Editorial

newsfeed

We have compiled a pre-selection of editorial content for you, provided by media companies, publishers, stock exchange services and financial blogs. Here you can get a quick overview of the topics that are of public interest at the moment.
News from the economy, politics and the financial markets
In this section of our news section we provide you with editorial content from leading publishers.

Latest news

Player Complaint Puts Super Spin, Rolly Spin, and Cyprus Payment-Agent Structure Under the Spotlight

FinTelegram has reviewed an email chain from a player alleging delayed withdrawals, repeated stalling, blocked live-chat access, and unresolved account-closure issues involving Super Spin and sister brand Rolly Spin. The complaint identifies Belize-registered Comentive Ltd as operator and points to a Cyprus payment-agent structure disclosed on the casino side, raising wider compliance questions around offshore gambling operations, consumer harm, and payment facilitation.

Key Findings

- A player complaint reviewed by FinTelegram alleges that Super Spin delayed a £1,500 withdrawal for an extended period despite prior successful withdrawals and completed KYC.
- The same source alleges that support first cited technical issues or review processes, then became non-responsive while live chat repeatedly promised resolution “asap.”
- The complaint identifies Comentive Ltd as the Belize operator behind Super Spin and Rolly Spin and states that Norvelic Limited in Cyprus acts as payment agent.
- The player names Revolut, Mercuryo, Gwaypayment, Rillpay, and “Krypotonim” as payment channels or processors allegedly connected to the casino flows. FinTelegram treats these as allegations requiring clarification.
- The complaint also raises potential responsible-gambling and consumer-protection concerns, alleging that Rolly Spin failed to close an account despite repeated requests.

A Player Complaint That Fits a Familiar Pattern

According to the emails reviewed by FinTelegram, the player says she joined Super Spin, deposited funds, passed KYC, and won just over £20,000 without using a bonus. She says the casino’s published withdrawal limits were £1,500 a day, £4,000 a week, and £12,000 a month, but that she was only able to withdraw £4,000 over several weeks and had to fight repeated delays and excuses even for those payments.

She further alleges that one £1,500 withdrawal remained outstanding well beyond the stated timelines, while support first cited technical issues and later stopped responding. In later emails, she says there were multiple outstanding withdrawals and that live chat repeatedly told her the matter would be resolved “asap” before allegedly blocking her again.

That pattern matters. In many offshore casino disputes, the real friction begins not when players deposit, but when they try to cash out.

Super Spin, Rolly Spin, Comentive Ltd, and the Payment-Agent Structure

The complaint identifies Comentive Ltd as the operator behind Super Spin and links the same company to Rolly Spin. The reviewed material describes Super Spin as operated by Comentive Ltd, a Belize company, while Norvelic Limited, registered in Nicosia, Cyprus, is described as acting as a payment agent for Comentive Ltd.

That disclosure is important. Offshore casinos often rely on European payment-side structures, agents, intermediaries, or merchant-routing arrangements to maintain access to payment rails even when the gambling operation itself sits outside major regulated jurisdictions. In this case, the player complaint places a Belize operator, an offshore licensing presentation, and a Cyprus payment-agent layer into the same picture.

The existence of such a structure does not in itself prove unlawful conduct by every named entity. But it clearly raises questions that deserve answers.

The Payment-Rail Questions

In her messages to FinTelegram, the player names Revolut, Mercuryo, Gwaypayment, and Rillpay as payment channels or processors she believes were involved in deposits or withdrawals connected to Super Spin. She also alleges that deposits were miscoded and routed to unrelated merchants. FinTelegram treats those statements as player allegations requiring documentation and response, not as established fact.

[Image caption: RollySpin cashier with UTRG and ChainValley (previously UTRG) for fake FIAT deposits via Skrill and Neteller]

In our review of RollySpin in the context of this complaint, we once again identified UTRG and its Polish successor scheme, ChainValley (https://app.chainvalley.pro), as facilitators of FAKE FIAT transactions via Skrill and Neteller via the anonymously operated payment gateway app.gwaypayment.com.

Still, the central compliance question is straightforward: who is actually processing player payments, under what merchant description, and for whose economic benefit? That question becomes particularly important when a player alleges delayed withdrawals while also identifying multiple payment intermediaries and a disclosed Cyprus payment agent in the background structure.

Consumer-Harm and Responsible-Gambling Concerns

The material reviewed by FinTelegram also points to potential consumer-protection and responsible-gambling issues beyond the withdrawal dispute itself. The player says she also held an account with Rolly Spin and that the operator failed to close that account despite repeated requests. She further told FinTelegram that other players were allegedly being ignored when trying to close accounts, including cases involving disclosed gambling addiction.

If substantiated, that would move the issue well beyond poor customer service. A casino that allegedly delays withdrawals while also failing to process closure requests is exposing itself to serious credibility and compliance questions.

Review Pressure and Reputation Management Allegations

The player also alleges that Super Spin attempted to influence review behavior. In one email, she claims that the casino had previously made a “deal” under which removing a negative Trustpilot review would help ensure smoother future withdrawals, and that any further negative reviews would move her withdrawals “down the priority list.”

These are serious allegations and, at this stage, remain allegations. But if supported by screenshots or correspondence, such conduct would suggest not only payout friction, but active pressure on players to moderate public criticism while funds remain pending. That combination is precisely why the case deserves closer scrutiny.

Right to Comment

FinTelegram has invited Comentive Ltd, Super Spin, Rolly Spin, and Norvelic Limited to comment on the allegations and clarify the precise role of the entities involved in payment processing and player-account handling. At the time of publication, no response had been received.

Summarizing Table

The regulation column is phrased as site-disclosed / claimed rather than validated regulatory status. The uploaded email chain identifies the same operator and Cyprus payment-agent structure, and the current site disclosures for both brands match that.

| Entity type | Brand / Entity | Domain | Site-disclosed regulation | Operator / role | Jurisdiction |
| Casino brand | Super Spin | super-spin.com | Claims to be licensed and regulated by the Government of the Autonomous Island of Anjouan, Union of Comoros, under License No. ALSI-202505024-FI1. | Operated by Comentive LTD (reg. no. 000047924). | Brand targets players online; operator disclosed as Belize. |
| Casino brand | Rolly Spin | rollyspin.com | Claims to be licensed and regulated by the Government of the Autonomous Island of Anjouan, Union of Comoros, under License No. ALSI-202505024-FI1. | Site disclosure and player material link it to Comentive LTD. | Brand targets players online; operator disclosed as Belize. |
| Operator | Comentive LTD | n/a | n/a | Site-disclosed owner/operator of Super Spin; same structure also used for Rolly Spin in the source material. Belize registration no. 000047924; source material says formed 9 April 2025 and active. | Belize — Sea Urchin Street, San Pedro Town, Ambergris Caye, Belize. |
| Payment agent | Norvelic LIMITED | n/a | n/a | Disclosed by both casino sites as payment agent of Comentive LTD; EU/Cyprus payment handler for Super Spin and Rolly Spin. Reg No HE 475930. | Cyprus — Avlonos 1, Maria House, 1075 Nicosia, Cyprus. Director Georgia Chrysostomo |

Editorial note: The licensing information above reflects operator website disclosures and source material reviewed by FinTelegram. It should be read as claimed regulatory positioning, not as an independent endorsement of the effectiveness or legitimacy of that regulatory framework. Recent reporting by Le Monde described the broader Anjouan licensing ecosystem as facing serious credibility questions and cited the Comorian central bank’s earlier position that certain supposed offshore authorities and approvals were illegal.

Call for Information

Whistleblowers, affected players, compliance insiders, and payment professionals: if you have information on Super Spin, Rolly Spin, Comentive Ltd, Norvelic Limited, or the payment rails behind these brands, contact FinTelegram or submit your information via Whistle42. Documented evidence helps identify the financial intermediaries and operational structures behind offshore casino schemes.

Share Information via Whistle42

BPCE-Backed Bridge in the Rail Map: How Perspecteev’s Payment Initiation Stack Appears in Deposits to Illegal Offshore Casinos

Key Findings

- Perspecteev SAS is a real, regulated French payment institution operating under the Bridge brand, with public corporate registration and institutional backing from Groupe BPCE and Truffle Capital.
- Bridge/Perspecteev appears in the final authorization stage of deposit flows linked to offshore casino brands targeting German users, according to the submitted rail-map evidence.
- The intermediary layer includes “SaferSEPA”, a public-facing label with little or no meaningful legal disclosure, creating a transparency gap in the merchant-facing part of the payment chain.
- Germany’s gambling framework explicitly prohibits participation in payments connected to unauthorized gambling, and violations can trigger enforcement and significant fines.
- France’s gambling regulator ANJ has publicly stated that payment service providers are part of the illegal-gambling enforcement perimeter, especially where offshore operators target French or European players.
- The case fits a broader Rail Atlas pattern: illegal front end → opaque gateway/intermediary → regulated payments touchpoint → bank authorization.

A Regulated French PISP Turns Up in Illegal-Casino Payment Rails

FinTelegram has reviewed a detailed source memorandum on Perspecteev SAS and the use of its Bridge payment-initiation infrastructure in deposit flows tied to offshore casinos targeting German users. The submitted material documents step-by-step deposit journeys in which the end user is ultimately asked by Revolut to authorize PERSPECTEEV SAS, while the merchant layer presented by Bridge is labeled “SaferSepa.com.”

Perspecteev SAS is not an obscure shell. It is a French payment institution registered under SIREN 529 196 313, headquartered at 4 rue de la Pierre Levée, 75011 Paris, and publicly listed as an active company in the French business register. Public corporate records also show that Anna Maj has served as president since June 2025 and Alexis Roque as directeur général since October 2024.

Bridge’s own 2022 funding round was substantial: €20 million from Truffle Capital and Groupe BPCE, the latter describing itself in the announcement as France’s second-largest banking group. The same release described Bridge as the brand of Perspecteev SAS and said the company was the first European player approved under PSD2 by the French regulator.

That makes the appearance of Perspecteev in offshore gambling deposit rails especially relevant. This is not a fringe provider at the edge of the market. It is a regulated, institutionally backed open-banking player operating inside mainstream European payments.

Rail Atlas Findings: Phantom SaferSEPA as Bridge Merchant

The expert report submitted to FinTelegram documents real-money deposit flows from users in Germany into two SOFTSWISS-connected offshore casinos: Jet4Bet (Hollycorn N.V.) and Bitkingz (Dama N.V.). Both operators are Curacao-registered, have no German GGL license, and thus qualify as illegal gambling offers under the German Interstate Treaty on Gambling 2021 (GlüStV 2021).

At the core of the payment chain is SaferSEPA, which appears as Bridge’s merchant on the Bridge consent page (pay.bridgeapi.io), where “SaferSepa.com” is displayed together with the transaction amount and an internal ID.

Publicly, safersepa.com does not identify a corporate entity, license number, registered office, or management. At the time of review, the site displayed only sparse text telling users to reference a transaction subject line such as “2616 SaferSEPA.com eWallet Payment” when making inquiries. No meaningful legal disclosure is visible in the captured page text.

That matters because under the EBA’s AML framework, where a PISP has a business relationship with a payee or merchant, the merchant is the relevant customer for CDD purposes. In EBA Q&A 2021_6048, the EBA states that PISPs are not expected to perform CDD on both the payer and the payee at the same time and indicates that, in this scenario, the customer is the online merchant (payee). If Bridge onboarded SaferSEPA or a similar intermediary as a merchant, the obvious question is: who exactly was onboarded? If it did not, then a different question follows: how is Perspecteev’s regulated initiation layer being inserted into this payment journey at all?

[Image caption: Perspecteev on the open-banking authorization page]

The investigation shows that SaferSEPA controls the customer journey before and after the Bridge consent step, receiving the hand-off from the casino, performing bank selection (pay303.com), and then routing to Bridge and onward to the player’s bank. On Revolut’s open-banking authorization page (oba.revolut.com), German users are explicitly asked to authorize PERSPECTEEV SAS, closing the loop between the unlicensed casino, the phantom gateway, and the regulated French PISP.

Read our reports on Perspecteev here.

Rail Map: From Curacao Casinos to EU Banks

The material reviewed by FinTelegram documents two deposit journeys from Germany involving offshore casino brands Jet4Bet and Bitkingz. In both cases, the payment flow ends with the user being redirected to a Revolut authorization screen naming PERSPECTEEV SAS as the entity to be authorized. In one of the flows, the Bridge consent page itself reportedly displays “SaferSepa.com” as merchant.

The following flows were recorded from Germany using actual deposits, with each redirect documented step-by-step.

Flow A – Jet4Bet (Hollycorn N.V.)

1. Start at jet4bet.com – deposit modal, “Open Banking”, €50.
2. Redirect to secure.bankgate.io – German bank selection page showing Postbank, Commerzbank, Revolut, N26, TARGOBANK, ING (DiBa), Deutsche Bank, Berliner Sparkasse.
3. User selects Revolut and is sent to oba.revolut.com – consent screen “to authorise PERSPECTEEV SAS”.

Flow B – Bitkingz (Dama N.V.)

1. Start at bitkingz.com – Quick Deposit, method “Mandato Direct”, €50.
2. Redirect to pay303.com – SaferSEPA-branded loading screen.
3. Redirect to pay.bridgeapi.io – Bridge consent page showing “SaferSepa.com”, €50.00, internal ID 1588662, with options “Pay with QR” and “Pay online”.
4. After “Pay online”, return to pay303.com – SaferSEPA-branded bank selection.
5. Selection of Revolut triggers redirect to trx.safersepa.com (“Revolut – Payment processing”), followed by oba.revolut.com – again asking the user to authorize PERSPECTEEV SAS as PISP.

These observations demonstrate a layered structure in which Curacao casinos front German-language offers, SaferSEPA/pay303 act as opaque conduits, Perspecteev’s Bridge handles the regulated open-banking initiation, and EU banks execute the underlying SEPA transfers.

Entities and Domains in the Rail

The evidence maps a layered structure that is by now familiar in the offshore gambling world: illegal front end, opaque gateway brand, regulated payments touchpoint, then bank authorization.

| Layer | Observed entity / domain | Role |
| Casino front-end | Jet4Bet (jet4bet.com), BitKingz (bitkingz.com) | Deposit UI (“Open Banking” / “Mandato Direct”) for German users. |
| Gateway | SaferSEPA / pay303.com | SaferSEPA-branded loading screens and bank selection. |
| PISP consent | pay.bridgeapi.io | Bridge payment page showing “SaferSepa.com” as merchant. |
| Processing | trx.safersepa.com | SaferSEPA-branded payment processing. |
| Bank gateway (A) | secure.bankgate.io | Bank selection (German banks) for Jet4Bet flow. |
| Bank authorization | oba.revolut.com | End-user bank consent UI. |
| Authorized PISP | PERSPECTEEV SAS | Named on Revolut consent screen in both flows. |

Casino Operators and SOFTSWISS Context

Both Jet4Bet and Bitkingz are part of the wider SOFTSWISS casino ecosystem, which operates dozens of Curacao-licensed brands targeting European markets. Jet4Bet is operated by Hollycorn N.V. (Curacao #144359, license OGL/2023/176/0095) with more than 70 casino brands, while Bitkingz belongs to Dama N.V. (Curacao #152125, license OGL/2023/174/0082), successor of Direx N.V., running 100+ brands.

Under GlüStV 2021, neither operator is authorized by the German GGL; their offers are therefore classified as illegal gambling for German residents. According to GGL reporting, the authority investigated around 1,864 websites and initiated more than 130 prohibition proceedings against Curacao-licensed operators in 2023 alone, confirming a broad enforcement campaign against offshore gambling platforms.

Summary Data on Perspecteev SAS

| Category | Details |
| Legal Entity | Perspecteev SAS (France). |
| Domain | https://www.bridgeapi.io/ |
| RatEx42 | Compliance Profile |
| LinkedIn | Bridge API |
| Registration | SIREN 529 196 313; address: 4 rue de la Pierre Levée, 75011 Paris, France. |
| Founders | Joan Burkovic (CEO), Emmanuel Costa (CTO), Robin Dauzon, David Sabbatini. |
| Current leadership | Anna Maria Maj (Présidente, since Aug 2025), Alexis Roque (DG). |
| Ownership | Truffle Capital and Groupe BPCE (BPCE Digital & Payments); ~€20M Series A in July 2022. |
| License | ACPR Payment Institution, REGAFI #72649, Agreement #16918 (PISP + AISP). |
| Key milestone | First European entity to receive PSD2 approval (Jan 2018). |
| Holding evidence | MORPHIC FINANCIAL GROUP LTD present on UK Companies House as related corporate entity. |
| Scale | >€1.5B payments initiated; 300+ B2B clients; 8M+ accounts connected daily. |
| Observed role | Provides PISP services to SaferSEPA; named on bank consent screen in illegal casino deposit flows. |

Regulatory Exposure: Under EBA Guidelines on ML/TF risk factors (EBA/GL/2021/02) and EBA Q&A 2021_6048, a PISP that maintains a business relationship with a payee must treat the merchant as its customer for AML and customer due diligence purposes. This implies that Bridge must identify, verify, and risk-assess SaferSEPA/pay303, including license status, ultimate beneficial ownership, and exposure to prohibited sectors like unlicensed gambling.

[Image caption: German law: PISPs are subject to payment-blocking]

In the present case, SaferSEPA/pay303 have no visible legal identity and no disclosed payment or gambling license, yet control payment flows from clearly illegal German-facing casinos to EU-based banks via Bridge. If Bridge has formally onboarded SaferSEPA as a merchant, this points to serious deficiencies in KYB and ongoing monitoring; if not, it raises equally serious questions about the security and integrity of Bridge’s API access, including the possibility of unauthorized third-party use.

From a German law perspective, § 4(1) sentence 2 GlüStV 2021 prohibits participation in payments related to unlicensed gambling, and § 9(1) sentence 3 no. 4 GlüStV 2021 empowers the GGL to impose payment-blocking orders on all participants in the payment chain, including PISPs, backed by fines of up to €500,000 per infringement.

