Following FinTelegram’s recent reporting on SOFTON LTD, Betzter, KingdomCasino and related offshore casino infrastructure, the FinTelegram platform has been hit by sustained email bombing and significant DDoS attacks. The attacks have temporarily affected access to the website. FinTelegram continues its reporting and will not be intimidated. Cyberattack Notice: FinTelegram Targeted by Email Bombing and DDoS Attacks After Softon Reports FinTelegram informs its readers, whistleblowers, sources and partners that the platform has been facing sustained cyberattacks following our recent reporting on SOFTON LTD, Betzter, KingdomCasino, and related offshore casino and payment infrastructure. Read our Softon reports here. Over the past days, FinTelegram has been confronted with a combination of email bombing and significant DDoS attacks. These attacks have, at times, made the FinTelegram website temporarily difficult or impossible to access for some readers. We have activated Cloudflare’s “Under Attack” mode and additional protective measures. While these measures help, the attacks remain disruptive. FinTelegram does not attribute responsibility for these attacks to any specific person, company or network at this stage. However, the timing is notable: the attacks started after FinTelegram intensified its reporting on the Softon casino cluster, including questions around Cyprus corporate structures, Anjouan licence claims, hidden cashier and PSP routes, player telemetry systems, open infrastructure leads, and EU consumer exposure. DDoS attacks and email bombing are not arguments. They are digital pressure tactics. Their purpose is usually simple: overload systems, disrupt access, intimidate journalists, and make public-interest reporting more difficult. They will not stop FinTelegram. In the coming days, FinTelegram will publish a comprehensive Softon Compliance Report, mapping the broader infrastructure around SOFTON LTD, related casino brands, telemetry systems, technical leads, unresolved payment routes, and regulatory questions. We ask our readers for patience if access to FinTelegram is temporarily disrupted. We are working to keep the platform online, preserve evidence, protect sources, and continue publication. To whistleblowers and insiders: your information remains essential. If you have documents, payment records, technical evidence, KYC/KYB files, corporate records, internal correspondence, casino cashier data, telemetry information, or knowledge about Softon, Betzter, KingdomCasino or related brands, please contact us securely via Whistle42. FinTelegram will continue to follow the rails — including the data rails, payment rails, corporate rails, and now the attack rails. Investigative journalism is not a crime. Cyber intimidation will not stop public-interest reporting. Share Information via Whistle42

Softon Ltd’s offshore casino is not only a licensing problem. Technical evidence reviewed by FinTelegram suggests that Betzter may also operate a player-behaviour intelligence stack capable of linking identity, session replay, account events and sportsbook infrastructure outside the EU’s licensed gambling perimeter. Betzter is not only a gambling-licence story. It is a data-protection story, a player-protection story, a behavioural-surveillance story, and a payment-transparency story. Betzter.com, publicly operated by Cyprus-registered SOFTON LTD (HE 463977), presents itself as an Anjouan-licensed online casino. But the compliance problem may go far beyond gambling licensing. According to technical evidence reviewed by FinTelegram, Betzter’s public application layer exposes a reported telemetry stack involving FullStory, Sentry Replay and Pusher / Laravel Echo private player-account channels. If confirmed, the configuration could enable identity-linked behavioural session recording, realtime balance and account-event tracking, and player-level profiling in an offshore casino environment outside the EU’s licensed gambling and self-exclusion perimeter. Key Findings Operator anchor confirmed. Betzter.com publicly identifies SOFTON LTD, Cyprus registration number HE 463977, Nicosia, Cyprus, as owner/operator. This is the cleanest legal-operator anchor currently available for Betzter. Anjouan licence claim, not EU market access. Betzter publicly displays an Anjouan licence/seal surface referencing ALSI-202409012-FI1 and a unique seal identifier. FinTelegram treats this as a confirmed public licence claim, not as confirmation of licence validity, scope, covered domains, or authorisation to serve regulated EU markets. Reported dual session-replay stack. Technical evidence reviewed by FinTelegram reports the presence of FullStory and Sentry Replay in the Betzter application layer. This finding should be treated as a technical-source lead pending independent reproduction and preservation. Reported Sentry masking concern. According to the technical source, Sentry Replay was configured with maskAllInputs:false, maskAllText:false and blockAllMedia:false. If confirmed, this would represent a high-risk configuration for an online casino environment, particularly where player identity or account context is present. Identity linkage risk. The reported FullStory integration checks or maps player.uuid and player.email, potentially converting behavioural telemetry into an account-linked player dossier rather than anonymous analytics. Realtime account-event stream. The Network Engineer Report identifies Pusher / Laravel Echo private player-account channel architecture, including playerAccount-style channels and account/betting event logic. This suggests that Betzter is not a static casino facade but a realtime account and player-event application. Sportsbook / infrastructure bridge. Sentry configuration references sptpub.com and ui.invisiblesport.com, creating a sportsbook/infrastructure bridge lead. This is not ownership proof, but it expands the data-perimeter and disclosure-target question. GDPR and player-protection risk. The central issue is not merely that Betzter appears to operate outside EU gambling licensing regimes. The further issue is whether EU players are being observed, replayed, profiled and account-linked by an offshore operator outside the official CRUKS/OASIS self-exclusion architecture. Payment and AML black box remains. The public/static evidence identifies visible payment-method branding but does not identify the cashier provider, PSP, merchant ID, gateway ID, connector ID, route UUID, acquirer or settlement bank. This makes the telemetry stack even more sensitive: player behaviour may be visible, while the supervised payment and KYC/CDD chain remains opaque. Executive Summary FinTelegram’s is currently investigating the casino operator SOFTON LTD: a Cyprus company, an Anjouan licence narrative, EU-facing casino access, and unresolved payment infrastructure. This first report addresses a second, under-reported layer: player surveillance infrastructure. According to technical evidence reviewed by FinTelegram, Betzter’s public application layer reportedly includes a combination of: FullStory behavioural session analytics; Sentry Replay error/session replay telemetry; Pusher / Laravel Echo realtime private player-account channels; player UUID and email-context logic; sportsbook/infrastructure markers referencing SPTPub and InvisibleSport. This architecture would allow reconstruction of what a player did, saw, clicked, typed, attempted, failed, deposited, lost, won or triggered at account-event level — while that player may be interacting with an offshore casino outside the EU’s licensed gambling perimeter. This is the core FinTelegram finding: The illegal-casino problem is only the first layer. The second layer is the behavioural-surveillance problem. An offshore operator that is not licensed in the Netherlands, Germany, Austria or other regulated EU markets may nevertheless maintain persistent player identities, session histories, behavioural patterns, balance updates and betting-event data. In other words, the operator may know the player in extraordinary detail — without being integrated into the official player-protection systems designed to protect that player. FinTelegram does not allege that SOFTON LTD has committed a criminal offence or that the telemetry was misused. The issue is the risk architecture: a high-risk gambling environment, reported identity-linked session replay, reported masking-disabled replay configuration, private realtime account channels, and an unresolved payment/KYC chain. That combination should concern data-protection authorities, gambling regulators, payment supervisors and consumer-protection agencies. Why Session Replay Matters In Online Gambling Session replay is not ordinary page analytics. Properly configured, it may help a website operator debug errors, improve user experience and detect friction. Poorly governed, it can reconstruct a user’s digital behaviour at individual-session level: clicks, scrolls, navigation paths, visible text, form interactions, error states and interface context. In ordinary e-commerce, that is already sensitive. In online gambling, it becomes far more serious. A casino session is not a normal shopping journey. It may reveal: impulsive betting behaviour; failed deposits; repeated failed bets; bonus-seeking or loss-chasing patterns; account balance changes; betting limits; session duration and late-night play; payment attempts; withdrawal friction; possible indicators of gambling disorder; identity-linked emotional or behavioural vulnerability. In a licensed environment, gambling regulators impose controls around player protection, responsible gambling, self-exclusion, affordability, AML and complaint handling. In an offshore casino environment, those protections may be absent or structurally weakened. That is why the reported Betzter stack matters. The Reported Player-Telemetry Stack Data LayerReported Tool / MechanismWhy It MattersEvidentiary StatusSession behaviourFullStoryPotentially reconstructs clicks, scrolls, navigation and user interaction sequenceTechnical-source leadError/session replaySentry ReplayReconstructs user sessions around errors and events; privacy depends heavily on masking configurationTechnical-source leadIdentity mappingplayer.uuid / player.emailMay convert behavioural telemetry into account-linked player dataTechnical-source leadRealtime account eventsPusher / Laravel Echo private channelsSupports balance updates, session events, failed-bet events and account-state signalsPrimary technical evidenceSportsbook bridgesptpub.com / ui.invisiblesport.comExtends the infrastructure/data perimeter beyond Betzter’s own domainPrimary technical leadPayment surfaceCard/crypto/alternative payment brandingPublic payment methods visible but cashier/PSP route remains undisclosedPrimary gapCashier/PSP routeUnknownMerchant ID, gateway ID, connector ID, acquirer and settlement path not visibleMissing nuclear evidence The critical point is the combination. A single analytics tool can be lawful and legitimate. Realtime account events can be normal. Error monitoring can be necessary. But when these tools operate together in an offshore casino environment, with reported identity mapping and unclear masking, the compliance risk changes. The system becomes capable of creating an identity-linked behavioural dossier on each player. GDPR Risk Assessment Assessed against Regulation (EU) 2016/679 as initial regulatory risk, not a legal opinion. Two parallel session-replay systems are hard to reconcile with data minimisation (Art. 5(1)(c)); a single, properly masked system would satisfy any UX or debugging purpose. The reported masking-disabled Sentry configuration runs against the expectation — expressed by the CNIL and other EU authorities — that individual-level session replay is high-risk processing requiring comprehensive masking and, ordinarily, prior consent (Art. 6). The reported absence of any consent or disclosure layer on the public surface is a material transparency concern (Arts. 13–14), and disabling masking by default inverts data-protection-by-default (Art. 25). Routing email/UUID to US processors is not unlawful per se. The EU–US Data Privacy Framework remains a valid adequacy decision — it survived the Latombe challenge before the General Court in September 2025 and is under appeal to the CJEU (Case C-703/25 P). Transfers are lawful where the recipient is DPF-certified or covered by SCCs plus a transfer impact assessment. The genuine risk is the absence of any disclosed transfer mechanism and FullStory’s public documentation still citing the defunct Privacy Shield rather than current DPF certification. Large-scale, systematic, identity-linked behavioural monitoring in a high-risk sector squarely triggers the Art. 35 DPIA obligation. Here are our questions in this context: 1. Lawful Basis The first question is simple: on what lawful basis does SOFTON LTD process session-replay and player-level behavioural telemetry? For a normal analytics cookie, consent may be required depending on local implementation and ePrivacy rules. For identity-linked session replay in a gambling context, legitimate interest becomes much harder to sustain without a detailed balancing test, clear disclosure, strict minimisation and robust masking. A high-risk offshore casino cannot treat behavioural session reconstruction as invisible background plumbing. 2. Transparency Players must be told what is being collected, by whom, for what purpose, for how long, and with whom the data is shared. If Betzter’s public surface does not clearly disclose the use of session replay, behavioural analytics, realtime account-event monitoring and processors such as FullStory, Sentry or Pusher, the transparency risk is serious. The fact that a tool is common in software development does not remove the controller’s GDPR transparency obligations. 3. Data Minimisation The reported dual-replay setup raises a basic minimisation question: Why would a casino need both FullStory and Sentry Replay running in parallel on player sessions? A single properly masked tool may be sufficient for debugging or user-experience analysis. Two overlapping systems may create redundancy, but redundancy is not the same as necessity. Under GDPR, the operator must be able to explain why the data is adequate, relevant and limited to what is necessary. 4. Masking and Data Protection by Default According to the technical source, Sentry Replay was configured with: maskAllInputs:false; maskAllText:false; blockAllMedia:false. If confirmed, this would be a major red flag. Sentry’s own privacy-oriented baseline masks text and blocks media by default. Turning masking and blocking off, especially in an online casino interface, materially increases the risk that player-visible text, account context, balance information, interface states or other sensitive data could be reconstructed. This does not prove that passwords, payment credentials or documents were captured. It does mean that the operator and processor must explain the configuration, masking rules, field exclusions and actual data captured. 5. DPIA Requirement Large-scale, systematic, identity-linked behavioural monitoring in an online gambling environment should trigger serious consideration of a GDPR Article 35 Data Protection Impact Assessment. The DPIA question is unavoidable: Was a DPIA conducted? Did it assess session replay? Did it assess identity mapping? Did it assess gambling vulnerability? Did it assess EU player exposure? Did it assess international transfers? Did it assess processor access? Did it assess retention and deletion? If no DPIA exists, that would be a significant governance failure. 6. International Transfers The transfer issue should be framed accurately. The use of U.S.-linked processors such as FullStory or Sentry is not automatically unlawful. The EU-U.S. Data Privacy Framework remains in force following the General Court’s September 2025 Latombe judgment, although an appeal is pending before the Court of Justice of the European Union. Transfers may be lawful where the recipient is DPF-certified or where Standard Contractual Clauses and a transfer impact assessment are properly implemented. The relevant question is not whether every U.S.