A recent cross-border investigation by Investigative Europe reveals how high-profile YouTube and Twitch influencers are steering millions of consumers to blacklisted, unlicensed online casinos. Earning up to 60% of their followers’ gambling losses, these influencers operate in a massive regulatory gray area, raising severe compliance, anti-money laundering (AML), and consumer protection concerns. FinTelegram examines the legal liability of these digital promoters and calls on whistleblowers to expose the illicit affiliate networks funding them. Key Findings Affiliate economics appear central: Investigate Europe describes revenue-share and CPA-style schemes where streamers earn per referred player and, per whistleblower documents, sometimes a percentage of losses—a direct incentive to drive high-risk play. Cross-border scale: The investigation identifies influencers in Italy, Portugal, Greece, Poland, Germany, Spain and Sweden promoting casinos “not licensed in Europe,” often with links embedded on-screen, in video descriptions, or comments. Soft2bet gravity: Investigate Europe says many promoted sites “ultimately connect back” to a European gambling tech firm and links this ecosystem to 100+ blacklisted casinos previously reported. “House money” streaming: A whistleblower described “non-withdrawable” balances or funded accounts provided to affiliates, turning livestream gambling into a performance with muted personal downside—while viewers face real loss risk. Regulatory action exists but is uneven: Italy’s AGCOM has sanctioned major platforms for illegal gambling advertising content; separately, national regulators (e.g., Netherlands) have taken action against influencer promotion of illegal operators. Platforms are now in scope (EU): Under the DSA, large platforms have duties around illegal content reporting/handling and systemic risk mitigation—relevant when illegal gambling promotion is persistent and scalable. Compliance & Liability Analysis: Why This is not “Just Marketing” Offshore casinos, unable to legally advertise in strict European jurisdictions, effectively outsource their marketing to influencers and streamers. The tech platforms hosting these streamers are currently shielded by the Digital Services Act (DSA), which exempts them from actively monitoring user-generated content for illegal activity. 1) Influencers as “unregulated affiliates” — but functionally a high-risk outsourcing layer In regulated markets, affiliate marketing is already a known risk surface. Investigate Europe’s evidence suggests illegal operators (or their marketing intermediaries) use creators as a front-end distribution channel: the influencer supplies trust, community, and attention; the operator supplies the product; the affiliate scheme supplies tracking + payout. That looks like a structured acquisition pipeline, not incidental mention. Compliance implication: from a risk perspective, these creators behave like “introducers/affiliates” in other financial-crime typologies—paid traffic brokers who should trigger enhanced scrutiny (KYC of affiliates, audit rights, geo/legal gating, ad library transparency, payment traceability). 2) Criminal/administrative exposure: “advertising unlawful gambling” is a real legal category Jurisdictions differ, but the UK is illustrative: Gambling Act 2005, s.330 makes it an offence to advertise unlawful gambling. While each case depends on facts/jurisdiction, creators who target audiences in a regulated market while promoting unlicensed operators can walk into advertising-offence territory—especially if the promotion is paid and uses tracking links. Practical liability pattern: regulators can pursue (a) the operator, (b) marketing intermediaries/affiliates, and increasingly (c) the distribution nodes (influencers) and sometimes (d) platforms hosting the content—depending on local law and enforcement appetite. 3) Consumer protection + AML: unlicensed casinos are a “controls vacuum” Investigate Europe stresses that unlicensed casinos lack the consumer protections of regulated operators and can put funds at risk. From an AML and harm-prevention lens, the influencer funnel is dangerous precisely because it pushes users into a space with weaker KYC, weaker affordability controls, and weaker dispute resolution. 4) Platform liability and the DSA: “illegal services” at scale are a systemic risk, not a moderation footnote The DSA framework (especially for very large platforms) is designed around scalable harms: reporting mechanisms, transparency, and mitigation of systemic risks. Persistent promotion of unlicensed gambling services to EU users can qualify as illegal services advertising, forcing the question: what did platforms know, and what did they do once notified? Italy’s AGCOM example demonstrates that national authorities are willing to sanction platforms for illegal gambling advertising content targeting domestic audiences. Working hypothesis: Influencers are the “conversion layer” of Europe’s illegal casino economy Hypothesis: In 2024–2026, the illegal casino segment has professionalized its go-to-market strategy. Influencers/streamers are not merely promoters; they are performance-based acquisition partners who (1) launder legitimacy via parasocial trust, (2) convert audiences through “live proof” gambling content, and (3) monetize through affiliate mechanisms that may be economically aligned with player losses. This turns the influencer into a risk-bearing node in the compliance chain—comparable to an unregulated broker in finance: high reach, low oversight, and strong incentives to optimize conversions. Prediction: expect more “two-track enforcement”: regulators target (a) operators and (b) the marketing stack (affiliates, processors, platforms, influencers), because that is the only way to disrupt scale. Call for Information Do you have information about influencers, agencies, affiliate programs, tracking links, payment flows (CPA/rev-share), “house-money” streaming accounts, or platform takedown patterns linked to unlicensed casinos targeting EU/UK users? Send tips (anonymously if needed) via Whistle42.com. Include screenshots, referral URLs, invoices, Telegram/Discord outreach, or payment proofs. Share Information via Whistle42

Kraken is one of the leading US crypto exchanges. It’s banking arm, Kraken Financial, has reportedly secured a limited-purpose Federal Reserve account with access to core payment infrastructure, including Fedwire. If confirmed as implemented as reported, this is a landmark step in the institutional integration of crypto infrastructure into U.S. sovereign payment rails—but it is not the same as full banking parity. Key Findings Historic Access: Kraken Financial, the Wyoming-chartered Special Purpose Depository Institution (SPDI) and subsidiary of Payward, is the first digital asset bank in U.S. history to gain direct access to the U.S. Fed’s payment infrastructure. Direct Fedwire Settlement: The exchange can now move institutional U.S. dollars and settle directly on the Fed’s rails, entirely bypassing third-party correspondent banks. The “Skinny” Account Model: The approval is structured as a limited-purpose, one-year pilot. It does not grant full commercial banking privileges, explicitly excluding access to the Fed’s lending facilities or interest on reserves. Full-Reserve Backing: Crucial to the Fed’s approval is Kraken’s Wyoming SPDI charter, which mandates a strict full-reserve model where liquid assets equal or exceed 100% of client fiat deposits. Regulatory Paradigm Shift: Arriving after five years of intense regulatory scrutiny, this approval underscores a broader macro shift—spurred by the new administration and the legislative momentum of the GENIUS Act—favoring bringing digital assets into the regulated financial mainstream. Analysis: Integrating the Crypto Scene into TradFi From a financial analysis standpoint, Kraken’s acquisition of a Federal Reserve master account is not just a regulatory victory; it is a structural evolution for the market. Elimination of Counterparty Friction Historically, crypto exchanges have been highly vulnerable to the whims of the traditional banking sector. The phenomenon of “de-risking”—where partner banks abruptly sever ties with crypto firms due to regulatory pressure—has long been a systemic vulnerability. By securing direct access to Fedwire, Kraken immunizes itself against this operational risk. It can now guarantee its institutional clients faster, cheaper, and fundamentally more secure fiat transfers without the bottleneck of a correspondent bank. The Convergence of Sovereign and Digital Rails This development serves as a vital bridge between TradFi and decentralized finance. Direct central bank access lays the groundwork for institutional-grade cash management seamlessly integrated with digital asset custody. Over time, this architecture enables the Holy Grail of institutional crypto trading: atomic settlement between fiat and digital assets. When sovereign U.S. dollars can move at the exact same speed and on parallel institutional rails as tokenized assets, the capital efficiency for market makers and hedge funds increases exponentially. Traditional Banking Pushback The significance of this integration is perhaps best measured by the resistance it is generating from the TradFi establishment. Lobbying groups like the Bank Policy Institute have already expressed concern. Traditional banks view this “skinny” master account framework as a potential Trojan horse, giving fintech and crypto firms the core utility of the banking system (payment routing) without the equivalent capital requirements and regulatory burdens of a traditional depository institution. Ultimately, Kraken’s master account is a pilot program that will serve as the stress-test for the future. If successful, it paves the way for crypto infrastructure to mature permanently into core financial infrastructure. Actionable Insight For compliance analysts, investors, and institutional counterparties, the key diligence question is no longer just “Does a crypto firm have banking partners?” but: What level of direct payment-rail access does its regulated entity actually have, under what restrictions, for how long, and for which client segments?This will become a core differentiator in crypto market-structure risk assessments. Call for Information FinTelegram invites bankers, payment specialists, former regulators, and institutional treasury professionals with insight into Fed account access structures, payment-rail restrictions, or crypto-bank onboarding controls to share information securely via Whistle42.com. Confidential submissions can help assess whether this is a one-off exception, a pilot model, or the start of a broader structural shift. Share Information via Whistle42

