The notorious Galaktika N.V. network, operating through its Slotoro and Boomerang-Bet brands, has been caught utilizing sophisticated “cloaking” techniques and fraudulent portals to infiltrate the mobile ecosystems of Apple and Google. While Slotoro masquerades as a harmless puzzle game named “Lines and Knots: Puzzle World” on the App Store, both brands employ deceptive “Google Play” badges to funnel users through “Ghost” domains to download unverified, high-risk malware designed to harvest sensitive KYC data for identity theft. The Analysis: Harvesting KYC Data & Identity Theft The App Store Infiltration Strategy Open‑source information indicates that Slotoro (https://slotoro.bet) is operated by Wiraon B.V. under a Curaçao license and promoted via the V.Partners affiliate network, which also markets several Galaktika N.V. casinos. Investigative sources and insider information suggests that Slotoro shares backend infrastructure and payment channels with Galaktika‑branded casinos. The distribution model of Slotoro (linked to Galaktika N.V.) represents a masterclass in regulatory evasion. Our analysis of the links provided reveals a two-pronged attack on mobile ecosystems: 1. The Apple App Store “Shell” App Slotoro has successfully bypassed Apple’s rigorous review process by submitting a “shell app.” The Disguise: On the official Apple App Store, the app is listed as “Lines and Knots: Puzzle World” (ID: 6738087359), developed by an entity called KATO Oy. The Bait-and-Switch: While the App Store description promises a “fantastic way to solve puzzles,” the actual application—once installed and connected to the operator’s servers—transforms into the Slotoro casino interface. This is achieved through “cloaking” or “code-switching,” where the app displays a different UI based on the user’s IP address or a server-side trigger. Compliance Violation: This is a direct violation of Apple’s Guideline 5.3 (Gambling), which requires valid licensing for all jurisdictions and strictly prohibits deceptive app behavior. 2. The Android “Ghost” Pipeline For Android, Slotoro avoids the Google Play Store entirely, likely due to previous bans. The Domain: Users are directed to https://fisodao2.com/ to download a raw .apk file. The Risk: Direct APK downloads are a primary vector for the “Identity Theft Cycle” previously reported. By bypassing the Play Store’s “Play Protect,” the operator can embed the malicious code that players have identified as the source of his compromised KYC data and bank details. The Boomerang-Bet Fraudulent App Distribution The Deceptive Badge: Screenshots from the Boomerang-Bet interface show a prominent “GET IT ON Google Play” badge. This is a psychological “trust anchor” designed to make users believe they are downloading a verified, secure app from the official Google store. The Redirection to Unverified APKs: Instead of linking to the official Google Play Store, these badges lead to unauthorized domains such as https://boomerang-bet-android.com/. On these sites, users are prompted to download a raw .apk file (e.g., Boomerang-Bet.apk). Bypassing Security: By forcing users to download an APK directly, the operator bypasses “Google Play Protect” and other standard mobile security filters. This is the exact mechanism used to install the malicious code that harvests the KYC data (passports) and banking details reported by the victim. Operational Overlap: The documents show that both brands share this specific technical infrastructure. For example, Slotoro uses the domain slotoro36.bet for its APK downloads, while Boomerang-Bet uses boomerang-bet-android.com or boomerang-bet0101.com. Conclusion: A Unified Fraud Scheme The use of the domain https://boomerang-bet-android.com/ is not a legitimate service but a malicious distribution node. This confirms that the fraudulent app strategy is a core operational pillar for the entire Galaktika N.V. / Wiraon B.V. network. Both Slotoro and Boomerang-Bet function as “trapdoors” where the promise of a mobile gaming experience is used to facilitate high-level identity theft and transaction laundering. Connecting the Dots: Galaktika N.V. and Cyperion While Slotoro and Boomerang-Bet operate under offshore Curaçao licenses (Wiraon B.V./Galaktika N.V.), they utilize the Affilka tracking infrastructure provided by SoftSwiss. This highlights a critical regulatory failure: an MGA-regulated entity (SoftSwiss) providing the technical “backbone” for brands engaged in documented identity theft and unlicensed payment processing. This obfuscated distribution network is the “top of the funnel” for the financial scheme involving Cyperion Solutions Limited, and NGPayments. The Download: Victim installs the “Puzzle” app or the “Ghost” APK. The Deposit: The victim is prompted to deposit via NGPayments, which masks the transaction to various receiving entities. The Fraud: Funds are diverted to unauthorized “Shadow Skrill” accounts while the player is presented with rigged games. The use of KATO Oy as a front developer in the Apple App Store for the Slotoro app confirms that the Galaktika N.V. network is expanding its infrastructure to include proxy developers to protect its primary brands from being de-platformed. We urge Apple’s compliance team to investigate ID 6738087359 and its developer immediately. ased on the detailed examination of the Skrill confirmation emails and bank statements provided, Paygate is indeed a critical technical recipient and routing agent within this financial network. While entities like Cyperion Solutions Limited and Briantie Limited are named as the primary legal beneficiaries in the email headers, the documentation confirms that Paygate functions alongside NGPayments as the underlying technical payment instrument. Financial Architecture of The “Shadow skr*Skrill.com” Scheme The evidence from the player’s Skrill notifications reveals that Paygate serves as a core technical receiver or gateway through which funds are funneled before reaching the offshore casino. Technical Distribution: Paygate appears in the “Payment Instrument” or “Transaction Details” section of the confirmation emails, often interchangeable with NGPayments. Layered Recipients: The transaction flow is designed so that a single deposit of, for example, €20.00 is initiated via a fraudulent app, routed through Paygate, and settled to a merchant account like Novaforge Limited or Briantie Limited, all while being masked as “SKR*Skrill.com” on the user’s bank statement. Fraud Persistence: By naming Paygate as a technical receiver, the operators can distribute payment traffic across multiple “shadow” accounts. This explains why the victim receives official Skrill emails mentioning these entities, yet their own Skrill account remains empty—the funds were never intended for the victim’s account but were instead processed through a third-party merchant account managed by Paygate. Given that key beneficiaries are registered as consulting companies rather than licensed payment agents or gambling operators, and that merchant coding/branding concealed the link to offshore casinos (Slotoro, Boomerang‑Bet, beef.casino), the pattern is consistent with transaction‑laundering and misuse of e‑money infrastructure to disguise high‑risk gambling and possible identity‑theft activity Overview Table: Payment Entities & Roles Entity / InstrumentDocumentation SourceRole in the SchemePaygateSkrill Confirmation Emails Technical Receiver/Gateway: Operates as the “shadow” routing agent for fund transfers.NGPaymentsBank Statements / Skrill Emails Payment Instrument: The technical rail used to mask illegal gambling deposits.Briantie LimitedBank Statement Primary Merchant Account: Cyprus-based shell receiving high-volume deposits. Operates as a “Payment Agent” but often uses generic business descriptions to bypass bank filters.Cyperion SolutionsTransaction ID Logs PayFac Shell: Registered as “Management consultancy” (SIC 70229).Disguises casino deposits as “IT consultancy” services.Novaforge LimitedSkrill Confirmation Logs Secondary Shell: Active beneficiary when primary accounts are throttled. Export to Sheets This documentation definitively places Paygate at the center of the Galaktika/Wiraon financial engine. It acts as the technical “glue” that allows these diverse shell companies to interface with legitimate payment giants like Skrill without triggering immediate fraud alerts. Warning for Victims If you receive a Skrill confirmation email but cannot find the transaction in your official app history, your data has been used to create a ‘Shadow Account.’ Do not contact the casino support—contact your bank and law enforcement immediately. The victim reporting this case had to replace his National ID card and reset all banking credentials. Whistleblower Call to Action: Do you have information about KATO Oy or the developers behind the Slotoro/Galaktika app shells? Are you an app store reviewer who has seen similar cloaking patterns? Contact us via Whistle42. Share Information via Whistle42

A massive escalation in the Galaktika N.V. fraud case reveals that stolen KYC data is being used to create “Shadow Skrill” accounts. Victims are lured via fake Google Play Store interfaces into downloading malicious APKs, while their identities are laundered through a web of shell companies including Cyperion Solutions and Novaforge. Read our initial report on Cyperion and NGPayments here. Analysis: The “Double-Sided” Fraud Architecture The latest evidence provided by a player exposes a level of sophistication that moves beyond simple unlicensed gambling into organized cybercrime. The “Galaktika Scheme” now shows a clear two-stage lifecycle: Data Harvesting and Financial Hijacking. According to the website Slotoro.bet is owned and operated by Wiraon B.V., Curaçao, while payments are managed by Briantie Limited. 1. The “Fake Play Store” Malware Trap The investigation confirms that brands like Boomerang-Bet and Slotoro are using fraudulent “Get it on Google Play” badges. Instead of the secure Play Store, users are redirected to download a raw .apk file. The Malware: These files are designed to bypass device security to harvest SMS codes (for 2FA) and personal files. The Verification Scam: The “mandatory verification” is a front for identity theft. Once the victim uploads their passport, the data is immediately sold or reused within the network. 2. The “Shadow Skrill” Phenomenon The most alarming discovery is the discrepancy between the player’s bank statements and their official Skrill history. The Mechanism: The victim receives “official” Skrill confirmation emails, but their app history shows “Data not found.” The Interpretation: This confirms that the operators are using the victim’s card details on a third-party Skrill account (a “mule” account). By using a different account, they ensure the victim cannot easily charge back the transaction through the Skrill interface, while still using Skrill’s “clean” branding to pacify the victim’s bank. 3. Definitive Proof of Identity Laundering The support logs from beef.casino provide a “smoking gun.” Seeing a personal billing account linked to suspicious addresses like jony35@inbox.lv and ieva.gustina07@gmail.com proves that the Galaktika N.V. ecosystem operates a shared database of stolen identities. These identities are likely used to: Bypass “one account per person” rules for bonus abuse. Layer transactions to hide the volume of money flowing to offshore entities. Learn more about the Briantie Group here. The Shadow Skrill Accounts Explained Based on the documentation provided by the player, the existence of “Shadow Skrill” accounts (unauthorized Skrill accounts created using stolen identities to process third-party cards) has moved beyond a working hypothesis and is a documented fact in this specific case. The certainty of this claim is supported by three primary pieces of evidence found in the player’s files: The Transaction Discrepancy: The player provided official transaction confirmation emails from no-reply@email.skrill.com for payments totaling hundreds of euros to entities like Cyperion Solutions Limited and Briantie Limited. However, the player’s official Skrill app and web history show “Data not found” or no record of these transactions. This confirms that while the player’s card was charged via Skrill’s infrastructure, it was not processed through their personal Skrill account. Direct Proof of Identity Hijacking: Evidence from the support area of beef.casino (an associated brand) shows the player’s internal billing profile linked to multiple unauthorized third-party email addresses, such as jony35@inbox.lv, ieva.gustina07@gmail.com, and kaltinieks@inbox.lv. This is definitive proof that their KYC (Know Your Customer) data and payment information are being used by the operator to manage a network of “mule” accounts. The “NGPayments” / “Paygate” Rail: The documentation shows that the payments were routed through technical instruments labeled NGPayments and Paygate. These gateways act as the bridge that allows the fraudulent accounts to interface with regulated processors like Skrill and Paysafe while using misleading descriptors like “SKR*Skrill.com” on bank statements to pacify the victim’s bank. The documentation proves a deliberate bypass of the player’s own Skrill account. By using stolen identity data harvested through malicious APK files (masquerading as Google Play apps), the operators have successfully created a parallel financial structure where they control both the “player” account and the “merchant” entity, leaving the victim with no recourse through standard consumer protection channels. The Payment Rail: Mapping the Shells The transaction flow utilizes a rotating cast of “Payment Agents” to stay ahead of bank blacklists. The current active nodes in this network include: Cyperion Solutions Limited: (UK/Cyprus) The primary conduit for “NGPayments.” Novaforge Limited / Briantie Limited: Secondary shells used when primary accounts are throttled. Paygate: The technical switchboard for these transactions. Conclusion & Regulatory Warning This case proves that Paysafe (Skrill/Rapid Transfer) has a critical vulnerability: their infrastructure is being used to facilitate “unauthorized account” processing. Regulators like the FCA and CySEC must investigate why merchant accounts for “consultancies” like Cyperion Solutions are permitted to process third-party cards without matching the account owner’s identity. Whistleblower Call to Action: Are you a victim of the Galaktika N.V. network? Did you find your identity used on unauthorized emails? Please send your evidence to Whistle42. We are especially looking for internal communications from the “V.Partners” or “Galaktika” affiliate teams. Share Information via Whistle42

