South Korean crypto exchange Bithumb has blocked all virtual-asset deposits and withdrawals involving the overseas crypto payment platform Heleket, citing suspected money laundering and terrorist-financing exposure. The move follows TRM Labs’ assessment that Heleket is likely operationally connected to the Russia-linked processor Cryptomus, which was hit by Canada’s FINTRAC with a record CAD 176.96 million AML penalty in October 2025. 1-Minute Briefing South Korean crypto exchange Bithumb has imposed an immediate block on all virtual-asset deposit and withdrawal transactions involving Heleket, an overseas crypto payment processor. According to Bithumb’s official notice dated 21 May 2026, the platform cited suspected involvement of Heleket in money laundering and terrorist-financing-related illegal activity and referred to South Korean AML and virtual-asset user-protection rules as the legal basis for the measure. The case is not merely another exchange compliance update. It points to a broader risk pattern: crypto payment processors that present themselves as merchant-service infrastructure may, in practice, function as cross-border laundering and sanctions-evasion rails for high-risk users, darknet markets, cybercrime service providers, and sanctioned ecosystems. Key Findings Bithumb has blocked Heleket immediately. The Korean exchange’s notice states that all deposits and withdrawals involving Heleket are restricted from 21 May 2026 with immediate effect. TRM Labs links Heleket to Cryptomus. In April 2026, TRM Labs assessed with high confidence that Cryptomus or its ultimate controllers likely created and launched Heleket, citing common architecture, timing, shared personnel, branding, and extensive on-chain connections. Cryptomus already carries heavy regulatory baggage. Canada’s FINTRAC imposed a CAD 176,960,190 administrative penalty on Xeltox Enterprises Ltd., operating as Cryptomus, for widespread AML/CFT failures, including failures to file suspicious transaction reports and large virtual-currency transaction reports. Garantex exposure is a major red flag. TRM reported that early liquidity into Heleket wallets came from Garantex, the Russia-linked crypto exchange sanctioned by OFAC and later disrupted by international law-enforcement action. OFAC designated Garantex in April 2022, and the U.S. DOJ announced a coordinated disruption of Garantex infrastructure in March 2025. Bithumb itself is under compliance pressure. Earlier in 2026, South Korean authorities imposed a 36.8 billion won penalty on Bithumb over AML violations, including transfers involving unregistered overseas virtual-asset service providers. A Seoul court later stayed the six-month partial business suspension, while public reporting left the status of the monetary fine less clear. Compliance Analysis The Heleket case demonstrates how crypto payment processors can become the operational layer between regulated exchanges and high-risk counterparties. Unlike a traditional crypto exchange, a processor may appear as neutral infrastructure: merchant checkout, API layer, settlement wallet, or cross-border payment gateway. But where KYC controls are weak or selectively applied, the processor can become a compliance shield for users who would otherwise be rejected by regulated venues. TRM’s assessment is particularly significant because it does not rely on a single indicator. The reported connection between Cryptomus and Heleket is based on a combination of infrastructure, personnel, branding, timing, and on-chain activity. In compliance terms, this is the difference between a name change and a continuity-of-control scenario. If correct, Heleket may not be a new clean provider but a parallel rail designed to preserve access for users affected by Cryptomus’s increased regulatory scrutiny. The FINTRAC case against Cryptomus adds further gravity. The Canadian regulator found 2,593 contraventions across six violation types, including failures to report suspicious transactions linked to darknet markets, fraud proceeds, ransomware payments, child sexual-abuse-material trafficking indicators, and sanctions evasion. FINTRAC also stated that Cryptomus failed to comply with obligations relating to transactions associated with Iran. For regulated exchanges, the lesson is clear: blocking sanctioned entities is no longer enough. Exchanges must identify successor platforms, clone processors, parallel brands, shared-wallet clusters, and migration flows. A processor that emerges after another provider tightens KYC controls should trigger enhanced due diligence, not routine onboarding. Red Flags For Exchanges And Banks The Heleket/Cryptomus pattern contains several compliance red flags: use of a new payment brand after regulatory pressure on a related processor; shared infrastructure or personnel between supposedly separate entities; initial or material liquidity from sanctioned or disrupted exchanges; exposure to darknet markets, cybercrime services, ransomware, CSAM-related flows, or sanctions evasion; use of offshore or mailbox-style corporate structures; cross-border merchant payments without transparent beneficial ownership and merchant-risk controls. These are not merely crypto-sector risks. They matter to banks, EMIs, payment institutions, stablecoin issuers, wallet providers, and VASPs that touch settlement, fiat ramps, merchant accounts, or liquidity channels. FinTelegram Assessment Bithumb’s move should be read as part of a wider market shift. The compliance perimeter is expanding from “listed exchange” to payment infrastructure, wallet clusters, merchant gateways, and processor networks. Heleket is now a test case for how exchanges respond when blockchain intelligence firms identify a potentially high-risk processor before a regulator has issued a formal sanctions designation. For FinTelegram, the case confirms a recurring thesis: the most relevant financial-crime exposure in crypto increasingly sits not only at exchanges, but in the rails between exchanges, merchants, processors, OTC liquidity, and sanctioned ecosystems. The next generation of AML/CFT enforcement will focus on these rails. Call For Information FinTelegram invites insiders, compliance officers, former employees, affected users, and payment-industry sources with information on Heleket, Cryptomus, Garantex-related flows, merchant onboarding, processor wallets, or exchange integrations to contact us via Whistle42. Share Information via Whistle42

The Vienna conviction of former Austrian intelligence officer Egisto Ott adds a new and explosive layer to the Wirecard saga. Court reporting and prosecutorial accounts indicate that Ott passed sensitive information to Jan Marsalek and Russian handlers, reinforcing the view that Marsalek operated far beyond the role of a rogue corporate executive. This matters for the ongoing Munich proceedings against former Wirecard CEO Markus Braun. While Marsalek remains a fugitive and is now widely described in investigative and prosecutorial reporting as a Russian intelligence-linked operative, Braun continues to face trial in Germany in a case whose factual backdrop appears increasingly intertwined with espionage rather than ordinary corporate misconduct alone. Egisto Ott’s Role According to Reuters and other reporting on the Vienna proceedings, Ott was accused and ultimately convicted of using his former intelligence and police access to retrieve confidential information for Russia. Those activities allegedly included obtaining personal data, checking official databases, and supplying information to Jan Marsalek, who had become a crucial intermediary between criminal, financial, and intelligence circles. Link to Marsalek Ott’s relevance to the Wirecard context lies in his operational relationship with Marsalek. The case reporting indicates that Marsalek relied on Austrian insiders such as Ott to procure data, facilitate contacts, and support clandestine activities, suggesting that the former Wirecard COO was running networks that reached directly into state institutions. Wirecard Implications Ott’s conviction supports a wider interpretation of the Wirecard scandal. If Marsalek was already functioning as a Russian asset while serving as Wirecard’s chief operating officer, then the company may have been exploited as a cover structure, intelligence access point, or logistics channel in addition to being the site of one of Europe’s biggest postwar corporate frauds. The Braun Asymmetry That creates a legally awkward asymmetry. Markus Braun remains in custody and on trial in Munich, while the executive now most strongly associated with covert Russian operations—Marsalek—remains beyond the reach of German justice. Reuters reported that the Wirecard trial began in December 2022, and as of 21 May 2026 it has been running for 1,261 days, or roughly 41.4 months. The proceedings had already exceeded 100 trial days some time ago, underlining the exceptional length and complexity of the case. Legal and Compliance View For compliance analysts, Ott’s conviction is not a side story. It strengthens the argument that Wirecard should be assessed not only through the lenses of accounting fraud, market deception, and supervisory failure, but also through counterintelligence, sanctions-risk, political exposure, and infiltration vulnerabilities. The central unresolved issue is whether key legal narratives around Wirecard were framed too narrowly at the outset. As more evidence emerges around Marsalek’s intelligence role and his Austrian support network, the boundary between financial crime and state-linked covert activity appears increasingly artificial. Call for Information FinTelegram calls on whistleblowers, former insiders, service providers, investigators, compliance professionals, and other knowledgeable sources to submit information concerning Wirecard, Egisto Ott, Jan Marsalek, associated intelligence contacts, facilitators, payment structures, and cross-border networks. Information can be provided securely and confidentially through FinTelegram’s whistleblower platform Whistle42. In cases involving financial crime, espionage exposure, sanctions evasion, or regulatory capture, even fragments of internal documentation or timeline evidence may prove decisive. Share Information via Whistle42

Baltic FIUs Publish Landmark Study On Payment Rails And AML Risk The Estonian Financial Intelligence Unit, together with the FIUs of Latvia and Lithuania and with support from the Bank of Lithuania, has published a major regional strategic study titled “Evolving Payment Landscapes and AML Challenges in the Baltic States.” The study covers the period from 2021 to the first half of 2024 and analyses payment service providers, credit institutions, payment institutions, e-money institutions, cross-border payment accounts, suspicious transaction reports, and emerging money-laundering typologies across the Baltic States. For FinTelegram, the study is highly relevant. It confirms what our investigations into illegal casino payment rails, investment scam payment infrastructures, crypto on-ramp structures, and open-banking routes have repeatedly shown: the modern AML battlefield is no longer limited to traditional banks. It is increasingly located in the opaque interaction between digital banks, EMIs, PIs, VIBAN structures, embedded finance platforms, crypto platforms, and cross-border payment accounts. The study does not read like a theoretical risk paper. It reads like an official confirmation of the new payment-rail reality. Key Findings The Baltic FIUs identify clear structural differences between the three jurisdictions. Estonia and Latvia remain largely bank-dominated markets with predominantly domestic client bases, while Lithuania has developed into a regional FinTech payment centre with materially higher foreign-client activity and cross-border exposure. The study states that Lithuania’s growth in digital banking, EMI and PI services has deepened integration with the EU financial system but has also increased ML/TF risks linked to complex transactions and non-face-to-face service delivery. The study also confirms that Estonia and Latvia have reduced exposure to high-risk non-resident clients through de-risking and stronger AML controls. However, this did not eliminate risk. Instead, some risk appears to have migrated. The FIUs note that client off-boarding by traditional banks helped drive customers toward Lithuanian PSPs and other alternative digital providers. A central finding is that Lithuanian FinTech PSP accounts stand out in suspicious transaction reporting by Estonian and Latvian FIUs. Fraud schemes, tax evasion, and attempts to circumvent EU sanctions dominate the regional ML landscape and are often facilitated through digital banks, EMIs, and VASPs. The study further highlights transit accounts, shell companies, strawmen, and VIBAN structures as recurring obstacles to identifying beneficial owners and tracing illicit funds. Lithuania: Regional FinTech Hub — And Regional Risk Magnet Lithuania’s strategy to become an EU FinTech hub has succeeded. According to the study, Lithuania has attracted a significant number of payment and e-money institutions and hosts a materially larger PI/EMI market than Estonia or Latvia. The study also notes that Lithuania’s PI/EMI sector has been assessed as high-risk because of non-resident portfolios, international transactions, high-risk industries, remote onboarding, and pass-through payments. This is not a condemnation of Lithuania’s FinTech strategy. It is a warning about its consequences. The study shows that Lithuania’s role as a regional hub comes with structural AML pressure. Lithuanian PSPs process very large volumes for non-domestic clients. In 2024, Estonian and Latvian clients overwhelmingly used a single Lithuanian digital bank, both in terms of client numbers and transaction volumes. The study does not name the institution, but the concentration finding is significant for regulators, supervisors, and investigative journalists alike. This concentration matters because FinTelegram’s own Rail Atlas investigations have repeatedly encountered Lithuanian-regulated or Lithuania-linked digital banking and FinTech structures in payment chains serving high-risk sectors, including offshore gambling, crypto on-ramps, and cross-border investment schemes. Estonia: BaaS, VIBANs And Crypto Correspondent Risk The study also identifies Estonia-specific vulnerabilities. Although Estonia remains bank-dominated, the FIUs point to risks arising from a BaaS model used by a market participant and from correspondent-style services involving foreign virtual-asset and FinTech platforms. The study states that suspicious funds are often channelled through the Estonian financial system using VIBANs, which may obscure the beneficial owner and the transaction origin. The numbers are striking. According to the study, cross-border payment volumes of respondent financial institutions in Estonia rose from €105 billion in 2021 to €136 billion in 2024. Of this, PI/EMI respondent payments reached €84 billion in 2024, while VASP-related transactions reached €33.5 billion. Approximately 89% of the total cross-border payment volume involved non-resident respondents, mostly from the EEA and the United Kingdom. This aligns closely with FinTelegram’s investigative focus on payment chokepoints. The critical issue is not only whether a bank, EMI, or payment institution is licensed. The issue is whether its business model creates nested, opaque, or insufficiently monitored rails for third-party operators, crypto platforms, offshore merchants, or high-risk digital businesses. VIBANs And Embedded Finance: The New Opacity Layer The study gives particular attention to VIBANs, open-banking structures, embedded finance, and BaaS. Latvia’s NRA flags VIBANs and open-banking structures as emerging risks because of sub-account opacity, unclear responsibility for CDD and transaction monitoring, and difficulties for FIUs or law enforcement when requesting information or freezing assets across jurisdictions. Estonia’s NRA also flags VIBAN services offered to financial intermediaries without sufficient risk assessment of their clients, as well as bundled transaction files that may prevent adequate risk profiling. This is exactly the problem FinTelegram has described in its casino and scam payment-rail investigations: the payment chain becomes fragmented. The consumer sees one interface, the bank sees another counterparty, the real merchant or beneficial operator may sit behind several gateways, and the final economic purpose may be diluted or hidden. In practice, this creates what FinTelegram calls payment-purpose dilution: the further the payment travels through gateways, processors, VIBAN layers, open-banking intermediaries, crypto ramps, and offshore merchants, the harder it becomes to determine what the transaction was really for. Fraud, Tax Evasion And Sanctions Circumvention Dominate The Baltic FIUs identify three dominant predicate offence categories: fraud, tax evasion, and sanctions circumvention. The study notes that payment services in Estonia, Latvia, and Lithuania are frequently used in the layering stage of money-laundering schemes, including fraud-related flows, tax evasion schemes, and sanctions evasion, often through digital banks, EMIs, and VASPs. For Latvia, STRs referencing Lithuania increased between 2022 and 2024, suggesting growing risk exposure or at least growing reporting attention in relation to Lithuanian-linked financial flows. For Estonia, STRs referencing Lithuanian accounts also increased significantly, and the study states that Lithuanian accounts held by Estonian entities and individuals formed a major share of Estonian STRs concerning foreign accounts. The study also notes that crypto-related risks appear more pronounced in Lithuanian FinTech PSPs. Around 7% of Estonian STRs involving payment-account transactions included cryptocurrency-related activity on average, but by 2024 that share rose to around 12%. For Lithuanian accounts, the proportion was higher, at roughly 18% of STRs related to payment accounts. FinTelegram Interpretation: The Baltic Region As A Payment-Rail Laboratory The Baltic region is becoming a test case for the future of European AML supervision. The region has strong digital infrastructure, advanced FinTech ecosystems, close Nordic banking links, EU passporting dynamics, crypto exposure, and significant cross-border activity. This makes it innovative — but also vulnerable. The official study confirms four FinTelegram working theses: First, de-risking does not remove risk; it relocates it. When traditional banks off-board clients, the business may move to digital banks, EMIs, PIs, VIBAN providers, or crypto-friendly intermediaries. Second, licensing is not the same as transparency. A licensed EMI or digital bank can still become a chokepoint for high-risk payment flows if it serves opaque intermediaries or relies on insufficiently transparent third-party structures. Third, crypto risk increasingly enters through payment rails, not only through crypto exchanges. The interaction between bank accounts, VIBANs, EMIs, VASPs, and on/off-ramp structures is now one of the most important AML risk zones. Fourth, cross-border payment flows require cross-border supervision. National supervision is structurally insufficient where clients, beneficial owners, PSPs, VASPs, merchants, and victims are spread across different jurisdictions. The Casino Payment-Rail Angle Although the study is not specifically about illegal online casinos, its findings are directly relevant to FinTelegram’s ongoing investigations into offshore gambling payment rails. Illegal casino operators frequently rely on exactly the type of structures highlighted by the FIUs: payment intermediaries, cross-border PSPs, non-transparent payees, VIBAN-like account structures, crypto on-ramps, open-banking flows, and payment-purpose dilution. In these ecosystems, the player may believe they are making a casino deposit, while the banking layer may see a transfer to a payment processor, gateway, wallet provider, or unrelated commercial descriptor. The Baltic FIU study therefore provides an official AML framework for understanding why these rails matter. They are not merely technical payment channels. They are potential financial-crime infrastructure. Regulatory Takeaway The Baltic FIUs recommend regional indicators for PSP-related STRs, detailed sector-specific typology studies focusing on digital banking, embedded finance, PI/EMI and virtual-asset segments, better dissemination of red flags, enhanced staff training, and stronger data harmonisation across the region. FinTelegram would go one step further: European regulators should treat payment-rail opacity as a standalone compliance risk. Where the consumer-facing merchant, payment descriptor, technical gateway, account holder, beneficial operator, and economic purpose do not align, enhanced due diligence should be mandatory. The key question is no longer simply: Is the PSP licensed? The better question is: What payment rail is the PSP enabling — and for whom? FinTelegram Conclusion The Baltic FIUs have delivered an important and unusually relevant study. It confirms that AML risk in the Baltic region has moved into a more complex phase: less cash, fewer traditional non-resident banking scandals, but more digital rails, more cross-border accounts, more FinTech concentration, more VIBAN opacity, more crypto adjacency, and more rapid movement of funds. For FinTelegram, this is a strong validation of the Rail Atlas approach. To understand modern financial crime, investigators, regulators, banks, and victims must follow the rails — from the consumer interface to the gateway, from the gateway to the PSP, from the PSP to the VIBAN or correspondent layer, and from there into crypto, offshore accounts, or settlement structures. The Baltic States are not merely a regional AML case study. They are a preview of Europe’s payment-risk future. Share Information via Whistle42

