the UI still reads like a bank payment flow.

Key Points (evidence-led)

- Confirmed (screenshots): MiFinity deposits are directed to “3-102-945295 SRL” (shown as payee/recipient in the MiFinity overlay).
- Confirmed (screenshots): “Bank Transfer” routes into DAXCHAIN OÜ with a payment step stating: “DAXCHAIN OU uses Tink to make your payment” (open-banking payment initiation via Tink, now owned by Visa).
- Confirmed (screenshots): “Revolut” deposits open a gateway page that discloses a fiat→USDC conversion and an irreversible transfer to specified wallet addresses; the consent text references Bitcan sp. z o.o.
- Confirmed (screenshots): Skrill/Neteller/Rapid routes into a ChainValley “Exchange order” flow (app.chainvalley.pro) — we captured an exchange order page + a “temporarily restricted” notice with support contact.
- Change vs. Dec 2025 review (internal comparison): utPay is no longer visible in the cashier; ChainValley appears to have replaced the Skrill/Neteller/Rapid rail and is operated as a “fake FIAT” on-ramp (crypto purchase first, operator funding second).
- Macro driver: the replacement of Baltic-linked rails with Polish rails fits the broader MiCA transitional “timing gap” dynamic across EU member states.

Short Narrative

SpinFin’s cashier is not just a list of payment buttons — it’s a routing layer. Players click “Bank Transfer,” “Revolut,” “Skrill,” or “MiFinity,” but the transaction logic quickly shifts into crypto on-ramps (USDC conversion, exchange orders, and wallet settlement). The resulting effect is predictable: regulated bank rails do the collection, while crypto rails do the delivery — often with the casino deposit narrative preserved on the front-end.

The “SpinFin On-Ramping Rails (Fake FIAT)” graphic captures this dissolution well: multiple cashier labels converge into an on-ramping layer (DAXCHAIN / Bitcan-ARI10 / ChainValley), and only then into the branded payment systems (Tink / Revolut / Skrill).

Extended Analysis: Rail-by-rail compliance picture

1) MiFinity → “3-102-945295 SRL” (payee shown)

The MiFinity overlay in the screenshot shows “Deposit to 3-102-945295 SRL” (EUR 50). This strongly suggests the player is not depositing to a transparently identified EU/UK-licensed gambling operator but to an intermediary/agent entity. This number-based Costa Rica-based entity is associated with the Tobique Gaming Commission (TGC) ecosystem. The TGC positions itself as a gaming regulator supporting Tobique First Nation economic development.

Compliance angle: Regardless of any offshore licensing narrative, this does not equate to a national gambling licence for the European Union or the United Kingdom — and the MiFinity UI provides no obvious “who is the gambling operator” disclosure at the moment of payment.

2) “Bank Transfer” → DAXCHAIN + Tink (open-banking initiation)

The screenshot shows the intermediate step: “DAXCHAIN OU uses Tink to make your payment.” This is a classic PIS/open-banking handoff: the player believes they are performing a bank transfer deposit confirming an amount; the rail actually routes to a crypto gateway that can complete a fiat-to-crypto conversion downstream.

Why this matters: open-banking payments are often treated as “safer” and “more bank-like” by consumers, but in this pattern they become collection rails for high-risk merchant categories (offshore gambling), with crypto used as the settlement path.

3) “Revolut” → Bitcan/ARI10 gatewaycpay flow (explicit USDC conversion)

This is the cleanest “fake FIAT” evidence in the set. The gateway page discloses: deposit amount (EUR 20), fee, conversion to USDC, transfer to a first wallet, then to a recipient wallet, and “irreversible transfer” language — while the UI still reads like a payment method choice. FinTelegram has already documented this Bitcan/ARI10 stack (same gateway family) in other offshore casino contexts.

4) Skrill/Neteller/Rapid → ChainValley exchange order (replacement for utPay)

The ChainValley screenshot shows an exchange order (EUR 100) and a restriction banner — consistent with an on-ramp workflow rather than a pure wallet-to-merchant “casino deposit.” ChainValley’s own disclosures identify Chain Valley Sp. z o.o. and provide governance/AML language (including the ability to suspend/freeze transactions). Additionally, ChainValley’s KYC policy indicates one-off transactions up to EUR 1,000 can be processed without establishing a “formal business relationship” (per their wording).

Key compliance read: If a casino cashier button quietly triggers a crypto purchase, then an onward transfer to an operator wallet, the “Skrill/Neteller/Rapid” labels risk becoming misdirection for: consumer understanding, bank AML monitoring, and regulator enforcement narratives (“we only take X method”).

Summary Table: PayFacs / On-Ramp Operators and Roles (SpinFin cashier)

| PayFac / On-Ramp | Legal entity & jurisdiction | What the user sees | What the rail appears to do | Evidence grade |
|---|---|---|---|---|
| MiFinity | Payee shown as “3-102-945295 SRL” (claimed offshore operator/agent; jurisdictional context points to Costa Rica in the review) | “MiFinity” deposit | Deposit routed to a third-party SRL entity (operator/agent carousel pattern) | Confirmed (screenshot) |
| DAXCHAIN | DAXCHAIN OÜ (Estonia) | “Bank Transfer” | Open-banking initiation via Tink (Visa group), consistent with fiat-to-crypto on-ramp | Confirmed (screenshot) + ownership context |
| Bitcan / ARI10 | Bitcan sp. z o.o. + ARI10 Sp. z o.o. (Poland) | “Revolut” | Explicit disclosure of EUR→USDC conversion + wallet settlement chain | Confirmed (screenshot) + background |
| ChainValley | Chain Valley Sp. z o.o. (Poland) | “Skrill / Neteller / Rapid” | “Exchange order” flow; appears to be crypto purchase first, casino funding second (“fake FIAT”) | Confirmed (screenshot) + company disclosures |
| Sofort Uber (as reported in review) | Destination cited as ISX Financial EU Plc (Cyprus), EMI regulated by Central Bank of Cyprus | “Sofort Uber” | Multiple gateway hops → bank account at a Cyprus EMI (collection layer) | Indicated (needs screenshot) |
| PaySafeCard (as reported in review) | SegoPay / pgway stack (domains provided) | “PaySafeCard” | Redirect through gateway domains to complete payment | Indicated (needs screenshot) |

Actionable Insight for regulators, banks, and PSPs

SpinFin’s cashier design suggests a standard laundering risk pattern: consumer-facing “payment method branding” + back-end crypto settlement. For compliance teams, the control point is not the casino UI — it’s the on-ramp entity and its bank/PIS providers.

Practical next steps:

- Bank/PSP monitoring: treat “casino deposit” narratives masked as “crypto purchase” as high-risk merchant behaviour, especially where stablecoins are the settlement instrument.
- Regulatory triage: focus on (a) cross-border offering to EU/UK users, (b) unclear merchant-of-record, and (c) systematic stablecoin routing to operator wallets.
- Evidence hardening: capture full checkout disclosures (T&Cs, payee identity, wallet destination) for each rail, and preserve session metadata.

Call for Information

If you have documentation showing (a) the contracting entity behind SpinFin5/SpinFin, (b) merchant-of-record disclosures, (c) wallet destination reuse across other casinos, or (d) bank/EMI accounts linked to these rails, please share it securely via Whistle42.com. Screenshots, email confirmations, and bank descriptors are particularly valuable.


Kalder founder charged in SDNY: alleged $7M “seed round” fraud plus O-1A “extraordinary ability” visa scheme

U.S. prosecutors in New York City have filed a superseding indictment charging Kalder founder Gökçe Güven with securities fraud, wire fraud, visa fraud, and aggravated identity theft. Authorities allege she raised roughly $7 million using inflated revenue and partner claims—then reused the same narrative (and forged “support” letters) to obtain a U.S. O-1A visa.

Key Facts

- Charged by U.S. Attorney’s Office for the Southern District of New York (SDNY) with securities fraud, wire fraud, visa fraud, and aggravated identity theft in a superseding indictment.
- Prosecutors allege ~$7M was raised from “seed round” investors via material misrepresentations about revenue, brand partners, and paying customers.
- The indictment describes two sets of books: accurate financials prepared by an outside accounting firm and a second, inflated set shared with investors.
- Visa angle: after a student visa expired, authorities allege Güven sought an O-1A and submitted letters purportedly from executives that were allegedly digitally signed by her without consent, triggering the identity-theft count.
- Maximum exposure cited by prosecutors: 20 years (securities fraud), 20 years (wire fraud), 10 years (visa fraud), plus a mandatory consecutive 2 years (aggravated identity theft).

Short Analysis

Kalder sits in a fintech-adjacent sweet spot: rewards, affiliate monetization, and card-linked/embedded offers—an area where “traction” can be marketed with ambiguous language (pilots vs. paying customers; “live freemium” vs. no agreement at all). Prosecutors allege that ambiguity was weaponized: the pitch deck reportedly claimed dozens of brands were “using Kalder” and revenue had climbed to an ARR figure around $1.2M—claims the government says were false or misleading.

The cyber-enabled element isn’t ransomware or mixers—it’s document fraud at scale: versioned metrics, parallel ledgers, and allegedly forged digital signatures used to create “proof” for investors and immigration authorities. This is the same playbook pattern regulators and prosecutors increasingly target across startup fraud cases: synthetic credibility (logos/partners + growth charts + third-party “support”) used as a substitute for verifiable commercial reality.

Finally, the “Under 30 halo” problem: the indictment itself notes she was named to the Forbes “30 Under 30” list after touting Kalder to the magazine—illustrating how media validation can become an accelerant in fundraising narratives. That doesn’t make lists “bad,” but it does underline a due-diligence reality: awards are not controls.

Call for Information

Are you a current/former employee, investor, vendor, brand partner, or due-diligence provider connected to Kalder—or have documentation showing how customer/ARR claims were presented in fundraising? Share verifiable materials securely via Whistle42.com (confidential source handling available).


THE CLOAKED CASINO CLAN: How Slotoro and Boomerang-Bet Work With Fake Apps & Shadow Skrill Accounts!

The notorious Galaktika N.V. network, operating through its Slotoro and Boomerang-Bet brands, has been caught utilizing sophisticated “cloaking” techniques and fraudulent portals to infiltrate the mobile ecosystems of Apple and Google. While Slotoro masquerades as a harmless puzzle game named “Lines and Knots: Puzzle World” on the App Store, both brands employ deceptive “Google Play” badges to funnel users through “Ghost” domains to download unverified, high-risk malware designed to harvest sensitive KYC data for identity theft.

The Analysis: Harvesting KYC Data & Identity Theft

The App Store Infiltration Strategy

Open‑source information indicates that Slotoro (https://slotoro.bet) is operated by Wiraon B.V. under a Curaçao license and promoted via the V.Partners affiliate network, which also markets several Galaktika N.V. casinos. Investigative sources and insider information suggest that Slotoro shares backend infrastructure and payment channels with Galaktika‑branded casinos. The distribution model of Slotoro (linked to Galaktika N.V.) represents a masterclass in regulatory evasion. Our analysis of the links provided reveals a two-pronged attack on mobile ecosystems:

1. The Apple App Store “Shell” App

Slotoro has successfully bypassed Apple’s rigorous review process by submitting a “shell app.”

The Disguise: On the official Apple App Store, the app is listed as “Lines and Knots: Puzzle World” (ID: 6738087359), developed by an entity called KATO Oy.

The Bait-and-Switch: While the App Store description promises a “fantastic way to solve puzzles,” the actual application—once installed and connected to the operator’s servers—transforms into the Slotoro casino interface. This is achieved through “cloaking” or “code-switching,” where the app displays a different UI based on the user’s IP address or a server-side trigger.

Compliance Violation: This is a direct violation of Apple’s Guideline 5.3 (Gambling), which requires valid licensing for all jurisdictions and strictly prohibits deceptive app behavior.

2. The Android “Ghost” Pipeline

For Android, Slotoro avoids the Google Play Store entirely, likely due to previous bans.

The Domain: Users are directed to https://fisodao2.com/ to download a raw .apk file.

The Risk: Direct APK downloads are a primary vector for the “Identity Theft Cycle” previously reported. By bypassing the Play Store’s “Play Protect,” the operator can embed the malicious code that players have identified as the source of his compromised KYC data and bank details.

The Boomerang-Bet Fraudulent App Distribution

The Deceptive Badge: Screenshots from the Boomerang-Bet interface show a prominent “GET IT ON Google Play” badge. This is a psychological “trust anchor” designed to make users believe they are downloading a verified, secure app from the official Google store.

The Redirection to Unverified APKs: Instead of linking to the official Google Play Store, these badges lead to unauthorized domains such as https://boomerang-bet-android.com/. On these sites, users are prompted to download a raw .apk file (e.g., Boomerang-Bet.apk).

Bypassing Security: By forcing users to download an APK directly, the operator bypasses “Google Play Protect” and other standard mobile security filters. This is the exact mechanism used to install the malicious code that harvests the KYC data (passports) and banking details reported by the victim.

Operational Overlap: The documents show that both brands share this specific technical infrastructure. For example, Slotoro uses the domain slotoro36.bet for its APK downloads, while Boomerang-Bet uses boomerang-bet-android.com or boomerang-bet0101.com.

Conclusion: A Unified Fraud Scheme

The domain https://boomerang-bet-android.com/ is not a legitimate service but a malicious distribution node. This confirms that the fraudulent app strategy is a core operational pillar for the entire Galaktika N.V. / Wiraon B.V. network. Both Slotoro and Boomerang-Bet function as “trapdoors” where the promise of a mobile gaming experience is used to facilitate high-level identity theft and transaction laundering.

Connecting the Dots: Galaktika N.V. and Cyperion

While Slotoro and Boomerang-Bet operate under offshore Curaçao licenses (Wiraon B.V./Galaktika N.V.), they utilize the Affilka tracking infrastructure provided by SoftSwiss. This highlights a critical regulatory failure: an MGA-regulated entity (SoftSwiss) providing the technical “backbone” for brands engaged in documented identity theft and unlicensed payment processing. This obfuscated distribution network is the “top of the funnel” for the financial scheme involving Cyperion Solutions Limited and NGPayments.

The Download: Victim installs the “Puzzle” app or the “Ghost” APK.

The Deposit: The victim is prompted to deposit via NGPayments, which masks the transaction to various receiving entities.

The Fraud: Funds are diverted to unauthorized “Shadow Skrill” accounts while the player is presented with rigged games.

The use of KATO Oy as a front developer in the Apple App Store for the Slotoro app confirms that the Galaktika N.V. network is expanding its infrastructure to include proxy developers to protect its primary brands from being de-platformed. We urge Apple’s compliance team to investigate ID 6738087359 and its developer immediately.

Based on the detailed examination of the Skrill confirmation emails and bank statements provided, Paygate is indeed a critical technical recipient and routing agent within this financial network. While entities like Cyperion Solutions Limited and Briantie Limited are named as the primary legal beneficiaries in the email headers, the documentation confirms that Paygate functions alongside NGPayments as the underlying technical payment instrument.

Financial Architecture of The “Shadow SKR*Skrill.com” Scheme

The evidence from the player’s Skrill notifications reveals that Paygate serves as a core technical receiver or gateway through which funds are funneled before reaching the offshore casino.

Technical Distribution: Paygate appears in the “Payment Instrument” or “Transaction Details” section of the confirmation emails, often interchangeable with NGPayments.

Layered Recipients: The transaction flow is designed so that a single deposit of, for example, €20.00 is initiated via a fraudulent app, routed through Paygate, and settled to a merchant account like Novaforge Limited or Briantie Limited, all while being masked as “SKR*Skrill.com” on the user’s bank statement.

Fraud Persistence: By naming Paygate as a technical receiver, the operators can distribute payment traffic across multiple “shadow” accounts. This explains why the victim receives official Skrill emails mentioning these entities, yet their own Skrill account remains empty—the funds were never intended for the victim’s account but were instead processed through a third-party merchant account managed by Paygate.

Given that key beneficiaries are registered as consulting companies rather than licensed payment agents or gambling operators, and that merchant coding/branding concealed the link to offshore casinos (Slotoro, Boomerang‑Bet, beef.casino), the pattern is consistent with transaction‑laundering and misuse of e‑money infrastructure to disguise high‑risk gambling and possible identity‑theft activity.

Overview Table: Payment Entities & Roles

| Entity / Instrument | Documentation Source | Role in the Scheme |
| --- | --- | --- |
| Paygate | Skrill Confirmation Emails | Technical Receiver/Gateway: Operates as the “shadow” routing agent for fund transfers. |
| NGPayments | Bank Statements / Skrill Emails | Payment Instrument: The technical rail used to mask illegal gambling deposits. |
| Briantie Limited | Bank Statement | Primary Merchant Account: Cyprus-based shell receiving high-volume deposits. Operates as a “Payment Agent” but often uses generic business descriptions to bypass bank filters. |
| Cyperion Solutions | Transaction ID Logs | PayFac Shell: Registered as “Management consultancy” (SIC 70229). Disguises casino deposits as “IT consultancy” services. |
| Novaforge Limited | Skrill Confirmation Logs | Secondary Shell: Active beneficiary when primary accounts are throttled. |

This documentation definitively places Paygate at the center of the Galaktika/Wiraon financial engine. It acts as the technical “glue” that allows these diverse shell companies to interface with legitimate payment giants like Skrill without triggering immediate fraud alerts.

Warning for Victims

If you receive a Skrill confirmation email but cannot find the transaction in your official app history, your data has been used to create a ‘Shadow Account.’ Do not contact the casino support—contact your bank and law enforcement immediately. The victim reporting this case had to replace his National ID card and reset all banking credentials.

Whistleblower Call to Action: Do you have information about KATO Oy or the developers behind the Slotoro/Galaktika app shells? Are you an app store reviewer who has seen similar cloaking patterns? Contact us via Whistle42.
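An added example, not part of the original report: one way a reviewer or crawler could check for the deceptive-badge pattern described above, by confirming that every link presented as a Google Play badge resolves to play.google.com and is not a direct .apk download. The sample HTML, the example.test hosts, the reason labels and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: only these destinations count as the official store.
OFFICIAL_STORE_HOSTS = {"play.google.com"}
STORE_SCHEMES = {"market"}  # Android store deep links (market://details?id=...)
BADGE_HINTS = ("google play", "google-play", "googleplay", "google_play")


def classify(url):
    """Return the absolute URL, its real host, and the reasons it is suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname drops any user@ prefix
    reasons = []
    if parts.scheme in STORE_SCHEMES:
        return {"url": url, "host": host, "reasons": reasons}
    if parts.scheme != "https":
        reasons.append("not-https")
    # Exact match only, so play.google.com.example.test does not pass.
    if host not in OFFICIAL_STORE_HOSTS:
        reasons.append("badge-points-off-store")
    if parts.path.lower().endswith(".apk"):
        reasons.append("direct-apk-download")
    return {"url": url, "host": host, "reasons": reasons}


class BadgeLinkAuditor(HTMLParser):
    """Collect every <a> that presents itself as a Google Play badge."""

    def __init__(self, base_url):
        super().__init__(convert_charrefs=True)
        self.base_url = base_url
        self.findings = []
        self._open = None  # state of the <a> currently being parsed

    @staticmethod
    def _hints_at_badge(text):
        text = (text or "").lower()
        return any(hint in text for hint in BADGE_HINTS)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open = {"href": attrs.get("href") or "", "badge": False, "text": []}
            # The badge claim can sit on the anchor itself.
            for key in ("aria-label", "title", "class"):
                if self._hints_at_badge(attrs.get(key)):
                    self._open["badge"] = True
        elif tag == "img" and self._open is not None:
            # Or on the badge image inside the anchor.
            if self._hints_at_badge(attrs.get("alt")) or self._hints_at_badge(attrs.get("src")):
                self._open["badge"] = True

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"].append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._open is None:
            return
        link, self._open = self._open, None
        if link["badge"] or self._hints_at_badge(" ".join(link["text"])):
            # Resolve relative links against the page before judging the host.
            self.findings.append(classify(urljoin(self.base_url, link["href"])))


def audit_badges(html, base_url):
    """Return one finding per badge-styled link found in the page."""
    auditor = BadgeLinkAuditor(base_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def suspicious(findings):
    """Keep only the badge links that do not lead to the official store."""
    return [f for f in findings if f["reasons"]]


# Constructed sample page: one genuine badge, three deceptive ones, one plain link.
BASE_URL = "https://casino.example.test/mobile"
SAMPLE_HTML = """
<a href="https://play.google.com/store/apps/details?id=com.example.puzzle">
  <img src="/img/google-play-badge.png" alt="Get it on Google Play"></a>
<a href="https://downloads.example.test/">
  <img src="/img/badge.png" alt="GET IT ON Google Play"></a>
<a class="btn google-play" href="/files/casino.apk">Download for Android</a>
<a href="https://play.google.com@mirror.example.test/app">Get it on Google Play</a>
<a href="/terms">Terms</a>
"""

if __name__ == "__main__":
    for finding in suspicious(audit_badges(SAMPLE_HTML, BASE_URL)):
        print(finding["url"], "->", ", ".join(finding["reasons"]))
```

The check is static: it inspects the link a page serves and does not follow server-side redirects, so a badge that passes here can still be redirected later by the operator.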


SHADOW ACCOUNTS & FAKE PLAY STORES: The Deadly Identity Theft Cycle of Galaktika N.V. Uncovered

A massive escalation in the Galaktika N.V. fraud case reveals that stolen KYC data is being used to create “Shadow Skrill” accounts. Victims are lured via fake Google Play Store interfaces into downloading malicious APKs, while their identities are laundered through a web of shell companies including Cyperion Solutions and Novaforge. Read our initial report on Cyperion and NGPayments here.

Analysis: The “Double-Sided” Fraud Architecture

The latest evidence provided by a player exposes a level of sophistication that moves beyond simple unlicensed gambling into organized cybercrime. The “Galaktika Scheme” now shows a clear two-stage lifecycle: Data Harvesting and Financial Hijacking. According to the website, Slotoro.bet is owned and operated by Wiraon B.V., Curaçao, while payments are managed by Briantie Limited.

1. The “Fake Play Store” Malware Trap

The investigation confirms that brands like Boomerang-Bet and Slotoro are using fraudulent “Get it on Google Play” badges. Instead of the secure Play Store, users are redirected to download a raw .apk file.

The Malware: These files are designed to bypass device security to harvest SMS codes (for 2FA) and personal files.

The Verification Scam: The “mandatory verification” is a front for identity theft. Once the victim uploads their passport, the data is immediately sold or reused within the network.

2. The “Shadow Skrill” Phenomenon

The most alarming discovery is the discrepancy between the player’s bank statements and their official Skrill history.

The Mechanism: The victim receives “official” Skrill confirmation emails, but their app history shows “Data not found.”

The Interpretation: This confirms that the operators are using the victim’s card details on a third-party Skrill account (a “mule” account). By using a different account, they ensure the victim cannot easily charge back the transaction through the Skrill interface, while still using Skrill’s “clean” branding to pacify the victim’s bank.

3. Definitive Proof of Identity Laundering

The support logs from beef.casino provide a “smoking gun.” Seeing a personal billing account linked to suspicious addresses like jony35@inbox.lv and ieva.gustina07@gmail.com proves that the Galaktika N.V. ecosystem operates a shared database of stolen identities. These identities are likely used to:

Bypass “one account per person” rules for bonus abuse.

Layer transactions to hide the volume of money flowing to offshore entities.

Learn more about the Briantie Group here.

The Shadow Skrill Accounts Explained

Based on the documentation provided by the player, the existence of “Shadow Skrill” accounts (unauthorized Skrill accounts created using stolen identities to process third-party cards) has moved beyond a working hypothesis and is a documented fact in this specific case. The certainty of this claim is supported by three primary pieces of evidence found in the player’s files:

The Transaction Discrepancy: The player provided official transaction confirmation emails from no-reply@email.skrill.com for payments totaling hundreds of euros to entities like Cyperion Solutions Limited and Briantie Limited. However, the player’s official Skrill app and web history show “Data not found” or no record of these transactions. This confirms that while the player’s card was charged via Skrill’s infrastructure, it was not processed through their personal Skrill account.

Direct Proof of Identity Hijacking: Evidence from the support area of beef.casino (an associated brand) shows the player’s internal billing profile linked to multiple unauthorized third-party email addresses, such as jony35@inbox.lv, ieva.gustina07@gmail.com, and kaltinieks@inbox.lv. This is definitive proof that their KYC (Know Your Customer) data and payment information are being used by the operator to manage a network of “mule” accounts.

The “NGPayments” / “Paygate” Rail: The documentation shows that the payments were routed through technical instruments labeled NGPayments and Paygate. These gateways act as the bridge that allows the fraudulent accounts to interface with regulated processors like Skrill and Paysafe while using misleading descriptors like “SKR*Skrill.com” on bank statements to pacify the victim’s bank.

The documentation proves a deliberate bypass of the player’s own Skrill account. By using stolen identity data harvested through malicious APK files (masquerading as Google Play apps), the operators have successfully created a parallel financial structure where they control both the “player” account and the “merchant” entity, leaving the victim with no recourse through standard consumer protection channels.

The Payment Rail: Mapping the Shells

The transaction flow utilizes a rotating cast of “Payment Agents” to stay ahead of bank blacklists. The current active nodes in this network include:

Cyperion Solutions Limited: (UK/Cyprus) The primary conduit for “NGPayments.”

Novaforge Limited / Briantie Limited: Secondary shells used when primary accounts are throttled.

Paygate: The technical switchboard for these transactions.

Conclusion & Regulatory Warning

This case proves that Paysafe (Skrill/Rapid Transfer) has a critical vulnerability: their infrastructure is being used to facilitate “unauthorized account” processing. Regulators like the FCA and CySEC must investigate why merchant accounts for “consultancies” like Cyperion Solutions are permitted to process third-party cards without matching the account owner’s identity.

Whistleblower Call to Action: Are you a victim of the Galaktika N.V. network? Did you find your identity used on unauthorized emails? Please send your evidence to Whistle42. We are especially looking for internal communications from the “V.Partners” or “Galaktika” affiliate teams.


SHADOW GATEWAYS EXPOSED: NGPayments and Cyperion Solutions Unmasked as the Financial Engine for Galaktika N.V.

A leaked transaction receipt from a victim of the Galaktika N.V. casino scheme reveals the use of “NGPayments.” This technical layer acts as a cloaking device, allowing high-risk offshore casinos to exploit the Skrill and Rapid Transfer networks while masking the true destination of funds through UK and Cyprus-based shell companies.

Key Facts

Cyperion Solutions Limited (Cyprus, reg. no. HE 460916) acts as a merchant/payee for online casino deposits routed via Skrill/Rapid Transfer.

Payments are processed over the NGPAYments infrastructure, which provides a white‑label cross‑border payment platform.

At least one victim reports misuse of KYC and payment data across multiple casino accounts and has allegedly filed complaints with law enforcement, the bank, and payment providers.

While there are no shared directors between the two entities, compelling evidence suggests they function as coordinated components of the same financial infrastructure used to facilitate unlicensed gambling transactions.

The Corporate Shell Game: Cyperion Solutions Limited

Our research into Cyperion Solutions Limited reveals a classic “split-jurisdiction” strategy designed to confuse regulators and banks:

The UK Entity (Cyperion Solutions Ltd): Incorporated on June 2, 2025 (Company No. 16488847), with a registered office in Northwich, England. It is registered under SIC code 70229 (“Management consultancy activities other than financial management”). This misclassification is a hallmark of transaction laundering—claiming to provide “consultancy” while actually processing millions in high-risk gambling funds.

The Cyprus Entity (Cyperion Solutions Limited): (Reg. HE 460916) Incorporated in June 2024. This entity is often used to hold merchant accounts with European banks, providing the “legitimacy” needed to access the SEPA and Rapid Transfer networks.

Factual Overlap of the Cyperion Entities

| Feature | Cyperion Solutions Ltd (UK) | Cyperion Solutions Limited (Cyprus) |
| --- | --- | --- |
| Company Number | 16488847 | HE 460916 |
| Incorporation | June 2, 2025 | June 4, 2024 |
| Key Personnel | Peter Joseph Hobson, Craig Robert Thomas | Kyriakos Mavrommatis |
| Registered Activity | Management consultancy (SIC 70229) | Private Limited Company |

Evidence of Operational Connection

Identical Branding and Timeline: Both companies use the same name and were established within exactly one year of each other. This is a standard pattern in creating a “multi-layered” corporate structure to obscure the final destination of funds.

The “PayFac” Model: Investigative evidence shows “Cyperion Solutions Limited” appearing as a beneficiary for payments to illegal gambling brands like Boomerang-Bet and Slotoro. The Cyprus entity typically holds the merchant account with European banks, while the UK entity provides a “legitimate” consultancy front to bypass automated compliance triggers at major processors like Skrill.

Transaction Laundering Evidence: A player-provided bank statement explicitly links Cyperion Solutions Limited to a payment instrument where the bank statement entry appears as “SKR*Skrill.com” despite the funds being routed to Cyperion. This proves that one or both of these entities are being used to mask the true nature of high-risk gambling deposits.

Geographic Arbitrage: Using British directors for the UK shell and a Cypriot director for the Cyprus arm is a tactical move to prevent immediate linking through simple database searches. This “distance” allows the network to keep one entity active if the other is flagged or “burned” by regulators.

In summary: While they are legally distinct, their identical names, proximate incorporation dates, and shared role in the Galaktika N.V. payment rail strongly indicate they are sister shells in a professional money laundering operation.

Technical Analysis: Decoding “NGPayments”

In the context of the player’s report, NGPayments is not a consumer-facing bank but a technical payment gateway or aggregator. It serves as the “middleman” software that connects the illegal casino’s checkout page to regulated payment processors like Skrill.

The Masking Layer: The receipt shows a payment of 20.00 EUR to Cyperion Solutions Limited, yet the statement note explicitly warns that it will appear as SKR*Skrill.com. This is a definitive indicator of Transaction Laundering (TL).

The NGPayments Role: NGPayments likely operates as a “White Label” payment gateway. It allows the operator to swap merchant accounts (like Cyperion Solutions, Novaforge, or Briantie) instantly if one is flagged or “burned” by bank compliance teams.

Bypassing KYC/AML: By using the NGPayments instrument, the Galaktika network can present a “clean” transaction to Skrill, making it appear as a standard e-commerce payment rather than a high-risk deposit into an unlicensed casino.

The Cyperion Connection: A Professional Analysis

The evidence suggests that Cyperion Solutions Limited acts as a specialized Payment Facilitator (PayFac) for the Galaktika N.V. brands (Boomerang-Bet, Slotoro).

Identity Hijacking: The player’s report that their KYC data was reused across multiple unauthorized emails (e.g., jony35@inbox.lv) suggests that entities like Cyperion are not just processing money, but may be part of a broader “Mule” network.

Regulatory Arbitrage: By utilizing NGPayments to route through a UK/Cyprus-registered entity (Cyperion), the operators exploit the trust associated with European jurisdictions to process funds from victims in Latvia and beyond.

Conclusion for FinTelegram

This receipt is the “smoking gun” for regulators. It proves that Skrill and Paysafe (Rapid Transfer) are being systematically bypassed by the NGPayments/Cyperion nexus. The technical manipulation reported by the victim—including rigged slots and malicious APKs—is funded entirely through this specific payment rail.

Whistleblower Call to Action: Are you an employee of a payment gateway or bank who has flagged NGPayments or Cyperion Solutions Limited? We need to know which acquiring banks are providing the merchant IDs (MIDs) for these transactions. Contact us via Whistle42.


RevDuck’s “Jewels Scam”: How Lyntec on Great Portland Street Powers an Affilka-Backed Illegal Casino Network

A coordinated “Jewels” operation involving Ukrainian nationals, London-based shell companies, and the SoftSwiss-powered RevDuck network has been unmasked. New evidence reveals how Lyntec Limited acts as a financial front for illegal fiat deposits, masking gambling transactions as “IT consultancy” services.

The intelligence trail connects the HolyLuck / TrueLuck / Booms.bet casino cluster to a tightly controlled offshore operation fronted from London’s Great Portland Street – and wired into the SoftSwiss/Affilka infrastructure FinTelegram has already exposed. What looks like a loose affiliate constellation increasingly resembles a coordinated “Jewels” payment and branding scam operated by Ukrainian controllers.

“GEMCEBR”: Decoding the Transaction Laundering

Player bank statements show the descriptor “GEMCEBR LONDON GBR” on deposits that in reality fund unlicensed casinos such as HolyLuck and TrueLuck, not any legitimate “gems” marketplace. A key discovery in this intelligence report is the bank descriptor “GEMCEBR LONDON GBR.” This is a textbook example of Transaction Laundering (TL).

The Mask: The descriptor mimics the name of the legitimate “Centre for Economics and Business Research” (CEBR) to avoid scrutiny from bank compliance algorithms.

The Reality: The “GEM” prefix acts as an internal corporate signature for the “Jewels” syndicate, which includes offshore entities like Sapphire Summit S.R.L. and Gem Limitada.

Independent player-discussion threads list “GEMCEBR, London” among descriptors encountered in disputes tied to Curaçao-licensed gambling sites and merchant-category concerns. This mirrors FinTelegram’s earlier findings that the RevDuck network reuses Sapphire Summit S.R.L. (reg. no. 3‑102‑903325) across multiple brands and regulatory actions, including the KSA fine against Booms.bet (read more about the TrueLuck sister sites here).

The Great Portland Street Pipeline

The network utilizes the “virtual office” hub at 167-169 and 85 Great Portland Street, London to create a veneer of UK legitimacy.

Lyntec Limited (Company No. 15919943): Incorporated in August 2024, this entity is registered as an “IT consultancy.” Our research confirms it is controlled by Ukrainian nationals Maksym Buriachenko and Kyrylo Lehkodukh (until Nov 2025).

The Shell Strategy: By registering as a consultancy, Lyntec can access the traditional banking system to process fiat deposits that would otherwise be flagged as high-risk gambling transactions.

In FinTelegram’s risk taxonomy, such “IT/marketing” façades on Great Portland Street are typical of transaction‑laundering fronts that disguise gambling flows as benign B2B services.

Ukrainian Control and the RevDuck–Lyntec Link

The whistleblower’s claim that both “brains” (RevDuck) and “wallet” (Lyntec) are Ukrainian-controlled finds partial confirmation. Independent industry sources and FinTelegram’s previous RevDuck dossier describe RevDuck’s operational teams as Ukrainian and deeply embedded in the SoftSwiss/Affilka ecosystem. Read our report on the RevDuck network here.

While public records do not (yet) formally link RevDuck and Lyntec, the shared nationality pattern, matching Great Portland Street environment, and overlapping casino cluster are strong circumstantial indicators of a coordinated structure rather than independent actors.

Transaction Laundering via Lyntec and the SoftSwiss Layer

From a compliance perspective, the GEMCEBR descriptor and London “IT consultancy” cover point to classic transaction laundering:

Players from restricted markets (e.g., the Netherlands) deposit in fiat under a neutral London descriptor.

Lyntec appears as the merchant of record, masking the underlying gambling nature from banks and card schemes.

Funds are then routed to offshore operators such as Sapphire Summit S.R.L. (Costa Rica) and linked “Gem” entities behind TrueLuck, HolyLuck, and Booms.bet.

FinTelegram’s earlier report already documented that RevDuck operates on SoftSwiss’s Affilka platform, with Affilka providing the tracking, reporting, and affiliate payment backbone for this cluster. The Lyntec thread now suggests that, in addition to crypto/payment rails linked to SoftSwiss’s broader “payment hub” allegations, dedicated UK shells are spun up to handle card traffic under misleading descriptors.

Key Data

| Entity | Type | Registration / License | Role | Brands / Connections |
| --- | --- | --- | --- | --- |
| SoftSwiss / Stable Aggregator Ltd | B2B Platform & Aggregator | Malta: MGA/B2B/942/2022 | Technology hub; casino platform, game aggregation, Affilka affiliate system, payment orchestration | Dama, N1 Interactive, Hollycorn, Stable Tech, Novatrix, RevDuck |
| RevDuck (www.revduck.com) | Affiliate Network / Operator | Costa Rica (via rotating SRL entities) | “Offshore projects” operator using Affilka; systematic Dutch market targeting | Holyluck, Trueluck, Kokobet |
| Holyluck (www.holyluck.com, www.holyluckX.com, www.holy-luck.org) | Offshore Online Casino | Costa Rica: Zephyr Holding SRL (3-102-926727) / Gem Limitada, Yakadea SRL, Sapphire Summit SRL; UK: Lyntec Limited (geo-switched) | Unlicensed casino targeting Netherlands; geo-evasion via holyluck2.com | RevDuck network |
| Trueluck (https://thetrueluck.com) | Offshore Online Casino | Costa Rica: Sapphire Summit SRL (3-102-903325); UK: Lyntec Limited | Unlicensed casino; explicit NL marketing; same Costa Rica entity as KSA-fined Booms.bet | RevDuck network |
| Kokobet (www.koko.bet) | Offshore Online Casino | Costa Rica: 3-102-897762 LTDA | Late 2024 launch; RevDuck network brand | RevDuck network |
| Booms.bet | Online Casino | Costa Rica: Sapphire Summit SRL (3-102-903325) | KSA fine: €840,000 (Jan 2026) for illegal NL operations; same reg. as Trueluck | Independent but structural parallel |
| Affilka (www.affilka.com) | Affiliate Platform | SoftSwiss Group; Cyprus: Zellero Limited | Affiliate management, tracking, reporting; powers RevDuck and 100+ casino brands | RevDuck, N1 Partners, and SoftSwiss client base |
| Dream Finance Group (CoinsPaid / CryptoProcessing) | Crypto Payment Processors | Estonia: Dream Finance OÜ (Reg. 14783543, FIU licence FVT000166) | Crypto rails for SoftSwiss casinos; co-founded by SoftSwiss founder Ivan Montik | Dama, Hollycorn, Stable Tech, RevDuck affiliates |
| Lyntec Limited | Payment facilitator | UK / Company No: 15919943; MD: Maksym Buriachenko and Kyrylo Lehkodukh (until Nov 2025) | Payment layer for transaction laundering | SoftSwiss, RevDuck, Affilka |

Conclusion and Call for Information

The portrayal of RevDuck as “just an affiliate” is no longer credible. The jewel‑themed branding, the reuse of Sapphire Summit S.R.L., the Great Portland Street shell setup, Ukrainian beneficial ownership of Lyntec, and the Affilka integration together indicate a single, highly structured illegal iGaming enterprise, not a decentralized network.

FinTelegram will continue to investigate Lyntec Limited (15919943), the GEMCEBR descriptor, and associated banking partners as potential transaction‑laundering channels for the RevDuck/SoftSwiss ecosystem. Industry insiders, current or former employees of Lyntec, RevDuck, SoftSwiss/Affilka clients, processors, or banks seeing GEMCEBR‑tagged flows are urgently invited to submit documents and intelligence via the secure Whistle42 platform. All submissions will be treated confidentially and may be decisive in enabling regulators and law enforcement to shut down this network.


THE WIRECARD SMOKING GUN: SoftSwiss Founder Ivan Montik Unmasked in Munich Court as Judge Flattens PSP Denials

Explosive testimony from SoftSwiss founder Ivan Montik in the Munich Wirecard trial reveals the direct lineage between MGA-regulated entities and offshore shadow operations. Despite claims of being a mere B2B provider, the court’s rejection of Montik’s “not a PSP” defense highlights a massive, unlicensed financial scheme involving hundreds of millions of euros.

Key Facts

A court witness identified Direx N.V. as the former “Softswiss N.V.” and said it is now named “Dama N.V.”, all domiciled in Curaçao.

Montik described Direx as a B2B provider that “forwarded income” received via Wirecard to casino “clients,” while denying PSP status.

The presiding judge rejected the denial, lecturing that he “knows by now what a PSP is and what not.”

Defense confronted the witness with a payments list totaling €422m into Direx and rounded outbound transfers; the witness claimed no knowledge and referenced a finance director “Ivan Schubowski (or similar).”

FinTelegram previously linked SoftSwiss Direx/Dama Wirecard processing volumes and described the broader casino network structure.

SoftSwiss is presented as operated via Stable Aggregator Limited under Malta Gaming Authority licence MGA/B2B/942/2022.

The Court Testimony

The testimony of Ivan Montik in September 2025 marks a watershed moment for regulatory transparency in the iGaming sector. For years, FinTelegram has exposed the intricate web connecting SoftSwiss, Direx N.V., and Dama N.V. In court, Montik finally confirmed under oath what investigators have long maintained: the seamless evolution and shared identity of these entities.

This September 2025 courtroom episode matters because it moves the SoftSwiss/Dama/Wirecard discussion from “investigative reconstruction” to a business-model explanation given in a criminal trial setting. If an entity (Direx/Dama) receives aggregated player funds through a regulated processor (Wirecard) and then redistributes those funds to multiple third-party “casino clients,” that is functionally payment intermediation — whatever label is used on slides or contracts. Read our SoftSwiss reports here.

The PSP Shell Game

The most damning moment of the proceedings occurred when Montik attempted to distance his operations from financial intermediation. While Montik characterized his business as purely B2B software services, the presiding judge took the extraordinary step of lecturing the witness, stating he “knows by now what a PSP [Payment Service Provider] is.”

This judicial intervention effectively classifies the SoftSwiss/Direx/Dama apparatus as an unlicensed PSP. By “forwarding income” from online gaming through Wirecard to offshore clients, the group operated as a shadow bank. This aligns with FinTelegram’s previous reports suggesting that SoftSwiss provides more than just code; it provides a non-transparent financial pipeline for high-risk gambling operations.

Our investigations indicate that Dream Finance Group—operating the brands CoinsPaid and CryptoProcessing—is part of the wider business ecosystem associated with Ivan Montik, who has publicly presented himself as a co-founder. We further understand that the network around SoftSwiss and Dream Finance has expanded to include Russian investors. In parallel, whistleblowers and a growing number of online media reports have raised recurring allegations of money-laundering exposure linked to SoftSwiss-connected structures.

Against that backdrop, Montik’s sworn testimony in the Wirecard criminal trial aligns with the pattern FinTelegram has been documenting: a tightly integrated “casino + white-label + payments” ecosystem. As previously reported, we consider Dream Finance to be a relevant component of this payment hub, particularly for crypto-payment routing. Most recently, Dream Finance was forced to suspend its crypto-asset related services in Lithuania, at least temporarily.

The €422 Million Disconnect

Evidence presented by Dr. Braun’s defense revealed a staggering €422 million flowing into Direx accounts. These funds were redistributed via “repeating regular rounded payments”—a classic red flag for money laundering or automated shadow accounting. Montik’s defense—claiming ignorance of these flows despite being the CEO and pointing toward a Finance Director—appears increasingly untenable given the scale of the transactions.

Regulatory Contradictions: MGA vs. Curaçao

The testimony creates a terminal conflict for the Malta Gaming Authority (MGA). SoftSwiss currently operates via the MGA-regulated Stable Aggregator Limited. However, Montik’s admission that this ecosystem is inextricably linked to Dama N.V. (a Curaçao-based entity frequently flagged for operating in “grey” markets) places the MGA in a precarious position. The court’s findings suggest that a regulated European entity is being used as a “clean” front for a massive offshore scheme.

Conclusion

Montik’s testimony validates FinTelegram’s long-standing warnings. The “White Label” model used by SoftSwiss is not merely a technical solution but a regulatory shield for unlicensed payment processing. As the Wirecard trial continues to peel back the layers of European fintech corruption, the focus must now shift to the regulators who allowed the SoftSwiss/Dama nexus to operate with impunity.

Whistleblower Call to Action

Do you have information regarding the internal financial structures of SoftSwiss, Dama N.V., or Stable Aggregator Limited? Help us expose the shadow economy. Please provide any documents or tips via the Whistle42 whistleblower platform. Your anonymity is our priority.


Meet the Briantie Group – Offshore Casino Operator in Cyprus!

The Briantie Group, centered around Cyprus entity Briantie Limited and Curaçao‑licensed Wiraon B.V., illustrates a high‑risk model in which offshore casino operators leverage EU‑based payment agents and opaque crypto processors to target players in prohibited markets such as Italy. The group’s structure, domain practices, and payment setup raise significant regulatory and AML/CTF red flags. Corporate and operational setup Briantie Limited is a Cyprus‑registered private limited company that appears to act as an EU‑based payment and operational agent for Verde Casino and related brands, while core gambling licensing is outsourced to Curaçao entity Wiraon B.V. (license 8048/JAZ). Together, these entities form what can be described as the Briantie Group, combining EU and offshore components to distribute regulatory and enforcement risk. In this model, Curaçao provides the nominal gambling licence and hosting structure, while Cyprus offers access to SEPA banking, EU payment institutions, and a veneer of single‑market proximity to target European players, including those in restricted jurisdictions. Domain and targeting practices In the FinTelegram Verde Casino review, we identified the use of mutated and parameter‑stuffed URLs such as https://85verdecasino.com/it-it#https://85verdecasino.com/it-it# that are clearly tailored to Italian‑language users. This points to deliberate geo‑targeting of players in Italy, a jurisdiction where unlicensed online casinos are prohibited and subject to enforcement. The use of such mutated domains is a classic circumvention tactic: by deploying multiple, often short‑lived domains and URL variants, operators can evade blacklists, dilute brand traceability, and obfuscate the technical footprint of their illegal offerings. Crypto payments and TheDex Our Verde Casino review also revealed a broad range of crypto payment options routed through third‑party gateways, including the anonymous operator TheDex (thedex.cloud). 
TheDex presents itself as a crypto exchange or payment gateway but provides minimal, if any, corporate, licensing, or ownership transparency. The cyber rating agency RatEx42 has already black-listed TheDex over its facilitation of illegal casinos. We again identified the involvement of the Polish provider ChainValley, which appears to facilitate synthetic FIAT deposits: customer bank transfers are first used to purchase cryptocurrencies, which are then automatically routed by ChainValley to the casino operator as the ultimate beneficiary. From a compliance perspective, this combination of offshore casino operations, EU‑based payment agents, and unlicensed or opaque crypto gateways embedded in the EU payments ecosystem is highly problematic. It undermines customer due diligence, source‑of‑funds scrutiny, and effective transaction monitoring, and it increases exposure to money laundering and sanctions risks. Skrill classifies Briantie Limited as a non‑eligible merchant for its promotional programmes, as evidenced by its inclusion in Skrill’s ‘Non Eligible Skrill Merchants’ list. This classification indicates that established payment service providers actively distinguish and ring‑fence higher‑risk merchants, including operators associated with offshore online gambling, from standard customer reward and incentive schemes. Compliance analysis Briantie Limited and its associated licensee Wiraon B.V., together with the Verde Casino brand, have been flagged on regulatory watchlists and technical blocklists in multiple jurisdictions, underscoring their status as illegal gambling operators. In particular, the ‘Lithuania Illegal Gambling Operators’ dataset maintained within the OpenSanctions framework lists Briantie Limited among unlicensed providers whose services are deemed unlawful in that jurisdiction. 
In Italy, the main Verde Casino domain is subject to administrative blocking measures by the Agenzia delle Dogane e dei Monopoli (ADM), which orders ISPs to prevent access to unlicensed gambling sites and routinely updates a national blacklist of prohibited domains. These measures demonstrate that competent authorities are not only aware of the Briantie/Verde setup but have already taken concrete steps—through sanctions-style listings, public blacklists, and technical blocking orders—to restrict its availability and to signal elevated legal and regulatory risk for both players and intermediaries. Our findings: The group structure indicates regulatory arbitrage: Curaçao for light‑touch gambling oversight, Cyprus for EU‑adjacent payments and perceived legitimacy. The apparent role of Briantie Limited as an EU payment agent creates potential supervisory gaps if financial flows are processed through EU banks or payment institutions without accurate merchant categorization and risk profiling. Targeting of players in prohibited markets (e.g., Italy) via mutated domains suggests willful evasion of national gambling regulators and website blocking measures. Use of anonymous or non‑transparent crypto processors such as TheDex significantly elevates AML/CTF risk, undermining FATF‑aligned controls, Travel Rule implementation, and effective tracing of funds. Overall, the Briantie Group exemplifies how illegal casino operators can operate “under the nose” of regulators by fragmenting their operations across offshore entities, EU‑based payment agents, and lightly regulated crypto intermediaries.

Key structures and relationships

| Element | Details |
| --- | --- |
| Brands (casinos) | Verde Casino (core brand identified in our review; other white‑label or sister brands possible). |
| Domains | 85verdecasino.com and mutated/parameterized variants targeting Italy (e.g., /it-it#…). |
| Legal entities | Briantie Limited (Cyprus, payment/operational agent); Wiraon B.V. (Curaçao, gambling licence holder). |
| Individuals | Ultimate beneficial owners and controlling persons not transparently disclosed; further mapping required. |
| Regulatory frameworks | Curaçao online gambling regime; Cypriot/EU financial and corporate law; national gambling laws in target markets (e.g., Italy). |
| Jurisdictions | Operational and licensing nexus: Curaçao; payment and corporate nexus: Cyprus/EU; targeted player markets: Italy and other EU/third‑country jurisdictions. |
| Payment stack | Traditional card/fiat channels plus crypto payment gateways, including the opaque TheDex (thedex.cloud) and Polish on-ramper ChainValley. |

We invite affected players, payment industry insiders, and former or current staff of Briantie, Verde Casino, TheDex, or connected intermediaries to share documents, experiences, or technical evidence with us confidentially via our whistleblower platform Whistle42.


“The Price of the Loan”: A Witness Statement Alleges a €2M Kickback Structure at Collapsed Bulgarian FIB

A bilingual witness statement describes an alleged “pay-to-borrow” mechanism at First Investment Bank (FIB): a €9.5 million loan tied to a forced €2 million purchase of a seemingly unrecoverable claim. An insider draft frames the transaction as a deliberate leverage tool in the broader Stoyan Staykov and Regent Capital ecosystem. We map what is alleged, what is verifiable, and what regulators should now demand. Key Points The witness alleges a loan condition: a €2m “cession purchase” embedded in a €9.5m facility to finance a strategic stake in Terminal Tiger AD. The claim allegedly sold by the bank is described as economically worthless and linked to companies that were insolvent / non-functional; the witness says a senior bank representative allegedly warned: “there is nothing to collect.” After distress and enforcement, pledged assets reportedly ended up at auction with buyers including INSA OIL and AA Consult Ltd. Public context: FIB’s history includes the 2014 bank-run and liquidity-support episode reviewed by EU institutions and the state-aid framework. FinTelegram has previously reported on Stoyan Staykov’s Vienna-centered network, including patterns of sub-10% stakes, nominee layers, and cross-border flows. The Strategic Investment The witness statement received by FinTelegram provides a granular look at how First Investment Bank (Fibank), under Executive Director Chavdar Zlatev, allegedly leveraged its position to enforce “extraordinary fraud.” In January 2018, NSA Bulgaria EOOD (NSA) initiated a formal application with First Investment Bank AD (PIB) for an earmarked loan to facilitate a major cross-border acquisition. The project centered on a capital increase within its subsidiary, NSA Investment EOOD, to fund the purchase of 72% of the shares in Terminal Tiger AD (AO) for EUR 7,350,000. The target company was then held by the Austrian entity E&A Beteiligungs GmbH (E&A). 
Regent Capital AD and Logistic Terminal Svilengrad AD (LTS) agreed to serve as co-debtors, pledging their corporate assets as collateral. According to the witness’s account, the responsible manager at Fibank demanded that NSA Bulgaria take out an additional €2 million loan on top of the loan for the purchase price, which was to be used to purchase an alleged claim from an unknown company. These €2 million then disappeared. The witness assumes fraud and kick-back. Read our reports on Stoyan Staykov here. Extended Analysis 1) The Kickback-Pattern If accurately documented, the mechanism resembles a classic disguised-fee / kickback pattern: the bank conditions credit on a separate purchase of an asset the borrower neither wants nor can value—effectively embedding an extra “charge” into the loan proceeds. That raises immediate issues under basic banking conduct and internal control frameworks (credit committee independence, conflicts of interest, related-party considerations, and audit trail integrity). From an AML/CFT standpoint, forcing an economically irrational purchase can function as a value transfer whose ultimate beneficiary is opaque—especially if the receivable traces to shells, insolvent entities, or politically exposed structures. The witness explicitly states it remained unclear who economically benefited from the payment. 2) The enforcement endgame: why auctions matter The witness describes a progression: the borrower struggles; the bank does not substantively engage; then enforcement proceeds via a private enforcement channel (named in the statement), and assets are auctioned. The witness names alleged buyers and links them to broader political/legal networks—exactly the kind of downstream “asset capture” pattern compliance teams should scrutinize: who financed the auction bids, which accounts were used, and whether any counterparties were screened as PEP-adjacent. 
3) Regent Capital: The Strategic Lever The role of Regent Capital AD and its ultimate driver, Stoyan Staykov, is central to this architecture. Regent Capital acted as a co-debtor and “hinge” in the transaction. Our analysis suggests Regent Capital was not a mere participant but a “pressure amplifier” used to secure the loan’s approval while simultaneously burdening the borrower with the €2 million “fee”. This aligns with Staykov’s established reputation as a “power broker” who operates in the grey zones between Bulgarian banking interests and international financial structures. 4) Why this lands harder in the FIB context FIB is not a random small lender: it has a long public history that includes the June 2014 bank run and subsequent state liquidity support reviewed under EU state-aid rules. And while this does not validate the witness allegations, it increases the public-interest threshold for transparency about governance and credit practices. Notably, FIB disclosed that Chavdar Zlatev was dismissed as Executive Director and Management Board member effective October 2024. The Vienna Connection: Alpha Bulgaria and Vienna Privatbank Stoyan Staykov’s activities are not confined to Bulgaria. FinTelegram has previously exposed his deep-rooted ties to Vienna and Cyprus, often linked to suspected money laundering operations. Alpha Bulgaria & Wiener Privatbank: Staykov was a key figure behind Alpha Bulgaria, which famously sought to acquire a significant stake in Wiener Privatbank (report here). This move was viewed by compliance experts as a strategic attempt to gain a foothold in the EU banking system, potentially to facilitate the movement of “grey” capital from the Balkans. The Pattern: The Fibank “kickback” scheme fits the broader pattern of Staykov’s operations: using corporate vehicles (like Alpha Bulgaria or Regent Capital) to interface with established banks, creating complex layers of debt and receivables that obscure the true destination of funds. 
Conclusion and Risk Assessment The testimony is an “exceptional” piece of evidence. It describes a “kickback mechanism” where €2 million of loan tranches were immediately diverted into a pre-signed, illegitimate cession agreement. The fact that the eventual beneficiaries of the subsequent public sale of the pledged assets were entities linked to Delyan Peevski and Aleksandar Angelov further suggests that this could have been a coordinated “asset-stripping” operation enabled by the bank. Summarizing Table The following table summarizes the key individuals and legal entities identified in the witness statement and the analysis of the Stoyan Staykov and First Investment Bank (Fibank) case.

| Entity / Individual | Jurisdiction | Role / Description |
| --- | --- | --- |
| Stoyan Staykov | Bulgaria / Austria | Alleged central power broker and “ultimate driver” behind the corporate network. |
| First Investment Bank (PIB)/Fibank | Bulgaria | The lender accused of enforcing an illegitimate “cession agreement” as a condition for a loan. |
| Chavdar Zlatev | Bulgaria | Executive Director of Fibank; allegedly dictated the extortionate loan conditions. |
| Regent Capital AD | Bulgaria | A company linked to Staykov; acted as a co-debtor and strategic “hinge” for the loan. |
| NSA Bulgaria / NSA Investment | Bulgaria | The borrowing entities forced into the EUR 2 million “kickback” transaction. |
| Terminal Tiger AD (AO) | Russia / Bulgaria | The target company of the acquisition financed by the loan. |
| E&A Beteiligungs GmbH | Austria | The parent company of Terminal Tiger AD and seller of the shares. |
| PST Group EAD | Bulgaria | One of the “insolvent” companies from which the borrower was forced to buy a claim. |
| Patishta Stara Zagora EAD | Bulgaria | The second insolvent company involved in the allegedly fraudulent claim purchase. |
| Logistic Terminal Svilengrad (LTS) | Bulgaria | A co-debtor for the bank loan. |
| Stoyan Yakimov | Bulgaria | Private enforcement agent (bailiff) who handled the public sale of the pledged assets. |
| AA Consult Ltd. / Aleksandar Angelov | Bulgaria | Winners of the public sale; Angelov is noted as a lawyer for Delyan Peevski. |
| Alpha Bulgaria | Bulgaria | A vehicle used by Staykov in an attempt to acquire a stake in Vienna Privatbank. |

Call for Information If you have information regarding Stoyan Staykov, Regent Capital AD, or the inner workings of First Investment Bank (Fibank), we want to hear from you. Help us expose the networks facilitating money laundering between Sofia, Vienna, and Cyprus. Share your information safely and anonymously via our whistleblower platform, Whistle42.


The Canadian Connection: CenturaPay Red-Listed as Shadow Payment Rail for Offshore Casinos and MiFinity Schemes

The Canadian MSB CenturaPay (Canamoney Exchange Ltd) has been slapped with a Red Risk Signal on RatEx42. Investigations reveal its pivotal role as a high-risk payment agent, facilitating illegal offshore gambling deposits by piggybacking on the infrastructure of established processors like MiFinity. As regulators tighten the noose, the “Canadian Bridge” is beginning to buckle. Analysis: CenturaPay, MiFinity, and the Architecture of Obfuscation The recent Red Listing of CenturaPay on the RatEx42 compliance platform is the result of a multi-month forensic deep-dive into the “Stellar” and “Spinbara” casino groups. Our findings establish a direct operational link between the Canadian-registered Canamoney Exchange Ltd and the notorious high-risk payment processor MiFinity. 1. The MiFinity Mutualism FinTelegram has identified a recurring pattern where MiFinity, an FCA-regulated e-wallet, is used as a “trusted front” for gambling deposits. However, when the “Direct Bank Transfer” or “Crypto-on-Ramp” options are selected within the MiFinity environment or alongside it in a casino’s cashier, CenturaPay often appears as the underlying settlement agent. The Tactic: CenturaPay utilizes its Canadian FINTRAC MSB license to provide the “fiat-to-crypto” bridge. By processing the transaction through a Canadian entity, the gambling-related Merchant Category Code (MCC) is stripped and replaced with a “Currency Exchange” or “Digital Asset Purchase” descriptor. The Benefit: This allows high-risk operators to process funds from “blocked” jurisdictions like Germany and Italy while maintaining the appearance of legitimate financial activity through MiFinity’s regulated rails. 2. Why the Red Listing? The RatEx42 Red Signal for CenturaPay is driven by three critical factors: Systemic Masking: The deliberate use of misleading transaction descriptors to bypass banking AML filters. 
Regulatory Arbitrage: Exploiting the relatively lax oversight of Canadian MSBs to facilitate European gambling deposits that would be illegal under MiCA or national laws. Entity Overlap: CenturaPay has been found in the same “payment cascades” as utPay and CoinsPaid, both of which were recently suspended or liquidated following regulatory intervention. 3. The “Stellar” Influence Our traffic intelligence indicates that CenturaPay is a preferred “dark rail” for the Stellar Group of casinos. These casinos use a rotating fleet of “mutated domains” to stay ahead of ISP blocks, but the underlying payment infrastructure—the CenturaPay API—remains a constant, providing the liquidity needed to move millions in player deposits every month. Call to Action: Players and Insiders FinTelegram and RatEx42 are actively mapping the bank accounts and settlement routes used by Canamoney Exchange Ltd (CenturaPay) and its partners. To Players: Have you deposited funds into an online casino (e.g., Frumzi, FatPirate, Spinbara) where CenturaPay or Canamoney appeared on your bank statement or credit card bill? Please send us a screenshot of the transaction descriptor. To Insiders: Do you have information on the fee-sharing agreements between CenturaPay and high-risk processors like MiFinity? Are you aware of the specific liquidity providers CenturaPay uses for its crypto on-ramps? Submit your evidence anonymously via the Whistle42.com whistleblower platform. Every piece of data helps us bring transparency to the shadow banking world.


[WHISTLEBLOWER LEAK] The Shadow Empire: Insider Evidence Exposes Secret Links Between CoinsPaid, AlphaPo, and SoftSwiss

A cache of internal communications leaked by a high-level whistleblower has finally shattered the wall of separation between CoinsPaid and the notorious AlphaPo. The evidence reveals a coordinated effort by CEO Max Krupyshev and Head of Legal Maria Akulenko to mask financial interdependencies, including a mysterious loan from AlphaPo and direct executive overlaps. As the MiCA “Guillotine” falls in Lithuania, the true scale of this “Shadow Rail” ecosystem is coming to light. Analysis: The Smoking Gun in the CoinsPaid-AlphaPo Connection For years, the Dream Finance Group (operating as CoinsPaid and CryptoProcessing) has maintained a public image of a regulated, security-first crypto processor. However, new evidence provided by a verified former manager—including WhatsApp and Slack screenshots—proves that CoinsPaid and AlphaPo (AP) were not just partners, but two arms of the same “shadow” infrastructure serving the high-risk iGaming industry. 1. Max Krupyshev: The Dual Executive Role The leaked WhatsApp communications show Max Krupyshev, CEO of CoinsPaid, directly discussing AlphaPo’s liquidity and operational status with Chainalysis investigators. The Evidence: The whistleblower confirms that Krupyshev held an executive role at AlphaPo simultaneously with his leadership at CoinsPaid. The Significance: This executive overlap is a massive conflict of interest and a regulatory red flag. It suggests that while CoinsPaid was the “clean” front-facing brand, AlphaPo served as the high-risk “underworld” rail. Krupyshev’s direct involvement in AlphaPo’s liquidity issues—especially around the time of the $60M Lazarus Group hack—indicates he was managing a single pool of risk across both entities. 2. Maria Akulenko: Compliance as a Mask Perhaps the most explosive evidence comes from Maria Akulenko (LinkedIn profile), former Head of Legal and Compliance at CoinsPaid. 
The Evidence: A Slack message shows Akulenko explicitly instructing staff to “never use AP [AlphaPo] and CoinsPaid issues in the same email communication.” The Analysis: Akulenko, who frequently represented CoinsPaid in MiCA regulatory discussions in Brussels, appears to have been actively engineering the “legal separation” of entities she knew were financially and operationally linked. Instead of ensuring transparency, the Head of Legal was actively coaching employees on how to avoid creating a “paper trail” that regulators or auditors could follow. This “siloing” of information is a classic hallmark of financial obfuscation. 3. The AlphaPo-Dream Finance “Loan” This insider evidence perfectly aligns with reports from FOCOS and El Salvador Now regarding a $1 million (or $2.1 million in some tranches) loan granted by AlphaPo to the Dream Finance entity in El Salvador. The Context: AlphaPo was used as a “fiat-to-crypto” buffer for offshore casinos. The loan to Dream Finance suggests that AlphaPo was not just a service provider but a source of capital for the group. The Danger: Using a high-risk entity (AlphaPo) that was later tied to North Korean money laundering (Lazarus Group) to fund a “regulated” EU group (Dream Finance) is the ultimate compliance nightmare. Context: The “Guillotine” and the Global Retreat The timing of these leaks is critical. With the RatEx42 Blacklisting of Dream Finance and the suspension of their Lithuanian license (Dream Finance UAB), it appears the group is in a frantic “de-risking” mode. The liquidation of their Polish and Salvadoran entities (as previously reported) is likely an attempt to destroy the very connections these screenshots now prove. The connection to SoftSwiss remains the core of the web. By using CoinsPaid and AlphaPo as captive rails, SoftSwiss created a closed-loop system where gambling funds could be processed, converted, and laundered away from the eyes of European regulators. 
Call to Action: Whistle42 The veil is lifting, but more information is needed to map the full flow of funds. We are looking for: Documentation regarding the SoftSwiss-AlphaPo-CoinsPaid triangular shareholding. Proof of other “loans” or inter-company transfers between Dream Finance OÜ (Estonia) and AlphaPo. Details on the “New Bridge” strategy being offered to merchants following the Lithuanian shutdown. Submit your evidence anonymously via Whistle42.com. Your identity is our highest priority.


BREAKING: The “Controlled Demolition” of Dream Finance? Liquidations in El Salvador and Poland Amid SoftSwiss/AlphaPo Connections

A breakthrough in the Dream Finance investigation reveals a global retreat. Following the MiCA-triggered blackout in Lithuania, new insider intel and local reports confirm the liquidation of the group’s entities in El Salvador and Poland. From mysterious loans from AlphaPo to UBO links with SoftSwiss, the veil of transparency is finally being lifted on the Dream Finance empire. Analysis: The Fragmentation of a High-Risk Payment Empire Following our recent report on the “MiCA Guillotine” falling on Dream Finance UAB in Lithuania, FinTelegram has received critical insider intelligence that paints a picture of a global corporate “clean-up.” This information, corroborated by external investigative reports from FOCOS and El Salvador Now, suggests that the Dream Finance Group (operating as CoinsPaid and CryptoProcessing) is systematically dissolving secondary entities to bury toxic financial trails. 1. The El Salvador Exit: Shadow Loans and Offshore Havens The liquidation of Dream Finance (El Salvador), which reportedly began in March 2024, is more than a routine closure. According to investigations by FOCOS, the entity was utilized to “safeguard” over $2.1 million from offshore casinos located in tax havens. Most alarming for compliance officers is the revelation of a “weird loan” taken from AlphaPo. AlphaPo (website), a crypto processor notorious for its involvement in high-risk gambling and for being the target of a massive $60M hack (linked to the Lazarus Group), has long been rumored to be part of the same ecosystem as CoinsPaid. A direct financial link—in the form of a loan—suggests a level of commingling and mutual dependency that exceeds a standard business relationship. 2. The Polish Liquidation: Proving the SoftSwiss UBO Link The dissolution of Dream Finance (Poland) provides the “smoking gun” regarding the group’s beneficial ownership. 
The naming of Pavel Kashuba and Dmitry Yatzkau, aka Dmitry Yaikau aka Dzmitry Yaikau, close partners of SoftSwiss and CoinsPaid founder Ivan Montik, as the UBOs of the Polish entity confirms what FinTelegram has asserted for years: CoinsPaid and SoftSwiss are two sides of the same coin. Pavel Kashuba is a well-known figure in the SoftSwiss executive structure (often cited as CFO). This connection validates the hypothesis that CoinsPaid serves primarily as a “captive” payment rail for the SoftSwiss iGaming empire, designed to process gambling funds under the guise of an independent crypto service provider. 3. Contextualizing the Pattern: Why the Retreat? This news provides vital context to the RatEx42 “Black” listing of Dream Finance. The pattern is clear: Lithuania: Suspended due to MiCA’s inability to tolerate high-risk gambling flows. El Salvador: Liquidated after being exposed for shielding casino funds. Poland: Liquidated after UBO links became too visible. For compliance analysts, this looks like a “Controlled Demolition.” By liquidating these entities, the group likely seeks to terminate legal trails, making it harder for regulators to map the historical flow of funds between offshore casinos, AlphaPo, and the SoftSwiss core. Go to the Dream Finance listing on RatEx42 here. The Compliance Verdict: Transparency via Whistleblowers The information provided by our community is proving more effective than official registries. The collapse of the El Salvador and Polish entities, combined with the Lithuanian shutdown, indicates that the “Shadow Rail” model is under existential threat. The RatEx42 Critical (Black) Rating for Dream Finance is hereby reinforced. Any financial institution still interacting with the remaining Estonian or North American entities of this group must account for the high probability of hidden liabilities and toxic history involving AlphaPo. Read our AlphaPo reports here. 
Whistle42: A Call to the Inner Circle We thank the whistleblowers who are helping to bring transparency to the Dream Finance/SoftSwiss web. Your information is vital for protecting the integrity of the European financial market. Do you have documents related to the AlphaPo loan? Are you aware of where the $2.1 million in El Salvador was moved after liquidation? Do you have internal emails regarding the MiCA transition strategy for the Estonian entity? Submit your evidence anonymously via Whistle42.com. Help us map the truth.


The Great Lithuanian VASP Purge: utPay, CoinsPaid, and the MiCA “Guillotine” Fall on High-Risk Crypto Rails

Our ongoing monitoring of the Lithuanian VASP register and the high-risk payment landscape shows that the “MiCA Guillotine” has claimed several other entities that previously served as key rails for the iGaming and offshore sectors. We are currently tracking a “Shadow Rail Contagion” where several other processors have either gone “dark,” relocated to less stringent jurisdictions, or are operating in a legal gray zone. This seems to be the first wave of a systemic regulatory purge in the Baltics. Below is our analysis of other high-risk VASPs and payment processors currently under pressure or having recently “pivoted” due to the January 1, 2026, MiCA enforcement deadline. The “Shadow Rail” Contagion: Affected Entities & Regulatory Refugees 1. Match2Pay (Match2Pay UAB) Status: High Risk / Under Review. Analysis: Historically one of the most prominent “card-to-crypto” on-ramps for the gambling industry in Lithuania. While Match2Pay UAB previously boasted of its Lithuanian registration, our latest data indicates it was not among the small group of ~30 companies that successfully secured a MiCA CASP license by the deadline. We are currently seeing “Technical Maintenance” notices on several of its integration points. 2. Ari10 (Ari10 UAB) Status: Jurisdictional Migration. Analysis: A significant player in the Polish and Baltic crypto-fiat exchange market. Following the Bank of Lithuania’s tightening, Ari10 has increasingly shifted its operational weight to its Polish VASP registration. Poland currently offers a temporary “regulatory shelter” as its MiCA enforcement timeline is slightly behind Lithuania’s “cliff-edge” approach. 3. CryptoProcessing (Dream Finance UAB) Status: Technically Suspended (Lithuania). Analysis: As the B2B brand of the Dream Finance/CoinsPaid group, CryptoProcessing’s Lithuanian infrastructure is officially offline. 
Merchants who relied on this rail are being redirected to “alternative group entities” in Estonia (OÜ) or Canada, though these entities cannot legally provide passported services into the EU without a MiCA CASP license. 4. Paymero & SegoPay Status: “Ghost Gateways” (Deregistered). Analysis: These entities have historically functioned as anonymized “Front-End” gateways for high-risk traffic. Our December 2025 traffic analysis showed a massive drop-off in their Lithuanian-hosted endpoints. They appear to have moved to “Sovereign/Self-Hosted” models (using protocols like PayRam or BTCPay Server) to avoid the custodial regulatory requirements of MiCA. Comparative Analysis: The “Polish Shelter” Strategy Our research shows a massive migration of high-risk VASPs from Vilnius to Warsaw. In the last quarter of 2025, over 22 Lithuanian VASPs relocated their “regulatory base” to Poland. Compliance Warning: This is a temporary arbitrage. Poland’s “AML-only” registration will likely be invalidated by mid-2026 as ESMA (European Securities and Markets Authority) moves to harmonize enforcement. For banks and PSPs, accepting traffic from a Polish-registered VASP that was recently “flushed” out of Lithuania represents a Significant AML Red Flag. Actionable Intelligence for Regulators & Banks The following red flags are currently being observed as these suspended entities try to maintain operations: The “Technical Integration” Excuse: Entities claiming they no longer provide “crypto services” but only “technical payment software” while still facilitating gambling deposits. Descriptor Masking: A shift in bank statement descriptors from company names (e.g., “utPay”) to generic terms (e.g., “Online Service,” “Digital Topup”) to hide the connection to a suspended VASP. Non-EU “Pass-Throughs”: Using Canadian or UAE-based entities to process EU player deposits, which is a direct violation of MiCA’s reverse solicitation rules. 
Call for Information We are specifically looking for information on Match2Pay UAB and any other Lithuanian entities currently operating under “Consultancy” or “Software” agreements after losing their VASP status. Are you an operator who has been offered a “new rail” to replace utPay or CoinsPaid? Send the integration details and bank account info to Whistle42.com. Your identity will remain strictly confidential.


The MiCA Guillotine Falls Again: CoinsPaid (Dream Finance) Joins utPay in Lithuanian Regulatory Blackout

The Lithuanian crypto landscape is undergoing a violent contraction. Following the suspension of utPay, the iGaming crypto giant Dream Finance UAB d/b/a CoinsPaid and CryptoProcessing has officially shuttered its Lithuanian operations. As the MiCA “grandfathering” period expires, the Bank of Lithuania is flushing out high-risk processors, leaving the SoftSwiss-linked empire to retreat to Estonian and North American strongholds. Key Facts CoinsPaid’s Legal Hub states: Dream Finance UAB (Lithuania) temporarily suspended all crypto-asset services, including onboarding, execution of transactions, and concluding new agreements; the site remains for legal/regulatory info and contacts. CoinsPaid lists Dream Finance US LLC (Delaware) and Dream Finance Processing Inc. (Canada) as additional group entities (MSB registrations referenced on its disclosures). The Bank of Lithuania warns Lithuania’s transitional period ends 31 Dec 2025; after that, providers without MiCA licensing lose the right to operate in Lithuania. Context: FinTelegram recently reported a MiCA-related suspension affecting another Lithuania-linked crypto and iGaming facilitator (utPay), suggesting a broader enforcement/clean-up wave. A Coordinated Exit or a Forced Retreat? The announcement by Dream Finance UAB (the Lithuanian arm of the Dream Finance Group headed by Max Krupyshev) of a “temporary suspension” of all crypto-asset services marks a watershed moment for the iGaming payment sector. As of early 2026, the “Wild West” era of Lithuanian crypto registration is definitively over. Our analysis explores the regulatory mechanics and the broader implications for the SoftSwiss/CoinsPaid ecosystem. 1. The “Cliff-Edge” of MiCA Compliance The suspension is no coincidence. December 31, 2025, served as the final “cliff-edge” for the Lithuanian VASP transition. 
Under the Markets in Crypto-Assets (MiCA) regulation, the Bank of Lithuania has replaced the previous low-barrier registration model with a rigorous CASP authorization process. Capital Thresholds: Firms must now demonstrate a minimum of €125,000 in fully paid-up capital. The “Fit and Proper” Filter: Regulators have intensified scrutiny on beneficial owners and management. The Pattern: Much like utPay (Utrg UAB), CoinsPaid’s decision to “suspend” rather than “obtain” a license suggests either a failed application or a strategic withdrawal to avoid a public license revocation. Read our utPay report on the shutdown here. 2. The SoftSwiss Connection and the iGaming Web CoinsPaid/Dream Finance is not merely a payment processor; it is the financial backbone of the SoftSwiss iGaming group. FinTelegram’s intelligence indicates that both entities are controlled by the same beneficial owners, positioning CoinsPaid as the primary crypto rail for thousands of online casinos. By processing an estimated €23 billion in transactions, CoinsPaid sits at the center of the high-risk “shadow banking” sector. The loss of a Lithuanian license—previously a badge of “EU regulation”—undermines the group’s perceived legitimacy and complicates its ability to maintain Euro-denominated fiat rails. Read our CoinsPaid reports here. 3. Jurisdictional Arbitrage: The Estonian and North American Pivot While the Lithuanian doors have closed, the Dream Finance Group is far from dormant. Estonia: Dream Finance OÜ remains active, banking on Estonia’s slightly different (though also tightening) regulatory timeline. North America: The existence of Dream Finance US LLC (Delaware) and Dream Finance Processing Inc. (Canada) indicates a calculated effort to preserve “Western” corporate identities to satisfy merchants and banking partners. 
However, under MiCA’s “passporting” rules, without a valid CASP license from a primary EU regulator (like the Bank of Lithuania), these entities cannot legally target or serve the broader EU market.

The Compliance Verdict

The “temporary” nature of this suspension is likely a euphemism for a permanent exit from the Lithuanian jurisdiction. For compliance officers and banking partners, the message is clear: The Dream Finance entities are currently operating outside the regulated perimeter of the Lithuanian financial system. Hopefully, the transition to MiCA is successfully “flushing” the high-risk gambling ecosystem out of the Baltics. The compliance question regulators and counterparties should ask is not only “did they apply?” but also “what happens to flows during the transition?” CoinsPaid markets itself as a major crypto payments ecosystem, widely used in high-risk verticals like iGaming. A Lithuania pause combined with a continuing Estonia hub creates a practical concern: service continuity may shift jurisdictionally, while risk exposure (merchant portfolio quality, KYB depth, transaction monitoring, downstream casino networks) remains the same problem—just routed differently.

Whistle42: Call for Information

Are you an insider at Dream Finance or SoftSwiss with knowledge of the Bank of Lithuania’s specific enforcement actions? Do you have information on how funds are being rerouted through Estonian or North American entities to bypass EU restrictions? Submit your evidence anonymously via Whistle42.com. Your data is essential to maintaining transparency in the crypto-iGaming sector.


The Open Banking Hijack: Millions of Illegal Casino Deposits Through Anonymous Payment Gateways

Our latest Stellar-casino reviews (WinBay, AllySpin, LuckyMax, Spinbara and related “domain mutations”) show a familiar pattern: unlicensed casino access + rail obfuscation. Players are routed through anonymous open-banking checkout domains and “gateway cascades,” while “fake bank deposits” appear to be executed via crypto purchases routed through ChainValley and other on/off-ramp infrastructure. Traffic intelligence suggests the system is heavily Germany-skewed, with mainstream banks repeatedly appearing in the journey. I. Payment Infrastructure as Crime Facilitator Open banking was designed to revolutionize European payments through transparency, security, and consumer empowerment. Account-to-account transfers authenticated via bank-grade biometrics, instant settlement, and financial data sharing for KYC verification promised to create safer, more efficient payment ecosystems. What FinTelegram has documented is the systematic perversion of this infrastructure. FinTelegram identified three payment gateways, operating with a domain carousel and without disclosed beneficial ownership, regulatory oversight, or transparent corporate structures, that have hijacked open banking rails to process what traffic intelligence suggests are well over one million casino deposit transactions monthly, predominantly from German players to operators holding no German gambling licenses. The operational architecture is elegant in its deception: Players see: “Bank Transfer,” “Instant Banking,” or “Sofortüberweisung” options in casino cashiers—familiar, trusted payment methods. Banks process: Generic account-to-account transfers to entities presenting as financial technology providers or payment processors, not gambling merchants. Regulators encounter: Payment flows categorized as “financial services” or “technology services,” evading gambling-specific Merchant Category Codes (MCCs) and payment blocking orders.
Casino operators receive: Instant settlement of player deposits without traditional payment processor oversight, chargeback risk, or meaningful AML scrutiny. The result is a parallel payment infrastructure that systematically undermines three years of German enforcement efforts under the Glücksspielstaatsvertrag 2021, Dutch KSA payment blocking initiatives, and Italian ADM concession requirements—while leveraging the trust and security of European banks to facilitate illegal activity at industrial scale. II. The Anonymized Gateway Network: TransactGrid, PayByBank, & BankLayer Our analysis reveals a highly centralized “Gateway Stack” designed for obfuscation. TransactGrid (checkout.transactgrid.com): The core “Black Rail” of the operation. With 760,000+ monthly visits, it serves as the final settlement point for multiple referring sites. PayByBank (openbanking.paybybank.net): A specialized “feeder” gateway. Our data shows 100% of its destination traffic is funneled directly into TransactGrid. This indicates that PayByBank acts as a “white-label” front to provide a veneer of legitimacy to the underlying TransactGrid infrastructure. BankLayer (checkout.banklayer.org): Focused almost exclusively on the Stellar Group (Frumzi, Allyspin, Supabet). This gateway serves as a dedicated rail for Stellar’s “mutated” domains—disposable URLs (e.g., frumzi756723.com) used to evade ISP blocks. Target Market Analysis Despite holding only an Anjouan license—which explicitly does not authorize service to German, Dutch, or Italian players—Stellar casinos generate 92%+ of their open banking traffic from Germany. This geographic concentration, combined with German-language interfaces, Euro as primary currency, and integration with German banking infrastructure (Postbank, Sparkasse branding in payment flows), demonstrates active and deliberate targeting of German players in direct violation of the Glücksspielstaatsvertrag 2021. 
Aggregate Traffic Analysis: The Scale of Illegal Deposit Infrastructure

| Gateway | Dec 2025 Visits | Avg. Duration | Germany % | Merchant Profile |
| checkout.transactgrid.com | 760,000 | 4-8 min | 97%+ | Multi-casino |
| openbanking.paybybank.net | 78,000 | 4-8 min | 87% | Multi-casino |
| checkout.banklayer.org | 400,000 | 4-8 min | 92%+ | Stellar exclusive |
| TOTAL | 1,238,000 | ~6 min | ~95% | Illegal offshore |

Interpretation Framework

The 4-8 minute average visit duration is a critical data point. Open banking payment flows require:

1. Gateway landing and bank selection (30-60 seconds)
2. Redirect to bank authentication portal (10-20 seconds)
3. Bank credential entry and 2FA/biometric authentication (1-3 minutes)
4. Payment consent review and authorization (30-60 seconds)
5. Return redirect to merchant and deposit confirmation (30-60 seconds)

Total expected duration for completed transactions: 4-7 minutes. The observed 4-8 minute average strongly suggests that the vast majority of these 1.2+ million visits represent completed or attempted payment transactions, not casual browsing or abandoned flows. Combined with the exclusive casino referral sources and 95%+ German traffic concentration, the evidence supports the conclusion that these gateways processed approximately 1.2 million illegal casino deposit transactions from German, Dutch, and Italian players in December 2025 alone. Annualized estimate: 14+ million transactions processed through anonymous open banking gateways to unlicensed offshore casinos.

III. The “Fake Fiat” Bridge: ChainValley & The VASP Exploit

Some casinos, such as Spinbara (Spinbara1.com), additionally use a more deceptive technique known as “Crypto-on-Ramp Laundering” via the Polish VASP ChainValley (app.chainvalley.pro). The Deception: Players are prompted to make a “bank deposit.” In reality, they are redirected to ChainValley to purchase USDT or BTC, which is instantly transferred to the casino.
Regulatory Loophole: ChainValley exploits the Polish VASP Registry, which has been criticized by European regulators for its low barrier to entry. By operating under a “Virtual Asset” license, they process fiat-to-crypto flows that the player believes are simple fiat deposits. Volume: Over 217,000 visits in December 2025. The 5-minute average stay duration strongly correlates with the time required to complete a 3D-Secure bank transfer and a crypto-on-ramp purchase. IV. The utPay Shutdown: A MiCA Success Story? As previously reported, utPay (app.utpay.io) was a major player in this ecosystem, handling 610,000 visits in December. The suspension of their crypto services in January 2026, citing MiCA (Regulation EU 2023/1114), is a significant event. Analysis: It is highly probable that the Bank of Lithuania intervened after identifying utPay’s role as a facilitator for high-risk gambling. Under MiCA, VASPs face significantly higher scrutiny regarding their “Merchant Base.” A provider whose traffic is 80% gambling-related (as our data suggests) would likely fail the “fit and proper” test required for a MiCA-compliant CASP license. V. Compliance Assessment & Red Flags This multi-layered architecture is designed to bypass the “Gambling Merchant Category Code” (MCC 7995). By using Open Banking: Merchant Identity is Hidden: The bank sees a transfer to “TransactGrid” or “ChainValley,” not “WinBay Casino.” No Chargeback Protection: Unlike card payments, bank-to-bank transfers via these gateways offer players zero protection, making them the preferred method for predatory offshore operators. Call to Action for Players & Insiders FinTelegram is actively mapping the bank accounts used by TransactGrid, BankLayer, and ChainValley. Have you made a deposit to these sites? Check your bank statement. What was the name of the recipient? Insiders: Do you have information on the beneficial owners of the TransactGrid or PayByBank domains? 
Submit your evidence anonymously via Whistle42.com. Help us protect the European financial system from shadow banking.


Analysis: Lithuanian Crypto Gateway utPay Faces Regulatory Shutdown!

Lithuanian virtual asset service provider UTRG UAB, operating as utPay, has suspended all crypto-asset services effective January 1, 2026, citing MiCA compliance requirements and awaiting authorization from the Bank of Lithuania. This suspension comes after extensive FinTelegram investigations documented utPay’s systematic role as the primary payment facilitator for a sprawling network of illegal offshore casinos targeting German and European players through deceptive “fake bank transfer” schemes. With 87% of its 720,000 monthly visitors originating from Germany and 58% of traffic driven by unlicensed casino operators—including entities connected to the collapsed Rabidi Group and the Marshall Islands-based NovaForge network—utPay’s sudden service interruption raises critical questions about whether years of facilitating illegal gambling operations directly precipitated its current regulatory predicament, leaving hundreds of casino merchants without payment infrastructure and potentially exposing the company’s leadership to criminal prosecution under Lithuanian law. Read our utPay reports here. The Suspension: A Regulatory Reckoning On January 1, 2026, visitors to utpay.io encountered a stark message that marked the end of one of Lithuania’s most controversial crypto payment operations. 
UTRG UAB, the Lithuanian virtual asset service provider operating under the utPay brand, announced the immediate suspension of all crypto-asset services, citing the need to “ensure full alignment with the requirements of Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA).” The company’s website now states that it “does not provide any crypto-asset services as defined in MiCA and does not carry out activities listed in Annex IV of the Regulation,” claiming instead to provide only “card section integration and provide technical integration with other partners.” This carefully worded statement represents a dramatic retreat for a payment processor that, just weeks earlier, was processing over 720,000 visits monthly through its primary domain app.utpay.io. The timing is no coincidence. Lithuania’s transitional period for virtual asset service providers (VASPs) to obtain MiCA licenses expired on December 31, 2025—one of the strictest deadlines in the EU. Unlike jurisdictions such as Latvia, Hungary, and Slovenia that opted for six-month transition periods, or countries like Spain that extended timelines to July 2026, Lithuania initially set its deadline for May 31, 2025, before extending it to year-end following intense industry lobbying. The Bank of Lithuania had been unequivocal about the consequences of non-compliance. In multiple public statements throughout late 2025, the central bank warned that after January 1, 2026, any provision of crypto-asset services without a MiCA license would constitute illegal financial activity. The penalties are severe: under the Lithuanian Criminal Code, unlicensed provision of financial services is punishable by public works, fines, restriction of liberty, or imprisonment for up to four years—escalating to seven years in cases involving money laundering. As of mid-2025, approximately 370 entities were registered in Lithuania’s VASP registry, but only 120 were actively operating and generating revenue. 
By July 2025, merely 30 companies had submitted MiCA license applications to the Bank of Lithuania, with just 10 applications under active assessment. The regulatory bottleneck was severe, and the clock was ticking. UTRG UAB, led by CEO Andrius Atkočaitis, did not publicly disclose whether it submitted a MiCA license application. What is clear is that when the deadline arrived, utPay’s services went dark, leaving its merchant clients—particularly a network of offshore casinos—without a critical payment processing lifeline.​ The Business Model: Fake Bank Transfers and Crypto Camouflage To understand why utPay’s suspension matters, one must first understand what utPay actually did—and for whom. FinTelegram’s compliance investigations, conducted throughout 2024 and 2025, revealed that utPay had evolved into a specialized payment facilitator for illegal offshore casinos, particularly those targeting German players in violation of Germany’s State Treaty on Gambling (Glücksspielstaatsvertrag, GlüStV 2021). The scale of this operation was staggering: in December 2025, app.utpay.io recorded approximately 610,000 visits, with a remarkable 81.06% originating from Germany. The “Fake-Fiat” Payment Scheme WinBay cashier with UTRG dba utPay and ChainValley FinTelegram documented a sophisticated deception mechanism that utPay employed at the heart of its casino integration strategy. When players attempted to deposit funds at participating casinos, utPay was presented on the casino cashier page as a standard “bank transfer” or card deposit option—methods familiar and trusted by European consumers. However, the actual transaction bore no resemblance to a bank transfer. 
Instead, players were seamlessly routed through a crypto-purchase flow that operated as follows: Initial presentation: The casino checkout displayed utPay as “Banküberweisung” (bank transfer), “Echtzeit-Überweisung” (real-time transfer), or specific bank brands like “Deutsche Postbank,” “Sparkasse,” or “Deutsche Bank.”​ Hidden crypto purchase: Behind this familiar interface, the transaction was actually a cryptocurrency purchase—typically USDC or USDT—from UTRG UAB in its capacity as a registered virtual currency exchange operator. Automatic routing via ChainValley: The purchased crypto was automatically routed through app.chainvalley.pro, a branded checkout interface that functioned as the technical bridge between UTRG’s exchange service and the casino’s wallet. Pre-ticked consent: A small consent line stating “buy crypto and send to the specified address” appeared in the checkout flow, typically already ticked by default. Attempts to change the destination wallet address triggered warnings or were effectively blocked.​ Direct casino delivery: The crypto was immediately transferred to wallet addresses controlled by the casino operator, completing the deposit without ever passing through traditional banking infrastructure. This structure delivered multiple strategic advantages to illegal casino operators—and created corresponding compliance disasters: Regulatory arbitrage: By categorizing transactions as “crypto exchange” rather than “gambling deposits,” the scheme circumvented German payment blocking measures implemented by the Gemeinsame Glücksspielbehörde der Länder (GGL), Germany’s unified gambling regulator. Germany’s payment blocking regime—one of the most aggressive enforcement tools available under GlüStV 2021—had issued over 30 payment blocking orders against payment service providers by mid-2025, cutting off revenue streams to unlicensed operators. utPay’s crypto-based structure rendered these orders ineffective. 
Bank-side gambling controls bypassed: German banks have implemented internal controls to identify and block gambling-related transactions, particularly to unlicensed operators. By disguising casino deposits as cryptocurrency purchases from a Lithuanian VASP, utPay transactions flew under these detection systems.​ Chargeback elimination: Traditional credit card and bank transfer deposits to online casinos carry chargeback rights—players can dispute transactions if services are not delivered or if the operator is unlicensed. Crypto transfers are irreversible. By converting fiat deposits into immediate crypto transfers, utPay systematically eliminated players’ financial recourse. KYC evasion: FinTelegram investigators documented instances where casino registration required no Know Your Customer (KYC) verification, allowing players to deposit funds via utPay without identity checks—a glaring violation of anti-money laundering requirements.​ Traffic Analysis: The Casino Connection The depth of utPay’s integration with illegal gambling operations becomes undeniable when examining traffic referral patterns. According to FinTelegram’s analysis of November 2025 data, at least 58% of observed traffic to app.utpay.io was driven by casino, gambling, and sports betting websites. The top five traffic referrers were all offshore casino domains:​ Legiano.com (21% of referral traffic) BetAlice.it (21% of referral traffic) Additional unlicensed casino operators including Betsolino, Wazamba, and Cazimbo SimilarWeb data confirmed the pattern: 63.47% of utPay’s desktop traffic originated from referrals, with 99.21% of outgoing links directing users to poker and gambling categories. The user demographics—76.87% male, with the largest age cohort being 35-44 years—precisely matched the profile of online gambling participants. This was not a diversified payment processor serving various legitimate e-commerce merchants. 
This was a purpose-built gambling payment gateway that had systematically positioned itself as the financial plumbing for a network of operators lacking authorization to serve European markets. The Casino Network: NovaForge, Rabidi, and the Marshall Islands Connection utPay’s client roster reads like a who’s who of illegal offshore gambling operations, with particularly deep connections to two infamous networks: the collapsed Rabidi Group and its suspected successor, NovaForge Ltd. Liernin Enterprises Ltd, which holds a PAGCOR (Philippine Amusement & Gaming Corporation) license, operates alongside NovaForge in managing the post-Rabidi casino portfolio. This licensing strategy is deliberate: PAGCOR licenses are considered legitimate by some regulators but do not authorize service to European or German markets, allowing operators to claim licensing while operating illegally in their primary target jurisdictions.​ FinTelegram’s traffic analysis revealed that casinos operated by NovaForge Ltd were among utPay’s largest clients:​ Legiano (NovaForge Ltd, Marshall Islands, PAGCOR license): Accounted for 21% of utPay’s referral traffic in November 2025. The casino’s deposit options explicitly list utPay under various “bank transfer” brands, routing players through the ChainValley crypto conversion system. BetAlice (NovaForge Ltd): Similarly contributed 21% of referral traffic, utilizing identical payment integration methods.​ Betsolino (Betsolino Limited, UK registration, claiming Curaçao license): Featured utPay as its primary payment gateway operator alongside MiFinity, Rapid, Changelly, and MoonPay. The UK Gambling Commission confirmed no license exists for Betsolino Limited. 
Wazamba (formerly Rabidi N.V., now operating anonymously): Continued to process payments through Mirata Services and other Cyprus-based agents, with connections to the broader utPay ecosystem.​ This client concentration—where the majority of a payment processor’s business derives from a network of interconnected illegal gambling operators—is not coincidental. It represents a deliberate business model where utPay positioned itself as the specialized financial infrastructure enabling operators to circumvent national gambling regulations and payment blocking regimes. The German Enforcement Landscape: Why utPay Mattered to Illegal Operators To understand why utPay was so valuable to illegal casino networks, one must understand the regulatory environment they faced in their primary target market: Germany. The GlüStV 2021 Framework Germany’s Fourth Interstate Treaty on Gambling (Glücksspielneuregulierungsstaatsvertrag, GlüStV 2021), which entered force in July 2021, established one of Europe’s most restrictive online gambling regimes. The treaty created the Gemeinsame Glücksspielbehörde der Länder (GGL), a centralized federal gambling regulator with sweeping enforcement powers.​ Under GlüStV 2021, online casino operators targeting German players must obtain a German license and comply with extensive restrictions: €1,000 monthly deposit limit per player across all operators €1 maximum stake per casino game spin Mandatory 5-second delay between slot machine spins Complete prohibition of live dealer games Ban on progressive jackpot slots Participation in centralized player database for cross-operator monitoring These restrictions make the German market economically unattractive for many operators, particularly those accustomed to high-volume, high-stake gameplay in other jurisdictions. 
Consequently, numerous offshore operators—including the NovaForge/Rabidi network—chose to serve German players illegally without licenses, circumventing the restrictions while capturing market share.​ Payment Blocking: The GGL’s Primary Weapon Recognizing that blocking access to illegal gambling websites through IP or DNS blocking faces technical and legal limitations (German courts limited the use of IP blocking via internet service providers in March 2024), the GGL shifted enforcement focus to payment blocking—orders issued to payment service providers prohibiting participation in transactions for unlicensed gambling operations. By mid-2025, the GGL had issued over 30 payment blocking orders and was monitoring 858 German-language gambling websites, with 212 hosting illegal content. This enforcement created significant operational challenges for unlicensed operators, who found traditional payment processors—credit card acquirers, bank transfer services, and established e-wallets—increasingly unwilling to process gambling transactions without verified German licensing. The payment blocking regime works because most traditional payment infrastructure involves German banks, German payment service providers, or international processors with German operations subject to GGL jurisdiction. When the GGL issues a payment blocking order, the vast majority of targeted payment service providers comply immediately, removing payment options from the illegal casino’s website.​ utPay as a Payment Blocking Countermeasure This is where utPay’s Lithuanian jurisdiction and crypto-based structure became strategically valuable to illegal operators. As FinTelegram analyzed:​ Jurisdictional arbitrage: UTRG UAB, registered in Lithuania and licensed only by Lithuanian authorities, was outside direct GGL enforcement reach. While the GGL could theoretically issue payment blocking orders against Lithuanian entities, cross-border enforcement is slower and more complex than domestic actions. 
Crypto categorization defense: By structuring transactions as cryptocurrency purchases rather than gambling deposits, utPay could claim its service was fundamentally different from traditional gambling payment processing. The player was “buying crypto” from a licensed Lithuanian VASP—that the crypto was immediately sent to a casino wallet was, in this framing, the player’s independent decision. SEPA access maintenance: Despite the crypto conversion backend, utPay’s frontend integrated with European SEPA banking infrastructure and credit card networks, allowing players to fund deposits using familiar, trusted payment methods. This combination—traditional payment rails on the user interface, crypto conversion in the backend—provided the operational advantages of cryptocurrency (irreversibility, jurisdictional opacity) while maintaining the user experience of traditional banking.​ Detection evasion: German banks’ internal gambling transaction detection systems typically flag payments to known casino merchant IDs or to payment processors in high-risk gambling jurisdictions like Malta, Curaçao, or Cyprus. Payments to UTRG UAB, categorized as cryptocurrency purchases from a regulated Lithuanian VASP, would not trigger these gambling-specific controls.​ The result was a payment processing architecture that systematically undermined German gambling enforcement while maintaining sufficient regulatory cover—a Lithuanian VASP registration—to claim legitimacy. MiCA Compliance Barriers The suspension of utPay’s services citing MiCA compliance requirements raises a critical question: Did utPay submit a MiCA license application to the Bank of Lithuania, and if so, why has authorization not been granted? MiCA’s authorization requirements for crypto-asset service providers (CASPs) are extensive: Sound governance frameworks: Demonstration of adequate operational capabilities and qualified management free from conflicts of interest. 
Capital adequacy: Sufficient capital to manage operational and market risks. AML/CFT compliance: Comprehensive anti-money laundering and counter-terrorism financing programs meeting EU standards. Consumer protection: Clear pricing, risk warnings, complaint resolution procedures, and segregation of client assets. Market abuse prevention: Real-time communication surveillance and controls to prevent market manipulation and insider trading.​ If utPay submitted a MiCA application and the Bank of Lithuania identified the merchant concentration in illegal gambling operations, the extensive German traffic patterns, or the deceptive payment flow structures during its assessment, authorization would likely be refused. The Bank of Lithuania has made clear its intention to maintain high standards and avoid becoming a “crypto haven” or forum-shopping destination. Alternatively, if utPay did not submit a MiCA application by the deadline, its operation of crypto-asset services after December 31, 2025, would constitute illegal financial activity. The company’s statement that it has “temporarily suspended” services “in order to ensure full alignment” with MiCA, combined with the assertion that it “intends to resume the provision of crypto-asset services only after obtaining the relevant authorisation,” suggests ongoing efforts to secure licensing. However, the past cannot be erased—if the Bank of Lithuania’s assessment of UTRG UAB’s historical activities reveals systemic facilitation of illegal gambling, the authority may conclude that the company’s management and governance do not meet MiCA’s “fit and proper” requirements. The Regulatory Cascade: Lithuania’s MiCA Crackdown and European Precedents utPay’s suspension is not an isolated incident but part of a broader regulatory reckoning for virtual asset service providers across the European Union as MiCA implementation accelerates. 
Lithuania’s Regulatory Posture Lithuania emerged in the late 2010s as a crypto-friendly jurisdiction, with relatively low barriers to VASP registration and a regulatory environment that attracted cryptocurrency businesses seeking EU market access. By 2025, however, the tone had shifted dramatically. The Bank of Lithuania’s statements throughout late 2025 reflected a deliberate policy choice: Lithuania would not become a “crypto haven” or participate in “forum shopping” by maintaining lax standards to attract businesses that could not obtain licenses in more rigorous jurisdictions. This positioning was reinforced by the central bank’s decision to extend the transitional period only to December 31, 2025 (rather than the maximum July 1, 2026, that MiCA permits), and by strong public warnings about criminal prosecution for unlicensed activity.​ Lietuvos Bankas mobilized additional resources to assess the wave of MiCA license applications, yet as of mid-2025, only approximately 30 of 370 registered VASPs had applied, with just 10 applications under assessment. This low conversion rate suggests that the majority of Lithuania’s registered VASPs either lacked the operational substance to meet MiCA requirements, were unable to demonstrate legitimate business models under enhanced scrutiny, or made strategic decisions to wind down rather than undergo rigorous licensing processes. The central bank’s authority to block website access, publish lists of unlicensed providers, and refer cases to law enforcement for criminal prosecution created a credible enforcement threat. For VASPs whose business models relied on regulatory arbitrage—operating in legal gray areas or facilitating activities that would face prohibitions in other jurisdictions—the MiCA transition represented an existential threat. 
Binance and High-Profile Enforcement

The most prominent MiCA compliance crisis in Lithuania involves Bifinity UAB, the Lithuanian entity through which the Binance Group provides cryptocurrency services in Europe. Despite generating nearly €111 million in tax payments to Lithuania since 2022 (including €27.6 million in 2024 alone), Bifinity does not currently hold a MiCA license and therefore cannot legally provide crypto-asset services in Lithuania as of January 1, 2026. The Bank of Lithuania confirmed it is reviewing multiple applications from Binance-related entities but stated unequivocally that neither Bifinity nor Binance currently has authorization under MiCA procedures.

If Lithuania’s largest and most prominent cryptocurrency taxpayer cannot secure timely MiCA authorization, the message to smaller, less compliant VASPs like UTRG UAB is clear: past registration under national regimes provides no guarantee of MiCA authorization, and historical economic contribution does not substitute for regulatory compliance.

The Hypothesis Confirmed: Activities and Consequences

Returning to the central question: Did utPay’s systematic facilitation of illegal casino operations cause its current regulatory suspension and potential criminal exposure? The evidence supports a strong affirmative answer across multiple causal pathways:

1. Business Model Incompatibility with MiCA Standards

utPay’s core revenue model—processing hundreds of thousands of transactions monthly for unlicensed gambling operators, predominantly targeting German players in violation of German law, using deceptive payment interface design to circumvent regulatory controls—is categorically incompatible with MiCA’s governance, consumer protection, and market integrity requirements.

When the Bank of Lithuania assesses MiCA license applications, it evaluates:

Fit and proper management: Whether directors and key personnel demonstrate integrity and competence.
Business model legitimacy: Whether the CASP’s activities comply with EU and Member State laws.
Consumer protection: Whether the service provider implements fair dealing and transparent disclosure.
AML/CFT effectiveness: Whether transaction monitoring and suspicious activity reporting meet standards.

UTRG UAB’s historical operations fail on all dimensions. Management presided over a business model fundamentally dependent on facilitating violations of Member State gambling law. The “fake bank transfer” interface directly violated consumer protection principles by deceiving users about the nature of transactions. Transaction monitoring and suspicious activity reporting appear entirely absent given the overwhelming concentration of illegal casino clients.

If UTRG UAB submitted a MiCA application, these deficiencies would surface during the Bank of Lithuania’s assessment, leading to application refusal. If the company did not submit an application, it would face immediate criminal liability for continuing operations past December 31, 2025.

2. Regulatory Scrutiny and Investigation Probability

The extensive public documentation of utPay’s casino facilitation activities by FinTelegram—published reports, traffic analysis, merchant network mapping, and detailed technical documentation of the payment flow mechanisms—ensures that regulatory authorities, law enforcement agencies, and compliance professionals are aware of UTRG UAB’s activities. The Bank of Lithuania and Lithuanian Financial Crimes Investigation Service (FNTT) have explicit mandates to investigate VASPs suspected of facilitating financial crime, money laundering, or violations of EU and Member State regulations. Given the public evidence and the high-profile nature of illegal gambling enforcement in Europe, regulatory investigation of UTRG UAB is probable if not already underway.

The suspension of services citing MiCA compliance—rather than a straightforward statement that a license application is pending approval—suggests potential complications in the authorization process or a strategic decision to cease operations rather than undergo scrutiny that could expose criminal liability.

3. Criminal Prosecution Risk Under Lithuanian Law

Lithuanian criminal law provides clear penalties for unlicensed provision of financial services: public works, fines, restriction of liberty, or imprisonment up to four years, escalating to seven years for money laundering. Directors of entities engaged in such activities face personal liability and potential professional disqualification across the EU.

If Lithuanian authorities conclude that UTRG UAB operated after December 31, 2025, without MiCA authorization, criminal prosecution is mandated. If investigations reveal that management knowingly facilitated illegal gambling operations, structured transactions to deceive users and evade regulatory controls, and failed to implement required AML/CFT measures, additional charges could follow.

The German enforcement environment—where over 230 prohibition proceedings, 1,700+ website assessments, and 30+ payment blocking orders demonstrate aggressive pursuit of illegal gambling networks—increases the likelihood of cross-border cooperation. If German authorities identify utPay’s role in circumventing payment blocking and request Lithuanian cooperation through mutual legal assistance channels, the pressure on UTRG UAB intensifies.

4. Civil Liability and Reputational Destruction

Even if criminal prosecution does not materialize, civil liability exposure is substantial. German and Austrian courts have established precedent for player recovery of losses from illegal gambling operations, with liability potentially extending to facilitators.
If organized plaintiff law firms—already actively pursuing hundreds of millions in claims against Rabidi, NovaForge, and associated entities—identify utPay as a deep-pocket facilitator with greater asset recovery potential than offshore shell companies, civil litigation could follow.

The reputational destruction is already complete. utPay is now publicly documented as a payment facilitator for illegal gambling networks, with detailed investigations published by FinTelegram and cited across compliance intelligence platforms. Any future business venture associated with UTRG UAB’s management, even if under different branding or corporate structures, will face intense scrutiny and association with this history.

Conclusion: The Inevitable Collapse of Unsustainable Business Models

The suspension of utPay’s crypto-asset services on January 1, 2026, represents far more than a routine regulatory compliance adjustment. It marks the collapse of a payment processing operation whose core business model—facilitating illegal gambling deposits through deceptive “fake bank transfer” mechanisms while exploiting Lithuanian VASP registration for regulatory cover—was fundamentally unsustainable in the post-MiCA enforcement environment.

The evidence compiled by FinTelegram across 2024 and 2025 established a clear pattern:

87% of utPay’s 720,000 monthly visitors originated from Germany, despite German law prohibiting unlicensed gambling operations.
58% of traffic was driven by casino and gambling websites, with the top clients being illegal offshore operators connected to the collapsed Rabidi network and Marshall Islands-based NovaForge entities.
The payment mechanism was deliberately designed to deceive users, presenting gambling deposits as “bank transfers” while actually executing crypto purchases automatically routed to casino wallets.
The structure systematically circumvented German payment blocking enforcement, undermining regulatory authority and enabling large-scale violations of gambling law.

Lithuania’s decision to enforce a strict December 31, 2025, MiCA transition deadline, combined with the Bank of Lithuania’s explicit stance against becoming a “crypto haven,” created a regulatory environment where VASPs with questionable business models faced binary choices: undergo rigorous licensing scrutiny with high likelihood of refusal, or cease operations and face potential criminal prosecution.

For UTRG UAB, neither option was attractive. MiCA authorization would require demonstrating that its historical operations met EU governance, consumer protection, and AML/CFT standards—a demonstration that the public evidence renders impossible. Continuing operations without authorization after the deadline would constitute criminal activity with personal liability for management.

The result was the only viable path: suspension of services with vague promises of resuming “only after obtaining the relevant authorisation”—authorization that may never come.

For the illegal casino operators left without critical payment infrastructure, utPay’s shutdown represents a strategic inflection point. The era of regulatory arbitrage through Lithuanian VASPs providing fiat-to-crypto gateways while maintaining plausible legitimacy has ended. The remaining options—fully crypto-native deposit mechanisms, even higher-risk processors in non-EU jurisdictions, or actual licensing compliance—all involve greater friction, lower conversion, and increased legal exposure.

European enforcement authorities, having spent years fighting a whack-a-mole battle against offshore casinos while payment facilitators operated with relative impunity, appear to have recognized that cutting the payment rails is more effective than blocking individual casino domains.
The aggressive targeting of payment processors in Lithuania, Turkey, and across the EU signals a strategic shift with potentially transformative effects on the illegal gambling ecosystem.

utPay’s collapse is not an accident of regulatory timing. It is the predictable consequence of building a business model on facilitating crime, disguising illegal activities through deceptive interface design, and betting that regulators would not look too closely at the traffic patterns, merchant profiles, and transaction flows. In the MiCA era, with European regulators coordinating enforcement and criminal penalties clearly articulated, that bet has failed catastrophically.

The question now is not whether utPay will resume services—the evidence suggests resumption is unlikely—but whether criminal prosecutions will follow, how much civil liability will materialize, and whether other VASPs facilitating questionable activities will recognize the warning and wind down operations voluntarily before enforcement comes for them.

Call to Action: Whistleblowers and Insiders

FinTelegram’s investigation into UTRG UAB (utPay) and the NovaForge/Rabidi illegal casino network is ongoing. While substantial evidence has been compiled through open-source intelligence, corporate registry analysis, traffic data, and technical documentation, critical questions remain unanswered.

Share Information via Whistle42

DDH honours the copyright of news publishers and, with respect for the intellectual property of the editorial offices, displays only a small part of the news or the published article. The information here serves the purpose of providing a quick and targeted overview of current trends and developments. If you are interested in individual topics, please click on a news item. We will then forward you to the publishing house and the corresponding article.
· Actio recta non erit, nisi recta fuerit voluntas ·