A leaked transaction receipt from a victim of the Galaktika N.V. casino scheme reveals the use of “NGPayments.” This technical layer acts as a cloaking device, allowing high-risk offshore casinos to exploit the Skrill and Rapid Transfer networks while masking the true destination of funds through UK and Cyprus-based shell companies. Key Facts Cyperion Solutions Limited (Cyprus, reg. no. HE 460916) acts as a merchant/payee for online casino deposits routed via Skrill/Rapid Transfer.​ Payments are processed over the NGPAYments infrastructure, which provides a white‑label cross‑border payment platform.​​ At least one victim reports misuse of KYC and payment data across multiple casino accounts and has allegedly filed complaints with law enforcement, the bank, and payment providers. While there are no shared directors between the two entities, compelling evidence suggests they function as coordinated components of the same financial infrastructure used to facilitate unlicensed gambling transactions. The Corporate Shell Game: Cyperion Solutions Limited Our research into Cyperion Solutions Limited reveals a classic “split-jurisdiction” strategy designed to confuse regulators and banks: The UK Entity (Cyperion Solutions Ltd): Incorporated on June 2, 2025 (Company No. 16488847), with a registered office in Northwich, England. It is registered under SIC code 70229 (“Management consultancy activities other than financial management”). This misclassification is a hallmark of transaction laundering—claiming to provide “consultancy” while actually processing millions in high-risk gambling funds. The Cyprus Entity (Cyperion Solutions Limited): (Reg. HE 460916) Incorporated in June 2024. This entity is often used to hold merchant accounts with European banks, providing the “legitimacy” needed to access the SEPA and Rapid Transfer networks. Factual Overlap of the Cyperion Entities FeatureCyperion Solutions Ltd (UK)Cyperion Solutions Limited (Cyprus)Company Number16488847HE 460916IncorporationJune 2, 2025June 4, 2024Key PersonnelPeter Joseph Hobson, Craig Robert ThomasKyriakos MavrommatisRegistered ActivityManagement consultancy (SIC 70229)Private Limited Company Export to Sheets Evidence of Operational Connection Identical Branding and Timeline: Both companies use the same name and were established within exactly one year of each other. This is a standard pattern in creating a “multi-layered” corporate structure to obscure the final destination of funds. The “PayFac” Model: Investigative evidence shows “Cyperion Solutions Limited” appearing as a beneficiary for payments to illegal gambling brands like Boomerang-Bet and Slotoro. The Cyprus entity typically holds the merchant account with European banks, while the UK entity provides a “legitimate” consultancy front to bypass automated compliance triggers at major processors like Skrill. Transaction Laundering Evidence: A player-provided bank statement explicitly links Cyperion Solutions Limited to a payment instrument where the bank statement entry appears as “SKR*Skrill.com” despite the funds being routed to Cyperion. This proves that one or both of these entities are being used to mask the true nature of high-risk gambling deposits. Geographic Arbitrage: Using British directors for the UK shell and a Cypriot director for the Cyprus arm is a tactical move to prevent immediate linking through simple database searches. This “distance” allows the network to keep one entity active if the other is flagged or “burned” by regulators. In summary: While they are legally distinct, their identical names, proximate incorporation dates, and shared role in the Galaktika N.V. payment rail strongly indicate they are sister shells in a professional money laundering operation. Technical Analysis: Decoding “NGPayments” In the context of the player’s report, NGPayments is not a consumer-facing bank but a technical payment gateway or aggregator. It serves as the “middleman” software that connects the illegal casino’s checkout page to regulated payment processors like Skrill. The Masking Layer: The receipt shows a payment of 20.00 EUR to Cyperion Solutions Limited, yet the statement note explicitly warns that it will appear as SKR*Skrill.com. This is a definitive indicator of Transaction Laundering (TL). The NGPayments Role: NGPayments likely operates as a “White Label” payment gateway. It allows the operator to swap merchant accounts (like Cyperion Solutions, Novaforge, or Briantie) instantly if one is flagged or “burned” by bank compliance teams. Bypassing KYC/AML: By using the NGPayments instrument, the Galaktika network can present a “clean” transaction to Skrill, making it appear as a standard e-commerce payment rather than a high-risk deposit into an unlicensed casino. The Cyperion Connection: A Professional Analysis The evidence suggests that Cyperion Solutions Limited acts as a specialized Payment Facilitator (PayFac) for the Galaktika N.V. brands (Boomerang-Bet, Slotoro). Identity Hijacking: The player’s report that their KYC data was reused across multiple unauthorized emails (e.g., jony35@inbox.lv) suggests that entities like Cyperion are not just processing money, but may be part of a broader “Mule” network. Regulatory Arbitrage: By utilizing NGPayments to route through a UK/Cyprus-registered entity (Cyperion), the operators exploit the trust associated with European jurisdictions to process funds from victims in Latvia and beyond. Conclusion for FinTelegram This receipt is the “smoking gun” for regulators. It proves that Skrill and Paysafe (Rapid Transfer) are being systematically bypassed by the NGPayments/Cyperion nexus. The technical manipulation reported by the victim—including rigged slots and malicious APKs—is funded entirely through this specific payment rail. Whistleblower Call to Action: Are you an employee of a payment gateway or bank who has flagged NGPayments or Cyperion Solutions Limited? We need to know which acquiring banks are providing the merchant IDs (MIDs) for these transactions. Contact us via Whistle42. Share Information via Whistle42

A coordinated “Jewels” operation involving Ukrainian nationals, London-based shell companies, and the SoftSwiss-powered RevDuck network has been unmasked. New evidence reveals how Lyntec Limited acts as a financial front for illegal fiat deposits, masking gambling transactions as “IT consultancy” services. The intelligence trail connects the HolyLuck / TrueLuck / Booms.bet casino cluster to a tightly controlled offshore operation fronted from London’s Great Portland Street – and wired into the SoftSwiss/Affilka infrastructure FinTelegram has already exposed. What looks like a loose affiliate constellation increasingly resembles a coordinated “Jewels” payment and branding scam operated by Ukrainian controllers. “GEMCEBR”: Decoding the Transaction Laundering Player bank statements show the descriptor “GEMCEBR LONDON GBR” on deposits that in reality fund unlicensed casinos such as HolyLuck and TrueLuck, not any legitimate “gems” marketplace. A key discovery in this intelligence report is the bank descriptor “GEMCEBR LONDON GBR.” This is a textbook example of Transaction Laundering (TL). The Mask: The descriptor mimics the name of the legitimate “Centre for Economics and Business Research” (CEBR) to avoid scrutiny from bank compliance algorithms. The Reality: The “GEM” prefix acts as a internal corporate signature for the “Jewels” syndicate, which includes offshore entities like Sapphire Summit S.R.L. and Gem Limitada. Independent player-discussion threads list “GEMCEBR, London” among descriptors encountered in disputes tied to Curaçao-licensed gambling sites and merchant-category concerns. This mirrors FinTelegram’s earlier findings that the RevDuck network reuses Sapphire Summit S.R.L. (reg. no. 3‑102‑903325) across multiple brands and regulatory actions, including the KSA fine against Booms.bet (read more about the TrueLuck sister sites here). The Great Portland Street Pipeline The network utilizes the “virtual office” hub at 167-169 and 85 Great Portland Street, London to create a veneer of UK legitimacy. Lyntec Limited (Company No. 15919943): Incorporated in August 2024, this entity is registered as an “IT consultancy.” Our research confirms it is controlled by Ukrainian nationals Maksym Buriachenko and Kyrylo Lehkodukh (until Nov 2025). The Shell Strategy: By registering as a consultancy, Lyntec can access the traditional banking system to process fiat deposits that would otherwise be flagged as high-risk gambling transactions. In FinTelegram’s risk taxonomy, such “IT/marketing” façades on Great Portland Street are typical of transaction‑laundering fronts that disguise gambling flows as benign B2B services. Ukrainian Control and the RevDuck–Lyntec Link The whistleblower’s claim that both “brains” (RevDuck) and “wallet” (Lyntec) are Ukrainian-controlled finds partial confirmation. Independent industry sources and FinTelegram’s previous RevDuck dossier describe RevDuck’s operational teams as Ukrainian and deeply embedded in the SoftSwiss/Affilka ecosystem. Read our report on the RevDuck network here. While public records do not (yet) formally link RevDuck and Lyntec, the shared nationality pattern, matching Great Portland Street environment, and overlapping casino cluster are strong circumstantial indicators of a coordinated structure rather than independent actors. Transaction Laundering via Lyntec and the SoftSwiss Layer From a compliance perspective, the GEMCEBR descriptor and London “IT consultancy” cover point to classic transaction laundering: Players from restricted markets (e.g., the Netherlands) deposit in fiat under a neutral London descriptor. Lyntec appears as the merchant of record, masking the underlying gambling nature from banks and card schemes. Funds are then routed to offshore operators such as Sapphire Summit S.R.L. (Costa Rica) and linked “Gem” entities behind TrueLuck, HolyLuck, and Booms.bet. FinTelegram’s earlier report already documented that RevDuck operates on SoftSwiss’s Affilka platform, with Affilka providing the tracking, reporting, and affiliate payment backbone for this cluster. The Lyntec thread now suggests that, in addition to crypto/payment rails linked to SoftSwiss’s broader “payment hub” allegations, dedicated UK shells are spun up to handle card traffic under misleading descriptors. Key Data EntityTypeRegistration / LicenseRoleBrands / ConnectionsSoftSwiss / Stable Aggregator LtdB2B Platform & AggregatorMalta: MGA/B2B/942/2022Technology hub; casino platform, game aggregation, Affilka affiliate system, payment orchestrationDama, N1 Interactive, Hollycorn, Stable Tech, Novatrix, RevDuckRevDuckwww.revduck.comAffiliate Network / OperatorCosta Rica (via rotating SRL entities)“Offshore projects” operator using Affilka; systematic Dutch market targetingHolyluck, Trueluck, KokobetHolyluckwww.holyluck.comwww.holyluckX.comwww.holy-luck.orgOffshoreOnline CasinoCosta Rica: Zephyr Holding SRL (3-102-926727) / Gem Limitada,Yakadea SRL Sapphire Summit SRLUK: Lyntec Limited(geo-switched)Unlicensed casino targeting Netherlands; geo-evasion via holyluck2.comRevDuck networkTrueluckhttps://thetrueluck.comOffshoreOnline CasinoCosta Rica: Sapphire Summit SRL (3-102-903325)UK: Lyntec LimitedUnlicensed casino; explicit NL marketing; same Costa Rica entity as KSA-fined Booms.betRevDuck networkKokobetwww.koko.betOffshoreOnline CasinoCosta Rica: 3-102-897762 LTDALate 2024 launch; RevDuck network brandRevDuck networkBooms.betOnline CasinoCosta Rica: Sapphire Summit SRL (3-102-903325)KSA fine: €840,000 (Jan 2026) for illegal NL operations; same reg. as TrueluckIndependent but structural parallelAffilkawww.affilka.comAffiliate PlatformSoftSwiss GroupCyprus: Zellero LimitedAffiliate management, tracking, reporting; powers RevDuck and 100+ casino brandsRevDuck, N1 Partners, and SoftSwiss client baseDream Finance GroupCoinsPaid / CryptoProcessingCrypto Payment ProcessorsEstonia: Dream Finance OÜ (Reg. 14783543, FIU licence FVT000166)Crypto rails for SoftSwiss casinos; co-founded by SoftSwiss founder Ivan MontikDama, Hollycorn, Stable Tech, RevDuck affiliatesLyntec LimitedPayment facilitatorUK / Company No: 15919943MD: Maksym Buriachenko and Kyrylo Lehkodukh (until Nov 2025)Payment layer for transaction launderingSoftSwiss, RevDuck, Affilka Conclusion and Call for Information The portrayal of RevDuck as “just an affiliate” is no longer credible. The jewel‑themed branding, the reuse of Sapphire Summit S.R.L., the Great Portland Street shell setup, Ukrainian beneficial ownership of Lyntec, and the Affilka integration together indicate a single, highly structured illegal iGaming enterprise, not a decentralized network. FinTelegram will continue to investigate Lyntec Limited (15919943), the GEMCEBR descriptor, and associated banking partners as potential transaction‑laundering channels for the RevDuck/SoftSwiss ecosystem. Industry insiders, current or former employees of Lyntec, RevDuck, SoftSwiss/Affilka clients, processors, or banks seeing GEMCEBR‑tagged flows are urgently invited to submit documents and intelligence via the secure Whistle42 platform. All submissions will be treated confidentially and may be decisive in enabling regulators and law enforcement to shut down this network. Share Information via Whistle42