FinTelegram’s Rail Atlas reviews show a recurring pattern in offshore casino payment flows: the player starts a deposit at an online casino, but the bank-facing payment screen names a payment processor — such as CAPITOLIO INC. or Domus Payment Solutions — as the payee. In card payments, players may at least have chargeback routes. In Pay-by-Bank and open-banking account-to-account rails, those protections are materially weaker. This architecture creates a serious compliance and consumer-protection problem: if the casino operator disappears from the payment screen, how can players enforce refund claims against illegally or unauthorised gambling operators? 2-Minutes Briefing FinTelegram’s recent Payment Rail Atlas reviews of offshore casino cashiers, including 1Go Casino and Winnita, have identified a recurring payment architecture: the player initiates what is economically a casino deposit, but the bank-facing payment screen names a payment processor or infrastructure company as the payee rather than the casino operator. In the 1Go Casino review, CAPITOLIO INC. appeared as payee in a Revolut/Yapily open-banking rail, while Domus Payment Solutions appeared as payee in a separate Pay-by-Bank rail. In the Winnita review, FinTelegram again found Domus Payment Solutions as named payee in a Pay-by-Bank flow involving InstantBankPayment, Token GmbH/Token.io, and Revolut. Read our Winnita payment rail review here. This is not merely a technical detail. In card payments, consumers may have card-scheme chargeback routes. Open-banking payments are different. They are account-to-account transfers initiated from the customer’s bank account, and industry sources describe them as bypassing card-network rails with no card-scheme chargeback mechanism; disputes depend on merchant refund policies and any protections offered by the payment-initiation provider. The timing matters. In Case C-440/23, the Court of Justice of the European Union held that EU law does not prevent a Member State from prohibiting online gambling services even where the operator holds a licence in another Member State, and the case expressly concerned recovery of lost stakes and abuse-of-law arguments. In Case C-77/24 Wunner, the CJEU addressed cross-border claims linked to unlicensed online gambling and confirmed the relevance of the player’s country of participation/residence for determining where the damage occurred. Against that legal backdrop, processor-as-payee architectures become especially problematic. If the player cannot clearly identify the actual casino operator or ultimate gambling beneficiary from the payment flow, recovery claims may become practically difficult, even where national law gives the player a right to reclaim deposits or losses from an unauthorised gambling operator. Key Findings FinTelegram has observed processor-as-payee structures in several casino rails. In 1Go Casino, CAPITOLIO INC. and Domus Payment Solutions appeared in different rails; in Winnita, Domus Payment Solutions appeared as payee in a Pay-by-Bank rail. The casino operator may disappear from the bank-facing payment flow. The player sees the casino cashier at the start, but the bank or open-banking authorisation screen may show a processor, MSB, wallet platform, or collection entity. Processor-as-payee is not automatically unlawful. A processor may lawfully appear as merchant of record, payment facilitator, collection agent, or technical payee. But in gambling-origin payments, this is only defensible if the underlying merchant, payment purpose, processor role, refund route, and licensing status are clearly disclosed and properly monitored. The risk is payment-purpose dilution. The payment starts as a casino deposit but may arrive at the bank layer as an ordinary account-to-account transfer to a payment infrastructure company. Open-banking rails weaken card-style recovery options. PXP’s open-banking explainer states that open-banking payments bypass card networks and have no card-scheme chargeback mechanism; disputes fall to merchant refund policies and any PISP protections. CJEU case law increases the importance of payment transparency. Case C-440/23 confirms that EU law does not automatically shield cross-border operators from national gambling restrictions and restitution consequences; Case C-77/24 Wunner strengthens the relevance of the player’s country for claims linked to unlicensed online gambling. Opaque payment architecture can impair player protection. If the bank statement shows CAPITOLIO INC. or Domus Payment Solutions rather than the casino operator, the player may face practical obstacles in proving the link between deposits and the illegal or unauthorised gambling service. The Observed Architecture Typical Processor-as-Payee Casino Flow LayerWhat the Player SeesWhat FinTelegram ObservedCompliance Concern1Casino cashier1Go Casino / Winnita deposit pageGambling purpose is clear at the start.2GatewayInstantBankPayment, BillBlend, SegoPay, Tryzto, Token.io or similarThe casino brand begins to disappear behind intermediaries.3Open-banking / PISP layerYapily, Token.io, Bridge/SaltEdge or similarA regulated or semi-regulated chokepoint initiates/supports the A2A payment.4Bank authenticationRevolut, Wise or another bankPlayer authenticates a push payment.5Payee screenCAPITOLIO INC. or Domus Payment SolutionsNon-casino payee appears instead of the operator.6Economic destinationCasino account / player balance creditedUltimate gambling beneficiary may not be transparent. The central issue is not that processors exist. Payment processors are normal in digital commerce. The issue is merchant substitution at the visibility layer: the consumer-facing merchant is an offshore casino, while the bank-facing payee is a processor. Is It Allowed To Show a Processor Instead of the Casino Operator? The Compliance Answer A processor may be shown as payee in a lawful merchant-of-record, payment facilitator, collection-agent, or technical on-ramp model. But where the player is not clearly informed that the processor receives funds for, or on behalf of, the casino — and where the bank-facing transaction no longer identifies the gambling merchant or the gambling purpose — the structure creates serious transparency, AML, payment-compliance, and consumer-protection risk. In other words: processor-as-payee is lawful in principle, but high-risk in practice when used for casino-origin deposits. A compliant model would need to answer the basic questions: Who is the actual gambling operator? Is the operator licensed in the player’s jurisdiction? Is the processor collecting funds for that operator? Does the player understand whom they are paying? Does the bank or PISP receive the gambling context? Does the player have a clear refund or complaint route? Is the payment purpose preserved through the rail? If those questions cannot be answered, the model becomes a transparency problem. Why It May Breach Consumer Protection Principles EU consumer law is built around clear, timely and understandable information. Consumers must know the identity of the trader and the essential characteristics of the service before making a transactional decision. The Unfair Commercial Practices Directive treats omissions of material information as potentially misleading where the average consumer needs that information to make an informed decision. In a casino deposit context, the identity of the casino operator and the fact that the payment funds gambling activity are material. If the consumer-facing casino disappears from the payment screen and is replaced by a processor name, the player may not know: who actually operates the gambling service; who receives or controls the funds; who is responsible for refunds; where to direct a restitution claim; whether the transaction is classified as gambling or as an ordinary transfer. That does not automatically prove a legal breach in every case. But it creates a strong misleading-omission and transparency risk, especially where the casino is not authorised in the player’s jurisdiction. Payment Compliance Analysis 1. Payee vs. Ultimate Merchant Under payment law, the payee shown in an A2A payment may be the entity designated to receive funds. In platform models, that entity may be a processor or collection agent. But from a compliance perspective, the ultimate merchant and economic purpose cannot disappear. In gambling, this is critical. Banks, PISPs, PSPs and MSBs must know whether they are facilitating gambling-related transactions, particularly where the underlying operator targets jurisdictions requiring local authorisation. If CAPITOLIO INC., Domus Payment Solutions, or similar entities appear as payees for casino-origin deposits, their role should be transparent: Are they merchant of record, agent, processor, settlement provider, on-ramp provider, or simply a technical collection account? 2. AML/KYB Risk Casino-origin payments are high-risk because gambling is a regulated sector and can involve fraud, chargeback abuse, money-laundering typologies, affordability concerns, and consumer-harm issues. If a processor receives funds from players, its KYB file should show: the upstream casino operator; the contractual counterparty; the target jurisdictions; licensing analysis; merchant-category classification; transaction-monitoring logic; complaint and refund handling; whether funds are settled onward to the casino, affiliate, wallet, crypto rail, or another processor. Without those controls, the processor-as-payee model becomes a collection layer for unauthorised gambling. 3. Payment-Purpose Dilution FinTelegram uses the term payment-purpose dilution for the process by which a transaction that starts as a casino deposit appears downstream as an ordinary transfer to a payment processor. That is the key danger. Banks and PISPs may screen the visible payee and payment reference but not the upstream gambling context. In that case, the risk model sees a processor; the economic reality is an offshore casino deposit. Consumer and Player Protection Impact No Card Chargeback Layer Card payments are embedded in card-scheme dispute and chargeback frameworks. Pay-by-Bank and open-banking payments are account-to-account push payments authenticated by the payer. They do not use card networks, and PXP describes the absence of card-scheme chargebacks as one of the key differences and risk trade-offs of open banking. For a casino player, this creates a harsh combination: the payment is difficult to reverse; the bank statement may show a processor, not the casino; the casino operator may be offshore and difficult to sue; the processor may deny responsibility as “technical infrastructure”; the bank may argue that the customer authorised the transfer. This weakens practical enforcement of player rights. Refund Claims After Recent CJEU Case Law The CJEU’s recent gambling jurisprudence makes this problem more important. In C-440/23 European Lotto and Betting and Deutsche Lotto- und Sportwetten, the Court’s judgment concerned national authorisation requirements for online games of chance, overriding reasons in the public interest, online slot machines, secondary lotteries, recovery of lost stakes, and abuse of law. The Court’s press release summarises the outcome as recognising that a consumer may bring a claim for restitution of lost stakes against operators established in another Member State, and that EU law does not prevent Member States from maintaining authorisation requirements in the public interest. This should be stated precisely: the CJEU did not create a blanket EU-wide automatic refund right for every player in every case. Rather, it confirmed that EU law does not prevent Member States from attaching civil-law consequences — including nullity and restitution claims — to online gambling offered without the required national authorisation. In C-77/24 Wunner, the Court addressed cross-border liability claims linked to unlicensed online gambling and the country where damage occurs. The case listing describes the issue as the country from which the player participates, and legal commentary summarises the judgment as confirming that players may generally rely on the law of their habitual-residence Member State when pursuing claims linked to foreign operators lacking the required local licence. Together, these cases make payment transparency crucial. If national law gives the player a restitution route, the payment evidence must allow the player to prove who received funds, for whose benefit, and for which gambling operator. Processor-as-payee rails can obstruct that proof. The Practical Enforcement Problem The player’s legal position may be strong on paper but weak in practice. Player Needs To ProveWhat Processor-as-Payee Rails May ShowThe payment funded an illegal or unauthorised casino depositBank screen shows a transfer to CAPITOLIO INC. or Domus Payment Solutions.The casino operator received the fundsOperator is not shown as payee.The casino lacked required local authorisationPayment record does not identify the gambling operator.The claim should be directed to the operatorThe visible payee may say it was only a processor or on-ramp.The bank should treat it as gambling-relatedBank may classify it as ordinary A2A transfer to a corporate payee.The transaction can be disputedNo card-scheme chargeback layer exists. This is the consumer-protection conflict: The law may give the player a refund claim.The payment architecture may make that claim difficult to enforce. Compliance Classification Risk AreaAssessmentPayment transparencyHigh risk if the casino operator and gambling purpose are not clearly disclosed.Consumer protectionHigh risk where players cannot identify the trader/operator or enforce refund claims.AML/KYBHigh risk where processors collect funds for offshore gambling merchants.Gambling complianceHigh risk where casinos target jurisdictions without local authorisation.Bank monitoringImpaired if the visible beneficiary is a processor rather than the gambling operator.Chargeback / dispute rightsWeaker than card rails because A2A payments lack universal card-style chargebacks.Litigation / restitutionPlayer claims may be obstructed by lack of clear payment evidence linking deposits to the casino operator.Regulatory reportingWeak if processors and PISPs do not preserve upstream merchant and payment-purpose data. FinTelegram Position Processor-as-payee architecture is not automatically illegal. But in offshore casino rails it is a major red flag. A compliant model would require at least: clear disclosure of the casino operator; clear disclosure that the processor receives funds for or on behalf of the casino; clear payment purpose shown to the player and, where possible, to the bank/PISP; documented merchant onboarding and KYB; evidence that the casino is authorised in the target jurisdiction; effective blocking of jurisdictions where the casino is not licensed; refund and complaint routes identifying the actual merchant and responsible processor; transaction monitoring that preserves the upstream gambling context; audit trails showing how funds move from processor payee to ultimate casino beneficiary. Without these safeguards, the architecture may amount to practical concealment of the true merchant and payment purpose. Questions for Processors, PISPs and Banks FinTelegram believes the following questions should be asked whenever a processor appears as payee in a casino-origin open-banking rail: Who is the actual gambling operator behind the deposit? Does the processor receive funds for or on behalf of that operator? Is the operator licensed in the player’s jurisdiction? What merchant category and risk classification is used? What does the payer’s bank see — processor only, or casino context? What does the PISP see — processor only, or upstream merchant context? Is the player told that the processor is collecting funds for the casino? Who handles refund and restitution claims? Can the processor provide an audit trail from player deposit to casino settlement? Are unauthorised gambling jurisdictions blocked? If the answer to these questions is unclear, the rail should be treated as high-risk. Conclusion The processor-as-payee model observed in 1Go Casino and Winnita shows a serious weakness in modern open-banking casino payments. The player thinks he is depositing into a casino. The bank-facing screen may show a payment processor. The card chargeback layer is absent. The underlying casino operator may be offshore, opaque, or not locally licensed. Yet recent CJEU case law confirms that EU law does not prevent Member States from attaching civil-law consequences, including restitution claims, to gambling services offered without required national authorisation. That creates the core consumer-protection conflict: The law may give the player a refund claim.The payment architecture may make that claim difficult to enforce. For payment processors, PISPs, banks, and gambling regulators, this is no longer theoretical. If processors such as CAPITOLIO INC. or Domus Payment Solutions appear as named payees in casino-origin Pay-by-Bank or open-banking rails, they should be expected to explain exactly whose funds they collect, for which merchant, under which licence, in which jurisdiction, and with what disclosure to the player. Open banking is a payment innovation. It must not become an opacity layer for unauthorised offshore gambling. FinTelegram will continue to document these rails because payment transparency is now central to player protection. Call for Information FinTelegram invites casino players, payment insiders, PSP employees, compliance officers, banking staff, and former employees of offshore gambling operators to provide information about processor-as-payee casino rails. We are particularly interested in payment confirmations, bank screenshots, open-banking consent screens, payee names, merchant descriptors, refund correspondence, casino KYC files, PSP onboarding documents, settlement records, and internal compliance communications involving CAPITOLIO INC., Domus Payment Solutions, InstantBankPayment, Token GmbH/Token.io, Yapily, SaltEdge/Bridge, Revolut, and related casino payment flows. Information can be submitted confidentially via Whistle42. Share Information via Whistle42

After the Bank of Lithuania revoked Paytend Europe UAB’s EMI licence for serious and systematic AML/CFT failures — including a mishandled relationship with an unnamed high-risk customer — MEXC appears to have re-engineered its Euro deposit rail. FinTelegram’s fresh deposit simulation (screenshots on file) shows Legend Trading now embedded as the fiat service layer inside MEXC’s “Bank Transfer” flow, including KYC onboarding and terms acceptance — yet the rail still routes deposit logic through Finetix Ltd S.R.L. as the contractual counterparty. Combined with whistleblower-supplied bank transfer evidence from Italy showing 2024 deposits to MEXC Estonia OÜ via Lithuanian infrastructure and additional on-ramp rails via ClearJunction-prefixed accounts, a consistent pattern emerges: MEXC systematically swaps providers while preserving an obfuscation-first architecture designed to keep the “MEXC” beneficiary out of the sending bank’s line of sight. Key Findings (Compliance Signals) Whistleblower evidence (Italy, 2024): bank transfer receipts show EUR deposits routed to MEXC Estonia OÜ via a Lithuanian IBAN (masked in publication), and additional rails via Banxa and MoonPay using ClearJunction-prefixed accounts (CLJU). FinTelegram rail mapping (Feb 2026): FinTelegram documented a dual architecture with Finetix Ltd S.R.L. as the universal contractual recipient, with routing via HEURO SAS / OuiTrust for SEPA Instant and Paytend Europe UAB for standard bank transfer. Open Letter escalation (18 Feb 2026): FinTelegram publicly put Paytend on notice and stated that Paytend was processing Euro deposits for MEXC via Finetix; Paytend’s continued facilitation was framed as a compliance and governance failure. Regulatory enforcement (6 Mar 2026): Bank of Lithuania revoked Paytend’s licence after inspection found serious and systematic deficiencies and referenced incorrect information and missing correspondence tied to a high-risk customer relationship. New rail shift (today’s simulation): FinTelegram observed Legend Trading replacing Paytend/OuiTrust as the user-facing “Bank Transfer” fiat service layer inside MEXC — while Finetix remains present in the legal/contractual wording of the deposit flow (screenshots on file). Critical inference (defensible): MEXC’s rail is not “one provider.” It is a provider-swappable obfuscation stack with a persistent contractual shield layer — the compliance risk does not disappear when one EMI or processor disappears. Evidence Pack (Whistleblower — anonymized) FinTelegram reviewed supporting documents from an Italian retail user (identity withheld; personal data not published). The documents include: Banxa deposit instructions referencing a ClearJunction-prefixed IBAN (CLJU) and bank details for Clear Junction Limited. BBVA transfer receipt showing a EUR bank transfer to Banxa using a CLJU-prefixed account (masked in publication). BBVA transfer receipt showing a EUR bank transfer to MoonPay Technology Services Limited using a CLJU-prefixed account (masked in publication). BBVA transfer receipt showing a EUR bank transfer to MEXC Estonia OÜ using a Lithuanian IBAN (masked). BBVA transfer receipt showing a later EUR bank transfer to “Mexc” using the same Lithuanian IBAN pattern (masked). Why it matters: this is not “forum chatter.” These are bank-level payment artifacts that demonstrate how EU retail funds were routed to MEXC-linked beneficiaries and/or MEXC-adjacent on-ramp partners through structured rails. What Changed: From Paytend/OuiTrust to Legend Trading — Without Changing the Core Design 1) The older model (documented by FinTelegram) In February 2026, FinTelegram described a dual-rail architecture: Finetix Ltd S.R.L. acting as the universal “contractual recipient,” routing through HEURO SAS / OuiTrust for SEPA Instant, and routing through Paytend Europe UAB for standard bank transfers. FinTelegram’s Open Letter (18 Feb 2026) stated that Paytend continued to process Euro deposits for MEXC via Finetix. 2) The enforcement shock (Bank of Lithuania) On 6 March 2026, the Bank of Lithuania revoked Paytend’s EMI licence after inspection findings that included systemic AML/CFT and internal control failures and an explicit reference to a mishandled high-risk customer relationship. 3) The new model (today’s simulation — screenshots on file) FinTelegram’s new deposit simulation indicates: Legend Trading (webiste) is now the embedded fiat service layer inside MEXC’s “Bank Transfer” flow, including integrated onboarding/KYC and “Legend” terms acceptance. Despite the provider swap, the Romanian payment agent Finetix still appears in the deposit rail’s contractual wording — consistent with Finetix’s historical role as “contractual recipient / legal shield” previously documented by FinTelegram. The flow appears engineered to avoid showing a static IBAN to the user and instead pushes users into an “online banking login / hand-off” style transfer initiation, where payment details can be auto-populated and less transparent to the end user (and often harder for the public to audit). On MEXC’s SEPA deposit rail, the beneficiary is now shown as SecureSwap s.r.o. (secureswap.exchange), a Czech-registered entity presented inside a P2P-style “notify seller” flow. In our deposit simulation (screenshot on file), MEXC instructs users to transfer funds to a Lithuanian IBAN starting with “LT…3130…,” which corresponds to the Lithuanian financial-institution code 31300 = UAB ZEN.COM—meaning the SEPA collection leg is routed via ZEN.COM’s Lithuanian EMI infrastructure, not directly to an account transparently labelled “MEXC.” Compliance takeaway: this looks like rail refactoring, not remediation. Legend Trading: Why This Provider Swap Raises New Questions Legend Trading’s own EU site positions “Legend Trading EU” as an institutional liquidity provider with products such as “Legend Gateway,” and it lists exchange showcases (including KuCoin). The site also states: “Legend Ireland Financial Limited … is regulated by the Central Bank of Ireland.” This creates a very direct compliance question: If a regulated or regulated-adjacent provider is deeply integrated into MEXC’s EU fiat deposit flow, what is the exact compliance perimeter being applied to the MEXC relationship and its downstream payment architecture? FinTelegram is not alleging wrongdoing by Legend Trading based solely on integration. But in a post-Paytend world — where a Lithuanian supervisor has just revoked a licence citing serious AML/CFT deficiencies and a high-risk customer relationship — a provider stepping into the same rail inherits the same core risks unless the architecture itself changes. Finetix: The Constant Node FinTelegram’s February 2026 rail analysis called Finetix the universal contractual gateway/recipient in MEXC euro deposits and noted that it functions as a “legal shield” layer in the stack. The whistleblower evidence from 2024 further supports that MEXC-linked collections existed before the later “Finetix-fronted” evolution: earlier rails show direct beneficiary naming (“MEXC Estonia OÜ” / “Mexc”) and additional third-party on-ramps (Banxa/MoonPay) — consistent with a strategy of multi-rail redundancy. Compliance interpretation: when a stack keeps the same contractual shield while swapping the pipe, the intent is typically continuity under pressure — not improved transparency. Updated Rail Map PeriodUser-facing railContractual / named recipientPipe / Provider layer2024 (whistleblower Italy)Bank transfer + on-ramp purchases“MEXC Estonia OÜ” / “Mexc” (bank receipts) + Banxa/MoonPayLithuanian IBAN rail + ClearJunction-prefixed accounts for Banxa/MoonPayFeb 2026 (FinTelegram)Standard bank transfer + SEPA InstantFinetix as contractual recipientPaytend (standard bank transfer) + HEURO/OuiTrust (SEPA Instant)Feb 2026 (Open Letter)Euro deposits for MEXCFinetixPaytendMar 2026 (Regulator)——Paytend licence revoked; “high-risk customer” referenceMay 2026 (FinTelegram simulation)Bank Transfer “Legend …” + bank-login initiationFinetix still present in rail wordingLegend Trading as embedded service layer Compliance Verdict This is now a pattern with a signature: MEXC uses EU-facing rails to pull retail fiat. It keeps a contractual shield layer (Finetix) or other intermediating structures that reduce beneficiary transparency. When a facilitator becomes exposed or sanctioned, MEXC hot-swaps the provider and refactors the UI/flow to reduce auditability. Whistleblower bank artifacts show the rails were operational in 2024 and routed to MEXC-linked beneficiaries and/or MEXC on-ramp partners. Paytend’s revocation does not “end the story.” It demonstrates that the risk was real, and the provider swap suggests that MEXC’s priority is operational continuity, not compliance clarity. What FinTelegram Will Now Investigate (and what regulators should ask) Legend Trading → MEXC: What is the exact scope of Legend’s services (pure gateway vs. MoR vs. settlement orchestration)? Finetix’s continuing role: Why does Finetix remain in the contractual layer even after the “pipe” changes? Bank-login payment initiation: Which AIS/PIS or open-banking infrastructure is being used? Who is the PISP? Where is the consent stored? Downstream settlement: Which banks/EMIs now hold the accounts that previously sat behind Paytend / HEURO? Consumer disclosure: Is the ultimate beneficiary relationship sufficiently disclosed for AML/CTF and consumer protection expectations? Call for Whistleblowers (MEXC, Legend, Finetix, and EU Banking Partners) If you are: a MEXC customer who used “Bank Transfer / Easybank / Legend …” deposit routes, a current or former employee/contractor of Legend Trading, Finetix, HEURO/OuiTrust, Paytend, or any integrated PSP/PISP, or a compliance professional at a bank that processed these flows, we want evidence: deposit instructions, settlement details, beneficiary data, IBANs (privately), on-chain TXIDs, support tickets, and contractual documentation. Submit via Whistle42. FinTelegram follows the conversions — and the pipes. If you know what replaced Paytend behind the scenes, help us map it. Share Information via Whistle42

FinTelegram publicly confronted Lithuanian EMI Paytend Europe UAB on 18 February 2026, warning that Paytend’s payment rails were facilitating the red-listed crypto exchange MEXC—and that this ecosystem was operating with a striking mix of opacity, regulatory friction, and disregard for basic compliance hygiene. On 6 March 2026, the Bank of Lithuania announced it had revoked Paytend’s EMI licence after an inspection found serious and systematic AML/CFT and internal-control failures. The BoL anncouncement includes a damning line: Paytend provided incorrect information about a business relationship with a high-risk customer and failed to retain and submit correspondence related to that relationship. The regulator did not name the customer. But FinTelegram had already mapped the rails, named the entities, and put the facilitator on notice. This enforcement action is not only a blow to Paytend—it is a public validation of FinTelegram’s CyberFinance Intelligence model and a fresh warning flare over MEXC’s European fiat access. Key Findings FinTelegram documented the rail early (May 2024): FinTelegram reported that MEXC processed fiat flows for crypto purchases via MEXC Estonia OÜ, which in turn used Paytend Europe UAB (Lithuanian EMI) for bank-transfer handling. FinTelegram escalated publicly (18 Feb 2026): In an open letter, FinTelegram said Paytend continued to process euro deposits for MEXC via Finetix Ltd S.R.L. and highlighted traffic/referral signals indicating a material MEXC → Paytend linkage. Regulator struck (6 Mar 2026): The Bank of Lithuania revoked Paytend’s licence after an inspection found serious and systematic deficiencies in business-relationship monitoring, AML/CFT risk management, and internal controls—plus failure to submit suspicious transaction reports despite escalation indicators. The “high-risk customer” sentence matters: The Bank of Lithuania stated Paytend provided incorrect information about its relationship with a high-risk customer and failed to retain/submit correspondence related to that relationship. The customer was not named. Strategic implication: This enforcement outcome materially strengthens FinTelegram’s credibility against recurring legal intimidation: the core compliance warnings published by FinTelegram were aligned with—and later echoed by—regulatory findings. What Happened: FinTelegram’s MEXC–Paytend Coverage, Then Enforcement This is not just another supervisory action in the Baltic payments sector. It is a regulatory event that strongly suggests FinTelegram once again identified a high-risk cyberfinance structure before the authorities formally intervened. FinTelegram has repeatedly assessed MEXC as a high-risk (“red-listed”) exchange and focused on the operational question that matters most to regulators and banks: who keeps the fiat rails open, and how is the risk being laundered into “legitimate” infrastructure? In its May 2024 whistleblower request, FinTelegram described the structure as MEXC → MEXC Estonia OÜ → Paytend Europe UAB, with Paytend functioning as the regulated payment layer enabling bank-transfer fiat flows. On 18 February 2026, FinTelegram escalated from reporting into formal public accountability with an Open Letter to Paytend Europe UAB. FinTelegram stated it had sent an urgent notification to Paytend’s compliance/board and warned that Paytend’s rails were facilitating MEXC. The open letter further asserted that forensic tests confirmed Paytend was still processing Euro deposits for MEXC via Finetix Ltd S.R.L., and pointed to referral-traffic signals tying Paytend’s inbound audience to MEXC properties. Less than three weeks later, the Bank of Lithuania published its inspection outcome: Paytend Europe UAB lost its licence. The Bank stated that Paytend’s monitoring measures were insufficient across all stages, internal investigations were incomplete or formalistic, and suspicious transaction reports were not submitted despite escalation indicators. Read our Paytend Europe reports here. Then came the line that should make every compliance officer sit up: Paytend provided the supervisor incorrect information about its relationship with a high-risk customer and failed to retain/submit the correspondence related to that relationship. FinTelegram’s Role: Not “Cause,” But a Public Record That Matters Let’s be precise—and strong. FinTelegram does not claim to be the regulator. The Bank of Lithuania acted under its own statutory mandate, based on its own inspection. But FinTelegram did three things that are strategically decisive: Mapped the rail and named the facilitator early.FinTelegram identified Paytend’s role in MEXC’s European fiat access long before the enforcement action—turning a vague “crypto risk” story into a traceable compliance architecture. Put the facilitator on notice and made it public.The open letter placed Paytend’s compliance posture under public scrutiny and created a timestamped record of FinTelegram’s concerns—explicitly referencing the MEXC rail and the intermediating structure described in FinTelegram’s testing. Built evidence-led pressure that is hard to SLAPP away.The Bank of Lithuania’s later findings—systemic monitoring deficiencies, failure to escalate STRs, internal-control failures, and the “high-risk customer correspondence” issue—are exactly the type of supervisory language that validates the direction and seriousness of FinTelegram’s prior warnings. In short: FinTelegram did not “revoke the licence.” FinTelegram did what a CyberFinance Intelligence platform is supposed to do—identify the rail, name the node, and force the compliance question into daylight. Was the “High-Risk Customer” MEXC? The Bank of Lithuania did not name the customer. Full stop. However, FinTelegram has publicly documented Paytend’s relationship with MEXC-linked rails since 2024 and reiterated it in February 2026 with specific references (including Finetix as the front-layer and Paytend as the regulated pipe). On that basis, FinTelegram assesses that MEXC is a plausible candidate for the unnamed “high-risk customer” referenced in the revocation announcement. This remains an inference until the underlying supervisory file becomes public or is otherwise confirmed. What This Means for MEXC and the Ecosystem Even without naming MEXC, the Paytend revocation has immediate ecosystem implications: Fiat access fragility: When a core EMI node is removed, high-risk platforms must scramble for replacement rails—often through weaker intermediaries, more opaque shells, or riskier PSPs. Regulatory heat transfer: Enforcement against the facilitator is frequently a prelude to deeper scrutiny of the downstream customer relationships that created the risk. Validation effect: This event strengthens FinTelegram’s earlier characterization of MEXC as structurally problematic from a compliance standpoint—because the rails described by FinTelegram now intersect with a regulator’s declaration of serious and systematic AML/CFT failure and a mishandled “high-risk customer” relationship. Conclusion The Bank of Lithuania’s revocation of Paytend Europe UAB’s EMI licence is a major compliance event in its own right. But it is also a reputation event for FinTelegram: a demonstration that rigorous rail mapping, evidence-led escalation, and public accountability can anticipate and align with regulatory outcomes. FinTelegram will continue to publish structured CyberFinance Intelligence that identifies not only the schemes—but also the facilitators who keep them operational. Call for Whistleblowers and MEXC Customers If you are a current or former MEXC customer, or a current/former employee or service provider connected to Paytend, Finetix, MEXC Estonia OÜ, or any MEXC fiat on-ramp/payment orchestration stack, we want evidence. We are especially looking for: bank transfer beneficiary details and payment instructions used for MEXC deposits/withdrawals Paytend/Finetix-linked correspondence, contracts, onboarding packs, or compliance questionnaires screenshots of MEXC deposit flows, KYC/AML interactions, freezes, and withdrawal denials payment processor identifiers: PSP names, acquirers, IBANs, descriptors, merchant entities, routing screenshots internal compliance/risk decisions (where available) Submit securely via Whistle42. Share Information via Whistle42