Three decisions have significantly clarified this position:

- OVG Sachsen-Anhalt (Oct 2023) – upheld a GGL payment-blocking order against a PSP cooperating with PlatinCasino’s operator, confirming the broad reach of GlüStV enforcement.
- VG Halle (Oct 2024) – confirmed a blanket prohibition against a Swiss PSP for all unlicensed gambling transactions, underscoring that foreign PSPs are not shielded from German measures.
- OVG Magdeburg (2 Dec 2024, 3 M 169/24) – explicitly addressed a Zahlungsauslösedienst (PISP) and held that PISPs are fully covered by the participation ban; the court noted that payment initiation on a gambling site typically presupposes an acceptance contract between the PISP and the operator, enabling the PISP to check national compliance.

The Magdeburg ruling also confirmed that German gambling law applies extraterritorially where foreign operators and payment providers target German consumers, and foreign payment providers must respect GGL prohibitions even if they are domiciled outside Germany. This interpretation places Perspecteev/Bridge squarely in the crosshairs if German regulators connect the documented SaferSEPA rails to their wider payment-blocking practice.

The French Regulatory Dimension

Bridge is supervised in France, and France has its own strong public-policy stance against illegal online gambling. French law generally prohibits unlicensed online casino activity, and the ANJ has become increasingly aggressive against the illegal market. In December 2023, the ANJ said that, in the illegal market it studied, 50% of identified illegal-offer sites belonged to companies registered in Curaçao. It also stressed that it intended to act not only against illegal operators but also against payment service providers enabling the financial flows between illegal operators and players. The same ANJ page notes that since March 2022 it has had administrative powers to block and delist illegal sites and had already issued 300 blocking acts covering 1,230 URLs.

That gives the Perspecteev matter a second regulatory dimension: even if the operational harm is focused on Germany, the home-state supervisor cannot simply ignore how a French-regulated institution’s payment-initiation layer is being used.

Call for Information

FinTelegram is currently deepening its investigation into Perspecteev SAS / Bridge, SaferSEPA, pay303.com, and related intermediaries in the illegal casino payment chain. Current and former employees of Perspecteev, BPCE-related payment entities, SaferSEPA/pay303, SOFTSWISS operators, and partner PSPs are invited to share internal documents, onboarding records, merchant risk assessments, contractual arrangements, and technical integration details with us. Reports can be filed securely and anonymously via our whistleblower platform, where every submission is handled confidentially and evaluated for inclusion in ongoing Rail Atlas investigations.

Share Information via Whistle42

The Banking Paradox: How Tier-1 European Banks May Be Enabling Illegal Offshore Casinos Through Transaction Laundering Blind Spots

While European gambling regulators intensify their crackdown on illegal offshore casinos, a more uncomfortable question is emerging for the banking sector: are major retail banks, through rigid chargeback practices and weak scrutiny of miscoded card transactions, helping illegal gambling networks stay operational? Complaints involving shell merchants, false MCC coding, and rejected disputes suggest a systemic compliance gap that deserves closer regulatory scrutiny. Key Findings Major retail banks may be processing card payments linked to illegal offshore casinos through shell merchants using allegedly false Merchant Category Codes (MCC). Transactions that should raise immediate AML and card-scheme red flags can appear on card statements as “digital goods” or ordinary retail purchases rather than gambling activity. Consumers who report the true gambling context of such transactions allegedly face dispute rejection, even where there are indicators of miscoding or transaction laundering. This creates a perverse incentive structure in which accurate disclosure may reduce the chance of recovery, while generic “goods not delivered” complaints may have a better chance of success. The alleged mismatch between internal bank dispute logic, card-scheme rules, and AML obligations deserves scrutiny by financial regulators, not only gambling authorities. The Banking Paradox: How Tier-1 European Banks May Be Enabling Illegal Offshore Casinos Through Transaction Laundering Blind Spots Across Europe, regulators are stepping up enforcement against illegal offshore gambling operators. National gambling authorities are issuing fines, publishing warnings, and ordering access restrictions against unlicensed casino websites targeting local consumers. Yet one critical question remains insufficiently examined: how are deposits to these operators still being processed so easily through mainstream banking channels? 
According to information shared with FinTelegram, part of the answer may lie in the intersection of card acquiring, dispute handling, and compliance failures at major European retail banks. The allegation is not that banks openly support illegal gambling. The more troubling concern is that some banks, including Revolut, may be structurally ignoring obvious warning signs of transaction laundering and merchant misrepresentation, thereby allowing illegal offshore casino ecosystems to continue operating in plain sight. The Hidden Payment Layer Behind Illegal Gambling When consumers deposit funds with offshore casinos, the transaction does not always appear as gambling. Instead, the charge may be routed through an intermediary merchant or shell company that presents itself as a software seller, digital goods provider, e-commerce business, or other innocuous commercial entity. In such cases, the transaction may be processed under a Merchant Category Code other than the gambling MCC 7995. Market participants and affected consumers have repeatedly pointed to MCC 5816 and similar retail-oriented classifications as examples of how gambling-related payments may be disguised. Regulators and supervisors already warn about illegal gambling payment risk, shell/sub-merchant opacity, and transaction laundering. What remains insufficiently addressed is the specific role of false or misleading MCC allocation in helping those flows evade bank controls (read also “Gambling and Gaming Good Practices for Payment Institutions and Good Practices Sub-Merchants published by the Dutch DNB). From a compliance perspective, that is not a minor technical issue. If a gambling transaction is deliberately disguised through a false merchant identity and misleading MCC coding, this may amount to transaction laundering. It is also a serious AML, KYC, and card-scheme risk indicator. 
Why the Chargeback Process Matters The compliance issue becomes especially visible when the consumer later tries to dispute the transaction. A typical scenario described to FinTelegram is this: a consumer deposits funds with an offshore casino, later loses access to the account, faces withholding of winnings, or discovers that the merchant description on the card statement does not match the actual service received. The consumer then approaches the issuing bank to request a chargeback. At that point, the dispute is allegedly assessed not through the lens of merchant misrepresentation, transaction laundering, or scheme-rule compliance, but through a simplified internal script: the customer intended to gamble, the funds reached the casino environment, therefore the service was rendered and the dispute is rejected. The problem is not merely poor customer service. This approach indicates a deeper structural failure: the bank may be refusing to examine whether the named merchant was false, whether the MCC was manipulated, whether the acquirer onboarded the merchant properly, and whether the entire payment chain was designed to circumvent gambling controls. The Compliance Red Flags Banks Should Not Ignore From an AML and card-compliance perspective, several red flags should trigger enhanced scrutiny: 1. Merchant-description mismatch The merchant shown on the statement allegedly does not correspond to the casino brand actually used by the consumer. 2. Suspicious MCC allocation The payment may be classified as digital goods, software, or general retail rather than gambling, despite the underlying transaction being casino-related. 3. Use of shell entities The named merchant is often an obscure corporate vehicle with no meaningful public-facing commercial activity consistent with the transaction description. 4. 
Dispute logic detached from merchant truth Instead of examining whether the transaction was honestly represented, banks may focus only on the consumer’s subjective intent to gamble. 5. Possible scheme-rule avoidance Where acquiring-side documentation, merchant identity, and service representation do not align, the matter may implicate card-scheme compliance, not just customer dissatisfaction. These are not exotic issues. They go to the heart of AML controls, merchant due diligence, and the integrity of the card-payment ecosystem. The Perverse Incentive: Honesty May Hurt the Consumer Perhaps the most disturbing aspect of the allegations is the incentive structure they create. Consumers report that when they fully explain the offshore casino context in an attempt to expose merchant deception, the bank may reject the dispute on moralistic or policy grounds linked to gambling. However, when the same transaction is framed in generic commercial terms — for example, as software or digital goods not delivered — the dispute may have a better chance of succeeding, simply because the shell merchant cannot prove delivery of the supposed product. This suggests a highly problematic outcome: banks may be encouraging concealment while discouraging honest reporting of suspicious payment conduct. In other words, the system may be better at processing simplified consumer scripts than at confronting potential transaction laundering. A Regulatory Blind Spot Beyond Gambling Enforcement This is why the issue should not remain confined to gambling regulators. Authorities such as the Dutch KSA, the UK Gambling Commission, and other national gambling watchdogs can act against unlicensed casino operators. But they do not supervise the internal dispute-handling logic of major retail banks. That is where financial regulators and AML supervisors enter the picture. 
The real compliance question is whether retail banks and their card-dispute departments are sufficiently trained, required, and incentivized to identify transaction laundering indicators when consumers present evidence of merchant mismatch, false MCC coding, and shell-company routing. If not, banks risk becoming passive infrastructure providers for illegal gambling networks while publicly maintaining zero-tolerance rhetoric. Read our report on Revolut and the Norway situation here. Why ING, Rabobank, and Other Banks Deserve Closer Scrutiny The institutions mentioned by the source — including ING and Rabobank — are not singled out here as proven wrongdoers. However, they are cited as examples of major banks whose internal handling of such cases deserves closer examination. For FinTelegram, the central question is whether the alleged failures are isolated case-management problems or signs of a broader structural pattern across European consumer banking. If dispute teams systematically ignore transaction laundering indicators because the underlying consumer activity involved gambling, that would represent a serious governance issue. It would also raise questions about how banks interpret their obligations under AML frameworks, card-scheme rules, and consumer-protection standards. FinTelegram’s Preliminary Assessment The allegations presented to FinTelegram point to a potentially important enforcement gap at the intersection of illegal gambling, acquiring, retail banking, and card-dispute operations. Even where a consumer knowingly engaged with a gambling website, that does not eliminate the need to examine whether the transaction was deceptively presented, processed through a false merchant, or intentionally miscoded to bypass controls. A bank that refuses to engage with those elements may be overlooking precisely the kind of conduct that AML and card-compliance frameworks are meant to detect. This is not merely a consumer-rights issue. 
It is a potential payment-integrity issue.

Call for Whistleblowers and Insiders

FinTelegram is investigating how banks, acquirers, PSPs, and card-dispute departments handle suspicious card transactions linked to illegal offshore casinos, shell merchants, and false MCC coding. We invite insiders, compliance officers, former dispute-team staff, acquirer employees, payment specialists, and affected consumers to share information, documents, merchant descriptors, chargeback correspondence, or internal guidance through our whistleblower platform, Whistle42. If you have evidence of transaction laundering, miscoded gambling transactions, shell merchants, or internal bank policies that systematically ignore these red flags, please submit your information securely and confidentially via Whistle42.


Payvision Chats: The Smoking Gun Behind Europe’s Dirtiest Payment Scandal!

For years, Payvision was sold to the market as a Dutch fintech success story. In reality, the newly published Payvision chat excerpts presented by EFRI point to something far uglier: a regulated payment institution that, according to criminal case materials cited by EFRI, did not merely process payments for scam networks around Uwe Lenhoff and Gal Barak, but allegedly helped keep those networks alive when fraud pressure, chargebacks, blocked accounts, and liquidity stress threatened to choke them. If these chats say what they appear to say, then Europe is not looking at a mere compliance lapse. It is looking at payment infrastructure turned into fraud infrastructure.

Key Findings

- From processor to enabler: The EFRI chat exhibits suggest that Payvision did not merely process payments, but allegedly helped scam networks solve critical payment and settlement problems.
- Awareness of fraud risk: The published messages strongly indicate that Payvision knew it was dealing with merchant structures tied to fraudulent broker operations linked to Uwe Lenhoff and Gal Barak.
- Conversion over compliance: According to EFRI, Payvision allegedly facilitated higher card acceptance for scam merchants through high-risk setups, including MOTO processing and the use of MCC 6211.
- Keeping the scam machine alive: The chats show repeated urgency around blocked accounts, delayed settlements, and emergency transfers, underscoring how vital Payvision was to the continued operation of the fraud schemes.
- Top-level involvement: Several excerpts suggest that extraordinary transfers and exceptional payment decisions required approval at the highest level, allegedly involving founder and CEO Rudolf Booker.
- ING-linked money flows: EFRI’s report points to the use of Stichting Payvision accounts, including ING-linked accounts, to move or reroute funds when ordinary channels came under pressure.
- Profiting from toxicity: The evidence suggests that Payvision did not just profit from processing scam payments, but also from the fallout through chargeback fees and so-called fraud-risk premiums.
- Risk as a revenue stream: The “Chargeback and Fraud Risk Premiums” document supports the allegation that fraud-related distress was monetized rather than treated as a reason to exit the client relationship.
- More than an AML failure: While Dutch prosecutors established structural AML shortcomings, the EFRI materials suggest conduct that may have gone beyond weak controls into active operational support.
- A scandal that reaches ING: Because ING acquired Payvision at a premium valuation and later shut it down, the affair raises unresolved questions about due diligence, oversight, and institutional accountability.
- The payment layer as crime infrastructure: The wider lesson is stark: industrial-scale broker fraud could not have functioned without payment partners willing to keep funds flowing despite obvious red flags.
- Potential smoking-gun evidence: The Payvision chats may be among the most damaging documentary exhibits yet published in the wider Lenhoff-Barak cybercrime complex.

The Chats Start Where The Scandal Really Starts: Conversion

The first exhibit published by EFRI goes straight to the commercial heart of online broker fraud: payment acceptance. According to EFRI’s report and the cited court files, Payvision allegedly accepted MOTO transactions and used MCC 6211 for Lenhoff-linked schemes even though the operating entities did not hold a MiFID licence. EFRI further says a seized 19 February 2016 chat recorded Lenhoff celebrating that, after Payvision was introduced, the decline rate fell by 65% and acceptance rose by 80%. The accompanying image published by EFRI shows the message trail behind that claim. That is not a technical footnote. In scam economics, conversion is everything. Boiler rooms can lie all day, but if card payments do not clear, the fraud dies.
EFRI’s second screenshot reinforces that point: in December 2015, Lenhoff allegedly complained that 3D Secure on Option888 was causing them to lose too many clients. The implication is devastating. According to the report, the fraud network needed fewer controls and easier card acceptance, and Payvision allegedly supplied exactly that.

Then Came The Operational Support

The scandal turns darker in the chats about blocked accounts and payment rerouting. EFRI says that after Wirecard Bank blocked the Payific Ltd account effective 1 November 2016 because of fraud complaints, the Lenhoff organisation came under severe pressure. The chat screenshots published by EFRI show the panic: “we are losing Tomer,” “we need it urgently,” and “Payvision cannot provide a swift of the transaction but that the money has left their account and will be with the beneficiary.” EFRI says these messages reflect direct intervention to keep a key creditor paid and the fraud machine running after its ordinary banking channel broke down. That is the point where the old defense — “we were just the processor” — starts to collapse. Processors do not normally become crisis managers for merchant groups drowning in fraud complaints. Yet EFRI’s report describes repeated “special” transfers, including direct payments from Stichting Payvision accounts to third parties, allegedly to preserve operational continuity for the Lenhoff network. If accurate, that is not neutral processing. That is active stabilisation of a criminal cashflow system.

Booker’s Name Appears Where it Should Never Have Appeared

One of the most toxic features of the published exhibits is not just the transfers themselves, but the reported need for top-level approval. EFRI states that these extraordinary payments required the approval of Rudolf Booker, Payvision’s founder and then CEO.
One screenshot published by EFRI includes the lines: “that depends on what Rudolf agrees to do” and “ask Chang before, cause Rudolf is in Asia.” Another line says, “at least then we can do the big ones from there.” Even if one adopts the most cautious legal reading, those are not the optics of a processor trying to isolate itself from toxic merchants. They are the optics of a senior-management-controlled relationship in which the payment provider appears to be helping solve merchant liquidity and routing problems in a red-flagged fraud environment. That is precisely why these chats are so dangerous. They drag the scandal out of the realm of bad onboarding and into the realm of deliberate operational enablement.

The ING Account Angle is Explosive

EFRI moves from chats to flow evidence. According to the report, after another provider, MoneyNetInt, stopped cooperating because of suspicious settlement activity, millions paid by victims through Visa and Mastercard into Stichting Payvision accounts held at ING Bank N.V. and Deutsche Bank were allegedly redirected onward to Winslet Enterprises, a company EFRI identifies as being under Lenhoff’s control. The published tables show a series of transfers from an ING-linked Stichting Payvision account totaling roughly €3.08 million, followed by additional transfers from a Deutsche Bank-linked Stichting account totaling roughly €2.75 million. This is where the scandal stops being a Payvision-only story and becomes an ING legacy story. ING bought a 75% stake in Payvision in 2018 at a valuation of €360 million. Three years later, it announced it would phase the business out; Reuters reported that ING had already written down €188 million in goodwill and had previously sold half of Payvision’s operations for a nominal €1. ING itself said in 2021 that it had strengthened Payvision’s governance and compliance after the acquisition.
But the public question is now much sharper: what exactly did ING buy, what did it know, and when did it know it?

Payvision Did Not Just Process The Fraud But Charged For The Fallout

EFRI’s fourth exhibit may be the most cynical of all. It includes a Payvision letter titled “Chargeback and Fraud Risk Premiums,” addressed to Hitchcliff Ltd and signed by Booker. The document says Payvision would impose an additional fee of €1 per euro of chargeback and fraud volume, and the published pages show a debit amount of €658,057.31. EFRI says these were not isolated fees but part of a broader commercial model in which Payvision allegedly processed more than €134 million for Barak- and Lenhoff-linked schemes while profiting from high processing fees, chargeback handling fees, and private penalty-style premiums. That is what makes the case morally and legally grotesque. According to EFRI’s presentation of the record, Payvision was allegedly not losing money because the merchants were toxic. It was making money because they were toxic. The more fraud risk materialised, the more the processor could bill around it. In that light, the “risk premium” begins to look less like prudent pricing and more like a monetised fraud externality.

Dutch Enforcement Confirmed AML Failure — But Barely Touched The Scandal

The Dutch Public Prosecution Service said in April 2024 that two former Payvision directors received fines of €150,000 and €180,000 because Payvision had, from 2016 through April 2020, carried out inadequate customer due diligence, failed to properly identify beneficial owners and the purpose of business relationships, and failed to maintain ongoing monitoring. The criminal investigation, the OM said, began after a report from De Nederlandsche Bank (DNB). That official statement is already damning. But compared with the picture painted by the EFRI chats, it also looks absurdly narrow. Because the EFRI material does not describe a processor sleepwalking through KYC failures.
It describes, according to the cited court files, a firm embedded in the day-to-day payment problems of known scam networks, allegedly rerouting flows, supporting third-party payouts, approving exceptional transfers, and profiting heavily from chargeback-driven distress. If that evidentiary picture is broadly correct, then Europe is not dealing with a sloppy gatekeeper. It is dealing with a financial enabler.