Explosive testimony from SoftSwiss founder Ivan Montik in the Munich Wirecard trial reveals the direct lineage between MGA-regulated entities and offshore shadow operations. Despite claims of being a mere B2B provider, the court’s rejection of Montik’s “not a PSP” defense highlights a massive, unlicensed financial scheme involving hundreds of millions of euros. Key Facts A court witness identified Direx N.V. as the former “Softswiss N.V.” and said it is now named “Dama N.V.”, all domiciled in Curaçao. Montik described Direx as a B2B provider that “forwarded income” received via Wirecard to casino “clients,” while denying PSP status. The presiding judge rejected the denial, lecturing that he “knows by now what a PSP is and what not.” Defense confronted the witness with a payments list totaling €422m into Direx and rounded outbound transfers; the witness claimed no knowledge and referenced a finance director “Ivan Schubowski (or similar).” FinTelegram previously linked SoftSwiss Direx/Dama Wirecard processing volumes and described the broader casino network structure. SoftSwiss is presented as operated via Stable Aggregator Limited under Malta Gaming Authority licence MGA/B2B/942/2022. The Court Testimony The testimony of Ivan Montik in September 2025 marks a watershed moment for regulatory transparency in the iGaming sector. For years, FinTelegram has exposed the intricate web connecting SoftSwiss, Direx N.V., and Dama N.V. In court, Montik finally confirmed under oath what investigators have long maintained: the seamless evolution and shared identity of these entities. This September 2025 courtroom episode matters because it moves the SoftSwiss/Dama/Wirecard discussion from “investigative reconstruction” to a business-model explanation given in a criminal trial setting. If an entity (Direx/Dama) receives aggregated player funds through a regulated processor (Wirecard) and then redistributes those funds to multiple third-party “casino clients,” that is functionally payment intermediation — whatever label is used on slides or contracts. Read our SoftSwiss reports here. The PSP Shell Game The most damning moment of the proceedings occurred when Montik attempted to distance his operations from financial intermediation. While Montik characterized his business as purely B2B software services, the presiding judge took the extraordinary step of lecturing the witness, stating he “knows by now what a PSP [Payment Service Provider] is.” This judicial intervention effectively classifies the SoftSwiss/Direx/Dama apparatus as an unlicensed PSP. By “forwarding income” from online gaming through Wirecard to offshore clients, the group operated as a shadow bank. This aligns with FinTelegram’s previous reports suggesting that SoftSwiss provides more than just code; it provides a non-transparent financial pipeline for high-risk gambling operations. Our investigations indicate that Dream Finance Group—operating the brands CoinsPaid and CryptoProcessing—is part of the wider business ecosystem associated with Ivan Montik, who has publicly presented himself as a co-founder. We further understand that the network around SoftSwiss and Dream Finance has expanded to include Russian investors. In parallel, whistleblowers and a growing number of online media reports have raised recurring allegations of money-laundering exposure linked to SoftSwiss-connected structures. Against that backdrop, Montik’s sworn testimony in the Wirecard criminal trial aligns with the pattern FinTelegram has been documenting: a tightly integrated “casino + white-label + payments” ecosystem. As previously reported, we consider Dream Finance to be a relevant component of this payment hub, particularly for crypto-payment routing. Most recently, Dream Finance was forced to suspend its crypto-asset related services in Lithuania, at least temporarily. The €422 Million Disconnect Evidence presented by Dr. Braun’s defense revealed a staggering €422 million flowing into Direx accounts. These funds were redistributed via “repeating regular rounded payments”—a classic red flag for money laundering or automated shadow accounting. Montik’s defense—claiming ignorance of these flows despite being the CEO and pointing toward a Finance Director—appears increasingly untenable given the scale of the transactions. Regulatory Contradictions: MGA vs. Curaçao The testimony creates a terminal conflict for the Malta Gaming Authority (MGA). SoftSwiss currently operates via the MGA-regulated Stable Aggregator Limited. However, Montik’s admission that this ecosystem is inextricably linked to Dama N.V. (a Curaçao-based entity frequently flagged for operating in “grey” markets) places the MGA in a precarious position. The court’s findings suggest that a regulated European entity is being used as a “clean” front for a massive offshore scheme. Conclusion Montik’s testimony validates FinTelegram’s long-standing warnings. The “White Label” model used by SoftSwiss is not merely a technical solution but a regulatory shield for unlicensed payment processing. As the Wirecard trial continues to peel back the layers of European fintech corruption, the focus must now shift to the regulators who allowed the SoftSwiss/Dama nexus to operate with impunity. Whistleblower Call to Action Do you have information regarding the internal financial structures of SoftSwiss, Dama N.V., or Stable Aggregator Limited? Help us expose the shadow economy. Please provide any documents or tips via the Whistle42 whistleblower platform. Your anonymity is our priority. Share Information via Whistle42

The Briantie Group, centered around Cyprus entity Briantie Limited and Curaçao‑licensed Wiraon B.V., illustrates a high‑risk model in which offshore casino operators leverage EU‑based payment agents and opaque crypto processors to target players in prohibited markets such as Italy. The group’s structure, domain practices, and payment setup raise significant regulatory and AML/CTF red flags. Corporate and operational setup Briantie Limited is a Cyprus‑registered private limited company that appears to act as an EU‑based payment and operational agent for Verde Casino and related brands, while core gambling licensing is outsourced to Curaçao entity Wiraon B.V. (license 8048/JAZ). Together, these entities form what can be described as the Briantie Group, combining EU and offshore components to distribute regulatory and enforcement risk. In this model, Curaçao provides the nominal gambling licence and hosting structure, while Cyprus offers access to SEPA banking, EU payment institutions, and a veneer of single‑market proximity to target European players, including those in restricted jurisdictions. Domain and targeting practices In the FinTelegram Verde Casino review, we identified the use of mutated and parameter‑stuffed URLs such as https://85verdecasino.com/it-it#https://85verdecasino.com/it-it# that are clearly tailored to Italian‑language users. This points to deliberate geo‑targeting of players in Italy, a jurisdiction where unlicensed online casinos are prohibited and subject to enforcement. The use of such mutated domains is a classic circumvention tactic: by deploying multiple, often short‑lived domains and URL variants, operators can evade blacklists, dilute brand traceability, and obfuscate the technical footprint of their illegal offerings. Crypto payments and TheDex Our Verde Casino review also revealed a broad range of crypto payment options routed through third‑party gateways, including the anonymous operator TheDex (thedex.cloud). TheDex presents itself as a crypto exchange or payment gateway but provides minimal, if any, corporate, licensing, or ownership transparency. The cyber rating agency RatEx42 has already black-listed TheDex over its facilitation of illegal casinos. We again identified the involvement of the Polish provider ChainValley, which appears to facilitate synthetic FIAT deposits: customer bank transfers are first used to purchase cryptocurrencies, which are then automatically routed by ChainValley to the casino operator as the ultimate beneficiary. From a compliance perspective, this combination of offshore casino operations, EU‑based payment agents, and unlicensed or opaque crypto gateways embedded in the EU payments ecosystem is highly problematic. It undermines customer due diligence, source‑of‑funds scrutiny, and effective transaction monitoring, and it increases exposure to money laundering and sanctions risks. Skrill classifies Briantie Limited as a non‑eligible merchant for its promotional programmes, as evidenced by its inclusion in Skrill’s ‘Non Eligible Skrill Merchants’ list. This classification indicates that established payment service providers actively distinguish and ring‑fence higher‑risk merchants, including operators associated with offshore online gambling, from standard customer reward and incentive schemes.” Compliance analysis Briantie Limited and its associated licensee Wiraon B.V., together with the Verde Casino brand, have been flagged on regulatory watchlists and technical blocklists in multiple jurisdictions, underscoring their status as illegal gambling operators. In particular, the ‘Lithuania Illegal Gambling Operators’ dataset maintained within the OpenSanctions framework lists Briantie Limited among unlicensed providers whose services are deemed unlawful in that jurisdiction. In Italy, the main Verde Casino domain is subject to administrative blocking measures by the Agenzia delle Dogane e dei Monopoli (ADM), which orders ISPs to prevent access to unlicensed gambling sites and routinely updates a national blacklist of prohibited domains. These measures demonstrate that competent authorities are not only aware of the Briantie/Verde setup but have already taken concrete steps—through sanctions-style listings, public blacklists, and technical blocking orders—to restrict its availability and to signal elevated legal and regulatory risk for both players and intermediaries. Our findings: The group structure indicates regulatory arbitrage: Curaçao for light‑touch gambling oversight, Cyprus for EU‑adjacent payments and perceived legitimacy. The apparent role of Briantie Limited as an EU payment agent creates potential supervisory gaps if financial flows are processed through EU banks or payment institutions without accurate merchant categorization and risk profiling. Targeting of players in prohibited markets (e.g., Italy) via mutated domains suggests willful evasion of national gambling regulators and website blocking measures. Use of anonymous or non‑transparent crypto processors such as TheDex significantly elevates AML/CTF risk, undermining FATF‑aligned controls, Travel Rule implementation, and effective tracing of funds. Overall, the Briantie Group exemplifies how illegal casino operators can operate “under the nose” of regulators by fragmenting their operations across offshore entities, EU‑based payment agents, and lightly regulated crypto intermediaries. Key structures and relationships ElementDetailsBrands (casinos)Verde Casino (core brand identified in our review; other white‑label or sister brands possible).Domains85verdecasino.com and mutated/parameterized variants targeting Italy (e.g., /it-it#…).Legal entitiesBriantie Limited (Cyprus, payment/operational agent); Wiraon B.V. (Curaçao, gambling licence holder).IndividualsUltimate beneficial owners and controlling persons not transparently disclosed; further mapping required.Regulatory frameworksCuraçao online gambling regime; Cypriot/EU financial and corporate law; national gambling laws in target markets (e.g., Italy).JurisdictionsOperational and licensing nexus: Curaçao; payment and corporate nexus: Cyprus/EU; targeted player markets: Italy and other EU/third‑country jurisdictions.Payment stackTraditional card/fiat channels plus crypto payment gateways, including the opaque TheDex (thedex.cloud) and Polish on-ramper ChainValley. We invite affected players, payment industry insiders, and former or current staff of Briantie, Verde Casino, TheDex, or connected intermediaries to share documents, experiences, or technical evidence with us confidentially via our whistleblower platform Whistle42. Share Information via Whistle42