Winnita’s Pay-by-Bank deposit flow routes player funds through an opaque chain in which the player sees neither the offshore casino operator nor the ultimate economic beneficiary. Instead, the visible payment journey runs through the anonymous gateway payment  checkout.instantbankpayment.com, the regulated open-banking provider Token GmbH/Token.io, the customer bank Revolut, and the named payee Domus Payment Solutions, creating material compliance, AML, and consumer-protection concerns. Key findings Winnita’s Pay-by-Bank deposit rail uses the generic gateway checkout.instantbankpayment.com, not a clearly identified casino-branded payment page, which immediately reduces transparency for the player.​ In the Revolut authorization flow, Token GmbH appears as the regulated third-party provider initiating the payment via open-banking APIs. In the payment review screen, the named payee is Domus Payment Solutions rather than the casino operator or disclosed gambling merchant. Public materials show Token GmbH/Token.io is a regulated PISP/AISP open-banking provider active in Pay-by-Bank services across Europe, including the iGaming sector. Public materials show Domus Payment Solutions presents itself as a payment platform and wallet provider, while external compliance-focused profiles link it to high-risk payment activity and historical regulatory questions. From the player’s perspective, the transaction is economically a casino deposit but operationally appears to be a transfer to a payment processor, making complaints, disputes, and forensic tracing materially harder. From the bank’s perspective, the visible beneficiary is the processor, not the casino merchant, which can impair risk classification, transaction monitoring, and gambling-related controls. Because Pay-by-Bank is an account-to-account push payment rail, players generally do not benefit from card-scheme chargeback rights, which increases the consequences of merchant opacity. Overview This report analyzes the Pay-by-Bank deposit rail used by the offshore casino Winnita, with a focus on the transaction chain Winnita -> InstantBankPayment -> Token GmbH -> Revolut -> Domus Payment Solutions. The evidence indicates a payment flow in which the player initiates a casino deposit, but the visible payment counterparties are a generic gateway, a regulated open-banking payment initiator, and a payment processor acting as payee rather than the underlying gambling operator. From a compliance and consumer-protection standpoint, this structure is problematic because it obscures the identity of the ultimate merchant from both the player and, at least on the face of the payment instruction, the executing bank. This undermines transparency, complicates complaints and refunds, and may weaken the effectiveness of merchant due diligence, AML screening, and transaction monitoring across the payment chain. Rail description The observable Winnita Pay-by-Bank flow begins in the casino cashier and redirects the player to checkout.instantbankpayment.com, a generic payment interface that does not itself disclose the gambling merchant in the manner players would reasonably expect.​ The player is then redirected into a Revolut authentication and consent flow in which Revolut asks the user to authorize Token GmbH, indicating that Token is the third-party provider invoking open-banking access and payment initiation. A subsequent review screen shows the beneficiary as Domus Payment Solutions and states that Token.io is initiating the payment.​ The result is a multi-layer structure in which the player’s bank account is debited for a casino deposit, but the visible beneficiary is a processor and not the casino operator or receiving merchant itself. Condensed rail view EntityVisible to playerApparent role in Winnita railCompliance relevanceWinnitaYes​Offshore casino / deposit originator​Source of the payment intent; gambling context is clear at cashier stage but disappears downstream.​InstantBankPayment (checkout.instantbankpayment.com)Yes​Generic checkout gateway / front-end payment router​Anonymous or minimally branded gateway design reduces merchant transparency and frustrates user understanding.​Token GmbHToken.ioYes, at bank consent stageRegulated open-banking PISP/AISP initiating the bank paymentFCA & BaFinregulated, Key regulated chokepoint; responsible for partner due diligence, governance, and risk controls proportionate to high-risk sectors.RevolutYes​ASPSP / executing bank for the player account​Executes authenticated push payment, but may only see processor-level beneficiary data rather than the underlying casino merchant.Domus Payment SolutionsDomuspay.ioYes, as payee​Named beneficiary / merchant-of-record / payment processorProcessor intermediation can mask the economic purpose and ultimate gambling merchant from players and banks.Underlying casino operator / merchantNo​Ultimate economic recipient or beneficiary of casino deposit​Non-disclosure creates consumer-protection, AML, and merchant-identification concerns. Token GmbH The BaFin and FCA-regulated Germen Token GmbH, commonly branded as Token.io within the group structure, is publicly presented as a regulated open-banking provider offering payment initiation and account information services across Europe and the UK. The Open Banking directory lists Token GmbH and Token.io Ltd as regulated providers, and Token.io markets itself as account-to-account payments infrastructure for PSPs, gateways, acquirers, and banks. Token also publicly identifies iGaming as one of the verticals it serves, which is significant in the present context because Winnita’s deposit rail appears to use Token’s infrastructure as the regulated payment-initiation layer between the checkout gateway and Revolut. This does not make Token the casino merchant, but it places Token at a central compliance chokepoint in the rail. Domus Payment Solutions Domus Payment Solutions (Domuspay.io) appears in the Winnita rail as the named payee on the payment review screen rather than the casino operator (screenshot left).​ Publicly available Domus materials present the company as a payment platform, wallet, and international payments provider, while external compliance-oriented profiles describe it as a payment processor active in high-risk environments and note regulatory-history issues around its Canadian MSB status. For the purposes of the Winnita rail, Domus is the immediate beneficiary visible to the player and likely the payment-facing entity visible to the bank. That role is highly significant because it separates the payer from the actual gambling merchant and can obstruct both consumer understanding and effective transaction classification. Compliance analysis Merchant opacity The most serious issue is the disappearance of the actual merchant from the payment journey. The player begins at an offshore casino cashier and intends to fund gambling activity, yet the payment instruction presented in the banking flow identifies Domus Payment Solutions as payee and the German Token GmbH as the initiator, not the casino operator. This is a classic merchant-opacity problem: the commercial reality of the payment is not accurately reflected in the payment-facing presentation. This creates several compliance consequences. First, it frustrates the principle that payers should understand whom they are paying and for what purpose. Second, it may impair the bank’s ability to identify the transfer as gambling-related if the beneficiary descriptor and routing logic point primarily to a processor rather than the underlying merchant. Third, it weakens auditability because the user-facing evidence chain no longer clearly ties the debit to the underlying casino operator. Consumer protection From the player’s perspective, the payment is functionally a casino deposit but legally and operationally resembles a transfer to a processor. That distinction matters because account-to-account open-banking payments generally do not provide the chargeback protections associated with card rails, and industry materials around Pay-by-Bank explicitly market lower chargeback exposure as a merchant benefit. As a result, players face a particularly adverse combination of risks: no clearly disclosed gambling merchant, no intuitive route for complaint against the ultimate recipient, and limited post-transaction recourse once the push payment has been authenticated and executed. In practical terms, the player may only see “Domus Payment Solutions” on the payment screen or account record, making it difficult to contest the transaction as a casino deposit or to connect it to the offshore operator behind the gambling site. AML and transaction monitoring Merchant opacity also matters for AML, sanctions screening, and high-risk merchant controls. When the visible beneficiary is a processor rather than the actual gambling merchant, the payment chain may appear cleaner or less risky than the underlying economic activity justifies. This can reduce the effectiveness of customer-risk and merchant-risk models at multiple points in the chain, particularly if onboarding and monitoring focus on the direct processor relationship rather than the downstream casino portfolio. For regulated actors such as Token and Revolut, that raises questions about how downstream merchant activity is identified, classified, and monitored where processors or gateway operators stand between the bank and the underlying offshore casino. For Domus, the issue is even more direct: acting as named payee for deposits that are economically casino transactions may amount to systematic concealment of the true merchant context from the payer and possibly from bank-side controls. Regulatory Chokepoints The Winnita rail demonstrates that regulated entities remain embedded in the chain even where the gambling merchant is offshore. Revolut is the customer-facing bank, and Token is the regulated PISP/AISP facilitating the initiation layer.  That means the rail is not outside supervisory reach simply because the casino is offshore; rather, the key compliance question becomes whether the regulated participants are adequately identifying and managing the downstream merchant risk. In high-risk sectors such as offshore gambling, regulators and payment partners would reasonably ask whether onboarding, due diligence, and ongoing monitoring sufficiently identify the ultimate merchants, the jurisdictions served, the legality of the gambling offer, and the transparency of the payee information shown to end users. The evidence in the Winnita flow suggests those questions are not merely theoretical. Comparison with other rail cases The Winnita findings fit a broader pattern observed in other offshore casino payment-rail investigations, where processors rather than gambling operators appear as visible payees in open-banking deposit flows.​ FinTelegram’s 1Go Casino rail investigation documented another layered flow involving InstantBankPayment and processor intermediation, including a route in which Domus Payment Solutions appeared as payee rather than the casino operator.​ That recurrence strengthens the inference that processor-level payee substitution is a systematic feature rather than an isolated technical artifact. Read our 1Go casino rail analysis here. Conclusions The Winnita Pay-by-Bank rail is not merely a neutral payment architecture. It is an opaque, processor-mediated structure in which the player initiates a casino deposit but is shown neither the ultimate merchant nor, apparently, the true gambling beneficiary in the bank payment flow. That opacity creates material consumer-protection harm, weakens payment transparency, complicates complaints and recovery efforts, and raises significant AML and merchant-monitoring questions for every regulated participant in the chain. The central compliance consequence is straightforward: when the visible payee is a processor such as Domus Payment Solutions instead of the actual casino merchant, both the payer and the executing bank lose sight of the true economic counterparty. In a high-risk sector such as offshore gambling, that is a serious red flag because it can conceal merchant identity, impair risk controls, and deprive players of meaningful post-transaction remedies. Call for information Players, insiders, payment professionals, and counterparties with knowledge of Winnita or similar offshore casino rails are encouraged to submit additional material to FinTelegram via the Whistle42 whistleblower platform. Relevant evidence includes payment confirmations, bank statements, screenshots of deposit and payout flows, merchant descriptors, support correspondence, KYC or onboarding documents, and any records showing which processor or beneficiary actually received the funds. Share Information via Whistle42

Editorial Note: The legal notice was signed by a person identifying himself as Hennadii Postnov, Director of Capitolio Inc. FinTelegram has not yet been able to independently verify this individual’s director status from publicly accessible sources. Capitolio is invited to provide an Alberta corporate registry extract, director resolution, or other evidence confirming Mr. Postnov’s authority to act for the company. After FinTelegram identified CAPITOLIO INC. as the visible payee in a tested 1Go Casino Revolut/Yapily open-banking deposit flow, the Canadian MSB demanded removal of the report. But Capitolio’s own notice does not refute the key payment-rail finding. On the contrary, it confirms that Capitolio appears as named payee in transactions processed through its open-banking on-ramp infrastructure. Since publication, Capitolio appears to have corrected regulatory information on its website, and 1Go Casino appears to have removed the Revolut option from its cashier. This is precisely why FinTelegram’s Rail Atlas matters. 2-Minutes Briefing FinTelegram’s Rail Atlas was created to document how offshore casino deposit flows travel through payment gateways, open-banking providers, wallets, crypto rails, and regulated chokepoints before reaching the final bank-facing payment screen. The recent 1Go Casino / Capitolio case provides a useful methodology example. Read the 1Go Casino rail analysis here. In the original FinTelegram review, a tested 1Go Casino deposit flow led from the casino cashier through several gateway layers and ultimately to a Revolut/Yapily open-banking screen where CAPITOLIO INC. appeared as the visible payee. Capitolio later sent FinTelegram a formal legal notice demanding removal of the article. The notice alleges defamation and demands full removal, but it does not appear to refute the central screenshot-based finding. Instead, Capitolio states that it appears as named payee in transactions processed through its Open Banking on-ramp infrastructure, describing this as standard technical architecture. That statement is important. It means the core issue is not whether FinTelegram correctly saw Capitolio as payee. Capitolio’s position appears to confirm that this can be the normal setup for its on-ramp infrastructure. The real question is whether open-banking rails, PISPs, PSPs, MSBs, and banks can detect the underlying commercial purpose when the user starts inside an offshore casino cashier but the bank-facing payee is a payment-infrastructure entity. Since the publication, two further developments strengthen the Rail Atlas thesis: First, Capitolio appears to have modified its website. Earlier screenshots showed Capitolio displaying CSSF registration number B00000408 and RCS number B222310 under the headline “Company Registered in Canada.” Those identifiers match Banking Circle’s Luxembourg regulatory references; Banking Circle’s own website identifies Banking Circle S.A. as a Luxembourg credit institution supervised by the CSSF and lists financial registration number LUB00000408 and trade register number B222.310, with its footer also showing CSSF registration number B00000408 and RCS number B222310. Capitolio’s current public pages now present the Canadian registration and FINTRAC information, including FINTRAC registration M24928320 and Corporate Access Number 2025599024. Second, a fresh review of the 1Go Casino cashier indicates that the Revolut rail has apparently been removed, while other open-banking / Pay by Bank rails remain available. In the updated review, FinTelegram again found Domus Payment Solutions as payee in a Pay by Bank rail, and an additional open-banking route led via secure.bankgate.io toward a bank login interface showing Bridge SaltEdge API. Salt Edge publicly markets payment initiation and open-banking products, and Bridge documentation describes open-banking payment initiation functionality. This is the broader message: payment-rail reporting works. It creates visibility. It forces processors to respond. It causes infrastructure changes. And it exposes the structural weakness in open-banking casino payments: the visible payee may not be the player-facing casino brand. Key Findings Capitolio demanded removal of FinTelegram’s report but did not identify a clear factual error in the core rail evidence. The notice mainly objects to categorisation, framing, lack of pre-publication contact, and personal-data handling. Capitolio appears to confirm the central payee finding. Its notice states that Capitolio appears as named payee in transactions processed through its Open Banking on-ramp infrastructure. This confirmation is methodologically important. It supports FinTelegram’s core Rail Atlas concern: in open-banking rails, the bank-facing payee may be the infrastructure/on-ramp provider rather than the underlying merchant or casino brand. FinTelegram made proportionate editorial adjustments. The category “Illegal Payment Services” was removed, a personal name was removed, and the word “scheme” was replaced with “operating model.” These changes do not alter the core payment-rail finding. Capitolio appears to have corrected its website after publication. Earlier evidence showed CSSF/RCS identifiers matching Banking Circle references; the currently visible Capitolio pages now present Canadian and FINTRAC registration details. Capitolio identifies itself as an Alberta corporation and FINTRAC-registered MSB with registration number M24928320. The original CSSF/RCS issue was real and relevant. Banking Circle’s official regulatory-information page lists the same Luxembourg-style identifiers: CSSF registration number B00000408 and RCS number B222310. The 1Go Casino cashier appears to have changed after FinTelegram’s report. A fresh FinTelegram review indicates that the Revolut option was removed from the cashier, while Pay by Bank and crypto-related rails remained visible. Domus Payment Solutions still appeared as payee in a Pay by Bank rail. This means the non-casino-payee issue did not disappear; it shifted to another rail. Bridge / SaltEdge appeared in the updated open-banking route. The updated review showed a bank login page referencing Bridge SaltEdge API, reached after routing through secure.bankgate.io. Salt Edge and Bridge both publicly describe open-banking / payment-initiation infrastructure. What Capitolio’s Notice Actually Says Capitolio’s notice is framed as a formal legal demand. It alleges that FinTelegram’s article is inaccurate, misleading, and defamatory, and it demands complete removal. It relies on Alberta defamation law, Austrian law, EU platform rules, and GDPR arguments. However, from a Rail Atlas perspective, the most important sentence is not the legal threat. It is this position: Capitolio states that it appears as named payee in all transactions processed through its Open Banking on-ramp infrastructure. Capitolio presents this as a defence: it says the payee appearance is a standard technical architecture and not a compliance violation. FinTelegram’s interpretation is different. The fact that Capitolio appears as payee may indeed be part of its technical model. But that is exactly why the case matters. If the technical architecture of an open-banking on-ramp means that the infrastructure provider appears as the visible payee for casino deposits, then the decisive compliance question becomes: Does the bank, PISP, MSB, processor, and transaction-monitoring system still see the upstream casino context? If not, open banking can create payment-purpose dilution. Capitolio’s Position vs. FinTelegram’s Interpretation IssueCapitolio’s PositionFinTelegram’s InterpretationPayee appearanceCapitolio says it appears as named payee in transactions processed through its Open Banking on-ramp infrastructure.This confirms the observed payee role. The unresolved question is whether the upstream casino context was visible and monitored.Technical architectureCapitolio argues this is standard and not a violation.Standard architecture can still create systemic compliance risk if it masks the underlying merchant purpose.1Go Casino connectionCapitolio disputes FinTelegram’s framing and demands removal.The screenshot-based finding remains: a tested 1Go Casino flow showed CAPITOLIO INC. as payee.Article categoriesCapitolio objected to “Illegal Gambling” and “Illegal Payment Services.”FinTelegram removed “Illegal Payment Services” and can keep the focus on payment-rail evidence, not adjudicated liability.“Scheme” wordingCapitolio objected to the word “scheme.”FinTelegram replaced it with “operating model.”Compliance officer nameCapitolio objected to personal-data use.FinTelegram removed the personal name.Core Rail Atlas issueCapitolio says no compliance violation is established.FinTelegram says the structure raises legitimate questions about merchant visibility, KYB, payment-purpose classification, and casino-origin funds. Why the Capitolio Response is Interesting The Capitolio letter is important because it illustrates a recurring pattern in payment-rail investigations. Payment processors and infrastructure providers may not deny the architecture. Instead, they may argue that the architecture is standard, technical, or necessary. That is not the end of the inquiry. It is the beginning. If the architecture causes a bank-facing payee to differ from the consumer-facing merchant, then compliance teams must ask: Who is the real merchant? Who onboarded the merchant? Who knows the payment is casino-related? What does the bank see? What does the PISP see? What does the MSB see? What does the consumer see? Is the payment classified as gambling, gaming, crypto, or ordinary services? Are high-risk jurisdictions and unlicensed gambling markets blocked? The answer cannot simply be: “This is how open banking works.” If open banking works in a way that removes the casino brand from the bank-facing payee layer, then regulators should examine whether the model creates a blind spot. The Website Correction: Why the CSSF/RCS Issue Matters One of FinTelegram’s findings in the Capitolio article concerned an unusual regulatory-information issue. Earlier screenshot evidence showed Capitolio’s website displaying: Company Registered in CanadaCSSF registration number: B00000408RCS number: B222310 That was problematic because CSSF/RCS identifiers are Luxembourg regulatory/company references, not Canadian corporate identifiers. Banking Circle’s official regulatory page lists Banking Circle S.A. as a Luxembourg credit institution supervised by the CSSF and provides financial registration number LUB00000408 and trade register number B222.310; its footer also displays CSSF registration number B00000408 and RCS number B222310. FinTelegram did not claim that Capitolio was connected to Banking Circle. The issue was website integrity and regulatory representation. A Canadian MSB should not display unexplained Luxembourg banking identifiers that appear to correspond to another financial institution. After the FinTelegram report, Capitolio appears to have modified the website. The currently visible Capitolio pages now present Canadian registration information, including FINTRAC registration number M24928320 and Alberta Corporate Access Number 2025599024. That is a concrete impact. FinTelegram identified an apparent regulatory-information anomaly. The website appears to have been corrected. That is precisely what compliance reporting is supposed to achieve. The Updated 1Go Casino Cashier: Revolut Removed, Rails Remain A fresh FinTelegram review of the 1Go Casino cashier indicates that the Revolut tile has apparently disappeared from the visible payment options. The updated cashier still showed: Crypto Currency; ByBit; Pay by Bank; another Pay by Bank-style rail; This suggests that the specific Revolut rail identified in the original report may have been removed or disabled after publication. If so, that would be another meaningful impact of the Rail Atlas report. However, the broader rail problem remains. The updated 1Go Casino review found Domus Payment Solutions as payee in the Pay by Bank rail. In addition, the open-banking route now led through secure.bankgate.io and into a bank login page that displayed Bridge SaltEdge API. Salt Edge publicly describes payment-initiation services as enabling payments through open-banking channels, and Bridge’s documentation describes open-banking payment initiation via payment requests. This means the 1Go cashier may have changed rails, not necessarily reduced risk. The names may change. The methodology remains the same: follow the rail from the casino cashier to the bank-facing authorisation screen and identify the real payee, the PISP, the gateway, and the responsible processor. The Updated 1Go Rail Map Original Revolut / Yapily / Capitolio Rail LayerObserved ElementCompliance RelevanceCasino front-end1Go Casino cashierUser starts a casino deposit.Gateway layerBillBlendFirst visible payment-routing layer.Gateway layerSegoPayAdditional payment-routing layer.Gateway layerTryztoOpaque intermediary layer.Open-banking bridgeInstantBankPaymentBridge into bank/open-banking flow.Regulated PISP layerYapily Connect UABUser authorised Yapily through Revolut OBA.Bank-facing endpointRevolut OBAFinal authorisation interface.Visible payeeCAPITOLIO INC.Non-casino payee shown at bank-facing layer. Updated Pay by Bank / Bridge / SaltEdge Route LayerObserved ElementCompliance RelevanceCasino front-end1Go Casino cashierUser starts a casino deposit.Payment optionPay by BankAccount-to-account deposit rail remains available.Gatewayssecure.bankgate.iocheckout.instantbankpayment.comRouting layer into bank-authentication flow.Open-banking interfaceBridge SaltEdge APINew or alternative open-banking layer observed in the updated review.Open banking facilitatorsBridge by Perspecteev(https://bridgeapi.io) SaltEdge (https://saltedge.com)Bridge (Perspecteev) and SaltEdge are operated by regulated financial service providers in the UK and France and should not facilitate illegal casinos.Bank loginSelected bank login screenUser is directed into bank authentication.Visible payee in related Pay by Bank flowDomus Payment SolutionsNon-casino payee issue remains present in the 1Go cashier environment. Rail Atlas Methodology: The Lesson From Capitolio The Capitolio case demonstrates why FinTelegram does not merely report “payment options.” It maps payment rails. A casino cashier screenshot is only the starting point. The relevant questions emerge only after following the user journey: Which gateway appears first? Which intermediary domains are used? Which regulated PISP or open-banking provider appears? Which bank authorisation screen appears? Who is the visible payee? Is the payee the casino brand, the operator, a payment agent, an MSB, or a third-party collection entity? Does the payment purpose remain visible as gambling? Do the rails change after public exposure? The Capitolio case answers one of these questions in a particularly important way. Capitolio’s notice states that Capitolio appears as named payee in its open-banking on-ramp transactions. That may be technically standard for Capitolio. But in a casino-origin flow, it raises exactly the compliance issue FinTelegram identified. The question is not merely whether the payee name is technically correct. The question is whether the payment ecosystem understands that the money started as a casino deposit. Why This Matters for Payment Processors FinTelegram’s reporting is designed to create visibility and accountability across high-risk payment rails. The objective is not to attack legitimate payment innovation. The objective is to ensure that regulated and semi-regulated payment infrastructure is not used to support offshore casinos that target users in jurisdictions where they do not hold the required local licence. 1Go Casino is publicly associated with Galaktika N.V. and a Curaçao licence. Public casino pages identify Galaktika N.V. as the operator and reference Curaçao licence OGL/2024/169/0146. The Cyprus-based Unionstar Limited is named as the casinos payment agent. A Curaçao licence does not automatically authorise an operator to target players in every EU jurisdiction. In many European markets, online gambling requires local authorisation, national licensing, or strict compliance with domestic gambling rules. This is where payment processors become relevant. If a casino cannot lawfully operate in a target jurisdiction, payment processors should not provide hidden or indirect funding channels into that market. The key compliance expectation is simple: Do not let payment architecture turn an illegal or unauthorised casino deposit into an ordinary-looking bank transfer to a payment-infrastructure company. Regulatory Questions Raised The Capitolio response and the updated 1Go cashier raise several questions for regulators and payment firms: If an open-banking on-ramp provider appears as named payee, how is the underlying merchant shown to the user, the bank, and the PISP? If the payment originates in a casino cashier, who is responsible for classifying the transaction as gambling-related? Can banks detect casino-origin deposits where the visible payee is an MSB, PSP, or payment agent? Do PISPs and open-banking aggregators receive upstream merchant-category information from gateways and payment orchestrators? Are processors required to block merchants that target jurisdictions where the casino lacks local authorisation? What happens when a rail is removed after media exposure? Is the merchant terminated, migrated, or simply re-routed? Does the replacement of one rail with another indicate genuine compliance remediation or merely payment-rail rotation? Should open-banking consent screens disclose the underlying merchant and commercial purpose, not only the technical payee? These are not theoretical questions. They are now visible in live casino payment flows. Conclusion Capitolio’s legal notice did not undermine FinTelegram’s Rail Atlas reporting. It strengthened the methodology. The central finding was that CAPITOLIO INC. appeared as the visible payee in a tested 1Go Casino Revolut/Yapily open-banking deposit flow. Capitolio’s response did not clearly refute that. Instead, it stated that Capitolio appears as named payee in transactions processed through its open-banking on-ramp infrastructure. That is exactly the point. The payment industry may regard this as normal technical architecture. FinTelegram regards it as a critical compliance question when the upstream transaction originates from an offshore casino cashier. If the casino brand disappears before the transaction reaches the bank-facing layer, payment-purpose dilution has occurred. The aftermath is also telling. Capitolio appears to have corrected its website after FinTelegram highlighted the CSSF/RCS anomaly. 1Go Casino appears to have removed the Revolut rail after FinTelegram exposed the Revolut/Yapily/Capitolio flow. But other rails remain, including Pay by Bank routes, Domus Payment Solutions as payee, and a newly observed Bridge/SaltEdge route through secure.bankgate.io. That is the Rail Atlas lesson: The rail may change.The payee may change.The gateway may change.The compliance question remains. FinTelegram will continue following the payment rails, documenting the chokepoints, and asking payment processors, PISPs, MSBs, banks, and regulators the same question: Do your systems know when an ordinary-looking account-to-account payment is actually an offshore casino deposit? Call for Information If you, as a player or insider, have information about Capitolio or other payment facilitators in the casino industry, please share it with us via our whistleblower platform, Whistle42. If you have any relevant payment documents or screenshots, please send them to us. Share Information via Whistle42