A fresh Thursday test of LuckyWins’ “Playback Thursday” promotion shows the same core compliance pattern seen across offshore casino networks: jurisdictionally weak gambling licensing claims, domain mutation/redirect tactics, and payment rails that touch regulated EU/UK payment infrastructure. LuckyWins (operated by Costa Rica-based Novatrix SRL) presents a Tobique Gaming Commission licence, but this does not constitute local authorisation to offer gambling services in Europe, Great Britain, or most North American jurisdictions. Key Findings Unlicensed Operations & Domain Mutation: Operated by Costa Rica-registered Novatrix SRL, LuckyWins utilizes evasive mirror domains (e.g., www.luckywins2.com) and relies on the “Tobique Gaming Commission”—a self-regulatory body with zero legal authority in the UK, EU, or North America. Open Banking Abuse: LuckyWins exploits open banking rails via the unlicensed Bulgarian FinTech Contiant and the Lithuanian EMI Yapily Connect UAB, directly initiating payments from European banks like Revolut to the unlicensed offshore merchant. The “Fake FIAT” Crypto Pipeline: Traditional bank transfers are disguised using the Polish VASP ChainValley (the successor to the suspended utPay). Players execute fiat bank transfers that secretly purchase USDC stablecoins, which are then routed to the casino. Web traffic intelligence indicates that the Luxembourg/UK-regulated PPRO acts as the underlying fiat processor for these ChainValley transactions. Direct EMI Complicity: MiFinity, an e-wallet regulated by the UK FCA and Maltese MFSA, is actively facilitating direct deposits to Novatrix SRL, disregarding the merchant’s lack of regional licensing. Compliance Analysis: The Anatomy of a Shadow Rail 1. The Merchant: Novatrix SRL & The “Tobique” Facade To understand the severity of the payment rail violations, one must first understand the merchant’s illegality. Novatrix SRL is registered in Costa Rica, a jurisdiction that does not issue traditional, internationally recognized interactive gaming licenses. To project a veneer of legitimacy, LuckyWins displays a crest from the Tobique Gaming Commission (TGC). The TGC is essentially a self-regulatory or sovereign-nation registry based in Canada, holding no regulatory weight, oversight capability, or legal standing in major European markets. Consequently, LuckyWins illegally solicits players in the UK, EU, and North America in direct violation of local gaming and AML laws. The use of constantly rotating mirror domains (like luckywins2.com) is a deliberate tactic to bypass national ISP blacklists. 2. Open Banking Exploits (Contiant & Yapily) Open banking was designed to democratize financial data, but it is increasingly being hijacked for transaction laundering. When a user selects Revolut at the LuckyWins cashier, they are funneled through a multi-hop rail: The Gateway: Traffic hits paywith.contiant.com, operated by an unlicensed Bulgarian FinTech. The Initiator: The API call is passed to Yapily Connect UAB (a licensed EMI in Lithuania). The Settlement: Yapily triggers the deposit via oba.revolut.com, listing the unlicensed Novatrix SRL as the ultimate payee. By using an authorized Payment Initiation Service Provider (PISP) like Yapily, the transaction bypasses the standard risk-scoring mechanisms of the consumer’s bank. Read our Yapily reports here. 3. The “Fake FIAT” Pipeline (ChainValley & PPRO) Web traffic between ChainValley and PPRO suggests close cooperation To circumvent banking blocks on gambling Merchant Category Codes (MCC 7995), offshore casinos are shifting to “Fake FIAT” transactions. At LuckyWins, when a player selects a standard bank transfer, they are routed to app.chainvalley.pro. The ChainValley Pivot: ChainValley Sp. z o.o. is a registered Polish Virtual Asset Service Provider (VASP) that has seamlessly taken over the illicit market share of the recently suspended Lithuanian processor, utPay. The Mechanism: The player believes they are funding a casino account with fiat. In reality, ChainValley uses the player’s funds to execute an immediate crypto purchase (typically USDC stablecoins), which is auto-forwarded to Novatrix SRL’s decentralized wallets. The PPRO Connection: ChainValley cannot process fiat directly without banking partners. Our January web traffic analysis reveals that an overwhelming 88.5% of outgoing link traffic from the ChainValley gateway terminates at PPRO (ppro.com). PPRO, a massive B2B payment infrastructure provider regulated as a Payment Institution in Luxembourg and an EMI in the UK, appears to be the primary fiat engine fueling this Polish crypto-laundering machine. Read our ChainValley reports here. 4. The MiFinity Loophole While open banking and crypto rails rely on technical obfuscation, the presence of MiFinity (mifinity.com, mifinity.mt) is a glaring case of direct compliance failure. Regulated by both the MFSA (Malta) and the FCA (UK), MiFinity allows users to deposit funds directly to Novatrix SRL. Processing payments for an entity that explicitly targets UK and EU consumers without a local license is a direct violation of standard EMI operating conditions. Download the full LuckyWins Compliance Report here. Ecosystem Summary Entity / DomainJurisdictionRegulatory StatusRole in LuckyWins SchemeNovatrix SRL (luckywins.com, luckywins2.com)Costa RicaUnlicensed (Pseudo-license via Tobique GC)The Merchant / Casino OperatorContiant (paywith.contiant.com)BulgariaUnlicensedOpen Banking Aggregator / GatewayYapily Connect UABLithuaniaLicensed EMI (BoL)Payment Initiator (Revolut Open Banking)Chain Valley Sp. z o.o.ChainValley(app.chainvalley.pro)PolandRegistered VASPCrypto On-Ramp / “Fake FIAT” ProcessorPPRO (ppro.com)Lux / UKLicensed PI / EMIFiat Settlement Engine for ChainValleyMiFinity (mifinity.com)Malta / UKLicensed EMI (MFSA / FCA)Direct E-Wallet AcquirerSiti (checkout.siti.ws)UnknownUnknownSecondary SEPA Gateway Export to Sheets Whistle42 Call to Action: Help Us Expose the Network The flow of illegal gambling funds relies on the silent complicity of European compliance departments. FinTelegram is calling on industry insiders to step forward. We are specifically seeking actionable intelligence from: Employees at PPRO: Are your risk committees aware that your infrastructure is powering ChainValley’s “fake FIAT” pipeline for offshore casinos? Insiders at Yapily & MiFinity: Who approved the merchant accounts for the Costa Rican shell company Novatrix SRL? Payment Gateway Developers: Who operates the shadowy checkout.siti.ws and Contiant infrastructures? If you have processing agreements, internal compliance memos, or bank settlement records regarding LuckyWins, ChainValley, or Novatrix SRL, please share them with us. Your identity and security are strictly protected. Submit your tips securely via our whistleblower platform. Share Information via Whistle42

A German offshore-casino player has provided FinTelegram with a detailed account that directly supports our working hypothesis: ChainValley is replacing Lithuania’s suspended utPay/UTRG stack inside casino cashier flows—especially where deposits are branded as Skrill. The player describes a “Skrill payment” that is actually a crypto purchase + wallet transfer, and a refund/KYC workflow where ChainValley support allegedly sent the verification link—suggesting operational continuity behind the scenes. Key Findings (from the player’s email + FinTelegram context) Player-reported switch: Bassbet casino allegedly changed its embedded crypto exchange rail from Utorg/utPay to ChainValley, while continuing to present the flow as a normal “Skrill transfer.” Low-salience disclosure: The player describes a “small tab” in the Skrill corner stating they accept to buy crypto and send it to the stored address—a pattern FinTelegram has already documented in “fake-fiat” deposit flows where consent is minimally disclosed and often pre-ticked. Refund/KYC oddity: In a refund attempt, the player claims Utorg support required identity verification, but the verification link was sent by ChainValley support, which—if evidenced—would be a strong indicator of shared back-office tooling or a transition of operational control. Regulatory pressure backdrop: FinTelegram has reported that UTRG UAB d/b/a utPay suspended all crypto-asset services effective 1 Jan 2026, citing MiCA compliance and awaiting authorization from the Bank of Lithuania. Documented UTORG → ChainValley plumbing: UTORG’s own Terms/website navigation show “Buy Crypto” linking directly to app.chainvalley.pro, which is not a rumor—it’s first-party product routing. Terms vs observed reality: ChainValley’s Terms state users must not use the service for “illegal gambling operations” and list “illegal gambling services” as prohibited. Read our utPay reports here. Analysis & Interpretation 1) The “Skrill disguise” is the compliance trick The email describes the exact structure FinTelegram has been warning about: a casino cashier presents a familiar consumer payment brand (Skrill), but the user is pushed—quietly—into a different legal characterization: a crypto purchase that is then forwarded to a casino wallet. This “relabeling” matters because it can structurally weaken consumer redress and chargeback leverage (“you received the crypto you bought”). FinTelegram documented this pattern in the Legiano case, including a low-salience consent line (“buy crypto and send to the specified address”) and funding via Skrill/Neteller. We were able to confirm the player’s information insofar as we once again found ChainValley in Bassbet’s Skrill payment rail. Compliance implication: If a payment journey is designed so that a player believes they made a “casino deposit” but is legally processed as a “crypto purchase,” that raises immediate consumer protection, AML/KYB, and payment integrity questions—especially in jurisdictions where the underlying gambling offer is unauthorized. Read our ChainValley reports here. 2) The “verification link from ChainValley support” is a potentially critical signal Conceptually, this is exactly the kind of operational detail that breaks a rail case open: If Utorg/utPay refund workflows are being processed via ChainValley tooling (or vice versa), that suggests either shared operations, a migration, or a white-label continuation. ChainValley’s own Terms explicitly describe third-party/white-label access (“Third Parties may… deploy it as a white-label solution”). What we need: The original verification email (headers + full URL), any support ticket IDs, and screenshots of the KYC page branding. 3) Our working hypothesis (updated): ChainValley is the operational successor rail to utPay post-MiCA FinTelegram has reported utPay’s suspension effective 1 Jan 2026. In parallel, FinTelegram’s UTORG/ChainValley migration analysis notes a “Lithuania → Poland” shift and explicitly highlights UTORG’s direct linkage to app.chainvalley.pro. This whistleblower email fits that picture: a casino rail swaps out “Utorg/utPay” for “ChainValley” but keeps the front-end payment UX familiar (Skrill), while the back-end remains a crypto conversion and wallet-forwarding mechanism. Bottom line: this looks less like a new provider entering the market and more like the same rail evolving under regulatory pressure. Summary Table NodeBrands / Labels in casino cashierKey domainsLegal entity / jurisdictionRegulatory situation (high-level)Role in the railutPay / UTORG (legacy rail)“utPay” / “Utorg” often appearing behind cashier methodsutpay.io; app.utpay.io; utorg.com; utorg.proUTRG UAB (Lithuania) referenced in FinTelegram coverageFinTelegram reports utPay services suspended effective 1 Jan 2026 pending MiCA authorization.Crypto on-ramp / “fake-fiat” conversion rail into casinosChainValley (replacement rail)“Skrill / Neteller” branded flows leading into crypto purchasechainvalley.pro; app.chainvalley.proChain Valley Sp. z o.o. (Poland)Terms prohibit “illegal gambling operations/services”; positioning as compliant KYC/AML, but casino exposure is repeatedly observed.Crypto purchase + forwarding layer; apparent successor to utPay in many casino stacksUTORG → ChainValley linkage“Buy Crypto” routingutorg.comUTORG website links “Buy Crypto” to app.chainvalley.proFirst-party linkage visible on UTORG site navigation/terms.Evidence of technical/commercial couplingCasino example (player report)Bassbet cashier (Germany player)(player-provided)Offshore operator (unverified)Player claims casino was unlicensed/unknown to himRail switch (Utorg → ChainValley) while keeping “Skrill” UX What we’re asking players and insiders to send (Whistle42) If you have used Skrill/Neteller deposits at offshore casinos and saw utPay/Utorg replaced by ChainValley, we need evidence: Screenshots of the deposit screen showing Skrill branding + the small disclosure text Order pages (utPay/Utorg/ChainValley “exchange order” pages) Bank/Skrill statements showing descriptors, timestamps, and reference IDs Wallet transfer evidence (USDC/USDT tx hash, destination wallet, screenshots) Support emails (especially the claimed KYC/verification link sent by ChainValley support) Submit securely via Whistle42. This is the fastest way to map the true merchant-of-record chain and identify which regulated entities (and upstream partners) are enabling deposits into unauthorized gambling. Share Information via Whistle42