The Wider ING backdrop Makes The Payvision Affair Even Uglier

The Payvision scandal also lands against a broader ING history of AML and control failures. In 2018, ING agreed to pay €775 million in the Netherlands after admitting that criminals had been able to launder money through its accounts for years; Reuters reported prosecutors said those shortcomings were structural and long-lasting. In 2020, Reuters also reported that a Milan court ordered ING to pay €30 million to settle an Italian money-laundering case. None of that proves liability for the conduct alleged in the EFRI report. But it does destroy any comforting fantasy that Payvision sat inside a pristine control culture.

The Need to Cover-Up

ING has every incentive to bury Payvision as an embarrassing failed acquisition. Payvision is dissolved, the executives took relatively modest fines, and the bank would prefer the market to remember only a bad M&A bet. But the EFRI chats threaten to turn that narrative inside out. They suggest that what ING bought was not just a fast-growing fintech, but a revenue machine allegedly fed by some of Europe’s most notorious scam brokers. According to EFRI, the same criminal case materials show not only awareness of the fraud environment but apparent assistance in solving the payment and settlement problems that kept those schemes alive.

[Image: Rudolf Booker (left) and Gijs op de Weegh: the Payvision fintech cowboys and their crime merchants]

That is why this case matters for every regulator, court, and victim in Europe. Fraud does not scale without finance.
Boiler rooms need cards, acquiring, settlement, merchant shells, trust accounts, and someone willing to keep the money moving when the red flags start flashing. The Payvision chats, as published by EFRI, go to the heart of that architecture. They show the payment layer not as a neutral bystander, but as the nervous system of the scam economy.

Conclusion

What emerges from the Payvision chats is not the picture of a negligent payment processor that failed to ask enough questions. It is the picture of a financial intermediary that, according to the documented communications and the surrounding case files, appears to have known exactly what kind of merchants it was dealing with and nonetheless helped keep their fraud operations running. If these chats withstand full judicial scrutiny, then Payvision was not standing at the edge of the scam economy — it was operating inside it, managing frictions, protecting flows, and profiting from the victims’ losses at every stage. That is why this case should not end with a few legacy fines, corporate silence, and selective amnesia at ING. Europe needs full accountability for the executives, institutions, and banking structures that turned payment processing into an instrument of industrial-scale fraud.


From Binary Options To DeFi Brokers: Why FinTelegram Has Published A DeFi Compliance Perimeter

FinTelegram has now published its DeFi Compliance Perimeter as a permanent evergreen framework page. The reason is straightforward: we increasingly see DeFi brokers, DeFi investment schemes, and their supporting rails as the next major perimeter problem in digital finance. In phenomenological terms, this looks familiar. What binary options once represented for the convergence of gambling, speculative retail trading, and weakly supervised distribution, DeFi brokers and DeFi schemes may now represent for crypto-native markets. The labels have changed, the rails are more complex, and the structures are more technical. But the investor-protection logic is strikingly similar. FinTelegram’s published framework therefore focuses on the practical questions of Access Control, Flow Control, economic control, and governance control to assess when a DeFi-labeled model begins to look less like “pure DeFi” and more like a controlled, commercially organized financial service.

Key Findings

- FinTelegram has published the DeFi Compliance Perimeter as a living evergreen framework on its website.
- The framework’s core thesis is that the decisive question is no longer whether a project calls itself “DeFi,” but when it becomes a controlled, commercially organized financial service.
- FinTelegram identifies Access Control and Flow Control as the first decisive indicators that a supposedly decentralized model may in fact sit inside the practical compliance perimeter.
- The framework also stresses that MiCA does not automatically exempt services merely because part of the activity is decentralized, and that MiFID II may also apply where crypto-assets or structures qualify as financial instruments.
- FinTelegram sees a strong phenomenological parallel between the historic binary-options segment and today’s DeFi broker and DeFi investment-scheme segment: fast-growing retail speculation, fragmented accountability, aggressive onboarding, and markets evolving faster than perimeter enforcement.
- The first practical applications of this framework were FinTelegram’s recent reviews of Hyperliquid and AXIOM, both of which raised questions about DeFi branding, leveraged retail access, and embedded funding rails.

Compliance Analysis

Why FinTelegram Has Created A DeFi Compliance Perimeter

FinTelegram has now formally published its DeFi Compliance Perimeter because the DeFi segment is no longer a niche innovation story. It is becoming an investor-protection and perimeter-enforcement story. The framework page states the core thesis clearly: the decisive question is not whether a project uses the word “DeFi,” but when a DeFi-labeled scheme becomes a controlled and commercially organized service. That is the point at which existing regulatory logic — under MiCA, MiFID II, AML/CFT, and broader conduct standards — may begin to apply in substance, even where market participants continue to market the model as decentralized.

Why We View DeFi Phenomenologically Like Binary Options

FinTelegram does not argue that DeFi brokers are legally identical to binary options. The point is different and more important: the pattern looks familiar. Binary options emerged from a grey zone between gambling logic and financial speculation. For years, the sector industrialized retail losses through gamified trading interfaces, weakly supervised operators, aggressive marketing, payment intermediaries, and fragmented cross-border structures before regulators fully defined the perimeter. FinTelegram’s DeFi framework explicitly uses that history as a warning. Its published text notes that the binary-options era shows how long markets can operate in a grey zone before regulators fully define the perimeter, and it uses that history to explain why earlier scrutiny matters for investor protection.
In phenomenological terms, the DeFi segment shows similar traits: speculative retail exposure, friction-reduced onboarding, complex but commercially orchestrated rails, fragmented accountability, and narratives that initially outrun supervisory interpretation. That is why FinTelegram views the DeFi segment not merely as crypto infrastructure, but as a potential successor to earlier high-risk retail trading ecosystems.

The New Broker Problem: Same Game, New Rails

The biggest difference between the old binary-options world and the new DeFi world is not necessarily the retail psychology. It is the architecture. Where offshore brokers once relied on card acquirers, shell PSPs, introducing agents, and jurisdictional arbitrage, DeFi brokers and DeFi investment schemes increasingly rely on: wallet-native onboarding, on/off-ramp partners, routing layers, embedded trading access, execution venues, yield mechanisms, and “interface-only” or “non-custodial” defenses. FinTelegram’s published framework argues that these structures should not be judged by labels alone. Instead, they should be assessed through four control layers: Access Control, Flow Control, Economic Control, and Governance & Risk Control. That is the practical lens FinTelegram will now use for systematic DeFi coverage. The logic is simple. Once identifiable actors control the front end, the client relationship, the funding route, the wallet logic, fee capture, or the emergency powers of a supposedly decentralized system, the claim of being fully outside the perimeter begins to weaken.

Hyperliquid And AXIOM Were Only The Beginning

FinTelegram’s earlier reporting on Hyperliquid and AXIOM already foreshadowed this shift. Those reviews were early case studies in what FinTelegram now describes more systematically through its DeFi Compliance Perimeter.
Hyperliquid raised the question of whether a DeFi-labeled derivatives venue with broad retail accessibility and limited visible perimeter controls should really be treated as a credibly permissionless protocol. AXIOM then added another layer by showing how a branded front end can package leveraged DeFi trading, wallet integration, and buy-crypto rails into a more broker-like retail journey. Together, these cases made one thing clear: DeFi brokers and DeFi investment schemes deserve the same kind of structured scrutiny that FinTelegram once applied to binary options, offshore brokers, and their payment enablers.

Why Investor Protection Requires A Public Framework

One of the strongest parts of the published framework is its investor-protection logic. The page states that the lesson from binary options was not only that the products were risky, but that markets can scale retail harm faster than regulation can define the perimeter. That is precisely why FinTelegram is treating DeFi brokers, DeFi investment schemes, and their supporting rails as a developing investor-protection story rather than merely a technical crypto story. This is also why the framework is being published as a living framework. FinTelegram explicitly says it will evolve as new cases, legal interpretations, regulatory actions, and expert feedback emerge. That openness is deliberate. The perimeter is still moving, the segment is still changing, and many compliance professionals are still working through how MiCA, MiFID II, AML/CFT, and conduct rules intersect in these hybrid models.

FinTelegram’s Strategy Going Forward

Going forward, FinTelegram will use the DeFi Compliance Perimeter as the anchor for a more systematic review strategy.
That means future coverage will increasingly focus on: DeFi brokers offering leverage, perpetuals access, or broker-like trading functionality; DeFi investment schemes built around staking, vaults, yield, or “earn” narratives; on/off-ramp and wallet rails that move users from fiat into high-risk speculative environments; and perimeter watch cases where “DeFi” branding appears to mask concentrated operational control. In this sense, the DeFi Compliance Perimeter is more than a framework page. It is also FinTelegram’s editorial roadmap for the next phase of compliance reporting.

Summary Compliance Statement

FinTelegram has published the DeFi Compliance Perimeter because the DeFi segment increasingly resembles a new perimeter challenge in investor protection. From our perspective, this segment should be approached phenomenologically in much the same way the binary-options segment once had to be approached: as a fast-growing retail-risk environment where commercial innovation and distribution speed can outpace perimeter enforcement. The new rails are more technical, the language is more sophisticated, and the structures are more fragmented. But the underlying compliance question is familiar: who controls access, who controls the flow, who monetizes the journey, and who bears responsibility when retail users are harmed? FinTelegram’s answer is to make that question visible through a public, living framework and to apply it systematically across DeFi brokers, DeFi investment schemes, and their supporting rails.

Call To Insiders, Traders, And Whistleblowers

If you are a trader, insider, builder, compliance officer, former employee, investor, payment provider, or infrastructure partner with relevant information about DeFi brokers, DeFi investment schemes, or their supporting rails, contact FinTelegram confidentially via Whistle42.
We are particularly interested in: internal compliance assessments, rail and wallet-routing architecture, on/off-ramp integration, target-market and geo-blocking practices, admin-key and governance concentration, retail-investor complaints, and evidence showing how supposedly decentralized systems are commercially orchestrated in practice. Together, we can help make this developing segment more transparent, more understandable, and harder to game in the interest of investor protection.


ESMA Draws The Line: Why Hyperliquid’s Crypto Perpetuals Look Increasingly Like CFDs In DeFi Clothing

ESMA’s February 2026 public statement is a watershed moment for the DeFi-perps segment. The EU regulator has now made explicit what many compliance analysts long suspected: derivatives marketed as “perpetual futures” or “perpetual contracts” are likely to fall within the EU’s existing CFD product-intervention perimeter when they provide leveraged exposure and are not exclusively physically settled. That matters directly for Hyperliquid, which offers perpetual derivatives with leverage of up to 40x and, according to FinTelegram’s earlier testing, remains accessible from EU jurisdictions without KYC or effective perimeter controls. In short, the label may be DeFi, but the regulatory logic is moving back toward the old broker world.

Key Findings

- ESMA said on 24 February 2026 that derivatives marketed as “perpetual futures” or “perpetual contracts” are likely to fall within the scope of the EU’s existing national CFD product-intervention measures where they meet the CFD definition.
- ESMA also said the commercial name is irrelevant, that funding-rate mechanisms and voluntary safeguards such as insurance funds do not change the classification analysis, and that firms must assess these products under MiFID II and investor-protection rules.
- Under the long-standing EU CFD framework, crypto CFDs for retail clients are subject to a 2:1 leverage cap, margin close-out, negative balance protection, a standardised risk warning, and a ban on incentives.
- Hyperliquid’s own documentation says its perpetuals are derivatives without expiration, support per-wallet cross or isolated margin, cover 100+ assets, and offer leverage ranging from 3x to 40x.
- Hyperliquid’s contract specifications also state there are “no address-specific restrictions,” a statement that sits uncomfortably beside ESMA’s insistence on narrow target markets, appropriateness checks, and compliant distribution strategies for complex leveraged derivatives.
- FinTelegram previously documented that EU residents could fund, swap, and trade Hyperliquid perps without KYC, geo-blocking, or deposit limits, and separately argued that Hyperliquid functions more like a foundation-controlled trading venue than a credibly permissionless protocol.
- FinTelegram’s AXIOM review also showed how broker-like DeFi front ends can package Hyperliquid perpetuals into a branded retail interface with up to 50x leverage and direct fee capture.
- Finance Magnates correctly identified the practical significance of ESMA’s move: if crypto perpetuals are treated as CFDs in the EU, the implications for leverage, distribution, and retail targeting are profound.

Compliance Analysis

ESMA Has Now Closed The Naming Loophole

The most important development is not political rhetoric but legal framing. ESMA’s February 2026 statement says that derivatives marketed as perpetual futures or perpetual contracts are likely to fall within the scope of the existing national CFD product-intervention measures where they meet the relevant definition. ESMA is explicit that the assessment must be made irrespective of the product’s commercial name. It adds that a derivative giving exposure to an underlying value that is not exclusively physically settled would likely fall within scope, and that features such as a funding-rate mechanism, negative balance protection, or insurance funds are not relevant to that classification analysis. That is a major perimeter signal for the entire crypto-perps sector. It means that the old trick of changing the label while preserving the economic substance is losing credibility in Europe. In FinTelegram terms: this is the same perimeter game, but with new rails.

Why This Matters For Hyperliquid

Hyperliquid is not a theoretical case. Its own documentation describes perpetuals as derivative products without expiration that rely on funding payments.
It supports per-wallet cross or isolated margin, lists 100+ perpetual assets, and allows leverage that varies by asset from 3x to 40x. Its contract-specifications page also says there are “no address-specific restrictions.” Those are not the hallmarks of a narrow, professionally controlled derivatives distribution model for EU retail clients. They look far closer to a globally accessible high-leverage derivatives venue. That tension becomes sharper when read against ESMA’s statement. ESMA says leveraged derivatives require a very careful target-market assessment, are expected to have a narrow target market, require an appropriateness assessment in non-advised services, and raise conflicts-of-interest concerns where products are issued or traded within the same group ecosystem. ESMA also says such perpetual derivatives are packaged investment products for PRIIPs purposes, meaning a KID is needed when they are distributed to retail clients. In other words, the EU framework is moving in the exact opposite direction from the “connect wallet and start trading” logic that has fuelled the growth of crypto perpetuals.

The Old CFD Logic Is Back

This is where the comparison with the binary-options and CFD era becomes more than rhetorical. ESMA’s 2018 intervention measures for CFDs were adopted precisely because retail distribution of leveraged speculative products had become a major investor-protection problem. Those measures included leverage limits from 30:1 down to 2:1 depending on the asset class, margin close-out, negative balance protection, a ban on incentives, and standardised risk warnings. For cryptocurrencies, the cap was 2:1. Finance Magnates highlighted the practical consequence immediately after ESMA’s February 2026 statement: if crypto perpetuals are treated as CFDs, then the EU retail model for these products becomes drastically narrower than the high-leverage offshore-style norm.
Its related coverage also framed the issue in the context of a market measured in the tens of trillions, while academic commentary from Cornell noted that cumulative crypto perpetual volume since 2020 had already surpassed $60 trillion. That is precisely why FinTelegram views this as a core DeFi compliance issue, not a niche product-classification debate. When a massive, fast-growing leveraged market collides with investor-protection rules built for CFDs, the perimeter question becomes strategic.