FinTelegram has received a victim-organized app list that changes the OpenPayd–Klickl case materially. The list identifies several dozen victim-app entries and at least 27 different app/front-end names allegedly used to lure victims into the same OpenPayd–Klickl payment rail. KXTRA and Peelhuntaicore were not isolated brands. They appear to be part of a disposable app-front-end layer feeding victim funds into OpenPayd Malta vIBANs / CFTEMTM1 and onward to Klickl Europe. 2-Minute Briefing The OpenPayd–Klickl fraud rail was evidently fed by a whole factory of fake investment apps. A victim-organized list reviewed by FinTelegram identifies 46 victim-app entries and at least 27 distinct app/front-end names, including Peelhuntaicore, KXTRA, PHFINCORE, FinTechX, BMEBEX, MirrorTrd, SSGM Pro, YHT, KKRDE, kkr-am-pro, KzipPro, FD MIN, Quantanils, Phantom, Voya, SSIM INT, KIZ/Kl Zep variants, and others. This changes the case. We are no longer looking at one scam app or one impersonation scheme. The evidence points to a multi-app fraud architecture: disposable app frontends, WhatsApp/Telegram grooming, fake dashboards, blocked withdrawals — and a stable payment backend. The stable backend is the key. Previous OpenPayd payment summaries show victim Payins followed by immediate transfers to Klickl Europe Sp. z o.o. with the reference “Sweep to Primary Account.” OpenPayd’s GDPR response to victims confirmed the vIBAN architecture: OpenPayd’s corporate client was Klickl Europe; the victim-facing IBAN was a named virtual IBAN linked to Klickl Europe’s payment account; funds credited to that account became the property of Klickl Europe. Public warnings support the app-front-end pattern. Legitimate Peel Hunt warns that it does not use WhatsApp, downloadable apps or social-media channels for regulated investment activity and specifically names PEELHUNTAICORE and PHFINCORE as apps not associated with Peel Hunt. BaFin has warned about WhatsApp groups pushing alleged crypto trading through FintechX and FNTCX apps. Public scam reports also identify BMBEX/BMEBEX, MirrorTrd, SSGM Pro, and YHT as high-risk or scam-linked trading/app names. The frontends changed. The rail stayed the same. Key Findings The app list is “mindblowing” evidence of scale. The screenshot identifies dozens of victim-app entries and at least 27 distinct app/front-end names. This is not one rogue app. It is a repeatable app-front-end layer. Peelhuntaicore was only one face of the scheme. Seven listed victims are connected to Peelhuntaicore, but the list also includes KXTRA, PHFINCORE, FinTechX, BMEBEX, MirrorTrd, SSGM Pro, YHT and many more. The payment backend is the common denominator. Prior OpenPayd summaries show Payin → Transfer → Klickl Europe, often with “Sweep to Primary Account.” The app names changed; the OpenPayd–Klickl rail remained stable. The apps match known scam typologies. Peel Hunt publicly denies any link to Peelhuntaicore and PHFINCORE, while BaFin and public scam warnings identify similar WhatsApp/app crypto-trading schemes involving FintechX, FNTCX, BMEBEX, MirrorTrd, SSGM Pro and YHT. Klickl Europe cannot credibly be treated as a passive recipient. If dozens of app-front schemes funded Klickl Europe through OpenPayd vIBANs, Klickl should have merchant/customer data, wallet destinations, conversion records, ledger entries and transaction-monitoring alerts. OpenPayd must explain the vIBAN exposure. OpenPayd provided the vIBAN infrastructure. It must explain how many Klickl-linked vIBANs were issued, how many app-front complaints were received, and why repeated retail deposits did not stop the rail earlier. Regulators should treat this as a payment-enabled investment-fraud network. Disposable apps plus stable payment rails are not “weak compliance.” They are the operating model of modern cyber-enabled investment fraud. Key Data Table Entity / App / MechanismRoleEvidenceRed FlagOpenPayd Malta / CFTEMTM1vIBAN infrastructure / payment facilitatorOpenPayd files and GDPR responseVictim-facing vIBANs used for scam depositsKlickl Europe Sp. z o.o.(part of Klickl Group)Corporate client / sweep recipientPayment summaries show transfers to Klickl EuropeFunds repeatedly swept to same Polish VASPPeelhuntaicoreFake Peel Hunt app frontendVictim list; Peel Hunt warningLegitimate Peel Hunt denies associationPHFINCOREFake Peel Hunt-related app frontendVictim list; Peel Hunt warningNamed by Peel Hunt as not associatedKXTRAFake investment app frontendVictim list; Humer fileLinked to KKR-style investment narrativeFinTechX / FintechXApp/frontendVictim list; BaFin warning about FintechX/FNTCX in WhatsApp groupsGerman regulator warning patternBMEBEX / BMBEXApp/frontendVictim list; public scam warningsIdentity/brand-shift patternMirrorTrd / Mirror TradeApp/frontendVictim list; public warning reportsTrading-app scam warningSSGM ProApp/frontendVictim list; public low-trust/scam-risk reportsDisposable app / download ecosystemYHTApp/frontendMultiple victims in list; public high-risk broker/app reportsRepeated victim count; fake investment patternOther listed appsAbrI3, AGAMK, CSCpro, FD MIN, Gimch Elite, KIZ/Kl Zep variants, KR, KKRDE, kkr-am-pro, KzipPro, Phantom, Quantanils, SSIM INT, Voya, Y-Max 2.01Victim-organized app listRequires further victim files and app screenshots Rail Map Fake investment app frontend → WhatsApp / Telegram grooming → OpenPayd Malta named vIBAN / CFTEMTM1 → Payin → immediate Transfer → “Sweep to Primary Account” → Klickl Europe Sp. z o.o. → crypto/on-ramp or settlement layer → unknown operators Short explanation: the apps appear to be the disposable victim interface. They create the fake balance, fake profits and fake withdrawal process. The rail is the money machine: OpenPayd vIBAN intake, Klickl Europe as recipient, and an unknown downstream crypto or settlement layer. Read our Klickl Europe reports here. FinTelegram Assessment Established Facts The victim-organized app list contains 46 victim-app entries and at least 27 distinct app/front-end names. Previous OpenPayd payment summaries show victim deposits being transferred to Klickl Europe with “Sweep to Primary Account.” OpenPayd’s GDPR response confirms that the relevant named vIBAN was linked to Klickl Europe’s payment account and that credited funds became Klickl Europe’s property. Strong Inferences The evidence points to a scalable fraud architecture: many frontends, one payment backend. KXTRA and Peelhuntaicore were not exceptions. They were part of a broader app-front layer feeding OpenPayd–Klickl rails. Working Hypotheses Klickl is a global crypto scheme controlled by Chinese nationals. Klickl Europe is the scheme’s Polish entity – registered as a VASP – that is used as payment facilitators for this vast scam network. The Polish Klickl entity is registered as a merchant at OpenPayd, a licensed EMI supervised by the MFSA in Malta. So we are not dealing here merely with anonymous scammers, but also with specific registered and licensed payment processors, whose beneficial owners and executives can be held responsible for the victims’ losses (read our “Who is behind Klickl report here“). The same applies to the relevant regulators. Klickl Europe was not merely an accidental recipient. It evidently acted as on-ramp, settlement layer, or merchant-account hub for operators behind multiple fake investment apps. Whether Klickl or related persons were closer to the fraud operators remains open — but the volume and repetition make ignorance hard to accept. Open Questions Who created or controlled the apps? Which merchants or customers did Klickl onboard? Were funds converted to crypto? Which wallets or exchanges received the money? What transaction-monitoring alerts did OpenPayd and Klickl generate? Why were the same rails active across so many app names? Whistleblower / Victim Call FinTelegram is collecting: OpenPayd GDPR / DSAR responses; OpenPayd payment-summary Excel files; app screenshots; app download links or APK files; WhatsApp / Telegram group screenshots; fake broker names and phone numbers; vIBANs and bank receipts; Klickl account references; wallet addresses and transaction hashes; police reports; BaFin / regulator complaints; emails or chats from Klickl or OpenPayd. We are especially interested in Peelhuntaicore, PHFINCORE, KXTRA, FinTechX, BMEBEX, MirrorTrd, SSGM Pro, YHT, KKRDE, kkr-am-pro, KzipPro, FD MIN, Quantanils, Phantom, Voya, SSIM INT, and KIZ/Kl Zep variants. Share Information via Whistle42

FinTelegram has identified mixfind.com as the named payee in a Skrill Prepaid Mastercard verification screen during a casino deposit review. MixFind publicly presents itself as a Payment Support Portal that helps users identify unknown card charges — but its website does not disclose a legal entity, jurisdiction, ownership, PSP role, acquiring relationship, or merchant portfolio. We are asking players, insiders, PSP staff, and compliance officers to help identify the operator behind MixFind. Key Findings MixFind appeared as a transaction payee. In a Skrill Prepaid Mastercard verification screen reviewed by FinTelegram, the payee appeared as “mixfind.com” for a EUR 20.00 transaction. The transaction arose inside a casino deposit review. FinTelegram observed MixFind in the context of a payment test connected to an offshore casino cashier flow. MixFind does not present itself as a casino merchant. The website describes itself as a payment lookup portal for users who do not recognize a transaction and want to retrieve merchant and order information. MixFind claims to cross-reference “millions of transactions.” Its homepage says its system “securely cross-references millions of transactions” and allows users to view merchant name, contact information, and receipt data associated with a charge. The legal operator is not disclosed. MixFind’s terms refer only to “Company,” “we,” and “us,” but do not identify a legal entity, registration number, address, directors, jurisdiction, or licensing status. MixFind acknowledges “authorized billing partners.” Its terms state that the portal helps identify statement descriptors, debits, or card charges executed by “authorized billing partners.” MixFind says it is not a financial institution and does not process payments through the portal. That statement does not explain why mixfind.com appeared as a payee in the Skrill verification flow. MixFind’s privacy policy says inquiry data may be transmitted to merchants, payment gateways, or acquiring banks. This confirms that MixFind claims to sit near the merchant/gateway/acquirer reconciliation layer. Only an email address is provided. MixFind lists info@mixfind.com for legal, privacy, compliance, and DPO-style correspondence, but does not disclose a company name or physical address. Brief Summary: What We Know About MixFind MixFind describes itself as a Payment Support Portal for identifying unknown card charges. The site asks users to submit their name, email address, first six and last four card digits, transaction date, amount, and comments in order to “pull up” merchant and order information attached to a payment. Its terms define the portal as a billing inquiry tool for statement descriptors and card charges executed by authorized billing partners, while simultaneously stating that MixFind is not a bank, credit union, or financial institution and does not process payments through the portal. Its privacy policy is more revealing. It says MixFind may share inquiry data with the specific merchant, payment gateway, or acquiring bank associated with the charge. That places MixFind, at minimum, close to the charge reconciliation, descriptor, merchant-support, gateway-support, or acquirer-support layer. Read our Malina casino payment rail review here. The MixFind source code adds another layer to the concern. The site is a noindex/nofollow WordPress-based “Payment Lookup” portal using a custom /wp-json/payment-lookup/v1/lookup endpoint to collect partial card data and transaction details. Yet it discloses no legal operator, no jurisdiction, no PSP/acquirer relationship and no merchant portfolio. In light of MixFind appearing as the payee in a Skrill card verification screen, this is a descriptor-layer red flag that requires explanation from Skrill, the acquirer, MixFind’s undisclosed operator and its “authorized billing partners.” What MixFind does not disclose is equally important: no legal entity, no jurisdiction, no beneficial owner, no management, no registration number, no acquiring partner, no PSP relationship, no merchant portfolio, and no explanation why mixfind.com appeared as the named payee in a Skrill Prepaid Mastercard transaction connected to a casino deposit test. Call to Action FinTelegram Request: Who Is Behind MixFind? FinTelegram is seeking information about MixFind, the anonymously operated payment-support portal at mixfind.com, after the domain surfaced as a named payee in a Skrill Prepaid Mastercard verification screen during an offshore casino deposit review. We are especially interested in documents showing whether MixFind is: a merchant descriptor layer; a payment support portal for high-risk merchants; a chargeback-reduction or transaction-reconciliation tool; a payment facilitator interface; a merchant-of-record wrapper; a gateway support layer; an acquirer-facing inquiry system; or a front-end for another payment processor. We are asking casino players, payment insiders, PSP staff, acquiring-bank employees, compliance officers, fraud analysts, former employees, and whistleblowers to submit information through Whistle42. Please send us: Skrill, Neteller, MiFinity, card, bank, or wallet receipts showing mixfind.com as payee or descriptor; screenshots of payment verification screens naming MixFind; bank or card statements showing MixFind-related descriptors; emails or support replies from MixFind; charge lookup results from mixfind.com; merchant names returned by MixFind after entering transaction details; MCC data, ARN numbers, authorization codes, transaction IDs, or acquiring-bank references; documents identifying MixFind’s legal entity, owners, directors, PSP partners, acquiring banks, processors, or “authorized billing partners”; internal onboarding, KYB, risk, compliance, chargeback, or monitoring records involving MixFind; evidence linking MixFind to online casinos, betting platforms, crypto purchases, fake-FIAT deposits, or high-risk merchants. The central question is simple: Why does an anonymous “Payment Support Portal” appear as the payee in a Skrill card transaction connected to a casino deposit flow? Players and insiders can submit documents securely via Whistle42. Share Information via Whistle42