FinTelegram has received a whistleblower tip alleging a coordinated network of roughly 40 crypto/investment platforms using Telegram and WhatsApp “mentors” to recruit victims, simulate profits, and then block withdrawals through escalating fee demands. Our initial review found multiple clusters of domains with strikingly similar structures, recycled narratives, and near-identical content—raising serious questions about a centralized operation behind rotating brands. The Whistleblower’s Alert A whistleblower recently contacted FinTelegram, providing an extensive Excel list of approximately 40 crypto trading platforms allegedly operating under the exact same fraudulent structure. According to the informant, these are not isolated cases but rather a highly organized syndicate designed to systematically drain victims’ funds while maintaining continuity through rapid domain changes. Our preliminary checks into platforms on the list—such as Prometheus Investment Alliance, ProfitShock Investment Alliance (link), LEXINOVA Trading Center, and Quantum Vault Trading Center—immediately triggered massive red flags. The websites share near-identical texts, backend structures, and operational behaviors. Key Findings: The Anatomy of a Mass Deception Based on the whistleblower’s data and our initial research, this network operates on a strict, ruthless playbook: Social Engineering via Messengers: Recruitment happens exclusively in private Telegram and WhatsApp groups that disguise themselves as “professional trading communities” or “investment alliances.” The “Mentor” Trap: Fraudsters pose as experienced “analysts” or “professors,” guiding victims through staged trades and urging them to deposit into affiliated platforms. Artificial Dashboards: The platforms project the illusion of high returns. The rapid, artificial profits displayed on internal dashboards are nothing but manipulated numbers designed to build false trust. Escalating Deposits & Extortion: Once initial trust is established, the pressure to deposit more escalates. When victims attempt to withdraw funds, they face sudden hurdles. The Advance Fee Fraud Exit: Withdrawals are blocked until the victim pays arbitrary “verification fees,” “tax obligations,” “compliance deposits,” or “VIP account upgrades.” Even if paid, the funds are never released. SEO Reputation Scrubbing: The network deploys coordinated reputation management, flooding search engines with automated spam pages (e.g., heavily manipulated “B1 Reviews” found on hijacked domains) to bury negative feedback and serve as “proof of legitimacy” in their chat groups. A large sub-group (many web. subdomains) loads the same JavaScript-only shell page with the same fallback text, including “Loading resources” and “Please wait patiently.” Several “Investment Alliance” domains (e.g., ProfitShock, Miqesia, Eramls, Acenix, Searel, Atrish, Scatil) show near-identical page structures and text blocks, including the same menu pattern and “Super Brain Lifeform” language. Analysis & Interpretation: The “Scam-as-a-Service” Model Our research strongly supports the hypothesis that this is a highly organized, heavily industrialized fraud network. The use of dozens of nearly identical websites indicates the deployment of “White Label” scam templates. These platforms act as digital Potemkin Villages. The trading charts, rising candles, and accumulated wealth are entirely fictitious. The “Mentors” act as psychological handlers, utilizing a technique commonly known as “Pig Butchering”—fattening the victim with fake profits and trust over weeks before the final slaughter, where the account is frozen. The most insidious element is their sophisticated use of SEO manipulation. By spamming search results with fake positive reviews and “guides,” the scammers successfully trick novice investors who try to perform due diligence. Furthermore, the constant rotation of branding and domain registrations (from Alliance to Center to Exchange) shows a calculated effort to outrun law enforcement and regulatory warnings. Already, platforms like Prometheus Investment Alliance are surfacing in fraud alerts in Europe, confirming the whistleblower’s urgent warnings. Domains Grouped by Suspected Template Cluster Suspected ClusterIndicative Pattern / NotesDomains (from Excel list)A. JS Loader / Web Subdomain “Exchange Shell” ClusterMany web. subdomains with similar JS-heavy loading screens (“Loading resources / Please wait patiently”), likely front-end shell or gated app entry points.web.pulsesun.com, web.liexs.com, web.beuce.com, web.ksaok.com, web.chobes.org, web.ktrowe.com, web.zeaks.org, web.lexinova.com, web.emeraldwisdom.com, web.hightitan.com, web.duralumen.com, web.qvtcoinese.com, web.wellingtonharborcap.cc, web.aixebit.com, web.yeahchain.comB. “Investment Alliance” Clone ClusterRepeated “Investment Alliance” branding logic, similar navigation/page architecture, near-identical marketing text blocks (including AI/brain/super-intelligence style wording).profitshock.com, miqesia.com, eramls.com, acenix.com, searel.com, atrish.com, scatil.comC. German-Language “Alliance” Variants (Probable Related Family)German-facing alliance sites with overlapping AI/quant/community framing; may be localized variants or adjacent template family.prometheus-alliance.de, tethys-alliance.deD. “Society / Academy / Community” ClusterEducation/community façade with institutional-style branding, AI/finance learning language, rewards/sweepstakes features, “society” naming.boilingpointsociety.com, harborstonesociety.com, oakstonesociety.comE. “Prosperity / Institutional Edition / Rewards” ClusterSimilar “Athena Institutional Edition / Personal Edition” menu logic and “white paper / participation / rewards” style trust framing.goldmanre.com, elitepalace.com, nalera.comF. “LucyAI / AI Trading / Global Markets” Promo ClusterSimilar hero messaging and AI-trading promo copy (“Driving Innovation in Global Financial Markets” / LucyAI-style narratives).eramix.com, mindzo.com, welcomeville.comG. Standalone / Unclear / Needs Deeper ReviewDomains not yet confidently mapped to a cluster from public landing-page checks alone; may be related through backend, payment rails, recruiter scripts, or shared assets.hjccoins.cc, gcgcgc.com, neoster.com, inningz.com, novacollfdn.com (listed twice in Excel), dualheart.com This clustering reflects observable front-end similarities only (design, wording, page structure, and navigation logic). It does not yet prove common ownership or operator identity. FinTelegram’s next investigative steps will focus on recruitment channels (Telegram/WhatsApp), payment instructions, wallet clustering, support contacts, and withdrawal-obstruction scripts to determine whether these domains form a coordinated fraud network. Extended Analysis The most important finding is not merely visual similarity—it is operational similarity at the presentation layer. Several domain groups appear to be built around reusable trust-conversion templates: institutional-sounding names, white-paper references, “academy” or “alliance” branding, rewards framing, and AI-themed language designed to signal sophistication. This matters because rotating domains and re-skinned brands are common risk indicators in organized online investment scams. If one domain becomes exposed, another can replace it while preserving the recruitment funnel, the script, and the psychological onboarding process. The whistleblower’s allegations about coordinated reputation management (e.g., strategically placed positive forum threads used as “proof” inside messaging groups) are also plausible within this framework and deserve deeper evidence-based investigation. At this stage, FinTelegram is not making final attribution to specific beneficial owners or legal entities. However, the website-level similarities are strong enough to justify a public alert and a structured evidence call. The key next step is to connect the front-end brands to payment rails, wallet addresses, Telegram recruiters, and withdrawal obstruction patterns. WARNING: Protect Your Assets If you are currently participating in a WhatsApp or Telegram group where a “mentor” or “analyst” is directing you to trade on an unfamiliar platform—STOP ALL ACTIVITY IMMEDIATELY. Do not deposit any further funds. Under no circumstances should you pay any “taxes,” “compliance fees,” or “withdrawal deposits.” Legitimate financial institutions and exchanges simply deduct necessary fees directly from your account balance; they will never ask you to send fresh crypto to unlock your existing funds. Any demand for an upfront fee is the final stage of the scam. Call to Action: We Need Your Information! The scale of this operation suggests millions of dollars are being laundered through this network. To disrupt this syndicate and help authorities trace the stolen funds, FinTelegram requires more data. If you are an investor, a victim, or even an insider with knowledge of this network, please come forward. We need: Wallet Addresses: Where were you instructed to send your USDT/BTC? Chat Logs & Screenshots: Evidence of the “Mentors,” their phone numbers, and their instructions. New Domain Names: Any new platforms that look or act similarly to the ones mentioned above. Please submit your information, documents, and experiences anonymously via our whistleblower platform, Whistle42. Your information is crucial to mapping this network, issuing targeted warnings, and assisting law enforcement in tracking down the operators behind the curtain. Don’t let them move on to their next victim—report them today. Share Information via Whistle42

The recently released 2025 whistleblower reports from the SEC and CFTC reveal a dramatic decline in both the volume and value of awards granted. As payouts shrink to levels not seen in years, we analyze whether this staggering drop reflects a temporary administrative bottleneck or a fundamental shift in regulatory and compliance priorities under the Trump administration. Key Findings: The 2025 Data at a Glance The fiscal year (FY) 2025 reports submitted to Congress in February 2026 paint a stark picture of the current regulatory landscape for whistleblowers: SEC Payouts Plummet: The SEC awarded roughly $60 million to 48 individual whistleblowers in FY 2025. This is a dramatic drop from the $255 million awarded in FY 2024 and the record-breaking $600 million in FY 2023. CFTC Awards Stagnate: The CFTC approved only two whistleblower awards totaling $4.6 million in FY 2025. In FY 2024, the agency awarded $42 million to 12 whistleblowers. Record Tips vs. Record Denials: Despite the drop in awards, the SEC received approximately 27,000 tips (an 8% increase year-over-year). Conversely, the SEC issued over 120 award denials, reaching a denial rate that spiked above 80% at points during the year. Headcount and Resource Cuts: The SEC experienced a reported 17% reduction in enforcement headcount, leading to consolidated field offices and disbanded enforcement units. Shadow Pipeline: The SEC’s 2025 Agency Financial Report set aside between $218 million and $655 million in “probable contingent liabilities” for future awards, indicating that while payouts have stalled, the financial footprint of the program remains active on the balance sheet. Comparative Analysis: A System Under Strain The juxtaposition of FY 2025 against the previous two fiscal years reveals a jarring disconnect. Historically, the SEC and CFTC whistleblower programs have been force multipliers for regulators. Between 2020 and 2024, the SEC accrued $1.8 billion in awards, with the program widely praised for detecting complex, well-hidden fraud. In 2025, however, the conversion rate from “tip” to “award” crashed. Prominent voices in the whistleblower advocacy space have expressed deep concern over this trend. Stephen M. Kohn, Chairman of the U.S. National Whistleblower Center, stated bluntly that the CFTC’s program is “in crisis,” noting that the failure to process cases and pay awards undermines the intent of the Dodd-Frank Act. Conversely, legal analysts like Dave Jochnowitz of Outten & Golden suggest that the program’s massive contingent liabilities prove its financial impact extends beyond a single year’s announcements. He argues that regulators are simply being “forced to do more with less” amid staffing cuts, leading to a severe processing bottleneck rather than a dismantling of the program. Interpretive Working Hypothesis The Hypothesis: The significant decline in whistleblower awards in FY 2025 is a sign that compliance and whistleblower programs have become less important under the Trump administration. Testing and Validation: Validating this hypothesis requires separating administrative realities from policy directives. Evidence Supporting the Hypothesis: The sheer magnitude of the drop—SEC awards falling by nearly 75% and CFTC awards by almost 90%—is impossible to ignore. Combined with a 17% reduction in SEC enforcement headcount and the disbanding of specific enforcement units, there is a clear shift toward a leaner, more conservative regulatory framework. The record number of claim denials also points to a significantly stricter application of award criteria. Evidence Countering the Hypothesis: The decline in payouts does not necessarily equate to a lack of importance. The SEC has earmarked up to $655 million for future whistleblower liabilities, suggesting that the money is waiting in the pipeline, delayed by a lack of manpower rather than a lack of intent. Furthermore, a portion of the backlog is attributed to an influx of frivolous tips (in FY 2024, over 14,000 tips came from just two individuals), which drains resources and inflates denial rates. Conclusion: The hypothesis is partially validated. The new administration’s approach explicitly favors leaner regulatory bodies and a reduction in enforcement headcount, which has consequentially crippled the efficiency and output of the whistleblower programs. However, it is premature to conclude that the programs themselves are being intentionally dismantled. The reality is a severe administrative bottleneck: regulators are strictly scrutinizing claims and processing them slower, reflecting a shift toward conservative enforcement rather than outright abandonment. Call to Action: Secure Your Voice with Whistle42 If regulatory bottlenecks and strict denial rates are discouraging you from exposing corporate fraud, you do not have to rely solely on federal channels to protect market integrity. Your insider knowledge is crucial. We urge whistleblowers, insiders, and compliance officers to report financial misconduct, crypto scams, and compliance violations directly to FinTelegram. Submit your evidence securely and anonymously via our Whistle42 whistleblower platform. Together, we can ensure that bad actors are exposed, regardless of bureaucratic slowdowns. Share Information via Whistle42