A bilingual witness statement describes an alleged “pay-to-borrow” mechanism at First Investment Bank (FIB): a €9.5 million loan tied to a forced €2 million purchase of a seemingly unrecoverable claim. An insider draft frames the transaction as a deliberate leverage tool in the broader Stoyan Staykov and Regent Capital ecosystem. We map what is alleged, what is verifiable, and what regulators should now demand. Key Points The witness alleges a loan condition: a €2m “cession purchase” embedded in a €9.5m facility to finance a strategic stake in Terminal Tiger AD. The claim allegedly sold by the bank is described as economically worthless and linked to companies that were insolvent / non-functional; the witness says a senior bank representative allegedly warned: “there is nothing to collect.” After distress and enforcement, pledged assets reportedly ended up at auction with buyers including INSA OIL and AA Consult Ltd; Public context: FIB’s history includes the 2014 bank-run and liquidity-support episode reviewed by EU institutions and the state-aid framework. FinTelegram has previously reported on Stoyan Staykov’s Vienna-centered network, including patterns of sub-10% stakes, nominee layers, and cross-border flows. The Strategic Investment The witness statement received by FinTelegram provides a granular look at how First Investment Bank (Fibank), under Executive Director Chavdar Zlatev, allegedly leveraged its position to enforce “extraordinary fraud.” In January 2018, NSA Bulgaria EOOD (NSA) initiated a formal application with First Investment Bank AD (PIB) for an earmarked loan to facilitate a major cross-border acquisition. The project centered on a capital increase within its subsidiary, NSA Investment EOOD, to fund the purchase of 72% of the shares in Terminal Tiger AD (AO) for EUR 7,350,000. The target company was then held by the Austrian entity E&A Beteiligungs GmbH (E&A). Regent Capital AD and Logistic Terminal Svilengrad AD (LTS) agreed to serve as co-debtors, pledging their corporate assets as collateral. According to the witness’s account, the responsible manager at Fibank demanded that NSA Bulgaria take out an additional €2 million loan on top of the loan for the purchase price, which was to be used to purchase an alleged claim from an unknown company. These €2 million then disappeared. The witness assumes fraud and kick-back. Read our reports on Stoyan Staykov here. Extended Analysis 1) The Kickback-Pattern If accurately documented, the mechanism resembles a classic disguised-fee / kickback pattern: the bank conditions credit on a separate purchase of an asset the borrower neither wants nor can value—effectively embedding an extra “charge” into the loan proceeds. That raises immediate issues under basic banking conduct and internal control frameworks (credit committee independence, conflicts of interest, related-party considerations, and audit trail integrity). From an AML/CFT standpoint, forcing an economically irrational purchase can function as a value transfer whose ultimate beneficiary is opaque—especially if the receivable traces to shells, insolvent entities, or politically exposed structures. The witness explicitly states it remained unclear who economically benefited from the payment. 2) The enforcement endgame: why auctions matter The witness describes a progression: the borrower struggles; the bank does not substantively engage; then enforcement proceeds via a private enforcement channel (named in the statement), and assets are auctioned. The witness names alleged buyers and links them to broader political/legal networks—exactly the kind of downstream “asset capture” pattern compliance teams should scrutinize: who financed the auction bids, which accounts were used, and whether any counterparties were screened as PEP-adjacent. 3) Regent Capital: The Strategic Lever The role of Regent Capital AD and its ultimate driver, Stoyan Staykov, is central to this architecture. Regent Capital acted as a co-debtor and “hinge” in the transaction. Our analysis suggests Regent Capital was not a mere participant but a “pressure amplifier” used to secure the loan’s approval while simultaneously burdening the borrower with the €2 million “fee”. This aligns with Staykov’s established reputation as a “power broker” who operates in the grey zones between Bulgarian banking interests and international financial structures. 4) Why this lands harder in the FIB context FIB is not a random small lender: it has a long public history that includes the June 2014 bank run and subsequent state liquidity support reviewed under EU state-aid rules.And while this does not validate the witness allegations, it increases the public-interest threshold for transparency about governance and credit practices. Notably, FIB disclosed that Chavdar Zlatev was dismissed as Executive Director and Management Board member effective October 2024. The Vienna Connection: Alpha Bulgaria and Vienna Privatbank Stoyan Staykov’s activities are not confined to Bulgaria. FinTelegram has previously exposed his deep-rooted ties to Vienna and Cyprus, often linked to suspected money laundering operations. Alpha Bulgaria & Wiener Privatbank: Staykov was a key figure behind Alpha Bulgaria, which famously sought to acquire a significant stake in Wiener Privatbank (report here). This move was viewed by compliance experts as a strategic attempt to gain a foothold in the EU banking system, potentially to facilitate the movement of “grey” capital from the Balkans. The Pattern: The Fibank “kickback” scheme fits the broader pattern of Staykov’s operations: using corporate vehicles (like Alpha Bulgaria or Regent Capital) to interface with established banks, creating complex layers of debt and receivables that obscure the true destination of funds. Conclusion and Risk Assessment The testimony is an “exceptional” piece of evidence. It describes a “kickback mechanism” where €2 million of loan tranches were immediately diverted into a pre-signed, illegitimate cession agreement. The fact that the eventual beneficiaries of the subsequent public sale of the pledged assets were entities linked to Delyan Peevski and Aleksandar Angelov further suggests that this could have been a coordinated “asset-stripping” operation enabled by the bank. Summarizing Table The following table summarizes the key individuals and legal entities identified in the witness statement and the analysis of the Stoyan Staykov and First Investment Bank (Fibank) case. Entity / IndividualJurisdictionRole / DescriptionStoyan StaykovBulgaria / AustriaAlleged central power broker and “ultimate driver” behind the corporate network.First Investment Bank (PIB)/FibankBulgariaThe lender accused of enforcing an illegitimate “cession agreement” as a condition for a loan.Chavdar ZlatevBulgariaExecutive Director of Fibank; allegedly dictated the extortionate loan conditions.Regent Capital ADBulgariaA company linked to Staykov; acted as a co-debtor and strategic “hinge” for the loan.NSA Bulgaria / NSA InvestmentBulgariaThe borrowing entities forced into the EUR 2 million “kickback” transaction.Terminal Tiger AD (AO)Russia / BulgariaThe target company of the acquisition financed by the loan.E&A Beteiligungs GmbHAustriaThe parent company of Terminal Tiger AD and seller of the shares.PST Group EADBulgariaOne of the “insolvent” companies from which the borrower was forced to buy a claim.Patishta Stara Zagora EADBulgariaThe second insolvent company involved in the allegedly fraudulent claim purchase.Logistic Terminal Svilengrad (LTS)BulgariaA co-debtor for the bank loan.Stoyan YakimovBulgariaPrivate enforcement agent (bailiff) who handled the public sale of the pledged assets.AA Consult Ltd. / Aleksandar AngelovBulgariaWinners of the public sale; Angelov is noted as a lawyer for Delyan Peevski.Alpha BulgariaBulgariaA vehicle used by Staykov in an attempt to acquire a stake in Vienna Privatbank. Export to Sheets Call for Information If you have information regarding Stoyan Staykov, Regent Capital AD, or the inner workings of First Investment Bank (Fibank), we want to hear from you. Help us expose the networks facilitating money laundering between Sofia, Vienna, and Cyprus. Share your information safely and anonymously via our whistleblower platform, Whistle42. Share Information via Whistle42

The Canadian MSB CenturaPay (Canamoney Exchange Ltd) has been slapped with a Red Risk Signal on RatEx42. Investigations reveal its pivotal role as a high-risk payment agent, facilitating illegal offshore gambling deposits by piggybacking on the infrastructure of established processors like MiFinity. As regulators tighten the noose, the “Canadian Bridge” is beginning to buckle. Analysis: CenturaPay, MiFinity, and the Architecture of Obfuscation The recent Red Listing of CenturaPay on the RatEx42 compliance platform is the result of a multi-month forensic deep-dive into the “Stellar” and “Spinbara” casino groups. Our findings establish a direct operational link between the Canadian-registered Canamoney Exchange Ltd and the notorious high-risk payment processor MiFinity. 1. The MiFinity Mutualism FinTelegram has identified a recurring pattern where MiFinity, an FCA-regulated e-wallet, is used as a “trusted front” for gambling deposits. However, when the “Direct Bank Transfer” or “Crypto-on-Ramp” options are selected within the MiFinity environment or alongside it in a casino’s cashier, CenturaPay often appears as the underlying settlement agent. The Tactic: CenturaPay utilizes its Canadian FINTRAC MSB license to provide the “fiat-to-crypto” bridge. By processing the transaction through a Canadian entity, the gambling-related Merchant Category Code (MCC) is stripped and replaced with a “Currency Exchange” or “Digital Asset Purchase” descriptor. The Benefit: This allows high-risk operators to process funds from “blocked” jurisdictions like Germany and Italy while maintaining the appearance of legitimate financial activity through MiFinity’s regulated rails. 2. Why the Red Listing? The RatEx42 Red Signal for CenturaPay is driven by three critical factors: Systemic Masking: The deliberate use of misleading transaction descriptors to bypass banking AML filters. Regulatory Arbitrage: Exploiting the relatively lax oversight of Canadian MSBs to facilitate European gambling deposits that would be illegal under MiCA or national laws. Entity Overlap: CenturaPay has been found in the same “payment cascades” as utPay and CoinsPaid, both of which were recently suspended or liquidated following regulatory intervention. 3. The “Stellar” Influence Our traffic intelligence indicates that CenturaPay is a preferred “dark rail” for the Stellar Group of casinos. These casinos use a rotating fleet of “mutated domains” to stay ahead of ISP blocks, but the underlying payment infrastructure—the CenturaPay API—remains a constant, providing the liquidity needed to move millions in player deposits every month. Call to Action: Players and Insiders FinTelegram and RatEx42 are actively mapping the bank accounts and settlement routes used by Canamoney Exchange Ltd (CenturaPay) and its partners. To Players: Have you deposited funds into an online casino (e.g., Frumzi, FatPirate, Spinbara) where CenturaPay or Canamoney appeared on your bank statement or credit card bill? Please send us a screenshot of the transaction descriptor. To Insiders: Do you have information on the fee-sharing agreements between CenturaPay and high-risk processors like MiFinity? Are you aware of the specific liquidity providers CenturaPay uses for its crypto on-ramps? Submit your evidence anonymously via the Whistle42.com whistleblower platform. Every piece of data helps us bring transparency to the shadow banking world. Share Information via Whistle42

A cache of internal communications leaked by a high-level whistleblower has finally shattered the wall of separation between CoinsPaid and the notorious AlphaPo. The evidence reveals a coordinated effort by CEO Max Krupyshev and Head of Legal Maria Akulenko to mask financial interdependencies, including a mysterious loan from AlphaPo and direct executive overlaps. As the MiCA “Guillotine” falls in Lithuania, the true scale of this “Shadow Rail” ecosystem is coming to light. Analysis: The Smoking Gun in the CoinsPaid-AlphaPo Connection For years, the Dream Finance Group (operating as CoinsPaid and CryptoProcessing) has maintained a public image of a regulated, security-first crypto processor. However, new evidence provided by a verified former manager—including WhatsApp and Slack screenshots—proves that CoinsPaid and AlphaPo (AP) were not just partners, but two arms of the same “shadow” infrastructure serving the high-risk iGaming industry. 1. Max Krupyshev: The Dual Executive Role The leaked WhatsApp communications show Max Krupyshev, CEO of CoinsPaid, directly discussing AlphaPo’s liquidity and operational status with Chainalysis investigators. The Evidence: The whistleblower confirms that Krupyshev held an executive role at AlphaPo simultaneously with his leadership at CoinsPaid. The Significance: This executive overlap is a massive conflict of interest and a regulatory red flag. It suggests that while CoinsPaid was the “clean” front-facing brand, AlphaPo served as the high-risk “underworld” rail. Krupyshev’s direct involvement in AlphaPo’s liquidity issues—especially around the time of the $60M Lazarus Group hack—indicates he was managing a single pool of risk across both entities. 2. Maria Akulenko: Compliance as a Mask Perhaps the most explosive evidence comes from Maria Akulenko (LinkedIn profile), former Head of Legal and Compliance at CoinsPaid. The Evidence: A Slack message shows Akulenko explicitly instructing staff to “never use AP [AlphaPo] and CoinsPaid issues in the same email communication.” The Analysis: Akulenko, who frequently represented CoinsPaid in MiCA regulatory discussions in Brussels, appears to have been actively engineering the “legal separation” of entities she knew were financially and operationally linked. Instead of ensuring transparency, the Head of Legal was actively coaching employees on how to avoid creating a “paper trail” that regulators or auditors could follow. This “siloing” of information is a classic hallmark of financial obfuscation. 3. The AlphaPo-Dream Finance “Loan” This insider evidence perfectly aligns with reports from FOCOS and El Salvador Now regarding a $1 million (or $2.1 million in some tranches) loan granted by AlphaPo to the Dream Finance entity in El Salvador. The Context: AlphaPo was used as a “fiat-to-crypto” buffer for offshore casinos. The loan to Dream Finance suggests that AlphaPo was not just a service provider but a source of capital for the group. The Danger: Using a high-risk entity (AlphaPo) that was later tied to North Korean money laundering (Lazarus Group) to fund a “regulated” EU group (Dream Finance) is the ultimate compliance nightmare. Context: The “Guillotine” and the Global Retreat The timing of these leaks is critical. With the RatEx42 Blacklisting of Dream Finance and the suspension of their Lithuanian license (Dream Finance UAB), it appears the group is in a frantic “de-risking” mode. The liquidation of their Polish and Salvadoran entities (as previously reported) is likely an attempt to destroy the very connections these screenshots now prove. The connection to SoftSwiss remains the core of the web. By using CoinsPaid and AlphaPo as captive rails, SoftSwiss created a closed-loop system where gambling funds could be processed, converted, and laundered away from the eyes of European regulators. Call to Action: Whistle42 The veil is lifting, but more information is needed to map the full flow of funds. We are looking for: Documentation regarding the SoftSwiss-AlphaPo-CoinsPaid triangular shareholding. Proof of other “loans” or inter-company transfers between Dream Finance OÜ (Estonia) and AlphaPo. Details on the “New Bridge” strategy being offered to merchants following the Lithuanian shutdown. Submit your evidence anonymously via Whistle42.com. Your identity is our highest priority. Share Information via Whistle42