FinTelegram’s latest OpenPayd files show a hard pattern: victim deposits into OpenPayd vIBANs were swept to Klickl Europe Sp. z o.o. The Polish entity is controlled by Xu Zhao, who appears linked to Michael (Xu) Zhao, founder/CEO of Klickl and a crypto-finance figure connected to IDCM, VGPay, Crypto 1 Acquisition Corp, and C1 Fund. This is not a faceless payment rail. It has names, entities, and control points. 2-Minute Briefing Klickl is not a small Polish VASP. The Polish entity is only the EU-facing rail node of a broader, Chinese-controlled crypto-finance system with multiple business units, websites, jurisdictions, and payment functions. FinTelegram has repeatedly identified Klickl Europe Sp. z o.o. in OpenPayd victim files. The payment pattern is consistent: victims paid into OpenPayd named vIBANs / CFTEMTM1, and the funds were then transferred to Klickl Europe with the reference “Sweep to Primary Account.” That places the Polish entity directly inside the victim-fund flow. But the Polish company is not the whole structure. It is the European access point. Klickl’s own ecosystem presents a much larger operation. Klickl Pay describes itself as a “multi-jurisdictional virtual asset service provider” operating across different licensing frameworks and hubs. It offers merchant payments, global transfers, stablecoin payments, and fiat/crypto collection and payout functionality through wallet and API infrastructure. In other words, Klickl is not merely registering as a Polish VASP. It markets itself as a cross-border fiat-and-crypto payment system. The wider Klickl footprint includes multiple domains and product lines: klickl.com, klickl.eu, klicklpay.com, klicklx.com, klicklone.com, klicklcustody.com, ex.klickl.com, futures.klicklx.com, alliance.klickl.com, and other related digital-asset interfaces. These are not decorative websites. They map to payments, exchange, custody, merchant infrastructure, trading, Web3 accounts, and partner networks. The control question leads back to Xu Zhao / Michael Xu Zhao. The Polish register identifies Xu Zhao as the control person behind Klickl Europe. Public and SEC-linked materials connect Michael Xu Zhao to the broader Klickl/IDCM/VGPay/Crypto 1/C1 Fund network. This gives Klickl an international dimension: Poland for EU market access, ADGM/UAE for MENA positioning, Canada through the IDCM Exchange / FINTRAC node, U.S. vehicles through SEC-linked structures, and Hong Kong/China-linked crypto networks. That is the core finding: Klickl Europe appears to be the EU rail node of a global Klickl/Zhao crypto-payment system. OpenPayd provided the vIBAN infrastructure. Klickl Europe received the victim funds. The broader Klickl network must now explain where the money went, which business unit handled it, and who controlled the downstream wallets, exchanges, or settlement accounts. Read our reports on Klickl Europe here. Key Findings Klickl is not merely a Polish VASP. Klickl Europe is the EU-facing entity that appears in OpenPayd victim files, but the broader Klickl structure presents itself as a multi-jurisdictional crypto-finance and payment system with payments, fiat/crypto collection, stablecoin payments, exchange, custody, merchant services, Web3 accounts and API infrastructure. Klickl Pay explicitly describes itself as a multi-jurisdictional virtual-asset service provider. OpenPayd files place Klickl Europe inside the victim-fund flow. The payment summaries show the same pattern: victim Payin into OpenPayd infrastructure, immediate Transfer, and funds routed to Klickl Europe with the reference “Sweep to Primary Account.” The Humer file alone shows four Payins totaling €100,500, each matched by a transfer to Klickl Europe. The OpenPayd GDPR response confirms the vIBAN architecture. OpenPayd confirmed that the victim-facing IBAN was not a normal personal account, but a named virtual IBAN linked to Klickl Europe’s corporate payment account. OpenPayd also stated that once funds were credited, they became the property of Klickl Europe. That makes Klickl the economic recipient, not a passive name in the background. The Polish entity appears to be the EU rail node. Klickl Europe Sp. z o.o. is incorporated in Poland, disclosed with KRS 0001053580 and Polish virtual-asset registration RD WWW-930. Its role in the OpenPayd files suggests that it was used as the EU collection and on-ramp point for European victim flows. The Klickl ecosystem is global and multi-domain. The network includes or references multiple domains and product lines: klickl.com, klickl.eu, klicklpay.com, klicklx.com, klicklone.com, klicklcustody.com, ex.klickl.com, futures.klicklx.com, alliance.klickl.com, and related digital-asset interfaces. These map to payments, merchant collection, exchange, custody, Web3 accounts, trading and partner infrastructure. Klickl Pay adds a payment-system dimension. Klickl Pay markets merchant payments, global transfers and stablecoin payments, and says it integrates fiat and crypto payment modes into wallet or API infrastructure for domestic and cross-border collection and payment needs. That is directly relevant to the OpenPayd victim-fund flows. The network extends beyond the EU. Klickl’s broader map includes a Polish EU node, an ADGM/UAE node through Klickl International Limited, a Canadian FINTRAC-linked IDCM Exchange node, U.S. SEC-linked vehicles including Crypto 1 Acquisition Corp and C1 Fund, and Hong Kong/China-linked blockchain and crypto-payment connections. This is a global crypto-finance network, not a local Polish startup. The control question leads to Xu Zhao / Michael Xu Zhao. Polish register data identifies Xu Zhao as the controlling person behind Klickl Europe. Public and SEC-linked materials connect Michael Xu Zhao to the broader Klickl / IDCM / VGPay / Crypto 1 / C1 Fund ecosystem. The identity and control structure must be explained by Klickl, OpenPayd and regulators. The fraud-front exposure is no longer isolated. Klickl Europe appears in victim flows connected to fake investment fronts including KXTRA / KKR Global Investment and fake Peel Hunt / Peelhuntaicore. The evidence points to more than one scam brand using the same OpenPayd–Klickl rail. Klickl must hold the downstream data. If Klickl Europe was “only” an on-ramp, it should know the customer, ledger entries, wallets, exchanges, OTC desks, settlement partners and conversion records. If it cannot identify where the victim money went, the suspicion deepens. Read our report on the KXTRA and Peel Hunt scams here. The Key People Behind Klickl Michael (Xu) Zhao — The Control Person Behind The Polish Klickl Entity And The Global Klickl Network Michael (Xu) Zhao is the central control figure in the Klickl scheme (formerly known as the International Digital Currency Markets). In Poland, he appears as Xu Zhao, the control person behind Klickl Europe. In the global market, he appears as Michael Zhao / Michael Xu Zhao, founder and CEO of Klickl and Co-Founder / Managing Partner of C1 Fund in Dubai. This makes Klickl Europe the EU-facing rail node of a wider Zhao-controlled crypto-finance network — not an isolated Polish VASP. The hard corporate fact is in Poland: Xu Zhao is listed as president of the management board, beneficial owner, shareholder, and holder of the entire shareholding of Klickl Europe Sp. z o.o. Klickl Europe was the merchant/client entity in the OpenPayd rail that facilitated the investment scams KXTRA and Peel Hunt / peelhuntaicore. If victim funds were swept to Klickl Europe, the Polish control person is not a footnote. C1 Fund’s SEC materials identify Michael (Xu) Zhao as Vice Chairman and also Founder & CEO of Klickl. SEC filings for Crypto 1 Acquisition Corp identify Michael (Xu) Zhao as founder, CEO and director. The filing states that he began investing in crypto in 2016, served as founder/executive chairman of International Digital Currency Markets (IDCM), and founded/led VGPay, a crypto-payment business serving crypto exchanges and their clients. FinTelegram’s working position: Xu Zhao and Michael (Xu) Zhao appear to be the same control identity or directly connected control identity for Klickl Europe and the broader Klickl group. If Klickl disputes this, it should provide documentary clarification. Ben Huang, Dermot Mayes, Sanne Ke And The Public Team Klickl lists Ben Huang as President, Dermot Mayes as CEO of Klickl UAE, Shawn Xie as Head of KlicklONE, Alihan Ekesan as Head of Payments, Andrea Gay as Chief Strategy Officer, Jane Record as VP of Corporate Affairs, and Sanne Ke as Head of Compliance / MLRO. It also lists advisors including Dr. Najam Kidwai, Andrew Au, Nina Shapiro, and Mo Shaikh. This places Klickl in a broader crypto-finance network, not a simple Polish VASP box. Summary Table Person / EntityRoleJurisdiction / LinkEvidenceRed FlagXu Zhao akaMichael (Xu) ZhaoLinkedInPresident, UBO, full shareholder; Founder/CEO of Klickl; Crypto 1 founder/CEO/directorPoland / China-linked; US filings / crypto networkPolish register; C1 Fund SEC; LinkedIn profileControls entity receiving funds; DCM/VGPay crypto-payment backgroundBen HuangLinkedInPresident listed by KlicklKlickl public siteKlickl ExchangeNeeds clarification on role and oversightShawn XieLinkedInHead of KlicklONESingaporeKlickl ExchangeKlickl not listed in his LinkedIn profileSanne KeLinkedInHead of Compliance / MLRO listed by KlicklKlickl public siteKlickl ExchangeMust explain compliance controls; Klickl not mentioned in her LinkedIn profileDermot MayesLinkedInCEO, Klickl UAE listed by KlicklKlickl public siteKlickl ExchangeNeeds independent verification and role clarity; Alihan EkesanLinkedInHead of PaymentsKlicks public site Klickl ExchangeDr. Najam KidwaiLinkedInC1 Fund / advisor networkC1 Fund / KlicklC1 Fund, SEC,Klickl ExchangeLinks to broader digital-assets finance network FinTelegram does not allege that these persons operated any scam. The issue is governance accountability. If these individuals are publicly presented as leadership, payments, compliance, or advisory figures, then they should clarify what they know about Klickl Europe’s OpenPayd rails, onboarding, transaction monitoring, and victim-fund flows. Dr. Najam Kidwai And C1 Fund Links SEC materials for C1 Fund identify Dr. Najamul Kidwai as founder/chairman/director and refer to his digital-assets, blockchain, and software-investment background. Klickl Exchange also lists him in its board/advisor section as President and CEO of C1 Fund. This places Klickl in a broader crypto-finance network, not a simple Polish VASP box. Summary Table – The Klickl / Zhao Network The table should be used to frame Klickl as a multi-entity crypto-finance scheme, not merely as a Polish VASP. The Polish entity, Klickl Europe Sp. z o.o., is the entity repeatedly appearing in OpenPayd victim files as the recipient of swept funds. Klickl’s own disclosures also identify Klickl International Limited in ADGM and state that, unless otherwise specified, products and services on klickl.com are provided by Klickl Europe. SEC filings then connect Michael (Xu) Zhao to Klickl, Inc., IDCM, VGPay, Crypto 1 Acquisition Corp, and C1 Fund, creating a broader crypto-exchange, payment, and capital-markets network. CategoryEntity / DomainJurisdiction / StatusRole / RelevanceSource / EvidenceCore EU rail entityKlickl Europe Sp. z o.o.Poland; KRS 0001053580; VASP register RD WWW-930EU-facing Klickl entity. Identified in OpenPayd victim files as recipient of swept funds. Klickl says it provides services on klickl.com unless otherwise stated.Klickl disclosure states KRS 0001053580 and RD WWW-930; OpenPayd victim files identify Klickl Europe as receiver.Regulated ADGM entityKlickl International LimitedAbu Dhabi Global Market; FSRA firm; FSP No. 220070; activeADGM entity in the Klickl Group. Relevant to MENA positioning and regulated-crypto branding.ADGM register lists active financial firm, FSP date 16 Apr 2024; Klickl also discloses this entity.Legacy / broader group entityKlickl, Inc.SEC filings / Zhao-linkedC1 Fund filings say Zhao served as Executive Chairman of Klickl, Inc., formerly known as International Digital Currency Markets (IDCM).SEC / C1 Fund filing.Canadian MSB nodeIDCM Exchange LimitedCanada; FINTRAC-registered MSBRelevant because Klickl Pay’s disclosures reference IDCM Exchange Limited and the broader Zhao-linked IDCM legacy.FINTRAC-derived public registry data identifies IDCM Exchange Limited in Vancouver; Legacy crypto-exchange entityInternational Digital Currency Markets / IDCMInternational / Zhao-linkedCrypto exchange / digital-asset trading infrastructure. Reported predecessor or former name of Klickl, Inc.SEC / C1 Fund filing links Zhao to IDCM.Crypto-payment businessVGPayZhao-linked crypto-payment businessCrypto-payment operation; important because the OpenPayd/Klickl case concerns payment rails and crypto on-ramping.SEC / C1 Fund filing says Zhao was CEO of VGPay crypto-payment business.US SPAC vehicleCrypto 1 Acquisition CorpUnited States; SEC filer / SPACCapital-markets vehicle focused on digital assets / crypto / blockchain. Michael (Xu) Zhao identified as founder, CEO and director.SEC / C1 Fund filing.US fund structureC1 Fund Inc.United States; SEC filerDigital-asset / crypto-linked fund structure. Public materials identify Michael (Xu) Zhao as Vice Chairman and connect him to Klickl.SEC filing and Klickl/C1 public materials.Industry association linkHong Kong Blockchain AssociationHong Kong / industry associationNetwork node around Zhao and several public Klickl-linked persons; relevant to the China/Hong Kong crypto ecosystem.SEC/C1 materials and Klickl public-team context link Zhao and other named persons to HK blockchain circles.Group Domains / Brandsklickl.comklickluae.com/klicklpay.com / Klickl Payklicklone.com / KlicklONEklicklx.com / KlicklXklicklcustody.com / merchant.klicklcustody.comPublic websites & brandsProduct and service related websitespublic sourcesApp / related domaincryptoeasy.appApp/domainPreviously identified related app/domain; requires further verification of ownership and operational link.Investigative lead; verify before stating as confirmed group entity. Klickl Europe is the Polish entity that appears in the OpenPayd victim files, but the Klickl structure is broader. Klickl’s own disclosures point to a Polish VASP entity and an ADGM-regulated entity. SEC filings connect Michael (Xu) Zhao to Klickl, Inc., IDCM, VGPay, Crypto 1 Acquisition Corp and C1 Fund. In other words, the Polish company appears to be the EU rail node of a wider Zhao-linked crypto-finance network. The open question is whether that network was merely used by fraud operators — or whether parts of it were closer to the victim-fund flows than they now admit. FinTelegram Assessment — Global Klickl Dimension Established Facts Klickl Europe Sp. z o.o. is the entity repeatedly identified in OpenPayd victim-payment files as the recipient of funds swept from named OpenPayd vIBANs. The recurring pattern is clear: victim Payins entered the OpenPayd rail, were transferred out, and were swept to Klickl Europe with the reference “Sweep to Primary Account.” OpenPayd’s GDPR response confirms that the vIBAN structure was linked to Klickl Europe as corporate client and that credited funds became the property of Klickl Europe. Klickl Europe is the EU-facing entity in this structure. Beyond Poland, the Klickl/Zhao network extends into a broader international crypto-finance structure. Klickl’s own disclosures and public materials identify entities and domains outside Poland, including Klickl International Limited in ADGM/UAE and several product domains such as KlicklX, KlicklONE, Klickl Pay, Klickl Custody and the exchange-facing Klickl environment. SEC and C1 Fund materials connect Michael (Xu) Zhao to Klickl, Inc., IDCM, VGPay, Crypto 1 Acquisition Corp, C1 Fund, and Hong Kong blockchain networks. Klickl’s Role in Scam Schemes – Working Hypotheses Working Hypothesis 1 — EU Rail Node: Klickl Europe was used as the EU-facing rail for victim funds collected through OpenPayd vIBANs from German-speaking and other European victims. Working Hypothesis 2 — On-Ramp / Settlement Layer: Klickl Europe acted as a crypto on-ramp, settlement intermediary, or account layer for operators behind KXTRA, fake Peel Hunt / Peelhuntaicore, and possibly other scam frontends. Working Hypothesis 3 — Broader Network Link: The Polish entity was not acting in isolation but as part of a broader Klickl/Zhao ecosystem spanning Poland, ADGM/UAE, Hong Kong-linked crypto networks, and U.S.-linked capital-market vehicles. Working Hypothesis 4 — Control And Knowledge: If Klickl Europe received and controlled the victim funds, the broader Klickl control structure — including Michael/Xu Zhao and the publicly listed management and compliance personnel — should be able to identify the downstream customers, wallets, exchanges, OTC desks, and settlement partners. These hypotheses are not final criminal findings. They are the logical investigative direction created by the documents. FinTelegram Position FinTelegram’s position is that Klickl Europe must not be viewed in isolation. The Polish VASP is the entity appearing in the OpenPayd victim files, but it sits inside a broader international Klickl/Zhao crypto-finance network. The structure looks like this: EU market access: Klickl Europe Sp. z o.o. / Poland / RD WWW-930Payment rail: OpenPayd Malta vIBANs / CFTEMTM1Victim source: German-speaking and European retail investorsScam frontends: KXTRA, fake Peel Hunt / Peelhuntaicore, possibly othersCrypto layer: Klickl on-ramp / settlement / exchange or wallet infrastructureGlobal network layer: Michael/Xu Zhao, Klickl, Inc., IDCM, VGPay, Crypto 1 Acquisition Corp, C1 Fund, ADGM/UAE and Hong Kong-linked structures That is the real compliance and law-enforcement issue: a global crypto-finance network appears to have used a Polish VASP as its EU rail node, while OpenPayd provided the vIBAN infrastructure through which victim funds were collected and swept. If Klickl Europe was merely abused, the broader Klickl group should prove it by disclosing the downstream trail. If the group cannot explain where the money went, regulators should treat the Polish entity not as a standalone Polish VASP problem, but as the EU-facing node of a cross-border crypto-payment network exposed to suspected fraud flows. Whistleblower Call FinTelegram asks victims, Klickl insiders, OpenPayd staff, exchange employees, compliance officers, wallet-tracing firms and law-enforcement sources to contact Whistle42. We need: Klickl onboarding files, OpenPayd/Klickl contracts, wallet addresses, exchange accounts, transaction hashes, SAR/STR records, compliance emails, screenshots from KXTRA or Peelhuntaicore, Klickl platform records, and any information on Xu Zhao, Michael (Xu) Zhao, Ben Huang, Sanne Ke, Dermot Mayes, Alihan Ekesan, IDCM, VGPay, Crypto 1, or C1 Fund. Share Information via Whistle42

FinTelegram’s Malina Casino review exposes a geo-domain payment-rail layer targeting EU players through jurisdiction-specific deposit routes. Austrian and Italian test flows revealed Revolut Open Banking, Perspecteev SAS, RAPID, Finmesh, Skrill, MiFinity, ChainValley-style fake-FIAT crypto conversion, Zentoria, and the newly surfaced mixfind.com payee. The evidence points to a classic offshore casino rail model: the casino brand stays in the front window, while rotating payment facilitators, payees, gateways and open-banking actors move the money underneath. 2-Minute Briefing The strongest evidence is inside the payment flow: Malina Casino deposits from EU players did not resolve to one transparent casino merchant. They surfaced different third-party payees and routing layers — including Zentoria Limited and mixfind.com in Skrill card verification screens, and Perspecteev SAS inside Revolut Open Banking. FinTelegram tested Malina Casino via the geo-domain malinacasino-2836.com, which presented German, English and Italian user flows. The SimilarWeb screenshot reviewed by FinTelegram shows EU traffic concentration for that geo-domain, with Germany as the largest visible traffic source, followed by Czech Republic, Greece, France and Belgium. The cashier offered the familiar offshore casino menu: PlayID, VISA/Mastercard, Pay by Card, Paysafecard, Revolut, Bank Transfer, RAPID, Jetonbank, MiFinity, Neteller/Skrill and crypto deposits. But the real story is not the menu. The real story is what happens after the player clicks. In the Skrill Prepaid Mastercard verification flow, FinTelegram observed pending €20 transactions showing two different payees: “zentoria limited” and “mixfind.com.” Zentoria Limited has already appeared in several FinTelegram illegal casino payment-rail reviews. MixFind is new and significant. Its own website presents it as a payment lookup and statement inquiry portal designed to identify charges, merchant names, contact information and receipts attached to payments; its terms describe the portal as a billing inquiry tool for charges executed by “authorized billing partners,” while stating that MixFind is not a bank or financial institution and does not process payments through the portal. The Revolut rail was also exposed twice. In one path, Malina routed the player through Finmesh / redirect-gate to Revolut Open Banking, where Perspecteev SAS appeared as the authorization party. Perspecteev’s Bridge legal page states that Perspecteev is a French payment institution authorized by the ACPR for payment initiation and account information services. In a second path, the RAPID rail routed Austrian users to a bank-selection page and then to Revolut Open Banking, where the player had to authorize Rapid Transfer. Public information on Malina’s operator and licensing perimeter is inconsistent. Some review sources currently attribute Malina Casino to Stellar Ltd, registered in Anjouan and operating under an Anjouan license, while other casino-review ecosystems have associated Malina or related brands with Rabidi/Liernin or NovaForge-style offshore clusters. CasinoTest24, for example, states that Malina launched in 2024, is operated by Stellar Ltd, and is licensed by the Anjouan Gaming Authority under license number ALSI-202411077-FI2. That does not solve the EU question. An Anjouan license is not permission to target Italy, Austria, Germany or other EU markets. The rail evidence shows EU-facing payment access; the regulatory issue is whether payment institutions, gateways, wallet providers and merchant-layer entities are enabling an offshore casino to collect EU player funds without local authorization. Key Findings Malina uses a geo-domain payment layer.EU players were routed through malinacasino-2836.com, with localized cashier flows for Austria, Italy and other EU-facing language versions. The cashier is jurisdiction-aware.Austrian and Italian players saw different payment availability and different backend handling. This is not a static cashier; it is adaptive payment routing. Skrill exposed Zentoria Limited as payee.In our Skrill Prepaid Mastercard deposit we found “zentoria limited” as the payee. Zentoria has already appeared in multiple FinTelegram casino-rail investigations. Skrill also exposed mixfind.com as payee.A second Skrill Prepaid Mastercard transaction showed mixfind.com as the payee. MixFind is not presented publicly as a casino merchant. Its website describes a charge-identification and billing inquiry portal, making its appearance as a payment payee a major descriptor/payee red flag. MixFind must explain its role.The key question is whether MixFind is a merchant descriptor, billing-support layer, payment facilitator interface, chargeback-reduction tool, merchant-of-record wrapper, or portal connected to another processor. Revolut Open Banking appeared through multiple paths.Malina’s direct Revolut rail and its RAPID rail both reached Revolut Open Banking screens in the tested flows. Perspecteev SAS appeared inside the Revolut rail.The Revolut rail asked the player to authorize Perspecteev SAS. Perspecteev’s Bridge page identifies it as an ACPR-authorized payment institution for payment initiation and account information services. RAPID behaved differently by jurisdiction.For Austrian users, RAPID routed to bank selection and then Revolut Open Banking. For Italian users, RAPID was unavailable and the player was pushed toward Skrill Wallet, with MHSL shown as recipient. MiFinity showed CME as recipient.The MiFinity deposit screen displayed CME as payee. CME must explain whether it is merchant, processor, wallet recipient, or descriptor-layer entity. Paysafecard and Neteller labels concealed alternative backend rails in Italy.For Italian players, FinTelegram again observed the ChainValley-style fake-FIAT pattern: a familiar FIAT/wallet label at the cashier, but a backend flow that appears to involve crypto purchase and transfer to the casino environment. Zentoria remains a recurring casino payee.The Malina evidence reinforces Zentoria Limited as a recurring payee or merchant-layer participant in offshore casino flows. The operator story remains fragmented.Current public review sources point to Stellar Ltd and Anjouan licensing, while the broader Malina/Rabidi/NovaForge ecosystem remains inconsistent across casino-review databases. Fragmented operator history is a regulatory red flag, not an answer. Key Data Table Entity / DomainRoleJurisdictionEvidenceRed FlagMalina Casino / malinacasino-2836.comEU-facing casino geo-domainOffshore / unclearFinTelegram test access; screenshots; SimilarWeb screenshotEU player acquisition through geo-domain layerStellar LtdPublicly cited current operatorAnjouan / ComorosCasinoTest24 attributes Malina to Stellar Ltd and Anjouan license ALSI-202411077-FI2Offshore license does not equal EU market authorizationZentoria LimitedSkrill/card payee; recurring casino payeeIrelandSkrill verification screenshot: “zentoria limited: EUR 20,00”Already observed in several illegal/offshore casino payment flowsmixfind.com / MixFindSkrill/card payee or descriptor-support layerNot clearly disclosed on siteSkrill verification screenshot: “mixfind.com: EUR 20,00”; MixFind site describes charge lookup and billing inquiryNew opaque payee; public site does not present normal casino merchant rolepayment-gateway.ioCard gatewayUnknownFinTelegram VISA/Mastercard test findingOpaque payment-gateway layerFinmesh.net / DirectPayPayment-link / redirect-gateway layerUnknownPayment screenshot; Malina deposit flow; expired-link error page; source title “DirectPay”; production app configOperator not disclosed; session-based routing; sits between casino cashier and bank/open-banking railsredirect-gate.netRedirect layerUnknownFinTelegram test findingObscures first-hop routingPerspecteev SAS / Bridgehttps://www.bridgeapi.io/Open Banking / PISP layerFranceRevolut authorization screen; Bridge legal page confirms ACPR payment institution statusRegulated open-banking firm appears in casino funding flowRevolut(Open Banking – OBA)ASPSP/API access layerUK/EU groupRevolut authorization screenshotsReached via multiple Malina railsRAPID Transfer /RAPIDPayment method / routing layerUnknownAustrian flow reaches bank selection and Revolut OBA; Italian flow falls back to SkrillSame label produces different jurisdictional outcomesSkrill / MHSLWallet fallback / recipientUnknownItalian RAPID screenshot shows MHSL as recipientRecipient mismatch; requires merchant-role explanationMiFinity / CMEE-wallet rail / recipientUnknownMiFinity screenshot: “Deposita su CME”Recipient is not Malina; merchant role unclearChainValleyhttps://app.chainvalley.proCrypto conversion layerPolandFinTelegram review finding in Italian Paysafecard/Neteller flowsFake-FIAT deposit patternPaysafecard / Neteller labelsFront-end cashier labelsEU/UK wallet brandsDisplayed in cashier; backend differs by jurisdictionLabel does not necessarily describe real backend flowJetonbankWallet railUK/otherAvailable in both country cashiersHigh-risk casino funding rail Rail Map A. Skrill / Card Verification Rail Player → Malina Casino Cashier → Pay by Card / Card Deposit → Skrill Prepaid Mastercard verification → Payee shown as “zentoria limited” or “mixfind.com” → Casino funding layer Assessment: This is one of the strongest evidence blocks. The player is funding Malina Casino, but the Skrill verification screen shows third-party payees. Zentoria Limited fits an already observed offshore casino payment pattern. MixFind is new and more problematic: its own website presents a payment lookup and statement support portal, while the Skrill verification screen shows it as the payee in a casino deposit transaction. Read our reports on Zentoria here. B. Direct Card Rail Player → Malina Cashier → VISA/Mastercard → payment-gateway.io → Zentoria Limited / other payee layer → Casino funding layer Assessment: The card rail exposes a payee layer separate from the casino brand. Zentoria Limited must explain whether it acts as merchant of record, payment agent, processing counterparty, descriptor holder, or settlement intermediary. C. Revolut / Perspecteev Rail Player → Malina Cashier → Revolut option → Finmesh / redirect-gate → Revolut Open Banking → Perspecteev SAS authorization → Payment initiation → Casino funding layer Assessment: This is a regulated open-banking choke point. Perspecteev is not an anonymous shell; it is a French payment institution authorized for payment initiation and account information services. Its appearance in a Malina Casino deposit path creates immediate merchant-onboarding and transaction-monitoring questions. Finmesh.net appears to operate as a production payment-link or redirect layer under the application title “DirectPay.” A tested link expired into a “Link not available” page, consistent with session-based payment routing. The source code uses Sentry monitoring, but does not disclose the legal operator, merchant, acquirer, PSP, or payment facilitator behind the gateway. D. RAPID Rail — Austria Player → Malina Cashier → RAPID → payment.onlinebanktransfer.com → Austrian bank selection → Revolut → Revolut Open Banking → Authorize Rapid Transfer → Payment initiation Assessment: RAPID is not merely a brand label. It functions as a routing layer that can still reach Revolut Open Banking. The same Revolut endpoint is therefore accessible both through the cashier’s Revolut button and through the RAPID path. E. RAPID Rail — Italy Player → Malina Cashier → RAPID → Skrill page → “Rapid Transfer non è disponibile” → Skrill Wallet fallback → Recipient: MHSL Assessment: When RAPID is unavailable for Italian users, the system does not stop the payment attempt. It offers an alternative wallet route and displays MHSL as recipient. That is adaptive payment routing, not transparent cashier design. F. MiFinity Rail Player → Malina Cashier → MiFinity → MiFinity payment screen → Recipient: CME → Casino funding layer Assessment: MiFinity’s screen shows CME, not Malina, as the deposit recipient. CME must be identified and mapped against PSP, merchant and settlement records. G. Fake-FIAT Crypto Rail Italian player → Paysafecard / Neteller label → ChainValley-style crypto purchase → crypto transfer to casino environment Assessment: This is the now-standard fake-FIAT casino deposit pattern. The player sees a familiar payment label, but the backend appears to execute a crypto conversion. The label suggests a FIAT wallet/card rail; the underlying economics point to crypto funding. FinTelegram Assessment Established Facts Malina Casino was accessible through the reviewed geo-domain malinacasino-2836.com and displayed EU-facing cashier options, including PlayID, VISA/Mastercard, Pay by Card, Paysafecard, Revolut, Bank Transfer, RAPID, Jetonbank, MiFinity, Neteller/Skrill and USDT ERC20. Austrian and Italian player flows differed. Austrian players saw Bank Transfer and RAPID routes that led into bank-selection and Revolut Open Banking flows. Italian players saw different fallback behavior, including Skrill Wallet routing and crypto-conversion patterns behind wallet labels. The Skrill app screenshots show pending Skrill Prepaid Mastercard transactions connected to the Malina deposit review. One displays “zentoria limited: EUR 20,00.” Another displays “mixfind.com: EUR 20,00.” MixFind’s public website states that users who do not recognize a transaction can enter details to retrieve merchant and order information attached to a payment. It also describes itself as a “Payment Support Portal.” MixFind’s terms describe the portal as a billing inquiry tool for statement descriptors, debits and credit card charges executed by “authorized billing partners,” while stating that MixFind is not a bank, credit union or financial institution and does not process payments through the portal. The Revolut authorization screenshots show two separate authorization parties in different paths: Perspecteev SAS and Rapid Transfer. Perspecteev’s Bridge legal page states that Perspecteev SAS is registered in Paris and authorized by the ACPR as a payment institution for payment initiation and account information services. The MiFinity screenshot shows a €50 transaction with CME as the recipient. The Skrill/RAPID screenshot for Italy shows MHSL as recipient and tells the player that RAPID is unavailable, recommending payment through Skrill Wallet. The SimilarWeb screenshot reviewed by FinTelegram shows EU traffic to the geo-domain, including Germany, Czech Republic, Greece, France and Belgium. Strong Inferences The evidence points to jurisdiction-aware payment routing. Malina’s cashier is not a neutral list of payment options. It adapts the available rail and backend payment counterparty depending on where the player is located. The evidence points to merchant/payee opacity. The player-facing casino brand is Malina, but the payment verification layers show Zentoria Limited, mixfind.com, MHSL and CME. The evidence points to regulated infrastructure being used as access rails into offshore casino funding flows. Perspecteev and Revolut are not the casino operator, but their infrastructure appears in tested funding chains. The evidence points to Zentoria Limited as a recurring casino payment participant. Its appearance in Malina is not isolated; it fits a broader FinTelegram evidence pattern across illegal/offshore casino schemes. The appearance of mixfind.com as a payee is a high-value red flag. MixFind’s public-facing function is charge identification and billing inquiry, yet it appears as the named payee in a Skrill Prepaid Mastercard verification screen connected to a casino deposit. Working Hypotheses Working Hypothesis 1: Malina Casino is part of a broader offshore casino operator/payment ecosystem where the public operator name, payee layer, merchant descriptor and settlement path can differ from one another. Working Hypothesis 2: Zentoria Limited functions as a recurring merchant-layer or payee-layer participant in multiple offshore casino flows, including Malina. Working Hypothesis 3: MixFind is connected to a billing partner or descriptor-management layer used to reduce chargeback friction, identify card charges, or route payment-support inquiries for high-risk merchants. Working Hypothesis 4: ChainValley-style crypto conversion is being used when certain named payment rails are unavailable, blocked, risky or unsuitable in specific EU jurisdictions. Working Hypothesis 5: Finmesh, redirect-gate and payment.onlinebanktransfer.com function as routing layers that allow Malina’s cashier to access regulated endpoints without presenting the full chain to the player. Open Questions Who is the current legal operator of Malina Casino for EU-facing players? Which entity owns or controls malinacasino-2836.com? What is the contractual relationship between Malina Casino, Stellar Ltd, Zentoria Limited, MixFind, Finmesh, RAPID, Perspecteev, ChainValley, MiFinity, Skrill, payment-gateway.io and redirect-gate? Why does mixfind.com appear as a payee in a Skrill Prepaid Mastercard verification screen for a Malina Casino deposit? What is MixFind’s legal entity, jurisdiction, ownership and acquiring/PSP relationship? Which “authorized billing partner” is connected to the MixFind transaction shown in the Skrill app? Is MixFind a merchant descriptor, billing-support portal, payment facilitator interface, chargeback-reduction tool, merchant-of-record wrapper, or front-end for another payment processor? Did Skrill classify the zentoria limited and mixfind.com transactions as gambling, gaming, digital services, payment support, crypto purchase or generic e-commerce? What MCC was assigned to the Skrill Prepaid Mastercard transactions? Did Perspecteev onboard a direct merchant, payment facilitator, technical gateway or another intermediary that ultimately served the Malina flow? Did Revolut classify these flows as gambling, wallet funding, payment initiation, crypto purchase or generic transfer? What exactly are MHSL and CME in these flows? Were Italian and Austrian players properly informed that certain “FIAT” deposit labels may execute crypto purchases or route funds through third-party payees unrelated to Malina Casino? Conclusion Malina Casino is not just an offshore casino brand. It is a payment-rail case. The screenshots show the model in action: the casino sits in front, the geo-domain adapts the flow, and the player is pushed through whichever payment rail still works in that jurisdiction. The new Skrill evidence makes the case sharper. Zentoria Limited appears again as a casino payment payee. mixfind.com appears as a new payee, despite presenting itself publicly as a payment lookup and billing inquiry portal. Add Revolut Open Banking, Perspecteev SAS, RAPID, Finmesh, MiFinity/CME, Skrill/MHSL and ChainValley-style fake-FIAT conversion, and the picture is clear. Malina Casino shows the offshore casino payment model: offshore license on the front, EU payment infrastructure underneath, rotating payees in the middle, and the player left guessing who actually took the money. 8. Whistleblower Call FinTelegram is seeking documents from players, insiders, PSP staff, open-banking providers, wallet operators, acquirers, compliance officers and former employees with knowledge of Malina Casino and its payment rails. Victims and insiders can contact FinTelegram securely through Whistle42. Share Information via Whistle42