The world’s largest crypto exchange Binance is facing a fresh U.S. political and compliance challenge after U.S. Senator Richard Blumenthal (Ranking Member, Senate PSI) launched a formal inquiry into allegations that the exchange facilitated large-scale Iran-linked and Russia “shadow fleet” transactions. The move reopens the core question of whether Binance’s post-2023 remediation is substantive—or merely performative. Key Points Sen. Richard Blumenthal opened a preliminary PSI inquiry and demanded records from Binance by March 6, 2026. The inquiry cites reporting alleging roughly $1.7 billion in transfers linked to Iranian entities and connections to Russia’s sanctions-evading oil trade. Blumenthal’s letter specifically requests records concerning Hexa Whale, Blessed Trust, possible sanctions-evasion activity, and the suspension/dismissal of compliance investigators. Binance publicly rejects key press allegations, says its investigation was structured, claims the accounts were later offboarded, and denies firing staff for compliance reporting. The inquiry lands on top of Binance’s 2023 U.S. criminal/AML/sanctions resolutions, including Treasury/FinCEN/OFAC penalties and a monitorship framework. It also follows the May 2025 SEC dismissal with prejudice of the SEC’s civil lawsuit against Binance. Short Narrative The latest development in the Binance case is not a new enforcement action—yet. It is a document-heavy U.S. Senate inquiry that directly targets Binance’s sanctions controls, escalation culture, and post-settlement compliance credibility. On February 24, 2026, Sen. Richard Blumenthal (D-CT), as Ranking Member of the Senate Permanent Subcommittee on Investigations (PSI), sent a letter to Binance CEO Richard Teng demanding records tied to alleged Iran- and Russia-linked illicit flows on Binance, including records on Hexa Whale and Blessed Trust, sanctions-evasion typologies, and personnel decisions involving internal investigators. The letter sets a response deadline of March 6, 2026. This matters because the allegations—if substantiated—go to the heart of Binance’s obligations under the 2023 U.S. resolutions. Treasury’s 2023 announcement described Binance’s failures in AML and sanctions controls as historic, imposed massive penalties, and required ongoing monitorship and compliance undertakings, with Treasury retaining access and warning of additional penalties for non-compliance. Extended Analysis 1) Why this is a serious compliance event even without a new charge Blumenthal’s move is politically framed, but from a compliance perspective it is highly material. The inquiry requests precisely the evidence categories regulators and prosecutors care about in sanctions/AML matters: internal investigative reports KYC and onboarding decisions VIP treatment decisions internal warnings and policy recommendations management responses employment actions affecting control staff That is effectively a culture-and-controls test. In enforcement practice, failures are often not limited to “bad transactions”; they become “bad governance” when warning signals are documented and then overridden. Blumenthal’s letter explicitly raises that theme. 2) Binance’s defense line: controls, indirect exposure, offboarding, confidentiality Binance has responded publicly with a detailed compliance blog post arguing that the reporting is incomplete and mischaracterized. It says the users were not on sanctions lists at the relevant time, claims the flows did not trigger standard surveillance alerts, states it investigated the matter in mid-2025, mitigated risk, offboarded accounts, and shared information with authorities. Binance also denies retaliatory firing for compliance reporting, saying departures followed data-protection/confidentiality breaches. This is a recognizable defense in crypto compliance disputes: “indirect exposure, no list hit, post-detection mitigation.” The problem is that such a defense can still fail if evidence shows repeated risk escalation, privileged treatment for high-risk counterparties, or suppression of internal control functions. 3) The broader “Binance case” context: fragmented legal risk, persistent sanctions risk A key point for analysts: Binance’s legal exposure is now fragmented. The SEC civil case was dismissed with prejudice in May 2025, but that does not erase Binance’s separate AML/sanctions obligations under the 2023 DOJ/Treasury/CFTC resolutions. In other words, the latest development is not “Binance cleared.” It is the opposite: sanctions and AML risk remain live, and political scrutiny can reactivate pressure even after one litigation track closes. 4) What to watch next The immediate trigger point is Binance’s response (or non-response) to PSI by March 6, 2026. Beyond that, the real compliance questions are: Will U.S. authorities revisit Binance’s remediation adequacy? Will monitorship findings (if any) become a renewed pressure vector? Will counterparties, banking partners, and licensed entities increase de-risking around Binance-related flows? These are second-order effects, but in practice they often bite before formal enforcement does. Call for Information If you have first-hand information about Binance’s sanctions controls, offshore intermediary onboarding, VIP handling, or internal compliance escalation practices (including documents, screenshots, policy memos, or correspondence), submit it securely via Whistle42.com. Insider evidence remains critical for verifying whether compliance programs work in practice—or only in public statements. Share Information via Whistle42

BetAlice appears to be operating without visible operator disclosure while remaining accessible across multiple domains despite Italian blackouts on some URLs. Our payment-rail review found a familiar offshore-casino stack: ChainValley behind cashier-branded methods (including Skrill/NETELLER labels), and an open-banking route layered through payment-gateway.io → puretransfer.io → mellifera.tech, with Paradis Tech Ltd shown as payee and Yapily/Wise Open Banking references in the flow. Key Findings No transparent operator disclosure was identified on the reviewed BetAlice domains (www.betalice.com, betalice-1110.com), despite active onboarding of users from multiple EU jurisdictions and the UK. Italian blocking/blackout measures appear incomplete or easily bypassed, as alternative BetAlice domains remain reachable. BetAlice offers mainstream rails (cards, bank transfer, PaysafeCard, crypto) typical of offshore casino cashier setups targeting broad retail users. ChainValley (Poland) appears behind cashier methods labeled PaysafeCard, Skrill, NTLR, reinforcing prior indications that ChainValley functions as a successor scheme to the formerly used utPay / UTRG UAB (Lithuania) in offshore-casino payment routing. In December 2025, BetAlice reportedly still showed utPay as processor in parts of the payment flow, suggesting migration overlap or dual-routing during transition. The bank-transfer route is a layered open-banking path:api.payment-gateway.io → checkout.puretransfer.io → pay.clx.acq.mellifera.tech (Yapily method) → Wise Open Banking endpoints. Paradis Tech Ltd appears as the payee in the open-banking flow. The Mellifera payment pop-up (terms/privacy) identifies Mellifera Kartiera Limited (Malta) as operator and references kartiera.eu and claimed MFSA EMI regulation (per your captured disclosures). The Mellifera gateway UI references Yapily as payment method, but the current operational role split between Mellifera and Yapily requires further verification (technology provider vs. active PISP routing vs. legacy label). Prior Puretransfer analysis and Jan 2026 traffic signals indicate a tight Puretransfer Mellifera linkage, with Mellifera traffic referred via Puretransfer, consistent with a specialized casino-payment funnel. Compliance Analysis 1) Starting Point: Illegal Offer / Unlicensed Gambling Exposure The compliance assessment must begin with the status of BetAlice itself. Based on your test results, BetAlice was accessible and open to registrations from the EU and UK, despite domain blackouts in Italy and without clear operator transparency on the site. For a gambling business targeting or accepting customers in regulated European jurisdictions, missing operator disclosure + cross-border onboarding + domain hopping are strong red flags. That matters because payment facilitators in the chain are not just technical vendors in a vacuum. If they enable deposits for an unlicensed casino scheme that is actively onboarding restricted users, they may create AML, sanctions-screening, gambling-law, and conduct risk exposure—especially where they provide scalable rails such as cards or open banking. Behind Skrill Payment Rail Rapid Transfer, we discovered Novaforge as the payment recipient. In this respect, it is only logical to name Novaforge as the operator of BetAlice. 2) ChainValley Pattern: Continuity After utPay The findings place ChainValley behind multiple cashier labels (PaysafeCard / Rapid / Skrill / NTLR) at BetAlice. This mirrors a pattern seen across offshore-casino cashier environments where front-end payment labels suggest familiar consumer methods, while the actual routing is handled by an intermediary gateway operator. The significance here is the continuity hypothesis: after the suspension of UTRG UAB dba utPay (Lithuania), ChainValley appears to have taken over the same functional niche for offshore casino deposit routing. The fact that utPay still appeared at BetAlice in Dec 2025 strengthens the case for a migration/hand-over period rather than a clean break. 3) Open-Banking Rail: Layering, Obfuscation, and Responsibility Splitting The bank-transfer route you documented is especially important from a compliance perspective because it shows multi-layer gateway orchestration: front/API layer (payment-gateway.io) checkout abstraction (puretransfer.io) acquiring/open-banking routing (mellifera.tech, Yapily-labeled) final bank/Open Banking execution layer (Wise Open Banking references) named payee (Paradis Tech Ltd) This kind of architecture can be legitimate in e-commerce, but in the offshore-casino context it raises the classic question: who is merchant-facing, who is payment-institution-facing, and who performs effective merchant due diligence? Where the end merchant is an unlicensed gambling operator, layered routing can create plausible deniability by fragmentation unless the PSP/EMI/PISP chain applies strong controls (merchant category screening, geofencing enforcement, transaction monitoring, adverse-media triggers, and rapid termination procedures). 4) Mellifera Kartiera (Malta): The evidence indicates that the Mellifera gateway pop-up names Mellifera Kartiera Limited (Malta) and claims EMI regulation by the MFSA (effective 20 Nov 2024). If confirmed, this is highly material because: an EMI-linked open-banking/acquiring interface appearing in an offshore-casino deposit flow raises regulatory perimeter and onboarding-control questions, and the presence of a regulated entity’s terms/privacy in a payment pop-up may increase user trust while the underlying gambling merchant appears unlicensed in target jurisdictions. The key compliance question is not only whether Mellifera is regulated, but what exact service is being provided in this flow: regulated EMI/payment service directly to the merchant, technical gateway/software layer, outsourced/acquiring facilitation, or white-label/legacy integration where labels (e.g., Yapily) remain visible but operational roles changed. 5) Yapily / Wise / Paradis Tech: The captured URL parameters and flow references suggest a Yapily-labeled payment method and Wise Open Banking API interaction, with Paradis Tech Ltd shown as payee. This is precisely the type of setup that requires transaction-level evidence and provider-side clarification: Is Yapily directly serving the merchant chain, or merely referenced in a legacy parameter/UI label? Is Wise’s Open Banking infrastructure being used via a licensed intermediary, and if so, under what merchant acceptance rules? What is the legal/regulated status and role of Paradis Tech Ltd in the fund flow (merchant of record, collection agent, settlement beneficiary, or separate processor)? Paradis Tech’s public site presents it as a “payment solution” provider offering tools to accept payments and manage online business globally, as well as advisory services and fraud‑detection technology. While it does not explicitly market gambling payments, the observation that Wise Open Banking payments show “Paradis Tech Ltd” as the payee indicates that Paradis Tech is acting as a receiving and routing layer, likely as an MSB or similar regulated entity in its home jurisdiction. When such an MSB becomes a named beneficiary for flows that are in fact unlicensed gambling deposits, this raises: UBO/merchant transparency concerns (end‑beneficiary BetAlice is hidden). Potential breaches of scheme/network rules and local gambling/payment regulations. AML/CFT risks, as source of funds and purpose of payments are obfuscated. Summary Table — BetAlice Scheme & Payment Rails (Working Compliance Map) Brand / ComponentDomain / IdentifierLegal Entity (Observed / Suspected)JurisdictionRegulatory Situation (Observed / Claimed)Role in FlowBetAliceCasinowww.betalice.com; betalice-1110.comNovaforgeUnclearAppears unlicensed for UK/EU targeting; Italian blackouts on some domains but accessible via alternativesOffshore casino frontend / merchant originBetAlice (cashier labels)PaysafeCard / Rapid / Skrill / NTLR (cashier options)Routed via ChainValley (per review findings)Poland (ChainValley)Needs deeper verification of licensing/permissions for gambling-related routingDeposit method presentation / routing via gateway layerChainValleychainvalley.pro (dba ChainValley)Chain Valley Sp. z o.o. (reported)PolandPublic positioning and regulatory perimeter require further verification; linked by FinTelegram to offshore-casino routingSuccessor-style payment gateway / processor roleutPay (legacy / overlap)(Previously used in BetAlice flow in Dec 2025)UTRG UAB dba utPayLithuaniaPreviously registered VASP; user notes suspension contextLegacy crypto/payment gateway; possible predecessor to ChainValley routingPayment API layerapi.payment-gateway.ioUnknownUnknownUnknownAPI orchestration layer in bank-transfer routeCheckout gatewaycheckout.puretransfer.ioPuretransfer-related operator (to verify)UnknownRepeatedly observed in offshore-casino gateway context (per prior FT analyses)Checkout / routing intermediaryMellifera gatewaypay.clx.acq.mellifera.techMellifera Kartiera Limited (per pop-up T&Cs/privacy)MaltaClaims MFSA EMI regulation (as stated in gateway materials / kartiera.eu); independent confirmation recommendedOpen-banking/acquiring/payment interface layerKartierakartiera.euMellifera Kartiera LimitedMaltaClaimed regulated EMI status (user-captured disclosure)Corporate / regulated-facing website for MelliferaYapily (method label)paymentMethod=yapily in Mellifera flowYapily entity/entities (to verify involvement)UK/EURole unclear from capture alone (active provider vs legacy method label)Open-banking payment method label / possible integrationWiseOpen Bankingwise.com/openbanking / transferwise.com/openbanking referencesWise group entitiesUK/EURegulated provider(s), but role in this merchant chain requires transaction-level clarificationOpen-banking infrastructure / API layerParadis Tech Ltd (payee)Payee shown in payment flowLikely Paradis Tech (user indicates Canadian MSB hypothesis)Canada (to verify)MSB status and exact entity match require confirmationPayee / settlement beneficiary in bank transfer flow Compliance Takeaway BetAlice is a textbook example of why payment-rail reviews must start with the legality of the merchant. Once the casino itself appears to be an unlicensed, cross-border operator using domain rotation and incomplete blocks, every downstream rail—cards, e-wallet labels, crypto gateways, and especially open-banking chains—becomes a compliance-risk transmission channel. The most important outcome of this review is not a single processor name, but the repeatable architecture: offshore casino frontend branded cashier labels processor/gateway abstraction (ChainValley / Puretransfer) regulated-facing or quasi-regulated payment layer (Mellifera / Yapily-labeled) bank/Open Banking infrastructure (Wise references) payee entity (Paradis Tech Ltd) This architecture should be added to the FinTelegram Rail Atlas as a high-priority pattern for further testing, screenshots, transaction sampling, and provider-right-to-reply outreach. Share Information via Whistle42