-linked processor transfer is per se unlawful. The relevant question is whether SOFTON LTD disclosed the transfer mechanism, identified the processors, documented the legal basis, and implemented adequate masking and minimisation controls for high-risk gambling telemetry. GDPR Risk Rating Overall GDPR Risk: HIGH Escalation to CRITICAL if independently confirmed: Sentry Replay masking disabled; FullStory identity mapping to player.email and player.uuid; absence of player-facing disclosure or consent; absence of DPIA; broad processor access to EU-origin gambling behavioural data. Self-Exclusion and Player-Protection Risk The concern is not that the telemetry stack proves active circumvention of CRUKS or OASIS. The concern is more structural. CRUKS in the Netherlands and OASIS in Germany are official self-exclusion frameworks within licensed gambling markets. Offshore operators outside those licensed perimeters are typically not integrated into these systems. If Betzter reaches EU players without local licences, it sits outside the very protection architecture designed to prevent self-excluded or vulnerable individuals from gambling. At the same time, according to the technical evidence reviewed by FinTelegram, the operator may maintain its own persistent player identity, session history and account-event stream. This creates the paradox: The regulator may not see the player — but the offshore casino may see everything. A player excluded from a licensed market could still be tracked by an offshore operator through email, UUID, session replay, account events and behaviour patterns. That does not prove exploitation. It does show why unlicensed casino telemetry is a consumer-protection problem, not merely a privacy topic. Player-Protection Risk Rating HIGH The risk is highest where the same system can identify player behaviour, account state, betting failures, balance changes, and session patterns without being subject to licensed-market responsible-gambling controls. AML and Payment-Transparency Risk The AML concern is not that session replay is a laundering tool. The concern is that the same environment which appears capable of maintaining identity-linked behavioural and account-event data does not disclose, at public level, the supervised payment, KYC/CDD, merchant-of-record and settlement chain. The Network Engineer Report identifies a payment black box: payment methods are visible; cashier provider not identified; PSP not identified; MID not identified; gateway ID not identified; connector ID not identified; route UUID not identified; acquirer not identified; Apple Pay merchant ID not identified. In an offshore gambling environment, this opacity prevents external assessment of whether player identity, deposits, withdrawals, AML risk signals, chargebacks, refunds and complaints are subject to proper regulated monitoring. A licensed operator should be able to explain who processes payments, who holds merchant accounts, what merchant category code is used, who performs KYC/CDD, and which regulator supervises the payment chain. AML / Payment Risk Rating MEDIUM–HIGH The high component is structural: offshore gambling, visible payment surface, hidden payment route, and identity-linked account architecture. The telemetry-specific AML inference remains medium-confidence until payment and KYC flows are obtained. The SPTPub / InvisibleSport Perimeter Question The Network Engineer Report identifies references to sptpub.com and ui.invisiblesport.com in the Betzter technical layer. It also identifies api.sptpub.com resolving to a direct Hetzner infrastructure lead in Germany. This matters for privacy and compliance because it expands the perimeter. A player may believe they are interacting with Betzter. In technical terms, the application may involve multiple infrastructure and telemetry parties. Without processor disclosure, contractual transparency and data-flow mapping, neither players nor regulators can assess: who receives data; who controls the processing; which processors are involved; where data is hosted; what retention applies; whether data is used across brands; whether sportsbook, casino, CRM and payment systems share identifiers. FinTelegram does not claim that SPTPub or InvisibleSport owns Betzter. They are disclosure targets. Regulatory Referral Recommendations Dutch Autoriteit Persoonsgegevens The AP should assess whether Dutch data subjects are exposed to session replay, identity-linked behavioural telemetry or private account-event monitoring by an offshore casino operator outside the licensed Dutch gambling perimeter. Cypriot Commissioner for Personal Data Protection SOFTON LTD is a Cyprus company. The Cypriot data protection authority should assess controller status, processor disclosures, DPIA, session-replay safeguards, transfer mechanisms, and whether the one-stop-shop framework is applicable. Irish Data Protection Commission If FullStory, Sentry or other processors rely on an Irish establishment for EU processing operations, the DPC may be relevant for processor-side compliance, transfer documentation and cross-border coordination. Dutch Kansspelautoriteit The KSA should assess whether Betzter reaches Dutch consumers without a Dutch licence and whether its telemetry architecture creates additional risks for self-excluded or vulnerable players outside CRUKS. German GGL The GGL should assess the German self-exclusion and player-protection dimension, including whether German players can access Betzter or related brands outside the OASIS framework. European Data Protection Board The EDPB should consider the broader policy issue: session replay and identity-linked behavioural monitoring in unlicensed or offshore gambling environments that serve EU data subjects. Europol EC3 EC3 should be notified of the broader cyberfinancial structure: offshore casino, Cyprus operator, direct infrastructure lead, telemetry stack, undisclosed payment route, and potential cross-brand operational pattern. Questions for SOFTON LTD / Betzter Does SOFTON LTD confirm that it operates Betzter.com? Which domains and casino brands are operated by SOFTON LTD? What licence covers Betzter, and which domains and markets are included? Does Betzter use FullStory? Does Betzter use Sentry Replay? Does Betzter use Pusher / Laravel Echo private player-account channels? What data fields are mapped to session replay or behavioural analytics? Is player.email mapped to FullStory or Sentry context? Is player.uuid mapped to FullStory or Sentry context? Are session-replay fields masked by default? Why are two session-replay or replay-like tools necessary? Was a GDPR Article 35 DPIA conducted? Which processors receive player behavioural data? Which international transfer mechanisms apply? What is the retention period for session replay and player-event data? Are EU players informed before session recording begins? Which PSP, cashier, acquirer and payment gateway process deposits? What safeguards exist for self-excluded or vulnerable players? Coming Next: The Full Softon Compliance Report This Betzter telemetry review is only one layer of a broader FinTelegram investigation. In the coming days, FinTelegram will publish an extensive Softon Compliance Report mapping the wider casino infrastructure around SOFTON LTD, including its Cyprus corporate structure, Anjouan licence narrative, related casino brands, SPTPub/InvisibleSport infrastructure leads, Hetzner-hosted API exposure, unresolved cashier and PSP routing, and the broader question of how offshore casino operators use EU-facing corporate, data and payment infrastructure while remaining outside national gambling supervision. The upcoming report will not focus on one casino skin alone. It will examine the machinery behind the brand: operator anchors, player telemetry, sportsbook infrastructure, hidden payment routes, regulatory gaps and the providers that may hold the missing evidence. FinTelegram invites insiders, payment providers, hosting providers, telemetry vendors, former employees and affected players to submit information via Whistle42 before publication. Whistleblower Call — Whistle42 Do you have first-hand knowledge of SOFTON LTD, Betzter, FullStory, Sentry, Pusher, SPTPub, InvisibleSport, the Betzter cashier, or the payment/KYC architecture behind this casino cluster? FinTelegram is seeking: unminified JavaScript; browser network captures; session-replay configuration evidence; FullStory, Sentry or Pusher account screenshots; processor agreements; DPIAs; data processing agreements; payment routing records; cashier provider data; PSP contracts; merchant IDs; gateway IDs; connector IDs; route UUIDs; KYC/CDD records; internal responsible-gambling logs; customer complaint and refund records; evidence of cross-brand telemetry reuse. Confidential submissions can be made via Whistle42, FinTelegram’s secure whistleblower channel. Sources may remain anonymous. Verifiable technical evidence is especially valuable because it allows FinTelegram to upgrade leads into confirmed findings under its evidentiary standards. Share Information via Whistle42

How a Curaçao-linked casino environment, a Cyprus-facing payment vehicle, recurring fiduciary-service providers, and open-banking payment leads raise urgent questions for EU gambling, AML, and PSD2 supervisors. 2-Minutes Briefing FinTelegram has reviewed Cyprus registry documents, whistleblower submissions, open-source casino disclosures, and correspondence concerning Trueluck Casino, Gadzooks Limited, and a recurring fiduciary-service structure in Larnaca, Cyprus. The available records identify Gadzooks Limited — a Cyprus private company registered under HE 438503 — as a Cyprus-facing vehicle within the Luckywayz casino environment. Registry filings reviewed by FinTelegram show that Gadzooks was previously wholly owned by Luckywayz Limited B.V., a Curaçao entity, before a minority shareholding was transferred to Richard John Green, a UK national resident in Malta, on 31 May 2024. The documents further show that Georgia Nikoletti, formally described in Cyprus registry filings as ΥΠΑΛΛΗΛΟΣ — employee — was appointed sole director of Gadzooks Limited on 10 October 2023. On the same date, P.Z.T. Services Ltd became corporate secretary, while the previous director and secretary were removed. This coordinated fiduciary handover mirrors patterns identified by FinTelegram in other casino-linked Cyprus structures. The significance of this third instalment is not that one more offshore casino brand has surfaced. It is that the available registry pattern points to a recurring Larnaca-based fiduciary hub servicing multiple casino-linked Cyprus vehicles connected to offshore ownership structures, EU-facing payment flows, and open-banking payment rails. Whistleblower material further alleges a three-layer payment architecture involving PAYTECH LTD as a possible routing/orchestration layer, Yapily / Yapily Connect UAB as an open-banking front-end, and ISX Financial EU PLC as a potential banking or EMI endpoint. FinTelegram has not independently verified the alleged PAYTECH or ISX links and treats them as investigative leads requiring confirmation through payment records, KYB files, settlement reports, or right-of-reply responses. The Yapily element is supported by correspondence reviewed by FinTelegram, but the precise merchant, platform, or partner relationship through which the transactions allegedly entered Yapily’s rails remains to be established. FinTelegram makes no allegation of personal wrongdoing against registered directors, employees, lawyers, corporate-service providers, or named individuals. The issue is structural: whether Cyprus corporate-service infrastructure, Curaçao ownership, nominee-style directorships, and EU payment rails are being combined in a way that enables offshore casino operators to reach restricted EU markets while obscuring beneficial ownership, merchant responsibility, and consumer remedies. Key Data Table: Trueluck / Gadzooks / Larnaca Fiduciary Hub CategoryName / IdentifierJurisdictionRole in the caseEvidence statusCompliance relevanceCasino brandTrueluck / Trueluck CasinoOnline / offshoreCasino brand referenced in whistleblower material and public casino disclosuresCorroborated as a brand; operator attribution appears inconsistent across public sourcesPossible EU-facing offshore gambling exposureCyprus vehicleGadzooks LimitedCyprusCyprus-facing vehicle linked to Luckywayz casino environment and payment-agent disclosuresRegistry-established / strong OSINT corroborationCentral corporate node in Part 3Company numberHE 438503CyprusRegistration number of Gadzooks LimitedRegistry-establishedKYB / registry anchorFormer / majority shareholderLuckywayz Limited B.V.CuraçaoCuraçao casino entity previously holding 100% of Gadzooks; retained majority after share transferRegistry-established in HE57 filing reviewed by FinTelegramOffshore parent / ownership layerShare transfer100 of 900 ordinary shares transferred to Richard John GreenCyprus / Malta / UKMinority shareholding of approx. 11.1% transferred on 31 May 2024Registry-established in HE57 filing reviewed by FinTelegramRequires rationale, consideration, and relationship explanationMinority shareholderRichard John GreenUK national / Malta addressNew minority shareholder of Gadzooks LimitedRegistry-established; commercial role unknownOpen beneficial-interest questionSole directorGeorgia NikolettiCyprusSole director of Gadzooks Limited; also appears in another pillar according to reviewed registry recordsRegistry-established in documents reviewed by FinTelegramRecurring employee-director patternCorporate secretaryP.Z.T. Services LtdCyprusAppointed secretary of Gadzooks on 10 October 2023Registry-establishedRecurring fiduciary-service providerCorrespondence / filing agentPotens Corporate Services LtdCyprusCorrespondence agent for filings at Larnaca addressRegistry-established in documents reviewed by FinTelegramAdministrative hub indicatorPrevious secretaryNexellence Fiduciary Services LtdCyprusRemoved during 10 October 2023 handoverRegistry-establishedShows coordinated fiduciary migrationPrevious directorAfroditi KittouCyprusRemoved during 10 October 2023 handoverRegistry-establishedPart of director replacement eventAlleged principalPanayiotis / Panos ToulourasCyprusWhistleblower alleges link to P.Z.T. / fiduciary hubUnverified whistleblower leadMust remain framed as allegation pending registry/UBO proofOpen-banking providerYapily / Yapily Connect UABUK / Lithuania / EEAAlleged open-banking rails used in payment flowPartially corroborated through correspondence on filePSD2 / PIS / AIS monitoring questionAlleged routing layerPAYTECH LTD / pay.techCyprus or payment-tech environmentAlleged white-label routing/orchestration layerUnverified whistleblower leadRequires contracts, payment logs, KYB filesAlleged EMI endpointISX Financial EU PLCCyprus / EU EMI environmentAlleged banking or EMI endpointUnverified whistleblower leadRequires settlement and merchant-record verification Methodology and Evidence Grading This report draws on: Cyprus registry documents reviewed by FinTelegram concerning Gadzooks Limited, P.Z.T. Services Ltd, Potens Corporate Services Ltd, and related filings; Form HE4 and HE57 filings concerning director/secretary changes and share transfers; Whistleblower submissions concerning Trueluck, payment flows, and customer complaints; Correspondence reviewed by FinTelegram concerning Yapily’s handling of an affected player complaint; Public casino-facing and open-source material concerning Trueluck, Luckywayz, Gadzooks, and related brand disclosures; Prior FinTelegram reporting on the first two pillars of the Cyprus casino payment-tech cluster. FinTelegram distinguishes between: Registry-established facts — based on official corporate filings reviewed by FinTelegram; Casino-facing evidence — based on website disclosures, casino terms, public brand pages, or payment-agent statements; Correspondence on file — based on communications reviewed by FinTelegram; Whistleblower leads — credible but not yet independently verified allegations; Compliance analysis — FinTelegram’s interpretation of the risk implications. No statement in this report should be read as an allegation of proven criminal conduct by any named person or entity. Introduction: The Third Pillar Under Review On 9 May 2026, FinTelegram reported how Dutch forensic action exposed the HolyLuck / InstantCasino cluster — a set of casino brands operating through shared infrastructure and linked to Dutch consumer losses. On 27 May 2026, FinTelegram identified the second pillar: Mega.bet, connected through Belize parent Global Nexus Ltd and Cyprus vehicle IMMIX Solutions Ltd, with a recurring fiduciary-service pattern. This third instalment concerns Trueluck Casino and Gadzooks Limited. Read our HolyLuck reports here. The documented overlaps now make coincidence increasingly difficult to maintain as the sole explanation. The available registry pattern points to a recurring Larnaca fiduciary hub in which Cyprus companies connected to offshore casino ownership structures are administered through overlapping secretarial, correspondence, and employee-director arrangements. The central issue is not merely whether one casino brand is licensed or unlicensed. The issue is whether Cyprus-based corporate-service infrastructure is being used to create EU-facing companies that sit between offshore casino operators, European consumers, and regulated payment rails. Trueluck Casino and Gadzooks Limited Publicly available Trueluck operator attribution is not fully consistent across sources. Some sources and disclosures connect the environment to Luckywayz Limited B.V., while others refer to different operator entities or jurisdictions. This inconsistency is itself a compliance red flag, suggesting possible brand fragmentation, affiliate mirrors, operator rotation, or uneven disclosure standards. FinTelegram therefore treats Gadzooks Limited as a Cyprus-facing vehicle linked to the Luckywayz / Trueluck casino environment, rather than asserting at this stage that Gadzooks is the definitive legal operator of Trueluck Casino in every context. That said, registry and payment-agent disclosures reviewed by FinTelegram establish a significant structural connection: Gadzooks Limited is a Cyprus company registered under HE 438503; The company was previously wholly owned by Luckywayz Limited B.V. of Curaçao; On 31 May 2024, 100 of 900 ordinary shares were transferred to Richard John Green, a UK national registered with an address in Birgu, Malta; After the transfer, Luckywayz retained approximately 88.9% of Gadzooks Limited; Gadzooks appears in public casino-payment contexts as a Cyprus payment agent or payment-processing vehicle in the Luckywayz casino environment. This structure creates an obvious question for banks, PSPs, EMIs, and open-banking providers: when onboarding or processing for Gadzooks Limited, did they treat it as an ordinary Cyprus company, or did they identify the underlying offshore casino exposure, Curaçao ownership, and