FinTelegram has received a new player complaint involving alleged illegal casino deposits processed through opaque merchant descriptors and regulated payment infrastructure. The complainant claims that payments connected to online casinos including Malina Casino and Wazbee Casino were routed through payment processors including Smartflow Payments/SENDS, xpate Ltd and Finthesis Ltd/PAIO. The case is not an insider leak. It is a player-side payment complaint — but one with transaction-level documentation: ARN numbers, dates, amounts, descriptors, screenshots of processor correspondence, and partial refund evidence. The player alleges that the disputed transactions were casino deposits disguised as non-gambling merchant payments, including alleged classification under MCC 7372 rather than gambling-related merchant categories. FinTelegram has not yet independently verified the MCC coding from raw card-network records. However, the submitted material raises serious red flags around merchant transparency, acquiring-chain accountability and payment-processor monitoring. The Complaint According to the complainant, 42 transactions were processed between October and December 2025 through a network of obscure merchant descriptors. The alleged casino brands named by the complainant are: Malina Casino Wazbee Casino The complainant says the casinos did not respond to his refund requests and that he therefore escalated the matter to the payment processors and acquiring-chain entities identified in the transaction records. The core allegation: illegal casino deposits were allegedly routed through non-transparent merchant descriptors and misclassified as non-gambling activity. The Payment Processors Named The complaint names the following entities: EntityRole alleged by complainantStatus in evidence reviewedSmartflow Payments Ltd / SENDShttps://sends.co/Processor/acquirer chain for INNTCIT and CL2SK transactionsTransaction list shows 13 transactions totaling €2,000; three INNTCIT transactions marked refunded.xpate Ltd /XPATEhttps://xpate.com/Processor/acquirer chain for multiple opaque descriptorsTransaction list shows 13 transactions totaling €1,306 involving vercs2, calcal, jusdot5, tokdom, jusski6 and paypay.Finthesis Ltd / PAIOhttps://paio.company/Alleged processor/acquirer for SKINMODE and CYBGEU flowsReferenced in screenshots and complaint; further clean transaction data requested.Helaba / HELADEFFhttps://www.helaba.com/German banking / a receiving-side or settlement-side banking referenceAnnex repeatedly references HELADEFF and a German IBAN beginning DE97 5005.Libergos LimitedCyprus-based payment agent in the HELADEFF / German IBAN routing environmentCyprus casino-sector entity, publicly linked to Hollycorn N.V.-related casino operations and previously warned by ACMA for prohibited interactive gambling services. The Merchant Descriptor Map The submitted material does not show transparent casino merchant names on the payment records. Instead, it shows a series of obscure descriptors. DescriptorProcessor / acquirer indicatedCurrent assessmentINNTCITSmartflow Payments / SENDSThe UK corporate register shows Instantonit Limited registered with SIC code 62020 — IT consultancy activities (https://instantonit.com)CL2SKSmartflow Payments / SENDSHigh-priority descriptor. Repeated across Annex and Smartflow list.vercs2xpate LtdOpaque descriptor; UK Companies House record shows VERIDRA LTD with SIC codes for data processing, web portals, and other information services.calcalxpate Ltd / AnnexOpaque descriptor; needs merchant-of-record confirmation.jusdot5xpate Ltd / AnnexOpaque descriptor; needs acquirer clarification.tokdomxpate LtdOpaque descriptor; needs acquirer clarification.jusski6xpate Ltd / AnnexOpaque descriptor; needs acquirer clarification.paypayxpate LtdOpaque descriptor; requires clarification.SKINMODEFinthesis / PAIO allegedRequires clean ARN-level confirmation.CYBGEUFinthesis / PAIO allegedRequires clean ARN-level confirmation. The pattern is familiar: short, non-branded, non-consumer-facing descriptors; repeated round-number payments; obscure addresses; and PSPs distancing themselves from the underlying merchant. FinTelegram was not yet able to verify the legal merchant-of-record behind all descriptors. However, several descriptors resolve to opaque UK address clusters or match public player complaints about gambling-related card payments. These findings require clarification from Smartflow/SENDS, xpate, Finthesis/PAIO and the acquiring banks. SENDS: The Refund Question A Smartflow/SENDS transaction list seen by FinTelegram shows 13 transactions. Three INNTCIT transactions are marked as refunded. That does not prove guilt. But it raises a sharp question: If SENDS could process refunds for part of this flow, why did the remaining disputed transactions become a “contact the merchant” problem? FinTelegram will ask SENDS to explain: who the legal merchant of record was behind INNTCIT and CL2SK; why the INNTCIT transactions were refunded; what MCC was applied; whether 3DS/SCA was triggered; whether these payments were connected to Malina Casino, Wazbee Casino, or related operators. xpate: “Technology Provider” Is Not the End of the Story The complainant provided correspondence in which xpate reportedly stated that it is a payment processing technology provider and not the direct provider of goods or services. That answer may be contractually convenient. It is not sufficient. If xpate appears in the acquiring or processing chain, then the relevant questions remain: Who was onboarded? Who was monitored? Who approved the merchants? Who saw the descriptors? Who carried the risk? The xpate transaction list shows 13 transactions totaling €1,306 across multiple opaque descriptors. xpate’s own prohibited-activities document, submitted by the complainant, lists categories including offshore structures, unclear UBOs, unlicensed gambling, high-risk financials and unacceptable reputational-risk merchants. That makes the case obvious: xpate should explain how these descriptors passed its merchant-control framework. The MCC 7372 Allegation The palyer alleges that the casino-related payments were misclassified under MCC 7372, typically associated with computer programming / data processing / IT services, rather than a gambling-related category. This allegation is serious. It goes to the heart of transaction laundering: payments for one activity allegedly being processed as another. FinTelegram has not yet independently verified the MCC from raw card-network or issuer records. We therefore treat the MCC 7372 point as an allegation requiring confirmation. But the question is legitimate: Were gambling deposits processed under non-gambling merchant categories? If yes, this would raise major issues for acquiring banks, payment processors, card schemes and regulators. The German Settlement Layer The Annex repeatedly references HELADEFF and a German IBAN beginning DE97 5005, suggesting a German banking or settlement layer in the payment chain. FinTelegram makes no allegation that Helaba knowingly processed illegal casino payments. But where German banking infrastructure appears in a payment-rail complaint involving alleged illegal gambling, the institution should clarify the nature of the account relationship: settlement account, PSP account, acquiring account, correspondent function — or something else? FinTelegram Assessment This is not yet a final proof file. It is a credible player complaint with transaction-level evidence. The complaint shows: multiple payment processors; obscure merchant descriptors; ARN-level transaction records; alleged casino connection; partial refunds; possible MCC misclassification; repeated refusal or deflection by involved payment entities. The case fits a broader pattern FinTelegram has documented for years: offshore or illegal casino operators using payment intermediaries and opaque merchant descriptors to access card and banking rails while hiding the true gambling purpose from banks, issuers and players. Questions To SENDS, xpate, PAIO and the Casinos FinTelegram invites the named entities to answer: Were the disputed transactions connected to Malina Casino, Wazbee Casino, or related gambling operators? Who were the legal merchants of record behind INNTCIT, CL2SK, vercs2, calcal, SKINMODE and CYBGEU? Which MCCs were used? Was MCC 7372 used for any of the payments? Were 3DS and Strong Customer Authentication applied? Why were some SENDS-linked transactions refunded while others were not? Which regulated institution held the settlement account referenced by the German IBAN/HELADEFF records? Were suspicious activity reports or internal AML escalations filed? Call for Information FinTelegram is looking for further information from: players who deposited into Malina Casino or Wazbee Casino; players who see descriptors such as INNTCIT, CL2SK, vercs2, calcal, SKINMODE, CYBGEU, jusdot5, tokdom, jusski6 or paypay on bank/card statements; insiders at SENDS, Smartflow Payments, xpate, PAIO/Finthesis, acquiring banks, ISOs, payment facilitators or casino cashier providers; compliance officers with knowledge of MCC 7372 use in gambling flows. Submit information securely via the FinTelegram whistleblower platform. Player losses are one thing. Payment laundering is another. If regulated payment firms helped illegal casinos disguise deposits as IT services or other non-gambling transactions, this is not a private dispute — it is a regulatory matter. Share Information via Whistle42

FinTelegram has reviewed a new batch of OpenPayd payment summaries gathered by victims of fake investment schemes. The pattern is brutal and consistent: victim deposits hit OpenPayd vIBANs and are immediately transferred to Klickl Europe Sp. z o.o. with the reference “Sweep to Primary Account.” In the readable files reviewed, hundred of thousands of Euros flowed through this OpenPayd–Klickl rail. This is no longer a single-victim case. It is a payment machine. 2-Minute Briefing FinTelegram has reviewed a new batch of OpenPayd payment summaries received by victims after GDPR/DSAR requests. The documents show a repeated payment pattern: Payin from victim → immediate Transfer → Klickl Europe → “Sweep to Primary Account.” FinTelegram analyzed the batch of victim payment files. The payment summaries show that each victim payment to OpenPayd was transferred to KLICKL EUROPE SP.z.o.o., BIC CFTEMTM1, receiver account MT82CFTE28004000000000004379006. This confirms the core FinTelegram finding: OpenPayd provided the vIBAN collection infrastructure; Klickl Europe received the swept victim funds. OpenPayd’s own GDPR response to the victims confirmed the architecture. It states that OpenPayd provides services to corporate clients only, identifies Klickl Europe as the relevant client, explains that the IBAN was a named virtual IBAN linked to Klickl Europe’s payment account, and states that funds credited to that account became the property of Klickl Europe. The new batch of victim files makes the case bigger. The pattern is no longer limited to KXTRA or one Peel Hunt / Peelhuntaicore victim. It points to a scalable fraud rail used against mainly German-speaking victims. The legitimate Peel Hunt has publicly warned that it does not use WhatsApp, downloadable apps or social media channels for regulated investment activity and says apps and WhatsApp channels using its name are not associated with the firm. OCCRP’s Scam Empire reporting described how large investment-scam networks rely on payment providers and accounts to collect victim money. FinTelegram’s new OpenPayd/Klickl evidence fits that model. Key Findings The new files show a systematic payment pattern.Victim Payins into OpenPayd vIBANs were immediately matched by outgoing transfers to Klickl Europe with the reference “Sweep to Primary Account.” The same Klickl account appears repeatedly.The receiver account in the readable files is consistently MT82CFTE28004000000000004379006, BIC CFTEMTM1, receiver Klickl Europe Sp. z o.o. The current verified batch already exceeds €665,000.FinTelegram’s conservative review of readable Excel files plus two PDF summaries shows at least €665,733.74 in victim-fund flows through this rail. The victims are predominantly German-speaking.In the readable Excel files, sender accounts are mainly German IBANs, with additional Austrian accounts. This aligns with the Peel Hunt / Peelhuntaicore and KXTRA victim pattern. OpenPayd’s GDPR response confirms the structure.OpenPayd says the vIBANs are generated as reconciliation tools for corporate clients and that the relevant account belonged to Klickl Europe. It also says funds credited to that account became Klickl Europe’s property. Klickl Europe is not a random payee.Klickl discloses that Klickl Europe is incorporated in Poland under KRS 0001053580 and registered under Polish virtual-asset registration RD WWW-930 for exchange, brokerage and virtual-asset account activities. This is a fraud-rail issue, not a paperwork issue.If multiple scam frontends routed victims through OpenPayd vIBANs into Klickl Europe, regulators should treat this as a suspected payment-enabled investment-fraud network. Read our OpenPayd reports here. Key Data Table Entity / MechanismRoleJurisdictionEvidenceRed FlagOpenPayd Financial Services MaltavIBAN infrastructure / payment facilitatorwww.openpayd.comMaltaGDPR response; payment summaries; BIC CFTEMTM1Victim deposits routed through OpenPayd infrastructureNamed OpenPayd vIBANsVictim-facing deposit identifiersMalta railOpenPayd says vIBANs are reconciliation tools linked to corporate clientsCreates personal-account appearance while funding corporate accountKlickl Europe Sp. z o.o.Sweep recipient / corporate account holderPolandRepeated receiver in summaries; OpenPayd GDPR responseCentral recipient of victim fundsReceiver accountKlickl Europe accountMalta IBAN railMT82CFTE28004000000000004379006Same account across multiple victimsReferenceTransfer logicOpenPayd system“Sweep to Primary Account”Direct internal sweep patternScam frontendsKXTRA, fake Peel Hunt / Peelhuntaicore, possibly moreUnknown operatorsVictim files and Peel Hunt warningMultiple brands, same suspected rail Rail Map Victim bank account → OpenPayd named vIBAN → immediate transfer / “Sweep to Primary Account” → Klickl Europe corporate payment account → crypto/on-ramp or settlement layer → unknown scam operators Known scam frontends so far: KXTRA / KKR Global Investment → OpenPayd vIBAN → Klickl Europe Fake Peel Hunt / Peelhuntaicore → OpenPayd vIBAN → Klickl Europe Working hypothesis: Additional fake investment brands → same OpenPayd/Klickl rail FinTelegram Assessment Established Facts OpenPayd’s GDPR response confirms that the relevant vIBAN was linked to Klickl Europe’s payment account and that funds credited to it became Klickl Europe’s property. The Humer payment summary confirms Payins totaling €100,500 followed by transfers to Klickl Europe with the reference “Sweep to Primary Account.” The newly reviewed Excel summaries show the same pattern across multiple additional victims. Strong Inferences The evidence points to a structured victim-fund collection rail. OpenPayd provided the vIBAN infrastructure. Klickl Europe received the funds. The same receiver account and same sweep reference appear repeatedly. That is not random payment noise. Working Hypotheses Klickl Europe may have acted as an on-ramp or settlement layer for the operators behind KXTRA, Peelhuntaicore and related scam brands. A stronger hypothesis is that Klickl Europe may have been closer to the fraud operation than a passive processor. That remains to be proven. Open Questions Who was Klickl’s customer behind these flows? Were funds converted into crypto? Which wallets, exchanges or OTC desks received the money next? Did OpenPayd and Klickl file SARs/STRs? When did OpenPayd detect the pattern? Why was the rail not stopped earlier? Whistleblower / Victim Call FinTelegram is collecting: OpenPayd GDPR responses, OpenPayd “Summary of payments” Excel files, vIBANs, sender bank receipts, app screenshots, WhatsApp chats, fake Peel Hunt / Peelhuntaicore materials, KXTRA screenshots, wallet addresses, transaction hashes, Klickl responses, police reports, and regulator complaints. Victims should send files directly via Whistle42. If one victim collects files for others, written consent should be obtained. Share Information via Whistle42

FinTelegram has received another victim report involving a OpenPayd vIBAN, BIC CFTEMTM1, and crypto transfers into a suspected fake trading platform. The case differs from the OpenPayd/Klickl Europe files but confirms the same broader pattern: modern investment and romance scams depend on regulated or semi-regulated fiat-to-crypto payment rails. OpenPayd once again appears in the victim narrative as the payment facilitator. 2-Minute Briefing FinTelegram has received another victim report placing an OpenPayd Malta IBAN directly inside the payment path of a crypto-investment scam. This is not just another romance-scam story. It is another case where scam operators appear to have used OpenPayd’s fiat-entry infrastructure to move victim money into crypto. The victim was contacted through the dating app Bloom by a person using the name “Allen Wilson.” He allegedly posed as an experienced forex trader, groomed her via WhatsApp, sent step-by-step screenshots, pushed her into crypto trading, instructed her to use Crypto.com, guided her to create a Trust Wallet, and directed funds onward to the suspected fake trading platform Ubsdfx.com. The reported loss is approximately €60,000, including borrowed funds, between 29 April 2025 and early June 2025. According to the victim, Austrian police conducted blockchain analysis and found that the money was distributed across multiple crypto exchanges and wallets. A screenshot provided to FinTelegram shows a Crypto.com Cash Account deposit instruction using an OpenPayd Malta IBAN beginning MT58 CFTE…, with BIC/SWIFT CFTEMTM1. This is not an anonymous offshore bank detail. It is OpenPayd Malta’s payment infrastructure appearing in the victim’s fiat-to-crypto deposit path. The Payment Rail Victim → OpenPayd Malta IBAN / CFTEMTM1 → Crypto.com Cash Account → Trust Wallet → Ubsdfx.com → downstream wallets and exchanges It is an OpenPayd rail case. Once again, OpenPayd infrastructure appears where victim money enters the crypto ecosystem. Read our OpenPayd report on the KXTRA and Peel Hunt scam. That is the central issue. Crypto scams are not powered only by fake dating profiles, WhatsApp scripts, fake trading dashboards, and blocked withdrawals. They need fiat-entry rails. They need IBANs. They need crypto-exchange funding routes. They need infrastructure that turns a victim’s bank transfer into movable crypto. This case fits the pattern described by OCCRP’s Scam Empire reporting and reinforces FinTelegram’s previous coverage of OpenPayd and the corporate ecosystem of its founder Ozan Özerk. The question is no longer whether scammers use fake platforms. The question is why OpenPayd IBANs keep appearing in scam payment paths. OpenPayd must explain how its Malta IBAN infrastructure was used in this case, what transaction-monitoring alerts were triggered, whether suspicious activity reports were filed, and how many similar crypto-scam complaints involve CFTEMTM1. The fake romance profile was the bait.The WhatsApp instructions were the script.The OpenPayd IBAN was the fiat-entry rail.Crypto.com and Trust Wallet became the bridge.Ubsdfx.com was the fraud theatre. Read our reports on Ozan Ozerk here. What The Screenshot Shows The uploaded screenshot appears to show a Crypto.com EUR deposit instruction. The visible fields include: FieldVisible InformationAccount holderVictim’s nameIBANMT58 CFTE 2800 4000 0000 0000 45 31340 (OpenPayd)BIC/SWIFTCFTEMTM1Bank addressLevel 3, 137 Spinola Road, St Julian’s, MaltaBank countryMTPurposeEUR deposits into Crypto.com Cash Account via SEPA The wording is important. The screenshot of the payment page says: “Please use the information below to transfer EUR deposits into your Crypto.com Cash Account directly through your bank via SEPA.” That suggests the victim was instructed to deposit fiat into a crypto-exchange cash account using a Maltese named IBAN. The next steps, according to the victim, were Crypto.com → Trust Wallet → Ubsdfx.com. What Is A vIBAN? A virtual IBAN, or vIBAN, is a payment identifier that looks like a standard IBAN but is not necessarily a standalone bank account. In a legitimate exchange setup, the vIBAN allows the payment provider or exchange to identify which customer made a deposit. The payer sees an IBAN assigned in their name, but the money is technically routed through a payment institution or master-account structure and then reconciled internally. In the prior OpenPayd/Klickl Europe files, OpenPayd itself explained this model: a named virtual IBAN is a digital identifier linked to a main corporate account and used for reconciliation; it is not a standalone account. OpenPayd also stated in that GDPR response that the relevant vIBAN was linked to Klickl Europe’s corporate payment account. In the present case, the screenshot does not show Klickl Europe. It appears to show a Crypto.com deposit rail using a Malta CFTE IBAN. The fraud risk is still clear: scammers can instruct victims to fund a real crypto-exchange account and then manipulate them into sending crypto onward to Trust Wallet or scam-controlled wallets. This is the vIBAN-to-crypto trap: Personal-looking IBAN → crypto exchange funding → self-custody wallet → fake trading platform → stolen funds Key Data Table CategoryDetailsCase typeRomance / pig-butchering crypto-investment scamInitial contactOnline dating app BloomAlleged scammer identity“Allen Wilson,” allegedly AmericanGrooming channelWhatsApp, with screenshot-based instructionsFraud narrativeForex / crypto trading with high-profit promisePayment rail shownMalta-based IBAN beginning MT58 CFTE…BIC/SWIFTCFTEMTM1Deposit contextCrypto.com Cash Account / SEPA EUR depositCrypto exchange layerCrypto.comWallet layerTrust WalletScam destinationUbsdfx.comReported lossApproximately €60,000Timeframe29 April 2025 to approximately 4 June 2025Law enforcementAustrian police complaint filedBlockchain tracingVictim says police analysis found funds distributed across multiple exchanges/walletsOpenPayd relevanceVictim states she was guided to an OpenPayd bank account in Malta; screenshot shows CFTE Malta vIBAN/BIC structure consistent with OpenPayd-style railsKlickl relevanceNo evidence in this file so far; should not be presented as a Klickl caseRisk classificationHigh-risk vIBAN-enabled crypto scam rail Payment Rail Table LayerEntity / ToolApparent FunctionRisk PointVictim acquisitionBloom dating appRomance-scam entry pointSocial engineering and emotional dependencyFraud grooming“Allen Wilson” / WhatsAppStep-by-step crypto instructionsVictim controlled through screenshots and trust manipulationFiat entryOpenPayd Malta SEPA deposit into crypto-exchange cash accountPersonal-looking IBAN can create false confidenceCrypto exchangeCrypto.comFiat-to-crypto entry pointLegitimate exchange infrastructure used as entry railWallet layerTrust WalletSelf-custody wallet created under scammer guidanceOnce funds leave exchange, recovery becomes harderScam platformUbsdfx.comFake trading / forex-crypto platformNo withdrawal; funds allegedly dispersedDownstream launderingMultiple exchanges / walletsFragmentation of crypto proceedsPolice blockchain analysis reportedly found wide distribution FinTelegram Assessment This case should be treated as a related vIBAN-enabled crypto scam rail, not as a Klickl Europe case. The difference matters: In the KXTRA and Peel Hunt / Peelhuntaicore files, OpenPayd/Klickl evidence indicates that funds were linked to Klickl Europe’s corporate payment account. In the present Ubsdfx.com case, the screenshot points to Crypto.com funding through an OpenPayd Malta IBAN, followed by Trust Wallet and onward scam routing. But the common pattern is obvious: scammers exploit payment and crypto infrastructure that appears legitimate to victims. The fraudsters do not need to operate the payment institution or the exchange. They need to weaponize the rails. That is why OpenPayd remains relevant. FinTelegram has repeatedly reported on OpenPayd’s role in high-risk payment flows, and OCCRP’s Scam Empire investigation documented how global scam networks depend on payment providers, bank accounts, and intermediaries to collect and move victim funds. OCCRP reported that leaked data showed fraud payments running through dozens of companies, including two owned by Özerk, while noting there was no evidence those companies knew the payments derived from fraud. This new case again raises the same core questions: How are fraud victims being instructed into Malta-based vIBAN rails? What monitoring is performed when large retail deposits enter crypto-exchange cash accounts? When victims report fraud, are funds frozen fast enough? Are payment facilitators and crypto exchanges preserving complete transaction trails for victims and law enforcement? How often does the same CFTE/OpenPayd-style infrastructure appear in crypto fraud cases? Conclusion This new case adds another layer to FinTelegram’s OpenPayd and vIBAN investigation. It is not currently a Klickl Europe case. It is a Crypto.com / Trust Wallet / Ubsdfx.com crypto-scam case using a Malta CFTE vIBAN-style fiat entry rail. But the bigger pattern is the same. Fake profiles lure victims.WhatsApp scripts guide them.vIBANs bring fiat into crypto.Trust Wallet moves funds out.Fake platforms show profits.Withdrawals never happen.The money disappears across wallets and exchanges. OCCRP called it the Scam Empire. FinTelegram is following the rails. And once again, OpenPayd-style infrastructure appears in the victim’s payment path. Share Information If you have any information about OpenPayd or its activities, please let us know. If you have been a victim of a scam and lost money to scammers via OpenPayd, please share this information with us. To do so, please use our Whistle42 whistleblower system. Share Information via Whistle42