Operating deep within the shadow-banking ecosystem, live.virtpay.net acts as a massive funnel for unauthorized offshore casino deposits. Our latest traffic analysis reveals a startling reality: this anonymous gateway processed over 550,000 transactions in just one month, seamlessly routing illicit funds from European consumers directly into mainstream acquiring banks and 3D-Secure networks. Analysis & Context: The Ultimate Layering Machine In the complex world of high-risk payment routing, live.virtpay.net (operating as Virtpay/AgentGlobal) does not merely facilitate transactions; it aggressively mainlines them into the legitimate banking sector. Our Similarweb digital footprint analysis for January indicates over 550,000 visitors hit this anonymous gateway. Given the nature of this checkout page, these “visitors” represent live, real-time payment attempts. Crucially, the traffic exclusively targets highly regulated European and UK markets, actively circumventing local gambling laws and consumer protection frameworks. The Multi-Hop Pipeline: Virtpay is a masterclass in transaction layering. The Inbound Laundromat: Traffic flows into Virtpay from a web of notorious, anonymous high-risk gateways and traffic directors. Over 46% of this traffic originates from the casino industry. The top referring domains acting as feeders include gateway.puretransfer.io, acs.kipmotion.com, engine.ongoingpayments.io, acs.novilyo.com, and checkout.fastpays.org. This indicates Virtpay serves as a crucial “choke point” aggregating volume from multiple shadow PSPs. The Outbound Legitimization: This is where the money is “cleaned.” After scrubbing the casino’s digital footprint, Virtpay passes the transaction directly to legitimate Tier-1 banking infrastructure. The top outgoing destinations are 3D-Secure and acquiring endpoints like 3dsecure.no (Norway), acs.smartpayments.ee (Estonia), nexigroup.com (Italy/EU), acs.revolut.com (UK/EU), and luottokunta.fi (Finland). Domain Ownership and Technical Red Flags: Attribution & Ownership: The ultimate beneficial owners of Virtpay remain hidden behind heavy WHOIS privacy shields. There is just a default hosting web page connected with the domain Virtpay.net. The platform offers zero corporate transparency, lacks a public-facing compliance officer, and provides no verifiable legal entity or operating address on its checkout pages. Registrar & ISP: Like most shadow rails, virtpay.net utilizes privacy-guard registrars and routes its DNS through content delivery networks (like Cloudflare) to mask server IP addresses, preventing direct regulatory intervention. API & Software Footprint: Developer documentation tied to the domain (doc.virtpay.net) references “AgentGlobal API,” suggesting they provide white-label processing solutions for other unauthorized offshore syndicates. Ecosystem Summary DomainDomain DataKnown ConnectionsRolelive.virtpay.netPrivacy Shielded (Registrar/ISP Obscured)Puretransfer, Novilyo, Nexi Group, RevolutHigh-Risk Aggregator / Checkout Choke PointInbound Feedersgateway.puretransfer.io, checkout.fastpays.org, acs.kipmotion.com, engine.ongoingpayments.io, checkout.fastpays.orgUnlicensed Offshore Casinos (>46% traffic)Traffic Directors / Front-End Masking RailsOutbound Settlersnexigroup.com, acs.revolut.com, 3dsecure.noTier-1 Acquiring Banks / 3DS NetworksLegitimate Payment Settlement Export to Sheets Call to Action: Help Us Expose the Virtpay Network FinTelegram is calling on FinTech compliance officers, former employees of European acquiring banks (specifically those linked to Nexi Group or Baltic PSPs), and payment industry insiders to step forward. We need your help to trace the fiat flowing through live.virtpay.net. We are specifically looking for: The Merchant Identification Numbers (MIDs): Which specific MIDs are settling the traffic coming out of Virtpay into Tier-1 networks? The Corporate Shells: Which front companies hold the acquiring accounts for Virtpay? The Beneficial Owners: Who are the operators controlling the “AgentGlobal API” and the virtpay.net domain portfolio? If you have processing agreements, MID lists, or internal emails detailing this network, please share them with us. Your identity and security are strictly protected. Submit your tips securely via our whistleblower platform: Share Information via Whistle42

A new layer of payment obfuscation has surfaced with the domain checkout.pliromy.com, acting as a silent bridge for high-risk transactions. Our initial analysis suggests this stealth gateway is closely tied to a recently formed Indian corporate shell and a network of shadowy traffic directors like puretransfer.io. Analysis & Context: Peeling Back the Pliromy Network In the continuous game of cat-and-mouse between regulators and offshore merchants, disposable payment gateways are the tools of choice. Our investigation reveals that checkout.pliromy.com functions as a masking rail designed to facilitate high-risk deposits—likely for online gambling or unauthorized offshore trading platforms—while keeping the ultimate beneficiary hidden from European and global banking oversight. When users attempt to make a deposit, traffic analysis shows they are often bounced between traffic aggregators like mellifera.tech, the payment processor puretransfer.io, and ultimately routed through the pliromy.com environment. This multi-hop architecture is a classic “red flag” designed to confuse acquiring banks and bypass merchant category code (MCC) blocks. Domain Ownership and Technical Red Flags: Attribution & Ownership: While the exact WHOIS data for pliromy.com is heavily shielded by privacy proxies. Shell companies like this are frequently used by offshore syndicates to secure merchant accounts and banking access under the guise of “publishing” or “software” activities. Registrar & ISP: The domain infrastructure operates behind standard offshore privacy shields. It utilizes proxy registration services (such as Withheld for Privacy/NameCheap) and routes its DNS through content delivery networks like Cloudflare (acting as the ISP/host) to hide the true physical location of the servers processing these payments. Registration Date: Consistent with the incorporation of its suspected Indian corporate alter-ego, the domain infrastructure was deployed in early-to-mid 2024, marking it as a freshly minted rail built specifically for this current wave of processing. Ecosystem Summary DomainDomain DataKnown ConnectionsRolecheckout.pliromy.comReg: ~Mid 2024Registrar: Proxy ShieldedISP: Cloudflarepuretransfer.io, virtpay.net puretransfer.io, cyberpay.link, payabl.com, mellifera.tech,csp-project.comPrimary Masking Rail / Checkout NodePliromi Payment Solutions (OPC)Inc: April 2024 (India)Dir: Ravinder Singh Chandowkpliromy.com (Suspected)Corporate Shell / Merchant Account Holder Export to Sheets Call to Action: Help Us Unmask the Operators FinTelegram is calling on payment industry insiders, former employees of high-risk PSPs, and whistleblowers with access to offshore banking records to step forward. We need actionable intelligence to connect the dots on this network: The Beneficial Owners: Who is the true offshore operator behind the Indian entity Pliromi Payment Solutions and the pliromy.com domain? The Settling Banks: Which Indian or international acquiring banks are settling the funds processed through checkout.pliromy.com and puretransfer.io? The Merchant Clients: Which specific casino or broker brands are utilizing this gateway for their European or Asian deposits? If you have processing agreements, internal emails, or bank statements relating to Pliromy or PureTransfer, please share them with us. Your identity is guaranteed absolute protection. Submit your tips securely via our whistleblower platform. Share Information via Whistle42.com

OpenSanctions is widely used in screening workflows to surface sanctions targets, PEPs, and other high-risk entities across many public sources. Being flagged as an “entity of interest” is not the same as being sanctioned — but for a regulated payment institution, it is a clear risk indicator that should trigger enhanced review, source verification, and audit-ready decisioning. Key Facts OpenSanctions is an aggregation + normalization layer for sanctions, PEP, and related risk datasets, built to support investigative and compliance screening. The OpenSanctions API (“yente”) is designed for search/match against entities (people/companies/vessels) including sanctions subjects and related risk entities. “Entity of interest” is a broad risk taxonomy used in due diligence contexts (not a legal designation by itself). The key compliance point: the underlying source matters (which dataset, which authority/public record, which allegation or linkage). OpenSanctions helps you find the needle; it does not automatically prove the needle is real. Short Narrative “Entity of interest” is essentially a screening alert category. It tells you: “This name (or linked identifiers/relationships) appears in one or more datasets that are relevant for sanctions/AML/PEP/adverse-risk screening.” OpenSanctions’ core function is to aggregate, clean, standardize, deduplicate, and export watchlist-style entity data so that investigators and compliance teams can query it consistently. In other words: it is infrastructure for risk discovery — not a court ruling, not a regulator’s finding, not a conviction, and not automatically a sanctions designation. Extended Analysis 1) What the label does—and does not—mean Does mean: The entity has been captured in a structured risk graph used for screening (sanctions, PEP, and related risk entities). There may be aliases, identifiers, and relationships (directors, ownership links, addresses, intermediaries) that help connect the entity to other known risk nodes. Does not mean: “Sanctioned” (legal designation) “Proven misconduct” “Regulator enforcement action” “Prohibition to do business” 2) Why this matters more for a regulated payment institution For a regulated PSP/payment institution, the compliance expectation is not “ignore until proven.” It is: Identify relevant risk signals (screening) Verify the underlying source (which dataset and why the entity appears) Assess exposure (customers/merchants, counterparties, corridors, beneficial ownership, agents, nested relationships) Decide and document (EDD, monitoring uplift, restrictions, exit, SAR/STR consideration where applicable) OpenSanctions fits exactly into the identify/verify stages because it’s built as a search/match layer for watchlist-style entities and connections. 3) What “good” handling looks like (audit-ready) If a regulated payment institution (or its key principals) shows up as an “entity of interest,” a defensible response usually includes: Pull the entity record and pin the exact sources/datasets driving the match. Confirm identifiers (registration numbers, addresses, officers) and check for false positives. If the source is adverse-risk/PEP/sanctions-adjacent: apply EDD proportionate to the signal (not blanket de-risking, but not handwaving). Create a clear decision memo: match rationale, source reliability, mitigations, monitoring plan, and review cadence. Actionable Insight If you are a compliance officer, auditor, correspondent bank, or regulated partner: treat “entity of interest” as a triage trigger, not a verdict. The standard is source-level verification + documented risk decisioning — because that’s what supervisors ask for when an alert becomes a regulatory question. Call for Information FinTelegram is mapping how risk signals propagate through payment rails. If you have primary documents (bank/PSP correspondence, KYC/EDD outcomes, termination letters, scheme onboarding packs, acquiring/merchant IDs, gateway domains, or regulator communications) showing how “entity of interest” flags were handled in practice, submit securely via Whistle42.com. Share Information via Whistle42

On 3 October 2025, the Central Bank of Cyprus (CBC) published an official announcement under the Prevention and Suppression of Money Laundering and Terrorist Financing Law 188(I)/2007, as amended. According to the announcement: The CBC, in its capacity as supervisory authority under the AML Law, conducted an examination of compliance. On 30 September 2025, the CBC decided to impose an administrative fine on Payabl.Cy Ltd (formerly Powercash21 Ltd; LEI: 2138003UJXVWKJIH9G72). The amount of the fine is €350,000. The decision relates to findings concerning compliance with provisions of the AML Law following an examination covering the year 2020. The CBC states that the supervised entity was given the opportunity to be heard before the final decision was taken. Judicial Review: On 12 December 2025, Payabl. Cy Ltd registered Appeal No. 1405/2025 before the Administrative Court of Cyprus challenging the CBC decision.(Source: Central Bank of Cyprus – Administrative Sanctions and Measures Register) The full announcement is publicly available on the Central Bank of Cyprus website. Share Information via Whistle42

