Norway’s strict payment ban on unlicensed gambling is being quietly undermined by a new, layered payments stack. Using Revolut as an “entry wallet” and Payoro as a withdrawal hub, offshore casinos and their affiliates appear to have created a de facto alternative banking route for Norwegian players—far from the reach of domestic banks and regulators. Key Findings Revolut functions as the primary on‑ramp for Norwegian users to fund accounts at illegal offshore casinos, bypassing bank‑level gambling blocks via e‑wallet and open‑banking transfers. Payoro is widely used as the core payout processor for offshore operators such as White Star B.V., Rhino Entertainment Group, and Boabet, channeling EUR and NOK withdrawals back to Revolut. Many offshore casino brands reviewed by FinTelegram list Revolut—often via open banking providers like Yapily Connect and Bulgarian platform Contiant—as the preferred “go‑to bank” for Norwegian players. MCC misclassification and suspected transaction laundering appear to mask gambling transactions as non‑gambling payments, allowing them to flow through Revolut and partner PSPs without triggering standard gambling blocks. Payoro’s KYC (including BankID) is effectively leveraged by operators as a shortcut: once a player is verified with Revolut and Payoro, deposits and withdrawals are largely frictionless across multiple illegal offshore brands. Analysis And Interpretation Norway’s regime prohibits payment intermediaries from processing transactions to unlicensed gambling operators, and banks have implemented extensive blocking lists for high‑risk processors and merchant accounts. However, domestic banks have been told they cannot impose general blocks on transfers to neutral third parties such as Revolut, generic e‑wallets, and crypto‑friendly platforms. This legal nuance has turned Revolut into a structural weak point in the Norwegian enforcement architecture. The flows described by insiders are straightforward: Norwegian players move funds from their local bank to Revolut, and from there to offshore operators via card, e‑wallet, or open‑banking initiations. For withdrawals, Payoro (website) and similar intermediaries route funds from casino accounts back to Revolut, often after a one‑time KYC check that uses Norwegian BankID. At that point, the domestic bank only “sees” a transfer to or from Revolut—not a gambling transaction. FinTelegram’s previous reviews of illegal offshore casinos repeatedly show Revolut positioned at the center of their payment pages. In combination with open‑banking layers like Yapily Connect and Contiant, Revolut in practice acts as the de facto banking hub for Norwegian high‑risk gambling activity. The frequent reports of MCC misclassification and transaction laundering indicate that both issuers and regulators may be presented with a sanitized version of these flows, while the underlying economic activity remains clearly gambling‑related. Compliance Hypothesis Our working hypothesis is that Revolut and Payoro, together with upstream open‑banking providers and acquirers, form a multi‑layered payment stack that systematically circumvents Norway’s payment ban on illegal offshore gambling. Even if each layer claims to be “agnostic” to end‑use, the cumulative design and marketing towards Norwegian players—combined with MCC manipulation and reliance on third‑party KYC—suggest a concerted architecture of regulatory arbitrage rather than incidental misuse. This raises serious questions about the adequacy of their risk assessments, merchant onboarding, and AML/CTF controls in high‑restriction markets such as Norway. Call For Whistleblowers FinTelegram is continuing its investigation into Revolut’s and Payoro’s roles in offshore gambling payment flows. We call on players, insiders, compliance professionals, and affiliates with knowledge of these structures, including use of Yapily Connect, Contiant, and similar platforms, to provide further information via our secure whistleblower platform Whistle42. Share Information via Whistle42

Revolut has announced on X that it is now a “fully licensed bank” in the UK, confirming that the PRA has lifted the restrictions attached to its 2024 authorisation and allowed the launch of Revolut Bank UK Ltd. The move is a major strategic milestone for the fintech group, but it does not end the regulatory scrutiny around how Revolut’s rails appear across high-risk crypto and offshore-gambling flows. Key Findings Revolut says it is now a fully licensed bank in the UK; the PRA has approved its exit from mobilisation. The UK licence enables FSCS-protected deposit accounts and opens the door to broader lending products. Revolut’s latest official annual-report metrics show 52.5 million retail customers at year-end 2024, £3.1 billion revenue, £1.089 billion profit before tax, and £1 trillion transaction volume; more recent company statements say it now serves more than 70 million customers globally. In the EU, Revolut combines a Lithuanian bank, a Lithuanian MiFID investment firm, and a Cyprus MiCA CASP entity. FinTelegram continues to see Revolut embedded in fiat-to-crypto and offshore-casino payment chains, including via Onramper and open-banking layers. The Compliance Report Compliance Situation in UK Revolut, founded in 2015, has grown from a payments app into one of Europe’s largest fintech groups. Official 2024 figures show 52.5 million retail customers, £3.1 billion in revenue, £1.089 billion in profit before tax, £790 million net profit, and £1 trillion transaction volume. In March 2026, Revolut said it serves more than 70 million customers globally. The immediate significance of the UK licence is straightforward: Revolut can now operate as a full UK bank rather than an e-money institution plus a bank-in-waiting. Its UK bank can offer eligible customers FSCS protection on deposits and can expand into current accounts, credit, and other balance-sheet products. That materially upgrades customer protection, funding flexibility, and regulatory credibility in its home market. Read our Revolut reports here. Compliance Situation in EU In the EU, however, Revolut remains a multi-entity regulatory stack. Banking services are anchored in Revolut Bank UAB in Lithuania, licensed by the ECB and regulated by the Bank of Lithuania; since 2024, Revolut’s Lithuanian banking group has been under direct ECB supervision as a significant institution. Investment services are provided by Revolut Securities Europe UAB, a Lithuanian investment firm subject to MiFID II. Crypto services for EEA clients are now routed through Revolut Digital Assets Europe Ltd in Cyprus, licensed as a CASP under MiCA. Revolut’s own rules also state that tokens qualifying as MiFID II financial instruments are excluded from Revolut X, showing the fault line between MiCA crypto services and securities regulation. High-Risk Payment Facilitator From a FinTelegram compliance perspective, that stronger licence perimeter in the UK does not neutralise the risk created by Revolut’s recurring appearance in high-risk rails. Onramper publicly lists Revolut among its ramp providers, and Onramper announced an Axiom integration for fiat-to-crypto access. FinTelegram recently found Revolut presented as a primary rail in Axiom-related “Buy Crypto” journeys, while in the casino segment Revolut-linked rails and open-banking layers repeatedly surface in offshore payment architectures, often alongside intermediaries such as Yapily-type providers. The compliance issue is therefore not Revolut’s licence status alone, but whether its controls sufficiently detect and restrict repeated exposure to unregulated brokers, DeFi perimeter-risk flows, and offshore gambling conversion chains. Compliance Conclusion Revolut’s full UK banking licence is a genuine milestone. But the stronger the licence, the stronger the expectation that its AML, merchant-risk, transaction-monitoring, and partner-oversight frameworks will prevent its rails from becoming repeat infrastructure for regulatory arbitrage. Revolut Key Data FieldDetailsBrandRevolutMain domainrevolut.comFounded2015Current customer base70m+ globally (company, Mar 2026)2024 revenue£3.1bn2024 profit before tax£1.089bn2024 transaction volume£1tnUK entityRevolut Bank UK Ltd / PRA-regulated UK bank launch; Revolut Ltd remains FCA-authorised EMI (FRN 900562)EU banking entityRevolut Bank UAB, Lithuania, ECB/Bank of Lithuania supervisedMiFID II entityRevolut Securities Europe UAB, LithuaniaMiCA entityRevolut Digital Assets Europe Ltd, Cyprus, CASP licence 001/2025 Call to Whistleblowers If you have information on Revolut’s role in high-risk payment processing, open-banking routing, crypto on-ramping, offshore gambling, merchant monitoring, or AML escalation failures, contact FinTelegram confidentially. Share Information via Whistle42

AXIOM markets itself as a decentralised, on-chain trading platform, but its own materials describe a far more structured and monetised service: a branded trading interface, hybrid wallet, no-KYC crypto purchases up to $500 per week via Coinbase, yield-style features, and perpetuals trading via Hyperliquid with leverage up to 50x and a 0.01% AXIOM fee per trade. For compliance analysts, the question is no longer whether such platforms call themselves “DeFi,” but whether they are in substance providing crypto-asset services through an identifiable operator in a way that places them inside the EU’s MiCA perimeter. Key Findings AXIOM describes itself as a trading platform and “hybrid crypto trading app and wallet,” not merely as neutral code or a passive interface. AXIOM says users can buy up to $500 of crypto per week, no-KYC, through its Coinbase-linked flow. AXIOM’s perpetuals documentation says trading is powered by Hyperliquid, allows leverage of up to 50x, and charges a 0.01% AXIOM fee per transaction. AXIOM’s privacy policy identifies Axiom Innovations Inc. as the entity behind the service. Under MiCA Recital 22, services provided, performed, or controlled by legal or natural persons can still fall within scope even if part of the activity is performed in a decentralised manner; only services provided in a fully decentralised manner without any intermediary are outside scope. The January 2025 EBA/ESMA report expressly warns that industry labels such as “DeFi protocols” should not be treated as a legal conclusion on actual decentralisation for MiCA purposes. The same EBA/ESMA report flags significant ML/TF risks in DeFi channels due to weak or absent AML/CFT controls and the ability of users to transact without effective identification and verification. Recent reporting by CoinDesk described allegations by ZachXBT that an AXIOM employee misused internal tools and user-linked wallet data; AXIOM reportedly said access was revoked and an internal investigation was opened. These are allegations, not proven findings, but they raise governance and market-integrity concerns. Compliance Analysis And Interpretation From a FinTelegram compliance perspective, AXIOM is important because it illustrates the shrinking distance between so-called DeFi interfaces and regulated brokerage-like activity. AXIOM does not present itself simply as open-source software or a non-commercial protocol layer. Its own documentation describes a consumer-facing environment that bundles wallet functionality, trading tools, token discovery, funding rails, yield-style features, and perpetuals trading into one branded product. That matters under MiCA. The AMF’s public MiCA guidance, reflecting Recital 22, is clear that the Regulation applies to services and activities performed, provided, or controlled directly or indirectly by identifiable persons, including where part of the service is performed in a decentralised manner. Only crypto-asset services delivered in a fully decentralised manner without an intermediary fall outside MiCA’s scope. The same AMF page also states that the CASP regime applies from 30 December 2024, subject to transitional arrangements for providers already operating lawfully under national regimes. This is why the “we are DeFi” label is not enough. AXIOM’s materials point to an identifiable operator, branded customer acquisition, fee extraction, integrated third-party relationships, and a managed user journey. Even if execution or settlement is routed through decentralised infrastructure, that does not by itself remove perimeter risk. The stronger compliance reading is that AXIOM presents a serious MiCA scope question, especially where it appears to package access to crypto trading and leveraged perpetual exposure for end users through a centralised commercial layer. The January 2025 joint EBA/ESMA report reinforces that view. The supervisors explicitly state that industry terminology such as “DeFi protocols” should not be read as a view on actual decentralisation under MiCA. They also identify several businesses that provide access to DeFi, including application interfaces and self-custodial wallets, and highlight significant AML/CFT, ICT, and consumer-protection risks in those models. Particularly relevant is their finding that DeFi channels present significant ML/TF risk because users may transact in practice without adequate identification and verification. Against that background, AXIOM’s “no-KYC” purchase flow for up to $500 per week is not a trivial marketing detail. Nor is the combination of wallet functionality, “up to 15% APY” yield messaging, and high-risk perpetuals trading with leverage up to 50x. Taken together, these features create the profile of a high-velocity, highly monetised crypto access point rather than a minimalist software wrapper. That does not prove that AXIOM is already in breach of MiCA or other EU rules. But it does support the view that the platform warrants close supervisory attention under the CASP perimeter, AML/CFT expectations, and broader conduct-risk analysis. The governance angle adds another layer. CoinDesk’s late-February 2026 reporting on allegations that an AXIOM employee misused internal tools and sensitive wallet-linked information goes to the heart of a recurring compliance problem in hybrid crypto platforms: they often want the branding advantages of decentralisation while retaining enough internal visibility, control, and data access to optimise trading behaviour, monetisation, and user growth. Even where the allegations remain unproven, the episode raises legitimate questions about internal access controls, information barriers, surveillance, auditability, and how user-sensitive data is handled inside platforms that market themselves as sophisticated trading venues. For FinTelegram, the core issue is therefore not semantic but structural. If a platform controls the front end, curates the user journey, integrates the funding rails, monetises the activity, and packages leveraged trading for retail-style users, then regulators and compliance analysts are likely to look through the “DeFi” label and focus on the economic reality of intermediation. AXIOM looks much closer to that reality than its decentralisation narrative would suggest. Conclusion AXIOM should be viewed as a serious MiCA perimeter-risk case. Its own disclosures point to an identifiable operator, commercial fee capture, integrated wallet and trading functionality, low-friction no-KYC onboarding for smaller purchases, yield promotion, and leveraged perpetuals trading through Hyperliquid. None of that automatically establishes illegality. But together these features create a strong basis for regulatory scrutiny under MiCA’s CASP framework and raise further concerns around AML/CFT, market conduct, governance, and consumer protection. In FinTelegram’s view, AXIOM is best analysed not by the label it uses, but by the brokerage-like service stack it delivers to end users. Here is a compact summarizing AXIOM key-data table you can insert into the FinTelegram report. Compliance Summary Table CategoryAXIOM Key DataCompliance RelevancePlatform nameAXIOM / axiom.tradeConsumer-facing crypto trading platform with broker-like presentation.Self-descriptionAXIOM says it is a “trading platform” designed to be the only application needed to trade on-chain.Suggests an organised service layer, not merely passive code.Wallet functionAXIOM says it is a “hybrid crypto trading app and wallet” and currently supports Solana.Relevant to MiCA perimeter analysis where wallet + trading functions are bundled.Operator / legal entityAXIOM’s privacy materials identify Axiom Innovations Inc. as the operator. Its terms describe a web-hosted user interface provided by the company.Important because the presence of an identifiable operator weakens a pure “fully decentralised” positioning.Buy-crypto flowAXIOM says users can buy up to $500 worth of crypto per week, no-KYC, through its partnership with Coinbase.Raises AML/CFT and onboarding-friction questions.Yield featureAXIOM says it offers up to 15% APY and links this feature to Marginfi.Adds product-complexity and conduct-risk considerations.Decentralisation claimAXIOM states: “Yes, Axiom is decentralized” and says it integrates directly with decentralised protocols and applications.Core claim to test against MiCA Recital 22 and actual control/intermediation.Perpetuals venueAXIOM docs state perpetuals are powered by Hyperliquid.Indicates reliance on third-party execution infrastructure while retaining branded user access.LeverageAXIOM says it allows up to 50x leverage on its platform.High-risk retail-style trading exposure; relevant for conduct and consumer-protection analysis.Trading feeAXIOM says it takes a 0.01% fee per transaction when trading perpetuals on its platform.Evidence of direct monetisation of trading activity.Trading analytics toolsDocs reference tools such as Bundle Checker, Wallet Tracking, Tweet Monitor, and Trader Scan.Supports the view that AXIOM provides an integrated trading intelligence environment, not just execution access.Key compliance issueAXIOM combines branded interface control, wallet functionality, low-friction onboarding, monetised trading access, and leveraged products.Creates a serious MiCA perimeter-risk profile and raises AML/CFT, conduct, and governance questions. Call To Whistleblowers If you have information about AXIOM, its operators, internal controls, wallet analytics, trading surveillance, compliance setup, or relationships with third-party execution and funding providers, contact us confidentially via Whistle42. We are particularly interested in documents, screenshots, internal policies, legal opinions, onboarding procedures, KYC/AML workflows, governance records, and evidence relating to access to user-linked wallet data or market-sensitive internal tools. Share Information via Whistle42