restricted-market gambling risk? The Share Shuffle: Curaçao Ownership and a Malta-Based UK Minority Shareholder Form HE57, the share-transfer filing dated 31 May 2024 and reviewed by FinTelegram, records that Luckywayz Limited B.V. held all 900 ordinary shares of Gadzooks Limited. The filing documents the transfer of 100 ordinary shares — approximately 11.1% — to Richard John Green, a UK national described as a businessman with an address in Birgu, Malta. The filing establishes a registry-confirmed structural link between a Curaçao casino entity and an EU-facing Cyprus company. What remains open is the commercial rationale for the minority stake: What consideration was paid? Why was the transfer made in May 2024? Was the transfer connected to licensing, banking, payment onboarding, governance, or risk distribution? Does Mr Green exercise any operational, advisory, or beneficial role? Was the transfer disclosed to PSPs, banks, open-banking providers, or casino counterparties? FinTelegram invites Mr Green and Gadzooks Limited to provide clarification. The Officer Structure: Coordinated Fiduciary Handover Form HE4 records that on 10 October 2023, Georgia Nikoletti was appointed sole director of Gadzooks Limited and P.Z.T. Services Ltd was appointed corporate secretary. The same filing records the simultaneous resignation of the previous secretary, Nexellence Fiduciary Services Ltd, and the previous director, Afroditi Kittou. This was not a random administrative update. It was a coordinated fiduciary handover: director and secretary changed on the same day, with the company moving into the P.Z.T. orbit. A secretary’s certificate signed by P.Z.T. Services Ltd on 31 May 2024 confirms that the HE57 share transfer reflected the register maintained at the company’s registered office, placing P.Z.T. Services Ltd at the administrative centre of the ownership change. Correspondence for the relevant filings was handled by Potens Corporate Services Ltd, Leoforos Archiepiskopou Makariou III 84, Shop/Office 1, Larnaca, the address that recurs throughout FinTelegram’s Cyprus casino payment-tech series. The Nominee-Style Director Pattern Across the three pillars investigated by FinTelegram, the registry record shows a recurring personnel and fiduciary-service pattern: Georgia Nikoletti — registry occupation: ΥΠΑΛΛΗΛΟΣ, i.e., employee — appears as sole director of Gadzooks Limited and, according to documents reviewed by FinTelegram, also directs IMMIX Solutions Ltd, the Cyprus vehicle linked to the Mega.bet pillar. Artem Rak appears as director of S.I.L.V.E.R Veil Group Ltd, the processing vehicle connected to the InstantCasino / HolyLuck pillar. Secretarial and correspondence functions repeatedly involve P.Z.T. Services Ltd, Potens Corporate Services Ltd, or related Larnaca corporate-service infrastructure. Ownership sits with offshore Curaçao or Belize structures. To be clear: FinTelegram makes no allegation of personal wrongdoing against Ms Nikoletti, Mr Rak, or any individual employee. The observation is structural. Where a sole director is formally described in registry filings as an employee, this raises the question whether such person can, in practice, exercise the independent oversight, mind-and-management, and fiduciary judgment that directorship under Cyprus company law presupposes. The compliance consequences are serious. Beneficial-ownership registers are only as good as their inputs. When a registered director is an employee, the shareholder is an offshore company, and the actual commercial activity is high-risk gambling, KYB checks that stop at the face of the registry risk recording form rather than substance. Under the EU AML framework, obliged entities must identify the natural persons who ultimately own or control the customer. A structure that results in no operational controller appearing in any EU registry should trigger enhanced due diligence, not routine onboarding. The Larnaca Fiduciary Hub The documented facts are narrower than the broadest whistleblower allegations, but they are significant. P.Z.T. Services Ltd, Potens Corporate Services Ltd, and multiple casino-linked Cyprus vehicles are associated through recurring filings, secretarial roles, correspondence roles, and the address at Leoforos Archiepiskopou Makariou III 84, Larnaca. The coordinated migrations of secretarial control into P.Z.T. Services Ltd — from other fiduciary-service providers in multiple casino-linked vehicles — point to deliberate, centralised restructuring rather than random administrative movement. FinTelegram therefore treats the Larnaca address and P.Z.T./Potens pattern as a fiduciary hub indicator. It is not yet proof of ultimate control, beneficial ownership, or operational command. Those questions require access to UBO filings, client files, banking records, internal service agreements, and regulatory responses. The Toulouras Lead: Person of Interest, Not Established Controller Whistleblower submissions reviewed by FinTelegram identify Panayiotis / Panos Toulouras, a Cyprus attorney, as the alleged principal behind P.Z.T. Services Ltd and the wider Larnaca fiduciary hub. FinTelegram has not independently verified this allegation. FinTelegram does not currently hold a registry document naming Mr Toulouras as owner, director, or controller of P.Z.T. Services Ltd. Nothing in this report should be read as asserting that Mr Toulouras controls P.Z.T. Services Ltd, Gadzooks Limited, or the casino-payment network. What is documented is narrower: entities associated with the Larnaca hub and companies said by whistleblowers to be connected to Toulouras appear in the same geographic and fiduciary-service context. This creates a legitimate verification question that Cyprus authorities, with full registry, UBO, AML-supervision, and professional-conduct access, should be able to resolve. Mr Toulouras is invited to respond. FinTelegram will publish any substantive reply. The Payment Architecture: PAYTECH, Yapily, and ISX Financial Whistleblower material describes a three-layer payment system allegedly moving EU consumer funds into the Trueluck / Gadzooks environment. Each layer carries a different evidentiary weight. Layer A — PAYTECH LTD / pay.tech Status: whistleblower lead — unverified PAYTECH is described by whistleblowers as a white-label routing and smart-orchestration layer capable of connecting high-risk merchants to multiple payment providers, gateways, and settlement endpoints. FinTelegram has not independently verified a contractual relationship between PAYTECH LTD and Gadzooks Limited, Trueluck, Luckywayz, or the wider casino cluster. The key questions are: Did PAYTECH provide checkout, routing, orchestration, cascading, or merchant-technical services to any entity in the Trueluck / Luckywayz / Gadzooks environment? What is PAYTECH’s regulatory status? Which PSPs, EMIs, banks, PISPs, or acquirers did it connect to? Did it process or route transactions for unlicensed-in-market casino operators? PAYTECH is invited to clarify its role. Layer B — Yapily / Yapily Connect UAB Status: partially corroborated — correspondence on file Whistleblower material and correspondence reviewed by FinTelegram indicate that open-banking rails associated with Yapily were involved in an affected player’s payment flow. Yapily’s own position, as reflected in correspondence reviewed by FinTelegram, is that it is an API infrastructure provider facilitating Account Information Services and Payment Initiation Services. Yapily states that it does not open bank accounts, hold funds, control customer funds, intervene in payments, or determine the account information relating to a particular transaction. That may accurately describe the payment-initiation plumbing. But it does not answer the core compliance question: through which merchant, platform, or partner relationship did the alleged Gadzooks / Trueluck payment flows enter Yapily’s rails, and what merchant-use-case monitoring was applied? FinTelegram does not assert at this stage that Yapily directly onboarded Trueluck, Gadzooks, or Luckywayz as a merchant. The relevant question is broader and more precise: How did a gambling-related payment flow connected to an offshore casino environment allegedly pass through regulated open-banking infrastructure, and what controls were applied at onboarding and during monitoring? Layer C — ISX Financial EU PLC Status: whistleblower lead — unverified Whistleblower material alleges that ISX Financial EU PLC, an EU-licensed electronic money institution, may have acted as a banking or EMI endpoint in the payment architecture. FinTelegram has not independently verified this allegation. The open questions are: Did ISX Financial maintain accounts, settlement relationships, merchant relationships, or technical integrations connected to Gadzooks Limited, Luckywayz, Trueluck, PAYTECH, or related casino brands? If so, what KYB was performed? Was Luckywayz Limited B.V. identified as majority shareholder of Gadzooks? What merchant category coding and transaction descriptors were used? Were gambling-risk, Curaçao-ownership, and restricted-market indicators escalated? ISX Financial is invited to respond. Yapily’s Compliance Response: Denial, Closure, Acknowledgement, Silence The sequence described in correspondence reviewed by FinTelegram is concerning. According to the correspondence, when first contacted by an affected player about transactions linked to the Trueluck / Gadzooks environment, Yapily’s compliance function stated that it could not locate the transactions in its system and did not know who the payment operator was. In the same communication, the complaint was treated as closed, while the player was invited to provide further information and informed of escalation rights. When the player later provided bank-certified transaction metadata explicitly identifying Yapily in the data-exchange chain, the company acknowledged activity and said the matter had been escalated for internal review. According to the whistleblower, no substantive follow-up has since been received. If accurately reflected by the correspondence reviewed by FinTelegram, the sequence is consistent with what consumers experience as a systemic compliance failure: initial denial, reversal under documentary pressure, internal escalation, and subsequent silence. The issue is not whether Yapily held the funds. The issue is whether regulated open-banking infrastructure was used in a payment flow connected to an offshore casino environment, and whether Yapily’s onboarding, partner monitoring, transaction visibility, complaint handling, and suspicious-activity procedures were adequate. Dutch Market and CRUKS: The Consumer-Protection Gap Publicly available material and whistleblower submissions suggest that Trueluck appears to reach Dutch-speaking players. FinTelegram has also reviewed material suggesting that affected players in the Netherlands were able to deposit through payment methods presented in the casino environment. The CRUKS point must be framed precisely. CRUKS is the Dutch self-exclusion register within the Dutch licensed gambling perimeter. Offshore operators that do not hold a KSA licence are typically outside that protection architecture. That is precisely the problem. If Trueluck or related domains reached Dutch consumers without a KSA licence and without CRUKS integration, then Dutch self-excluded players may have been exposed to a casino environment outside the very safeguards designed to protect them. This is not merely a technical licensing issue. It is a consumer-protection failure created by cross-border regulatory arbitrage. The relevant question for the Dutch Kansspelautoriteit is therefore not only whether Trueluck has a KSA licence. The question is whether the operator, affiliates, payment providers, and technical intermediaries enabled Dutch player acquisition, deposits, and losses despite the Dutch regulatory perimeter. EU Regulatory Dimension: A Licensing-Circumvention Architecture? The Curaçao → Cyprus → EU structure has the characteristics of a licensing-circumvention architecture. National regimes such as the Dutch KSA / CRUKS framework regulate gambling access and consumer protection. Payment regulation captures the institutions that move money. AML regulation requires identification of ultimate beneficial owners, business purpose, source of funds, and suspicious activity. The cluster’s architecture appears to split these responsibilities: the offshore parent holds gambling rights or claims offshore licensing; the Cyprus vehicle presents an EU-facing corporate layer; the employee-director and fiduciary-service provider create a formal local governance structure; the open-banking provider supplies payment-initiation infrastructure; the gateway or orchestration layer may route transactions; the EMI or banking endpoint may settle funds; each layer can argue that compliance responsibility lies elsewhere. EU law does not permit regulated firms to outsource responsibility into invisibility. Yapily, as a regulated PISP or AIS/PIS provider, ISX Financial, if involved, as an EMI, and any payment-orchestration provider, if regulated or contractually responsible, each face independent obligations around onboarding, KYB, AML monitoring, suspicious-activity escalation, and use-case control. Where the ultimate commercial activity is offshore-licensed casino gambling targeting restricted markets, every regulated institution in the chain faces the same question: What did you know, what should your KYB have revealed, and what did you report? Regulatory Questions Triggered by the Restructurings The 10 October 2023 coordinated handover of Gadzooks Limited into the P.Z.T. orbit, and similar fiduciary migrations identified in other pillars, should have triggered enhanced scrutiny by every regulated institution dealing with these companies. For banks, EMIs, PSPs, PISPs, auditors, and corporate-service providers, such a change is not routine when the customer is connected to offshore gambling activity. Key questions include: Was the director change reviewed as a material change in governance? Was the secretary change reviewed as a change in control environment? Was the offshore owner identified and risk-rated? Were casino activities disclosed to banks and payment providers? Were restricted-market risks identified? Were Dutch, Belgian, Austrian, German, Italian, or other EU consumer flows detected? Were SARs / STRs filed where required? If the answer is “no,” the issue is not only the casino. It is the entire compliance chain. Compliance Risk Assessment Risk categoryRatingIndicatorsOpen questionsAML / beneficial ownershipHighCuraçao ownership, Cyprus vehicle, employee-director, recurring fiduciary hubWho ultimately controls the structure and receives the proceeds?Gambling regulationHighOffshore licence environment, Dutch-facing signals, no apparent KSA licenceWhich EU markets were targeted and by whom?Payment servicesHighAlleged open-banking payment flows, possible gateway/orchestration layer, potential EMI endpointWhich entity was the merchant of record and which regulated firms processed the flows?Consumer protectionHighReported Dutch player exposure, CRUKS perimeter gap, refund/withdrawal complaintsWhat remedies exist for self-excluded or restricted-market players?Corporate governanceHighSole employee-director, offshore shareholder, fiduciary-service handoverWas there real mind and management in Cyprus?Professional-services riskElevatedP.Z.T./Potens recurrence, Larnaca address, alleged attorney involvementWho owns/controls the service providers and what due diligence was performed?Yapily-specific issueElevatedInitial denial, later acknowledgement after bank metadata, alleged silenceWhat did Yapily’s internal review conclude?PAYTECH / ISX leadsUnverified but significantWhistleblower allegationsRequire contracts, payment logs, settlement files, and right of reply Key Questions for Regulators and Financial Institutions Cyprus Registrar of Companies / CySEC / MOKAS Who are the beneficial owners of P.Z.T. Services Ltd and Potens Corporate Services Ltd according to UBO filings? What declared economic activity does Gadzooks Limited report? Is the declared activity consistent with a Cyprus company acting as payment agent or payment vehicle for an offshore casino? Have UBO filings for Gadzooks Limited, IMMIX Solutions Ltd, and S.I.L.V.E.R Veil Group Ltd been verified against economic substance? Were the coordinated director/secretary changes reviewed by any AML supervisor? Dutch Kansspelautoriteit (KSA) What is the enforcement status of Trueluck, Luckywayz, Gadzooks-linked casino brands, and associated domains with respect to the Dutch market? Has the KSA reviewed Dutch-language acquisition funnels, affiliate pages, and payment methods? Have payment-blocking or affiliate-enforcement measures been initiated? Have Dutch self-excluded players reported losses through these brands? Yapily / Yapily Connect UAB Through which merchant, platform, or partner relationship did the alleged Gadzooks / Trueluck payment flows enter Yapily’s rails? What KYB and use-case review was performed? Was the relevant payment flow classified as gambling-related? What merchant category coding, descriptor, or payment-purpose data was available? Why did the initial response reportedly state that no transactions could be found? What was the outcome of the escalated internal investigation? Were suspicious-activity reports filed? ISX Financial EU PLC Did ISX Financial provide accounts, settlement services, EMI services, or payment infrastructure to Gadzooks, Luckywayz, Trueluck, PAYTECH, or related entities? What KYB was