A breakthrough in the Dream Finance investigation reveals a global retreat. Following the MiCA-triggered blackout in Lithuania, new insider intel and local reports confirm the liquidation of the group’s entities in El Salvador and Poland. From mysterious loans from AlphaPo to UBO links with SoftSwiss, the veil of transparency is finally being lifted on the Dream Finance empire. Analysis: The Fragmentation of a High-Risk Payment Empire Following our recent report on the “MiCA Guillotine” falling on Dream Finance UAB in Lithuania, FinTelegram has received critical insider intelligence that paints a picture of a global corporate “clean-up.” This information, corroborated by external investigative reports from FOCOS and El Salvador Now, suggests that the Dream Finance Group (operating as CoinsPaid and CryptoProcessing) is systematically dissolving secondary entities to bury toxic financial trails. 1. The El Salvador Exit: Shadow Loans and Offshore Havens The liquidation of Dream Finance (El Salvador), which reportedly began in March 2024, is more than a routine closure. According to investigations by FOCOS, the entity was utilized to “safeguard” over $2.1 million from offshore casinos located in tax havens. Most alarming for compliance officers is the revelation of a “weird loan” taken from AlphaPo. AlphaPo (website), a crypto processor notorious for its involvement in high-risk gambling and for being the target of a massive $60M hack (linked to the Lazarus Group), has long been rumored to be part of the same ecosystem as CoinsPaid. A direct financial link—in the form of a loan—suggests a level of commingling and mutual dependency that exceeds a standard business relationship. 2. The Polish Liquidation: Proving the SoftSwiss UBO Link The dissolution of Dream Finance (Poland) provides the “smoking gun” regarding the group’s beneficial ownership. The naming of Pavel Kashuba and Dmitry Yatzkau, aka Dmitry Yaikau aka Dzmitry Yaikau, close partners of SoftSwiss and CoinsPaid founder Ivan Montik, as the UBOs of the Polish entity confirms what FinTelegram has asserted for years: CoinsPaid and SoftSwiss are two sides of the same coin. Pavel Kashuba is a well-known figure in the SoftSwiss executive structure (often cited as CFO). This connection validates the hypothesis that CoinsPaid serves primarily as a “captive” payment rail for the SoftSwiss iGaming empire, designed to process gambling funds under the guise of an independent crypto service provider. 3. Contextualizing the Pattern: Why the Retreat? This news provides vital context to the RatEx42 “Black” listing of Dream Finance. The pattern is clear: Lithuania: Suspended due to MiCA’s inability to tolerate high-risk gambling flows. El Salvador: Liquidated after being exposed for shielding casino funds. Poland: Liquidated after UBO links became too visible. For compliance analysts, this looks like a “Controlled Demolition.” By liquidating these entities, the group likely seeks to terminate legal trails, making it harder for regulators to map the historical flow of funds between offshore casinos, AlphaPo, and the SoftSwiss core. Go to the Dream Finance listing on RatEx42 here. The Compliance Verdict: Transparency via Whistleblowers The information provided by our community is proving more effective than official registries. The collapse of the El Salvador and Polish entities, combined with the Lithuanian shutdown, indicates that the “Shadow Rail” model is under existential threat. The RatEx42 Critical (Black) Rating for Dream Finance is hereby reinforced. Any financial institution still interacting with the remaining Estonian or North American entities of this group must account for the high probability of hidden liabilities and toxic history involving AlphaPo. Read our AlphaPo reports here. Whistle42: A Call to the Inner Circle We thank the whistleblowers who are helping to bring transparency to the Dream Finance/SoftSwiss web. Your information is vital for protecting the integrity of the European financial market. Do you have documents related to the AlphaPo loan? Are you aware of where the $2.1 million in El Salvador was moved after liquidation? Do you have internal emails regarding the MiCA transition strategy for the Estonian entity? Share Information via Whistle42 Submit your evidence anonymously via Whistle42.com. Help us map the truth.

Our ongoing monitoring of the Lithuanian VASP register and the high-risk payment landscape shows that the “MiCA Guillotine” has claimed several other entities that previously served as key rails for the iGaming and offshore sectors. We are currently tracking a “Shadow Rail Contagion” where several other processors have either gone “dark,” relocated to less stringent jurisdictions, or are operating in a legal gray zone. This seems to be the first wave of a systemic regulatory purge in the Baltics.Below is our analysis of other high-risk VASPs and payment processors currently under pressure or having recently “pivoted” due to the January 1, 2026, MiCA enforcement deadline. The “Shadow Rail” Contagion: Affected Entities & Regulatory Refugees 1. Match2Pay (Match2Pay UAB) Status: High Risk / Under Review. * Analysis: Historically one of the most prominent “card-to-crypto” on-ramps for the gambling industry in Lithuania. While Match2Pay UAB previously boasted of its Lithuanian registration, our latest data indicates it was not among the small group of ~30 companies that successfully secured a MiCA CASP license by the deadline. We are currently seeing “Technical Maintenance” notices on several of its integration points. 2. Ari10 (Ari10 UAB) Status: Jurisdictional Migration. Analysis: A significant player in the Polish and Baltic crypto-fiat exchange market. Following the Bank of Lithuania’s tightening, Ari10 has increasingly shifted its operational weight to its Polish VASP registration. Poland currently offers a temporary “regulatory shelter” as its MiCA enforcement timeline is slightly behind Lithuania’s “cliff-edge” approach. 3. CryptoProcessing (Dream Finance UAB) Status: Technically Suspended (Lithuania). Analysis: As the B2B brand of the Dream Finance/CoinsPaid group, CryptoProcessing’s Lithuanian infrastructure is officially offline. Merchants who relied on this rail are being redirected to “alternative group entities” in Estonia (OÜ) or Canada, though these entities cannot legally provide passported services into the EU without a MiCA CASP license. 4. Paymero & SegoPay Status: “Ghost Gateways” (Deregistered). Analysis: These entities have historically functioned as anonymized “Front-End” gateways for high-risk traffic. Our December 2025 traffic analysis showed a massive drop-off in their Lithuanian-hosted endpoints. They appear to have moved to “Sovereign/Self-Hosted” models (using protocols like PayRam or BTCPay Server) to avoid the custodial regulatory requirements of MiCA. Comparative Analysis: The “Polish Shelter” Strategy Our research shows a massive migration of high-risk VASPs from Vilnius to Warsaw. In the last quarter of 2025, over 22 Lithuanian VASPs relocated their “regulatory base” to Poland. Compliance Warning: This is a temporary arbitrage. Poland’s “AML-only” registration will likely be invalidated by mid-2026 as ESMA (European Securities and Markets Authority) moves to harmonize enforcement. For banks and PSPs, accepting traffic from a Polish-registered VASP that was recently “flushed” out of Lithuania represents a Significant AML Red Flag. Actionable Intelligence for Regulators & Banks The following red flags are currently being observed as these suspended entities try to maintain operations: The “Technical Integration” Excuse: Entities claiming they no longer provide “crypto services” but only “technical payment software” while still facilitating gambling deposits. Descriptor Masking: A shift in bank statement descriptors from company names (e.g., “utPay”) to generic terms (e.g., “Online Service,” “Digital Topup”) to hide the connection to a suspended VASP. Non-EU “Pass-Throughs”: Using Canadian or UAE-based entities to process EU player deposits, which is a direct violation of MiCA’s reverse solicitation rules. Call for Information We are specifically looking for information on Match2Pay UAB and any other Lithuanian entities currently operating under “Consultancy” or “Software” agreements after losing their VASP status. Are you an operator who has been offered a “new rail” to replace utPay or CoinsPaid? Send the integration details and bank account info to Whistle42.com. Your identity will remain strictly confidential. Would you like me to generate a specific “Red Flag Alert” for the banking partners (like Postbank or Revolut) regarding these migration tactics? Share Information via Whistle42

The Lithuanian crypto landscape is undergoing a violent contraction. Following the suspension of utPay, the iGaming crypto giant Dream Finance UAB d/b/a CoinsPaid and CryptoProcessing has officially shuttered its Lithuanian operations. As the MiCA “grandfathering” period expires, the Bank of Lithuania is flushing out high-risk processors, leaving the SoftSwiss-linked empire to retreat to Estonian and North American strongholds. Key Facts CoinsPaid’s Legal Hub states: Dream Finance UAB (Lithuania) temporarily suspended all crypto-asset services, including onboarding, execution of transactions, and concluding new agreements; the site remains for legal/regulatory info and contacts. CoinsPaid lists Dream Finance US LLC (Delaware) and Dream Finance Processing Inc. (Canada) as additional group entities (MSB registrations referenced on its disclosures). The Bank of Lithuania warns Lithuania’s transitional period ends 31 Dec 2025; after that, providers without MiCA licensing lose the right to operate in Lithuania. Context: FinTelegram recently reported a MiCA-related suspension affecting another Lithuania-linked crypto and iGaming facilitator (utPay), suggesting a broader enforcement/clean-up wave. A Coordinated Exit or a Forced Retreat? The announcement by Dream Finance UAB (the Lithuanian arm of the Dream Finance Group headed by Max Krupyshev) of a “temporary suspension” of all crypto-asset services marks a watershed moment for the iGaming payment sector. As of early 2026, the “Wild West” era of Lithuanian crypto registration is definitively over. Our analysis explores the regulatory mechanics and the broader implications for the SoftSwiss/CoinsPaid ecosystem. 1. The “Cliff-Edge” of MiCA Compliance The suspension is no coincidence. December 31, 2025, served as the final “cliff-edge” for the Lithuanian VASP transition. Under the Markets in Crypto-Assets (MiCA) regulation, the Bank of Lithuania has replaced the previous low-barrier registration model with a rigorous CASP authorization process. Capital Thresholds: Firms must now demonstrate a minimum of €125,000 in fully paid-up capital. The “Fit and Proper” Filter: Regulators have intensified scrutiny on beneficial owners and management. The Pattern: Much like utPay (Utrg UAB), CoinsPaid’s decision to “suspend” rather than “obtain” a license suggests either a failed application or a strategic withdrawal to avoid a public license revocation. Read our utPay report on the shutdown here. 2. The SoftSwiss Connection and the iGaming Web CoinsPaid/Dream Finance is not merely a payment processor; it is the financial backbone of the SoftSwiss iGaming group. FinTelegram’s intelligence indicates that both entities are controlled by the same beneficial owners, positioning CoinsPaid as the primary crypto rail for thousands of online casinos. By processing an estimated €23 billion in transactions, CoinsPaid sits at the center of the high-risk “shadow banking” sector. The loss of a Lithuanian license—previously a badge of “EU regulation”—undermines the group’s perceived legitimacy and complicates its ability to maintain Euro-denominated fiat rails. Read our CoinsPaid reports here. 3. Jurisdictional Arbitrage: The Estonian and North American Pivot While the Lithuanian doors have closed, the Dream Finance Group is far from dormant. Estonia: Dream Finance OÜ remains active, banking on Estonia’s slightly different (though also tightening) regulatory timeline. North America: The existence of Dream Finance US LLC (Delaware) and Dream Finance Processing Inc. (Canada) indicates a calculated effort to preserve “Western” corporate identities to satisfy merchants and banking partners. However, under MiCA’s “passporting” rules, without a valid CASP license from a primary EU regulator (like the Bank of Lithuania), these entities cannot legally target or serve the broader EU market. The Compliance Verdict The “temporary” nature of this suspension is likely a euphemism for a permanent exit from the Lithuanian jurisdiction. For compliance officers and banking partners, the message is clear: The Dream Finance entities are currently operating outside the regulated perimeter of the Lithuanian financial system. Hopefully, the transition to MiCA is successfully “flushing” the high-risk gambling ecosystem out of the Baltics. The compliance question regulators and counterparties should ask is not only “did they apply?” but also “what happens to flows during the transition?” CoinsPaid markets itself as a major crypto payments ecosystem, widely used in high-risk verticals like iGaming. A Lithuania pause combined with a continuing Estonia hub creates a practical concern: service continuity may shift jurisdictionally, while risk exposure (merchant portfolio quality, KYB depth, transaction monitoring, downstream casino networks) remains the same problem—just routed differently Whistle42: Call for Information Are you an insider at Dream Finance or SoftSwiss with knowledge of the Bank of Lithuania’s specific enforcement actions? Do you have information on how funds are being rerouted through Estonian or North American entities to bypass EU restrictions? Submit your evidence anonymously via Whistle42.com. Your data is essential to maintaining transparency in the crypto-iGaming sector. Share Information via Whistle42