FinTelegram’s investigation has moved beyond the KXTRA investment scam. A new OpenPayd GDPR response confirms that victim deposits were routed through named virtual IBANs linked to Klickl Europe’s corporate account. One victim file concerns KXTRA / KKR Global Investment; another concerns fake Peel Hunt / Peelhuntaicore. Different scam brands, same suspected rail: OpenPayd vIBAN infrastructure feeding Klickl Europe. 2-Minute Briefing FinTelegram’s OpenPayd–Klickl investigation has materially expanded. We are no longer looking only at the KXTRA / KKR Global Investment scam. New victim communication and OpenPayd GDPR material show that the same OpenPayd/Klickl Europe payment architecture also appears in a fake Peel Hunt / Peelhuntaicore investment scam. This changes the case. A single scam frontend can be dismissed by payment processors as “merchant abuse.” Multiple fake investment frontends using the same underlying payment structure point to something more serious: a repeatable fraud-collection rail. OpenPayd’s GDPR response confirms the mechanics. OpenPayd states that it provides services only to corporate clients, not individuals, and identifies Klickl Europe as the relevant corporate client. It says the victim-facing IBAN was not a standard IBAN, but a named virtual IBAN linked to Klickl Europe’s corporate payment account. It further states that funds sent to that vIBAN were received into Klickl Europe’s corporate payment account and, once credited, became the property of Klickl Europe. That confirms the core FinTelegram thesis: OpenPayd provided the vIBAN collection infrastructure; Klickl Europe was the corporate account holder and recipient of the victim funds. The new case is not KXTRA. The victim’s correspondence to OpenPayd was explicitly titled “Fraud via Peel Hunt / Peelhuntaicore.” In that message, she told OpenPayd that she had become a victim of investment fraud and demanded the return of the transfers. That aligns with Peel Hunt’s own public fraud warning. The legitimate Peel Hunt states that it does not use WhatsApp, LinkedIn, downloadable applications or social-media channels for regulated investment activities, and it specifically identifies PEELHUNTAICORE as an app not associated with Peel Hunt. The picture is now clearer: KXTRA / KKR Global Investment appears to be one fake investment frontend. Peel Hunt / Peelhuntaicore appears to be another. OpenPayd → Klickl Europe appears to be the common payment rail. What OpenPayd Confirmed OpenPayd’s GDPR response is the strongest document so far because it confirms the architecture from inside the payment provider’s own system. 1. OpenPayd’s client was Klickl Europe — not the victim OpenPayd states that it only provides services to corporate clients and has no direct contractual relationship with individuals. It identifies the relevant OpenPayd client as Klickl Europe. 2. The IBAN was a named vIBAN, not a real personal account OpenPayd states that the assigned IBAN was “not a standard IBAN,” but a named virtual IBAN linked to a main corporate account. It says the specific virtual IBAN was linked to the payment account belonging to Klickl Europe. 3. Klickl Europe provided victim data OpenPayd says it received personal data from the sending bank and from Klickl Europe. From Klickl Europe, OpenPayd received the victim’s name, address and date of birth. It also states that the victim was onboarded onto the Klickl Europe platform and that a virtual IBAN was allocated in her name to receive payments made on her behalf to fund Klickl Europe’s account. 4. The funds became Klickl Europe’s property OpenPayd states that the funds sent to the vIBAN were received into Klickl Europe’s corporate payment account and, once credited, became the property of Klickl Europe. This is the key line. It places Klickl Europe squarely at the economic center of the victim-fund flow. Read our OpenPayd reports here What Is A vIBAN? A virtual IBAN, or vIBAN, is a payment identifier that looks like a normal IBAN but is not a standalone bank account. It is usually linked to a master account or corporate payment account. The corporate client uses the vIBAN to identify who sent a payment and to reconcile incoming funds quickly. In this case, the practical effect was: Victim sees a named IBAN → victim believes the payment is personalized → money is credited to Klickl Europe’s corporate account → Klickl reconciles the deposit internally A vIBAN is therefore powerful in fraud cases because it can create a false sense of safety. The payer sees a name-linked IBAN and may believe they are funding “their own” account. In reality, the money can be routed into the corporate account of the platform client. That is the vIBAN trap. Scam Frontends Now Identified Scam FrontendImpersonated / Claimed BrandVictim-Acquisition PatternPayment Rail IdentifiedCurrent Evidence StatusKXTRA / KKR Global InvestmentKKR-style IPO / private-equity investment narrativeFacebook advertising, WhatsApp grooming, fake advisers, KXTRA app, fake profits, blocked withdrawalsVictim transfers to OpenPayd Malta; Klickl Europe identified in payment structureAustrian criminal complaint reviewed by FinTelegram. The complaint lists OpenPayd Malta payments and names Klickl Europe in the payment-provider section.Peel Hunt / PeelhuntaicoreImpersonation of legitimate UK investment bank Peel HuntWhatsApp investment groups, fake app, alleged trading/investment activity, blocked access to fundsOpenPayd GDPR response confirms named vIBAN linked to Klickl Europe corporate accountOpenPayd GDPR response reviewed by FinTelegram; victim’s earlier email to OpenPayd was titled “Fraud via Peel Hunt / Peelhuntaicore.” Legitimate Peel Hunt publicly warns that PEELHUNTAICORE is not associated with Peel Hunt. Read our Klickl Europe reports here. Payment Rail System — OpenPayd And Klickl Europe LayerEntity / MechanismRole In The RailWhat The Evidence ShowsFraud frontendKXTRA / PeelhuntaicoreFake investment apps and interfaces used to lure victimsVictim files now point to at least two different scam brands using the same OpenPayd/Klickl payment architecture.Recruitment layerFacebook / WhatsApp groups / fake advisersVictim acquisition and psychological groomingBoth fraud types follow the social-media and WhatsApp investment-scam model.Payment infrastructure providerOpenPayd Financial Services MaltaProvides payment infrastructure and named vIBANs to corporate clientsOpenPayd confirms it provides services to corporate clients and does not provide direct services to individuals.OpenPayd clientKlickl EuropeCorporate client and account holderOpenPayd identifies Klickl Europe as its corporate client in the GDPR response.Victim-facing identifierNamed virtual IBANPersonalized payment identifier used to reconcile victim depositsOpenPayd states the IBAN was not a standard IBAN but a named vIBAN linked to Klickl Europe’s payment account.Economic recipientKlickl Europe corporate payment accountReceives the credited victim fundsOpenPayd states that funds sent to the vIBAN were received into Klickl Europe’s corporate payment account and became Klickl Europe’s property once credited.Data sourceKlickl EuropeProvides victim data to OpenPaydOpenPayd states it received the victim’s name, address and date of birth from Klickl Europe.Infrastructure providersProbanx / Bank of LithuaniaProcessing infrastructureOpenPayd says payments were processed through its infrastructure banking providers, including Probanx and the Bank of Lithuania.Downstream layerKlickl platform / wallets / exchanges / operatorsUnknown onward use, conversion, transfer or settlementOpenPayd says subsequent transfers, conversions or investments are outside its control and should be addressed to Klickl Europe. Revised Rail Map Common Collection Rail Victim → OpenPayd named vIBAN → Klickl Europe corporate payment account → Klickl platform credit / transfer / conversion / settlement → unknown downstream recipient Scam Frontend Variants KXTRA / KKR Global Investment → OpenPayd/Klickl vIBAN rail Peel Hunt / Peelhuntaicore → OpenPayd/Klickl vIBAN rail The frontends differ. The rail appears to be the same. Why The Peel Hunt / Peelhuntaicore Case Matters The legitimate Peel Hunt is a respected UK investment banking firm (website) specializing in mid and small-cap companies, listed on the London Stock Exchange, with offices at 100 Liverpool Street, London. The fraudulent Peel Hunt scam and the “PEELHUNTAICORE” and “PHFINCORE” apps have no connection to this licensed financial institution. The Peel Hunt / Peelhuntaicore evidence changes the risk assessment. If this were only KXTRA, OpenPayd and Klickl might attempt to frame the matter as an isolated merchant abuse case. But the Peelhuntaicore evidence indicates a second investment-fraud frontend feeding the same Klickl-linked vIBAN architecture. That points to a repeatable collection system. It also puts Klickl Europe under even more pressure. If Klickl Europe received victim funds from different scam fronts, it must explain whether the same customer, wallet, merchant, exchange account, OTC desk or internal ledger was behind these flows. The key question is no longer: Was Klickl accidentally exposed to one scam? The key question is: How did multiple fake investment scams end up funding Klickl Europe’s corporate account through OpenPayd vIBANs? FinTelegram Assessment FinTelegram’s assessment is that Klickl Europe must be treated as a central evidence holder and potential fraud-rail participant. There are three possible scenarios: ScenarioInterpretationWhat Klickl Must ProduceKlickl was only an on-rampKlickl processed funds for fraud operators without operating the scam frontendCustomer identity, wallet addresses, exchange accounts, conversion records, SAR/STR filings, termination recordsKlickl was a settlement intermediaryKlickl received funds and moved them onward for another processor, merchant or platformFull counterparty chain, settlement instructions, ledger entries, contractsKlickl was closer to the fraud operatorsKlickl or related parties had operational knowledge of the scam networkInternal communications, onboarding files, platform links, beneficial-owner and transaction-control records Even the most favorable scenario for Klickl — “only an on-ramp” — still leaves Klickl with the critical data. If it received the funds, it should know where they went. That data belongs in the hands of victims, law enforcement and regulators. Call For Victims And Whistleblowers FinTelegram is now collecting additional evidence on the broader OpenPayd / Klickl Europe vIBAN fraud rail. We are especially interested in victims of: KXTRA KKR Global Investment Peelhuntaicore fake Peel Hunt / Peel Hunt Europe WhatsApp groups any other investment app or WhatsApp group where deposits were made to an OpenPayd / CFTE / Malta IBAN any payment file showing Klickl Europe any DSAR / GDPR response from OpenPayd any transaction reference such as “Sweep to Primary Account” Victims should send: OpenPayd GDPR / DSAR responses; Summary of payments spreadsheets; assigned vIBANs; payment receipts; app screenshots; WhatsApp group screenshots; names and phone numbers of “advisers”; police reports; regulator complaints; crypto wallet addresses or transaction hashes; responses or non-responses from Klickl Europe. If one victim collects documents for others, each victim should preferably give written consent or submit their own file directly via Whistle42. Conclusion This investigation is no longer about one fake app. KXTRA was one frontend.Peelhuntaicore was another.The common denominator appears to be the OpenPayd/Klickl Europe vIBAN rail. OpenPayd has now confirmed that the victim-facing IBAN was a named virtual IBAN linked to Klickl Europe’s corporate payment account. OpenPayd has also confirmed that funds credited through that vIBAN became the property of Klickl Europe. That places Klickl at the center of the evidence. If Klickl was merely the on-ramp, it must disclose the downstream data.If Klickl was closer to the operators, regulators and law enforcement must act.If OpenPayd enabled a repeatable vIBAN structure for multiple scam frontends, it must explain how that happened under its transaction-monitoring and financial-crime controls. The victims want the data. FinTelegram will keep following the rail. Share Information via Whistle42

A Wise customer has accused the fintech of obscuring gambling-related card transactions by displaying Apple Pay or incomplete merchant information instead of the real payee, even though the transactions allegedly carried MCC 7995, the card-network code for gambling. The customer has already escalated the matter to the FCA and the Financial Ombudsman Service. FinTelegram has reviewed substantial material and sees a serious contradiction worth investigating: if Wise says it does not support gambling transactions, why did gambling-coded payments go through at all? And if they did, what exactly did Wise know internally about the real merchant? Key Findings The customer alleges that disputed Wise card transactions were internally associated with MCC 7995 (Gambling Transactions) while the customer-facing view did not clearly identify the underlying merchant. In support exchanges reviewed by FinTelegram, Wise support allegedly stated that Wise does not support gambling transactions. The same material appears to show internal-style merchant information referencing Applepay, Limassol, CY, and MCC 7995, raising questions about what Wise knew internally versus what was shown to the customer. The customer claims Wise relied on incomplete or simplified presentation layers, including Apple Pay / Applepay, while the true merchant remained obscured during the support process. Wise’s public documentation presents a more nuanced policy position than an absolute ban, including restrictions on gambling-related transfers and a statement that users cannot receive money to their Wise card from gambling or betting institutions. FinTelegram has received additional evidence that is still under review, including materials suggesting links between the gambling-side payment chain and Cyprus-linked processing environments. Article draft Wise & Gambling: If Wise Does Not Support Gambling Transactions, Why Did MCC 7995 Payments Go Through? A dispute between Wise and one of its customers is raising uncomfortable questions about how “clean” fintechs actually handle gambling-related payments. The payments cited by the player in the Wise case involve deposits made via a Wise card to casinos operating illegally in the EU and the UK. As the player’s documents show, these deposits were orchestrated through Payabl, which is regulated as an EMI in the UK and Cyprus.The recipients included, among others, the Irish company Zentoria Ltd and the Cypriot company NovaForge, which act as payment agents for casinos operating illegally and are merchants of Payabl. Payabl and Wise in a debosit transactions to an illegal casino operator According to extensive materials reviewed by FinTelegram, the customer repeatedly challenged Wise over a series of card transactions that were classified with MCC 7995 — Gambling Transactions but were not clearly presented to him as gambling payments at the customer-facing level. Instead, the disputed transactions allegedly appeared in a blurred or misleading way, including references such as Apple Pay or Applepay / Limassol, rather than a clear underlying merchant identity. That matters because, in support communications reviewed by FinTelegram, Wise support allegedly told the customer that Wise “does not support gambling transactions.” At the same time, the customer says his disputed transactions carried MCC 7995, the standard card-network category for gambling. If both things are true, then one obvious question follows: how did those transactions get through in the first place? Wise’s public materials present a more nuanced position than a simple blanket ban. Wise says gambling-related transfers must not involve certain listed countries under its position on gambling. Its Acceptable Use Policy also states that some unsupported-business restrictions do not apply to lawful transactions using the Wise Multi-Currency Card, while Wise separately says users cannot receive money to their Wise card from gambling or betting institutions. Data Manipulation Allegations The customer’s allegation goes further. He claims Wise did not simply mishandle the case, but obscured or manipulated the transaction information shown to him. The core allegation is not that backend data did not exist. It is that Wise allegedly had access to deeper merchant-level information — including merchant identifiers, structured merchant data, and gambling classification — while the customer-facing view remained vague, incomplete, or misleading. In materials reviewed by FinTelegram, the customer points to internal-style merchant information showing Applepay, Limassol, CY, and MCC 7995, while the real merchant allegedly remained hidden during the support process. This is where the case becomes genuinely interesting. If Wise publicly presents itself as a compliant, low-risk financial institution that does not support non-licensed and thus illegal gambling transactions, then it would have an obvious incentive to avoid a customer-facing record that openly shows a Cyprus-linked gambling merchant. In that context, the alleged appearance of Apple Pay as a front-facing label, while the real merchant allegedly sat behind a processor chain in Limassol, stops looking random and starts looking functional. It would make reputational and compliance sense. Whether that was legitimate wallet-display simplification, poor internal handling, or something more serious is the question. Wise & Illegal Casino Activities? The customer’s logic is not absurd. If Wise processed gambling-coded transactions related to illegal casino actitivies while publicly distancing itself from gambling, then concealing the true merchant behind Apple Pay, or reducing merchant visibility in the customer view, would at least have a motive. And motive matters. The material reviewed by FinTelegram suggests a widening contradiction: Wise allegedly says it does not support gambling transactions; the customer’s disputed transactions allegedly carry MCC 7995; internal-style merchant information allegedly pointed to Applepay / Limassol / Gambling Transactions; and the customer says he was left to reconstruct the merchant trail himself. The customer has already escalated the matter to the FCA and the Financial Ombudsman Service, and FinTelegram has received substantial further material that is still under review. At this stage, the Wise case should be seen as an initial warning signal, not a final verdict. But if it turns out that Wise was in fact handling illegal gambling-related payments while publicly presenting itself as a company that does not support gambling — and if it further turns out that customer-facing transaction data was shaped in a way that concealed the real merchant — then this would not be a minor support failure. It would be a major compliance scandal with the potential to damage Wise’s carefully cultivated clean-cut image. FinTelegram will continue to review the evidence. Further reports will follow. Share Information If you are a player, former employee, payments insider, or compliance professional with information about gambling-related transactions processed through Wise, Payabl, or related merchant/payment-agent structures, contact FinTelegram confidentially via Whistle42. Share Information via Whistle42