On 5 March 2026, Hungarian counter-terrorism commandos ambushed two Oschadbank armoured vehicles on the M0 ring road near Budapest, seizing $40 million, €35 million, and nine kilograms of gold — a total haul of roughly $82 million. The man escorting the cash? A former SBU intelligence general. Zelensky’s response was to threaten Viktor Orbán‘s life. This was just one of several such money and gold transports from Austria via Hungary to Ukraine. KEY FINDINGS $82 million in mixed cash and gold seized from two Oschadbank armoured vehicles on the Hungarian M0 ring road on 5 March 2026. Among the seven detainees: a former general of Ukraine’s SBU (Security Service), Gennady Kuznetsov — not a typical bank courier profile. Hungary opened formal money-laundering criminal proceedings; Orbán ordered a 60-day asset freeze via emergency government decree. Hungarian minister János Lázár publicly admitted the raid was deliberate and tied to Ukraine’s suspension of Druzhba oil pipeline transit — a geopolitical act disguised as law enforcement. Zelensky publicly threatened Orbán, implying he would give the PM’s address to Ukrainian armed forces so they could “speak to him in their own language.” The EU rebuked Zelensky’s threat as “not acceptable” — but EU-country media largely buried or downplayed it. In 2026 alone, over $900 million, €420 million, and 146 kg of gold bars transited Hungary into Ukraine — all by road, all in cash. The cash originated from Austria’s Raiffeisen Bank International (RBI) — raising questions about RBI’s role in Ukraine’s parallel cash economy. Read more about the role of RBI in this case here. ANALYSIS: WHY WIRE TRANSFERS DON’T LIE — AND CASH DOESN’T HAVE TO Official website of the Hungarian Government Ukraine’s Oschadbank — the state-owned national savings bank — insists the shipment was routine. Since Russia’s full-scale invasion in February 2022, Ukraine’s airspace closure has forced banks to repatriate foreign currency by armoured road convoy rather than air freight or SWIFT transfer. Bloomberg sources confirm such runs occur weekly. This explanation, however, does not survive basic AML scrutiny. The FATF framework and EU’s 6AMLD are unambiguous: when a legitimate financial institution needs to move large sums of foreign currency, the instrument of choice is a SWIFT interbank transfer, a central bank-to-central bank settlement, or at minimum a documented correspondent banking arrangement — not a physical cash convoy. The question that neither Oschadbank nor its apologists have answered is elementary: why cash, not wire? AML red flags are stacked high. Physical cash — by definition — leaves no automatic audit trail. A former SBU counter-terrorism general serving as a cash courier is operationally indefensible for a routine bank transfer. The sheer scale ($82 million in a single run, with $900M+ transited in just the first two months of 2026) is far beyond any plausible retail liquidity requirement. The involvement of Raiffeisen Bank International (RBI) as the Austrian originator adds another layer: RBI has faced sustained regulatory scrutiny for its continued Russia exposure and has been under pressure from the ECB to exit the Russian market. Austria is also home to some of Europe’s most opaque private banking structures. Ukrainian investigative journalist Anatoliy Shariy, citing sources, alleged the funds did not belong to Oschadbank at all, but to “very specific people” — figures embedded in the Kyiv political establishment with links to Brussels. Hungarian Foreign Minister Péter Szijjártó was even blunter, raising the spectre of a “Ukrainian war mafia.” These are allegations, not proven facts — but the presence of an intelligence general at the wheel of a cash truck worth $82 million demands a credible counter-narrative that has not materialised. The geopolitical context is equally telling. Hungary seized the convoy on the same day Zelensky threatened Orbán. Budapest admitted the operation was deliberate retaliation for the Druzhba pipeline suspension. This collision of raw power politics and financial crime enforcement creates a legal no-man’s land: Hungary’s seizure may be politically motivated yet legally defensible on AML grounds. The money remains frozen, with Orbán holding it as collateral. Poland’s foreign minister called it theft. The EU called Zelensky’s death threat “unacceptable” — and then largely moved on. THE SILENCE OF EU MEDIA That a sitting head of state — a recipient of billions in EU and NATO military support — publicly implied he would send armed soldiers to the private address of an EU member state’s prime minister is, by any standard, an extraordinary event. It is precisely the kind of story that should dominate European front pages for days. Instead, Der Spiegel buried Zelensky’s threat in the penultimate paragraph of an article focused on Orbán. French, Italian, and Spanish outlets barely covered it. The narrative architecture of the European press — in which Zelensky is the heroic victim and Orbán the Kremlin’s useful idiot — left no editorial room for the inconvenient truth that Kyiv just threatened an EU capital. CONCLUSION Whether the $82 million seized in Budapest is war-chest funding for Ukrainian oligarchs, legitimate Oschadbank liquidity, or something murkier, the case exposes a critical gap in Europe’s financial crime architecture: billions in physical cash are moving through EU territory without triggering the oversight mechanisms that SWIFT transfers would automatically generate. The legality of Hungary’s seizure remains contested, but the AML questions raised are entirely legitimate — and they deserve serious answers, not diplomatic deflection and media silence. WHISTLEBLOWER APPEAL Do you have information about cash transfers between Ukrainian banks and European financial institutions? Do you know who the beneficial owners of these convoys really are? FinTelegram urges insiders, bank employees, compliance officers, or government officials with relevant knowledge to come forward. Submit information securely and anonymously via Whistle42 — our encrypted whistleblower platform. Your information protects European financial integrity. Share Information via Whistle42

► This is a follow-up to FinTelegram’s initial report: “Oschadbank’s Missing $82M: Did Kyiv’s Shadow Finance Just Get Caught in Budapest?” (11 March 2026). Readers are advised to review that report for full case background. Raiffeisen Bank International (RBI)confirmed it has a long-standing contract with Ukraine’s Oschadbank to physically transport foreign cash across EU territory — a practice that, Bloomberg confirms, runs weekly and has moved over $900 million and €420 million into Ukraine in the first two months of 2026 alone. RBI is simultaneously under ECB sanction pressure for its Russia business, has been fined by Austria’s FMA for AML failures, and is embedded in Austria’s ÖVP political network. The compliance questions this raises are not academic. They are urgent. KEY FINDINGS RBI confirmed to multiple outlets it operates a “long-standing” banknote distribution business across Europe — citing Austrian bank secrecy law to avoid disclosing specifics of the Oschadbank contract. The shipment originated from RBI’s Vienna headquarters under a formal international contract with Oschadbank — confirmed by Ukraine’s National Bank and Oschadbank’s own legal counsel. According to Hungarian Foreign Minister Szijjártó, over $900M, €420M, and 146 kg of gold transited Hungary into Ukraine in just the first two months of 2026 — implying RBI’s pipeline is substantial and systematic. RBI is the largest Western bank still operating in Russia. Its Russian profits exceeded those of all other foreign banks combined in Q1–Q3 2024, per BankTrack and B4Ukraine. The ECB has formally ordered RBI to accelerate its Russia exit; the US Treasury has warned RBI that access to the US financial system could be restricted due to its Russia dealings. Austria’s FMA fined RBI €2.7 million in 2018 for AML failures, and opened a further KYC investigation in 2024 into RBI’s correspondent banking. RBI has also been investigated over its role in the $967M Magnitsky-linked laundering scheme. The Raiffeisen banking group has historically close structural ties to Austria’s ÖVP — the dominant party in the Austrian government — raising questions about political protection of RBI’s compliance exposure. Hungary was evidently aware of these regular cash convoys — minister Lázár’s own admission that the seizure was deliberate implies prior knowledge of the pipeline. ANALYSIS: RBI, AUSTRIA, AND THE ARCHITECTURE OF PERMISSIBLE OPACITY RBI’s response to press inquiries was a study in deliberate minimalism. To the Kyiv Post, spokesman Christoph Danz confirmed RBI “operates a long-standing business involving the distribution of banknotes across Europe” while citing Austrian bank secrecy as the barrier to further comment. To Bloomberg, RBI stated its employees were not involved in the convoy — technically distancing Vienna from the physical operation while not denying the contractual relationship. To Telex, it noted it “regularly cooperates with central banks, the relevant authorities, and distributors” and claims to supply “extensive information” about trading volumes and destination countries to authorities. If true, this means Austrian regulators have been briefed on the scale and frequency of these cash runs. The question then is not whether they knew — it is whether they acted. RBI’s compliance record compounds this concern dramatically. The Austrian FMA has fined RBI twice for AML failings, the most recent formal investigation opened in 2024 targeting KYC deficiencies in correspondent banking — precisely the business line covering the Oschadbank contract. William Browder’s Hermitage Capital identified RBI’s predecessor entity as a conduit for $634 million of Magnitsky-linked funds. The OCCRP documented RBI’s role in the Troika Laundromat. These are not peripheral allegations — they constitute a documented pattern of AML permissiveness toward post-Soviet financial flows. The Russia dimension makes the picture even more troubling. While RBI has been publicly obliged by the ECB to wind down its Russian operations — and under threat from the US Treasury of being cut off from dollar clearing — it has simultaneously been profiting in Russia at a rate that outpaced all other Western banks combined. A bank managing a substantial, regular physical cash pipeline into Ukraine while simultaneously running Russia’s largest Western banking operation occupies a unique dual position in the geopolitics of the conflict. It is the financial institution most deeply embedded in both sides of the war. Compliance regulators across the EU should be asking what, precisely, RBI’s role is in the broader movement of war-related financial flows. The political context in Austria cannot be ignored. The Raiffeisen banking network — an interlocking structure of regional cooperative banks that feed up into RBI — has long been described as the financial arm of the ÖVP. Raiffeisen’s regional banks have historically provided preferential financing to ÖVP-aligned businesses and political figures; the BUWOG scandal implicated Raiffeisenlandes bank Oberösterreich in a politically sensitive privatisation deal. This structural entanglement raises a legitimate question: does Austria’s regulatory leniency toward RBI’s AML exposure reflect the independence of the FMA and the WKStA, or the political influence of a bank that is, in effect, co-terminus with the ruling party? Finally, the question of Hungary’s prior knowledge must be addressed. Minister Lázár’s admission that the March 5 seizure was deliberate, combined with Szijjártó’s detailed statistics on prior cash transits, strongly implies that Budapest was not surprised by the convoy — it was waiting for it. If Hungarian authorities had data on volumes and frequency, the question arises whether RBI’s self-reported “extensive information” flows to regulators crossed national intelligence boundaries. Were Hungarian authorities briefed by Austrian counterparts on this pipeline? CONCLUSION RBI is not a passive conduit in this story. As the originating institution of a weekly, multi-hundred-million-euro physical cash pipeline — operating under Austrian bank secrecy, under ongoing AML investigation, and in a bank group structurally entwined with the Austrian government — it is a central compliance actor. The $82 million seized in Budapest is the visible tip of a financial iceberg. The EU’s AML architecture was not designed to be defeated by armoured trucks and bank secrecy law. Austria’s regulators, the ECB, and the European Banking Authority need to answer whether RBI’s banknote distribution business has been subject to the same scrutiny as its Russia operations — and if not, why not. WHISTLEBLOWER APPEAL FinTelegram is seeking insiders with direct knowledge of RBI’s banknote distribution operations, its contractual arrangements with Ukrainian state banks, and its internal AML sign-off processes for these cash shipments. We are also seeking information from current or former employees of Austria’s FMA or WKStA regarding regulatory decisions on RBI’s Eastern European cash flows. Do you have knowledge of the political dimension of Austrian regulatory leniency toward RBI? Do you know who the beneficial owners of these cash convoys ultimately are? Report securely and anonymously via Whistle42 — FinTelegram’s encrypted whistleblower platform. Your information is protected. Share Information via Whistle42