Our latest Stellar-casino reviews (WinBay, AllySpin, LuckyMax, Spinbara and related “domain mutations”) show a familiar pattern: unlicensed casino access + rail obfuscation. Players are routed through anonymous open-banking checkout domains and “gateway cascades,” while “fake bank deposits” appear to be executed via crypto purchases routed through ChainValley and other on/off-ramp infrastructure. Traffic intelligence suggests the system is heavily Germany-skewed, with mainstream banks repeatedly appearing in the journey. I. Payment Infrastructure as Crime Facilitator Open banking was designed to revolutionize European payments through transparency, security, and consumer empowerment. Account-to-account transfers authenticated via bank-grade biometrics, instant settlement, and financial data sharing for KYC verification promised to create safer, more efficient payment ecosystems. What FinTelegram has documented is the systematic perversion of this infrastructure. FinTelegram identified three payment gateways—operating with domain carousel without disclosed beneficial ownership, regulatory oversight, or transparent corporate structures—have hijacked open banking rails to process what traffic intelligence suggests are well over one million casino deposit transactions monthly, predominantly from German players to operators holding no German gambling licenses. The operational architecture is elegant in its deception: Players see: “Bank Transfer,” “Instant Banking,” or “Sofortüberweisung” options in casino cashiers—familiar, trusted payment methods. Banks process: Generic account-to-account transfers to entities presenting as financial technology providers or payment processors, not gambling merchants. Regulators encounter: Payment flows categorized as “financial services” or “technology services,” evading gambling-specific Merchant Category Codes (MCCs) and payment blocking orders. Casino operators receive: Instant settlement of player deposits without traditional payment processor oversight, chargeback risk, or meaningful AML scrutiny. The result is a parallel payment infrastructure that systematically undermines three years of German enforcement efforts under the Glücksspielstaatsvertrag 2021, Dutch KSA payment blocking initiatives, and Italian ADM concession requirements—while leveraging the trust and security of European banks to facilitate illegal activity at industrial scale. II. The Anonymized Gateway Network: TransactGrid, PayByBank, & BankLayer Our analysis reveals a highly centralized “Gateway Stack” designed for obfuscation. TransactGrid (checkout.transactgrid.com): The core “Black Rail” of the operation. With 760,000+ monthly visits, it serves as the final settlement point for multiple referring sites. PayByBank (openbanking.paybybank.net): A specialized “feeder” gateway. Our data shows 100% of its destination traffic is funneled directly into TransactGrid. This indicates that PayByBank acts as a “white-label” front to provide a veneer of legitimacy to the underlying TransactGrid infrastructure. BankLayer (checkout.banklayer.org): Focused almost exclusively on the Stellar Group (Frumzi, Allyspin, Supabet). This gateway serves as a dedicated rail for Stellar’s “mutated” domains—disposable URLs (e.g., frumzi756723.com) used to evade ISP blocks. Target Market Analysis Despite holding only an Anjouan license—which explicitly does not authorize service to German, Dutch, or Italian players—Stellar casinos generate 92%+ of their open banking traffic from Germany. This geographic concentration, combined with German-language interfaces, Euro as primary currency, and integration with German banking infrastructure (Postbank, Sparkasse branding in payment flows), demonstrates active and deliberate targeting of German players in direct violation of the Glücksspielstaatsvertrag 2021. Aggregate Traffic Analysis: The Scale of Illegal Deposit Infrastructure GatewayDec 2025 VisitsAvg. DurationGermany %Merchant Profilecheckout.transactgrid.com760,0004-8 min97%+Multi-casinoopenbanking.paybybank.net78,0004-8 min87%Multi-casinocheckout.banklayer.org400,0004-8 min92%+Stellar exclusiveTOTAL1,238,000~6 min~95%Illegal offshore Interpretation Framework The 4-8 minute average visit duration is a critical data point. Open banking payment flows require: Gateway landing and bank selection (30-60 seconds) Redirect to bank authentication portal (10-20 seconds) Bank credential entry and 2FA/biometric authentication (1-3 minutes) Payment consent review and authorization (30-60 seconds) Return redirect to merchant and deposit confirmation (30-60 seconds) Total expected duration for completed transactions: 4-7 minutes. The observed 4-8 minute average strongly suggests that the vast majority of these 1.2+ million visits represent completed or attempted payment transactions, not casual browsing or abandoned flows. Combined with the exclusive casino referral sources and 95%+ German traffic concentration, the evidence supports the conclusion that these gateways processed approximately 1.2 million illegal casino deposit transactions from German, Dutch, and Italian players in December 2025 alone.​ Annualized estimate: 14+ million transactions processed through anonymous open banking gateways to unlicensed offshore casinos. III. The “Fake Fiat” Bridge: ChainValley & The VASP Exploit Some casinos, like Spinbara (Spinbara1.com) utilize (additionally) a more deceptive technique known as “Crypto-on-Ramp Laundering” via the Polish VASP ChainValley (app.chainvalley.pro). The Deception: Players are prompted to make a “bank deposit.” In reality, they are redirected to ChainValley to purchase USDT or BTC, which is instantly transferred to the casino. Regulatory Loophole: ChainValley exploits the Polish VASP Registry, which has been criticized by European regulators for its low barrier to entry. By operating under a “Virtual Asset” license, they process fiat-to-crypto flows that the player believes are simple fiat deposits. Volume: Over 217,000 visits in December 2025. The 5-minute average stay duration strongly correlates with the time required to complete a 3D-Secure bank transfer and a crypto-on-ramp purchase. IV. The utPay Shutdown: A MiCA Success Story? As previously reported, utPay (app.utpay.io) was a major player in this ecosystem, handling 610,000 visits in December. The suspension of their crypto services in January 2026, citing MiCA (Regulation EU 2023/1114), is a significant event. Analysis: It is highly probable that the Bank of Lithuania intervened after identifying utPay’s role as a facilitator for high-risk gambling. Under MiCA, VASPs face significantly higher scrutiny regarding their “Merchant Base.” A provider whose traffic is 80% gambling-related (as our data suggests) would likely fail the “fit and proper” test required for a MiCA-compliant CASP license. V. Compliance Assessment & Red Flags This multi-layered architecture is designed to bypass the “Gambling Merchant Category Code” (MCC 7995). By using Open Banking: Merchant Identity is Hidden: The bank sees a transfer to “TransactGrid” or “ChainValley,” not “WinBay Casino.” No Chargeback Protection: Unlike card payments, bank-to-bank transfers via these gateways offer players zero protection, making them the preferred method for predatory offshore operators. Call to Action for Players & Insiders FinTelegram is actively mapping the bank accounts used by TransactGrid, BankLayer, and ChainValley. Have you made a deposit to these sites? Check your bank statement. What was the name of the recipient? Insiders: Do you have information on the beneficial owners of the TransactGrid or PayByBank domains? Submit your evidence anonymously via Whistle42.com. Help us protect the European financial system from shadow banking. Share Information via Whistle42