performed? Was Luckywayz Limited B.V. identified as the majority shareholder of Gadzooks? What merchant category coding and descriptors were used? Were restricted-market gambling risks identified? PAYTECH LTD Does PAYTECH maintain any contractual or technical relationship with Gadzooks Limited, Trueluck, Luckywayz, or related casino brands? What regulatory status does PAYTECH hold? Did PAYTECH provide smart routing, checkout, cascading, provider-switching, or payment-orchestration services? Which PSPs, EMIs, PISPs, banks, or acquirers were connected? Cyprus Bar Association What professional-conduct rules apply to attorneys who own, control, advise, or operate corporate-service providers administering high-risk offshore gambling vehicles? How are conflicts, nominee-director arrangements, and AML obligations supervised? Is there an obligation to re-evaluate client risk when a company moves into casino/payment activity after incorporation? Call for Whistleblowers FinTelegram seeks information from current and former insiders across all three pillars of this cluster, including: employees, contractors, and former staff of P.Z.T. Services Ltd, Potens Corporate Services Ltd, Nexellence Fiduciary Services Ltd, Maricorp, Gadzooks Limited, IMMIX Solutions Ltd, S.I.L.V.E.R Veil Group Ltd, Luckywayz Limited B.V., or related entities; persons asked to serve as directors, shareholders, secretaries, nominee officers, or signatories of client companies; payment, PSP, EMI, open-banking, or compliance staff at PAYTECH, Yapily, ISX Financial, or any institution that processed flows for Gadzooks, IMMIX, S.I.L.V.E.R Veil, Trueluck, Mega.bet, HolyLuck, InstantCasino, or related brands; affiliates or operators with knowledge of traffic routing, Dutch-language campaigns, mirror domains, withdrawal blocking, or player complaint handling. FinTelegram is especially interested in: internal contracts and service agreements; KYB/KYC files; beneficial-ownership records; payment logs and settlement reports; bank or EMI statements; payment-session metadata; Yapily / PISP transaction identifiers; merchant category coding; internal compliance escalations; withdrawal-handling instructions; affiliate traffic reports; correspondence with regulators or payment providers. Information can be shared securely and anonymously via Whistle42, FinTelegram’s whistleblower platform. FinTelegram protects its sources and treats whistleblowing on cross-border financial-crime and consumer-protection risks as public-interest reporting. Persons and entities named in this report are invited to respond. Substantive replies, corrections, or clarifications will be published. Share Information via Whistle42 Sources: A. Corporate Registry Documents — Primary Sources [01] | A — Corporate Registry | Cyprus Department of Registrar of Companies — company extract for Gadzooks Limited: company profile, status (Active), registered objects, registered office, officer listing as at date of extract | Cyprus Department of Registrar of Companies and Intellectual Property | Date of extract to be confirmed | Accessed via Cyprus Registrar of Companies; [02] | A — Corporate Registry | Estonian e-Business Register entry for Kaspela Labyrinth OÜ (registry code 16837533) — cross-border network indicator | Estonian e-Business Register (RIK) | Date of extract to be confirmed | Accessed via Estonian e-Business Register; | Primary — registry/official document [03] | A — Corporate Registry | Cyprus registry entries for P.Z.T. Services Ltd (HE 388858) and Potens Corporate Services Ltd — referenced as corporate secretary and correspondence agent respectively | Cyprus Department of Registrar of Companies and Intellectual Property B. Statutory Filings and Corporate Documents — Primary Sources [04] | B — Statutory Filing | Form HE57 (Share Transfer, Companies Law Cap. 113, s. 113A) for Gadzooks Limited (HE 438503) — transfer of 100 ordinary shares from Luckywayz Limited B.V. (Abraham de Veerstraat 9, Curaçao; 900/900 shares pre-transfer) to Richard John Green (occupation: επιχειρηματίας/businessman; UK national; address in Birgu, Malta); post-transfer ownership approx. 88.9% Luckywayz / 11.1% Green; correspondence agent Potens Corporate Services Ltd, Leoforos Archiepiskopou Makariou III 84, Shop 1, Larnaca; signed 25 June 2024 | Gadzooks Limited / Cyprus Registrar of Companies | Transfer dated 31 May 2024; filing signed 25 June 2024 [05] | B — Statutory Filing | Form HE4 (Notification of Change of Officers, Companies Law Cap. 113, s. 192) for Gadzooks Limited (HE 438503) — (i) appointment of Georgia Nikoletti (registry occupation: ΥΠΑΛΛΗΛΟΣ/employee) as sole director; (ii) appointment of P.Z.T. Services Ltd (HE 388858) as corporate secretary; (iii) simultaneous resignation of prior secretary Nexellence Fiduciary Services Ltd (HE 390100) and prior director Afroditi Kittou — all effective 10 October 2023; correspondence agent Potens Corporate Services Ltd; signed 19 October 2023 | Gadzooks Limited / Cyprus Registrar of Companies | Changes effective 10 October 2023; filing signed 19 October 2023 | [06] | B — Statutory Filing | Secretary’s Certificate (Βεβαίωση Γραμματέα) for Gadzooks Limited (HE 438503) — confirms the HE57 share transfer of 31 May 2024 is fully reflected in the register maintained at the company’s registered office; signed by P.Z.T. Services Ltd as secretary | P.Z.T. Services Ltd (as secretary of Gadzooks Limited) | 31 May 2024 C. Website and Public-Facing Operator Statements — Secondary Sources [07] | C — Website/Operator | Trueluck Casino website — public-facing casino offering; Dutch-language marketing to EU consumers; absence of KSA licence and CRUKS integration; operator infrastructure connecting to Luckywayz Limited B.V. | Trueluck Casino (trueluck.com) [08] | C — Website/Operator | Luckywayz Limited B.V. — Curaçao-registered offshore entity, Abraham de Veerstraat 9, Curaçao; 100% pre-transfer and approx. 88.9% post-transfer owner of Gadzooks Limited; offshore iGaming licensing wrapper | Luckywayz Limited B.V. | As per Form HE57, 31 May 2024 D. Correspondence — Partially Corroborated [09] | D — Correspondence | Yapily compliance email correspondence with affected player — sequence: (i) initial complaint regarding transactions linked to the Gadzooks/Trueluck structure; (ii) Yapily response denying knowledge of the transactions, stating it could not locate them in its system, declaring the complaint closed, and referencing the Financial Ombudsman Service; (iii) player submission of bank-certified transaction metadata explicitly identifying Yapily in the data-exchange chain; (iv) Yapily acknowledgement and statement of escalation for internal investigation; (v) subsequent non-response to follow-up communications; includes Yapily’s self-description as an API infrastructure platform facilitating AIS and PIS | Yapily / Yapily Connect UAB — compliance function; E. Whistleblower Submissions — Evidentiary Leads [10] | E — Whistleblower | Three-layer payment architecture submission — PAYTECH LTD (pay.tech) as white-label routing/orchestration hub; Yapily / Yapily Connect UAB as open-banking front-end; ISX Financial EU PLC as banking endpoint and fiat-crossing institution; alleged use of non-gambling retail descriptors; alleged targeting of Dutch and EU consumers without mandatory local licences [11] | E — Whistleblower | Identification of Panayiotis (Panos) Toulouras, Cyprus attorney, as alleged principal behind P.Z.T. Services Ltd and the wider fiduciary hub at Leoforos Archiepiskopou Makariou III 84, Larnaca; alleged coordinated restructuring of multiple high-risk casino vehicles into the P.Z.T./Potens corporate-service environment [12] | E — Whistleblower | Maricorp-to-P.Z.T. transfer of secretarial control at S.I.L.V.E.R Veil Group Ltd (Pillar 1 / InstantCasino) — alleged coordinated corporate restructuring mirroring the Nexellence-to-P.Z.T. handover at Gadzooks Limited G. Regulatory and Legal Framework References [13] | G — Regulatory/Legal | Directive (EU) 2015/2366 (PSD2) — framework governing payment initiation service providers (PISPs), including authorisation, merchant/partner onboarding obligations, ongoing monitoring, and suspicious transaction reporting interfaces with AML law | European Parliament and Council | 25 November 2015 | EUR-Lex: https://eur-lex.europa.eu/eli/dir/2015/2366/oj | Background — regulatory/legal framework [14] | G — Regulatory/Legal | EU AML framework — Directive (EU) 2015/849 (AMLD4) as amended by Directive (EU) 2018/843 (AMLD5); Directive (EU) 2018/1673 (criminalisation of money laundering); 2024 AML Package: Regulation (EU) 2024/1624 (AMLR) and Directive (EU) 2024/1640 — obligations of obliged entities, including corporate-service providers, EMIs, and PISPs, to identify ultimate beneficial owners | European Parliament and Council | 2015–2024 | EUR-Lex (consolidated texts) | Background — regulatory/legal framework [15] | G — Regulatory/Legal | Dutch gambling law — Wet op de kansspelen (Wok) as amended by the Wet kansspelen op afstand (remote gambling), in force 1 April 2021; KSA licensing requirements; CRUKS central self-exclusion register | Kingdom of the Netherlands / Kansspelautoriteit | In force 1 April 2021 | wetten.overheid.nl; kansspelautoriteit.nl | Background — regulatory/legal framework [16] | G — Regulatory/Legal | Cyprus Companies Law, Cap. 113 — corporate governance framework; s. 192 (Form HE4 officer changes) and s. 113A (Form HE57 share transfers) as statutory filing requirements; director fiduciary duties | Republic of Cyprus | Cap. 113, as amended | Cyprus Registrar of Companies / CyLaw | Background — regulatory/legal framework

FinTelegram has opened a formal compliance investigation into Softon Ltd (HE 463977), a Cyprus-registered company linked to offshore-licensed online casino brands actively targeting EU consumers. We have received initial whistleblower submissions and documentary evidence. We are now calling on all persons with inside knowledge of this network to come forward. We Are Investigating FinTelegram’s EU iGaming Payments Desk is conducting an active compliance investigation into Softon Ltd, a private Cyprus company incorporated in August 2024, which is publicly identified as the owner and operator of online casino brands operating under an Anjouan/Comoros offshore licence. Our investigation focuses on the role that Cyprus-registered corporate vehicles, legal-service providers, and EU-based payment infrastructure play in enabling offshore-licensed casino operations to reach EU consumers — including consumers in jurisdictions where such operations are prohibited without a local licence. The investigation covers the following areas: The corporate structure and beneficial ownership of Softon Ltd (HE 463977), Nicosia The relationship between Softon Ltd and online casino brands including Betzter.com and KingdomCasino-branded domains The role of EU open-banking infrastructure and intermediary payment gateways in processing deposits from EU consumers into unlicensed offshore casino structures Cross-border network indicators connecting Cyprus and Estonia in the payment architecture The systemic question of whether Cyprus corporate and legal-service ecosystems are functioning as a regulatory arbitrage layer that structurally undermines enforcement by other EU member states, including the Netherlands Thank You to Our Whistleblowers We have already received substantive submissions from multiple whistleblowers, including documentary evidence from official Cyprus and Estonian company registries, website captures, payment-flow material, and first-hand accounts. To those who have already submitted: your contributions are being taken seriously and are actively informing our investigation. We cannot respond individually to anonymous submissions — this is by design, to protect your identity — but every submission is reviewed by our editorial team and treated with full source protection. If you have submitted material and are wondering whether it reached us or whether it was useful: it did, and it was. We Need More Investigations of this kind depend on insider evidence that public registries and website captures alone cannot provide. We are specifically looking for: Internal documents and contracts relating to Softon Ltd, its casino brands, or associated payment entities Payment-flow evidence — settlement reports, account statements, transaction records, or payment-descriptor data linking Softon Ltd or its casino brands to specific banks, gateways, or open-banking providers KYC/KYB files and onboarding correspondence between Softon Ltd or associated casino brands and payment service providers, banks, or open-banking platforms Customer-complaint records and withdrawal-handling procedures — particularly any internal instructions regarding refund denials or jurisdiction-based exclusion clauses Internal legal or compliance memoranda, including any AML red-flag assessments or risk opinions produced in connection with Softon Ltd or its network Licensing representations made to banks, payment providers, or regulators Beneficial ownership information — any documentation identifying the true economic beneficiaries behind Softon Ltd or associated entities Employee or contractor accounts — if you have worked for, with, or alongside any entity in this network in any capacity, your perspective is relevant How to Submit All submissions are handled through Whistle42, FinTelegram’s secure and fully confidential whistleblower channel. Anonymous submissions are accepted and encouraged No identifying metadata is collected or stored Source protection is a non-negotiable editorial principle at FinTelegram Submissions can include documents, screenshots, email correspondence, or written accounts Submit via Whistle42: [whistle42.com] If you have already submitted and wish to add further material, please use the same secure channel. There is no need to identify yourself or reference your earlier submission — our team will connect the information. What Happens Next FinTelegram is preparing a full compliance intelligence report on Softon Ltd and its network. The report will be published following completion of our editorial verification process and the right-of-reply procedure extended to relevant parties. We are committed to accurate, evidence-based reporting. Every factual claim in the final report will be attributed to a verifiable source. Persons and entities named will be given the opportunity to respond before publication, and any substantiated corrections or statements will be published in full. If you have evidence that supports, contradicts, or adds nuance to any aspect of this investigation — we want to hear from you, regardless of which side of the story you are on. Share Information via Whistle42

The UK Financial Conduct Authority (FCA) has placed Hyperliquid on its Warning List. The warning was first published on 21 May 2026 and updated on 7 June 2026. The FCA states that Hyperliquid may be providing or promoting financial services or products without FCA permission, and that the firm is not authorised and may be targeting people in the UK. The warning expressly lists hyperfoundation.org, app.hyperliquid.xyz, and Hyperliquid’s social channels as relevant contact points. This is not merely a consumer warning. From a compliance perspective, it is a regulatory classification signal: the FCA appears to treat Hyperliquid’s activities not as neutral software, but as potentially unauthorised financial services or financial promotions directed at UK users. Executive Summary Hyperliquid has built one of the most successful on-chain perpetual futures venues by positioning itself as a decentralised exchange infrastructure rather than a traditional broker, exchange, or custodian. However, that distinction is becoming less persuasive for regulators. The platform enables leveraged perpetual derivatives, including crypto and real-world-asset-linked markets. These products are economically comparable to regulated derivatives, regardless of whether users maintain self-custody of their wallets. The FCA warning therefore exposes the core regulatory issue: decentralisation does not neutralise financial product regulation. If a platform facilitates leveraged long/short exposure, margining, liquidation, funding payments, order execution, and market access, regulators may look at the economic substance rather than the technological wrapper. The warning is especially sensitive because Hyperliquid has moved beyond crypto-native markets. In March 2026, S&P Dow Jones Indices licensed the S&P 500 to Trade[XYZ] for a perpetual derivative contract on Hyperliquid, described by S&P DJI as the first officially licensed S&P 500 perpetual powered directly by institutional-grade index data. The announcement states that Trade[XYZ] launched the market on Hyperliquid and that eligible non-US investors could gain leveraged exposure to the S&P 500 through the product. That development changes the regulatory optics. Hyperliquid is no longer only a DeFi venue for crypto perps. It is becoming an on-chain infrastructure layer for synthetic exposure to traditional financial benchmarks. Key Compliance Findings IssueFinTelegram AssessmentFCA StatusHyperliquid is now publicly listed by the FCA as an unauthorised firm that may be providing or promoting financial services or products without permission.Product ClassificationHyperliquid perps are economically derivatives: leveraged, cash-settled, no fixed expiry, long/short exposure, margining, liquidation and funding mechanics.Custody ArgumentThe fact that Hyperliquid may be non-custodial does not remove the regulatory character of the traded