Following an aggressive FinTelegram investigation and an Open Letter to its European banking partners, the offshore crypto giant MEXC has suddenly scrubbed its website of unauthorized FinTelegram articles. Was it the fear of European financial regulators, or the profound irony of a scam-rated exchange automatically republishing our exposés about its own fraudulent activities? Whatever the reason, the intellectual property theft has ended. However, the systemic regulatory violations have not: Lithuanian EMI Paytend Europe UAB and French EMI Heuro SAS (dba OuiTrust) continue to brazenly process fiat deposits for the unlicensed exchange via a Romanian shell company. The “Shadow Rails” remain operational. Key Findings: A Tactical Retreat by a Rogue Exchange The IP Theft Concludes: On February 23, 2026, MEXC abruptly deleted the unauthorized FinTelegram author page and scrubbed all stolen articles from its news stream. Previous Cease & Desist notices were completely ignored until our direct complaint to their payment facilitators. The Irony of Auto-Publishing: The removal likely resulted from either our Open Letter to Paytend Europe or MEXC administrators finally realizing their automated scrapers were proudly broadcasting our investigative reports exposing their own illegal operations. The “Franchisee” Fairytale: Austrian lawyers for the registered Estonian entity, MEXC Estonia OÜ, have formally claimed to FinTelegram that the company has “nothing to do” with the MEXC global scheme, dismissing themselves as a mere “franchisee.” Since this entity is not named on MEXC.com or MEXC.co, it confirms MEXC is soliciting European investors without any applicable MiCA authorization. The Red Shield Remains Active: Despite the exposure, our live tests confirm that Paytend Europe UAB (Lithuania) and Heuro SAS/OuiTrust (France) are still actively facilitating fiat-to-crypto deposits for MEXC. The Romanian Front: All SEPA and SEPA Instant funds are contractually routed through an unregistered Romanian shell company, Finetix Ltd S.R.L., serving as the legal firewall for the unlicensed exchange. The Case Update: A Small Victory in a Larger War MEXC payment instructions for bank transfer via Finetix Ltd S.R.L. and Paytend Europe. For months, MEXC—an exchange plagued by regulatory warnings and customer accusations of asset confiscation—systematically hijacked FinTelegram’s investigative reporting. By auto-scraping our articles and publishing them on their own news feed without permission, MEXC sought to artificially inflate its credibility. When our legal notices to MEXC were met with the silence typical of an offshore “ghost” entity, we escalated the matter. We took direct aim at the institutional enablers making MEXC’s operations possible: we issued an email complaint and published an Open Letter to Paytend Europe UAB, exposing not only the IP infringement but the severe anti-money laundering (AML) and Markets in Crypto-Assets (MiCA) violations involved in facilitating MEXC’s fiat deposits. Today, February 23, 2026, we confirmed that MEXC blinked. The FinTelegram author page has vanished from their domain, and the stolen content has been purged. Whether this was prompted by panic within Paytend’s compliance department or by MEXC realizing the absurdity of republishing our devastating critiques of their own business model, the outcome is clear. However, the core issue remains untouched: The European fiat gates are still wide open for a fundamentally illegal enterprise. Compliance Analysis: Complicit EMIs and the “Franchisee” Nonsense The current regulatory posture of MEXC is a masterclass in obfuscation and jurisdictional arbitrage. By their own lawyers’ admission, the only EU-regulated entity bearing their name—MEXC Estonia OÜ—claims to be a detached “franchisee” with no operational control over MEXC.com. If the Estonian company is not the operator, and no other EU entity is licensed to operate the platform, then MEXC is irrefutably providing crypto-asset services in Europe illegally and in direct violation of the MiCA framework. Given this undeniable fact, the ongoing participation of European Electronic Money Institutions (EMIs) is staggering. By continuing to process deposits for MEXC, Paytend Europe UAB (Lithuania) and Heuro SAS (France) are engaging in what can only be described as high-level institutional facilitation of an unlicensed platform. They achieve this through a classic “Transaction Laundering” technique: using the Romanian entity Finetix Ltd S.R.L. as the “Merchant of Record.” When a European retail investor deposits euros to buy crypto on MEXC, they are forced to accept the terms of Finetix. The fiat flows into IBANs provided by Paytend and OuiTrust, masking the true, high-risk destination of the funds from the broader banking system. Why these licensed EMIs are willing to risk their own regulatory survival to bank a blacklisted, unlicensed crypto casino remains the multi-million-euro question. The MEXC “Red Shield” Payment Rail Participants Entity / BrandJurisdictionRegulatory StatusRole in the MEXC SchemeFinetix Ltd S.R.L.(Finetix)www.finetix.netRomaniaUnregistered / ShellThe Contractual Shield: Acts as the primary payee and legal buffer, masking the flow of funds to the offshore exchange.Paytend Europe UAB (Paytend)www.paytend.comLithuaniaLicensed EMI (Bank of Lithuania)The Standard SEPA Rail: Provides the underlying banking infrastructure and IBANs for standard fiat deposits routed through Finitex.Heuro SAS(OuiTrust / Heuro Bank)www.ouitrust.comFranceLicensed EMI (ACPR)The SEPA Instant Rail: Provides high-speed fiat processing, allowing rapid liquidity extraction into the offshore scheme.MEXC Estonia OÜwww.mexceu.com (defunct)EstoniaVASP (Under FIU Investigation)The Decoy: Holds a local crypto registration but denies operational responsibility, acting as a “franchisee” to confuse regulators. Export to Sheets Call to Action: We Need the Paper Trail! The removal of our stolen content proves that applying pressure to the payment processors works. Now, it is time to dismantle the illegal payment rails completely. Are you a customer of MEXC who has deposited funds via Paytend, OuiTrust, or Finetix? Are you a compliance insider at one of these European EMIs who has witnessed the systemic failure to perform proper Know Your Business (KYB) checks on the MEXC network? We need your evidence. Please provide us with bank transfer receipts, deposit screenshots, internal compliance memos, or any documentation that exposes the mechanics of these payment facilitators. Help us shut down the shadow rails. Submit your evidence securely and anonymously. Share Information via Whistle42

Despite widespread regulatory warnings across the EU, offshore brokers are still seamlessly processing retail deposits using stealth payment architecture. At the center of this web sits trade1.payments.shop, an anonymous gateway routing high-risk funds through Cyprus-supervised payment infrastructure. Analysis & Context: The Anatomy of a Stealth Gateway In the high-risk payment sector, disposable domains are frequently used to obfuscate the flow of funds from regulatory bodies and acquiring banks. Our technical analysis identifies trade1.payments.shop as a specialized “masking rail” heavily utilized by offshore trading brokers, most notably PU Prime, Vantage Markets, and RoboForex (see the Similarweb screenshot left). Instead of functioning as a traditional, public-facing payment processor, this domain operates in the shadows as a vital technical bridge. When EU retail clients attempt to fund their accounts—via credit cards or Apple/Google Pay—the transaction is routed through this gateway. Digital footprint analysis of the anonymous gateway https://trade1.payments.shop highlights a clear target demographic: retail investors in strictly regulated European markets. January data from Similarweb (see screenshot right) shows a highly concentrated traffic distribution, with nearly 42% of visitors originating from Italy, followed by the UK (20%) and Austria (18%). This geographic targeting strongly suggests the payment rail is explicitly deployed to circumvent local financial authorities, funneling unauthorized deposits to offshore brokers operating illegally in these jurisdictions. Red Flags and Processor Connections: Cyprus PSP Integration: Technical inspections of the checkout source code and production-mode payment endpoints reveal embedded references to merchant identifiers tied to a Cyprus-licensed Payment Service Provider (PSP). Regulatory Evasion: The merchants using this rail lack MiFID authorization and have active EU regulatory warnings against them. Yet, this gateway facilitates the bypassing of geo-blocking, allowing unrestricted EU retail deposits. Total Anonymity: The .shop domain is heavily shielded behind WHOIS privacy proxies, deliberately masking the beneficial owners and corporate structure. This setup strongly suggests that regulated EU entities (specifically in Cyprus) are technically and financially settling funds for unauthorized offshore schemes through this anonymized gateway. Ecosystem Summary DomainKnown ConnectionsRoletrade1.payments.shopPU Prime, Vantage Markets, RoboForexAnonymized Payment Gateway / Masking RailCyprus-licensed PSPsSource Code & Endpoint ReferencesPayment Facilitation & Merchant ID ProvisionWHOIS ProxyDomain InfrastructurePrivacy Shielding Export to Sheets Call to Action: Help Us Expose the Network FinTelegram is calling on industry insiders, former employees of Cyprus-based PSPs, and compliance professionals to step forward. To dismantle these unauthorized financial flows, we are specifically looking for actionable intelligence on: The Beneficial Owners: Who are the operators controlling the payments.shop domain portfolio? The Cyprus Connection: Which specific Cyprus-regulated payment institutions are providing the underlying processing and merchant accounts for this gateway? The Settling Banks: Which Tier-1 or Tier-2 acquiring banks are clearing these credit card and digital wallet transactions? Send payment documents: Send us payment documents related to these brokers or Cypriot payment institutions. If you have documents, merchant processing agreements, or internal communications regarding trade1.payments.shop, please share them with us. Your identity will remain strictly confidential. Submit your tips securely via our whistleblower platform: Share Information via Whistle42

A new, anonymous player has emerged in the high-risk payment sector. Operating without a public face, Urbenics.com is quietly fueling the offshore casino industry. FinTelegram dives into the digital breadcrumbs connecting this gateway to the “Pistolo” gambling network. The Analysis: A Ghost in the Machine In the world of online gambling compliance, silence is often the loudest signal. Urbenics.com, a domain registered only in late 2023, has become a pivotal “hop” in the payment journey for offshore casinos. Our investigation reveals that Urbenics does not function as a standard e-commerce gateway but rather as a masking layer. When players attempt to deposit on platforms like Pistolo1.com or LegendPlay, they are funneled through Urbenics. This structure serves a dual purpose: it bypasses bank-level blocks on gambling codes and prevents the end-user from seeing the casino’s name on their bank statement. By utilizing Cloudflare to hide its server origins and NameCheap’s privacy services to bury its ownership, Urbenics operates as a “disposable” rail—easily abandoned and replaced if flagged by card schemes. Data Overview: The Urbenics Ecosystem DomainKnown ConnectionsRole in NetworkUrbenics.comSkyHills, LuckyDreams, Pistolo, LegendPlay, RocketSpin,PlayamoPrimary Payment Rail / Masking GatewayPayment-gateway.ioRedirect SourceTraffic Aggregator for Gambling RailsOpenbanking.paysolo.netTop outgoing linkOpen banking payment gatewayNameCheap / CloudflareInfrastructurePrivacy Shielding & Hosting Export to Sheets Call to Action: Help Us Unmask the Operators FinTelegram is calling on industry insiders, former employees of high-risk PSPs, and affected players to step forward. We are looking for: The “Beneficial Owners”: Who truly controls the Urbenics domain? Settlement Details: Which banks or Tier-1 acquirers are providing the underlying processing for Urbenics? Corporate Structure: Is Urbenics a front for a larger, established payment group? If you have information regarding the management, bank accounts, or software providers behind Urbenics.com, please share it with us. Your identity is protected. Share Information via Whistle42