Lithuanian virtual asset service provider UTRG UAB, operating as utPay, has suspended all crypto-asset services effective January 1, 2026, citing MiCA compliance requirements and awaiting authorization from the Bank of Lithuania. This suspension comes after extensive FinTelegram investigations documented utPay’s systematic role as the primary payment facilitator for a sprawling network of illegal offshore casinos targeting German and European players through deceptive “fake bank transfer” schemes. With 87% of its 720,000 monthly visitors originating from Germany and 58% of traffic driven by unlicensed casino operators—including entities connected to the collapsed Rabidi Group and the Marshall Islands-based NovaForge network—utPay’s sudden service interruption raises critical questions about whether years of facilitating illegal gambling operations directly precipitated its current regulatory predicament, leaving hundreds of casino merchants without payment infrastructure and potentially exposing the company’s leadership to criminal prosecution under Lithuanian law. Read our utPay reports here. The Suspension: A Regulatory Reckoning On January 1, 2026, visitors to utpay.io encountered a stark message that marked the end of one of Lithuania’s most controversial crypto payment operations. UTRG UAB, the Lithuanian virtual asset service provider operating under the utPay brand, announced the immediate suspension of all crypto-asset services, citing the need to “ensure full alignment with the requirements of Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA).” The company’s website now states that it “does not provide any crypto-asset services as defined in MiCA and does not carry out activities listed in Annex IV of the Regulation,” claiming instead to provide only “card section integration and provide technical integration with other partners.” This carefully worded statement represents a dramatic retreat for a payment processor that, just weeks earlier, was processing over 720,000 visits monthly through its primary domain app.utpay.io. The timing is no coincidence. Lithuania’s transitional period for virtual asset service providers (VASPs) to obtain MiCA licenses expired on December 31, 2025—one of the strictest deadlines in the EU. Unlike jurisdictions such as Latvia, Hungary, and Slovenia that opted for six-month transition periods, or countries like Spain that extended timelines to July 2026, Lithuania initially set its deadline for May 31, 2025, before extending it to year-end following intense industry lobbying. The Bank of Lithuania had been unequivocal about the consequences of non-compliance. In multiple public statements throughout late 2025, the central bank warned that after January 1, 2026, any provision of crypto-asset services without a MiCA license would constitute illegal financial activity. The penalties are severe: under the Lithuanian Criminal Code, unlicensed provision of financial services is punishable by public works, fines, restriction of liberty, or imprisonment for up to four years—escalating to seven years in cases involving money laundering. As of mid-2025, approximately 370 entities were registered in Lithuania’s VASP registry, but only 120 were actively operating and generating revenue. By July 2025, merely 30 companies had submitted MiCA license applications to the Bank of Lithuania, with just 10 applications under active assessment. The regulatory bottleneck was severe, and the clock was ticking. UTRG UAB, led by CEO Andrius Atkočaitis, did not publicly disclose whether it submitted a MiCA license application. What is clear is that when the deadline arrived, utPay’s services went dark, leaving its merchant clients—particularly a network of offshore casinos—without a critical payment processing lifeline.​ The Business Model: Fake Bank Transfers and Crypto Camouflage To understand why utPay’s suspension matters, one must first understand what utPay actually did—and for whom. FinTelegram’s compliance investigations, conducted throughout 2024 and 2025, revealed that utPay had evolved into a specialized payment facilitator for illegal offshore casinos, particularly those targeting German players in violation of Germany’s State Treaty on Gambling (Glücksspielstaatsvertrag, GlüStV 2021). The scale of this operation was staggering: in December 2025, app.utpay.io recorded approximately 610,000 visits, with a remarkable 81.06% originating from Germany. The “Fake-Fiat” Payment Scheme WinBay cashier with UTRG dba utPay and ChainValley FinTelegram documented a sophisticated deception mechanism that utPay employed at the heart of its casino integration strategy. When players attempted to deposit funds at participating casinos, utPay was presented on the casino cashier page as a standard “bank transfer” or card deposit option—methods familiar and trusted by European consumers. However, the actual transaction bore no resemblance to a bank transfer. Instead, players were seamlessly routed through a crypto-purchase flow that operated as follows: Initial presentation: The casino checkout displayed utPay as “Banküberweisung” (bank transfer), “Echtzeit-Überweisung” (real-time transfer), or specific bank brands like “Deutsche Postbank,” “Sparkasse,” or “Deutsche Bank.”​ Hidden crypto purchase: Behind this familiar interface, the transaction was actually a cryptocurrency purchase—typically USDC or USDT—from UTRG UAB in its capacity as a registered virtual currency exchange operator. Automatic routing via ChainValley: The purchased crypto was automatically routed through app.chainvalley.pro, a branded checkout interface that functioned as the technical bridge between UTRG’s exchange service and the casino’s wallet. Pre-ticked consent: A small consent line stating “buy crypto and send to the specified address” appeared in the checkout flow, typically already ticked by default. Attempts to change the destination wallet address triggered warnings or were effectively blocked.​ Direct casino delivery: The crypto was immediately transferred to wallet addresses controlled by the casino operator, completing the deposit without ever passing through traditional banking infrastructure. This structure delivered multiple strategic advantages to illegal casino operators—and created corresponding compliance disasters: Regulatory arbitrage: By categorizing transactions as “crypto exchange” rather than “gambling deposits,” the scheme circumvented German payment blocking measures implemented by the Gemeinsame Glücksspielbehörde der Länder (GGL), Germany’s unified gambling regulator. Germany’s payment blocking regime—one of the most aggressive enforcement tools available under GlüStV 2021—had issued over 30 payment blocking orders against payment service providers by mid-2025, cutting off revenue streams to unlicensed operators. utPay’s crypto-based structure rendered these orders ineffective. Bank-side gambling controls bypassed: German banks have implemented internal controls to identify and block gambling-related transactions, particularly to unlicensed operators. By disguising casino deposits as cryptocurrency purchases from a Lithuanian VASP, utPay transactions flew under these detection systems.​ Chargeback elimination: Traditional credit card and bank transfer deposits to online casinos carry chargeback rights—players can dispute transactions if services are not delivered or if the operator is unlicensed. Crypto transfers are irreversible. By converting fiat deposits into immediate crypto transfers, utPay systematically eliminated players’ financial recourse. KYC evasion: FinTelegram investigators documented instances where casino registration required no Know Your Customer (KYC) verification, allowing players to deposit funds via utPay without identity checks—a glaring violation of anti-money laundering requirements.​ Traffic Analysis: The Casino Connection The depth of utPay’s integration with illegal gambling operations becomes undeniable when examining traffic referral patterns. According to FinTelegram’s analysis of November 2025 data, at least 58% of observed traffic to app.utpay.io was driven by casino, gambling, and sports betting websites. The top five traffic referrers were all offshore casino domains:​ Legiano.com (21% of referral traffic) BetAlice.it (21% of referral traffic) Additional unlicensed casino operators including Betsolino, Wazamba, and Cazimbo SimilarWeb data confirmed the pattern: 63.47% of utPay’s desktop traffic originated from referrals, with 99.21% of outgoing links directing users to poker and gambling categories. The user demographics—76.87% male, with the largest age cohort being 35-44 years—precisely matched the profile of online gambling participants. This was not a diversified payment processor serving various legitimate e-commerce merchants. This was a purpose-built gambling payment gateway that had systematically positioned itself as the financial plumbing for a network of operators lacking authorization to serve European markets. The Casino Network: NovaForge, Rabidi, and the Marshall Islands Connection utPay’s client roster reads like a who’s who of illegal offshore gambling operations, with particularly deep connections to two infamous networks: the collapsed Rabidi Group and its suspected successor, NovaForge Ltd. Liernin Enterprises Ltd, which holds a PAGCOR (Philippine Amusement & Gaming Corporation) license, operates alongside NovaForge in managing the post-Rabidi casino portfolio. This licensing strategy is deliberate: PAGCOR licenses are considered legitimate by some regulators but do not authorize service to European or German markets, allowing operators to claim licensing while operating illegally in their primary target jurisdictions.​ FinTelegram’s traffic analysis revealed that casinos operated by NovaForge Ltd were among utPay’s largest clients:​ Legiano (NovaForge Ltd, Marshall Islands, PAGCOR license): Accounted for 21% of utPay’s referral traffic in November 2025. The casino’s deposit options explicitly list utPay under various “bank transfer” brands, routing players through the ChainValley crypto conversion system. BetAlice (NovaForge Ltd): Similarly contributed 21% of referral traffic, utilizing identical payment integration methods.​ Betsolino (Betsolino Limited, UK registration, claiming Curaçao license): Featured utPay as its primary payment gateway operator alongside MiFinity, Rapid, Changelly, and MoonPay. The UK Gambling Commission confirmed no license exists for Betsolino Limited. Wazamba (formerly Rabidi N.V., now operating anonymously): Continued to process payments through Mirata Services and other Cyprus-based agents, with connections to the broader utPay ecosystem.​ This client concentration—where the majority of a payment processor’s business derives from a network of interconnected illegal gambling operators—is not coincidental. It represents a deliberate business model where utPay positioned itself as the specialized financial infrastructure enabling operators to circumvent national gambling regulations and payment blocking regimes. The German Enforcement Landscape: Why utPay Mattered to Illegal Operators To understand why utPay was so valuable to illegal casino networks, one must understand the regulatory environment they faced in their primary target market: Germany. The GlüStV 2021 Framework Germany’s Fourth Interstate Treaty on Gambling (Glücksspielneuregulierungsstaatsvertrag, GlüStV 2021), which entered force in July 2021, established one of Europe’s most restrictive online gambling regimes. The treaty created the Gemeinsame Glücksspielbehörde der Länder (GGL), a centralized federal gambling regulator with sweeping enforcement powers.​ Under GlüStV 2021, online casino operators targeting German players must obtain a German license and comply with extensive restrictions: €1,000 monthly deposit limit per player across all operators €1 maximum stake per casino game spin Mandatory 5-second delay between slot machine spins Complete prohibition of live dealer games Ban on progressive jackpot slots Participation in centralized player database for cross-operator monitoring These restrictions make the German market economically unattractive for many operators, particularly those accustomed to high-volume, high-stake gameplay in other jurisdictions. Consequently, numerous offshore operators—including the NovaForge/Rabidi network—chose to serve German players illegally without licenses, circumventing the restrictions while capturing market share.​ Payment Blocking: The GGL’s Primary Weapon Recognizing that blocking access to illegal gambling websites through IP or DNS blocking faces technical and legal limitations (German courts limited the use of IP blocking via internet service providers in March 2024), the GGL shifted enforcement focus to payment blocking—orders issued to payment service providers prohibiting participation in transactions for unlicensed gambling operations. By mid-2025, the GGL had issued over 30 payment blocking orders and was monitoring 858 German-language gambling websites, with 212 hosting illegal content. This enforcement created significant operational challenges for unlicensed operators, who found traditional payment processors—credit card acquirers, bank transfer services, and established e-wallets—increasingly unwilling to process gambling transactions without verified German licensing. The payment blocking regime works because most traditional payment infrastructure involves German banks, German payment service providers, or international processors with German operations subject to GGL jurisdiction. When the GGL issues a payment blocking order, the vast majority of targeted payment service providers comply immediately, removing payment options from the illegal casino’s website.​ utPay as a Payment Blocking Countermeasure This is where utPay’s Lithuanian jurisdiction and crypto-based structure became strategically valuable to illegal operators. As FinTelegram analyzed:​ Jurisdictional arbitrage: UTRG UAB, registered in Lithuania and licensed only by Lithuanian authorities, was outside direct GGL enforcement reach. While the GGL could theoretically issue payment blocking orders against Lithuanian entities, cross-border enforcement is slower and more complex than domestic actions. Crypto categorization defense: By structuring transactions as cryptocurrency purchases rather than gambling deposits, utPay could claim its service was fundamentally different from traditional gambling payment processing. The player was “buying crypto” from a licensed Lithuanian VASP—that the crypto was immediately sent to a casino wallet was, in this framing, the player’s independent decision. SEPA access maintenance: Despite the crypto conversion backend, utPay’s frontend integrated with European SEPA banking infrastructure and credit card networks, allowing players to fund deposits using familiar, trusted payment methods. This combination—traditional payment rails on the user interface, crypto conversion in the backend—provided the operational advantages of cryptocurrency (irreversibility, jurisdictional opacity) while maintaining the user experience of traditional banking.​ Detection evasion: German banks’ internal gambling transaction detection systems typically flag payments to known casino merchant IDs or to payment processors in high-risk gambling jurisdictions like Malta, Curaçao, or Cyprus. Payments to UTRG UAB, categorized as cryptocurrency purchases from a regulated Lithuanian VASP, would not trigger these gambling-specific controls.​ The result was a payment processing architecture that systematically undermined German gambling enforcement while maintaining sufficient regulatory cover—a Lithuanian VASP registration—to claim legitimacy. MiCA Compliance Barriers The suspension of utPay’s services citing MiCA compliance requirements raises a critical question: Did utPay submit a MiCA license application to the Bank of Lithuania, and if so, why has authorization not been granted? MiCA’s authorization requirements for crypto-asset service providers (CASPs) are extensive: Sound governance frameworks: Demonstration of adequate operational capabilities and qualified management free from conflicts of interest. Capital adequacy: Sufficient capital to manage operational and market risks. AML/CFT compliance: Comprehensive anti-money laundering and counter-terrorism financing programs meeting EU standards. Consumer protection: Clear pricing, risk warnings, complaint resolution procedures, and segregation of client assets. Market abuse prevention: Real-time communication surveillance and controls to prevent market manipulation and insider trading.​ If utPay submitted a MiCA application and the Bank of Lithuania identified the merchant concentration in illegal gambling operations, the extensive German traffic patterns, or the deceptive payment flow structures during its assessment, authorization would likely be refused. The Bank of Lithuania has made clear its intention to maintain high standards and avoid becoming a “crypto haven” or forum-shopping destination. Alternatively, if utPay did not submit a MiCA application by the deadline, its operation of crypto-asset services after December 31, 2025, would constitute illegal financial activity. The company’s statement that it has “temporarily suspended” services “in order to ensure full alignment” with MiCA, combined with the assertion that it “intends to resume the provision of crypto-asset services only after obtaining the relevant authorisation,” suggests ongoing efforts to secure licensing. However, the past cannot be erased—if the Bank of Lithuania’s assessment of UTRG UAB’s historical activities reveals systemic facilitation of illegal gambling, the authority may conclude that the company’s management and governance do not meet MiCA’s “fit and proper” requirements. The Regulatory Cascade: Lithuania’s MiCA Crackdown and European Precedents utPay’s suspension is not an isolated incident but part of a broader regulatory reckoning for virtual asset service providers across the European Union as MiCA implementation accelerates. Lithuania’s Regulatory Posture Lithuania emerged in the late 2010s as a crypto-friendly jurisdiction, with relatively low barriers to VASP registration and a regulatory environment that attracted cryptocurrency businesses seeking EU market access. By 2025, however, the tone had shifted dramatically. The Bank of Lithuania’s statements throughout late 2025 reflected a deliberate policy choice: Lithuania would not become a “crypto haven” or participate in “forum shopping” by maintaining lax standards to attract businesses that could not obtain licenses in more rigorous jurisdictions. This positioning was reinforced by the central bank’s decision to extend the transitional period only to December 31, 2025 (rather than the maximum July 1, 2026, that MiCA permits), and by strong public warnings about criminal prosecution for unlicensed activity.​ Lietuvos Bankas mobilized additional resources to assess the wave of MiCA license applications, yet as of mid-2025, only approximately 30 of 370 registered VASPs had applied, with just 10 applications under assessment. This low conversion rate suggests that the majority of Lithuania’s registered VASPs either lacked the operational substance to meet MiCA requirements, were unable to demonstrate legitimate business models under enhanced scrutiny, or made strategic decisions to wind down rather than undergo rigorous licensing processes. The central bank’s authority to block website access, publish lists of unlicensed providers, and refer cases to law enforcement for criminal prosecution created a credible enforcement threat. For VASPs whose business models relied on regulatory arbitrage—operating in legal gray areas or facilitating activities that would face prohibitions in other jurisdictions—the MiCA transition represented an existential threat. Binance and High-Profile Enforcement The most prominent MiCA compliance crisis in Lithuania involves Bifinity UAB, the Lithuanian entity through which the Binance Group provides cryptocurrency services in Europe. Despite generating nearly €111 million in tax payments to Lithuania since 2022 (including €27.6 million in 2024 alone), Bifinity does not currently hold a MiCA license and therefore cannot legally provide crypto-asset services in Lithuania as of January 1, 2026. The Bank of Lithuania confirmed it is reviewing multiple applications from Binance-related entities but stated unequivocally that neither Bifinity nor Binance currently has authorization under MiCA procedures. If Lithuania’s largest and most prominent cryptocurrency taxpayer cannot secure timely MiCA authorization, the message to smaller, less compliant VASPs like UTRG UAB is clear: past registration under national regimes provides no guarantee of MiCA authorization, and historical economic contribution does not substitute for regulatory compliance.​ The Hypothesis Confirmed: Activities and Consequences Returning to the central question: Did utPay’s systematic facilitation of illegal casino operations cause its current regulatory suspension and potential criminal exposure? The evidence supports a strong affirmative answer across multiple causal pathways: 1. Business Model Incompatibility with MiCA Standards utPay’s core revenue model—processing hundreds of thousands of transactions monthly for unlicensed gambling operators, predominantly targeting German players in violation of German law, using deceptive payment interface design to circumvent regulatory controls—is categorically incompatible with MiCA’s governance, consumer protection, and market integrity requirements. When the Bank of Lithuania assesses MiCA license applications, it evaluates: Fit and proper management: Whether directors and key personnel demonstrate integrity and competence. Business model legitimacy: Whether the CASP’s activities comply with EU and Member State laws. Consumer protection: Whether the service provider implements fair dealing and transparent disclosure. AML/CFT effectiveness: Whether transaction monitoring and suspicious activity reporting meet standards. UTRG UAB’s historical operations fail on all dimensions. Management presided over a business model fundamentally dependent on facilitating violations of Member State gambling law. The “fake bank transfer” interface directly violated consumer protection principles by deceiving users about the nature of transactions. Transaction monitoring and suspicious activity reporting appear entirely absent given the overwhelming concentration of illegal casino clients. If UTRG UAB submitted a MiCA application, these deficiencies would surface during the Bank of Lithuania’s assessment, leading to application refusal. If the company did not submit an application, it would face immediate criminal liability for continuing operations past December 31, 2025. 2. Regulatory Scrutiny and Investigation Probability The extensive public documentation of utPay’s casino facilitation activities by FinTelegram—published reports, traffic analysis, merchant network mapping, and detailed technical documentation of the payment flow mechanisms—ensures that regulatory authorities, law enforcement agencies, and compliance professionals are aware of UTRG UAB’s activities. The Bank of Lithuania and Lithuanian Financial Crimes Investigation Service (FNTT) have explicit mandates to investigate VASPs suspected of facilitating financial crime, money laundering, or violations of EU and Member State regulations. Given the public evidence and the high-profile nature of illegal gambling enforcement in Europe, regulatory investigation of UTRG UAB is probable if not already underway. The suspension of services citing MiCA compliance—rather than a straightforward statement that a license application is pending approval—suggests potential complications in the authorization process or a strategic decision to cease operations rather than undergo scrutiny that could expose criminal liability. 3. Criminal Prosecution Risk Under Lithuanian Law Lithuanian criminal law provides clear penalties for unlicensed provision of financial services: public works, fines, restriction of liberty, or imprisonment up to four years, escalating to seven years for money laundering. Directors of entities engaged in such activities face personal liability and potential professional disqualification across the EU. If Lithuanian authorities conclude that UTRG UAB operated after December 31, 2025, without MiCA authorization, criminal prosecution is mandated. If investigations reveal that management knowingly facilitated illegal gambling operations, structured transactions to deceive users and evade regulatory controls, and failed to implement required AML/CFT measures, additional charges could follow. The German enforcement environment—where over 230 prohibition proceedings, 1,700+ website assessments, and 30+ payment blocking orders demonstrate aggressive pursuit of illegal gambling networks—increases the likelihood of cross-border cooperation. If German authorities identify utPay’s role in circumventing payment blocking and request Lithuanian cooperation through mutual legal assistance channels, the pressure on UTRG UAB intensifies.​ 4. Civil Liability and Reputational Destruction Even if criminal prosecution does not materialize, civil liability exposure is substantial. German and Austrian courts have established precedent for player recovery of losses from illegal gambling operations, with liability potentially extending to facilitators. If organized plaintiff law firms—already actively pursuing hundreds of millions in claims against Rabidi, NovaForge, and associated entities—identify utPay as a deep-pocket facilitator with greater asset recovery potential than offshore shell companies, civil litigation could follow.​ The reputational destruction is already complete. utPay is now publicly documented as a payment facilitator for illegal gambling networks, with detailed investigations published by FinTelegram and cited across compliance intelligence platforms. Any future business venture associated with UTRG UAB’s management, even if under different branding or corporate structures, will face intense scrutiny and association with this history. Conclusion: The Inevitable Collapse of Unsustainable Business Models The suspension of utPay’s crypto-asset services on January 1, 2026, represents far more than a routine regulatory compliance adjustment. It marks the collapse of a payment processing operation whose core business model—facilitating illegal gambling deposits through deceptive “fake bank transfer” mechanisms while exploiting Lithuanian VASP registration for regulatory cover—was fundamentally unsustainable in the post-MiCA enforcement environment. The evidence compiled by FinTelegram across 2024 and 2025 established a clear pattern: 87% of utPay’s 720,000 monthly visitors originated from Germany, despite German law prohibiting unlicensed gambling operations. 58% of traffic was driven by casino and gambling websites, with the top clients being illegal offshore operators connected to the collapsed Rabidi network and Marshall Islands-based NovaForge entities.​ The payment mechanism was deliberately designed to deceive users, presenting gambling deposits as “bank transfers” while actually executing crypto purchases automatically routed to casino wallets. The structure systematically circumvented German payment blocking enforcement, undermining regulatory authority and enabling large-scale violations of gambling law. Lithuania’s decision to enforce a strict December 31, 2025, MiCA transition deadline, combined with the Bank of Lithuania’s explicit stance against becoming a “crypto haven,” created a regulatory environment where VASPs with questionable business models faced binary choices: undergo rigorous licensing scrutiny with high likelihood of refusal, or cease operations and face potential criminal prosecution. For UTRG UAB, neither option was attractive. MiCA authorization would require demonstrating that its historical operations met EU governance, consumer protection, and AML/CFT standards—a demonstration that the public evidence renders impossible. Continuing operations without authorization after the deadline would constitute criminal activity with personal liability for management.​ The result was the only viable path: suspension of services with vague promises of resuming “only after obtaining the relevant authorisation”—authorization that may never come.​ For the illegal casino operators left without critical payment infrastructure, utPay’s shutdown represents a strategic inflection point. The era of regulatory arbitrage through Lithuanian VASPs providing fiat-to-crypto gateways while maintaining plausible legitimacy has ended. The remaining options—fully crypto-native deposit mechanisms, even higher-risk processors in non-EU jurisdictions, or actual licensing compliance—all involve greater friction, lower conversion, and increased legal exposure. European enforcement authorities, having spent years fighting a whack-a-mole battle against offshore casinos while payment facilitators operated with relative impunity, appear to have recognized that cutting the payment rails is more effective than blocking individual casino domains. The aggressive targeting of payment processors in Lithuania, Turkey, and across the EU signals a strategic shift with potentially transformative effects on the illegal gambling ecosystem. utPay’s collapse is not an accident of regulatory timing. It is the predictable consequence of building a business model on facilitating crime, disguising illegal activities through deceptive interface design, and betting that regulators would not look too closely at the traffic patterns, merchant profiles, and transaction flows. In the MiCA era, with European regulators coordinating enforcement and criminal penalties clearly articulated, that bet has failed catastrophically. The question now is not whether utPay will resume services—the evidence suggests resumption is unlikely—but whether criminal prosecutions will follow, how much civil liability will materialize, and whether other VASPs facilitating questionable activities will recognize the warning and wind down operations voluntarily before enforcement comes for them. Call to Action: Whistleblowers and Insiders FinTelegram’s investigation into UTRG UAB (utPay) and the NovaForge/Rabidi illegal casino network is ongoing. While substantial evidence has been compiled through open-source intelligence, corporate registry analysis, traffic data, and technical documentation, critical questions remain unanswered. Share Information via Whistle42