product or the activity of operating/promoting access to it.UK Retail RiskThe UK has banned the sale of crypto-derivatives and ETNs referencing certain cryptoassets to retail consumers since January 2021. The FCA has stated that firms offering such services to retail consumers are likely to be scams.Financial Promotion RiskUK cryptoasset financial promotion rules apply broadly to firms marketing qualifying cryptoassets to UK consumers, including overseas firms and technology-based delivery models.EU / MiFID RiskIn the EU, crypto-linked derivatives are not simply “MiCA products.” ESMA has clarified that cryptoassets can serve as underlying assets for derivative contracts, and such derivatives may fall under MiFID-style financial instrument analysis.U.S. Regulatory PressureThe CFTC has recently approved regulated perpetual futures paths for U.S. venues such as Kalshi, while CME and ICE have reportedly urged scrutiny of Hyperliquid over market manipulation and sanctions-evasion concerns. Why the FCA Warning Matters The FCA warning is short, but its implications are broad. The regulator states that almost all firms and individuals must be authorised or registered to carry out or promote financial services in the UK, and that Hyperliquid is not authorised. It also warns users that they will not have access to the Financial Ombudsman Service or Financial Services Compensation Scheme if they deal with the firm. For FinTelegram, the important point is not whether Hyperliquid calls itself DeFi. The question is whether the platform enables access to regulated-style financial products for users in regulated jurisdictions. On that test, Hyperliquid’s position is vulnerable. Perpetual futures are not ordinary crypto tokens. They are leveraged derivatives. Their key features include no fixed expiry, synthetic exposure to an underlying asset, margin requirements, funding-rate mechanisms, forced liquidations and long/short trading. S&P DJI’s own announcement describes perpetual derivatives as instruments allowing eligible investors to take leveraged long or short positions without fixed expiry. That is precisely the language of financial derivatives. The DeFi Defence: Weakening Under Regulatory Scrutiny Hyperliquid’s implicit defence has been the familiar DeFi argument: the protocol is decentralised, users connect wallets, and the platform may not take custody of assets in the traditional sense. But this argument is increasingly insufficient. Regulators are likely to focus on the following questions: Who designed and maintains the interface?The FCA warning specifically names the Hyperliquid website, application interface and social channels. Who promotes the product or ecosystem?A DeFi protocol with active marketing, public social channels, branded access points and coordinated ecosystem messaging may be treated differently from passive open-source code. Who controls listing, margin, liquidation and risk architecture?Hyperliquid’s own documentation indicates that builder-deployed perpetual markets involve market definition, oracle definitions, contract specifications, leverage limits and settlement responsibilities. Are users receiving access to a regulated economic exposure?Whether the collateral sits in a non-custodial wallet does not alter the fact that the user is trading a leveraged derivative. In other words: self-custody may reduce custody-regulation exposure, but it does not eliminate derivatives, market infrastructure, financial promotion, AML, sanctions, consumer protection or market abuse issues. The S&P 500 Perpetual: A Strategic Breakthrough — and a Regulatory Trigger The S&P 500 perpetual product is a major credibility signal for Hyperliquid’s ecosystem. But it is also a regulatory trigger. S&P DJI announced that it licensed the S&P 500 to Trade[XYZ], not directly to Hyperliquid, for a perpetual derivative contract on Hyperliquid. The announcement describes Trade[XYZ] as a provider of real-world-asset markets via perpetual derivatives on Hyperliquid and says XYZ markets had exceeded $100 billion in volume since October 2025, with an annualised run rate above $600 billion. This matters because the product links a major traditional finance benchmark to a decentralised derivatives venue. It invites regulators to ask whether global retail or semi-professional users can access leveraged synthetic exposure to major equity indices outside traditional exchange, clearing, conduct and investor-protection frameworks. For FinTelegram, this is the inflection point: Hyperliquid is no longer merely a crypto-native DeFi venue. It is becoming a shadow derivatives infrastructure for traditional market exposure. UK Compliance Situation After the FCA Warning The UK position is now materially adverse for Hyperliquid. First, the FCA warning means that UK consumers, regulated firms, payment partners, service providers, affiliates and media partners are on notice. Any party facilitating access, promotion, payments, referrals or onboarding for Hyperliquid in the UK now faces enhanced compliance risk. Second, the UK already has a restrictive stance on crypto derivatives. The FCA’s ban on the sale of crypto-derivatives and ETNs referencing certain cryptoassets to retail consumers came into effect in January 2021. The FCA stated that any firm offering such services to retail consumers is likely to be a scam. Third, the UK financial promotion regime captures cryptoasset promotions to UK consumers even when the firm is based overseas or uses technology-based delivery. This creates a three-layer UK problem for Hyperliquid: UK Risk LayerCompliance ImpactAuthorisation RiskPossible unauthorised provision or promotion of financial services.Retail Derivatives RiskCrypto-derivative access for UK retail users is especially problematic.Promotion RiskWebsites, apps, social media and referral content may constitute financial promotions. The FCA warning does not itself prove illegality. But it creates a strong regulatory presumption that Hyperliquid is not operating inside the UK perimeter in a way the FCA accepts. Potential Spillover Into Other Regulatory Regimes 1. European Union: MiCA Will Not Save Derivatives Platforms In the EU, many crypto firms try to frame their activities under MiCA. But leveraged perpetual derivatives are unlikely to be neatly contained within MiCA. ESMA has made clear that cryptoassets can serve as underlying assets for derivatives and that authorities must distinguish between cryptoassets under MiCA and financial instruments under MiFID II. This is crucial. If Hyperliquid products are treated as derivatives, the relevant framework may be MiFID II / MiFIR, not merely MiCA. That would raise issues around investment firm authorisation, trading venue operation, appropriateness testing, product governance, leverage limits, transaction reporting, market abuse surveillance and investor categorisation. The likely EU regulatory hypothesis is therefore: Hyperliquid-style perps are not “just cryptoassets”; they are derivative exposures delivered through crypto infrastructure. 2. United States: Offshore DeFi Under Pressure From Regulated Perps The U.S. picture is becoming more complex. The CFTC recently approved KalshiEX, a designated contract market, to list a bitcoin perpetual contract as a futures contract. That is important because it creates a regulated domestic path for perpetual futures. Once regulated U.S. venues can offer approved perpetuals, the tolerance for offshore or decentralised venues serving U.S.-linked users may decline. At the same time, CME and ICE have reportedly urged U.S. regulators to scrutinise Hyperliquid, citing concerns around anonymous round-the-clock perpetual futures trading, manipulation risk and sanctions evasion. The U.S. risk is therefore not only investor protection. It is also market integrity: whether on-chain perpetuals referencing oil, equities, indices or cryptoassets can distort benchmarks or provide a venue for manipulation outside regulated surveillance systems. 3. IOSCO / Global Standards: Cross-Border Coordination Risk The FCA warning may become a reference point for other regulators. Warnings by major regulators often serve as soft signals for national competent authorities, banks, payment processors and compliance teams. Once one Tier-1 regulator publicly identifies a platform as unauthorised, the burden shifts to the platform to demonstrate jurisdictional controls, geo-blocking, user restrictions, legal opinions and regulatory permissions. For Hyperliquid, this could affect: fiat on/off-ramp partners; institutional market makers; index and data partners; wallet and frontend integrations; affiliates and influencers; regulated entities offering copy-trading or structured exposure to Hyperliquid strategies. Regulatory Red Flags for Hyperliquid Red FlagWhy It MattersNo visible UK authorisationFCA says Hyperliquid is not authorised and may be targeting UK users.Leveraged perpetual derivativesThese resemble regulated derivatives, not simple token swaps.No KYC / wallet-based access modelRaises AML, sanctions, investor classification and jurisdictional control concerns.24/7 global accessMakes territorial restrictions harder to enforce.RWA and index-linked productsIncreases traditional finance regulatory exposure.Social media and app promotionMay trigger financial promotion rules.Liquidation and funding mechanicsRaise conduct, fairness, transparency and systemic-risk concerns.Potential UK retail accessHighly sensitive given UK crypto-derivatives restrictions. FinTelegram Compliance Hypothesis The FCA warning marks the beginning of a new regulatory phase for Hyperliquid. The platform’s DeFi architecture may have allowed it to scale rapidly without conventional authorisation, but the product reality is now too visible to ignore. Hyperliquid’s core activity is not simply decentralised token exchange. It is the operation of a high-performance, on-chain derivatives environment offering leveraged perpetual exposure to cryptoassets and increasingly to traditional financial benchmarks. From a compliance standpoint, the decisive question is not: “Is Hyperliquid decentralised?” The decisive question is: “Who is enabling, promoting and monetising access to leveraged financial instruments in regulated jurisdictions?” That question brings Hyperliquid into the perimeter of financial regulation, even if the answer differs across jurisdictions. FinTelegram Conclusion The FCA warning against Hyperliquid should be treated as a serious regulatory escalation. It signals that regulators are increasingly unwilling to accept “DeFi” as a blanket exemption from financial services law. For the UK, Hyperliquid is now an unauthorised-firm risk. For the EU, Hyperliquid-style perpetuals may fall closer to MiFID derivatives regulation than MiCA cryptoasset regulation. For the U.S., the approval of regulated perpetual futures may increase pressure on offshore and decentralised competitors. For global compliance teams, the platform now belongs on enhanced monitoring lists. The broader message is clear: perpetual derivatives do not become unregulated because they are traded through a wallet. A derivative remains a derivative, even when wrapped in DeFi infrastructure. FinTelegram will continue to monitor Hyperliquid, Trade[XYZ], index-linked perpetuals, and the regulatory response from the FCA, ESMA, CFTC and other national authorities. Share Information via Whistle42

FinTelegram’s Rail Atlas maps a remarkable payment and offshore-banking network around The Kingdom Bank, Financial House, La Orange / Jeton, Speedy, Banky and Jeton Bank. The case has become urgent after Financial House, a UK FCA-authorised EMI, was placed under severe FCA supervisory restrictions in April 2026. 2-Minutes Briefing FinTelegram’s Rail Atlas has identified a remarkable cross-border payment and offshore-banking network around The Kingdom Bank, Financial House, La Orange / Jeton, Speedy, Banky, Jeton Bank, and related facilitator layers. The trigger for this review is the severe FCA supervisory restrictions imposed on Financial House Limited, a UK-authorised Electronic Money Institution under Firm Reference Number 902039. The case is important because Financial House is not an isolated UK EMI. Public filings, legal disclosures, financial statements, West Ham sponsorship material, FinTelegram’s own operational review, and open-source records point to a wider payment infrastructure involving: The Kingdom Bank, a Dominica-based offshore / international digital banking platform; Financial House Limited, a UK FCA-authorised EMI currently under supervisory restrictions; Speedy, a Financial House trading name and a Polish payment rail observed in The Kingdom Bank deposit flow; La Orange Limited, trading as Jeton, an e-money services agent and major consumer-facing wallet/payment brand; Jeton Bank Limited, another Dominica offshore bank in the Jeton ecosystem; Banky / JSC CH GmbH, observed as an instant bank-transfer gateway in The Kingdom Bank deposit flow; Plato / GoodFintech / KYXPlatform, observed as the KYC and biometric-verification layer in The Kingdom Bank onboarding process. FinTelegram does not allege that all these entities are part of a single legal group or that all are under common control. However, the evidence supports a strong functional network hypothesis: a multi-jurisdictional payment infrastructure connecting offshore banking, UK EMI services, e-money agency, EU payment rails, white-label IBAN/card ambitions, crypto-friendly deposit flows, and high-risk merchant sectors. The key figure linking parts of this network is Nebil Serkan Zubari, publicly associated with The Kingdom Bank and shown in the 2024 Financial House accounts as a director who signed the report. FinTelegram’s operational review also observed The Kingdom Bank customer deposits being routed via a Speedy AG sp. z o.o. Polish payment rail, with The Kingdom Bank Corporation shown as account owner. This is exactly the type of cross-border rail configuration that FinTelegram’s Rail Atlas was designed to map. 1. The FCA Trigger: Financial House Under Severe Restrictions Financial House Limited is authorised by the UK Financial Conduct Authority (FCA) as an Electronic Money Institution. However, the FCA Register and Financial House’s own public notice show that the firm is currently subject to a First Supervisory Notice issued on 14 April 2026. According to the restriction notice published by Financial House, the firm is temporarily unable to: onboard new customers; accept new funds from existing customers; process payment transactions. The restrictions also concern the handling of safeguarded client funds. In substance, this is not a minor compliance footnote. It is a major operational restriction against a regulated UK EMI that appears to sit at the centre of a wider payment ecosystem. The timing is highly relevant. Financial House’s 2024 financial statements describe the company’s principal activity as enabling digital and mobile payments on behalf of consumers and merchants worldwide. The same report discusses European expansion, white-labelled IBANs, card distribution through Mastercard and Visa, and acquiring services in the UK and Europe. A regulated EMI with this profile being placed under severe FCA restrictions is a material Rail Atlas event. 2. Financial House: The UK EMI Infrastructure Node The 2024 Financial House accounts show that the company was not a dormant or marginal player. It reported turnover of approximately £14.4 million and gross profit of approximately £8.9 million. The business remained sizeable, but profitability deteriorated sharply: operating profit fell from around £1.99 million in 2023 to approximately £60,898 in 2024, resulting in a post-tax loss. Download the Financial House statements here. The accounts are especially important for three reasons. First, the company describes its activity as enabling digital and mobile payments on behalf of consumers and merchants worldwide. This is the language of a payment facilitator / EMI infrastructure provider, not a passive holding entity. Second, the report states that the group planned to expand operations into Europe through subsidiaries in Switzerland and Hungary. It also refers to white-labelled IBANs, card distribution through Mastercard and Visa, and acquiring business services in the UK and Europe. Third, the 2024 accounts were signed by Nebil Serkan Zubari, who was appointed as a Financial House director in October 2024. This is highly relevant because Zubari is also publicly associated with The Kingdom Bank. From a Rail Atlas perspective, Financial House appears to be a central regulated infrastructure node in a broader payment network. 3. The Speedy Signal: Trading Name, Polish Rail, EU Deposit Route Financial House publicly states in its own legal terms that it trades as Speedy and Centrue. The FCA register also shows Speedy as a current trading name of Financial House. Separately, FinTelegram’s operational review of The Kingdom Bank observed ordinary bank-transfer deposit instructions showing Speedy AG sp. z o.o. in Poland as the payment institution / bank rail, with the following details displayed in the The Kingdom Bank portal: FieldObserved DetailBank / Payment InstitutionSpeedy AG sp. z o.o., PolandIBANPL21636000030000000000486992BIC/SWIFTSSOPPLP2XXXAccount OwnerThe Kingdom Bank CorporationReferenceD9187185 This is one of the most important findings in the case. A Dominica offshore banking platform appears to receive customer deposits through a Polish Speedy-branded EU payment rail. The same Speedy name also appears in the UK Financial House context. The question is therefore obvious: how exactly are the Speedy-branded UK and Polish structures connected, and what role do they play in The Kingdom Bank customer-funding flows? This does not prove misconduct. But it creates a direct regulatory question for the FCA, Polish KNF, EU AML authorities and counterparties. 