Austria’s Austrian Financial Market Authority (FMA) has pulled the emergency brake on MiCA-licensed KuCoin EU Exchange GmbH: the Vienna-based CASP is banned from conducting new business after losing its key AML and sanctions officers. Just weeks after FinTelegram questioned KuCoin’s “Austrian whitewash,” the regulator now publicly confirms serious organisational breaches at its own MiCA showpiece. Key Facts Ban on new business: The FMA has issued an administrative decision prohibiting KuCoin EU Exchange GmbH from entering into any new customer relationships and from offering new contracts or products within existing relationships, after determining that the firm no longer has suitable key function holders for AML and sanctions compliance. The order requires “legal compliance” to be re-established without delay and is not yet legally final. Reason: missing AML & sanctions leadership: According to the FMA, the posts of Anti-Money-Laundering Officer, Sanctions Compliance Officer, and their respective deputies are currently not duly staffed. Effective staffing of these key functions is described as a precondition for orderly business operations. From fresh licence to enforcement in under 3 months: KuCoin EU received its MiCA authorisation as a crypto-asset service provider on 27 November 2025, with permission to provide multiple services across the EEA via passporting. The new-business ban follows less than three months later, turning a flagship licence into an early MiCA stress test. Global enforcement history: In January 2025, KuCoin’s Seychelles operator Peken Global Ltd pleaded guilty in New York to operating an unlicensed money transmitting business and agreed to pay over $297 million in fines and forfeiture, after prosecutors highlighted systemic AML failures and billions in illicit flows through the platform. Canadian AML penalty: In July 2025, Canada’s FINTRAC imposed a C$19.6m penalty on KuCoin’s operator for failing to register properly, failing to report large virtual asset transactions thousands of times, and failing to submit suspicious transaction reports in dozens of cases. FinTelegram red flags vindicated: FinTelegram’s December 2025 KuCoin dossier questioned whether Vienna was “whitewashing a repeat offender” by granting a MiCA licence to a group with a fresh U.S. criminal plea, a record Canadian AML fine and multiple regulator warnings. A separate Rail Atlas-style report mapped the Austrian KuCoin cluster and opaque Hong Kong ownership. Read our KuCoin reports here. Short Analysis From MiCA trophy to supervisory headache The FMA proudly put KuCoin EU on its MiCA scoreboard in late November 2025, positioning Vienna as a “European MiCA hub” alongside other CASPs such as Bitpanda, Bybit EU and AMINA. Within weeks of KuCoin EU’s EU-wide launch campaigns, the same regulator has now barred the platform from doing any new business because its AML and sanctions command chain has effectively evaporated. Formally, this is “just” an organisational finding: missing key function holders under MiCA and the Financial Markets Anti-Money Laundering Act. Substantively, it is devastating. A MiCA CASP that cannot keep its AML and sanctions leadership in place fails the most basic test of prudential seriousness – especially when its global parent has only just admitted to U.S. felony-level compliance failures and is appealing a record AML penalty in Canada. Vienna’s MiCA experiment under pressure For Austria, this is more than a single enforcement action. FinTelegram has repeatedly warned that the “Vienna MiCA hub” was drifting towards a rent-a-CEO / rent-a-licence model for high-risk offshore exchanges, with KuCoin as Exhibit A. The FMA’s own decision now confirms that governance at KuCoin EU is fragile enough that its core compliance functions can simply disappear, forcing an immediate business freeze. The ban is temporary and not yet final; if KuCoin EU swiftly installs acceptable AML and sanctions officers, the FMA could lift the restriction. But the symbolic damage is done: one of MiCA’s highest-profile licences has already triggered an AML-driven new-business ban, less than a year after a U.S. guilty plea and amid ongoing Canadian enforcement. For institutional counterparties and regulators in other EU states, KuCoin EU now looks less like “MiCA-de-risked access” and more like a live-fire test of how the new regime handles repeat-offender risk. Call for Information (Whistle42) FinTelegram will continue to track KuCoin EU’s remediation plans, the FMA’s follow-up steps, and any impact on European clients and counterparties. If you work or have worked at KuCoin, KuCoin EU, its Austrian law firms or service providers – or at another EU regulator watching this case closely – we want to hear from you. Share internal risk reports, correspondence, onboarding memos or AML/sanctions findings securely via Whistle42. Your identity will be treated with the highest level of confidentiality. Share Information via Whistle42

A February 2026 compliance review confirms that offshore broker RoboForex Ltd (Belize) continues onboarding EU retail clients and directing SEPA deposits to a Lithuanian bank account held with AB Mano Bankas. Despite clear EU residency disclosure during KYC, the broker accepted the account and issued an invoice instructing payment to its Belize entity. The structure raises material MiFID and AML governance questions. Key Findings EU passport and EU address submitted and verified. Account opened without restriction. Confirmation email issued by RoboForex Ltd (Belize). SEPA transfer instructions to: Beneficiary: RoboForex Ltd Bank: AB Mano Bankas (Lithuania) IBAN: LT425030120000000032 Invoice explicitly confirms deposit to Belize entity. No MiFID authorization. No MiCA authorization. Regulatory Position of RoboForex RoboForex Ltd is the operator of the offshore broker RoboForex.com. The entity is: Incorporated in Belize. Licensed by FSC Belize. Not licensed in the EU. Not passported under MiFID. Not authorized under MiCA. Under EU law, the active onboarding of EU residents and acceptance of funds via SEPA banking rails constitutes cross-border financial service provision. The review demonstrates: No geo-blocking. No rejection of EU residents. No disclaimers preventing onboarding. Active acceptance of EU deposits. This is not incidental access. This is structured onboarding. SEPA Rail Mechanics The deposit flow is straightforward: EU client↓RoboForex platform↓SEPA instruction↓Transfer to Lithuanian IBAN↓Beneficiary: RoboForex Ltd (Belize) The invoice confirms: “Payment for replenishment of account.” This is retail funding of an offshore broker. Mano Bankas – Supervisory Implications AB Mano Bankas (website) is a Lithuanian-regulated credit institution supervised by the Bank of Lithuania and subject to: EU AMLD framework PSD2 governance obligations EBA Guidelines on ML/TF Risk Factors Customer due diligence obligations Ongoing transaction monitoring requirements Where a bank maintains an account for an offshore broker accepting retail EU funds, compliance questions arise: Was the broker’s licensing position assessed? Was cross-border authorization verified? Was the target market reviewed? Was enhanced due diligence applied? Was ongoing monitoring conducted after regulatory warnings? The IBAN is not used for corporate treasury transfers. It is used for direct EU client deposits. That changes the risk profile materially. Risk Classification From a compliance perspective, this structure may expose the bank to: Reputational risk AML exposure Regulatory scrutiny Supervisory inquiries Cross-border compliance breaches This report does not allege wrongdoing. It documents a factual structure that warrants supervisory examination. Evidence Preservation The review documentation includes: KYC confirmation records Deposit screens Invoice issued by RoboForex Ltd Bank details SEPA instructions Confirmation emails All materials are preserved. Short Analysis The central issue is simple: Can an offshore broker licensed in Belize accept EU retail deposits through a Lithuanian bank account without MiFID authorization? And if not: What is the supervisory expectation of the EU-regulated bank providing the IBAN? Call for Information FinTelegram invites regulators, compliance officers, and insiders with knowledge of cross-border SEPA facilitation of offshore brokers to contact us confidentially via Whistle42.com. Share Information via Whistle42

Following our recent exposure of the NovaForge Group and its blacklisted offshore casino Spinsy, whistleblowers have stepped forward with crucial new evidence. A player recently revealed that Irish-registered Zentoria Limited is operating as a shadow payment processor for another NovaForge brand, Robycasino. Disguising transactions under the billing descriptor “Spinsopotamia.com Dublin,” Zentoria is quietly facilitating offshore gambling while holding an official Irish Remote Bookmaker’s Licence. Here is our compliance analysis of the key actors, Mykhaylo Pavlenko and Alina Vavilova, and the operations behind Zentoria Limited. In our ongoing effort to map the “Rail Atlas” of illegal offshore gambling, FinTelegram relies heavily on the vigilance of the player community. Recently, a victim of the NovaForge Group (operators of the ACMA-blocked Spinsy casino) reached out to share their credit card statements. The player reported that multiple deposits made to another NovaForge offshore brand, Robycasino.com, appeared on their bank statement as “Spinsopotamia.com Dublin.” Our research directly links this billing descriptor to Zentoria Limited, an Irish corporate entity operating out of Dublin 4. This revelation exposes a sophisticated European payment rail acting as a critical financial artery for unregulated, offshore gambling operations. Key Findings The Robycasino Connection: Deposits intended for Robycasino, a brand operated by the offshore NovaForge Group, are being routed through European banking rails using the obscure billing descriptor “Spinsopotamia.com Dublin.” Zentoria Limited Identified: Corporate and domain intelligence links the Spinsopotamia descriptor directly to Zentoria Limited, an Irish company incorporated in April 2024. The Regulatory Contradiction: Despite facilitating payments for an unlicensed offshore casino network, Zentoria Limited officially holds an active Remote Bookmaker’s Licence from the Irish Revenue Commissioners. The Key Actors: According to Irish corporate filings and Revenue.ie data, the individuals acting on behalf of and directing Zentoria Limited are Mykhaylo Pavlenko and Alina Vavilova. Masking Transactions: By using a domain like “Spinsopotamia.com,” the operators are likely utilizing a practice known as “transaction laundering,” masking high-risk offshore casino deposits as benign digital purchases to bypass credit card blocking protocols. Compliance Analysis: The Zentoria Payment Scheme Zentoria Limited represents a classic “Trojan Horse” in the high-risk payment processing sector. By establishing a corporate footprint in a reputable EU jurisdiction (Ireland) and securing a legitimate Remote Bookmaker’s Licence, the operators, Mykhaylo Pavlenko and Alina Vavilova, gain unhindered access to top-tier European merchant accounts and acquiring banks. However, the whistleblower evidence suggests this Irish entity is not conducting legitimate, local bookmaking. Instead, it is being utilized as a shell payment gateway for the NovaForge Group. When a player deposits money into Robycasino (which operates under a weak offshore license), the transaction is diverted to Zentoria’s Irish merchant account. To ensure the player’s bank or credit card issuer doesn’t flag the transaction as illegal offshore gambling, Zentoria applies the descriptor “Spinsopotamia.com.” This setup presents a massive compliance breach. Irish regulatory frameworks require strict Anti-Money Laundering (AML) controls and fitness/probity checks for all directors. The fact that an Irish-licensed entity is acting as a payment funnel for NovaForge—a group whose brands have been formally blacklisted by the Australian Communications and Media Authority (ACMA)—should trigger immediate intervention by the Irish Department of Justice and the Revenue Commissioners. The “Facade Casino” Strategy Acquiring banks and credit card companies (like Visa and Mastercard) use automated systems to block transactions to blacklisted offshore casinos like Robycasino or Spinsy. To get around this, the NovaForge Group uses Zentoria Limited to set up a “clean” casino facade—in this case, Spinsopotamia.com. Because Zentoria holds an official Irish Remote Bookmaker’s Licence, they can easily go to a European bank and say: “We are a fully licensed, regulated Irish betting company operating Spinsopotamia.com. Please give us a merchant account to process credit cards.” The bank sees the Irish license, approves the merchant account, and gives them the ability to process payments under the billing descriptor “Spinsopotamia.com Dublin.” How the Bait-and-Switch Works Once that payment rail is established, the operators connect the backend of the illegal offshore casinos (Robycasino/Spinsy) to the legal Irish merchant account (Spinsopotamia). An player logs into Robycasino and deposits $100. The payment gateway silently routes that transaction to Zentoria’s merchant account in Dublin. The player’s bank sees a charge from “Spinsopotamia.com Dublin” (an EU-licensed entity) instead of “Robycasino” (a blacklisted offshore entity). The bank approves the transaction, completely unaware they just facilitated an illegal offshore deposit. This makes Spinsopotamia the ultimate Trojan Horse. It exists as a real website primarily to serve as a legitimate front, providing “cover” for the massive volume of illicit transactions flowing to NovaForge’s blacklisted brands. Summary Data: Zentoria Limited CategoryDetailsEntity NameZentoria LimitedCompany Number (CRO)761150Date of Incorporation04 April 2024Registered Address3rd Floor, Waterloo Exchange, Waterloo Road, Dublin 4, IrelandPrincipal Activity[9200] Gambling and Betting ActivitiesKey ExecutivesMykhaylo Pavlenko, Alina VavilovaKnown Billing DescriptorsSpinsopotamia.com DublinAssociated Casino NetworkNovaForge Group (Robycasino, Spinsy) Export to Sheets Call for Whistleblowers: Help Us Expose the Network The FinTelegram Investigative Team is actively expanding its dossier on Zentoria Limited, Mykhaylo Pavlenko, Alina Vavilova, and the NovaForge Group. We need to map every node of this payment network to present a complete case to European regulators and acquiring banks. Have you played at Robycasino, Spinsy, or other NovaForge brands? Do you have bank statements showing charges from “Spinsopotamia.com,” “Zentoria Ltd,” or other obscure European descriptors? Are you an insider in the payment processing industry with knowledge of how Zentoria Limited secures its merchant facilities? Your information is the most powerful tool we have to disrupt these shadow financial networks. Please provide any further information, documents, or personal experiences securely and anonymously via our whistleblower platform: Whistle42. Share Information via Whistle42