Following our Feb 19, 2026 compliance report on Zentoria Limited and the NovaForge casino network (Robycasino/Spinsy), a whistleblower has provided email documentation indicating that the card billing descriptor “Spinsopotamia.com” is connected to xpate (xpate.com) — a payment services / e-money firm that states it is authorised by the UK Financial Conduct Authority (FCA) as an Electronic Money Institution (EMI). If accurate, this is a meaningful escalation: it suggests the “clean EU/UK-facing descriptor layer” described in our original report may be supported by an FCA-regulated payments perimeter, raising immediate questions around merchant onboarding, gambling exposure controls, card scheme monitoring, and transaction laundering red flags. Key Findings Whistleblower attribution: The whistleblower concluded that the descriptor “Spinsopotamia.com” belongs to xpate and relates to card deposits into Robycasino.com. Xpate Email Communication xpate response (documented): xpate support described xpate as a “payment processing technology provider,” stated it is generally unable to resolve claims directly, and said it “exceptionally forwarded” the matter to the “relevant merchant.” Original structure remains consistent: Our Feb 19 reporting connected Robycasino deposits to the descriptor “Spinsopotamia.com Dublin” and to Zentoria Limited as the Irish-facing entity in the scheme. Regulatory perimeter indicated: xpate’s public disclosures state xpate Ltd is authorised by the FCA (FRN shown on xpate’s site) to issue e-money and provide payment services; and xpate also references an EEA entity (xpate SIA) licensed in Latvia. Compliance Analysis: What This Update Changes In our original report, we described Zentoria Limited as the Trojan Horse payment layer: a seemingly legitimate, EU-anchored merchant identity (Spinsopotamia) used to route deposits for offshore casino brands (e.g., Robycasino) while avoiding bank/card-issuer gambling blocks. Read our reports on Zentoria here. The whistleblower documentation now adds a possible upstream payments node: The whistleblower contacted xpate seeking recovery of funds tied to “Spinsopotamia.com” charges and received a reply indicating xpate forwarded the complaint to the relevant merchant for review. This language is consistent with a scenario where xpate is embedded in the processing chain (e.g., as a PSP, facilitator, or platform providing payment rails/merchant services), while the “merchant of record” (or underlying merchant) is treated as a separate party. Why this matters from a compliance standpoint:If “Spinsopotamia.com” is indeed routed via an FCA-regulated EMI environment, then the expected control set is materially higher: KYC/KYB on the merchant, gambling policy enforcement, monitoring for MCC/descriptor manipulation, chargeback patterns, and high-risk merchant review (especially where the underlying service is unlicensed offshore gambling in multiple jurisdictions). The “Facade Casino” Strategy (Revisited With xpate in the Chain) Acquiring banks and card networks rely heavily on merchant identity signals (descriptor, website, category/MCC, jurisdiction, onboarding narrative) to detect and block illegal or high-risk gambling flows. The method described in our Feb 19 report remains the core pattern: a “front” domain/descriptor (Spinsopotamia) connected behind the scenes to offshore brands (e.g., Robycasino) The whistleblower emails strengthen the hypothesis that the scheme is not “just a domain trick,” but potentially a multi-party payment stack in which a regulated payments firm may be providing services to a merchant entity that is linked to, or used by, the offshore casino network. Read our reports on Novaforge here. How the Bait-and-Switch Works (Operational View) The transaction pattern described by FinTelegram remains the same, now with an added processing hypothesis: A player deposits funds at Robycasino.com. The card charge appears as “Spinsopotamia.com Dublin” on the statement (the “clean” facade). The whistleblower asserts the descriptor belongs to xpate, and xpate’s support acknowledges involvement by escalating the case to the “relevant merchant.” Xpate Email Communication The issuing bank approves a charge that does not obviously present as an offshore casino deposit. This is precisely the compliance blind spot that enables transaction laundering: the bank’s decisioning engine “sees” a benign-looking merchant identity while funds are ultimately used for restricted activity. Evidence Note: What the Whistleblower Documentation Shows Based on the uploaded email thread: The whistleblower lists multiple card transactions in Dec 2025 showing “spinsopotamia.com Dublin” (20–30 EUR amounts) and states the real recipient is Robycasino.com. In a response dated Feb 20, 2026, xpate support states xpate is not the direct provider of the goods/services and advises the cardholder to contact the merchant / card-issuing bank, while noting the complaint was forwarded to the relevant merchant “as an exception.” In a follow-up dated Feb 23, 2026, the whistleblower tells xpate no merchant contact/refund had occurred and urges xpate to take action, referencing FinTelegram’s reporting on Zentoria/NovaForge. This documentation does not by itself prove the full acquiring chain — but it is credible signal evidence that xpate is operationally close enough to the merchant setup to route escalation to the underlying party. Summary Data: Updated Nodes CategoryDetailsSuspected Front DescriptorSpinsopotamia.com / “Spinsopotamia.com Dublin”Irish-Facing Entity (per original report)Zentoria Limited (Ireland)Offshore Casino BrandRobycasino.com (NovaForge network)Newly Identified PSP Node (whistleblower claim)xpate (xpate.com) (Source: Xpate Email Communication)Regulatory Perimeter (public disclosure)xpate states FCA authorisation for xpate Ltd (UK) and an EEA EMI licence for xpate SIA (Latvia). Actionable Compliance Insight For regulators, card schemes, and banking compliance teams, the immediate next steps are straightforward: Merchant KYB review: Identify the legal merchant entity behind “Spinsopotamia.com” and any links to Zentoria Limited and/or NovaForge brands. Descriptor/MCC integrity check: Review whether the merchant category, descriptor, and website content accurately describe the underlying activity (and whether they mask gambling). Chargeback/fraud monitoring: Map chargeback ratios and complaint volumes tied to “Spinsopotamia.com” descriptors. Jurisdictional gambling exposure controls: If underlying activity targets EU/UK consumers without local gambling licences, this should trigger high-risk merchant remediation (restriction/termination) and SAR/STR assessment, depending on the facts and the jurisdiction. Call for Whistleblowers: Help Us Complete the Rail Map FinTelegram is expanding its dossier on Zentoria Limited, the NovaForge casino network, and the newly indicated xpate payment node. If you have: card/bank statements showing Spinsopotamia, Zentoria, Robycasino, or other NovaForge-related descriptors, onboarding emails, checkout screenshots, payment pages, or merchant receipts, insider knowledge of which acquirer/processor is enabling these rails, please submit securely via Whistle42. Share Information via Whistle42

A fresh opinion from the Court of Justice of the EU could materially shift the scam-loss battlefield across Europe. In Case C-70/25 (Tukowiecka), Advocate General Athanasios Rantos proposes that a bank must immediately refund an unauthorised payment once notified—even if the bank believes the customer acted with gross negligence. The bank’s remedy comes after the refund: pursue reimbursement through a separate claim. Key Findings Immediate refund is the rule: PSD2 requires banks to reimburse unauthorised transactions “as a first step.” Gross negligence is not a “refund blocker”: banks cannot refuse reimbursement upfront by alleging the user breached security duties. Only narrow exception flagged: if the bank has good reason to suspect payer fraud, it must report that suspicion to the competent national authority. Refund is not final: after refunding, the bank may seek to shift losses back to the customer if it can prove intentional breach or gross negligence (and may need to sue if the customer refuses). Case context: phishing via a sales platform link led to stolen credentials and an unauthorised payment; the Polish bank refused to refund; District Court in Koszalin asked the CJEU to interpret PSD2. Short Analysis This dispute sits at the heart of PSD2’s consumer-protection design: unauthorised payments are meant to be reversed quickly to prevent victims from financing fraud losses while banks and merchants argue fault. Rantos’ reading of Directive (EU) 2015/2366 (PSD2) treats “immediate reimbursement” as a hard requirement, leaving no room for national carve-outs that effectively turn refund duties into a negligence trial at the complaint desk. Operationally, the opinion pushes banks toward a two-step model: Refund fast (unless there is a documented fraud suspicion reported to authorities), then Litigate or recover later if gross negligence is provable. For compliance teams, the implication is blunt: the “customer was careless” narrative may remain relevant—but not at the refund stage. Expect pressure on banks to tighten real-time fraud detection, strong customer authentication controls, and post-incident evidence collection (device/IP telemetry, authentication logs, social-engineering indicators) to support any later recovery action. Important: Advocate General opinions are not binding; the CJEU will deliberate and issue judgment later. Still, these opinions often preview the direction of travel—and the compliance risk for banks that default to “deny first” practices may rise sharply if the Court follows Rantos. Meta Data Title tag: CJEU AG Rantos: Banks Must Refund Unauthorised Payments Immediately Under PSD2 Meta description: In Case C-70/25 (Tukowiecka), CJEU Advocate General Rantos says banks must refund unauthorised transactions immediately—even where customers were grossly negligent—then pursue recovery separately. Keywords: PSD2, unauthorised transaction, phishing, bank liability, CJEU, Advocate General Rantos, PKO BP, Koszalin Pub date: 2026-03-10 Author: FinTelegram Compliance Desk Tags: PSD2, Banking, Fraud, Phishing, Consumer Protection, CJEU Canonical URL: (set by editor) Image Alt Text Dark forensic compliance graphic: EU court building silhouette with a “REFUND IMMEDIATELY” stamp over a bank app showing an unauthorised transfer, plus a second layer reading “RECOVER LATER (if gross negligence proven)” and PSD2 article markers. Call for Information Have you been denied reimbursement after a phishing scam, APP fraud, SIM-swap, or “authorised push payment” manipulation—especially where a bank blamed “gross negligence”? FinTelegram is gathering EU-wide case patterns. Submit documents, timelines, and bank correspondence securely via Whistle42.com.

Juice.gg is an unlicensed CS2 skin-gambling platform owned and operated by Belize-registered Juice Holdings Ltd. Despite lacking any recognized iGaming license, the platform illegally targets global users, including minors. To circumvent strict European banking blocks and AML checks, the scheme utilizes a dual-entity structure, employing Cyprus-based JuiceGG Entertainment Ltd as its EU payment agent, while heavily relying on a deceptive third-party gift-card payment loop. Key Entity & Compliance Data Data PointDetailsBrand NameJuice.ggOperating Entity (Owner)Juice Holdings LtdEU Payment AgentJuiceGG Entertainment LtdRegistered JurisdictionsBelize (Operator) / Cyprus (Payment Agent)Claimed License(s)None (Unlicensed)Targeted / Illicit MarketsGlobal (including US, UK, and EU)Identified Payment ProcessorsSwapped.com, Kinguin, G2Play (via Gift Cards), Cyprus-based Acquirers, Crypto WalletsFinTelegram Risk Rating RED Export to Sheets Regulatory Framework & Operational Status Juice.gg explicitly states on its website that it is owned and operated by Juice Holdings Ltd, an offshore corporate entity registered in Belize. Crucially, the platform operates entirely outside the regulated iGaming perimeter, failing to hold any recognized gambling license—not even from permissive offshore jurisdictions like Curacao or Anjouan. Despite this lack of authorization, Juice.gg illegally targets players in strictly regulated markets, including the US, UK, and the European Union, without implementing effective geo-blocking or standard KYC/AML protocols. The platform’s reliance on CS2 skin unboxing appeals heavily to underage demographics, severely amplifying its regulatory hazard. To create a facade of European legitimacy and access local banking networks, the Belizean operator explicitly names JuiceGG Entertainment Ltd, registered in Cyprus, as its official EU payment agent. This dual-entity structure is a classic offshore maneuver designed to obscure the flow of illicit gambling funds from regulated financial networks. Payment Rails & Processor Analysis Juice.gg cashier with Swapped.com Because the unlicensed Belizean operator (Juice Holdings Ltd) cannot legally secure direct merchant accounts, Juice.gg employs a bifurcated, highly deceptive payment rail strategy to extract fiat from regulated markets. First, the integration of JuiceGG Entertainment Ltd (Cyprus) as an EU payment agent is a critical compliance red flag. By utilizing this European front company, the offshore operator can plug into the European SEPA network and acquire EU-based payment processing. The Cyprus entity acts as the “merchant of record,” absorbing player fiat deposits and subsequently funneling the funds offshore to Belize. This structural separation deceives European acquiring banks and e-wallets into processing payments for an unlicensed gambling operation under the guise of a legitimate Cyprus-based digital entertainment firm. Second, the platform weaponizes a “gift-card payment loop.” Users are directed to purchase digital Juice.gg vouchers on secondary marketplaces like Kinguin and G2Play using standard fiat methods (Visa, Mastercard, PayPal). The acquiring bank codes these transactions as generic digital goods, successfully bypassing Merchant Category Code (MCC 7995) gambling restrictions. Users then redeem these codes on Juice.gg, effectively laundering fiat into betting credits while destroying the AML audit trail. Furthermore, direct crypto deposits are actively processed without any verified fiat-to-crypto compliance gateways acting as an AML buffer. Third: Because the unlicensed Belizean operator (Juice Holdings Ltd) cannot legally secure direct merchant accounts, Juice.gg employs a highly deceptive, two-step “fake fiat” payment rail to extract funds from regulated markets. During our review, we discovered that the Danish fiat-to-crypto on/off-ramp Swapped.com acts as the sole FIAT payment facilitator for the platform. When a player initiates a fiat deposit, the transaction is routed through Swapped.com’s gateway. In the first step, the player unwittingly purchases USDC stablecoins via their credit card or bank account. Once the fiat transaction clears, the second step is triggered: Swapped.com automatically transfers the newly purchased USDC directly to Juice.gg’s crypto wallets. This structure effectively launders the gambling deposit as a standard retail cryptocurrency purchase, successfully bypassing issuing banks’ Merchant Category Code (MCC 7995) gambling restrictions and obfuscating the AML audit trail. We have prepared a separate, detailed compliance report examining Swapped.com’s specific role and regulatory exposure in this scheme. Read our report on Swapped’s Juicy payment rail here. Compliance Verdict Juice.gg presents an extreme regulatory and AML hazard. By combining a Cyprus-based payment agent scheme (JuiceGG Entertainment Ltd) with fake FIAT deposits via on/off-ramper Swappec.dom, and third-party digital marketplace gift cards, the Belizean operator (Juice Holdings Ltd) has constructed a sophisticated network to systematically bypass global banking blocks. Payment Service Providers, acquiring banks servicing Cyprus, and digital marketplaces like Kinguin are unwittingly acting as financial conduits for unlicensed, potentially underage gambling. Regulators and PSPs must immediately scrutinize transactions linked to this dual-entity structure to close this illicit fiat gateway. Did you deposit funds at Juice.gg? We need your input. To expose the hidden payment processors facilitating offshore gambling, we ask players to share their deposit experiences. Please check your bank or credit card statements: what is the exact merchant name that appears for your deposit? Share your receipts, screenshots, and bank statement descriptors with us securely and anonymously via our Whistleblower system. Share Information via Whistle42.com