Summary Table: CFDs vs Crypto Perpetual Futures

Investor and Regulatory Comparison

| Characteristic | CFDs | Crypto Perpetual Futures | Investor Perspective | Regulatory / Compliance Perspective |
|---|---|---|---|---|
| Basic product logic | A CFD is a derivative giving long or short exposure to price movements in an underlying, typically cash-settled. ESMA’s CFD definition focuses on economic exposure rather than branding. | Crypto perpetuals are typically marketed as derivatives without expiry that provide ongoing leveraged exposure to crypto prices, usually via margin and a funding-rate mechanism. Hyperliquid’s docs describe perpetuals exactly in those terms. | For investors, both products are primarily speculation tools rather than spot ownership. | ESMA’s February 2026 statement makes clear that perpetuals can fall within the CFD perimeter if they meet the functional definition. |
| Commercial label | Historically marketed openly as CFDs. | Often marketed as “perpetual futures” or “perpetual contracts.” | Investors may perceive perpetuals as something materially different from CFDs because of the crypto-native branding. | ESMA says the commercial name is irrelevant; firms must assess the substance of the instrument under MiFID II and CFD rules. |
| Settlement logic | Typically cash-settled or capable of cash settlement. | Perpetuals often avoid traditional expiry and use mark prices plus funding flows rather than physical delivery. ESMA says a derivative not exclusively physically settled would likely fall within the CFD measures unless excluded. | Investors may not care whether settlement is “cash” or “funding-rate based” if the economic result is leveraged price exposure. | ESMA explicitly says that funding-rate mechanisms do not change the classification analysis. |
| Expiry | CFDs do not have a classic futures expiry profile in the retail-broker model. | Perpetuals are specifically designed to have no expiry date. Hyperliquid states its contracts are derivatives without expiration. | No expiry makes perpetuals easier and more “casino-like” for continuous retail speculation. | Lack of expiry does not remove them from the CFD perimeter if the functional criteria are met. |
| Leverage | In the EU retail context, leverage is capped under the CFD intervention regime; crypto CFDs are limited to 2:1. | Hyperliquid states that leverage on its perpetuals ranges from 3x to 40x depending on the asset. | Higher leverage is commercially attractive to retail users but sharply increases liquidation and loss risk. | This is one of the clearest tensions: EU CFD rules sharply restrict retail leverage, while crypto perpetual venues often market much higher leverage. |
| Margin model | Margin is integral to CFDs, with EU rules requiring margin close-out protection. | Hyperliquid documents both cross and isolated margin for perpetuals. | Margin makes both products highly sensitive to volatility and liquidation cascades. | ESMA highlights leverage and margin trading as core risk factors in target-market and investor-protection analysis. |
| Risk controls | EU retail CFD rules require leverage limits, mandatory risk warnings, margin close-out, negative balance protection, and a ban on incentives. | Crypto-perps venues may offer voluntary protections, insurance funds, or negative-balance-style language, but ESMA says such safeguards do not alter the classification analysis. | Investors may wrongly assume that venue-level safeguards make the product “regulated enough.” | ESMA says voluntary protections are not a substitute for compliance with the underlying product-intervention framework. |
| Target market | Under MiFID II product-governance logic, leveraged derivatives should have a narrow target market. | Hyperliquid’s model appears globally accessible, and its docs say there are “no address-specific restrictions.” | Retail investors experience these products as open-access speculation tools. | ESMA warns that mass marketing to inexperienced investors is inconsistent with a narrow target market. |
| Appropriateness assessment | Required when complex derivatives are distributed on a non-advised basis to retail clients in the EU. | Many DeFi-perps environments are designed for immediate wallet-based access, often without classic appropriateness workflows. | Retail investors may enter a high-risk derivatives environment without any meaningful suitability friction. | ESMA explicitly reminds firms that an appropriateness assessment is needed for complex derivatives in non-advised services. |
| Disclosure regime | Retail distribution of CFDs in the EU comes with standardized warnings and conduct requirements. | ESMA says perpetual derivatives are packaged investment products, so a PRIIPs KID is needed when distributed to retail clients. | Investors in crypto perpetuals often do not receive a disclosure package comparable to traditional retail derivatives distribution. | This is a major compliance issue for EU-facing distribution of crypto perpetuals. |
| Conflicts of interest | Traditional broker-CFD models have long raised execution and principal-risk conflicts. | ESMA flags a prominent conflict where derivatives are issued by a group entity or traded on a group venue and then pushed to clients. | Investors may not see how venue, issuer, front end, and fee capture can align against them. | This point is especially relevant in vertically integrated DeFi ecosystems and front ends built around a single venue. |
| Regulatory narrative | Clearly recognized as regulated leveraged derivatives in the EU retail perimeter. | Often 
presented as innovative DeFi-native instruments outside legacy broker logic.Investors may assume “DeFi” means a different, freer, or less intermediated risk model.ESMA’s message is that naming and crypto-native mechanics do not change the core regulatory analysis.FinTelegram compliance viewCFDs are the historical benchmark for leveraged retail-perimeter analysis.Crypto perpetuals, especially where offered through DeFi-style access layers, increasingly look like CFDs in new technical packaging.For investors, the economic reality may be closer to the old CFD world than the DeFi narrative suggests.For regulators and compliance analysts, the perimeter test is shifting decisively toward substance over form. Short Takeaway From an investor-protection perspective, the core difference between CFDs and crypto perpetuals is often less significant than the marketing suggests: both deliver leveraged exposure to price movements without true spot ownership, and both can generate rapid retail losses. From a regulatory perspective, ESMA’s February 2026 statement makes the key point explicit: where crypto perpetuals function like CFDs, they should increasingly be treated like CFDs, regardless of the DeFi or futures-style branding. Hyperliquid’s Structure Still Looks More Like A Venue Than A Pure Protocol FinTelegram has already argued that Hyperliquid should not be treated as a credibly permissionless DeFi scheme. In earlier reporting, we documented EU access to perpetuals without KYC, geo-blocking, or deposit limits. We also argued that Hyperliquid’s foundation-controlled infrastructure, concentrated validator structure, and discretionary intervention powers make it look functionally closer to a centrally steered trading venue than to a neutral autonomous protocol. ESMA’s new statement strengthens that compliance view. 
If the commercial name is irrelevant, if funding mechanisms do not change the analysis, and if the decisive issue is the substance of the derivative and the way it is distributed, then Hyperliquid’s DeFi branding no longer answers the core regulatory question. The real question becomes whether EU clients are being given access to what are, in substance, CFD-like leveraged derivatives without the controls, restrictions, and disclosures the EU framework requires. AXIOM Shows How The Hyperliquid Risk Gets Retail-Packaged The AXIOM case makes the issue even more urgent. FinTelegram recently showed that AXIOM packages Hyperliquid-powered perpetuals inside a branded retail-facing interface, advertises leverage up to 50x, and imposes its own 0.01% fee per transaction. That is exactly how a foundational derivatives venue can become part of a wider broker-like distribution stack: front-end branding, fiat onboarding, wallet orchestration, and a simplified user journey for leveraged trading. Read our Axiom reports here. So the Hyperliquid issue is not only about Hyperliquid itself. It is also about the growing ecosystem of DeFi brokers and DeFi gateways building retail-facing businesses on top of Hyperliquid’s derivatives rail. Once that happens, the perimeter problem becomes larger, not smaller. FinTelegram’s View FinTelegram’s working conclusion is that ESMA has now provided compliance analysts with a much clearer lens: many crypto perpetuals are no longer best understood as exotic DeFi novelties. They increasingly look like leveraged retail derivatives that belong in the same investor-protection conversation that once transformed the treatment of CFDs and binary options in Europe. Hyperliquid is one of the clearest test cases for that shift. 
Summary Compliance Statement ESMA’s February 2026 statement materially strengthens the case that crypto perpetuals offered to EU retail clients should be analysed through the existing CFD perimeter, not merely through DeFi marketing language. Hyperliquid’s own documentation describes leveraged perpetual derivatives with no expiration, funding-rate mechanics, broad asset coverage, and leverage up to 40x, while FinTelegram’s earlier reporting documented EU access without KYC or effective gating. In our view, that combination creates a serious MiFID II / CFD investor-protection issue. And where front ends such as AXIOM package Hyperliquid perps into simplified retail journeys, the old broker logic reappears in a new technical wrapper. Call To Whistleblowers If you have information about Hyperliquid, AXIOM, their EU-facing access controls, target-market assessments, appropriateness workflows, product-governance discussions, PRIIPs/KID analysis, or the way perpetuals are distributed to retail users, contact FinTelegram confidentially via Whistle42. We are particularly interested in internal compliance memos, legal assessments, geo-blocking logic, wallet and routing evidence, and discussions around how crypto perpetuals are classified under MiFID II and the CFD framework.

From Binary Options To DeFi Brokers: Same Perimeter Game, New Rails

FinTelegram is expanding its compliance coverage. Alongside offshore casinos and their payment processors, we will increasingly focus on DeFi brokers and DeFi investment schemes. The reason is straightforward: the old perimeter game has not disappeared. It has evolved. Where binary options and offshore CFD brokers once used shell structures, payment agents, and weakly supervised cross-border rails, a new generation of platforms now uses DeFi branding, wallet-based onboarding, on/off-ramp layers, perpetuals venues, and “interface-only” narratives to reach retail users. MiCA was designed to address parts of this new reality, but the market is already moving faster than regulation and investor protection once again.

Key Findings

- FinTelegram sees a clear strategic continuity between the old binary options / CFD perimeter game and the emerging DeFi broker model.
- ESMA intervened against binary options and CFDs in 2018 because of serious investor detriment, including a prohibition on the marketing, distribution, or sale of binary options to retail investors and restrictions on CFDs.
- MiCA does not exempt a service merely because part of it is performed in a decentralized manner; Recital 22 says MiCA applies where services are provided or controlled directly or indirectly by identifiable persons, and only fully decentralized services without an intermediary fall outside scope.
- EBA and ESMA have already warned that DeFi labels are not legal conclusions and that DeFi-related models present significant AML/CFT and other risks.
- FinTelegram’s recent reporting on Hyperliquid-related perimeter questions and AXIOM’s funding architecture shows that DeFi brokers and DeFi investment schemes deserve dedicated, systematic scrutiny.
- FinTelegram’s future coverage will therefore place greater emphasis on DeFi brokers, DeFi investment schemes, and the supporting rails that move users from fiat into high-risk crypto trading environments.

Why FinTelegram Is Expanding Its Coverage

FinTelegram was born in the era of binary options and offshore brokers. Back then, the pattern was painfully familiar: aggressive retail acquisition, opaque operators, outsourced payment flows, weak disclosures, and a business model built around staying one step ahead of regulation. ESMA’s 2018 intervention against binary options and CFDs did not come out of nowhere. It reflected serious investor-protection concerns and concrete market harm. Binary options were prohibited for retail investors, while CFDs were placed under restrictions such as leverage caps, negative balance protection, and standardized risk warnings.

Today, the wrapper has changed, but the perimeter game looks strikingly familiar. Instead of offshore brokers offering binary options and CFDs through card acquirers, shell PSPs, and introducing agents, we increasingly see DeFi-branded interfaces, perpetuals access layers, wallet-linked trading environments, tokenized “earn” products, and multi-step on/off-ramp architectures. The language is newer and more technical. The legal positioning is more sophisticated. But the retail risk can be the same or worse: leverage, opacity, cross-border reach, and weak accountability.

The Shift From Binary Options To DeFi

The old broker world sold the illusion of easy returns through highly speculative products packaged for retail users. The new DeFi segment often does something similar, but with more layers. A modern DeFi broker or DeFi investment scheme may present itself as “just an interface,” “non-custodial,” or “decentralized.” Yet the practical user journey often includes a branded front end, a wallet setup, a fiat on-ramp or aggregator, a routing layer, a trading or yield venue, and one or more licensed or semi-regulated service providers embedded in the flow. That architecture makes responsibility harder to pin down. It also creates a false sense of legitimacy. A regulated on-ramp inside the chain does not automatically mean the destination platform itself sits safely inside the regulatory perimeter.

That is precisely why MiCA matters. Recital 22 makes clear that crypto-asset services can still fall within scope even when part of the activity is performed in a decentralized manner. What matters is whether the service is provided or controlled, directly or indirectly, by identifiable persons. Only services that are fully decentralized and operate without any intermediary fall outside scope. This is the key compliance lens for FinTelegram going forward. The question is not whether a platform calls itself DeFi. The question is who controls the client journey, the money flow, the wallet logic, the fee extraction, and the risk exposure.

New Rails, More Complex Structures

The rails are what make the current phase more dangerous. In the binary-options era, the core enabling structures were payment processors, acquiring banks, shell companies, and offshore entities. In the DeFi era, the supporting rails are often more complex and harder to understand for ordinary investors. They can include fiat-to-crypto on-rampers, aggregator layers, self-custodial or quasi-custodial wallets, bridge-like mechanics, perpetuals venues, staking wrappers, and “earn” products routed through multiple providers.

This complexity is not a side issue. It is central to the business model. It allows operators to fragment responsibility and tell a story in which nobody appears to be fully accountable. The interface says execution happens elsewhere. The on-ramp says it only processes the fiat leg. The protocol says it is decentralized. The user, meanwhile, sees one seamless trading journey.

That is why recent FinTelegram work on Hyperliquid and AXIOM matters. These reports were not isolated pieces. They were early case studies in a broader structural shift. They showed how broker-like access to leveraged crypto trading can be embedded inside branded interfaces and supported by sophisticated on/off-ramp architecture.

Markets Are Again Moving Faster Than Regulation

This is another familiar lesson from the binary-options years. By the time regulators imposed emergency restrictions in 2018, the binary-options and CFD sectors had already caused large-scale retail harm. ESMA’s own intervention record shows how serious the investor-detriment problem had become.

The same dynamic risks reappearing in the DeFi segment. Markets innovate faster than legal interpretation, and retail distribution evolves faster than investor-protection mechanisms. Even now, EBA and ESMA are still analyzing DeFi and related crypto models, warning that the term “DeFi” itself should not be treated as a legal conclusion and noting significant ML/TF and broader conduct risks in the sector.

MiCA is an important step, but it is not a magic shield. It provides a regulatory framework, central registers, and authorization architecture for crypto-asset service providers, but the market is already testing the edges of that framework through front ends, access layers, hybrid models, and outsourced execution stacks.

Why Investor Protection Requires Earlier Scrutiny

The binary-options disaster should not be repeated. That market left a trail of victims, enforcement actions, broken lives, and enormous losses for unsuspecting retail investors. The lesson was not only that the products were risky. The lesson was that opacity, weak perimeter enforcement, and delayed scrutiny allowed those products to spread far too long before decisive action was taken.

FinTelegram’s role is not to wait until the damage is complete. It is to identify risk patterns earlier, map the enabling rails, and make the economic reality of these structures visible before the next retail-investor disaster scales out of control. That is why DeFi brokers and DeFi investment schemes will now receive more sustained attention alongside offshore casinos. The underlying compliance logic is the same: retail users are being onboarded, monetized, and exposed through weakly supervised or strategically fragmented structures.

What FinTelegram Will Cover

In the months ahead, FinTelegram will expand its compliance coverage across four related lanes:

- DeFi brokers: platforms and interfaces offering leverage, perpetuals access, synthetic exposure, or broker-like crypto trading functionality.
- DeFi investment schemes: yield, staking, vault, “earn,” and other products that function economically like speculative investment schemes.
- On/off-ramp and wallet rails: the funding and conversion architecture that moves users from fiat into high-risk crypto environments.
- Perimeter watch: MiCA boundary cases, interface-only defenses, non-custodial claims, and the role of licensed firms inside higher-risk ecosystems.

This is not anti-crypto coverage. It is compliance and investor-protection coverage. The target is not innovation. The target is perimeter gaming, opacity, and the monetization of retail risk without clear accountability.

Summary Compliance Statement

FinTelegram believes that DeFi brokers and DeFi investment schemes represent the next major perimeter challenge in digital finance. The migration from binary options and offshore brokers to DeFi-branded trading and investment structures does not reduce compliance risk. In many cases, it increases it by adding technical complexity, outsourced execution layers, and fragmented accountability. MiCA has created an important framework, but supervisory and investor-protection questions remain open, especially where identifiable operators organize access to crypto-asset services through branded interfaces and supporting rails. FinTelegram will therefore intensify its scrutiny of this segment in the same spirit that once drove its coverage of binary options, offshore brokers, and their payment enablers.

Call To Whistleblowers And DeFi Investors

If you are a DeFi investor, trader, insider, developer, service provider, or former employee with relevant information, contact FinTelegram confidentially via Whistle42. We are particularly interested in: internal compliance assessments, wallet and routing logic, on/off-ramp integration structures, KYC/AML workflows, hidden operators and control persons, partner contracts, geo-targeting practices, leverage and liquidation mechanics, and investor complaints or internal risk discussions.

Together, we can monitor and track this evolving DeFi segment in the interest of investor protection. Because the lesson from binary options was clear: when markets evolve faster than transparency, retail investors pay the price.

FCA Bans Former Trading CEO Kasim Garipoglu Over Systemic Anti-Money Laundering Failures and Fraud

The UK Financial Conduct Authority (FCA) has permanently banned former FX and CFD trading CEO Kasim Garipoglu, a Turkish national, from the financial services industry. The regulator’s investigation exposed a shocking disregard for anti-money laundering (AML) controls, revealing a corporate culture where compliance frameworks were actively dismantled, leaving the firm highly vulnerable to financial crime.

Key Findings

- AML Sabotage: Garipoglu deliberately undermined financial crime defenses by forcing junior staff to complete his mandatory AML competency exams on his behalf.
- Intentional Vulnerability: He systematically dismissed warnings from his own compliance team, treating the risk of facilitating illicit financial flows as an acceptable business expense.
- Regulatory Deception: He orchestrated the impersonation of himself during an official inquiry with a South African financial regulator.
- Document Forgery: To manipulate regulatory requirements, he fabricated his own university degree and forged an employee’s utility bill.
- Permanent Prohibition: He is indefinitely banned from performing any function related to regulated financial activities in the UK market.

Description of the Case

Between April 2012 and December 2022, Kasim Garipoglu served as the chief executive of an online retail FX and contract for difference (CFD) trading provider. One of the main firms associated with him was GKFX Financial Services Ltd (now Trive Credit Technology UK Limited), a London-based brokerage. Garipoglu also held directorships in a number of financial services and fintechs, including GK Investment Holdings Limited, Smart Capital Investments Limited, GKPay Limited, MyInvest Limited and Mercury Online Credit Ltd. Additional roles linked him to technology and financial infrastructure companies such as Interactive Technologies Limited and Trive Credit Technology UK Limited.

Within the high-risk trading sector, robust AML controls are the critical first line of defense against the integration of illicit funds into the financial system. According to the FCA’s Final Notice, Garipoglu treated these vital safeguards with outright contempt.

Rather than fostering a culture of compliance, Garipoglu actively dismantled the firm’s oversight mechanisms. He outright refused to engage with critical AML training, coercing subordinates to take his compliance tests and fraudulently presenting the results as his own. When his internal compliance department warned him that his commercial directives breached regulatory obligations and exposed the firm to severe money laundering risks, Garipoglu overruled them. He actively chose to prioritize profit over the legal obligation to prevent financial crime. His willingness to employ forgery and impersonation to bypass international regulatory scrutiny further underscores a calculated strategy to operate entirely outside the boundaries of financial law.

Summary Conclusion

Therese Chambers, the FCA’s joint executive director of enforcement and market oversight, emphasized that Garipoglu’s behavior created a severe risk of facilitating serious money laundering. By actively subverting AML controls and neutralizing his compliance team, he fundamentally compromised the firm’s ability to detect and prevent financial crime. Although statutory time limits prevented the FCA from levying a financial penalty, this permanent industry ban neutralizes the ongoing threat he poses. It also serves as a stark warning to the industry: regulators will ruthlessly excise executives who treat anti-money laundering frameworks as optional.

Call to Whistleblowers

Do you have information regarding financial wrongdoing, AML evasion, or systemic compliance violations within the trading industry? Whistleblowers are the ultimate defense against illicit finance and institutional fraud. Share your knowledge with FinTelegram securely and anonymously. Contact us today via our secure whistleblowing channels to help us expose financial malpractice and protect market integrity.