4. The Kingdom Bank: Offshore Bank With EU-Facing Onboarding FinTelegram was able to enter the onboarding funnel of The Kingdom Bank as a resident of Austria and Italy. The onboarding process used an external verification environment under verify.kyxplatform.com, branded as Plato. The deposit portal offered several funding options, including: Binance Pay; Instant Bank Transfer; Bank Transfer; Crypto; Kingdom Cash. For instant bank transfer, the flow redirected to pay.banky.io, a Banky-branded gateway listing numerous UK and fintech banks. In FinTelegram’s review, the instant transfer flow was visible but returned the error message: “Cannot execute payment at this time.” For ordinary bank transfer, the portal generated the Speedy AG Poland deposit instruction described above, with The Kingdom Bank Corporation as account owner. This matters because The Kingdom Bank is not a conventional EU bank. Yet EU residents appeared able to enter the onboarding and funding process, and EU-side payment rails were used in the deposit flow. A consumer may see an EU payment instruction or IBAN and assume EU-style banking protections. The underlying customer relationship, however, appears to remain with a Dominica offshore banking entity. That is a classic regulatory-perimeter issue. 5. The KYC Layer: Plato / GoodFintech / KYXPlatform The KYC process observed by FinTelegram was routed through verify.kyxplatform.com, branded as Plato. The verification screen referred to identity verification and biometric processing. The associated Plato / GoodFintech web presence reviewed by FinTelegram raises a transparency concern: the user-facing legal documents and website presentation did not clearly and prominently identify the legal operator responsible for the KYC platform, the data-controller / processor allocation, or the party responsible for biometric-data processing. This is not a minor point. The platform appears to perform sensitive identity-verification functions in the onboarding flow of an offshore bank accepting EU-facing customers. Users asked to submit identity documents and biometric data should not be forced to conduct external corporate-register research to understand who is processing their data and under what legal responsibility. In the context of The Kingdom Bank, this KYC opacity is a serious compliance and GDPR concern. 6. La Orange / Jeton: The Consumer-Facing Wallet And Agent Layer La Orange Limited, trading as Jeton, is another key node in the network. Public disclosures show that La Orange acts in the e-money / payment-services environment, and Jeton’s own disclosures state that the Jeton Card Account and Card are issued by Financial House Limited. The 2023 La Orange financial statements are also revealing. They describe the company’s principal activity as agents for e-money services. The group reported turnover of approximately £28.6 million in 2023, making it a material payment-services business rather than a small affiliate shell. The accounts also disclose important strategic developments: acquisition of La Orange CY Ltd in January 2024, described as a Cyprus EMI structure; disposal of La Orange GE LLC in December 2024; material working-capital movements typical of payment/e-money activity; a significant but cost-intensive international payment business. This confirms La Orange / Jeton as a substantial consumer-facing and agent/distribution layer in the broader payment ecosystem. The FCA restrictions against Financial House are potentially material for Jeton / La Orange to the extent that Jeton products, card accounts, e-money issuance, safeguarding or payment processing depend on Financial House as the authorised EMI or issuer. 7. Jeton Bank: The Second Dominica Offshore-Banking Node The Jeton ecosystem also includes Jeton Bank Limited, presented publicly as an offshore / international bank in Dominica. This is relevant because The Kingdom Bank is also a Dominica-based offshore / international banking platform. FinTelegram does not currently allege that Jeton Bank and The Kingdom Bank are the same entity or under the same legal control. However, from a network-risk perspective, the overlap is striking: Jeton / La Orange depends on regulated e-money and payment infrastructure; Jeton Bank adds a Dominica offshore-banking layer; The Kingdom Bank is another Dominica offshore-banking platform; Financial House and Speedy appear as payment infrastructure nodes; Zubari links Financial House and The Kingdom Bank; Banky and Speedy appear in The Kingdom Bank’s observed deposit stack. This is not a single linear corporate chart. It is a functional payment ecosystem. 8. The West Ham Trust-Building Signal Both Jeton and The Kingdom Bank appear in West Ham United’s official partner ecosystem. Jeton is presented as a finance app / e-wallet partner, while The Kingdom Bank is presented as a banking partner. This does not prove wrongdoing. Sponsorships are not evidence of payment misconduct. However, in financial intelligence terms, they matter as reputational amplification signals. Payment brands, e-wallets, offshore banks and digital-asset-friendly financial platforms often use sports sponsorships to build consumer trust and global visibility. The overlap is therefore noteworthy: two brands connected to the wider Financial House / Jeton / Dominica offshore-banking / payment-rail environment have used the same Premier League sponsorship platform. 9. Rail Atlas Network Configuration Network NodeJurisdictionRole / FindingEvidence LevelThe Kingdom Bank CorporationDominicaOffshore / international digital banking platform; EU-facing onboarding and deposit flow observedConfirmed / ObservedFinancial House LimitedUnited KingdomFCA-authorised EMI, FRN 902039; currently under FCA supervisory restrictionsConfirmedNebil Serkan ZubariUK / Dominica networkFinancial House director and signer of 2024 accounts; publicly associated with The Kingdom BankConfirmed / CorroboratedSpeedyUK / PolandTrading name of Financial House; Speedy AG Poland observed in The Kingdom Bank deposit flowConfirmed / ObservedSpeedy AG sp. z o.o.PolandPolish payment rail used for The Kingdom Bank bank-transfer depositsObservedLa Orange Limited / JetonUnited KingdomE-money services agent / Jeton trading environment; significant 2023 turnoverConfirmedLa Orange CY LtdCyprusCyprus EMI layer acquired by La Orange group in 2024Confirmed via accountsJeton Bank LimitedDominicaOffshore banking node in Jeton ecosystemCorroboratedBanky / JSC CH GmbHSwitzerland-linkedInstant bank-transfer gateway observed in The Kingdom Bank deposit flowObserved / Under ReviewPlato / GoodFintech / KYXPlatformUK-linked / opaque disclosureKYC and biometric verification layer observed in The Kingdom Bank onboardingObserved / Under ReviewWest Ham United SponsorshipsUnited KingdomBoth Jeton and The Kingdom Bank appear in partner ecosystemConfirmed 10. Confirmed Facts vs Network Hypothesis CategoryFindingConfirmedFinancial House is FCA-authorised and subject to FCA restrictions from April 2026ConfirmedFinancial House publicly trades as Speedy and CentrueConfirmedJeton disclosures identify Financial House as issuer of Jeton Card Account/CardConfirmedLa Orange accounts show substantial turnover and e-money agency activityConfirmedFinancial House accounts show Zubari as director and signerObserved by FinTelegramThe Kingdom Bank onboarding was accessible from Austria and ItalyObserved by FinTelegramThe Kingdom Bank KYC flow used KYXPlatform / PlatoObserved by FinTelegramThe Kingdom Bank instant-transfer flow used BankyObserved by FinTelegramThe Kingdom Bank ordinary bank-transfer route used Speedy AG Poland with The Kingdom Bank as account ownerCorroboratedJeton and The Kingdom Bank both use West Ham sponsorship visibilityUnder ReviewExact legal relationship between Banky and the Financial House / Speedy / Zubari networkUnder ReviewExact legal relationship between Jeton Bank and Financial HouseUnder ReviewWhether the same rails are used for gambling, iGaming, crypto or other high-risk merchantsNot Yet ProvenThat all entities form a single corporate group or are under common ownership 11. Compliance Red Flags Risk AreaObservationWhy It MattersFCA restrictionsFinancial House cannot onboard, accept new funds or process payments without restrictionMajor regulatory triggerSafeguardingRestrictions refer to client safeguarded funds and remediationIndicates serious regulatory concern around client funds / CDD / controlsOffshore-to-EU railThe Kingdom Bank uses EU-facing onboarding and Speedy Poland deposit instructionsPotential regulatory-perimeter arbitrageSpeedy overlapSpeedy is a Financial House trading name and Speedy AG Poland appears in The Kingdom Bank flowRaises network and related-party rail questionsKYC opacityPlato / GoodFintech / KYXPlatform operator disclosure appears insufficient to usersGDPR, biometric data and controller/processor riskCrypto-friendly fundingThe Kingdom Bank deposit menu includes crypto and Binance PayRequires enhanced AML, sanctions and source-of-funds controlsA2A / instant paymentsBanky gateway lists multiple banks for instant transferOpen-banking/A2A rails can bypass card chargeback protectionsE-money agency layerLa Orange / Jeton acts as agent for e-money servicesAgent/principal accountability becomes criticalSponsorship trust signalJeton and The Kingdom Bank both appear as West Ham partnersBrand trust amplification for high-risk payment/offshore actorsMulti-jurisdictional complexityUK, Poland, Cyprus, Switzerland, DominicaDifficult for regulators and consumers to see the full rail 12. Regulatory Questions FinTelegram believes the following questions require urgent clarification: What exactly triggered the FCA restrictions against Financial House? Which Jeton / La Orange products depend on Financial House as issuer, principal, processor or safeguarding institution? Are Jeton customers affected by the Financial House restrictions? What is the exact relationship between Financial House, Speedy, Speedy AG Poland and The Kingdom Bank? Does the Polish KNF know that Speedy AG Poland is used as a deposit rail for The Kingdom Bank Corporation? Are funds received via Speedy AG Poland safeguarded, segregated, pooled or transferred onward? Does The Kingdom Bank onboard EU residents without EU banking authorisation? What regulatory disclosures are provided to Austrian, Italian and other EU customers? Who operates the Plato / KYXPlatform KYC layer and who is the data controller for biometric data? What is the role of Banky / JSC CH GmbH in The Kingdom Bank’s instant-transfer flow? Are gambling, iGaming, crypto or other high-risk merchant funds processed through any of these rails? Are correspondent banks and payment networks fully aware of the underlying offshore and high-risk payment exposure? 13. FinTelegram Assessment The evidence now supports a consolidated Rail Atlas Network Case. The central issue is not whether any single company in the network is automatically unlawful. The central issue is that a restricted UK EMI, a consumer-facing wallet/e-money agent, Speedy-branded payment rails, a Dominica offshore banking platform, an opaque KYC facilitator and an instant-transfer gateway appear in overlapping payment and onboarding structures. The Kingdom Bank is not an isolated offshore bank. Financial House is not an isolated UK EMI. La Orange / Jeton is not merely a consumer wallet brand. Speedy is not merely a name. Together, these nodes point to a multi-jurisdictional payment infrastructure with serious regulatory, AML, safeguarding, consumer-protection and transparency questions. The FCA restrictions against Financial House turn this from a theoretical network map into a live regulatory event. For FinTelegram, the conclusion is clear: this network deserves immediate scrutiny by the FCA, Polish KNF, Dominica FSU, Central Bank of Cyprus, data-protection authorities, correspondent banks, payment schemes and affected customers. Call For Information FinTelegram invites whistleblowers, former employees, customers, compliance officers, PSP insiders, banking partners, payment agents, merchants, regulators and sports-sponsorship insiders to provide information about: Financial House Limited and the FCA restrictions; The Kingdom Bank onboarding and deposit flows; Speedy, Speedy AG Poland and Speedy-branded payment rails; La Orange Limited, Jeton and Jeton Card / Wallet products; Jeton Bank Limited in Dominica; Banky / JSC CH GmbH and instant bank-transfer infrastructure; Plato / GoodFintech / KYXPlatform KYC and biometric verification; merchant onboarding involving gambling, iGaming, crypto or forex; safeguarded funds, frozen balances, blocked withdrawals or unresolved payments; internal AML, CDD, EDD, sanctions or transaction-monitoring concerns; contracts, agent agreements, processor agreements, issuer agreements or referral arrangements. Whistleblowers may contact FinTelegram via Whistle42. FinTelegram protects sources and distinguishes between documented facts, open-source intelligence, source-provided material and editorial assessment. Share Information via Whistle42

2-Minutes Briefing FinTelegram’s Rail Atlas has conducted an extended compliance review of The Kingdom Bank Corporation, a Dominica-based offshore/international banking and fintech institution publicly positioning itself toward global payments, digital assets, Forex, Gambling and iGaming. In an operational review, FinTelegram was able to register with The Kingdom Bank as a resident of Austria and Italy. The onboarding flow used an external KYC verification domain, verify.kyxplatform.com, branded as Plato. The deposit area inside The Kingdom Bank portal offered several funding methods, including Binance Pay, Instant Bank Transfer, Bank Transfer, Crypto and Kingdom Cash. For Instant Bank Transfer, the flow redirected to pay.banky.io, a Banky-branded account-to-account payment gateway listing numerous UK and fintech banks, including Lloyds Bank, Barclays, Santander, RBS, NatWest, Revolut, HSBC, Monzo, Nationwide, Starling Bank, TSB, Wise and others. In FinTelegram’s test, the instant bank transfer could not be executed and returned the error message: “Cannot execute payment at this time.” For ordinary bank transfer, The Kingdom Bank generated Polish account details showing Speedy AG sp. z o.o. as the bank / payment institution and The Kingdom Bank Corporation as account owner. The IBAN shown in the test flow was: PL21636000030000000000486992BIC/SWIFT: SSOPPLP2XXXAccount Owner: The Kingdom Bank CorporationReference: D9187185 This finding is significant. The Kingdom Bank is not an EU-licensed bank. Yet its customer-funding flow appears to rely on an EU-based Polish payment institution account infrastructure through Speedy AG sp. z o.o. Public Polish and business-register data indicate that Speedy is connected to Nebil Serkan Zubari, the founder / key person behind The Kingdom Bank. This creates a relevant intra-network payment-rail question: an offshore Dominica “bank” appears to access EU payment infrastructure through a Polish payment institution linked to the same principal. Rail Atlas Snapshot FieldFindingEntityThe Kingdom Bank CorporationDomainhttps://www.thekingdombank.comJurisdictionDominicaEU Licence StatusNo EU banking licence identifiedEU Access FindingOnboarding possible from Austria and ItalyKYC Layerverify.kyxplatform.com / PlatoDeposit GatewayBanky (pay.banky.io) for instant bank transferEU Payment RailSpeedy AG sp. z o.o., Poland (Speedy.io)Observed IBANPL21636000030000000000486992Observed BICSSOPPLP2XXXAccount OwnerThe Kingdom Bank CorporationRisk VerticalsForex, Gambling, iGaming, cryptoKey RiskOffshore bank using EU payment rails for customer depositsConfidence GradeConfirmed / Corroborated / IndicatedStatusActive Rail Atlas Monitoring Case Why This Case Matters The Kingdom Bank should not be analysed as a conventional EU or UK commercial bank. It presents itself as a licensed international bank in the Commonwealth of Dominica and markets digital banking, global payments, digital assets, crypto-friendly services, FX and payment solutions to international clients. From a Rail Atlas perspective, the case matters because The Kingdom Bank combines several compliance-sensitive layers: offshore/international banking framework; digital-asset-friendly positioning; public service offering to Forex, Gambling and iGaming; customer onboarding from EU residents; outsourced KYC / identity verification; instant account-to-account payment gateway flow; crypto and Binance Pay funding options; bank-transfer funding via an EU payment institution; apparent linkage between the offshore bank principal and the EU payment institution used for deposits. This combination creates a high-risk compliance profile requiring enhanced scrutiny by regulators, correspondent banks, payment networks, AML teams and consumer-protection authorities. Public iGaming And Gambling Positioning The Kingdom Bank publicly markets Global Payment Solutions for sectors including Forex and Gambling and lists iGaming as an industry served. This is not merely third-party speculation. It is The Kingdom Bank’s own public-facing positioning. FinTelegram has not yet identified a confirmed casino merchant list or a public casino-domain disclosure stating that a specific casino brand uses The Kingdom Bank as banking, settlement or payment partner. However, the bank’s own market positioning