In an explosive response to a victim’s complaint, payment giant Skrill has officially confirmed that documented shell companies Briantie Limited and Cyperion Solutions Limited are “on-boarded merchants” who passed its internal checks. While admitting it debited the victim’s bank account for 28 fraudulent transactions, Skrill denies all liability, claiming no “contractual agreement” exists with the payers using its gateway. The Skrill Gateway to Transaction Laundering Skrill’s formal response to the player’s complaint acts as a “smoking gun” for regulators. By refusing to reverse the disputed transactions while simultaneously confirming the status of the predatory merchants, Skrill has exposed a systemic vulnerability in the European payment landscape. 1. Official Confirmation of the Shell Network Skrill has confirmed that Cyperion Solutions Limited and Briantie Limited—entities identified in our investigation as financial shells for the Galaktika N.V. / SoftSwiss ecosystem—are official Skrill merchants. Skrill explicitly listed 28 specific transactions between December 2025 and January 2026 that were routed to these entities through its “Quick Checkout” gateway. Skrill’s email is very revealing and, despite rejecting the complaint, provides several strong angles for escalation. All disputed payments are “gateway payments” via Skrill Quick Checkout where Skrill acts only for the merchant, not for the payer; therefore they do not show in the user’s Skrill wallet history. The disputed transactions were processed for two Skrill merchants – Cyperion Solutions Limited and Briantie Limited – plus their “subsidiary companies, license holders or payment processors”. Skrill explicitly classifies Cyperion Solutions Limited and Briantie Limited as approved merchants that “have passed all relevant checks” and states it is “satisfied” with the business relationship. Skrill acknowledges the customer’s allegations of transaction laundering and illegal gambling, yet still declines to uphold the complaint and pushes responsibility to merchants and authorities. Skrill permanently closed the user’s wallet account and claims to have taken steps to prevent further use of his data, implicitly acknowledging the identity‑theft risk. Read our Shadow Skrill reports here. 2. The “No Contract” Loophole Skrill’s primary defense is a technicality: it claims that for “gateway payments,” it offers services only to the merchant and has no contractual agreement with the payer. This allows Skrill to: Debit a victim’s bank account (appearing as SKR*Skrill.com). Transmit those funds to offshore-linked shells. Wash its hands of the “quality, safety, or legality” of the services provided. This confirms our findings that the “Shadow Skrill” phenomenon is a deliberate feature of their “Quick Checkout” architecture, used by illegal operators to mask the final destination of funds. This is how Skrill frames its responsibility: They rely on a strict distinction between: Wallet payments (user–Skrill contractual relationship), and Gateway/Quick Checkout payments (merchant–Skrill only, payer is not their customer). On that basis, Skrill argues: It is merely providing a “technical environment”, It does not vouch for legality of underlying services, and All disputes should be directed at the merchants, not Skrill. This is a classic outsourcing-of-responsibility defence: they acknowledge processing the transactions, but deny any duty to investigate legality or victim compensation beyond closing the user’s account. 3. Victim Blaming: The Permanent Account Closure In a move described as a “security reason,” Skrill has permanently closed the victim’s account following his report of identity theft. While the merchants who allegedly facilitated the fraud remain “checked” and “satisfied” in Skrill’s eyes, the victim is de-platformed, cutting off his access to internal dispute tools. 4. The Impressive “KYC Check” Failure Skrill maintains that these merchants “passed all relevant checks”. However, our research shows Cyperion Solutions Ltd is registered as a “Management Consultancy” in the UK. The fact that an e-money institution allows a “consultancy” to process thousands of transactions for unlicensed Curaçao casinos (Slotoro/Boomerang-Bet) suggests a catastrophic failure in Skrill’s Know Your Business (KYB) and Merchant Monitoring protocols.+1 Conclusion: The Regulatory Imperative Skrill’s response proves that the Galaktika N.V. network is not operating in the shadows; it is operating through the front door of regulated European payment institutions. By providing the technical environment for transaction laundering while claiming zero liability, Skrill is effectively serving as the financial engine for the “Cloaked Casino Clan.” The Shadow Skrill Setting Entity / InstrumentDocumentation SourceRole in the SchemePaygateSkrill Confirmation Emails Technical Receiver/Gateway: Operates as the “shadow” routing agent for fund transfers.NGPaymentsBank Statements / Skrill Emails Payment Instrument: The technical rail used to mask illegal gambling deposits.Briantie LimitedBank Statement Primary Merchant Account: Cyprus-based shell receiving high-volume deposits. Operates as a “Payment Agent” but often uses generic business descriptions to bypass bank filters.Cyperion SolutionsTransaction ID Logs PayFac Shell: Registered as “Management consultancy” (SIC 70229).Disguises casino deposits as “IT consultancy” services.Novaforge LimitedSkrill Confirmation Logs Secondary Shell: Active beneficiary when primary accounts are throttled. Export to Sheets This documentation definitively places Paygate at the center of the Galaktika/Wiraon financial engine. It acts as the technical “glue” that allows these diverse shell companies to interface with legitimate payment giants like Skrill without triggering immediate fraud alerts. Whistleblower Call to Action: Are you a Skrill or Paysafe employee with knowledge of how Cyperion, Briantie, or Paygate bypassed merchant compliance? We need to know who approved these accounts. Contact us anonymously via Whistle42. Share Information via Whistle42

The Dutch gambling regulator KSA has ordered Polymarket’s operator to stop offering its crypto-based prediction markets to people in the Netherlands, backed by weekly penalty payments that can reach €840,000. The case matters far beyond the Dutch market: it’s a template for EU regulators to treat “event contracts” as illegal remote gambling unless licensed locally—regardless of whether the product is framed as “trading.” Key Points The KSA imposed a “last onder dwangsom” (order under penalty) on Polymarket operator Adventure One QSS Inc., demanding it stop offering unlicensed games of chance to Dutch residents; €420,000 per week, max €840,000. In its published decision, the KSA says Dutch residents could create an account, deposit, and participate without effective technical barriers (geo-blocking), following investigations in July and November 2025. Polymarket argued it is not gambling but a “market” where users trade positions and outcomes reflect information and market dynamics; the KSA rejected this and treated it as a Wok-prohibited offering without a Dutch licence. The UK has now publicly clarified that prediction markets offered in Great Britain would be treated as gambling products (and require appropriate licensing). In the US, the regulatory story is split: the Commodity Futures Trading Commission (CFTC) previously sanctioned Polymarket for offering event-based binary options/swaps via an unregistered facility (a 2022 order with a $1.4m penalty and wind-down requirements). Short Narrative The KSA’s message is blunt: if Dutch users can access the platform and stake money-like value on uncertain events, it is remote gambling—licence required. The regulator’s decision frames Polymarket as providing “opportunity to participate” in a game of chance without authorisation under Dutch law, and it backs the stop order with meaningful weekly penalties. This is also not just about consumer protection boilerplate. Dutch public debate has focused on politically sensitive markets (elections, coalition formation) and the risk that such markets can incentivize manipulation, insider behaviour, or public distrust—especially where crypto rails and pseudonymity complicate supervision. Extended Analysis 1) How Prediction Markets Work (and why regulators don’t buy the “it’s just trading” defence) Most prediction markets list “Yes/No” contracts on an event (e.g., “Candidate X wins”). A contract price (say, 0.63) is marketed as an implied probability (63%). Users can buy/sell positions before settlement; at resolution, a winning share pays out and a losing share goes to zero (or close), with settlement often relying on an oracle or defined data source. From a compliance lens, the functional test is simple: stake → chance/uncertainty → payout. Whether the UI says “trade” or “bet,” and whether pricing is formed by an order book or an AMM, regulators frequently classify the product as gambling (EU/UK) or as a derivative (US)—either way, it triggers licensing/authorisation. The KSA decision explicitly records Polymarket’s argument that outcomes are not “pure chance” because informed traders can act; it still treats the offering as a prohibited, unlicensed game of chance under Dutch law. 2) Why the KSA Banned Polymarket The published Dutch decision matters because it reads like an enforcement checklist for any cross-border prediction market: Market access from the Netherlands: the KSA’s investigators could register and participate from Dutch IP space; no effective blocking measures were in place. No Dutch remote-gambling licence: the operator was not authorised for online gambling in the Netherlands. Enforcement posture: the KSA justifies penalties by pointing to core objectives: consumer protection, addiction prevention, fraud/crime prevention, and safe payments—classic gambling-supervision pillars. In other words: this is not a nuanced “MiCA vs MiFID” debate. The KSA is treating the product as gambling first, crypto second. 3) US vs UK: Two Different Legal Boxes, Same Compliance Outcome United States: The CFTC has already acted against Polymarket’s earlier structure, treating its event-based binary options as “swaps” and sanctioning the platform for operating an unregistered facility / non-designated contract market (with a $1.4m penalty and wind-down obligations).Meanwhile, the US environment remains contested, with ongoing clashes between federal derivatives framing and state-level gambling enforcement narratives around event contracts. United Kingdom: The Gambling Commission has now set out that prediction markets, if offered in Great Britain, sit within existing gambling law and would need the appropriate permissions—pushing the model toward a “betting exchange” compliance posture rather than a “financial markets” one. 4) What this means for the EU The EU has no single “prediction market” passport. Gambling is largely regulated at member-state level, and the KSA action signals where enforcement is heading: availability + participation = local licensing exposure. Practical consequences for prediction markets operating (or marketed) into the EU: Geo-fencing becomes non-optional: regulators will test access, onboarding, deposits, and UX “market targeting” factors (language, local events, local marketing). The KSA’s investigation narrative shows exactly how. Crypto rails don’t reduce licensing risk—often the opposite: they raise AML/consumer-protection concerns and make “we’re not targeting you” arguments weaker when access is frictionless. EU expansion strategy shifts to regulated betting-exchange models: in practice, the UK’s position suggests the compliance route is gambling licensing (where available) rather than trying to free-ride on “financial product” narratives. Expect copycat enforcement across the EU: public reporting already notes blocking/illegality debates in neighbouring jurisdictions; the Dutch order adds a fresh, exportable enforcement pattern. Actionable Insight If you operate (or invest in) a prediction market touching the EU: treat the KSA decision as a regulatory routing signal. Your core risk is not “token compliance”—it’s unlicensed gambling distribution, with enforcement triggered by mere accessibility. The minimum viable compliance posture now looks like: hard geo-blocking, EU-market abstention by default, and a jurisdiction-by-jurisdiction licensing strategy (or a pivot into fully regulated betting exchange frameworks). Call for Information Have you used Polymarket (or similar prediction markets) from within the EU—especially the Netherlands—or seen payment facilitators, wallet rails, “localisation” tactics, or influencer campaigns aimed at EU users? Send evidence (screenshots, transaction trails, affiliate links, domain clones, onboarding flows) via Whistle42.com. Insiders at operators, PSPs, or marketing affiliates: we also want to hear how geo-blocking and market targeting decisions are made. Share Information via Whistle42