AXIOM’s Fiat-Into-DeFi Rail: How Onramper And Its Licensed Partners Turn “Buy Crypto” Into A Deposit Channel

AXIOM’s “Buy Crypto” function appears to be far more than a simple widget. In substance, it works as a fiat deposit rail into AXIOM’s DeFi-branded trading stack, using Dutch aggregator Onramper and licensed or registered onramp partners to move users from card, bank, or wallet-based payment into immediate crypto trading access. For regulators and compliance analysts, the key issue is obvious: when a platform structures, controls, and monetizes that funding journey, the “DeFi” label alone may no longer be enough to keep it outside MiCA’s reach. Key Findings FinTelegram’s March 13, 2026 review found that AXIOM could be accessed by EU users from multiple jurisdictions, with signup via email or Google and no meaningful onboarding friction before access to the deposit flow. AXIOM’s direct crypto deposit rail appears to accept transfers in multiple assets without platform-level KYC at the point of wallet funding. AXIOM’s fiat deposit path is effectively outsourced to Onramper, which dynamically routes users to third-party fiat gateways. Onramper publicly describes itself as a Netherlands-based fiat-to-crypto aggregator with 130+ payment methods, coverage in 190+ countries, and 30+ gateway partners. Onramper’s own terms say it is not a fiat gateway, is not party to the user’s transaction with the selected provider, and does not take custody of user funds. AXIOM and Onramper publicly announced their partnership in December 2025, describing the integration as a seamless way for AXIOM users to top up BNB and SOL with localized payment methods. Ramp Network states that Ramp Swaps (Ireland) Limited received MiCA CASP authorisation from the Central Bank of Ireland in December 2025, and the AMF’s whitelist confirms its passporting into France. 
Swapped publicly presents itself as registered with AUSTRAC, FinTRAC, FinCEN/NMLS, and Norway’s FSA, which supports the view that at least part of AXIOM’s rail is being executed by regulated or registered partners rather than by AXIOM itself. Topper is marketed by Uphold as a regulated fiat on-ramp product within the Uphold group. Link’s support materials say users can buy crypto on Link-supported sites from third-party exchange providers, which suggests Link acts as a checkout/payment layer rather than the crypto counterparty itself. Compliance Analysis AXIOM’s “Buy Crypto” Rail Is Functionally A Fiat Deposit Channel FinTelegram’s review indicates that AXIOM’s “Buy Crypto” feature should not be treated as a minor convenience tool. In substance, it operates as a fiat deposit rail into AXIOM’s trading environment. The user journey is simple and commercially coherent. A user enters AXIOM, chooses a fiat funding option, is routed through Onramper’s aggregation layer, completes payment and any partner-level KYC with the selected provider, and then receives crypto into the wallet environment used for AXIOM trading. That matters. Even if the fiat-to-crypto conversion is legally executed by third-party providers, the overall structure functions as a funding funnel into AXIOM. In practical terms, AXIOM’s “Buy Crypto” feature looks far less like a peripheral widget and far more like an integrated deposit mechanism. Read our initial AXIOM compliance report here. The Real MiCA Question Is Control, Not Branding This distinction is central under MiCA. Recital 22 does not create a safe harbor merely because parts of a service are decentralized or outsourced. The real question is whether crypto-asset services are performed, provided, or controlled, directly or indirectly, by identifiable persons. That is where AXIOM becomes problematic. AXIOM’s own materials identify Axiom Innovations Inc. as the company behind the service. 
At the same time, AXIOM markets itself as a trading platform and hybrid wallet product. This means it is not just a neutral protocol endpoint or a piece of passive software. It is an identifiable commercial interface that structures access to funding, wallets, and trading. From a compliance perspective, AXIOM therefore cannot rely on “DeFi” branding alone. The stronger and more defensible reading is that AXIOM presents a serious MiCA perimeter-risk case because it appears to organize access to crypto-asset services for users, including EU-based users, through a branded and operationally integrated front end. Onramper’s Formal Position: Aggregator, Not Gateway Onramper’s role is more nuanced. On paper, Onramper presents itself as a technical aggregation and routing layer. Its public materials describe a widget and API solution that compares providers dynamically based on geography, payment method, pricing, and conversion probability. Its legal positioning is drafted with care. Onramper says it is not itself the fiat gateway, not a party to the user transaction, does not settle the transaction, and does not take custody of user fiat or crypto. Formally, that is a classic infrastructure model. It is designed to keep Onramper outside the legal role of exchange, broker, or custodian. The Practical Reality Looks More Complicated The difficulty is that FinTelegram’s March 2026 testing suggests the practical reality may be more complex than the contractual wording implies. The AXIOM-Onramper flow appears to prefill the destination wallet. More importantly, the TopperPay payment confirmation (screenshot left) suggests that the purchased SOL was first sent to a wallet labeled for Onramper before appearing in the AXIOM context. That is a relevant compliance signal. If the purchased crypto is routed through an operational wallet, forwarding wallet, or omnibus wallet within the onramp stack, then the process may involve more than neutral comparison technology. 
It may amount to transaction orchestration with wallet-layer intermediation. That does not prove, on the currently available evidence, that Onramper legally acts as a custodian. But it does raise legitimate questions about who controls the destination wallet, who determines the delivery path, and whether any entity in the chain momentarily receives, directs, or operationally handles crypto on behalf of the user or AXIOM. Those questions are material under MiCA, AML/CFT analysis, and safeguarding logic. The Cleanest Reading Of The Rail Based on the available evidence, the clearest regulatory reading is this: The third-party onramp partners appear to be the regulated or registered execution entities for the fiat-to-crypto purchase. AXIOM appears to be the commercial destination platform that owns the user relationship and provides the trading environment. Onramper appears to be the technical routing and orchestration layer connecting users to execution partners. That structure is important because the presence of licensed or registered partners inside the payment rail does not solve AXIOM’s own perimeter problem. MiCA does not only concern the entity that books or settles the conversion. It can also capture the entity that commercially organizes access to crypto-asset services through a branded interface. That is precisely why AXIOM cannot simply point to Ramp Network, Topper, MoonPay, Swapped, or Link by Stripe and argue that compliance stops there. Read our reports on Swapped here. If AXIOM structures the rail, predefines the wallet logic, captures the client relationship, and converts fiat onboarding into immediate trading access on its own platform, regulators may reasonably ask whether AXIOM is operating as a brokerage-adjacent or platform-style access layer in substance. The stronger legal formulation is therefore not that AXIOM has already been definitively found to be an unauthorized CASP. 
It is that AXIOM presents a serious and visible MiCA perimeter-risk profile. Onramper Is A Material Boundary Case A similar logic applies to Onramper. Its terms are clearly designed to frame the business as technical infrastructure only. That may be correct as a matter of formal legal design. But supervisors do not assess risk solely through disclaimers. They also look at operational reality. If an aggregator goes beyond neutral comparison and becomes deeply embedded in user-flow control, provider recommendation, wallet handling, conversion optimization, and transaction routing inside third-party trading platforms, then it starts to move closer to a regulated intermediation problem. For now, the most defensible conclusion is that Onramper is a material boundary case. On the available evidence, it does not appear to be the principal crypto seller. But neither does it look like a trivial software plug-in. Its role appears central to AXIOM’s fiat entry architecture, and that alone makes it compliance-relevant. The Partner Layer Looks Stronger Than The Platform Layer The onramp partner layer appears stronger on paper. Ramp Network is MiCA-authorized in Ireland and passported into France. Swapped presents itself as registered across several jurisdictions. Topper sits within the Uphold group’s regulatory perimeter. Link by Stripe appears to function primarily as a payment and checkout layer rather than the direct crypto counterparty. That means the weakest link in the AXIOM rail is not necessarily the formal status of the payment partners themselves. The more sensitive issue is the combined AXIOM-Onramper model: a DeFi-branded trading platform using a localized, partner-driven fiat onboarding stack to feed users directly into a trading environment that does not appear to have visible EU authorization of its own. The Traffic Pattern Supports The Integrated-Rail Thesis Similarweb statistics for Onramper (Feb 2026) FinTelegram’s traffic findings support that interpretation. 
If AXIOM accounts for the overwhelming majority of referral traffic into buy.onramper.com, then Onramper is not incidental to AXIOM’s business model. It is a core access rail. That concentration strongly suggests that AXIOM’s “Buy Crypto” function is not a loose affiliate arrangement or a detached third-party tool. It is an integrated fiat onboarding funnel. Combined with AXIOM’s sizeable traffic and visible EU user participation, that increases the relevance of MiCA and UK perimeter questions, even if the formal fiat-to-crypto leg is executed by licensed partners. Summary Compliance Statement FinTelegram’s March 2026 review indicates that AXIOM’s “Buy Crypto” feature functions in substance as a fiat deposit rail into a DeFi-branded trading environment. While regulated or registered partners appear to execute the fiat-to-crypto leg, that does not remove AXIOM’s own MiCA perimeter risk. AXIOM captures the user relationship, structures the funding journey, and channels users directly into its trading stack. Onramper, meanwhile, appears to act as a central routing and orchestration layer and should be viewed as a material boundary case rather than a neutral plug-in. The overall result is a sophisticated fiat onboarding architecture feeding a platform that, on the currently visible facts, remains outside any clearly identifiable EU authorization framework. 
Summary Table: AXIOM And Its Payment Rails

| Element | Observed / Reported Role | Regulatory / Compliance View |
| --- | --- | --- |
| AXIOM | Trading platform and hybrid wallet interface; destination environment for funded users. | Serious MiCA perimeter-risk case if it is organizing access to crypto-asset services for EU users without authorisation. |
| Onramper | Dutch aggregation/routing layer embedded in AXIOM’s “Buy Crypto” rail; selects provider/payment path dynamically. | Publicly positions itself as non-custodial technical infrastructure, but in practice appears central to user onboarding and transaction flow. |
| Topper, TopperPay / Uphold | Fiat-to-crypto execution partner observed in FinTelegram’s test purchase. | Appears to sit within a more mature regulated environment than AXIOM itself. |
| Ramp Network | Suggested partner for bank transfer / Apple Pay / Google Pay flows in review. | Ramp Swaps (Ireland) Limited states it holds MiCA CASP authorisation; AMF whitelist confirms passporting into France. |
| Swapped | Suggested onramp partner in reviewed flows. | Publicly states registrations with AUSTRAC, FinTRAC, FinCEN/NMLS, and Norway FSA; not the same as saying it solves AXIOM’s perimeter issue. |
| MoonPay | Presented in AXIOM/Onramper flow for some payment methods and also referenced by AXIOM’s broader partner mix. | Regulated partner model strengthens execution side, but not AXIOM’s own authorisation posture. |
| Link by Stripe | Checkout/payment layer shown for debit-card crypto purchase routes. | Appears to support crypto purchases from third-party providers rather than acting as the crypto exchange itself. |
| User KYC | Partner-level KYC observed in FinTelegram’s test, but not AXIOM-level KYC before accessing rail. | Suggests compliance is pushed outward to providers, while AXIOM retains commercial front-end relationship. |
| Wallet handling | Review screenshots suggest destination wallet data is prefilled via the rail and may involve an Onramper-labelled wallet in the payment path. | Raises unresolved questions about custody, forwarding, settlement flow, and wallet control. |
| Overall structure | AXIOM front end → Onramper routing layer → licensed/registered onramp partner → crypto delivered into AXIOM trading context. | Functionally resembles a fiat deposit funnel into a DeFi platform. |

Call To Whistleblowers Do you have internal information about AXIOM, Onramper, Topper, Ramp, Swapped, MoonPay, Link by Stripe, or other entities involved in AXIOM’s buy-crypto rail? FinTelegram is particularly interested in: internal routing logic and wallet-handling architecture, custody or forwarding arrangements, KYC/AML escalation procedures, partner contracts, country blocking or geo-targeting policies, compliance opinions on MiCA perimeter exposure, suspicious transaction monitoring and sanctions screening, how AXIOM users are classified inside the payment stack. Share information confidentially with FinTelegram via Whistle42. Share Information via Whistle42


Revolut And Payoro: How Norwegian Players Bypass The Offshore Gambling Payment Ban

Norway’s strict payment ban on unlicensed gambling is being quietly undermined by a new, layered payments stack. Using Revolut as an “entry wallet” and Payoro as a withdrawal hub, offshore casinos and their affiliates appear to have created a de facto alternative banking route for Norwegian players—far from the reach of domestic banks and regulators. Key Findings Revolut functions as the primary on‑ramp for Norwegian users to fund accounts at illegal offshore casinos, bypassing bank‑level gambling blocks via e‑wallet and open‑banking transfers. Payoro is widely used as the core payout processor for offshore operators such as White Star B.V., Rhino Entertainment Group, and Boabet, channeling EUR and NOK withdrawals back to Revolut. Many offshore casino brands reviewed by FinTelegram list Revolut—often via open banking providers like Yapily Connect and Bulgarian platform Contiant—as the preferred “go‑to bank” for Norwegian players. MCC misclassification and suspected transaction laundering appear to mask gambling transactions as non‑gambling payments, allowing them to flow through Revolut and partner PSPs without triggering standard gambling blocks. Payoro’s KYC (including BankID) is effectively leveraged by operators as a shortcut: once a player is verified with Revolut and Payoro, deposits and withdrawals are largely frictionless across multiple illegal offshore brands. Analysis And Interpretation Norway’s regime prohibits payment intermediaries from processing transactions to unlicensed gambling operators, and banks have implemented extensive blocking lists for high‑risk processors and merchant accounts. However, domestic banks have been told they cannot impose general blocks on transfers to neutral third parties such as Revolut, generic e‑wallets, and crypto‑friendly platforms. This legal nuance has turned Revolut into a structural weak point in the Norwegian enforcement architecture. 
The flows described by insiders are straightforward: Norwegian players move funds from their local bank to Revolut, and from there to offshore operators via card, e‑wallet, or open‑banking initiations. For withdrawals, Payoro (website) and similar intermediaries route funds from casino accounts back to Revolut, often after a one‑time KYC check that uses Norwegian BankID. At that point, the domestic bank only “sees” a transfer to or from Revolut—not a gambling transaction. FinTelegram’s previous reviews of illegal offshore casinos repeatedly show Revolut positioned at the center of their payment pages. In combination with open‑banking layers like Yapily Connect and Contiant, Revolut in practice acts as the de facto banking hub for Norwegian high‑risk gambling activity. The frequent reports of MCC misclassification and transaction laundering indicate that both issuers and regulators may be presented with a sanitized version of these flows, while the underlying economic activity remains clearly gambling‑related. Compliance Hypothesis Our working hypothesis is that Revolut and Payoro, together with upstream open‑banking providers and acquirers, form a multi‑layered payment stack that systematically circumvents Norway’s payment ban on illegal offshore gambling. Even if each layer claims to be “agnostic” to end‑use, the cumulative design and marketing towards Norwegian players—combined with MCC manipulation and reliance on third‑party KYC—suggest a concerted architecture of regulatory arbitrage rather than incidental misuse. This raises serious questions about the adequacy of their risk assessments, merchant onboarding, and AML/CTF controls in high‑restriction markets such as Norway. Call For Whistleblowers FinTelegram is continuing its investigation into Revolut’s and Payoro’s roles in offshore gambling payment flows. 
We call on players, insiders, compliance professionals, and affiliates with knowledge of these structures, including use of Yapily Connect, Contiant, and similar platforms, to provide further information via our secure whistleblower platform Whistle42. Share Information via Whistle42


Revolut’s UK Banking Breakthrough: Full Licence Strengthens the Brand—But Compliance Questions Around Its Payment-Rail Footprint Remain

Revolut has announced on X that it is now a “fully licensed bank” in the UK, confirming that the PRA has lifted the restrictions attached to its 2024 authorisation and allowed the launch of Revolut Bank UK Ltd. The move is a major strategic milestone for the fintech group, but it does not end the regulatory scrutiny around how Revolut’s rails appear across high-risk crypto and offshore-gambling flows. Key Findings Revolut says it is now a fully licensed bank in the UK; the PRA has approved its exit from mobilisation. The UK licence enables FSCS-protected deposit accounts and opens the door to broader lending products. Revolut’s latest official annual-report metrics show 52.5 million retail customers at year-end 2024, £3.1 billion revenue, £1.089 billion profit before tax, and £1 trillion transaction volume; more recent company statements say it now serves more than 70 million customers globally. In the EU, Revolut combines a Lithuanian bank, a Lithuanian MiFID investment firm, and a Cyprus MiCA CASP entity. FinTelegram continues to see Revolut embedded in fiat-to-crypto and offshore-casino payment chains, including via Onramper and open-banking layers. The Compliance Report Compliance Situation in UK Revolut, founded in 2015, has grown from a payments app into one of Europe’s largest fintech groups. Official 2024 figures show 52.5 million retail customers, £3.1 billion in revenue, £1.089 billion in profit before tax, £790 million net profit, and £1 trillion transaction volume. In March 2026, Revolut said it serves more than 70 million customers globally. The immediate significance of the UK licence is straightforward: Revolut can now operate as a full UK bank rather than an e-money institution plus a bank-in-waiting. Its UK bank can offer eligible customers FSCS protection on deposits and can expand into current accounts, credit, and other balance-sheet products. 
That materially upgrades customer protection, funding flexibility, and regulatory credibility in its home market. Read our Revolut reports here. Compliance Situation in EU In the EU, however, Revolut remains a multi-entity regulatory stack. Banking services are anchored in Revolut Bank UAB in Lithuania, licensed by the ECB and regulated by the Bank of Lithuania; since 2024, Revolut’s Lithuanian banking group has been under direct ECB supervision as a significant institution. Investment services are provided by Revolut Securities Europe UAB, a Lithuanian investment firm subject to MiFID II. Crypto services for EEA clients are now routed through Revolut Digital Assets Europe Ltd in Cyprus, licensed as a CASP under MiCA. Revolut’s own rules also state that tokens qualifying as MiFID II financial instruments are excluded from Revolut X, showing the fault line between MiCA crypto services and securities regulation. High-Risk Payment Facilitator From a FinTelegram compliance perspective, that stronger licence perimeter in the UK does not neutralise the risk created by Revolut’s recurring appearance in high-risk rails. Onramper publicly lists Revolut among its ramp providers, and Onramper announced an Axiom integration for fiat-to-crypto access. FinTelegram recently found Revolut presented as a primary rail in Axiom-related “Buy Crypto” journeys, while in the casino segment Revolut-linked rails and open-banking layers repeatedly surface in offshore payment architectures, often alongside intermediaries such as Yapily-type providers. The compliance issue is therefore not Revolut’s licence status alone, but whether its controls sufficiently detect and restrict repeated exposure to unregulated brokers, DeFi perimeter-risk flows, and offshore gambling conversion chains. Compliance Conclusion Revolut’s full UK banking licence is a genuine milestone. 
But the stronger the licence, the stronger the expectation that its AML, merchant-risk, transaction-monitoring, and partner-oversight frameworks will prevent its rails from becoming repeat infrastructure for regulatory arbitrage.