makes iGaming and gambling a legitimate compliance focus. In high-risk gambling payments, the banking and settlement layer often remains behind the visible cashier, payment gateway, affiliate, crypto or payment-intermediary interface. The absence of public merchant names therefore does not eliminate risk. It only means that transaction-level evidence is required before naming specific operators. FinTelegram Test: Registration From Austria And Italy FinTelegram was able to register with The Kingdom Bank as a resident of Austria, Germany and Italy. This is important because The Kingdom Bank is not an EU-licensed bank in the conventional sense. It appears to operate globally on the basis of its offshore/international banking licence from Dominica while allowing EU residents to enter the onboarding process. The compliance issue is not whether offshore financial institutions may ever serve international clients. The issue is whether EU residents are being onboarded into a banking/payment ecosystem without the customer receiving a clear, prominent explanation of the regulatory perimeter: Dominica supervision, no EU deposit protection, no EU banking licence, and the involvement of EU payment institutions as operational rails. KYC Flow: verify.kyxplatform.com / Plato The KYC process observed by FinTelegram was conducted through verify.kyxplatform.com, branded as Plato. By clicking the verification button, the user consents to Plato, described as a vendor, collecting and using third-party service providers to process biometric information for identity verification, fraud detection and platform improvement. The screen also states that biometric information will be stored for no more than three years. Open-source research indicates that the KYXPlatform domain is connected to Plato-branded KYC verification. Plato / Goodfintech publicly describes its services as KYC, KYB, KYT, ID verification, liveness checks, facial expression analysis, sanctions and AML checks, risk scoring and automated KYC flows. Good Fintech Limited appears in UK Companies House as an active private limited company. A further red flag concerns the user-facing legal disclosure of the KYC provider. The Kingdom Bank onboarding flow redirects users to verify.kyxplatform.com, branded as Plato. Plato is presented under the GoodFintech ecosystem and offers KYC, KYB, KYT, ID verification, liveness checks, facial-expression analysis, sanctions and AML checks. However, FinTelegram’s review of the GoodFintech and Plato web presence found that the reviewed user-facing pages do not clearly and prominently identify the legal entity operating the platform or accepting responsibility for the processing of identity and biometric data. Open-source corporate records indicate the existence of Good Fintech Limited, a UK company incorporated in October 2023, with the Turkish national Nuri Ozlu listed as director and controlling person. In the context of EU residents onboarding with an offshore Dominica banking platform, this lack of prominent legal-entity, controller/processor and data-protection disclosure is a material compliance concern. Users asked to submit identity documents and biometric information should not have to conduct external corporate-register research to determine who operates the verification platform and who is responsible for their sensitive personal data. This raises several compliance questions: Who is the contractual KYC processor for The Kingdom Bank: Plato, Goodfintech or another operator behind KYXPlatform? Where exactly are biometric data and identity documents stored? Which entity is the data controller and which entity is the processor? Are EU residents provided with GDPR-compliant disclosures before biometric data collection? Are customers clearly told that they are onboarding with an offshore Dominica bank rather than an EU bank? How are PEP, sanctions, adverse media and source-of-funds checks calibrated for high-risk sectors such as crypto, Forex and gambling? The use of external KYC vendors is not unusual. However, in this case, the combination of offshore banking, EU customers, biometric processing, crypto funding and high-risk merchant positioning requires a much higher standard of transparency. Deposit Options: Binance Pay, Bank Transfer, Instant Bank Transfer, Crypto And Kingdom Cash Inside the portal, FinTelegram observed the following deposit methods: Binance Pay; Instant Bank Transfer; Bank Transfer; Crypto; Kingdom Cash. This funding menu is revealing. It indicates that The Kingdom Bank is not merely presenting itself as a traditional offshore bank account provider. It operates more like a digital banking/payment platform integrating crypto, account-to-account payments and alternative deposit methods. From an AML perspective, the coexistence of fiat bank transfers, instant payments, crypto and Binance Pay increases the importance of transaction monitoring, source-of-funds review, sanctions screening, wallet risk analytics and real-time fraud controls. Banky Instant Bank Transfer Flow For the Instant Bank Transfer option, The Kingdom Bank redirected to pay.banky.io, a Banky-branded gateway. The Banky screen showed a payment amount of EUR 101.50 and allowed the customer to choose from a list of banks. The list included major UK and fintech banks such as Lloyds Bank, Barclays, Santander, RBS, NatWest, Revolut, HSBC, Monzo, Nationwide, Starling Bank, TSB, Bank of Scotland, Ulster Bank, First Direct, Halifax, Danske Bank, Wise, Allied Irish Banks and Bank of Ireland. In FinTelegram’s review, the instant bank transfer could not be completed and returned the error message: “Cannot execute payment at this time.” The failed transaction does not by itself prove misconduct. However, the flow is relevant because it shows that The Kingdom Bank’s deposit infrastructure appears to connect to open-banking-style account-to-account payment rails. This is the type of infrastructure frequently observed in modern high-risk payment ecosystems because it can bypass card-chargeback rails and move customer funds directly from bank accounts. For Rail Atlas purposes, Banky should be treated as a relevant payment gateway layer in The Kingdom Bank deposit stack. Ordinary Bank Transfer: Polish Speedy AG Rail The most important operational finding is the ordinary bank-transfer deposit instruction. The Kingdom Bank portal instructed the user to make a transfer to bank details showing: Bank Name: Speedy AG spółka z ograniczoną odpowiedzialnościąDomain: Banky.ioIBAN: PL21636000030000000000486992BIC/SWIFT: SSOPPLP2XXXBank Number: 636Account Number: 636000030000000000486992Account Owner: The Kingdom Bank CorporationReference: D9187185 This means that, in the tested deposit flow, the EU-side funding account was not shown as a direct The Kingdom Bank account at a traditional EU bank. Instead, it was a Polish Speedy AG payment-institution rail where the account owner was The Kingdom Bank Corporation. Speedy AG sp. z o.o. is a Polish payment institution. Polish regulator KNF granted Speedy AG a national payment institution licence in August 2024. Public sources identify its BIC/SWIFT as SSOPPLP2XXX. This finding gives The Kingdom Bank an EU payment-rail footprint. It also creates a clear regulatory question: how is a Dominica offshore bank using a Polish payment institution account to receive customer deposits from EU residents? The Speedy / Zubari Connection The Speedy finding is particularly sensitive because public Polish register and business data indicate that Nebil Serkan Zubari (LinkedIn) is connected to Speedy AG sp. z o.o. as a board / representative figure and beneficial owner through Speedy Group Holding Limited. Zubari is also the key person behind The Kingdom Bank. Public sources identify Zubari as the founder and CEO of The Kingdom Bank. The bank’s own blog states that Zubari is the founder and current CEO, while an English court decision in The Kingdom Bank Corporation v Moorwand Ltd identifies Zubari as a director of The Kingdom Bank. West Ham United’s official partnership communication also refers to him as founder of The Kingdom Bank. This creates an important network-level compliance issue. The flow observed by FinTelegram suggests that The Kingdom Bank customer funds may be routed through a Polish payment institution connected to the same principal behind the offshore bank. This does not automatically mean the structure is illegal. It may be presented as an internal group or partner infrastructure. But from a compliance perspective, it requires transparency: Is Speedy acting as payment institution, account provider, correspondent partner or technical payment rail for The Kingdom Bank? Does KNF know that Speedy accounts are used for The Kingdom Bank customer deposits? Are The Kingdom Bank customers informed that their funds are received through a Polish payment institution? Is Speedy conducting independent AML monitoring on the underlying The Kingdom Bank customer and transaction risk? Does Speedy classify The Kingdom Bank as a high-risk offshore banking client? Are gambling, crypto or iGaming-related funds processed through the same infrastructure? Are EU customers protected by any EU safeguards, or are they merely sending money to an offshore bank via an EU payment institution? These are central Rail Atlas questions. The Kingdom Bank is not an isolated Dominica offshore bank. It appears to sit within a broader Zubari-linked financial infrastructure that also includes Speedy-branded EU/UK payment entities. One of these nodes, Financial House Limited, is FCA-authorised but currently subject to FCA supervisory restrictions. That significantly strengthens the Rail Atlas risk profile. Regulatory Perimeter Issue The Kingdom Bank appears to offer onboarding and deposit functionality to EU residents while operating under a Dominica offshore/international banking licence. FinTelegram has not identified evidence that The Kingdom Bank itself holds an EU banking licence. The observed Polish deposit rail through Speedy AG does not transform The Kingdom Bank into an EU bank. It may only show that The Kingdom Bank has access to EU payment infrastructure through a regulated Polish payment institution. This distinction is critical. A consumer in Austria, Italy or another EU country may see an EU IBAN and assume a familiar EU banking environment. However, the account owner remains The Kingdom Bank Corporation, a Dominica offshore entity. The regulatory protection, complaints route and prudential supervision may therefore be very different from those of a conventional EU bank. Pooled Accounts And Merchant Payment Opacity The Kingdom Bank publicly promotes pooled-account functionality. In legitimate financial operations, pooled or omnibus accounts may be used to manage client funds efficiently. In high-risk environments, however, they can create transparency problems. If an offshore bank or payment platform serves gambling, crypto, Forex or high-risk merchant clients through pooled or omnibus-style structures, the visible payee may not clearly reveal the underlying merchant, casino operator, affiliate, crypto broker or beneficiary. This is one of the central Rail Atlas concerns: in modern payment ecosystems, the entity visible to the customer or the sending bank may be a processor, pooled account, payment institution or banking wrapper rather than the true commercial counterparty. Compliance Red Flags Risk AreaFinTelegram FindingCompliance RelevanceOffshore bankingThe Kingdom Bank operates from Dominica under an international/offshore banking profileNo conventional EU banking licence identifiedEU onboardingRegistration possible from Austria and ItalyEU residents appear able to enter the customer funnelKYC / Plato / GoodFintechVerification through verify.kyxplatform.com / Plato. User-facing pages reviewed by FinTelegram do not clearly disclose the legal operator; external records point to Good Fintech Limited in the UKBiometric-data, GDPR and data-controller transparency questions. GDPR, biometric-data, controller/processor and contractual transparency concernCrypto fundingDeposit menu includes Crypto and Binance PayRequires wallet-risk, sanctions, source-of-funds and Travel Rule controlsInstant bank transferDeposit flow redirects to pay.banky.ioOpen-banking/account-to-account rail relevant for card-chargeback bypass riskFailed test paymentInstant transfer returned “Cannot execute payment at this time”Operational reliability and gateway availability questionEU bank-transfer railDeposit instruction uses Speedy AG sp. z o.o. in PolandOffshore bank appears to receive EU deposits through Polish payment institutionAccount ownerAccount owner shown as The Kingdom Bank CorporationEU payment rail used for offshore bank fundingNebil Serkan ZubariActive director of Speedy, Financial House Limited, and The Kingdom BankLinks The Kingdom Bank principal to UK EMI infrastructureSpeedy connectionPublic data links Speedy to Nebil Serkan ZubariNetwork-level conflict / related-party rail questioniGaming positioningThe Kingdom Bank publicly targets Forex, Gambling and iGamingHigh-risk merchant vertical explicitly part of target marketPooled accountsThe Kingdom Bank promotes pooled-account structuresUnderlying merchant / beneficiary transparency riskReferral / merchant acquisitionWhistleblower material indicates external client-introduction structuresIncentives to source higher-risk merchants require enhanced controls Rail Map A simplified Rail Atlas model based on the review findings is: EU Resident / Customer→ The Kingdom Bank Online Portal→ KYC via KYXPlatform / Plato→ Deposit Method Selection→ Banky Instant Bank Transfer / Crypto / Binance Pay / Ordinary Bank Transfer→ Speedy AG Polish Payment Rail→ Account Owner: The Kingdom Bank Corporation→ Offshore Dominica Banking / Payment Platform For merchant flows, the potential model is: High-Risk Merchant / iGaming / Forex / Crypto Client→ External introducer or referral partner→ The Kingdom Bank onboarding and payment stack→ Pooled account / IBAN / SWIFT / Crypto / A2A payment layer→ Customer deposits, merchant settlement or cross-border payouts The second model remains a working Rail Atlas hypothesis requiring transaction-level confirmation for specific merchants. FinTelegram Assessment The extended review significantly strengthens the Rail Atlas case on The Kingdom Bank. The issue is no longer only that The Kingdom Bank publicly positions itself toward Forex, Gambling and iGaming. The operational review shows that EU residents can enter the onboarding funnel, pass into a KYC process handled through an external KYXPlatform / Plato domain, and receive deposit instructions involving a Polish payment institution. The Speedy AG connection is the most important new element. A Dominica offshore bank appears to use an EU payment institution rail in Poland for customer deposits, while public register data indicates that the same key person behind The Kingdom Bank is also connected to Speedy. This does not prove unlawful conduct. But it creates a high-risk related-party payment infrastructure that deserves regulatory and journalistic scrutiny. For consumers, the risk is transparency. The presence of a Polish IBAN or EU payment institution does not mean the customer is banking with an EU bank. The customer relationship remains with The Kingdom Bank Corporation, a Dominica offshore entity. For regulators, the risk is perimeter arbitrage. Offshore banking, EU payment institutions, crypto funding, open-banking gateways, pooled accounts and high-risk merchant sectors may combine into a payment architecture that is technically distributed and difficult to supervise end-to-end. Call For Information FinTelegram invites whistleblowers, former employees, compliance officers, payment agents, PSP insiders, casino operators, affiliates, customers, regulators and banking partners to provide information about The Kingdom Bank, Speedy AG, Banky, KYXPlatform / Plato, and related payment flows. We are particularly interested in: The Kingdom Bank onboarding documents for EU residents; deposit screenshots showing Speedy AG, Banky, Binance Pay, crypto or other payment methods; account statements showing transfers to or from The Kingdom Bank via Speedy AG; contracts or service agreements between The Kingdom Bank and Speedy AG; information about the operator and data-controller structure behind KYXPlatform / Plato; complaints about frozen deposits, failed withdrawals, blocked accounts or unresolved refunds; merchant onboarding files involving gambling, iGaming, Forex or crypto clients; payment screenshots linking casino or betting platforms to The Kingdom Bank, Speedy, Banky or related infrastructure; internal AML, sanctions, KYC, KYB, PEP, adverse-media or transaction-monitoring concerns; evidence concerning pooled accounts or omnibus structures used for high-risk merchants. Whistleblowers may contact FinTelegram via Whistle42. FinTelegram protects sources and distinguishes clearly between documented facts, open-source intelligence, third-party allegations and editorial assessment. Share Information via Whistle42