The Danish fiat-to-crypto on/off-ramper Swapped (www.swapped.com) is systematically acting as an integrated payment facilitator for illegal offshore gambling schemes. Following our discoveries of Swapped embedded in illicit casinos like Roobet and GamDom, our latest review of the Juice.gg scheme reveals Swapped operating as the platform’s sole FIAT payment processor. By utilizing a deceptive two-step “fake fiat” rail, Swapped funnels European retail funds through its Banking Circle accounts in Munich directly into unlicensed offshore casino wallets, deliberately bypassing standard AML and banking restrictions. Key Findings Systemic Offshore Facilitator: Swapped’s business model appears heavily reliant on servicing the illegal offshore casino segment. It operates as the integrated on-ramper for major unlicensed platforms including Juice, Roobet, and GamDom. The Fake Fiat Rail: Swapped provides a two-step “Buy Crypto” disguise. Players deposit fiat (e.g., EUR) via credit card, SEPA bank transfer, or e-wallets to Swapped, which automatically converts the funds to USDC and forwards them instantly to the casino’s wallet. Banking Circle Connection: SEPA bank transfers funding these offshore casino deposits are routed directly to Swapped’s corporate account at Banking Circle in Munich—a banking partner frequently appearing in high-risk fiat rails. Algorithmic Symbiosis: Traffic data confirms a deep integration between the ramper and the casino. In February 2026, the unlicensed casino Juice.gg was the third-largest referring website to the widget.swapped.com payment portal, accounting for nearly 15.7% of its total traffic. Opaque Compliance: Swapped’s Legal & Compliance team ignored FinTelegram’s requests for a statement regarding their involvement in the Juice.gg scheme. Key Entity & Compliance Data Data PointDetailsBrand NameSwapped(prev. Bitinvestor)Primary Domainwww.swapped.com (widget.swapped.com)Legal EntitiesSwapped ApS (Denmark)Swapped ASP NUF (Norway)Swappedcom Inc. (US), FinCEN (MSB Registration Number: 31000300023305)Key ExecutiveThomas Franklin (CEO & Founder)Registered JurisdictionDenmarkKnown Illicit Merchant ConnectionsJuice.gg, Roobet, GamDomIdentified Banking PartnerBanking Circle (Munich, Germany)FinTelegram Risk Rating REDRatEx42 Risk Signal RED (high risk) Export to Sheets Compliance Analysis: Swapped’s Activities and the Juice.gg Payment Rails The Danish tech firm Swapped markets itself as a frictionless platform to buy and sell digital assets. However, FinTelegram’s ongoing investigations indicate that Swapped has positioned itself as the go-to payment gateway for the illegal offshore gambling sector. We have previously detailed how Swapped circumvents European regulatory perimeters for giants like Roobet and GamDom. Our latest review of the Juice scheme (Juice.gg) confirms this is not an isolated oversight, but a systemic operational model. As noted in our recent FinTelegram compliance report on Juice.gg, the platform is operated by the Belize-registered Juice Holdings Ltd, utilizing a Cyprus-based payment agent (JuiceGG Entertainment Ltd). Juice deceptively markets itself as offering “no real money gambling,” a claim easily debunked by examining its payment infrastructure. Cryptocurrencies are widely classified as monetary assets, and Juice actively solicits fiat deposits through its integration with Swapped. Read our Juice.gg review here. Juice.gg cashier with Swapped.com As evidenced by our captured screenshots of the Juice cashier, the “CASH” section offers Bank Transfer, Paysafecard, Skrill, Neteller, and RAPID Transfer options—all explicitly labeled as being processed by “SWAPPED” (see screenshot left). When a player initiates a fiat deposit (e.g., a €34.25 Bank Transfer), the Swapped widget takes over. This initiates a highly orchestrated “fake fiat” loop: The Fiat Capture: The player transfers fiat to Swapped to purchase stablecoins (USDC ERC-20). Crucially, our transaction evidence proves that these SEPA deposits are routed to Swapped’s corporate bank account at Banking Circle in Munich. The Auto-Forward: Once the fiat clears Banking Circle, Swapped converts it to USDC and automatically transfers the crypto directly to the Juice casino wallet. This two-step process effectively launders the gambling deposit into a standard retail cryptocurrency purchase. By sitting in the middle, Swapped shields the issuing banks from Merchant Category Code (MCC 7995) triggers, masking the fact that they are funding an unlicensed Belizean gambling operation. The fact that Juice alone drives 15.7% of all referring traffic to Swapped’s widget underscores that illegal gambling is a primary revenue driver for the Danish entity. Read our Swapped.com reports here. Compliance Verdict Swapped represents a critical AML and compliance failure within the European fiat-to-crypto pipeline. By embedding its payment widget into unregulated offshore casinos, Swapped is deliberately acting as a financial buffer, enabling illegal gambling operators to drain fiat from protected European markets. In our view, Banking Circle must urgently audit the transaction volume flowing into Swapped’s Munich accounts, as it is heavily polluted with illicit, miscoded gambling deposits. Swapped’s failure to respond to our compliance inquiries further cements their disregard for regulatory transparency. Call to Action: Whistleblowers Wanted Do you have inside information on Swapped.com? To expose the hidden payment processors facilitating illegal offshore gambling, we need your input. Are you a former employee of Swapped, or do you have insights into their merchant onboarding processes, their relationship with Banking Circle, or their direct API integrations with casinos like Juice, Roobet, and GamDom? Please share your information, documents, or insights securely and anonymously via our Whistleblower system. Share Information via Whistle42

Oro.gg is presented as a non-crypto-only casino offering cards, e-wallet brands, bank transfer and direct crypto deposits. Although it relies on an offshore Anjouan gaming licence, our review indicates EU/UK residents can register and deposit. The main compliance exposure sits in (i) card deposits routed via third-party gateway domains and (ii) a recurring fiat→crypto funding pattern linked to ChainValley, plus direct wallet deposits. SNAPSHOT RISK RATING Risk to PSP/EMI: HighConfidence: Medium-HighRationale: EU/UK access observed + obfuscating fiat→crypto typology + opaque gateway domains. KEY DATA TABLE ItemSummaryCasino brand / domainsOro.gg / www.oro.gg (launched in Summer 2025)Claimed operator & jurisdictionTusitier Ltd (Belize) — Indicated (site claim)Licence claim + verification statusAnjouan Gaming register lists Tusitier Limited with licence ALSI-202505043-FI2 incl. oro.gg — Confirmed.Target markets observedEU/UK residents could register & deposit — Confirmed (review)KYC/age gate indicatorsUnknown (inputs not provided)Deposit methods shownCards; Skrill; RAPID; Neteller; PaysafeCard; Revolut; bank transfer; crypto — Confirmed (review)Card gateways/PSPs observedpayments.dinopower.tech; 3dsgatepath.com — Confirmed (review)OB/bank transfer actors observedRevolut + “bank transfer” offered; underlying payee/IBAN Unknown — Indicated (review)Fiat→crypto / onramp actors observedChainValley (PL) across multiple methods (Skrill/RAPID etc.) — CorroboratedCrypto rails summaryDirect to casino wallet (no visible processor) — Confirmed (review)Top 3 red flagsEU/UK access; gateway opacity; fiat→crypto purpose-obfuscation — Confirmed/CorroboratedEvidence tier + last checked dateMixed; last checked Feb–Mar 2026 (inputs) REGULATORY BASELINE Licence reality: Oro.gg appears under Tusitier Limited in Anjouan Gaming’s public licence register (licence ALSI-202505043-FI2, valid 2025-05-10 to 2026-05-09). Jurisdictional gap: An offshore gaming licence is not an EU/UK gambling authorization framework. Market access: EU/UK onboarding and deposits were possible in your review (Confirmed).This combination creates facilitation exposure for payment intermediaries where local authorisation is absent: PSP/acquirer gambling policy enforcement, AML/CFT monitoring, and consumer protection duties become directly relevant once EU/UK residents can fund play. REGULATORY HOOKS Potential triggers: Unlicensed gambling facilitation exposure (EU/UK access observed) Merchant-of-record / acquirer policy risk (card rails via gateway domains) Transaction-purpose obfuscation (fiat→crypto deposit structure) Layering/rapid pass-through indicators (auto-forward to casino) PAYMENT RAILS MAP Rail A – Cards: oro.gg → payments.dinopower.tech / 3dsgatepath.com → card/3DS routing → casino funding Rail B – Fiat→crypto (“fake fiat”): Skrill/RAPID (+ others) → ChainValley crypto sale → auto-forward to casino Rail C – Direct crypto: player wallet → casino wallet address RAIL-BY-RAIL FINDINGS RAIL A: Credit/Debit Cards — Confirmed Observed flow: oro.gg → payments.dinopower.tech / 3dsgatepath.com → card processing/3DS → casino funding Actors surfaced: gateway domains; legal entities behind them Unknown. Compliance exposure: potential opacity around merchant-of-record, gambling MCC/descriptor integrity, and jurisdictional controls (EU/UK acceptance). Evidence: cashier flow observed in your review (Feb–Mar 2026). RAIL B: Fiat→Crypto via ChainValley + Skrill/RAPID — Corroborated/Confirmed Observed flow: oro.gg cashier method → crypto purchase via ChainValley → crypto auto-forwarded to casino Actors surfaced: Chain Valley Sp. z o.o. (Poland) identified in its Privacy Policy (KRS 0001036419, Warsaw address). Compliance exposure: purpose obfuscation (“crypto purchase” masking gambling funding), possible third-party settlement and rapid pass-through typologies. Evidence: your review + player documents indicating prior Skrill/RAPID deposits via UTRG UAB (utPay). RAIL C: Direct Crypto Deposits — Confirmed Observed flow: player wallet → casino wallet (assets/chains/wallets Unknown). Actors surfaced: casino deposit wallets not provided. Compliance exposure: reduced intermediary visibility; upstream monitoring shifts to on/off-ramps and wallet screening. Evidence: direct wallet deposit behavior observed in review. Read our ChainValley reports here. PROCESSOR & MERCHANT RISK NOTES Gateways likely act as payment routing/3DS endpoints; map merchant-of-record/acquirer behind each domain. ChainValley appears as fiat→crypto bridge; typology is consistent with gambling-adjacent purpose obfuscation. utPay publicly states it has temporarily suspended MiCA crypto-asset services and would resume after Bank of Lithuania authorization, supporting an ecosystem migration pattern. SUMMARIZING COMPLIANCE ASSESSMENT Based on our review and quick public checks, Oro.gg combines offshore licensing with EU/UK-accessible onboarding and a mixed funding stack (card gateways + fiat→crypto conversion + direct wallet deposits). Anjouan Gaming’s register confirms Tusitier Limited holds licence ALSI-202505043-FI2 and lists oro.gg among numerous authorized URLs—suggesting Oro.gg is part of a multi-brand portfolio rather than a standalone site. The observed rails are consistent with reduced transparency over merchant-of-record and transaction purpose and warrant enhanced due diligence, monitoring, and jurisdictional controls by PSPs/EMIs and related providers. EXTERNAL VERIFICATION NOTES Licence register entry found? Y Operator identity corroborated? Y (Tusitier Limited listed) Conflicting licence claims on site? Unknown (not verified from provided page view) Gateway ownership/hosting identified? Unknown Regulator warnings/enforcement found? Unknown RED FLAGS CHECKLIST EU/UK accepted (weak geo-block) Offshore licence not equivalent to EU/UK authorization Merchant descriptor mismatch / third-party beneficiaries (Unknown) OB routed via unrelated domains (Unknown) Fiat→crypto obfuscation pattern (Corroborated) Mirror domains / rotation (Unknown) KYC absent/post-deposit (Unknown) Withdrawal friction/fee demands (Unknown) INDICATORS & SEARCH STRINGS oro.gg, www.oro.gg Tusitier Limited; ALSI-202505043-FI2 payments.dinopower.tech; 3dsgatepath.com chainvalley.pro; “Chain Valley Sp. z o.o.”; KRS 0001036419 utpay / UTRG UAB ACTIONABLE TAKEAWAYS For regulators: trace the controlling entities behind the gateway domains and assess acquiring relationships; review Tusitier Limited’s broader domain portfolio in the Anjouan register for cross-brand patterns.For PSPs/merchants: treat ChainValley-style fiat→crypto funding as a gambling typology requiring EDD; reconcile merchant-of-record and descriptor/MCC integrity for card rails; add monitoring for gateway domains and rapid pass-through behavior. KNOWN UNKNOWNS Unknowns: merchant descriptors; payee/beneficiary/IBAN; KYC timing; withdrawal behavior; crypto assets/chains; wallet addresses. CALL FOR INFORMATION Deposited or attempted withdrawals at Oro.gg? We need evidence to map the rails precisely: bank/card descriptors, receipts, Skrill/RAPID confirmations, beneficiary/IBAN details, Revolut/bank-transfer screens, and any crypto tx hashes + destination wallet addresses. Please include timestamps and screenshots of the cashier flow and any withdrawal communications. Submit confidentially via Whistle42.com (anonymity options available). Share Information via Whistle42