Revolut Key Data

| Field | Details |
| --- | --- |
| Brand | Revolut |
| Main domain | revolut.com |
| Founded | 2015 |
| Current customer base | 70m+ globally (company, Mar 2026) |
| 2024 revenue | £3.1bn |
| 2024 profit before tax | £1.089bn |
| 2024 transaction volume | £1tn |
| UK entity | Revolut Bank UK Ltd / PRA-regulated UK bank launch; Revolut Ltd remains FCA-authorised EMI (FRN 900562) |
| EU banking entity | Revolut Bank UAB, Lithuania, ECB/Bank of Lithuania supervised |
| MiFID II entity | Revolut Securities Europe UAB, Lithuania |
| MiCA entity | Revolut Digital Assets Europe Ltd, Cyprus, CASP licence 001/2025 |

Call to Whistleblowers If you have information on Revolut’s role in high-risk payment processing, open-banking routing, crypto on-ramping, offshore gambling, merchant monitoring, or AML escalation failures, contact FinTelegram confidentially. Share Information via Whistle42


AXIOM And The MiCA Perimeter: Why This “DeFi Trading Platform” Raises Serious EU Compliance Questions

AXIOM markets itself as a decentralised, on-chain trading platform, but its own materials describe a far more structured and monetised service: a branded trading interface, hybrid wallet, no-KYC crypto purchases up to $500 per week via Coinbase, yield-style features, and perpetuals trading via Hyperliquid with leverage up to 50x and a 0.01% AXIOM fee per trade. For compliance analysts, the question is no longer whether such platforms call themselves “DeFi,” but whether they are in substance providing crypto-asset services through an identifiable operator in a way that places them inside the EU’s MiCA perimeter. Key Findings AXIOM describes itself as a trading platform and “hybrid crypto trading app and wallet,” not merely as neutral code or a passive interface. AXIOM says users can buy up to $500 of crypto per week, no-KYC, through its Coinbase-linked flow. AXIOM’s perpetuals documentation says trading is powered by Hyperliquid, allows leverage of up to 50x, and charges a 0.01% AXIOM fee per transaction. AXIOM’s privacy policy identifies Axiom Innovations Inc. as the entity behind the service. Under MiCA Recital 22, services provided, performed, or controlled by legal or natural persons can still fall within scope even if part of the activity is performed in a decentralised manner; only services provided in a fully decentralised manner without any intermediary are outside scope. The January 2025 EBA/ESMA report expressly warns that industry labels such as “DeFi protocols” should not be treated as a legal conclusion on actual decentralisation for MiCA purposes. The same EBA/ESMA report flags significant ML/TF risks in DeFi channels due to weak or absent AML/CFT controls and the ability of users to transact without effective identification and verification. 
Recent reporting by CoinDesk described allegations by ZachXBT that an AXIOM employee misused internal tools and user-linked wallet data; AXIOM reportedly said access was revoked and an internal investigation was opened. These are allegations, not proven findings, but they raise governance and market-integrity concerns. Compliance Analysis And Interpretation From a FinTelegram compliance perspective, AXIOM is important because it illustrates the shrinking distance between so-called DeFi interfaces and regulated brokerage-like activity. AXIOM does not present itself simply as open-source software or a non-commercial protocol layer. Its own documentation describes a consumer-facing environment that bundles wallet functionality, trading tools, token discovery, funding rails, yield-style features, and perpetuals trading into one branded product. That matters under MiCA. The AMF’s public MiCA guidance, reflecting Recital 22, is clear that the Regulation applies to services and activities performed, provided, or controlled directly or indirectly by identifiable persons, including where part of the service is performed in a decentralised manner. Only crypto-asset services delivered in a fully decentralised manner without an intermediary fall outside MiCA’s scope. The same AMF page also states that the CASP regime applies from 30 December 2024, subject to transitional arrangements for providers already operating lawfully under national regimes. This is why the “we are DeFi” label is not enough. AXIOM’s materials point to an identifiable operator, branded customer acquisition, fee extraction, integrated third-party relationships, and a managed user journey. Even if execution or settlement is routed through decentralised infrastructure, that does not by itself remove perimeter risk. 
The stronger compliance reading is that AXIOM presents a serious MiCA scope question, especially where it appears to package access to crypto trading and leveraged perpetual exposure for end users through a centralised commercial layer. The January 2025 joint EBA/ESMA report reinforces that view. The supervisors explicitly state that industry terminology such as “DeFi protocols” should not be read as a view on actual decentralisation under MiCA. They also identify several businesses that provide access to DeFi, including application interfaces and self-custodial wallets, and highlight significant AML/CFT, ICT, and consumer-protection risks in those models. Particularly relevant is their finding that DeFi channels present significant ML/TF risk because users may transact in practice without adequate identification and verification. Against that background, AXIOM’s “no-KYC” purchase flow for up to $500 per week is not a trivial marketing detail. Nor is the combination of wallet functionality, “up to 15% APY” yield messaging, and high-risk perpetuals trading with leverage up to 50x. Taken together, these features create the profile of a high-velocity, highly monetised crypto access point rather than a minimalist software wrapper. That does not prove that AXIOM is already in breach of MiCA or other EU rules. But it does support the view that the platform warrants close supervisory attention under the CASP perimeter, AML/CFT expectations, and broader conduct-risk analysis. The governance angle adds another layer. CoinDesk’s late-February 2026 reporting on allegations that an AXIOM employee misused internal tools and sensitive wallet-linked information goes to the heart of a recurring compliance problem in hybrid crypto platforms: they often want the branding advantages of decentralisation while retaining enough internal visibility, control, and data access to optimise trading behaviour, monetisation, and user growth. 
Even where the allegations remain unproven, the episode raises legitimate questions about internal access controls, information barriers, surveillance, auditability, and how user-sensitive data is handled inside platforms that market themselves as sophisticated trading venues. For FinTelegram, the core issue is therefore not semantic but structural. If a platform controls the front end, curates the user journey, integrates the funding rails, monetises the activity, and packages leveraged trading for retail-style users, then regulators and compliance analysts are likely to look through the “DeFi” label and focus on the economic reality of intermediation. AXIOM looks much closer to that reality than its decentralisation narrative would suggest. Conclusion AXIOM should be viewed as a serious MiCA perimeter-risk case. Its own disclosures point to an identifiable operator, commercial fee capture, integrated wallet and trading functionality, low-friction no-KYC onboarding for smaller purchases, yield promotion, and leveraged perpetuals trading through Hyperliquid. None of that automatically establishes illegality. But together these features create a strong basis for regulatory scrutiny under MiCA’s CASP framework and raise further concerns around AML/CFT, market conduct, governance, and consumer protection. In FinTelegram’s view, AXIOM is best analysed not by the label it uses, but by the brokerage-like service stack it delivers to end users. 
Compliance Summary Table

| Category | AXIOM Key Data | Compliance Relevance |
| --- | --- | --- |
| Platform name | AXIOM / axiom.trade | Consumer-facing crypto trading platform with broker-like presentation. |
| Self-description | AXIOM says it is a “trading platform” designed to be the only application needed to trade on-chain. | Suggests an organised service layer, not merely passive code. |
| Wallet function | AXIOM says it is a “hybrid crypto trading app and wallet” and currently supports Solana. | Relevant to MiCA perimeter analysis where wallet + trading functions are bundled. |
| Operator / legal entity | AXIOM’s privacy materials identify Axiom Innovations Inc. as the operator. Its terms describe a web-hosted user interface provided by the company. | Important because the presence of an identifiable operator weakens a pure “fully decentralised” positioning. |
| Buy-crypto flow | AXIOM says users can buy up to $500 worth of crypto per week, no-KYC, through its partnership with Coinbase. | Raises AML/CFT and onboarding-friction questions. |
| Yield feature | AXIOM says it offers up to 15% APY and links this feature to Marginfi. | Adds product-complexity and conduct-risk considerations. |
| Decentralisation claim | AXIOM states: “Yes, Axiom is decentralized” and says it integrates directly with decentralised protocols and applications. | Core claim to test against MiCA Recital 22 and actual control/intermediation. |
| Perpetuals venue | AXIOM docs state perpetuals are powered by Hyperliquid. | Indicates reliance on third-party execution infrastructure while retaining branded user access. |
| Leverage | AXIOM says it allows up to 50x leverage on its platform. | High-risk retail-style trading exposure; relevant for conduct and consumer-protection analysis. |
| Trading fee | AXIOM says it takes a 0.01% fee per transaction when trading perpetuals on its platform. | Evidence of direct monetisation of trading activity. |
| Trading analytics tools | Docs reference tools such as Bundle Checker, Wallet Tracking, Tweet Monitor, and Trader Scan. | Supports the view that AXIOM provides an integrated trading intelligence environment, not just execution access. |
| Key compliance issue | AXIOM combines branded interface control, wallet functionality, low-friction onboarding, monetised trading access, and leveraged products. | Creates a serious MiCA perimeter-risk profile and raises AML/CFT, conduct, and governance questions. |

Call To Whistleblowers If you have information about AXIOM, its operators, internal controls, wallet analytics, trading surveillance, compliance setup, or relationships with third-party execution and funding providers, contact us confidentially via Whistle42. We are particularly interested in documents, screenshots, internal policies, legal opinions, onboarding procedures, KYC/AML workflows, governance records, and evidence relating to access to user-linked wallet data or market-sensitive internal tools. Share Information via Whistle42


OSCHADBANK’S MISSING $82M: Did Kyiv’s Shadow Finance Just Get Caught in Budapest?

On 5 March 2026, Hungarian counter-terrorism commandos ambushed two Oschadbank armoured vehicles on the M0 ring road near Budapest, seizing $40 million, €35 million, and nine kilograms of gold — a total haul of roughly $82 million. The man escorting the cash? A former SBU intelligence general. Zelensky’s response was to threaten Viktor Orbán’s life. This was just one of several such money and gold transports from Austria via Hungary to Ukraine. KEY FINDINGS $82 million in mixed cash and gold seized from two Oschadbank armoured vehicles on the Hungarian M0 ring road on 5 March 2026. Among the seven detainees: a former general of Ukraine’s SBU (Security Service), Gennady Kuznetsov — not a typical bank courier profile. Hungary opened formal money-laundering criminal proceedings; Orbán ordered a 60-day asset freeze via emergency government decree. Hungarian minister János Lázár publicly admitted the raid was deliberate and tied to Ukraine’s suspension of Druzhba oil pipeline transit — a geopolitical act disguised as law enforcement. Zelensky publicly threatened Orbán, implying he would give the PM’s address to Ukrainian armed forces so they could “speak to him in their own language.” The EU rebuked Zelensky’s threat as “not acceptable” — but EU-country media largely buried or downplayed it. In 2026 alone, over $900 million, €420 million, and 146 kg of gold bars transited Hungary into Ukraine — all by road, all in cash. The cash originated from Austria’s Raiffeisen Bank International (RBI) — raising questions about RBI’s role in Ukraine’s parallel cash economy. Read more about the role of RBI in this case here. ANALYSIS: WHY WIRE TRANSFERS DON’T LIE — AND CASH DOESN’T HAVE TO [Image: Official website of the Hungarian Government] Ukraine’s Oschadbank — the state-owned national savings bank — insists the shipment was routine. 
Since Russia’s full-scale invasion in February 2022, Ukraine’s airspace closure has forced banks to repatriate foreign currency by armoured road convoy rather than air freight or SWIFT transfer. Bloomberg sources confirm such runs occur weekly. This explanation, however, does not survive basic AML scrutiny. The FATF framework and EU’s 6AMLD are unambiguous: when a legitimate financial institution needs to move large sums of foreign currency, the instrument of choice is a SWIFT interbank transfer, a central bank-to-central bank settlement, or at minimum a documented correspondent banking arrangement — not a physical cash convoy. The question that neither Oschadbank nor its apologists have answered is elementary: why cash, not wire? AML red flags are stacked high. Physical cash — by definition — leaves no automatic audit trail. A former SBU counter-terrorism general serving as a cash courier is operationally indefensible for a routine bank transfer. The sheer scale ($82 million in a single run, with $900M+ transited in just the first two months of 2026) is far beyond any plausible retail liquidity requirement. The involvement of Raiffeisen Bank International (RBI) as the Austrian originator adds another layer: RBI has faced sustained regulatory scrutiny for its continued Russia exposure and has been under pressure from the ECB to exit the Russian market. Austria is also home to some of Europe’s most opaque private banking structures. Ukrainian investigative journalist Anatoliy Shariy, citing sources, alleged the funds did not belong to Oschadbank at all, but to “very specific people” — figures embedded in the Kyiv political establishment with links to Brussels. Hungarian Foreign Minister Péter Szijjártó was even blunter, raising the spectre of a “Ukrainian war mafia.” These are allegations, not proven facts — but the presence of an intelligence general at the wheel of a cash truck worth $82 million demands a credible counter-narrative that has not materialised. 
The geopolitical context is equally telling. Hungary seized the convoy on the same day Zelensky threatened Orbán. Budapest admitted the operation was deliberate retaliation for the Druzhba pipeline suspension. This collision of raw power politics and financial crime enforcement creates a legal no-man’s land: Hungary’s seizure may be politically motivated yet legally defensible on AML grounds. The money remains frozen, with Orbán holding it as collateral. Poland’s foreign minister called it theft. The EU called Zelensky’s death threat “unacceptable” — and then largely moved on. THE SILENCE OF EU MEDIA That a sitting head of state — a recipient of billions in EU and NATO military support — publicly implied he would send armed soldiers to the private address of an EU member state’s prime minister is, by any standard, an extraordinary event. It is precisely the kind of story that should dominate European front pages for days. Instead, Der Spiegel buried Zelensky’s threat in the penultimate paragraph of an article focused on Orbán. French, Italian, and Spanish outlets barely covered it. The narrative architecture of the European press — in which Zelensky is the heroic victim and Orbán the Kremlin’s useful idiot — left no editorial room for the inconvenient truth that Kyiv just threatened an EU capital. CONCLUSION Whether the $82 million seized in Budapest is war-chest funding for Ukrainian oligarchs, legitimate Oschadbank liquidity, or something murkier, the case exposes a critical gap in Europe’s financial crime architecture: billions in physical cash are moving through EU territory without triggering the oversight mechanisms that SWIFT transfers would automatically generate. The legality of Hungary’s seizure remains contested, but the AML questions raised are entirely legitimate — and they deserve serious answers, not diplomatic deflection and media silence. 
WHISTLEBLOWER APPEAL Do you have information about cash transfers between Ukrainian banks and European financial institutions? Do you know who the beneficial owners of these convoys really are? FinTelegram urges insiders, bank employees, compliance officers, or government officials with relevant knowledge to come forward. Submit information securely and anonymously via Whistle42 — our encrypted whistleblower platform. Your information protects European financial integrity. Share Information via Whistle42


RAIFFEISEN’S CASH PIPELINE: Is Austria’s Most Political Bank the Silent Engine of Ukraine’s Shadow Finance?

► This is a follow-up to FinTelegram’s initial report: “Oschadbank’s Missing $82M: Did Kyiv’s Shadow Finance Just Get Caught in Budapest?” (11 March 2026). Readers are advised to review that report for full case background. Raiffeisen Bank International (RBI) confirmed it has a long-standing contract with Ukraine’s Oschadbank to physically transport foreign cash across EU territory — a practice that, Bloomberg confirms, runs weekly and has moved over $900 million and €420 million into Ukraine in the first two months of 2026 alone. RBI is simultaneously under ECB sanction pressure for its Russia business, has been fined by Austria’s FMA for AML failures, and is embedded in Austria’s ÖVP political network. The compliance questions this raises are not academic. They are urgent. KEY FINDINGS RBI confirmed to multiple outlets it operates a “long-standing” banknote distribution business across Europe — citing Austrian bank secrecy law to avoid disclosing specifics of the Oschadbank contract. The shipment originated from RBI’s Vienna headquarters under a formal international contract with Oschadbank — confirmed by Ukraine’s National Bank and Oschadbank’s own legal counsel. According to Hungarian Foreign Minister Szijjártó, over $900M, €420M, and 146 kg of gold transited Hungary into Ukraine in just the first two months of 2026 — implying RBI’s pipeline is substantial and systematic. RBI is the largest Western bank still operating in Russia. Its Russian profits exceeded those of all other foreign banks combined in Q1–Q3 2024, per BankTrack and B4Ukraine. The ECB has formally ordered RBI to accelerate its Russia exit; the US Treasury has warned RBI that access to the US financial system could be restricted due to its Russia dealings. Austria’s FMA fined RBI €2.7 million in 2018 for AML failures, and opened a further KYC investigation in 2024 into RBI’s correspondent banking. RBI has also been investigated over its role in the $967M Magnitsky-linked laundering scheme. 
The Raiffeisen banking group has historically close structural ties to Austria’s ÖVP — the dominant party in the Austrian government — raising questions about political protection of RBI’s compliance exposure. Hungary was evidently aware of these regular cash convoys — minister Lázár’s own admission that the seizure was deliberate implies prior knowledge of the pipeline. ANALYSIS: RBI, AUSTRIA, AND THE ARCHITECTURE OF PERMISSIBLE OPACITY RBI’s response to press inquiries was a study in deliberate minimalism. To the Kyiv Post, spokesman Christoph Danz confirmed RBI “operates a long-standing business involving the distribution of banknotes across Europe” while citing Austrian bank secrecy as the barrier to further comment. To Bloomberg, RBI stated its employees were not involved in the convoy — technically distancing Vienna from the physical operation while not denying the contractual relationship. To Telex, it noted it “regularly cooperates with central banks, the relevant authorities, and distributors” and claims to supply “extensive information” about trading volumes and destination countries to authorities. If true, this means Austrian regulators have been briefed on the scale and frequency of these cash runs. The question then is not whether they knew — it is whether they acted. RBI’s compliance record compounds this concern dramatically. The Austrian FMA has fined RBI twice for AML failings, the most recent formal investigation opened in 2024 targeting KYC deficiencies in correspondent banking — precisely the business line covering the Oschadbank contract. William Browder’s Hermitage Capital identified RBI’s predecessor entity as a conduit for $634 million of Magnitsky-linked funds. The OCCRP documented RBI’s role in the Troika Laundromat. These are not peripheral allegations — they constitute a documented pattern of AML permissiveness toward post-Soviet financial flows. The Russia dimension makes the picture even more troubling. 
While RBI has been publicly obliged by the ECB to wind down its Russian operations — and under threat from the US Treasury of being cut off from dollar clearing — it has simultaneously been profiting in Russia at a rate that outpaced all other Western banks combined. A bank managing a substantial, regular physical cash pipeline into Ukraine while simultaneously running Russia’s largest Western banking operation occupies a unique dual position in the geopolitics of the conflict. It is the financial institution most deeply embedded in both sides of the war. Compliance regulators across the EU should be asking what, precisely, RBI’s role is in the broader movement of war-related financial flows. The political context in Austria cannot be ignored. The Raiffeisen banking network — an interlocking structure of regional cooperative banks that feed up into RBI — has long been described as the financial arm of the ÖVP. Raiffeisen’s regional banks have historically provided preferential financing to ÖVP-aligned businesses and political figures; the BUWOG scandal implicated Raiffeisenlandes bank Oberösterreich in a politically sensitive privatisation deal. This structural entanglement raises a legitimate question: does Austria’s regulatory leniency toward RBI’s AML exposure reflect the independence of the FMA and the WKStA, or the political influence of a bank that is, in effect, co-terminus with the ruling party? Finally, the question of Hungary’s prior knowledge must be addressed. Minister Lázár’s admission that the March 5 seizure was deliberate, combined with Szijjártó’s detailed statistics on prior cash transits, strongly implies that Budapest was not surprised by the convoy — it was waiting for it. If Hungarian authorities had data on volumes and frequency, the question arises whether RBI’s self-reported “extensive information” flows to regulators crossed national intelligence boundaries. Were Hungarian authorities briefed by Austrian counterparts on this pipeline? 
CONCLUSION RBI is not a passive conduit in this story. As the originating institution of a weekly, multi-hundred-million-euro physical cash pipeline — operating under Austrian bank secrecy, under ongoing AML investigation, and in a bank group structurally entwined with the Austrian government — it is a central compliance actor. The $82 million seized in Budapest is the visible tip of a financial iceberg. The EU’s AML architecture was not designed to be defeated by armoured trucks and bank secrecy law. Austria’s regulators, the ECB, and the European Banking Authority need to answer whether RBI’s banknote distribution business has been subject to the same scrutiny as its Russia operations — and if not, why not. WHISTLEBLOWER APPEAL FinTelegram is seeking insiders with direct knowledge of RBI’s banknote distribution operations, its contractual arrangements with Ukrainian state banks, and its internal AML sign-off processes for these cash shipments. We are also seeking information from current or former employees of Austria’s FMA or WKStA regarding regulatory decisions on RBI’s Eastern European cash flows. Do you have knowledge of the political dimension of Austrian regulatory leniency toward RBI? Do you know who the beneficial owners of these cash convoys ultimately are? Report securely and anonymously via Whistle42 — FinTelegram’s encrypted whistleblower platform. Your information is protected. Share Information via Whistle42