Lithuanian VASP utPay (Utrg UAB) has abruptly suspended crypto operations, citing MiCA compliance. But beneath the regulatory jargon lies a darker history: a persistent facilitator for illegal offshore casinos now caught in the crosshairs of the Bank of Lithuania. Is this a transition, or the end of a shadow-banking era? The Analysis: The Fall of a “Dark Rail” The sudden “voluntary” suspension of crypto services by utPay (Utrg UAB) marks a tectonic shift in the Baltic crypto landscape. While the official statement on utpay.io paints a picture of a responsible entity seeking “regulatory certainty” under the new Markets in Crypto-Assets (MiCA) framework, the context discovered by FinTelegram intelligence tells a far more aggressive story of regulatory bypass and high-risk facilitation. 1. The Hypothesis: Regulatory Choke-Point For years, utPay has been identified as a critical cog in the “payment stacks” of unlicensed offshore casinos. By acting as a fiat-to-crypto gateway, utPay allowed illegal gambling operators to bypass the traditional banking system’s anti-gambling filters. The Theory: The Bank of Lithuania, known for its tightening grip on the 500+ VASPs operating in its jurisdiction, likely signaled that utPay’s “business as usual”—facilitating high-risk, unvetted gambling flows—would render them ineligible for a MiCA license. The suspension is not a choice; it is a desperate attempt to “scrub” their ledger before the final audit. Read our utPay reports here. 2. The “Technical Integration” Trap Notably, utPay claims they still provide “card section integration” and “technical integration with other partners.” This is a classic obfuscation tactic. By claiming to be a mere technical service provider, they attempt to remain operational in the fiat space without the oversight of a crypto license. However, if these “partners” are simply other shadow-gateways (like the previously exposed SegoPay or Daxchain), utPay remains a primary AML/CFT threat. Read our Daxchain reports here. 3. The Impact: Merchants in the Cold For the “merchants”—largely unlicensed casinos and high-risk e-commerce entities—this blackout is catastrophic. Liquidity Freeze: Crypto-assets currently held in utPay’s ecosystem are likely trapped in a compliance vacuum. The “Cascade” Failure: As utPay was a key layer in many “cascading” payment gateways, their removal from the stack causes a domino effect, forcing illegal casinos to urgently find new “dark rails” in more lax jurisdictions like the Comoros or Anjouan. The Compliance Verdict The “MiCA compliance-driven transition” is, in our professional estimation, a white-flag surrender. A company that built its volume on the unregulated fringes of the gambling industry cannot simply “pivot” into the sunlight of a MiCA authorization without a total purging of its client base—a move that would likely destroy its business model. Whistle42: A Call to Insiders Do you have internal communications from Utrg UAB regarding the Bank of Lithuania’s intervention? Are you a merchant with frozen funds at utPay? We need your data to map the next evolution of these shadow rails. Submit your information anonymously via Whistle42.com. Your evidence could be the key to the next major enforcement action. Share Information via Whistle42

FinTelegram’s Rail Atlas reviews of Stellar-linked offshore casinos show a repeatable payments pattern: players are routed through “open banking” and wallet rails that do not pay the casino directly, but instead pay VASP-registered intermediaries—notably DAXCHAIN (Estonia) and ChainValley (Poland)—that appear to function as fiat collection points. This is not an edge case. It looks like a scalable operating model designed to keep the casino out of the payment line-of-fire. Key Points Multiple casino brands attributed to Stellar show “template-like” repetition in UX and payment architecture, consistent with FinTelegram’s earlier Stellar/Legiano findings. Italy’s regulator blocks at least some related domains (including AllySpin and Supabet variants), while operators rotate through domain “mutations,” diluting enforcement at the DNS layer. Open-banking flows route users through gateway cascades (per your review) culminating in payees such as DAXCHAIN OÜ (www.daxchain.eu), whose public posture is VASP/virtual-currency activity—not licensed payment institution activity. DAXCHAIN’s register data shows presents Olegs Bogdanovics a beneficial owner. It virtual currency license raises the obvious question: why is a VASP the payee for “bank deposits” into offshore casinos? ChainValley remains a recurring node: FinTelegram has documented “fake-fiat” deposits where Skrill/Neteller funding is converted into USDC/USDC.e and forwarded to casino wallets—presented to the player as if it were a normal “deposit.” Read our ChainValley reports here. Short Narrative Our latest casino reviews (WinBay, AllySpin, LuckyMax, Spinbara, Supabet) reinforce what the Legiano/Stellar investigations already suggested: offshore casino groups are industrializing “deposit rails” the same way they industrialize domain churn. The striking part is not just that open-banking is offered—it’s who receives the money. Instead of paying a clearly identified, licensed gambling operator, the flows terminate at intermediaries like DAXCHAIN (Estonia) and ChainValley (Poland). From a compliance perspective, that is a flashing red light: the “merchant of record” layer is being engineered so the casino is one step removed from the payment event. Extended Analysis: The Regulatory Problem isn’t “Open Banking” — it’s The Payee Design 1) PSD2 doesn’t disappear because the UI says “crypto” or “open banking” Under PSD2 (Directive (EU) 2015/2366), payment services in the EU are a regulated activity, and authorization/registration is tracked through national competent authorities and consolidated in EU-level registers. If an entity is functionally acting as a fiat collection agent (receiving consumer bank transfers that fund an offshore casino relationship), the natural questions are: Is it authorized/registered as a payment institution or e-money institution for that activity? If not, what is the legal characterization of the “payment” the consumer thinks they’re making? This is exactly where “fake-fiat” architecture becomes useful to operators: if the payment can be framed internally as a purchase of crypto (even if the user experience suggests a casino deposit), the intermediary tries to step out of the PSD2 payment-agent box and into the VASP box. 2) DAXCHAIN: Licensed for Virtual-Currency Activity, Yet Positioned as a Fiat Payee Public sources indicate DAXCHAIN holds an Estonian FIU virtual currency service authorization (listed with license number FVT000045 in FIU communications).Separately, Estonia’s business register discloses the company’s ownership/control information (including the beneficial owner name in the register view). None of that, on its face, answers the PSD2 question: why is a VASP the named recipient in a bank-transfer “deposit” flow that ultimately funds offshore gambling activity? If the true commercial purpose is gambling, routing fiat into a VASP payee looks less like innovation and more like perimeter-hopping. 3) ChainValley: The Repeatable “Fake-Fiat” Conversion Hub Poland’s virtual-currency activity register lists ChainValley, but Polish authorities have been explicit that entry in the VASP activity register is not equivalent to a financial services license/supervisory approval in the PSD2 sense. FinTelegram’s Legiano/Stellar reporting already documented how these flows can be structured: “deposit” → embedded crypto purchase (USDC/USDC.e) → automatic transfer to casino wallet, funded via Skrill/Neteller rails—leaving consumers with weaker dispute/chargeback leverage because they technically “received the crypto they ordered.” In our new Stellar set, ChainValley appears again—paired with classic consumer payment brands (Skrill/Neteller/PaysafeCard) and the Lithuanian UTRG d/b/a utPay that were never built to be silent feeders into offshore casino stablecoin transfers. Read our Stellar reports here. 4) The Visa/Tink question: when open banking becomes a gambling rail We found a cascade that includes Tink in the open-banking confirmation path. Visa publicly confirmed its acquisition of Tink and positions it as a payments/data platform for initiating payments and moving money via APIs. This creates an uncomfortable but necessary compliance question for the ecosystem: If a regulated open-banking stack is initiating payments to VASP payees that are then used to fund unlicensed offshore casinos, what merchant/category screening is actually being enforced? Are these payments being treated as “crypto purchases” (and therefore allowed), even when the downstream commercial purpose is gambling? If yes, is that a control failure—or a business model? Actionable Insight: compliance questions that require answers For DAXCHAIN / ChainValley: What is the exact contractual product here—casino deposit, payment facilitation, or crypto purchase/on-ramp? If it’s “crypto purchase,” why is the UX presented as a casino funding method? For open-banking intermediaries (incl. Tink stack participants): What enhanced due diligence is performed when the payee is a VASP that is repeatedly observed in offshore gambling deposit flows? For e-wallet rails (MiFinity pattern): Why do payees like CANAMONEY EXCHANGE LTD / CenturaPay keep appearing in offshore casino cashier flows—what merchant monitoring controls are actually preventing repeat exposure? For regulators & FIUs: Are VASP registrations being used as a backdoor to run de facto payment-agent services for high-risk merchants (illegal gambling, shadow trading)? If so, where is the enforcement line? Call for Information If you have internal documentation, merchant onboarding records, payee/descriptor data, settlement account details, wallet clusters, or evidence showing how DAXCHAIN and ChainValley categorize these “deposits” (casino funding vs. crypto purchase), share it securely via Whistle42. We are particularly interested in: (i) merchant-of-record identities; (ii) transaction narratives used for bank compliance; (iii) chargeback/complaints outcomes; (iv) the gateway switching logic between payment-gateway endpoints; and (v) any correspondence with regulators. Share Information via Whistle42