The fiat-to-crypto on-ramp sector is functionally divided into two distinct operational models with vastly different regulatory footprints. In this compliance report, we analyze the regulatory divergence between Ramp Network’s heavily licensed, direct-clearing approach and Onramper’s hands-off aggregator model. We examine their respective RatEx42 risk ratings, explain the licensing disparities, and assess how the EU’s Markets in Crypto-Assets (MiCA) framework will impact their operations moving forward. Key Findings The Aggregator Loophole: Onramper operates purely as a B2B technology layer, legally bypassing direct MSB or VASP licensing requirements by never taking custody of fiat or crypto, earning a ORANGE RatEx42 risk signal due to its indirect routing to high-risk merchants like offshore casinos. The Direct Clearer: Ramp Network acts as a primary financial institution, executing its own KYC/AML, clearing fiat, and settling crypto. This direct accountability necessitates strict global licensing (FCA, FinCEN, EU CASP), earning it a GREEN RatEx42 rating. MiCA’s Regulatory Cleaver: Under the EU’s MiCA regulation, Ramp Network’s newly acquired Crypto Asset Service Provider (CASP) license allows it to passport services seamlessly across 27 member states. Existential Risk for Aggregators: MiCA regulates the “reception and transmission of orders for crypto-assets.” If regulators determine that Onramper’s dynamic routing widget constitutes order transmission rather than a mere IT interface, the aggregator may be forced into the regulatory perimeter. Comparative Compliance Analysis The Two Models: Technology Layer vs. Financial Institution To understand why Onramper can operate globally without a single financial license while Ramp Network spends millions maintaining registrations across the US, UK, and EU, one must look at the mechanics of the transaction. Onramper (The Aggregator): Onramper is legally classified as a software provider. Its core product is a dynamic routing engine—an API and widget that digital wallets or merchants embed into their platforms. When a user buys crypto, Onramper’s algorithm evaluates the user’s location and payment method, then routes the user to a third-party gateway (like Swapped.com or MoonPay). Because Onramper never touches the user’s fiat, never holds the cryptocurrency, and does not conduct the KYC/AML checks, it shifts 100% of the regulatory liability to its underlying partners. However, this lack of direct oversight is exactly why RatEx42 assigns Onramper a ORANGE risk signal. The platform’s dynamic routing is frequently leveraged by high-risk merchants, such as offshore casinos, to seamlessly accept fiat deposits under the radar, muddying the waters of consumer protection. Ramp Network (The Direct Clearer): Conversely, Ramp Network operates as a B2B2C financial institution. When a user interacts with a Ramp Network widget inside a Web3 app, Ramp is the entity verifying the user’s identity (KYC), processing the credit card payment, and executing the crypto transfer from its own liquidity pools. Because Ramp Network handles the flow of funds and data directly, it cannot rely on technology exemptions. It must register as a Money Services Business (MSB) with FinCEN in the US, hold cryptoasset registration with the UK FCA, and maintain EU licenses. This direct control and accountability over the transaction lifecycle earns Ramp Network a GREEN RatEx42 risk signal. The Impact of MiCA on Both Schemes The EU’s Markets in Crypto-Assets (MiCA) framework is fundamentally reshaping this dynamic. For Ramp Network, MiCA is a massive operational advantage. Having secured authorization as a Crypto Asset Service Provider (CASP) from the Central Bank of Ireland, Ramp Network can now “passport” its services across all 27 EU member states. It replaces a fragmented patchwork of national VASP registrations with a single, harmonized rulebook, allowing for compliant, pan-European scaling. For Onramper, MiCA presents a complex challenge. While Onramper claims exemption as a pure IT provider, MiCA explicitly regulates the “reception and transmission of orders for crypto-assets on behalf of clients.” If European regulators classify Onramper’s dynamic routing widget as actively receiving and transmitting retail orders to underlying gateways, Onramper could find itself reclassified as a CASP, instantly requiring licensing, capital reserves, and direct AML obligations. Furthermore, under MiCA’s strict consumer protection rules, aggregators must ensure that every gateway they route EU citizens to is fully MiCA-compliant, drastically shrinking the pool of available regulatory arbitrage. Summary Table: Onramper vs. Ramp Network FeatureOnramper Technologies B.V.Ramp Network (Ramp Swaps)Business ModelB2B Aggregator / Tech LayerB2B2C Direct Fiat/Crypto ProcessorFiat/Crypto CustodyNone (Routed to 3rd parties)Direct handling and settlementKYC / AML ExecutionHandled by partner gatewaysHandled in-house by RampRegulatory LicensesNone (Software provider exemption)UK FCA, US FinCEN MSB, EU CASPMiCA ImpactPotential risk regarding “order transmission” rulesHighly positive; EU passporting enabledRatEx42 Risk Signal ORANGE (Elevated) GREEN (High Confidence)Primary Risk FactorHigh-risk merchant routing (e.g., casinos)External clone scams / Chargebacks Export to Sheets Whistle42 Call to Action The fiat-to-crypto gateway sector is evolving rapidly, and the line between software providers and financial transmitters is blurring. If you have insider information, merchant integration data, or evidence of regulatory circumvention regarding Onramper, Ramp Network, or any other crypto on/off-ramp, we want to hear from you. Help us expose the financial shadows. Submit your evidence anonymously via our Whistle42 secure portal today. Share Information via Whistle42

A recent cross-border investigation by Investigative Europe reveals how high-profile YouTube and Twitch influencers are steering millions of consumers to blacklisted, unlicensed online casinos. Earning up to 60% of their followers’ gambling losses, these influencers operate in a massive regulatory gray area, raising severe compliance, anti-money laundering (AML), and consumer protection concerns. FinTelegram examines the legal liability of these digital promoters and calls on whistleblowers to expose the illicit affiliate networks funding them. Key Findings Affiliate economics appear central: Investigate Europe describes revenue-share and CPA-style schemes where streamers earn per referred player and, per whistleblower documents, sometimes a percentage of losses—a direct incentive to drive high-risk play. Cross-border scale: The investigation identifies influencers in Italy, Portugal, Greece, Poland, Germany, Spain and Sweden promoting casinos “not licensed in Europe,” often with links embedded on-screen, in video descriptions, or comments. Soft2bet gravity: Investigate Europe says many promoted sites “ultimately connect back” to a European gambling tech firm and links this ecosystem to 100+ blacklisted casinos previously reported. “House money” streaming: A whistleblower described “non-withdrawable” balances or funded accounts provided to affiliates, turning livestream gambling into a performance with muted personal downside—while viewers face real loss risk. Regulatory action exists but is uneven: Italy’s AGCOM has sanctioned major platforms for illegal gambling advertising content; separately, national regulators (e.g., Netherlands) have taken action against influencer promotion of illegal operators. Platforms are now in scope (EU): Under the DSA, large platforms have duties around illegal content reporting/handling and systemic risk mitigation—relevant when illegal gambling promotion is persistent and scalable. Compliance & Liability Analysis: Why This is not “Just Marketing” Offshore casinos, unable to legally advertise in strict European jurisdictions, effectively outsource their marketing to influencers and streamers. The tech platforms hosting these streamers are currently shielded by the Digital Services Act (DSA), which exempts them from actively monitoring user-generated content for illegal activity. 1) Influencers as “unregulated affiliates” — but functionally a high-risk outsourcing layer In regulated markets, affiliate marketing is already a known risk surface. Investigate Europe’s evidence suggests illegal operators (or their marketing intermediaries) use creators as a front-end distribution channel: the influencer supplies trust, community, and attention; the operator supplies the product; the affiliate scheme supplies tracking + payout. That looks like a structured acquisition pipeline, not incidental mention. Compliance implication: from a risk perspective, these creators behave like “introducers/affiliates” in other financial-crime typologies—paid traffic brokers who should trigger enhanced scrutiny (KYC of affiliates, audit rights, geo/legal gating, ad library transparency, payment traceability). 2) Criminal/administrative exposure: “advertising unlawful gambling” is a real legal category Jurisdictions differ, but the UK is illustrative: Gambling Act 2005, s.330 makes it an offence to advertise unlawful gambling. While each case depends on facts/jurisdiction, creators who target audiences in a regulated market while promoting unlicensed operators can walk into advertising-offence territory—especially if the promotion is paid and uses tracking links. Practical liability pattern: regulators can pursue (a) the operator, (b) marketing intermediaries/affiliates, and increasingly (c) the distribution nodes (influencers) and sometimes (d) platforms hosting the content—depending on local law and enforcement appetite. 3) Consumer protection + AML: unlicensed casinos are a “controls vacuum” Investigate Europe stresses that unlicensed casinos lack the consumer protections of regulated operators and can put funds at risk. From an AML and harm-prevention lens, the influencer funnel is dangerous precisely because it pushes users into a space with weaker KYC, weaker affordability controls, and weaker dispute resolution. 4) Platform liability and the DSA: “illegal services” at scale are a systemic risk, not a moderation footnote The DSA framework (especially for very large platforms) is designed around scalable harms: reporting mechanisms, transparency, and mitigation of systemic risks. Persistent promotion of unlicensed gambling services to EU users can qualify as illegal services advertising, forcing the question: what did platforms know, and what did they do once notified? Italy’s AGCOM example demonstrates that national authorities are willing to sanction platforms for illegal gambling advertising content targeting domestic audiences. Working hypothesis: Influencers are the “conversion layer” of Europe’s illegal casino economy Hypothesis: In 2024–2026, the illegal casino segment has professionalized its go-to-market strategy. Influencers/streamers are not merely promoters; they are performance-based acquisition partners who (1) launder legitimacy via parasocial trust, (2) convert audiences through “live proof” gambling content, and (3) monetize through affiliate mechanisms that may be economically aligned with player losses. This turns the influencer into a risk-bearing node in the compliance chain—comparable to an unregulated broker in finance: high reach, low oversight, and strong incentives to optimize conversions. Prediction: expect more “two-track enforcement”: regulators target (a) operators and (b) the marketing stack (affiliates, processors, platforms, influencers), because that is the only way to disrupt scale. Call for Information Do you have information about influencers, agencies, affiliate programs, tracking links, payment flows (CPA/rev-share), “house-money” streaming accounts, or platform takedown patterns linked to unlicensed casinos targeting EU/UK users? Send tips (anonymously if needed) via Whistle42.com. Include screenshots, referral URLs, invoices, Telegram/Discord outreach, or payment proofs. Share Information via Whistle42

Kraken is one of the leading US crypto exchanges. It’s banking arm, Kraken Financial, has reportedly secured a limited-purpose Federal Reserve account with access to core payment infrastructure, including Fedwire. If confirmed as implemented as reported, this is a landmark step in the institutional integration of crypto infrastructure into U.S. sovereign payment rails—but it is not the same as full banking parity. Key Findings Historic Access: Kraken Financial, the Wyoming-chartered Special Purpose Depository Institution (SPDI) and subsidiary of Payward, is the first digital asset bank in U.S. history to gain direct access to the U.S. Fed’s payment infrastructure. Direct Fedwire Settlement: The exchange can now move institutional U.S. dollars and settle directly on the Fed’s rails, entirely bypassing third-party correspondent banks. The “Skinny” Account Model: The approval is structured as a limited-purpose, one-year pilot. It does not grant full commercial banking privileges, explicitly excluding access to the Fed’s lending facilities or interest on reserves. Full-Reserve Backing: Crucial to the Fed’s approval is Kraken’s Wyoming SPDI charter, which mandates a strict full-reserve model where liquid assets equal or exceed 100% of client fiat deposits. Regulatory Paradigm Shift: Arriving after five years of intense regulatory scrutiny, this approval underscores a broader macro shift—spurred by the new administration and the legislative momentum of the GENIUS Act—favoring bringing digital assets into the regulated financial mainstream. Analysis: Integrating the Crypto Scene into TradFi From a financial analysis standpoint, Kraken’s acquisition of a Federal Reserve master account is not just a regulatory victory; it is a structural evolution for the market. Elimination of Counterparty Friction Historically, crypto exchanges have been highly vulnerable to the whims of the traditional banking sector. The phenomenon of “de-risking”—where partner banks abruptly sever ties with crypto firms due to regulatory pressure—has long been a systemic vulnerability. By securing direct access to Fedwire, Kraken immunizes itself against this operational risk. It can now guarantee its institutional clients faster, cheaper, and fundamentally more secure fiat transfers without the bottleneck of a correspondent bank. The Convergence of Sovereign and Digital Rails This development serves as a vital bridge between TradFi and decentralized finance. Direct central bank access lays the groundwork for institutional-grade cash management seamlessly integrated with digital asset custody. Over time, this architecture enables the Holy Grail of institutional crypto trading: atomic settlement between fiat and digital assets. When sovereign U.S. dollars can move at the exact same speed and on parallel institutional rails as tokenized assets, the capital efficiency for market makers and hedge funds increases exponentially. Traditional Banking Pushback The significance of this integration is perhaps best measured by the resistance it is generating from the TradFi establishment. Lobbying groups like the Bank Policy Institute have already expressed concern. Traditional banks view this “skinny” master account framework as a potential Trojan horse, giving fintech and crypto firms the core utility of the banking system (payment routing) without the equivalent capital requirements and regulatory burdens of a traditional depository institution. Ultimately, Kraken’s master account is a pilot program that will serve as the stress-test for the future. If successful, it paves the way for crypto infrastructure to mature permanently into core financial infrastructure. Actionable Insight For compliance analysts, investors, and institutional counterparties, the key diligence question is no longer just “Does a crypto firm have banking partners?” but: What level of direct payment-rail access does its regulated entity actually have, under what restrictions, for how long, and for which client segments?This will become a core differentiator in crypto market-structure risk assessments. Call for Information FinTelegram invites bankers, payment specialists, former regulators, and institutional treasury professionals with insight into Fed account access structures, payment-rail restrictions, or crypto-bank onboarding controls to share information securely via Whistle42.com. Confidential submissions can help assess whether this is a one-off exception, a pilot model, or the start of a broader structural shift. Share Information via Whistle42