Expanding the Zentoria/NovaForge Payment Map: “Spinsopotamia.com” Billing Descriptor Now Linked to FCA-Regulated EMI xpate

Following our Feb 19, 2026 compliance report on Zentoria Limited and the NovaForge casino network (Robycasino/Spinsy), a whistleblower has provided email documentation indicating that the card billing descriptor “Spinsopotamia.com” is connected to xpate (xpate.com) — a payment services / e-money firm that states it is authorised by the UK Financial Conduct Authority (FCA) as an Electronic Money Institution (EMI). If accurate, this is a meaningful escalation: it suggests the “clean EU/UK-facing descriptor layer” described in our original report may be supported by an FCA-regulated payments perimeter, raising immediate questions around merchant onboarding, gambling exposure controls, card scheme monitoring, and transaction laundering red flags.

Key Findings
Whistleblower attribution: The whistleblower concluded that the descriptor “Spinsopotamia.com” belongs to xpate and relates to card deposits into Robycasino.com.
xpate response (documented): xpate support described xpate as a “payment processing technology provider,” stated it is generally unable to resolve claims directly, and said it “exceptionally forwarded” the matter to the “relevant merchant.”
Original structure remains consistent: Our Feb 19 reporting connected Robycasino deposits to the descriptor “Spinsopotamia.com Dublin” and to Zentoria Limited as the Irish-facing entity in the scheme.
Regulatory perimeter indicated: xpate’s public disclosures state xpate Ltd is authorised by the FCA (FRN shown on xpate’s site) to issue e-money and provide payment services; and xpate also references an EEA entity (xpate SIA) licensed in Latvia.

[Image: Xpate Email Communication]

Compliance Analysis: What This Update Changes

In our original report, we described Zentoria Limited as the Trojan Horse payment layer: a seemingly legitimate, EU-anchored merchant identity (Spinsopotamia) used to route deposits for offshore casino brands (e.g., Robycasino) while avoiding bank/card-issuer gambling blocks. Read our reports on Zentoria here.

The whistleblower documentation now adds a possible upstream payments node: The whistleblower contacted xpate seeking recovery of funds tied to “Spinsopotamia.com” charges and received a reply indicating xpate forwarded the complaint to the relevant merchant for review. This language is consistent with a scenario where xpate is embedded in the processing chain (e.g., as a PSP, facilitator, or platform providing payment rails/merchant services), while the “merchant of record” (or underlying merchant) is treated as a separate party.

Why this matters from a compliance standpoint: If “Spinsopotamia.com” is indeed routed via an FCA-regulated EMI environment, then the expected control set is materially higher: KYC/KYB on the merchant, gambling policy enforcement, monitoring for MCC/descriptor manipulation, chargeback patterns, and high-risk merchant review (especially where the underlying service is unlicensed offshore gambling in multiple jurisdictions).

The “Facade Casino” Strategy (Revisited With xpate in the Chain)

Acquiring banks and card networks rely heavily on merchant identity signals (descriptor, website, category/MCC, jurisdiction, onboarding narrative) to detect and block illegal or high-risk gambling flows. The method described in our Feb 19 report remains the core pattern: a “front” domain/descriptor (Spinsopotamia) connected behind the scenes to offshore brands (e.g., Robycasino). The whistleblower emails strengthen the hypothesis that the scheme is not “just a domain trick,” but potentially a multi-party payment stack in which a regulated payments firm may be providing services to a merchant entity that is linked to, or used by, the offshore casino network. Read our reports on Novaforge here.

How the Bait-and-Switch Works (Operational View)

The transaction pattern described by FinTelegram remains the same, now with an added processing hypothesis:
A player deposits funds at Robycasino.com.
The card charge appears as “Spinsopotamia.com Dublin” on the statement (the “clean” facade).
The whistleblower asserts the descriptor belongs to xpate, and xpate’s support acknowledges involvement by escalating the case to the “relevant merchant.”
The issuing bank approves a charge that does not obviously present as an offshore casino deposit.

[Image: Xpate Email Communication]

This is precisely the compliance blind spot that enables transaction laundering: the bank’s decisioning engine “sees” a benign-looking merchant identity while funds are ultimately used for restricted activity.

Evidence Note: What the Whistleblower Documentation Shows

Based on the uploaded email thread:
The whistleblower lists multiple card transactions in Dec 2025 showing “spinsopotamia.com Dublin” (20–30 EUR amounts) and states the real recipient is Robycasino.com.
In a response dated Feb 20, 2026, xpate support states xpate is not the direct provider of the goods/services and advises the cardholder to contact the merchant / card-issuing bank, while noting the complaint was forwarded to the relevant merchant “as an exception.”
In a follow-up dated Feb 23, 2026, the whistleblower tells xpate no merchant contact/refund had occurred and urges xpate to take action, referencing FinTelegram’s reporting on Zentoria/NovaForge.

This documentation does not by itself prove the full acquiring chain — but it is credible signal evidence that xpate is operationally close enough to the merchant setup to route escalation to the underlying party.

Summary Data: Updated Nodes
Category | Details
Suspected Front Descriptor | Spinsopotamia.com / “Spinsopotamia.com Dublin”
Irish-Facing Entity (per original report) | Zentoria Limited (Ireland)
Offshore Casino Brand | Robycasino.com (NovaForge network)
Newly Identified PSP Node (whistleblower claim) | xpate (xpate.com) (Source: Xpate Email Communication)
Regulatory Perimeter (public disclosure) | xpate states FCA authorisation for xpate Ltd (UK) and an EEA EMI licence for xpate SIA (Latvia).

Actionable Compliance Insight

For regulators, card schemes, and banking compliance teams, the immediate next steps are straightforward:
Merchant KYB review: Identify the legal merchant entity behind “Spinsopotamia.com” and any links to Zentoria Limited and/or NovaForge brands.
Descriptor/MCC integrity check: Review whether the merchant category, descriptor, and website content accurately describe the underlying activity (and whether they mask gambling).
Chargeback/fraud monitoring: Map chargeback ratios and complaint volumes tied to “Spinsopotamia.com” descriptors.
Jurisdictional gambling exposure controls: If underlying activity targets EU/UK consumers without local gambling licences, this should trigger high-risk merchant remediation (restriction/termination) and SAR/STR assessment, depending on the facts and the jurisdiction.

Call for Whistleblowers: Help Us Complete the Rail Map

FinTelegram is expanding its dossier on Zentoria Limited, the NovaForge casino network, and the newly indicated xpate payment node. If you have: card/bank statements showing Spinsopotamia, Zentoria, Robycasino, or other NovaForge-related descriptors, onboarding emails, checkout screenshots, payment pages, or merchant receipts, insider knowledge of which acquirer/processor is enabling these rails, please submit securely via Whistle42.


CJEU Advocate General Rantos: “Refund First, Argue Later” — Banks Must Reimburse Unauthorized Payments Immediately

A fresh opinion from the Court of Justice of the EU could materially shift the scam-loss battlefield across Europe. In Case C-70/25 (Tukowiecka), Advocate General Athanasios Rantos proposes that a bank must immediately refund an unauthorised payment once notified—even if the bank believes the customer acted with gross negligence. The bank’s remedy comes after the refund: pursue reimbursement through a separate claim.

Key Findings
Immediate refund is the rule: PSD2 requires banks to reimburse unauthorised transactions “as a first step.”
Gross negligence is not a “refund blocker”: banks cannot refuse reimbursement upfront by alleging the user breached security duties.
Only narrow exception flagged: if the bank has good reason to suspect payer fraud, it must report that suspicion to the competent national authority.
Refund is not final: after refunding, the bank may seek to shift losses back to the customer if it can prove intentional breach or gross negligence (and may need to sue if the customer refuses).
Case context: phishing via a sales platform link led to stolen credentials and an unauthorised payment; the Polish bank refused to refund; District Court in Koszalin asked the CJEU to interpret PSD2.

Short Analysis

This dispute sits at the heart of PSD2’s consumer-protection design: unauthorised payments are meant to be reversed quickly to prevent victims from financing fraud losses while banks and merchants argue fault. Rantos’ reading of Directive (EU) 2015/2366 (PSD2) treats “immediate reimbursement” as a hard requirement, leaving no room for national carve-outs that effectively turn refund duties into a negligence trial at the complaint desk.

Operationally, the opinion pushes banks toward a two-step model:
Refund fast (unless there is a documented fraud suspicion reported to authorities), then
Litigate or recover later if gross negligence is provable.
For compliance teams, the implication is blunt: the “customer was careless” narrative may remain relevant—but not at the refund stage. Expect pressure on banks to tighten real-time fraud detection, strong customer authentication controls, and post-incident evidence collection (device/IP telemetry, authentication logs, social-engineering indicators) to support any later recovery action.

Important: Advocate General opinions are not binding; the CJEU will deliberate and issue judgment later. Still, these opinions often preview the direction of travel—and the compliance risk for banks that default to “deny first” practices may rise sharply if the Court follows Rantos.

Pub date: 2026-03-10. Author: FinTelegram Compliance Desk.

Call for Information

Have you been denied reimbursement after a phishing scam, APP fraud, SIM-swap, or “authorised push payment” manipulation—especially where a bank blamed “gross negligence”? FinTelegram is gathering EU-wide case patterns. Submit documents, timelines, and bank correspondence securely via Whistle42.com.


Juice.gg: Compliance Briefing & Payment Rail Analysis – Unlicensed Skin Gambling via Cyprus Payment Agent

Juice.gg is an unlicensed CS2 skin-gambling platform owned and operated by Belize-registered Juice Holdings Ltd. Despite lacking any recognized iGaming license, the platform illegally targets global users, including minors. To circumvent strict European banking blocks and AML checks, the scheme utilizes a dual-entity structure, employing Cyprus-based JuiceGG Entertainment Ltd as its EU payment agent, while heavily relying on a deceptive third-party gift-card payment loop.

Key Entity & Compliance Data
Data Point | Details
Brand Name | Juice.gg
Operating Entity (Owner) | Juice Holdings Ltd
EU Payment Agent | JuiceGG Entertainment Ltd
Registered Jurisdictions | Belize (Operator) / Cyprus (Payment Agent)
Claimed License(s) | None (Unlicensed)
Targeted / Illicit Markets | Global (including US, UK, and EU)
Identified Payment Processors | Swapped.com, Kinguin, G2Play (via Gift Cards), Cyprus-based Acquirers, Crypto Wallets
FinTelegram Risk Rating | RED

Regulatory Framework & Operational Status

Juice.gg explicitly states on its website that it is owned and operated by Juice Holdings Ltd, an offshore corporate entity registered in Belize. Crucially, the platform operates entirely outside the regulated iGaming perimeter, failing to hold any recognized gambling license—not even from permissive offshore jurisdictions like Curacao or Anjouan. Despite this lack of authorization, Juice.gg illegally targets players in strictly regulated markets, including the US, UK, and the European Union, without implementing effective geo-blocking or standard KYC/AML protocols. The platform’s reliance on CS2 skin unboxing appeals heavily to underage demographics, severely amplifying its regulatory hazard.

To create a facade of European legitimacy and access local banking networks, the Belizean operator explicitly names JuiceGG Entertainment Ltd, registered in Cyprus, as its official EU payment agent. This dual-entity structure is a classic offshore maneuver designed to obscure the flow of illicit gambling funds from regulated financial networks.

Payment Rails & Processor Analysis

[Image: Juice.gg cashier with Swapped.com]

Because the unlicensed Belizean operator (Juice Holdings Ltd) cannot legally secure direct merchant accounts, Juice.gg employs a bifurcated, highly deceptive payment rail strategy to extract fiat from regulated markets.

First, the integration of JuiceGG Entertainment Ltd (Cyprus) as an EU payment agent is a critical compliance red flag. By utilizing this European front company, the offshore operator can plug into the European SEPA network and acquire EU-based payment processing. The Cyprus entity acts as the “merchant of record,” absorbing player fiat deposits and subsequently funneling the funds offshore to Belize. This structural separation deceives European acquiring banks and e-wallets into processing payments for an unlicensed gambling operation under the guise of a legitimate Cyprus-based digital entertainment firm.

Second, the platform weaponizes a “gift-card payment loop.” Users are directed to purchase digital Juice.gg vouchers on secondary marketplaces like Kinguin and G2Play using standard fiat methods (Visa, Mastercard, PayPal). The acquiring bank codes these transactions as generic digital goods, successfully bypassing Merchant Category Code (MCC 7995) gambling restrictions. Users then redeem these codes on Juice.gg, effectively laundering fiat into betting credits while destroying the AML audit trail. Furthermore, direct crypto deposits are actively processed without any verified fiat-to-crypto compliance gateways acting as an AML buffer.

Third: Because the unlicensed Belizean operator (Juice Holdings Ltd) cannot legally secure direct merchant accounts, Juice.gg employs a highly deceptive, two-step “fake fiat” payment rail to extract funds from regulated markets. During our review, we discovered that the Danish fiat-to-crypto on/off-ramp Swapped.com acts as the sole FIAT payment facilitator for the platform. When a player initiates a fiat deposit, the transaction is routed through Swapped.com’s gateway. In the first step, the player unwittingly purchases USDC stablecoins via their credit card or bank account. Once the fiat transaction clears, the second step is triggered: Swapped.com automatically transfers the newly purchased USDC directly to Juice.gg’s crypto wallets. This structure effectively launders the gambling deposit as a standard retail cryptocurrency purchase, successfully bypassing issuing banks’ Merchant Category Code (MCC 7995) gambling restrictions and obfuscating the AML audit trail.

We have prepared a separate, detailed compliance report examining Swapped.com’s specific role and regulatory exposure in this scheme. Read our report on Swapped’s Juicy payment rail here.

Compliance Verdict

Juice.gg presents an extreme regulatory and AML hazard. By combining a Cyprus-based payment agent scheme (JuiceGG Entertainment Ltd) with fake FIAT deposits via on/off-ramper Swapped.com, and third-party digital marketplace gift cards, the Belizean operator (Juice Holdings Ltd) has constructed a sophisticated network to systematically bypass global banking blocks. Payment Service Providers, acquiring banks servicing Cyprus, and digital marketplaces like Kinguin are unwittingly acting as financial conduits for unlicensed, potentially underage gambling. Regulators and PSPs must immediately scrutinize transactions linked to this dual-entity structure to close this illicit fiat gateway.

Did you deposit funds at Juice.gg? We need your input.

To expose the hidden payment processors facilitating offshore gambling, we ask players to share their deposit experiences. Please check your bank or credit card statements: what is the exact merchant name that appears for your deposit? Share your receipts, screenshots, and bank statement descriptors with us securely and anonymously via our Whistleblower system.


Swapped.com: Danish On/Off-Ramper Functioning as the Primary Fiat Gateway for Juice.gg!

The Danish fiat-to-crypto on/off-ramper Swapped (www.swapped.com) is systematically acting as an integrated payment facilitator for illegal offshore gambling schemes. Following our discoveries of Swapped embedded in illicit casinos like Roobet and GamDom, our latest review of the Juice.gg scheme reveals Swapped operating as the platform’s sole FIAT payment processor. By utilizing a deceptive two-step “fake fiat” rail, Swapped funnels European retail funds through its Banking Circle accounts in Munich directly into unlicensed offshore casino wallets, deliberately bypassing standard AML and banking restrictions.