FinTelegram’s current assessment is clear: Klickl Europe Sp. z o.o. appears inside the KXTRA fraud rail, not outside it. Victim materials reviewed by FinTelegram indicate that funds deposited into OpenPayd-linked, victim-facing accounts were swept onward to Klickl Europe, with the transaction reference reportedly stating “Sweep to Primary Account.” This is not a minor payment-processing footnote. It identifies Klickl Europe as the apparent primary-account recipient in the alleged KXTRA / KKR Global Investment money trail. The 2-Minute Briefing Klickl is not a random payee. Its own websites present a broad Web3 finance and virtual-asset infrastructure group offering global accounts, wallet services, merchant payments, stablecoin payments, payment APIs, custody services, OTC/exchange services, asset-management products, card/spending services, and Web3 SaaS solutions. Klickl describes itself as a multi-jurisdictional virtual-asset services group and states that, unless otherwise specified, the products and services on klickl.com are provided by Klickl Europe. That makes the OpenPayd → Klickl sweep highly material: victim funds were allegedly routed into a crypto-financial operating structure, not into an incidental commercial recipient. Klickl’s Polish regulatory footing should not be overstated. Klickl states that Klickl Europe is incorporated in Poland under KRS 0001053580 and registered in Poland’s virtual-asset activity register under RD WWW-930. But Poland’s Ministry of Finance states explicitly that the register is record-keeping in nature, that entry is not equivalent to a licence or warranty, and that virtual-currency activity is not licensed or supervised in the way mainstream financial sectors are supervised. Control and governance are equally important. Polish register data identifies Xu Zhao as president of the management board and shareholder of Klickl Europe. SEC materials for Crypto 1 Acquisition Corp identify Michael (Xu) Zhao as founder, CEO and director, and describe his background in crypto trading, IDCM, and VGPay, a crypto-payment business. FinTelegram treats Michael Zhao / Michael Xu Zhao / Xu Zhao as the relevant control identity for the Klickl Europe analysis, subject to any clarification from Klickl. Read more on the KXTRA investment scam here. Key Findings 1. Klickl Europe appears inside the KXTRA money trail Victim materials reviewed by FinTelegram indicate that funds deposited into OpenPayd-linked accounts were swept to Klickl Europe Sp. z o.o. as the apparent primary-account recipient. That makes Klickl a central payment-rail actor in the KXTRA case. 2. Klickl is a crypto-financial infrastructure group, not a passive merchant Klickl markets services including accounts, fiat and crypto payments, global transfers, stablecoin payments, payment API, custody, cards, OTC/exchange services, asset management, and Web3 SaaS infrastructure. Its own disclaimer describes Klickl as a multi-jurisdictional virtual-asset services group. 3. Klickl Europe’s Polish registration is not a robust financial licence Klickl Europe discloses Polish KRS registration 0001053580 and virtual-asset register number RD WWW-930. However, Polish Ministry of Finance guidance states that the register is record-keeping in nature, that entry cannot be equated with a licence or warranty, and that virtual-currency activity is not licensed or supervised like mainstream financial institutions. 4. The “regulated” branding requires scrutiny Klickl markets itself as a regulated virtual-asset platform. Polish official guidance states that Polish virtual-currency register entries cannot market themselves as conducting licensed or supervised activity under Polish law. Any reliance on Polish registration as a substitute for prudential authorisation is misleading in substance. 5. The Michael Zhao / Xu Zhao control issue is material Polish register data reviewed by FinTelegram identifies Xu Zhao as president and shareholder of Klickl Europe. SEC filings identify Michael (Xu) Zhao as a crypto entrepreneur linked to IDCM and VGPay. This points to a broader China-linked crypto-payments network behind the Polish VASP. 6. Klickl’s public management presentation raises governance questions Klickl’s public pages identify senior figures including Ben Huang, Dermot Mayes, Sanne Ke, Shawn Xie, Alihan Ekesan, Andrea Gay, Jane Record and others. The older klickl.eu page presents a different team format, including Ben Huang as Chief Compliance Officer and several senior figures with first names only. This is not proof of fabrication, but it is a governance and identity-verification red flag. 7. Klickl should know where the KXTRA money went next If Klickl Europe received swept victim funds, it should know its customer, ledger entries, conversion records, wallet destinations, exchange accounts, OTC counterparties and settlement partners. “We do not know” would be an unacceptable answer for a crypto/on-ramp provider. 8. TFG Technology is a live hypothesis node TFG Technology Ltd allegedly appeared on the payout side of the KXTRA case. Companies House records show TFG Technology Ltd as controlled by Chinese national Libo Wang and subject to a section 1002A warning relating to misleading, false or deceptive incorporation information. The possible link between TFG and the same China-linked crypto-payment infrastructure around Klickl remains a hypothesis, not a proven fact. 9. RatEx42 Red / DAREX D is justified Klickl’s risk profile is severe: fraud-rail exposure, transitional Polish VASP status, opaque governance, China-linked control, broad crypto/on-ramp functionality, and unanswered downstream fund-flow questions. Summary Table FieldDetailsBrandKlicklCore entityKlickl Europe Sp. z o.o.Main domainsklickl.com, klickl.eu, klicklx.com, klicklone.com, klicklpay.com, klicklcustody.com, ex.klickl.com, futures.klicklx.com, alliance.klickl.com, cryptoeasy.appJurisdictionPolandPolish VASP registrationRD WWW-930Business model presented by KlicklWeb3 account, merchant payments, global transfers, stablecoin payments, payment API, custody, cards, OTC/exchange, asset management, SaaSControl / UBO issuePolish register data identifies Xu Zhao; SEC sources identify Michael (Xu) Zhao in crypto-payment and exchange businessesKnown payment-rail roleApparent recipient of funds swept from OpenPayd victim-facing accounts in KXTRA caseKXTRA connectionVictim evidence indicates OpenPayd → Klickl Europe sweep structureTFG Technology connectionWorking hypothesis only; TFG appears on payout side and is controlled by Chinese national Libo WangRatEx42 ratingRed with DAREX tier D Corporate And Regulatory Profile Klickl presents itself as a Web3 finance platform and virtual-asset group. Its website describes KlicklX as a Web3 digital financial account integrating wallet, digital assets, fiat accounts and card-based consumption services. KlicklONE is described as a digital finance system for corporates and merchants. Klickl Pay includes merchant payments, global transfers, stablecoin payments, POS terminals and payment API. The wider stack also includes custody, cards, OTC/exchange, asset management, professional trading, and listing applications. Klickl’s regulatory pages state that Klickl Europe is incorporated in Poland under KRS 0001053580 and registered in Poland’s virtual-asset activity register under RD WWW-930 for exchange, brokerage and virtual-asset account-maintenance activities. This registration must be read correctly. Poland’s Ministry of Finance has stated that only an application and declaration are needed for the register entry; the register is record-keeping in nature; and entry cannot be equated with a licence or warranty. The MiCA transition adds a second risk layer. UKNF has stated that Poland had not designated a national competent authority for CASPs due to the absence of implementing legislation. It also stated that virtual-currency register entities may operate under transitional arrangements, but after 1 July 2026 domestic operators lose that possibility unless authorisation exists under the MiCA framework. In compliance terms, Klickl Europe’s Polish VASP registration should be treated as a high-risk transitional registration, not as a strong prudential authorisation. Control And Governance The identity and control structure require close scrutiny. Polish register data reviewed by FinTelegram identifies Xu Zhao as president of the management board and shareholder of Klickl Europe Sp. z o.o. Public market filings identify Michael (Xu) Zhao as founder, CEO and director of Crypto 1 Acquisition Corp and describe him as having started International Digital Currency Markets (IDCM) and VGPay, a crypto-payment business. This matters because Klickl’s KXTRA exposure cannot be treated as a small Polish registration anomaly. The control person is linked to a broader crypto-exchange and crypto-payment history. Klickl’s governance presentation also deserves scrutiny. Klickl’s main site lists senior figures including Ben Huang as President, Dermot Mayes as CEO of Klickl UAE, Sanne Ke as Head of Compliance / MLRO, and other regional, business and functional leaders. The older klickl.eu page presents a different structure, naming Ben Huang as Chief Compliance Officer and listing several figures with minimal identifiers, including first-name-only entries. For a crypto/on-ramp entity handling cross-border payment flows, unclear or shifting management presentation is a governance red flag. FinTelegram does not state that Klickl’s listed executives are fake. The finding is narrower and stronger: Klickl’s public governance disclosures are inconsistent and require independent verification. Klickl In The KXTRA Fraud Rail The evidence-supported rail map is: Victim → OpenPayd victim-facing VIBAN / sub-account → sweep to Klickl Europe → suspected crypto/on-ramp or settlement layer → KXTRA operators That puts Klickl Europe in a critical position. The company’s own business model matches the functional role suggested by the evidence: fiat/crypto exchange, brokerage, account maintenance, payment API, stablecoin payments, global transfers and settlement infrastructure. Klickl therefore should be able to answer the essential question: what happened after the money hit Klickl Europe? Possible scenarios: ScenarioStatusImplicationKlickl acted as on-ramp processor for a KXTRA-related customerWorking hypothesisKlickl should identify the customer and downstream wallets / exchangesKlickl acted as settlement intermediary for another processor or merchantWorking hypothesisKlickl should identify the counterparty and transaction purposeKlickl was closer to the KXTRA operatorsOpen investigative questionRequires evidence from wallet trails, onboarding files, communications or internal recordsKlickl was abused by fraudstersPossible defenceKlickl should prove this by disclosing customer, monitoring, reporting and termination records The key point is non-negotiable: Klickl is not a random name in a bank statement. It appears to be the entity that received the swept funds. TFG Technology Ltd: Working Hypothesis TFG Technology Ltd is not proven to be a Klickl affiliate. It is, however, a serious hypothesis node. The UK Companies House records identify TFG TECHNOLOGY LTD, company number 16544033, and show a warning that the registrar is taking or has taken steps to strike off the company under section 1002A of the Companies Act 2006 due to incorporation information described as misleading, false or deceptive. Companies House records identify Libo Wang, a Chinese national resident in China, as director and person with significant control, with ownership of shares and voting rights of 75% or more and the right to appoint or remove directors. In the KXTRA case, TFG appears on the payout side as the sender of a partial victim payout through a Danish IBAN / Banking Circle-type rail. That fits the confidence-payout pattern seen in investment fraud: return a controlled amount to maintain trust, then block larger withdrawals or demand additional payments. Working hypothesis: TFG Technology Ltd may have been connected to the same China-linked or Asia-linked crypto-payment infrastructure orbit that intersects with Klickl and the KXTRA fraud rail. Status: hypothesis only. FinTelegram does not yet have evidence proving a corporate or ownership link between TFG Technology Ltd and Klickl Europe. Conclusion Klickl Europe is not peripheral to the KXTRA case. Based on victim evidence reviewed by FinTelegram, it appears as the recipient of funds swept from OpenPayd victim-facing accounts. That places Klickl inside the money trail. Klickl markets itself as a regulated Web3 finance platform. But the Polish regulatory basis it discloses is a record-keeping VASP registration, not a banking-style licence or prudential authorisation. Poland’s own Ministry of Finance says the register cannot be equated with a licence and that virtual-currency activity is not supervised like mainstream financial institutions. If Klickl was merely abused by the KXTRA operators, it should prove it. It should disclose the customer, the ledger trail, the wallet destinations, the exchanges, the settlement partners, the suspicious-activity filings, and the termination actions. If Klickl cannot or will not explain where the money went, the suspicion deepens. KXTRA was the bait. OpenPayd was the intake pipe. Klickl appears to have been the gateway. That is why RatEx42 flags Klickl Red and DAREX D. Whistleblower Call FinTelegram invites victims, former employees, compliance officers, payment staff, crypto-exchange personnel, OpenPayd insiders, Klickl insiders, Banking Circle contacts, law-enforcement officials, and other knowledgeable sources to contact Whistle42. We are specifically looking for: OpenPayd Excel files Klickl account statements Klickl wallet addresses crypto transaction hashes KXTRA app screenshots WhatsApp chats onboarding files internal compliance emails DSAR responses Banking Circle / Danish IBAN documentation TFG Technology payout records any information on Michael Xu Zhao / Xu Zhao any information on Libo Wang any evidence linking Klickl, OpenPayd, TFG Technology, or KXTRA operators Share Information via Whistle42 Source Notes Klickl About page — describes Klickl as a Web3 finance platform, sets out services, and lists management/team members.https://www.klickl.com/about Klickl Regulatory Information — states Klickl Europe’s KRS number, RD WWW-930 registration and Polish virtual-asset activities.https://www.klickl.com/help/detail?id=569113099598475264609f Klickl Europe legacy page — lists the Warsaw office, KRS, Polish tax ID and RD WWW-930 activities.https://klickl.eu/about.html Polish Ministry of Finance Communication No. 77 — states that Polish virtual-currency register entry is record-keeping, not a licence or warranty, and that virtual-currency activity is not licensed/supervised like mainstream financial sectors.https://www.gov.pl/web/finance/communication-no-77-on-the-status-of-virtual-currency-operators UKNF MiCA transition position — explains the absence of a Polish CASP competent authority and transitional-period issues.https://www.knf.gov.pl/knf/pl/komponenty/img/Stanowisko_UKNF_-_nadzor_nad_krypto_96996.pdf SEC Form S-1, Crypto 1 Acquisition Corp — identifies Michael (Xu) Zhao and his IDCM / VGPay background.https://www.sec.gov/Archives/edgar/data/1870471/000110465921138253/tm2124028d3_s1.htm Companies House — TFG Technology Ltd officers — identifies Libo Wang and the section 1002A warning.https://find-and-update.company-information.service.gov.uk/company/16544033/officers Companies House — TFG Technology Ltd PSC — identifies Libo Wang as person with significant control.https://find-and-update.company-information.service.gov.uk/company/16544033/persons-with-significant-control

A Dutch legal-forensic initiative has pushed the illegal-casino debate into a new phase. ITFY Legal has served a detailed forensic cluster report, a Casino Monitor infrastructure report, and a follow-up addendum concerning the HolyLuck-linked casino network on casino operators, payment facilitators, regulators, government agencies and infrastructure providers. The reports draw on FinTelegram’s earlier investigative findings but go deeper into technical infrastructure analysis, mapping shared domains, Cloudflare accounts, origin IP blocks, payment descriptors and apparent staging environments. Based on FinTelegram’s initial review, the ITFY findings align with and materially expand our own reporting on the HolyLuck / Booms.bet / Lyntec / SENDS payment-rail environment. Key Findings Dutch initiative against illegal casino rails: ITFY Legal, based in the Netherlands, has prepared and circulated forensic reports concerning the HolyLuck Casino Network and connected operators. CRUKS player at the center: The reports concern a Dutch CRUKS-registered player who allegedly lost €18,280 across HolyLuck, Spinstar, Spindog, Millioner2 and InstantCasino. Cluster, not isolated casinos: ITFY alleges that the relevant casino brands form part of a broader operational cluster sharing infrastructure, legal operators, payment-presentation layers and mirror-domain architecture. FinTelegram findings confirmed and expanded: The ITFY report expressly cites FinTelegram’s earlier investigations into RevDuck, Sapphire Summit, Lyntec, SENDS/Smartflow and the HolyLuck payment rails, but adds a deeper forensic infrastructure layer. Payment providers and regulators on notice: The reports were circulated to casino operators, PSPs, regulators, public authorities, card/payment actors and infrastructure providers, including Cloudflare and Google-related channels. Post-service reaction: Within 24 hours after service of the first reports, ITFY observed changes in the cluster: several domains became unreachable, while the shared origin infrastructure allegedly remained stable and the observed domain footprint increased. Read our reports on HolyLuck A Dutch Forensic Initiative Enters The Illegal Casino Battle FinTelegram has received a set of reports and correspondence from ITFY Legal, a Dutch legal-forensic initiative, concerning what it calls the HolyLuck Casino Network and Connected Operators. The material was transmitted through the Whistle42 whistleblower channel and is directly relevant to FinTelegram’s ongoing investigations into illegal offshore casinos, merchant opacity and payment-rail abuse. The first package consisted of a full forensic cluster report and a Casino Monitor infrastructure report. A one-page addendum followed one day later. According to the ITFY report, the matter concerns a Dutch resident registered in the Central Register for Self-Exclusion of Players (CRUKS), who was allegedly able to deposit funds with several unlicensed offshore casinos despite being barred from participating in remote gambling offers directed at Dutch residents. The report states an aggregate restitution position of €18,280. This is not merely a private player complaint. It is a structured escalation package directed at casino operators, payment facilitators, supervisory authorities, public agencies and infrastructure providers. The HolyLuck Cluster Allegation The report identifies five principal casino operators in the client’s loss calculation: HolyLuck Casino, Spinstar Casino, Spindog Casino, Millioner2 Casino and InstantCasino. It also links them to a wider network of brands including Booms.bet, TrueLuck, Kokobet, IgoBet, Winorio, Mega.bet, Bino, Fano, Moko, Starzino, Rakebit, Spinorhino, Casho-app, Luckygem, Baloo, Betory, Dragobet, Zazibet, Winhero and PlayMegaWin. ITFY forensic report on HolyLuck In a per-casino analysis, the ITFY report details, for each player, how the events unfolded and what actions the player took. See also the screenshot regarding the analysis of HolyLuck (right). The core allegation of the report is simple but explosive: ITFY says the relevant casino brands should not be treated as independent operators, but as parts of a single operational cluster. This assessment aligns with that of FinTelegram regarding payment rails as well, where there are not only isolated payment facilitators but also networks of multi-layered payment rails that facilitate these illegal activities through these casino and domain networks. The alleged losses of the player repretended by ITFY are broken down as follows: OperatorAlleged DepositsHolyLuck Casino€10,035Spinstar Casino€2,855Spindog Casino€1,805Millioner2 Casino€1,780InstantCasino€1,805Total€18,280 The report states that the claims are based on bank-reconciled deposit records and player-account data. From FinTelegram Reporting To Deeper Forensic Mapping The ITFY report explicitly draws on FinTelegram’s earlier reporting. This is important. FinTelegram had already investigated elements of the HolyLuck / Booms.bet / RevDuck / Sapphire Summit / Lyntec / SENDS ecosystem, including the alleged use of UK-linked merchant fronts, payment descriptors and PSP routing layers. ITFY takes that reporting and adds a deeper technical layer. The report states that its findings are supported by forensic infrastructure analysis, KSA sanction records, UK Companies House records, industry sister-site databases, operator disclosures and FinTelegram’s investigative series. Based on FinTelegram’s initial review, the ITFY findings are broadly consistent with our own investigations and appear to build upon them. The ITFY material does not merely repeat prior allegations. It attempts to reconstruct the casino cluster technically — through domains, nameservers, origin IPs, MX records, TLS fingerprints, HTML hashes and payment-presentation layers. That is where the report becomes particularly powerful. The Methodology: Follow The Infrastructure The Casino Monitor report describes a forensic clustering methodology based on public sources such as Certificate Transparency logs, urlscan.io, Wayback Machine records and manual additions. For each reachable domain, ITFY records infrastructure fingerprints including nameservers, IP addresses, /24 hosting blocks, MX records, SSL certificate hashes and HTML-body hashes. Domains sharing identical values are grouped as clusters. The full ITFY report then identifies several key infrastructure signals: multiple Cloudflare nameserver pairs, allegedly indicating several separate Cloudflare accounts; convergence on the same origin infrastructure, especially the 82.139.216.0/24 block; shared or unusual MX configurations; HTML-template congruence at the payment-presentation layer; exposed developer or staging deployments; tracking and analytics domains linked to casino brands. One of the most striking findings is the claimed use of multiple Cloudflare account-level compartments that nevertheless converge on the same origin block. ITFY interprets this as deliberate compartmentalisation: separate front-end exposure, shared underlying infrastructure. The Casino Monitor report separately shows HolyLuck, TrueLuck, Booms.bet, Spinstar, Moko and other domains resolving into the same 82.139.216.0/24 environment. The Payment-Rail Dimension The report is not limited to casino domains. It also targets payment rails and merchant presentation. According to ITFY, the disputed flows involve or touch several payment actors and routes, including Visa, Klarna, Skrill/Paysafe, Mangopay, SaferSepa / AB Mano Bankas, MiFinity, Trustly/Brite, Worldpay, Mollie, and others. The report states that several payment-side investigations or disputes were opened and that some initial findings were favourable to the client. The Lyntec / GEMCEBR element is especially relevant to FinTelegram. The report identifies Lyntec Limited as a UK-linked card-processing front associated with the descriptor “GEMCEBR LONDON GBR” and refers to the alleged use of MCC 5816 / Digital Goods instead of the gambling MCC 7995. If confirmed, this would be classic transaction-laundering territory: gambling payments dressed up as digital-goods transactions. The Addendum: Did The Cluster React? The most dramatic element came one day later. On 9 May 2026, ITFY circulated an addendum stating that material changes had been observed in the cluster within 24 hours after service of the original report. The addendum says the shared 82.139.216.0/24 origin block had increased from 67 domains to 79 domains, while several domains became unreachable, including instantcasino.com, millioner.com, millioner2.com, clickholyluck.com, clickwinorio.com, boomstrackers.com and trackingbino.bet. ITYF interprets this as active operator-side rotation, not dissolution of the cluster. In other words: some front-end or tracking domains may disappear, but the infrastructure beneath them allegedly remains stable. That is a key finding. Illegal casino networks are not static websites. They are adaptive conversion machines. Domains change. Mirrors appear. Trackers go dark. Payment fronts rotate. But the infrastructure pattern may survive. The addendum also reports a newly identified development pipeline involving lottopark.work and whitelotto.work, with exposed subdomains such as admin, aff, api, casino, manager, mailhog and phpmyadmin, plus Polish DevOps terminology in path strings. ITFY describes this as operationally significant for Dutch and Polish authorities. FinTelegram’s Initial Position FinTelegram has not adopted every legal conclusion in the ITFY report. However, based on our initial review, the forensic material is serious, structured and highly relevant. It aligns with and expands upon several findings previously published by FinTelegram concerning HolyLuck, Booms.bet, Sapphire Summit, Lyntec, SENDS/Smartflow, RevDuck and related payment infrastructure. The addendum is particularly important because it suggests that the report may already be producing operational consequences. If casino domains, trackers or staging endpoints move shortly after legal notice, regulators and PSPs should pay attention. FinTelegram will continue reviewing the material and expects to publish follow-up reports on specific aspects of the ITFY dossier, including payment facilitators, merchant descriptors, Cloudflare and Google infrastructure, Dutch CRUKS implications, Polish-linked domains and the broader offshore casino ecosystem. Call For Information FinTelegram invites insiders, former employees, payment-service providers, acquiring banks, compliance officers, affected players and technical investigators to provide information about the HolyLuck Casino Network, Booms.bet, Spinstar, Spindog, Millioner2, InstantCasino, Lyntec Limited, SENDS/Smartflow, Mangopay, Skrill/Paysafe, Klarna, SaferSepa, Brite, Trustly, Cloudflare-hosted casino infrastructure, or related merchant descriptors. Information can be submitted securely through the Whistle42 whistleblower platform. Share Information via Whistle42

The crypto winter continues to freeze out industry giants. In its Q1 2026 earnings report, leading U.S. cryptocurrency exchange Coinbase revealed a staggering $394 million net loss, following a similar slump in the previous quarter. Amid crashing retail trading volumes, CEO Brian Armstrong has initiated a drastic 14% reduction in the workforce—axing approximately 700 employees—under the guise of an “AI-native” corporate restructuring. FinTelegram analyzes the disastrous quarter and the controversial technological shift. Key Findings Massive Earnings Miss: Coinbase reported Q1 2026 total revenue of $1.41 billion, down 21% quarter-over-quarter, falling short of Wall Street’s $1.56 billion expectation. Deepening Losses: The exchange suffered a net loss of $394 million, with Earnings Per Share (EPS) plunging to -$1.49, against an anticipated positive EPS of $0.29. Drastic Layoffs: Roughly 14% of the global workforce (about 700 employees) is being laid off as management trims the organizational hierarchy down to just five levels below the executive suite. The “AI Pivot”: CEO Brian Armstrong claims the cuts are part of a strategic transition toward “AI-native pods,” utilizing artificial intelligence to write code and automate workflows, effectively replacing traditional human developer and management roles. Restructuring Costs: The massive operational overhaul will cost the struggling exchange between $50 million and $60 million in severance, equity vesting, and termination benefits. Read our Coinbase reports here. CyberFinance Analysis: A Smokescreen for Survival? Coinbase’s Q1 2026 financial disclosure paints a grim picture of an exchange struggling to retain its footing amid broader macroeconomic headwinds and a cyclical crypto market slump. Trading volumes and overall crypto market capitalization both plummeted over 20% in the quarter. Retail transaction revenue bore the absolute brunt of the hit, declining 23% alongside waning consumer spot volumes, heavily impacting the bottom line despite the company logging its 13th consecutive quarter of positive adjusted EBITDA ($303 million). However, the financial hemorrhage is only half the story. The abrupt termination of 700 employees, framed as an inevitable evolution into an “AI-native” corporate structure, has raised immediate red flags among industry analysts. Armstrong’s narrative suggests that AI agents can now perform engineering tasks in days rather than weeks, and that 40% to 50% of daily code will soon be AI-generated, rendering a significant chunk of the workforce obsolete. While flattening the corporate hierarchy to eliminate pure management roles might reduce operational bloat, critics and market insiders argue the “AI pivot” is a highly convenient smokescreen for panic-driven cost-cutting. The critical question remains whether the transition to a heavily automated, lean model can adequately substitute human oversight, security auditing, and compliance in a heavily regulated and historically volatile financial sector. Summary of Q1 2026 Performance MetricQ1 2026 ResultAnalyst ExpectationQuarter-over-Quarter TrendTotal Revenue$1.41 Billion$1.56 BillionDown 21%Net Income / Loss-$394 MillionPositive Net IncomeContinuing LossesEPS (Earnings Per Share)-$1.49$0.29Missed by $1.78Workforce Reduction~700 Employees (14%)N/AN/ARestructuring Costs$50M – $60MN/AN/A Hypothesis: The Future of Coinbase and the Crypto Sector FinTelegram hypothesizes that Coinbase’s drastic operational pivot is a bellwether for the broader digital asset sector. The transition to an “AI-native” workforce is likely less about technological utopianism and more about sheer corporate survival. As regulatory pressures from the SEC mount and retail trading volumes stagnate, crypto exchanges will increasingly rely on automated workflows to aggressively slash overhead. If Coinbase’s AI integration succeeds in maintaining platform stability without human engineers, we expect a massive wave of AI-driven layoffs across rival exchanges (such as Binance, Kraken, and Gemini) as they mimic this hyper-automated structure. However, if the removal of human oversight leads to smart contract vulnerabilities, code degradation, or compliance failures, Coinbase risks catastrophic systemic breaches and the loss of its dominant U.S. market share. Armstrong is betting the house that AI can navigate the extreme complexities of Web3 infrastructure—a high-stakes gamble with zero margin for error. Call to Action: Whistleblowers Wanted Are you a current or former employee of Coinbase? Do you have internal documents regarding the recent layoffs, the true functional reality of the “AI-native” pods, or undisclosed financial/security risks? FinTelegram urges insiders to come forward. We provide a secure, anonymous platform for whistleblowers to expose corporate malfeasance, regulatory circumvention, and hidden systemic risks. Submit your information securely to our research team via our whistleblower portal and help us bring necessary transparency to the opaque crypto ecosystem. Share Information via Whistle42