A fresh Thursday test of LuckyWins’ “Playback Thursday” promotion shows the same core compliance pattern seen across offshore casino networks: jurisdictionally weak gambling licensing claims, domain mutation/redirect tactics, and payment rails that touch regulated EU/UK payment infrastructure. LuckyWins (operated by Costa Rica-based Novatrix SRL) presents a Tobique Gaming Commission licence, but this does not constitute local authorisation to offer gambling services in Europe, Great Britain, or most North American jurisdictions. Key Findings Unlicensed Operations & Domain Mutation: Operated by Costa Rica-registered Novatrix SRL, LuckyWins utilizes evasive mirror domains (e.g., www.luckywins2.com) and relies on the “Tobique Gaming Commission”—a self-regulatory body with zero legal authority in the UK, EU, or North America. Open Banking Abuse: LuckyWins exploits open banking rails via the unlicensed Bulgarian FinTech Contiant and the Lithuanian EMI Yapily Connect UAB, directly initiating payments from European banks like Revolut to the unlicensed offshore merchant. The “Fake FIAT” Crypto Pipeline: Traditional bank transfers are disguised using the Polish VASP ChainValley (the successor to the suspended utPay). Players execute fiat bank transfers that secretly purchase USDC stablecoins, which are then routed to the casino. Web traffic intelligence indicates that the Luxembourg/UK-regulated PPRO acts as the underlying fiat processor for these ChainValley transactions. Direct EMI Complicity: MiFinity, an e-wallet regulated by the UK FCA and Maltese MFSA, is actively facilitating direct deposits to Novatrix SRL, disregarding the merchant’s lack of regional licensing. Compliance Analysis: The Anatomy of a Shadow Rail 1. The Merchant: Novatrix SRL & The “Tobique” Facade To understand the severity of the payment rail violations, one must first understand the merchant’s illegality. Novatrix SRL is registered in Costa Rica, a jurisdiction that does not issue traditional, internationally recognized interactive gaming licenses. To project a veneer of legitimacy, LuckyWins displays a crest from the Tobique Gaming Commission (TGC). The TGC is essentially a self-regulatory or sovereign-nation registry based in Canada, holding no regulatory weight, oversight capability, or legal standing in major European markets. Consequently, LuckyWins illegally solicits players in the UK, EU, and North America in direct violation of local gaming and AML laws. The use of constantly rotating mirror domains (like luckywins2.com) is a deliberate tactic to bypass national ISP blacklists. 2. Open Banking Exploits (Contiant & Yapily) Open banking was designed to democratize financial data, but it is increasingly being hijacked for transaction laundering. When a user selects Revolut at the LuckyWins cashier, they are funneled through a multi-hop rail: The Gateway: Traffic hits paywith.contiant.com, operated by an unlicensed Bulgarian FinTech. The Initiator: The API call is passed to Yapily Connect UAB (a licensed EMI in Lithuania). The Settlement: Yapily triggers the deposit via oba.revolut.com, listing the unlicensed Novatrix SRL as the ultimate payee. By using an authorized Payment Initiation Service Provider (PISP) like Yapily, the transaction bypasses the standard risk-scoring mechanisms of the consumer’s bank. Read our Yapily reports here. 3. The “Fake FIAT” Pipeline (ChainValley & PPRO) Web traffic between ChainValley and PPRO suggests close cooperation To circumvent banking blocks on gambling Merchant Category Codes (MCC 7995), offshore casinos are shifting to “Fake FIAT” transactions. At LuckyWins, when a player selects a standard bank transfer, they are routed to app.chainvalley.pro. The ChainValley Pivot: ChainValley Sp. z o.o. is a registered Polish Virtual Asset Service Provider (VASP) that has seamlessly taken over the illicit market share of the recently suspended Lithuanian processor, utPay. The Mechanism: The player believes they are funding a casino account with fiat. In reality, ChainValley uses the player’s funds to execute an immediate crypto purchase (typically USDC stablecoins), which is auto-forwarded to Novatrix SRL’s decentralized wallets. The PPRO Connection: ChainValley cannot process fiat directly without banking partners. Our January web traffic analysis reveals that an overwhelming 88.5% of outgoing link traffic from the ChainValley gateway terminates at PPRO (ppro.com). PPRO, a massive B2B payment infrastructure provider regulated as a Payment Institution in Luxembourg and an EMI in the UK, appears to be the primary fiat engine fueling this Polish crypto-laundering machine. Read our ChainValley reports here. 4. The MiFinity Loophole While open banking and crypto rails rely on technical obfuscation, the presence of MiFinity (mifinity.com, mifinity.mt) is a glaring case of direct compliance failure. Regulated by both the MFSA (Malta) and the FCA (UK), MiFinity allows users to deposit funds directly to Novatrix SRL. Processing payments for an entity that explicitly targets UK and EU consumers without a local license is a direct violation of standard EMI operating conditions. Download the full LuckyWins Compliance Report here. Ecosystem Summary Entity / DomainJurisdictionRegulatory StatusRole in LuckyWins SchemeNovatrix SRL (luckywins.com, luckywins2.com)Costa RicaUnlicensed (Pseudo-license via Tobique GC)The Merchant / Casino OperatorContiant (paywith.contiant.com)BulgariaUnlicensedOpen Banking Aggregator / GatewayYapily Connect UABLithuaniaLicensed EMI (BoL)Payment Initiator (Revolut Open Banking)Chain Valley Sp. z o.o.ChainValley(app.chainvalley.pro)PolandRegistered VASPCrypto On-Ramp / “Fake FIAT” ProcessorPPRO (ppro.com)Lux / UKLicensed PI / EMIFiat Settlement Engine for ChainValleyMiFinity (mifinity.com)Malta / UKLicensed EMI (MFSA / FCA)Direct E-Wallet AcquirerSiti (checkout.siti.ws)UnknownUnknownSecondary SEPA Gateway Export to Sheets Whistle42 Call to Action: Help Us Expose the Network The flow of illegal gambling funds relies on the silent complicity of European compliance departments. FinTelegram is calling on industry insiders to step forward. We are specifically seeking actionable intelligence from: Employees at PPRO: Are your risk committees aware that your infrastructure is powering ChainValley’s “fake FIAT” pipeline for offshore casinos? Insiders at Yapily & MiFinity: Who approved the merchant accounts for the Costa Rican shell company Novatrix SRL? Payment Gateway Developers: Who operates the shadowy checkout.siti.ws and Contiant infrastructures? If you have processing agreements, internal compliance memos, or bank settlement records regarding LuckyWins, ChainValley, or Novatrix SRL, please share them with us. Your identity and security are strictly protected. Submit your tips securely via our whistleblower platform. Share Information via Whistle42

A German offshore-casino player has provided FinTelegram with a detailed account that directly supports our working hypothesis: ChainValley is replacing Lithuania’s suspended utPay/UTRG stack inside casino cashier flows—especially where deposits are branded as Skrill. The player describes a “Skrill payment” that is actually a crypto purchase + wallet transfer, and a refund/KYC workflow where ChainValley support allegedly sent the verification link—suggesting operational continuity behind the scenes. Key Findings (from the player’s email + FinTelegram context) Player-reported switch: Bassbet casino allegedly changed its embedded crypto exchange rail from Utorg/utPay to ChainValley, while continuing to present the flow as a normal “Skrill transfer.” Low-salience disclosure: The player describes a “small tab” in the Skrill corner stating they accept to buy crypto and send it to the stored address—a pattern FinTelegram has already documented in “fake-fiat” deposit flows where consent is minimally disclosed and often pre-ticked. Refund/KYC oddity: In a refund attempt, the player claims Utorg support required identity verification, but the verification link was sent by ChainValley support, which—if evidenced—would be a strong indicator of shared back-office tooling or a transition of operational control. Regulatory pressure backdrop: FinTelegram has reported that UTRG UAB d/b/a utPay suspended all crypto-asset services effective 1 Jan 2026, citing MiCA compliance and awaiting authorization from the Bank of Lithuania. Documented UTORG → ChainValley plumbing: UTORG’s own Terms/website navigation show “Buy Crypto” linking directly to app.chainvalley.pro, which is not a rumor—it’s first-party product routing. Terms vs observed reality: ChainValley’s Terms state users must not use the service for “illegal gambling operations” and list “illegal gambling services” as prohibited. Read our utPay reports here. Analysis & Interpretation 1) The “Skrill disguise” is the compliance trick The email describes the exact structure FinTelegram has been warning about: a casino cashier presents a familiar consumer payment brand (Skrill), but the user is pushed—quietly—into a different legal characterization: a crypto purchase that is then forwarded to a casino wallet. This “relabeling” matters because it can structurally weaken consumer redress and chargeback leverage (“you received the crypto you bought”). FinTelegram documented this pattern in the Legiano case, including a low-salience consent line (“buy crypto and send to the specified address”) and funding via Skrill/Neteller. We were able to confirm the player’s information insofar as we once again found ChainValley in Bassbet’s Skrill payment rail. Compliance implication: If a payment journey is designed so that a player believes they made a “casino deposit” but is legally processed as a “crypto purchase,” that raises immediate consumer protection, AML/KYB, and payment integrity questions—especially in jurisdictions where the underlying gambling offer is unauthorized. Read our ChainValley reports here. 2) The “verification link from ChainValley support” is a potentially critical signal Conceptually, this is exactly the kind of operational detail that breaks a rail case open: If Utorg/utPay refund workflows are being processed via ChainValley tooling (or vice versa), that suggests either shared operations, a migration, or a white-label continuation. ChainValley’s own Terms explicitly describe third-party/white-label access (“Third Parties may… deploy it as a white-label solution”). What we need: The original verification email (headers + full URL), any support ticket IDs, and screenshots of the KYC page branding. 3) Our working hypothesis (updated): ChainValley is the operational successor rail to utPay post-MiCA FinTelegram has reported utPay’s suspension effective 1 Jan 2026. In parallel, FinTelegram’s UTORG/ChainValley migration analysis notes a “Lithuania → Poland” shift and explicitly highlights UTORG’s direct linkage to app.chainvalley.pro. This whistleblower email fits that picture: a casino rail swaps out “Utorg/utPay” for “ChainValley” but keeps the front-end payment UX familiar (Skrill), while the back-end remains a crypto conversion and wallet-forwarding mechanism. Bottom line: this looks less like a new provider entering the market and more like the same rail evolving under regulatory pressure. Summary Table NodeBrands / Labels in casino cashierKey domainsLegal entity / jurisdictionRegulatory situation (high-level)Role in the railutPay / UTORG (legacy rail)“utPay” / “Utorg” often appearing behind cashier methodsutpay.io; app.utpay.io; utorg.com; utorg.proUTRG UAB (Lithuania) referenced in FinTelegram coverageFinTelegram reports utPay services suspended effective 1 Jan 2026 pending MiCA authorization.Crypto on-ramp / “fake-fiat” conversion rail into casinosChainValley (replacement rail)“Skrill / Neteller” branded flows leading into crypto purchasechainvalley.pro; app.chainvalley.proChain Valley Sp. z o.o. (Poland)Terms prohibit “illegal gambling operations/services”; positioning as compliant KYC/AML, but casino exposure is repeatedly observed.Crypto purchase + forwarding layer; apparent successor to utPay in many casino stacksUTORG → ChainValley linkage“Buy Crypto” routingutorg.comUTORG website links “Buy Crypto” to app.chainvalley.proFirst-party linkage visible on UTORG site navigation/terms.Evidence of technical/commercial couplingCasino example (player report)Bassbet cashier (Germany player)(player-provided)Offshore operator (unverified)Player claims casino was unlicensed/unknown to himRail switch (Utorg → ChainValley) while keeping “Skrill” UX What we’re asking players and insiders to send (Whistle42) If you have used Skrill/Neteller deposits at offshore casinos and saw utPay/Utorg replaced by ChainValley, we need evidence: Screenshots of the deposit screen showing Skrill branding + the small disclosure text Order pages (utPay/Utorg/ChainValley “exchange order” pages) Bank/Skrill statements showing descriptors, timestamps, and reference IDs Wallet transfer evidence (USDC/USDT tx hash, destination wallet, screenshots) Support emails (especially the claimed KYC/verification link sent by ChainValley support) Submit securely via Whistle42. This is the fastest way to map the true merchant-of-record chain and identify which regulated entities (and upstream partners) are enabling deposits into unauthorized gambling. Share Information via Whistle42