Key Findings
Systemic Offshore Facilitator: Swapped’s business model appears heavily reliant on servicing the illegal offshore casino segment. It operates as the integrated on-ramper for major unlicensed platforms including Juice, Roobet, and GamDom.
The Fake Fiat Rail: Swapped provides a two-step “Buy Crypto” disguise. Players deposit fiat (e.g., EUR) via credit card, SEPA bank transfer, or e-wallets to Swapped, which automatically converts the funds to USDC and forwards them instantly to the casino’s wallet.
Banking Circle Connection: SEPA bank transfers funding these offshore casino deposits are routed directly to Swapped’s corporate account at Banking Circle in Munich—a banking partner frequently appearing in high-risk fiat rails.
Algorithmic Symbiosis: Traffic data confirms a deep integration between the ramper and the casino. In February 2026, the unlicensed casino Juice.gg was the third-largest referring website to the widget.swapped.com payment portal, accounting for nearly 15.7% of its total traffic.
Opaque Compliance: Swapped’s Legal & Compliance team ignored FinTelegram’s requests for a statement regarding their involvement in the Juice.gg scheme.

Key Entity & Compliance Data
Data Point | Details
Brand Name | Swapped (prev. Bitinvestor)
Primary Domain | www.swapped.com (widget.swapped.com)
Legal Entities | Swapped ApS (Denmark); Swapped ASP NUF (Norway); Swappedcom Inc. (US), FinCEN (MSB Registration Number: 31000300023305)
Key Executive | Thomas Franklin (CEO & Founder)
Registered Jurisdiction | Denmark
Known Illicit Merchant Connections | Juice.gg, Roobet, GamDom
Identified Banking Partner | Banking Circle (Munich, Germany)
FinTelegram Risk Rating | RED
RatEx42 Risk Signal | RED (high risk)

Compliance Analysis: Swapped’s Activities and the Juice.gg Payment Rails

The Danish tech firm Swapped markets itself as a frictionless platform to buy and sell digital assets. However, FinTelegram’s ongoing investigations indicate that Swapped has positioned itself as the go-to payment gateway for the illegal offshore gambling sector. We have previously detailed how Swapped circumvents European regulatory perimeters for giants like Roobet and GamDom. Our latest review of the Juice scheme (Juice.gg) confirms this is not an isolated oversight, but a systemic operational model.

As noted in our recent FinTelegram compliance report on Juice.gg, the platform is operated by the Belize-registered Juice Holdings Ltd, utilizing a Cyprus-based payment agent (JuiceGG Entertainment Ltd). Juice deceptively markets itself as offering “no real money gambling,” a claim easily debunked by examining its payment infrastructure. Cryptocurrencies are widely classified as monetary assets, and Juice actively solicits fiat deposits through its integration with Swapped. Read our Juice.gg review here.

[Image: Juice.gg cashier with Swapped.com]

As evidenced by our captured screenshots of the Juice cashier, the “CASH” section offers Bank Transfer, Paysafecard, Skrill, Neteller, and RAPID Transfer options—all explicitly labeled as being processed by “SWAPPED” (see screenshot left). When a player initiates a fiat deposit (e.g., a €34.25 Bank Transfer), the Swapped widget takes over. This initiates a highly orchestrated “fake fiat” loop:
The Fiat Capture: The player transfers fiat to Swapped to purchase stablecoins (USDC ERC-20). Crucially, our transaction evidence proves that these SEPA deposits are routed to Swapped’s corporate bank account at Banking Circle in Munich.
The Auto-Forward: Once the fiat clears Banking Circle, Swapped converts it to USDC and automatically transfers the crypto directly to the Juice casino wallet.

This two-step process effectively launders the gambling deposit into a standard retail cryptocurrency purchase. By sitting in the middle, Swapped shields the issuing banks from Merchant Category Code (MCC 7995) triggers, masking the fact that they are funding an unlicensed Belizean gambling operation. The fact that Juice alone drives 15.7% of all referring traffic to Swapped’s widget underscores that illegal gambling is a primary revenue driver for the Danish entity. Read our Swapped.com reports here.

Compliance Verdict

Swapped represents a critical AML and compliance failure within the European fiat-to-crypto pipeline. By embedding its payment widget into unregulated offshore casinos, Swapped is deliberately acting as a financial buffer, enabling illegal gambling operators to drain fiat from protected European markets. In our view, Banking Circle must urgently audit the transaction volume flowing into Swapped’s Munich accounts, as it is heavily polluted with illicit, miscoded gambling deposits. Swapped’s failure to respond to our compliance inquiries further cements their disregard for regulatory transparency.

Call to Action: Whistleblowers Wanted

Do you have inside information on Swapped.com? To expose the hidden payment processors facilitating illegal offshore gambling, we need your input. Are you a former employee of Swapped, or do you have insights into their merchant onboarding processes, their relationship with Banking Circle, or their direct API integrations with casinos like Juice, Roobet, and GamDom? Please share your information, documents, or insights securely and anonymously via our Whistleblower system.


Oro.gg: EU/UK-accessible Anjouan-Licensed Casino With ChainValley-Style Fiat→Crypto Funding

Oro.gg is presented as a non-crypto-only casino offering cards, e-wallet brands, bank transfer and direct crypto deposits. Although it relies on an offshore Anjouan gaming licence, our review indicates EU/UK residents can register and deposit. The main compliance exposure sits in (i) card deposits routed via third-party gateway domains and (ii) a recurring fiat→crypto funding pattern linked to ChainValley, plus direct wallet deposits.

SNAPSHOT RISK RATING
Risk to PSP/EMI: High
Confidence: Medium-High
Rationale: EU/UK access observed + obfuscating fiat→crypto typology + opaque gateway domains.

KEY DATA TABLE
Item | Summary
Casino brand / domains | Oro.gg / www.oro.gg (launched in Summer 2025)
Claimed operator & jurisdiction | Tusitier Ltd (Belize) — Indicated (site claim)
Licence claim + verification status | Anjouan Gaming register lists Tusitier Limited with licence ALSI-202505043-FI2 incl. oro.gg — Confirmed.
Target markets observed | EU/UK residents could register & deposit — Confirmed (review)
KYC/age gate indicators | Unknown (inputs not provided)
Deposit methods shown | Cards; Skrill; RAPID; Neteller; PaysafeCard; Revolut; bank transfer; crypto — Confirmed (review)
Card gateways/PSPs observed | payments.dinopower.tech; 3dsgatepath.com — Confirmed (review)
OB/bank transfer actors observed | Revolut + “bank transfer” offered; underlying payee/IBAN Unknown — Indicated (review)
Fiat→crypto / onramp actors observed | ChainValley (PL) across multiple methods (Skrill/RAPID etc.) — Corroborated
Crypto rails summary | Direct to casino wallet (no visible processor) — Confirmed (review)
Top 3 red flags | EU/UK access; gateway opacity; fiat→crypto purpose-obfuscation — Confirmed/Corroborated
Evidence tier + last checked date | Mixed; last checked Feb–Mar 2026 (inputs)

REGULATORY BASELINE
Licence reality: Oro.gg appears under Tusitier Limited in Anjouan Gaming’s public licence register (licence ALSI-202505043-FI2, valid 2025-05-10 to 2026-05-09).
Jurisdictional gap: An offshore gaming licence is not an EU/UK gambling authorization framework.
Market access: EU/UK onboarding and deposits were possible in your review (Confirmed).

This combination creates facilitation exposure for payment intermediaries where local authorisation is absent: PSP/acquirer gambling policy enforcement, AML/CFT monitoring, and consumer protection duties become directly relevant once EU/UK residents can fund play.

REGULATORY HOOKS
Potential triggers:
Unlicensed gambling facilitation exposure (EU/UK access observed)
Merchant-of-record / acquirer policy risk (card rails via gateway domains)
Transaction-purpose obfuscation (fiat→crypto deposit structure)
Layering/rapid pass-through indicators (auto-forward to casino)

PAYMENT RAILS MAP
Rail A – Cards: oro.gg → payments.dinopower.tech / 3dsgatepath.com → card/3DS routing → casino funding
Rail B – Fiat→crypto (“fake fiat”): Skrill/RAPID (+ others) → ChainValley crypto sale → auto-forward to casino
Rail C – Direct crypto: player wallet → casino wallet address

RAIL-BY-RAIL FINDINGS

RAIL A: Credit/Debit Cards — Confirmed
Observed flow: oro.gg → payments.dinopower.tech / 3dsgatepath.com → card processing/3DS → casino funding
Actors surfaced: gateway domains; legal entities behind them Unknown.
Compliance exposure: potential opacity around merchant-of-record, gambling MCC/descriptor integrity, and jurisdictional controls (EU/UK acceptance).
Evidence: cashier flow observed in your review (Feb–Mar 2026).

RAIL B: Fiat→Crypto via ChainValley + Skrill/RAPID — Corroborated/Confirmed
Observed flow: oro.gg cashier method → crypto purchase via ChainValley → crypto auto-forwarded to casino
Actors surfaced: Chain Valley Sp. z o.o. (Poland) identified in its Privacy Policy (KRS 0001036419, Warsaw address).
Compliance exposure: purpose obfuscation (“crypto purchase” masking gambling funding), possible third-party settlement and rapid pass-through typologies.
Evidence: your review + player documents indicating prior Skrill/RAPID deposits via UTRG UAB (utPay).

RAIL C: Direct Crypto Deposits — Confirmed
Observed flow: player wallet → casino wallet (assets/chains/wallets Unknown).
Actors surfaced: casino deposit wallets not provided.
Compliance exposure: reduced intermediary visibility; upstream monitoring shifts to on/off-ramps and wallet screening.
Evidence: direct wallet deposit behavior observed in review.

Read our ChainValley reports here.

PROCESSOR & MERCHANT RISK NOTES
Gateways likely act as payment routing/3DS endpoints; map merchant-of-record/acquirer behind each domain.
ChainValley appears as fiat→crypto bridge; typology is consistent with gambling-adjacent purpose obfuscation.
utPay publicly states it has temporarily suspended MiCA crypto-asset services and would resume after Bank of Lithuania authorization, supporting an ecosystem migration pattern.

SUMMARIZING COMPLIANCE ASSESSMENT

Based on our review and quick public checks, Oro.gg combines offshore licensing with EU/UK-accessible onboarding and a mixed funding stack (card gateways + fiat→crypto conversion + direct wallet deposits). Anjouan Gaming’s register confirms Tusitier Limited holds licence ALSI-202505043-FI2 and lists oro.gg among numerous authorized URLs—suggesting Oro.gg is part of a multi-brand portfolio rather than a standalone site. The observed rails are consistent with reduced transparency over merchant-of-record and transaction purpose and warrant enhanced due diligence, monitoring, and jurisdictional controls by PSPs/EMIs and related providers.

EXTERNAL VERIFICATION NOTES
Licence register entry found? Y
Operator identity corroborated? Y (Tusitier Limited listed)
Conflicting licence claims on site? Unknown (not verified from provided page view)
Gateway ownership/hosting identified? Unknown
Regulator warnings/enforcement found? Unknown

RED FLAGS CHECKLIST
EU/UK accepted (weak geo-block)
Offshore licence not equivalent to EU/UK authorization
Merchant descriptor mismatch / third-party beneficiaries (Unknown)
OB routed via unrelated domains (Unknown)
Fiat→crypto obfuscation pattern (Corroborated)
Mirror domains / rotation (Unknown)
KYC absent/post-deposit (Unknown)
Withdrawal friction/fee demands (Unknown)

INDICATORS & SEARCH STRINGS
oro.gg, www.oro.gg
Tusitier Limited; ALSI-202505043-FI2
payments.dinopower.tech; 3dsgatepath.com
chainvalley.pro; “Chain Valley Sp. z o.o.”; KRS 0001036419
utpay / UTRG UAB

ACTIONABLE TAKEAWAYS
For regulators: trace the controlling entities behind the gateway domains and assess acquiring relationships; review Tusitier Limited’s broader domain portfolio in the Anjouan register for cross-brand patterns.
For PSPs/merchants: treat ChainValley-style fiat→crypto funding as a gambling typology requiring EDD; reconcile merchant-of-record and descriptor/MCC integrity for card rails; add monitoring for gateway domains and rapid pass-through behavior.

KNOWN UNKNOWNS
Unknowns: merchant descriptors; payee/beneficiary/IBAN; KYC timing; withdrawal behavior; crypto assets/chains; wallet addresses.

CALL FOR INFORMATION

Deposited or attempted withdrawals at Oro.gg? We need evidence to map the rails precisely: bank/card descriptors, receipts, Skrill/RAPID confirmations, beneficiary/IBAN details, Revolut/bank-transfer screens, and any crypto tx hashes + destination wallet addresses. Please include timestamps and screenshots of the cashier flow and any withdrawal communications. Submit confidentially via Whistle42.com (anonymity options available).


Behind the Gateway: Why Ramp Network Embraces MiCA While Onramper Operates in the Aggregator Loophole

The fiat-to-crypto on-ramp sector is functionally divided into two distinct operational models with vastly different regulatory footprints. In this compliance report, we analyze the regulatory divergence between Ramp Network’s heavily licensed, direct-clearing approach and Onramper’s hands-off aggregator model. We examine their respective RatEx42 risk ratings, explain the licensing disparities, and assess how the EU’s Markets in Crypto-Assets (MiCA) framework will impact their operations moving forward.

Key Findings

The Aggregator Loophole: Onramper operates purely as a B2B technology layer, legally bypassing direct MSB or VASP licensing requirements by never taking custody of fiat or crypto, earning an ORANGE RatEx42 risk signal due to its indirect routing to high-risk merchants like offshore casinos.

The Direct Clearer: Ramp Network acts as a primary financial institution, executing its own KYC/AML, clearing fiat, and settling crypto. This direct accountability necessitates strict global licensing (FCA, FinCEN, EU CASP), earning it a GREEN RatEx42 rating.

MiCA’s Regulatory Cleaver: Under the EU’s MiCA regulation, Ramp Network’s newly acquired Crypto Asset Service Provider (CASP) license allows it to passport services seamlessly across 27 member states.

Existential Risk for Aggregators: MiCA regulates the “reception and transmission of orders for crypto-assets.” If regulators determine that Onramper’s dynamic routing widget constitutes order transmission rather than a mere IT interface, the aggregator may be forced into the regulatory perimeter.

Comparative Compliance Analysis

The Two Models: Technology Layer vs. Financial Institution

To understand why Onramper can operate globally without a single financial license while Ramp Network spends millions maintaining registrations across the US, UK, and EU, one must look at the mechanics of the transaction.

Onramper (The Aggregator): Onramper is legally classified as a software provider. Its core product is a dynamic routing engine: an API and widget that digital wallets or merchants embed into their platforms. When a user buys crypto, Onramper’s algorithm evaluates the user’s location and payment method, then routes the user to a third-party gateway (like Swapped.com or MoonPay). Because Onramper never touches the user’s fiat, never holds the cryptocurrency, and does not conduct the KYC/AML checks, it shifts 100% of the regulatory liability to its underlying partners. However, this lack of direct oversight is exactly why RatEx42 assigns Onramper an ORANGE risk signal. The platform’s dynamic routing is frequently leveraged by high-risk merchants, such as offshore casinos, to seamlessly accept fiat deposits under the radar, muddying the waters of consumer protection.

Ramp Network (The Direct Clearer): Conversely, Ramp Network operates as a B2B2C financial institution. When a user interacts with a Ramp Network widget inside a Web3 app, Ramp is the entity verifying the user’s identity (KYC), processing the credit card payment, and executing the crypto transfer from its own liquidity pools. Because Ramp Network handles the flow of funds and data directly, it cannot rely on technology exemptions. It must register as a Money Services Business (MSB) with FinCEN in the US, hold cryptoasset registration with the UK FCA, and maintain EU licenses. This direct control and accountability over the transaction lifecycle earns Ramp Network a GREEN RatEx42 risk signal.

The Impact of MiCA on Both Schemes

The EU’s Markets in Crypto-Assets (MiCA) framework is fundamentally reshaping this dynamic.

For Ramp Network, MiCA is a massive operational advantage. Having secured authorization as a Crypto Asset Service Provider (CASP) from the Central Bank of Ireland, Ramp Network can now “passport” its services across all 27 EU member states. It replaces a fragmented patchwork of national VASP registrations with a single, harmonized rulebook, allowing for compliant, pan-European scaling.

For Onramper, MiCA presents a complex challenge. While Onramper claims exemption as a pure IT provider, MiCA explicitly regulates the “reception and transmission of orders for crypto-assets on behalf of clients.” If European regulators classify Onramper’s dynamic routing widget as actively receiving and transmitting retail orders to underlying gateways, Onramper could find itself reclassified as a CASP, instantly requiring licensing, capital reserves, and direct AML obligations. Furthermore, under MiCA’s strict consumer protection rules, aggregators must ensure that every gateway they route EU citizens to is fully MiCA-compliant, drastically shrinking the pool of available regulatory arbitrage.

Summary Table: Onramper vs. Ramp Network

| Feature | Onramper Technologies B.V. | Ramp Network (Ramp Swaps) |
| --- | --- | --- |
| Business Model | B2B Aggregator / Tech Layer | B2B2C Direct Fiat/Crypto Processor |
| Fiat/Crypto Custody | None (Routed to 3rd parties) | Direct handling and settlement |
| KYC / AML Execution | Handled by partner gateways | Handled in-house by Ramp |
| Regulatory Licenses | None (Software provider exemption) | UK FCA, US FinCEN MSB, EU CASP |
| MiCA Impact | Potential risk regarding “order transmission” rules | Highly positive; EU passporting enabled |
| RatEx42 Risk Signal | ORANGE (Elevated) | GREEN (High Confidence) |
| Primary Risk Factor | High-risk merchant routing (e.g., casinos) | External clone scams / Chargebacks |

Whistle42 Call to Action

The fiat-to-crypto gateway sector is evolving rapidly, and the line between software providers and financial transmitters is blurring. If you have insider information, merchant integration data, or evidence of regulatory circumvention regarding Onramper, Ramp Network, or any other crypto on/off-ramp, we want to hear from you. Help us expose the financial shadows. Submit your evidence anonymously via our Whistle42 secure portal today.

DDH honours the copyright of news publishers and, with respect for the intellectual property of the editorial offices, displays only a small part of the news or the published article. The information here serves the purpose of providing a quick and targeted overview of current trends and developments. If you are interested in individual topics, please click on a news item. We will then forward you to the publishing house and the corresponding article.
· Actio recta non erit, nisi recta fuerit voluntas ·