FinTelegram has received a whistleblower tip alleging a coordinated network of roughly 40 crypto/investment platforms using Telegram and WhatsApp “mentors” to recruit victims, simulate profits, and then block withdrawals through escalating fee demands. Our initial review found multiple clusters of domains with strikingly similar structures, recycled narratives, and near-identical content—raising serious questions about a centralized operation behind rotating brands. The Whistleblower’s Alert A whistleblower recently contacted FinTelegram, providing an extensive Excel list of approximately 40 crypto trading platforms allegedly operating under the exact same fraudulent structure. According to the informant, these are not isolated cases but rather a highly organized syndicate designed to systematically drain victims’ funds while maintaining continuity through rapid domain changes. Our preliminary checks into platforms on the list—such as Prometheus Investment Alliance, ProfitShock Investment Alliance (link), LEXINOVA Trading Center, and Quantum Vault Trading Center—immediately triggered massive red flags. The websites share near-identical texts, backend structures, and operational behaviors. Key Findings: The Anatomy of a Mass Deception Based on the whistleblower’s data and our initial research, this network operates on a strict, ruthless playbook: Social Engineering via Messengers: Recruitment happens exclusively in private Telegram and WhatsApp groups that disguise themselves as “professional trading communities” or “investment alliances.” The “Mentor” Trap: Fraudsters pose as experienced “analysts” or “professors,” guiding victims through staged trades and urging them to deposit into affiliated platforms. Artificial Dashboards: The platforms project the illusion of high returns. The rapid, artificial profits displayed on internal dashboards are nothing but manipulated numbers designed to build false trust. Escalating Deposits & Extortion: Once initial trust is established, the pressure to deposit more escalates. When victims attempt to withdraw funds, they face sudden hurdles. The Advance Fee Fraud Exit: Withdrawals are blocked until the victim pays arbitrary “verification fees,” “tax obligations,” “compliance deposits,” or “VIP account upgrades.” Even if paid, the funds are never released. SEO Reputation Scrubbing: The network deploys coordinated reputation management, flooding search engines with automated spam pages (e.g., heavily manipulated “B1 Reviews” found on hijacked domains) to bury negative feedback and serve as “proof of legitimacy” in their chat groups. A large sub-group (many web. subdomains) loads the same JavaScript-only shell page with the same fallback text, including “Loading resources” and “Please wait patiently.” Several “Investment Alliance” domains (e.g., ProfitShock, Miqesia, Eramls, Acenix, Searel, Atrish, Scatil) show near-identical page structures and text blocks, including the same menu pattern and “Super Brain Lifeform” language. Analysis & Interpretation: The “Scam-as-a-Service” Model Our research strongly supports the hypothesis that this is a highly organized, heavily industrialized fraud network. The use of dozens of nearly identical websites indicates the deployment of “White Label” scam templates. These platforms act as digital Potemkin Villages. The trading charts, rising candles, and accumulated wealth are entirely fictitious. The “Mentors” act as psychological handlers, utilizing a technique commonly known as “Pig Butchering”—fattening the victim with fake profits and trust over weeks before the final slaughter, where the account is frozen. The most insidious element is their sophisticated use of SEO manipulation. By spamming search results with fake positive reviews and “guides,” the scammers successfully trick novice investors who try to perform due diligence. Furthermore, the constant rotation of branding and domain registrations (from Alliance to Center to Exchange) shows a calculated effort to outrun law enforcement and regulatory warnings. Already, platforms like Prometheus Investment Alliance are surfacing in fraud alerts in Europe, confirming the whistleblower’s urgent warnings. Domains Grouped by Suspected Template Cluster Suspected ClusterIndicative Pattern / NotesDomains (from Excel list)A. JS Loader / Web Subdomain “Exchange Shell” ClusterMany web. subdomains with similar JS-heavy loading screens (“Loading resources / Please wait patiently”), likely front-end shell or gated app entry points.web.pulsesun.com, web.liexs.com, web.beuce.com, web.ksaok.com, web.chobes.org, web.ktrowe.com, web.zeaks.org, web.lexinova.com, web.emeraldwisdom.com, web.hightitan.com, web.duralumen.com, web.qvtcoinese.com, web.wellingtonharborcap.cc, web.aixebit.com, web.yeahchain.comB. “Investment Alliance” Clone ClusterRepeated “Investment Alliance” branding logic, similar navigation/page architecture, near-identical marketing text blocks (including AI/brain/super-intelligence style wording).profitshock.com, miqesia.com, eramls.com, acenix.com, searel.com, atrish.com, scatil.comC. German-Language “Alliance” Variants (Probable Related Family)German-facing alliance sites with overlapping AI/quant/community framing; may be localized variants or adjacent template family.prometheus-alliance.de, tethys-alliance.deD. “Society / Academy / Community” ClusterEducation/community façade with institutional-style branding, AI/finance learning language, rewards/sweepstakes features, “society” naming.boilingpointsociety.com, harborstonesociety.com, oakstonesociety.comE. “Prosperity / Institutional Edition / Rewards” ClusterSimilar “Athena Institutional Edition / Personal Edition” menu logic and “white paper / participation / rewards” style trust framing.goldmanre.com, elitepalace.com, nalera.comF. “LucyAI / AI Trading / Global Markets” Promo ClusterSimilar hero messaging and AI-trading promo copy (“Driving Innovation in Global Financial Markets” / LucyAI-style narratives).eramix.com, mindzo.com, welcomeville.comG. Standalone / Unclear / Needs Deeper ReviewDomains not yet confidently mapped to a cluster from public landing-page checks alone; may be related through backend, payment rails, recruiter scripts, or shared assets.hjccoins.cc, gcgcgc.com, neoster.com, inningz.com, novacollfdn.com (listed twice in Excel), dualheart.com This clustering reflects observable front-end similarities only (design, wording, page structure, and navigation logic). It does not yet prove common ownership or operator identity. FinTelegram’s next investigative steps will focus on recruitment channels (Telegram/WhatsApp), payment instructions, wallet clustering, support contacts, and withdrawal-obstruction scripts to determine whether these domains form a coordinated fraud network. Extended Analysis The most important finding is not merely visual similarity—it is operational similarity at the presentation layer. Several domain groups appear to be built around reusable trust-conversion templates: institutional-sounding names, white-paper references, “academy” or “alliance” branding, rewards framing, and AI-themed language designed to signal sophistication. This matters because rotating domains and re-skinned brands are common risk indicators in organized online investment scams. If one domain becomes exposed, another can replace it while preserving the recruitment funnel, the script, and the psychological onboarding process. The whistleblower’s allegations about coordinated reputation management (e.g., strategically placed positive forum threads used as “proof” inside messaging groups) are also plausible within this framework and deserve deeper evidence-based investigation. At this stage, FinTelegram is not making final attribution to specific beneficial owners or legal entities. However, the website-level similarities are strong enough to justify a public alert and a structured evidence call. The key next step is to connect the front-end brands to payment rails, wallet addresses, Telegram recruiters, and withdrawal obstruction patterns. WARNING: Protect Your Assets If you are currently participating in a WhatsApp or Telegram group where a “mentor” or “analyst” is directing you to trade on an unfamiliar platform—STOP ALL ACTIVITY IMMEDIATELY. Do not deposit any further funds. Under no circumstances should you pay any “taxes,” “compliance fees,” or “withdrawal deposits.” Legitimate financial institutions and exchanges simply deduct necessary fees directly from your account balance; they will never ask you to send fresh crypto to unlock your existing funds. Any demand for an upfront fee is the final stage of the scam. Call to Action: We Need Your Information! The scale of this operation suggests millions of dollars are being laundered through this network. To disrupt this syndicate and help authorities trace the stolen funds, FinTelegram requires more data. If you are an investor, a victim, or even an insider with knowledge of this network, please come forward. We need: Wallet Addresses: Where were you instructed to send your USDT/BTC? Chat Logs & Screenshots: Evidence of the “Mentors,” their phone numbers, and their instructions. New Domain Names: Any new platforms that look or act similarly to the ones mentioned above. Please submit your information, documents, and experiences anonymously via our whistleblower platform, Whistle42. Your information is crucial to mapping this network, issuing targeted warnings, and assisting law enforcement in tracking down the operators behind the curtain. Don’t let them move on to their next victim—report them today. Share Information via Whistle42

The recently released 2025 whistleblower reports from the SEC and CFTC reveal a dramatic decline in both the volume and value of awards granted. As payouts shrink to levels not seen in years, we analyze whether this staggering drop reflects a temporary administrative bottleneck or a fundamental shift in regulatory and compliance priorities under the Trump administration. Key Findings: The 2025 Data at a Glance The fiscal year (FY) 2025 reports submitted to Congress in February 2026 paint a stark picture of the current regulatory landscape for whistleblowers: SEC Payouts Plummet: The SEC awarded roughly $60 million to 48 individual whistleblowers in FY 2025. This is a dramatic drop from the $255 million awarded in FY 2024 and the record-breaking $600 million in FY 2023. CFTC Awards Stagnate: The CFTC approved only two whistleblower awards totaling $4.6 million in FY 2025. In FY 2024, the agency awarded $42 million to 12 whistleblowers. Record Tips vs. Record Denials: Despite the drop in awards, the SEC received approximately 27,000 tips (an 8% increase year-over-year). Conversely, the SEC issued over 120 award denials, reaching a denial rate that spiked above 80% at points during the year. Headcount and Resource Cuts: The SEC experienced a reported 17% reduction in enforcement headcount, leading to consolidated field offices and disbanded enforcement units. Shadow Pipeline: The SEC’s 2025 Agency Financial Report set aside between $218 million and $655 million in “probable contingent liabilities” for future awards, indicating that while payouts have stalled, the financial footprint of the program remains active on the balance sheet. Comparative Analysis: A System Under Strain The juxtaposition of FY 2025 against the previous two fiscal years reveals a jarring disconnect. Historically, the SEC and CFTC whistleblower programs have been force multipliers for regulators. Between 2020 and 2024, the SEC accrued $1.8 billion in awards, with the program widely praised for detecting complex, well-hidden fraud. In 2025, however, the conversion rate from “tip” to “award” crashed. Prominent voices in the whistleblower advocacy space have expressed deep concern over this trend. Stephen M. Kohn, Chairman of the U.S. National Whistleblower Center, stated bluntly that the CFTC’s program is “in crisis,” noting that the failure to process cases and pay awards undermines the intent of the Dodd-Frank Act. Conversely, legal analysts like Dave Jochnowitz of Outten & Golden suggest that the program’s massive contingent liabilities prove its financial impact extends beyond a single year’s announcements. He argues that regulators are simply being “forced to do more with less” amid staffing cuts, leading to a severe processing bottleneck rather than a dismantling of the program. Interpretive Working Hypothesis The Hypothesis: The significant decline in whistleblower awards in FY 2025 is a sign that compliance and whistleblower programs have become less important under the Trump administration. Testing and Validation: Validating this hypothesis requires separating administrative realities from policy directives. Evidence Supporting the Hypothesis: The sheer magnitude of the drop—SEC awards falling by nearly 75% and CFTC awards by almost 90%—is impossible to ignore. Combined with a 17% reduction in SEC enforcement headcount and the disbanding of specific enforcement units, there is a clear shift toward a leaner, more conservative regulatory framework. The record number of claim denials also points to a significantly stricter application of award criteria. Evidence Countering the Hypothesis: The decline in payouts does not necessarily equate to a lack of importance. The SEC has earmarked up to $655 million for future whistleblower liabilities, suggesting that the money is waiting in the pipeline, delayed by a lack of manpower rather than a lack of intent. Furthermore, a portion of the backlog is attributed to an influx of frivolous tips (in FY 2024, over 14,000 tips came from just two individuals), which drains resources and inflates denial rates. Conclusion: The hypothesis is partially validated. The new administration’s approach explicitly favors leaner regulatory bodies and a reduction in enforcement headcount, which has consequentially crippled the efficiency and output of the whistleblower programs. However, it is premature to conclude that the programs themselves are being intentionally dismantled. The reality is a severe administrative bottleneck: regulators are strictly scrutinizing claims and processing them slower, reflecting a shift toward conservative enforcement rather than outright abandonment. Call to Action: Secure Your Voice with Whistle42 If regulatory bottlenecks and strict denial rates are discouraging you from exposing corporate fraud, you do not have to rely solely on federal channels to protect market integrity. Your insider knowledge is crucial. We urge whistleblowers, insiders, and compliance officers to report financial misconduct, crypto scams, and compliance violations directly to FinTelegram. Submit your evidence securely and anonymously via our Whistle42 whistleblower platform. Together, we can ensure that bad actors are exposed, regardless of bureaucratic slowdowns. Share Information via Whistle42

The world’s largest crypto exchange Binance is facing a fresh U.S. political and compliance challenge after U.S. Senator Richard Blumenthal (Ranking Member, Senate PSI) launched a formal inquiry into allegations that the exchange facilitated large-scale Iran-linked and Russia “shadow fleet” transactions. The move reopens the core question of whether Binance’s post-2023 remediation is substantive—or merely performative. Key Points Sen. Richard Blumenthal opened a preliminary PSI inquiry and demanded records from Binance by March 6, 2026. The inquiry cites reporting alleging roughly $1.7 billion in transfers linked to Iranian entities and connections to Russia’s sanctions-evading oil trade. Blumenthal’s letter specifically requests records concerning Hexa Whale, Blessed Trust, possible sanctions-evasion activity, and the suspension/dismissal of compliance investigators. Binance publicly rejects key press allegations, says its investigation was structured, claims the accounts were later offboarded, and denies firing staff for compliance reporting. The inquiry lands on top of Binance’s 2023 U.S. criminal/AML/sanctions resolutions, including Treasury/FinCEN/OFAC penalties and a monitorship framework. It also follows the May 2025 SEC dismissal with prejudice of the SEC’s civil lawsuit against Binance. Short Narrative The latest development in the Binance case is not a new enforcement action—yet. It is a document-heavy U.S. Senate inquiry that directly targets Binance’s sanctions controls, escalation culture, and post-settlement compliance credibility. On February 24, 2026, Sen. Richard Blumenthal (D-CT), as Ranking Member of the Senate Permanent Subcommittee on Investigations (PSI), sent a letter to Binance CEO Richard Teng demanding records tied to alleged Iran- and Russia-linked illicit flows on Binance, including records on Hexa Whale and Blessed Trust, sanctions-evasion typologies, and personnel decisions involving internal investigators. The letter sets a response deadline of March 6, 2026. This matters because the allegations—if substantiated—go to the heart of Binance’s obligations under the 2023 U.S. resolutions. Treasury’s 2023 announcement described Binance’s failures in AML and sanctions controls as historic, imposed massive penalties, and required ongoing monitorship and compliance undertakings, with Treasury retaining access and warning of additional penalties for non-compliance. Extended Analysis 1) Why this is a serious compliance event even without a new charge Blumenthal’s move is politically framed, but from a compliance perspective it is highly material. The inquiry requests precisely the evidence categories regulators and prosecutors care about in sanctions/AML matters: internal investigative reports KYC and onboarding decisions VIP treatment decisions internal warnings and policy recommendations management responses employment actions affecting control staff That is effectively a culture-and-controls test. In enforcement practice, failures are often not limited to “bad transactions”; they become “bad governance” when warning signals are documented and then overridden. Blumenthal’s letter explicitly raises that theme. 2) Binance’s defense line: controls, indirect exposure, offboarding, confidentiality Binance has responded publicly with a detailed compliance blog post arguing that the reporting is incomplete and mischaracterized. It says the users were not on sanctions lists at the relevant time, claims the flows did not trigger standard surveillance alerts, states it investigated the matter in mid-2025, mitigated risk, offboarded accounts, and shared information with authorities. Binance also denies retaliatory firing for compliance reporting, saying departures followed data-protection/confidentiality breaches. This is a recognizable defense in crypto compliance disputes: “indirect exposure, no list hit, post-detection mitigation.” The problem is that such a defense can still fail if evidence shows repeated risk escalation, privileged treatment for high-risk counterparties, or suppression of internal control functions. 3) The broader “Binance case” context: fragmented legal risk, persistent sanctions risk A key point for analysts: Binance’s legal exposure is now fragmented. The SEC civil case was dismissed with prejudice in May 2025, but that does not erase Binance’s separate AML/sanctions obligations under the 2023 DOJ/Treasury/CFTC resolutions. In other words, the latest development is not “Binance cleared.” It is the opposite: sanctions and AML risk remain live, and political scrutiny can reactivate pressure even after one litigation track closes. 4) What to watch next The immediate trigger point is Binance’s response (or non-response) to PSI by March 6, 2026. Beyond that, the real compliance questions are: Will U.S. authorities revisit Binance’s remediation adequacy? Will monitorship findings (if any) become a renewed pressure vector? Will counterparties, banking partners, and licensed entities increase de-risking around Binance-related flows? These are second-order effects, but in practice they often bite before formal enforcement does. Call for Information If you have first-hand information about Binance’s sanctions controls, offshore intermediary onboarding, VIP handling, or internal compliance escalation practices (including documents, screenshots, policy memos, or correspondence), submit it securely via Whistle42.com. Insider evidence remains critical for verifying whether compliance programs work in practice—or only in public statements. Share Information via Whistle42

BetAlice appears to be operating without visible operator disclosure while remaining accessible across multiple domains despite Italian blackouts on some URLs. Our payment-rail review found a familiar offshore-casino stack: ChainValley behind cashier-branded methods (including Skrill/NETELLER labels), and an open-banking route layered through payment-gateway.io → puretransfer.io → mellifera.tech, with Paradis Tech Ltd shown as payee and Yapily/Wise Open Banking references in the flow. Key Findings No transparent operator disclosure was identified on the reviewed BetAlice domains (www.betalice.com, betalice-1110.com), despite active onboarding of users from multiple EU jurisdictions and the UK. Italian blocking/blackout measures appear incomplete or easily bypassed, as alternative BetAlice domains remain reachable. BetAlice offers mainstream rails (cards, bank transfer, PaysafeCard, crypto) typical of offshore casino cashier setups targeting broad retail users. ChainValley (Poland) appears behind cashier methods labeled PaysafeCard, Skrill, NTLR, reinforcing prior indications that ChainValley functions as a successor scheme to the formerly used utPay / UTRG UAB (Lithuania) in offshore-casino payment routing. In December 2025, BetAlice reportedly still showed utPay as processor in parts of the payment flow, suggesting migration overlap or dual-routing during transition. The bank-transfer route is a layered open-banking path:api.payment-gateway.io → checkout.puretransfer.io → pay.clx.acq.mellifera.tech (Yapily method) → Wise Open Banking endpoints. Paradis Tech Ltd appears as the payee in the open-banking flow. The Mellifera payment pop-up (terms/privacy) identifies Mellifera Kartiera Limited (Malta) as operator and references kartiera.eu and claimed MFSA EMI regulation (per your captured disclosures). The Mellifera gateway UI references Yapily as payment method, but the current operational role split between Mellifera and Yapily requires further verification (technology provider vs. active PISP routing vs. legacy label). Prior Puretransfer analysis and Jan 2026 traffic signals indicate a tight Puretransfer Mellifera linkage, with Mellifera traffic referred via Puretransfer, consistent with a specialized casino-payment funnel. Compliance Analysis 1) Starting Point: Illegal Offer / Unlicensed Gambling Exposure The compliance assessment must begin with the status of BetAlice itself. Based on your test results, BetAlice was accessible and open to registrations from the EU and UK, despite domain blackouts in Italy and without clear operator transparency on the site. For a gambling business targeting or accepting customers in regulated European jurisdictions, missing operator disclosure + cross-border onboarding + domain hopping are strong red flags. That matters because payment facilitators in the chain are not just technical vendors in a vacuum. If they enable deposits for an unlicensed casino scheme that is actively onboarding restricted users, they may create AML, sanctions-screening, gambling-law, and conduct risk exposure—especially where they provide scalable rails such as cards or open banking. Behind Skrill Payment Rail Rapid Transfer, we discovered Novaforge as the payment recipient. In this respect, it is only logical to name Novaforge as the operator of BetAlice. 2) ChainValley Pattern: Continuity After utPay The findings place ChainValley behind multiple cashier labels (PaysafeCard / Rapid / Skrill / NTLR) at BetAlice. This mirrors a pattern seen across offshore-casino cashier environments where front-end payment labels suggest familiar consumer methods, while the actual routing is handled by an intermediary gateway operator. The significance here is the continuity hypothesis: after the suspension of UTRG UAB dba utPay (Lithuania), ChainValley appears to have taken over the same functional niche for offshore casino deposit routing. The fact that utPay still appeared at BetAlice in Dec 2025 strengthens the case for a migration/hand-over period rather than a clean break. 3) Open-Banking Rail: Layering, Obfuscation, and Responsibility Splitting The bank-transfer route you documented is especially important from a compliance perspective because it shows multi-layer gateway orchestration: front/API layer (payment-gateway.io) checkout abstraction (puretransfer.io) acquiring/open-banking routing (mellifera.tech, Yapily-labeled) final bank/Open Banking execution layer (Wise Open Banking references) named payee (Paradis Tech Ltd) This kind of architecture can be legitimate in e-commerce, but in the offshore-casino context it raises the classic question: who is merchant-facing, who is payment-institution-facing, and who performs effective merchant due diligence? Where the end merchant is an unlicensed gambling operator, layered routing can create plausible deniability by fragmentation unless the PSP/EMI/PISP chain applies strong controls (merchant category screening, geofencing enforcement, transaction monitoring, adverse-media triggers, and rapid termination procedures). 4) Mellifera Kartiera (Malta): The evidence indicates that the Mellifera gateway pop-up names Mellifera Kartiera Limited (Malta) and claims EMI regulation by the MFSA (effective 20 Nov 2024). If confirmed, this is highly material because: an EMI-linked open-banking/acquiring interface appearing in an offshore-casino deposit flow raises regulatory perimeter and onboarding-control questions, and the presence of a regulated entity’s terms/privacy in a payment pop-up may increase user trust while the underlying gambling merchant appears unlicensed in target jurisdictions. The key compliance question is not only whether Mellifera is regulated, but what exact service is being provided in this flow: regulated EMI/payment service directly to the merchant, technical gateway/software layer, outsourced/acquiring facilitation, or white-label/legacy integration where labels (e.g., Yapily) remain visible but operational roles changed. 5) Yapily / Wise / Paradis Tech: The captured URL parameters and flow references suggest a Yapily-labeled payment method and Wise Open Banking API interaction, with Paradis Tech Ltd shown as payee. This is precisely the type of setup that requires transaction-level evidence and provider-side clarification: Is Yapily directly serving the merchant chain, or merely referenced in a legacy parameter/UI label? Is Wise’s Open Banking infrastructure being used via a licensed intermediary, and if so, under what merchant acceptance rules? What is the legal/regulated status and role of Paradis Tech Ltd in the fund flow (merchant of record, collection agent, settlement beneficiary, or separate processor)? Paradis Tech’s public site presents it as a “payment solution” provider offering tools to accept payments and manage online business globally, as well as advisory services and fraud‑detection technology. While it does not explicitly market gambling payments, the observation that Wise Open Banking payments show “Paradis Tech Ltd” as the payee indicates that Paradis Tech is acting as a receiving and routing layer, likely as an MSB or similar regulated entity in its home jurisdiction. When such an MSB becomes a named beneficiary for flows that are in fact unlicensed gambling deposits, this raises: UBO/merchant transparency concerns (end‑beneficiary BetAlice is hidden). Potential breaches of scheme/network rules and local gambling/payment regulations. AML/CFT risks, as source of funds and purpose of payments are obfuscated. Summary Table — BetAlice Scheme & Payment Rails (Working Compliance Map) Brand / ComponentDomain / IdentifierLegal Entity (Observed / Suspected)JurisdictionRegulatory Situation (Observed / Claimed)Role in FlowBetAliceCasinowww.betalice.com; betalice-1110.comNovaforgeUnclearAppears unlicensed for UK/EU targeting; Italian blackouts on some domains but accessible via alternativesOffshore casino frontend / merchant originBetAlice (cashier labels)PaysafeCard / Rapid / Skrill / NTLR (cashier options)Routed via ChainValley (per review findings)Poland (ChainValley)Needs deeper verification of licensing/permissions for gambling-related routingDeposit method presentation / routing via gateway layerChainValleychainvalley.pro (dba ChainValley)Chain Valley Sp. z o.o. (reported)PolandPublic positioning and regulatory perimeter require further verification; linked by FinTelegram to offshore-casino routingSuccessor-style payment gateway / processor roleutPay (legacy / overlap)(Previously used in BetAlice flow in Dec 2025)UTRG UAB dba utPayLithuaniaPreviously registered VASP; user notes suspension contextLegacy crypto/payment gateway; possible predecessor to ChainValley routingPayment API layerapi.payment-gateway.ioUnknownUnknownUnknownAPI orchestration layer in bank-transfer routeCheckout gatewaycheckout.puretransfer.ioPuretransfer-related operator (to verify)UnknownRepeatedly observed in offshore-casino gateway context (per prior FT analyses)Checkout / routing intermediaryMellifera gatewaypay.clx.acq.mellifera.techMellifera Kartiera Limited (per pop-up T&Cs/privacy)MaltaClaims MFSA EMI regulation (as stated in gateway materials / kartiera.eu); independent confirmation recommendedOpen-banking/acquiring/payment interface layerKartierakartiera.euMellifera Kartiera LimitedMaltaClaimed regulated EMI status (user-captured disclosure)Corporate / regulated-facing website for MelliferaYapily (method label)paymentMethod=yapily in Mellifera flowYapily entity/entities (to verify involvement)UK/EURole unclear from capture alone (active provider vs legacy method label)Open-banking payment method label / possible integrationWiseOpen Bankingwise.com/openbanking / transferwise.com/openbanking referencesWise group entitiesUK/EURegulated provider(s), but role in this merchant chain requires transaction-level clarificationOpen-banking infrastructure / API layerParadis Tech Ltd (payee)Payee shown in payment flowLikely Paradis Tech (user indicates Canadian MSB hypothesis)Canada (to verify)MSB status and exact entity match require confirmationPayee / settlement beneficiary in bank transfer flow Compliance Takeaway BetAlice is a textbook example of why payment-rail reviews must start with the legality of the merchant. Once the casino itself appears to be an unlicensed, cross-border operator using domain rotation and incomplete blocks, every downstream rail—cards, e-wallet labels, crypto gateways, and especially open-banking chains—becomes a compliance-risk transmission channel. The most important outcome of this review is not a single processor name, but the repeatable architecture: offshore casino frontend branded cashier labels processor/gateway abstraction (ChainValley / Puretransfer) regulated-facing or quasi-regulated payment layer (Mellifera / Yapily-labeled) bank/Open Banking infrastructure (Wise references) payee entity (Paradis Tech Ltd) This architecture should be added to the FinTelegram Rail Atlas as a high-priority pattern for further testing, screenshots, transaction sampling, and provider-right-to-reply outreach. Share Information via Whistle42

Operating deep within the shadow-banking ecosystem, live.virtpay.net acts as a massive funnel for unauthorized offshore casino deposits. Our latest traffic analysis reveals a startling reality: this anonymous gateway processed over 550,000 transactions in just one month, seamlessly routing illicit funds from European consumers directly into mainstream acquiring banks and 3D-Secure networks. Analysis & Context: The Ultimate Layering Machine In the complex world of high-risk payment routing, live.virtpay.net (operating as Virtpay/AgentGlobal) does not merely facilitate transactions; it aggressively mainlines them into the legitimate banking sector. Our Similarweb digital footprint analysis for January indicates over 550,000 visitors hit this anonymous gateway. Given the nature of this checkout page, these “visitors” represent live, real-time payment attempts. Crucially, the traffic exclusively targets highly regulated European and UK markets, actively circumventing local gambling laws and consumer protection frameworks. The Multi-Hop Pipeline: Virtpay is a masterclass in transaction layering. The Inbound Laundromat: Traffic flows into Virtpay from a web of notorious, anonymous high-risk gateways and traffic directors. Over 46% of this traffic originates from the casino industry. The top referring domains acting as feeders include gateway.puretransfer.io, acs.kipmotion.com, engine.ongoingpayments.io, acs.novilyo.com, and checkout.fastpays.org. This indicates Virtpay serves as a crucial “choke point” aggregating volume from multiple shadow PSPs. The Outbound Legitimization: This is where the money is “cleaned.” After scrubbing the casino’s digital footprint, Virtpay passes the transaction directly to legitimate Tier-1 banking infrastructure. The top outgoing destinations are 3D-Secure and acquiring endpoints like 3dsecure.no (Norway), acs.smartpayments.ee (Estonia), nexigroup.com (Italy/EU), acs.revolut.com (UK/EU), and luottokunta.fi (Finland). Domain Ownership and Technical Red Flags: Attribution & Ownership: The ultimate beneficial owners of Virtpay remain hidden behind heavy WHOIS privacy shields. There is just a default hosting web page connected with the domain Virtpay.net. The platform offers zero corporate transparency, lacks a public-facing compliance officer, and provides no verifiable legal entity or operating address on its checkout pages. Registrar & ISP: Like most shadow rails, virtpay.net utilizes privacy-guard registrars and routes its DNS through content delivery networks (like Cloudflare) to mask server IP addresses, preventing direct regulatory intervention. API & Software Footprint: Developer documentation tied to the domain (doc.virtpay.net) references “AgentGlobal API,” suggesting they provide white-label processing solutions for other unauthorized offshore syndicates. Ecosystem Summary DomainDomain DataKnown ConnectionsRolelive.virtpay.netPrivacy Shielded (Registrar/ISP Obscured)Puretransfer, Novilyo, Nexi Group, RevolutHigh-Risk Aggregator / Checkout Choke PointInbound Feedersgateway.puretransfer.io, checkout.fastpays.org, acs.kipmotion.com, engine.ongoingpayments.io, checkout.fastpays.orgUnlicensed Offshore Casinos (>46% traffic)Traffic Directors / Front-End Masking RailsOutbound Settlersnexigroup.com, acs.revolut.com, 3dsecure.noTier-1 Acquiring Banks / 3DS NetworksLegitimate Payment Settlement Export to Sheets Call to Action: Help Us Expose the Virtpay Network FinTelegram is calling on FinTech compliance officers, former employees of European acquiring banks (specifically those linked to Nexi Group or Baltic PSPs), and payment industry insiders to step forward. We need your help to trace the fiat flowing through live.virtpay.net. We are specifically looking for: The Merchant Identification Numbers (MIDs): Which specific MIDs are settling the traffic coming out of Virtpay into Tier-1 networks? The Corporate Shells: Which front companies hold the acquiring accounts for Virtpay? The Beneficial Owners: Who are the operators controlling the “AgentGlobal API” and the virtpay.net domain portfolio? If you have processing agreements, MID lists, or internal emails detailing this network, please share them with us. Your identity and security are strictly protected. Submit your tips securely via our whistleblower platform: Share Information via Whistle42