A June 2026 promotional article on openPR explains how users can transfer USDT into Payeer through BoomChange, even though Payeer has been linked to EU sanctions measures, Lithuanian sanctions and AML enforcement, and persistent customer complaints over blocked withdrawals. Evidence from a detailed Bitcointalk scam thread materially escalates the risk profile of BoomChange, which is presented not merely as an opaque crypto intermediary but as a suspected fake exchange operation tied to static deposit addresses, phishing-style behavior, and wallet flows allegedly ending at Binance. Key Findings The openPR press release explicitly promotes a 2026 workflow for sending USDT into Payeer via BoomChange and presents that path as a normal convenience service for online users and remote workers. Specialist sanctions and compliance sources report that Payeer was targeted under the EU’s 19th sanctions package, with a transaction ban or equivalent transaction prohibition taking effect in November 2025 after a short wind-down period. Lithuanian FCIS/FNTT enforcement reportedly imposed roughly €9.3 million in penalties on Payeer for sanctions breaches and AML failures, including dealings involving sanctioned Russian banks. FinTelegram has documented repeated complaints from Payeer users about frozen balances, blocked accounts, and failed withdrawals during the sanctions-driven shutdown phase. Payeer no longer appears reachable on the legacy domain payeer.com, which now returns an NXDOMAIN error in live retrieval, while the currently active public-facing site is payeer.online. The current payeer.online site presents itself as a global payment gateway based around merchant acquiring, cards, PayPal, crypto, WeChat Pay, and Alipay rather than the older wallet-centered interface historically associated with payeer.com. The Bitcointalk thread on BoomChange alleges that boomchange.com, boomchange.io, and boomchange.net operate as fake exchanges using static deposit addresses that route victim funds into operator-controlled wallets. The same Bitcointalk report links BoomChange to an Armenia footprint, identifies multiple email addresses, phone numbers, IP addresses, social-media accounts, and hosting or registrar changes, but none of this amounts to transparent corporate disclosure or verified beneficial ownership. No verifiable legal operator or beneficial owner for BoomChange was identified on its public website, which remains a severe compliance red flag for a platform routing crypto into payment environments such as Payeer. In risk terms, the BoomChange-Payeer pathway combines sanctions exposure, AML deficiencies, consumer harm, and scam indicators in a single transaction chain. Press Release Analysis The openPR article titled “How to Transfer USDT into Payeer in 2026” is framed as a simple user guide for moving stablecoins into a payment account. It positions BoomChange as the transfer mechanism and Payeer as the destination platform, while naming additional payment brands such as Skrill, Wise, Payoneer, PayPal, and Cash App to normalize the route. The article is problematic because it is not merely descriptive. It is operational marketing that guides users from USDT into Payeer without mentioning the sanctions, enforcement, withdrawal, or consumer-risk issues now associated with the Payeer ecosystem. After incorporating the Bitcointalk material, the omission becomes even more serious. The release does not just promote access to a sanctioned or restricted payment rail; it appears to direct users through a platform that has been publicly accused of functioning as a fake exchange scam using static wallet infrastructure and phishing-style collection mechanisms. Payeer: Sanctions, Enforcement, and Domain Shift EU sanctions and shutdown context Specialist sanctions and crypto-compliance reporting states that Payeer was included in the EU’s 19th sanctions package against Russia, with the measures taking effect in November 2025 after a limited wind-down period. These reports characterize the measure as a ban on transactions involving Payeer and highlight the significance of the case because it directly touches the crypto and payment-services perimeter. That matters for any intermediary touching the flow. If a third-party exchanger, wallet service, PSP, acquirer, or banking partner enables funds to be routed into Payeer after the prohibition became effective, the risk shifts from abstract association to possible direct or indirect facilitation. Lithuanian enforcement and complaint pattern Lithuanian FCIS/FNTT reporting described major sanctions and AML failures at Payeer and imposed penalties totaling approximately EUR 9.3 million. Public reports say the findings included transactions involving sanctioned Russian banks, weaknesses in customer due diligence, and failures connected to suspicious transaction monitoring and reporting. FinTelegram’s reporting adds the practical consumer dimension. It documents complaints from users whose withdrawals were blocked or delayed and whose balances became trapped as the sanctions-driven exit period unfolded. From payeer.com to payeer.online A live retrieval of payeer.com now returns a DNS error, indicating that the legacy domain is no longer reachable at the time of review. In contrast, payeer.online is active and currently markets itself as an all-in-one international payment gateway offering cards, PayPal, crypto, WeChat Pay, Alipay, API integration, and merchant services in more than 180 countries. This domain change is analytically important. It indicates that Payeer’s current web presence has shifted away from the older payeer.com brand entry point and toward a new domain with a different public presentation, one that emphasizes merchant acquiring, global coverage, and broad payment-method support rather than the historic wallet image widely associated with Payeer. That does not reduce the underlying compliance concern. If anything, a post-enforcement rebranding or domain migration can make customer screening, adverse-media detection, and sanctions controls harder unless institutions actively map historical domains, trade names, and legacy references to the currently active infrastructure. BoomChange: Scam Indicators and Ownership Clues Public website and transparency failures BoomChange’s public website presents the service as an instant crypto exchange with fast execution, no-registration usage, and multiple conversion paths involving crypto and payment destinations. It does not clearly identify a legal operator, jurisdiction of incorporation, licensing authority, directors, or beneficial owners in a way expected from a regulated CASP or payment intermediary. That alone already justified a high-risk classification. After reviewing the Bitcointalk evidence, however, the risk assessment must be strengthened from opaque intermediary to suspected fake-exchange scam operation. Bitcointalk scam evidence The Bitcointalk thread titled “SCAM – Boomchange.com / Boomchange.io / Boomchange.net – Fake Crypto Exchanges” contains a detailed allegation set backed by wallet addresses, archived pages, social-media references, and transaction links. The core allegation is that BoomChange uses static order pages and repeatedly shows the same deposit addresses to different visitors, which is inconsistent with how legitimate instant-exchange order management normally works. The thread lists numerous crypto addresses across Bitcoin, Ethereum, Litecoin, Solana, Tron, BNB, Perfect Money, and other networks, and alleges that victim funds were consolidated and then moved onward, in many cited cases to Binance-linked destinations. It also notes that MetaMask’s phishing-warning list and several scam-reporting services had already flagged BoomChange-related domains or addresses. As a matter of editorial caution, the Bitcointalk material is community-sourced and accusatory in tone. Even so, the density of technical indicators, the consistency of the allegations, and the overlap with BoomChange’s missing ownership transparency make the thread highly relevant adverse-media evidence that cannot be ignored in a compliance analysis. Operators and beneficial ownership The Bitcointalk post attributes BoomChange to an operator in Yerevan, Armenia and identifies a cluster of contact points including email addresses such as boomchange222@gmail.com, boomchange6@gmail.com, register2022.2023@gmail.com, edgarhakobyan2012@gmail.com, boomchangeplay@gmail.com, and info@boomchange.com, as well as the phone number +1 850 280 0803 used on social and messaging channels. It also references Armenian IP addresses, Ucom and Telecom AM connectivity, hosting via Koddos/Amarutu Technology, and registrar changes from Namecheap to Nicenic and later Internet Domain Service BS Corp. Those indicators point to an operational footprint, but they do not establish verified beneficial ownership in a corporate-law sense. At present, the evidence supports describing BoomChange as a suspected Armenia-linked scam operation with identified digital traces, not as a transparently owned or lawfully disclosed business. The thread also mentions a possible link to Smartweb.am and to another project, iptvleopard.com, through overlapping promotion patterns and archived content. Those links are investigatively relevant and may justify further OSINT work, but they should be presented as leads rather than settled findings unless confirmed through company records, domain control evidence, payment data, or insider documentation. Compliance Analysis Sanctions risk The sanctions issue is straightforward. Any service route that enables users to move value into Payeer after the EU prohibition took effect creates a direct or indirect sanctions exposure for the user and for any intermediary facilitating the chain. This is precisely why the BoomChange link is so troubling. A suspected scam exchange with weak or absent transparency is being used in promotional content as the bridge into a payment environment already burdened by sanctions and enforcement findings. AML and fraud risk The AML risk profile is compounded rather than additive. Payeer carries a documented history of sanctions and AML enforcement, while BoomChange now shows significant public scam indicators including static deposit addresses, alleged phishing behavior, and address-level abuse reporting. For compliance teams, this combination should trigger enhanced due diligence, counterparty restrictions, wallet screening, transaction monitoring, and partner review at the highest risk level. Institutions that continue to process related flows without tracing destination logic, domain relationships, and adverse-media indicators would be exposed not only to financial crime risk but also to serious supervisory criticism. Consumer protection and market integrity The consumer-harm narrative is no longer limited to frozen Payeer withdrawals. If users are directed first into BoomChange and then onward into Payeer, they face the risk of losing funds at two separate points in the chain: first to a suspected scam exchanger, and second to a sanctioned or shutdown-affected payment platform with documented withdrawal complaints. That makes the openPR article especially problematic from a market-integrity perspective. It presents a high-risk transaction route as a routine financial convenience while suppressing material facts that would likely alter user behavior and partner risk assessments. Key Data Table FieldPayeerBoomChangeCurrent public domainpayeer.online is currently active; payeer.com returned NXDOMAIN in live retrieval boomchange.com remains publicly accessible and is promoted as an instant exchange Public rolePayment gateway and merchant-acquiring style platform on current website Instant crypto exchange / transfer intermediary on public website Sanctions positionIncluded in EU 19th Russia sanctions reporting; transaction prohibition described by compliance sources Not identified as sanctioned in the reviewed source set Enforcement / adverse findingsLithuania reportedly imposed about EUR 9.3 million in sanctions and AML penalties Bitcointalk scam thread alleges fake-exchange conduct, static deposit addresses, phishing behavior, and Binance offloadsConsumer-risk indicatorsFinTelegram reports blocked withdrawals, frozen balances, and trapped funds Community reports describe irreversible loss after sending crypto to operator-controlled addressesOwnership transparencyHistorical structure linked by FinTelegram to Russian control, Lithuania, and offshore entities No verified beneficial owner found; thread points to Armenia-linked digital traces but not formal ownership proof Link between entitiesDestination platform promoted in the openPR guide Transfer route promoted for sending USDT into Payeer Core compliance concernSanctions exposure, AML failings, frozen funds, partner risk Scam risk, lack of ownership disclosure, possible sanctions-evasion facilitation  Whistleblower Call Whistleblowers, former staff, banking and PSP partners, vendors, hosting providers, domain registrars, exchange compliance officers, and affected customers with information on Payeer or BoomChange should submit evidence to Whistle42 and FinTelegram. Especially valuable are internal communications, KYC and sanctions procedures, merchant or affiliate contracts, wallet-cluster data, registrar and hosting records, beneficial ownership documents, and evidence showing how customer or victim funds were routed. Submissions are particularly important where they help identify the real operators behind BoomChange, explain the shift from payeer.com to payeer.online, document any continuing service relationships after sanctions took effect, or prove the use of third-party exchanges and payment rails to keep restricted flows alive. Share Information via Whistle42

FinTelegram has received a copy of what appears to be a Turkish law-enforcement / Interpol-Europol document concerning Ozan Özerk, OpenPayd’s founder and controlling shareholder. The document, provided by a previously reliable source, refers to serious allegations and possible international police-cooperation steps. This lands at a critical moment: OpenPayd is seeking a Nasdaq listing through Titan Acquisition Corp. at a proposed unicorn valuation, while FinTelegram victim files show OpenPayd vIBAN infrastructure in scam payment paths involving Klickl Europe. 2-Minute Briefing OpenPayd wants U.S. public-market investors to buy a unicorn fintech story. FinTelegram is now looking at a much darker disclosure issue: the law-enforcement risk surrounding Ozan Özerk, OpenPayd’s founder, economic owner, and controlling shareholder. FinTelegram has received from a previously reliable source a screenshot of what appears to be a Turkish law-enforcement / Interpol-Europol document concerning Özerk personally. The document identifies Özerk by Turkish ID number, date and place of birth, lists addresses in London and Northern Cyprus, and states that he is actively sought in Turkish UYAP records in relation to serious allegations, including forming an organization to commit crimes, transferring assets derived from money laundering abroad, and fraud through the use of banks, insurance companies, credit institutions or information systems. The document further states that Özerk left Turkey for London on 20 September 2025 and that Turkish authorities had information suggesting that he may still be in the United Kingdom. It also refers to possible Red Notice / Diffusion procedures through the Ministry of Justice and Interpol-Europol channels. FinTelegram has not yet independently authenticated the screenshot through official Turkish court or police records. However, the source has previously provided information that proved reliable. The content is also consistent with OCCRP’s reporting on Turkish money-laundering investigations involving companies owned by Özerk. This matters because OpenPayd is pursuing a public listing through Titan Acquisition Corp. The transaction is designed to bring OpenPayd to Nasdaq under a Cayman PubCo structure, with a proposed pro-forma equity valuation of $1.145 billion. SEC materials identify Özerk as the key company shareholder, directly holding approximately 82.72% of OpenPayd Holdings Limited before the transaction. The risk file does not stop there. FinTelegram has also reported extensively on OpenPayd’s appearance as vIBAN infrastructure provider in alleged investment-scam payment paths involving Klickl Europe Sp. z o.o. Victim files and OpenPayd GDPR/DSAR material indicate that victims paid into OpenPayd named vIBANs / OpenPayd Malta IBANs using CFTEMTM1, with funds swept to Klickl Europe under references such as “Sweep to Primary Account.” That creates a direct Nasdaq disclosure question: how will OpenPayd, Titan, their advisers, auditors, and SEC-facing counsel describe founder-risk, Turkish law-enforcement exposure, vIBAN scam-rail exposure, and the Klickl Europe victim-flow files? Key Findings The copy puts Özerk personally in focus. The apparent Turkish document refers to Ozan Özerk personally, not merely to corporate entities in his network. The allegations described are serious. The document refers to organized-crime, money-laundering-asset transfer, and fraud-related allegations involving banks, credit institutions, insurance companies or information systems. The document refers to international police-cooperation steps. It mentions possible Red Notice / Diffusion procedures through Turkish justice and Interpol-Europol channels. The source is considered credible by FinTelegram. The screenshot was provided by a source previously known to FinTelegram and considered reliable. Formal authentication through Turkish official records remains pending. The content aligns with OCCRP’s reporting. OCCRP reported Turkish money-laundering investigations involving companies owned by Özerk and linked the wider context to its Scam Empire investigation. Özerk is central to the OpenPayd transaction. SEC transaction materials identify him as the key company shareholder and controlling figure behind OpenPayd Holdings. OpenPayd already faces a payment-rail disclosure issue. FinTelegram victim files show OpenPayd infrastructure inside alleged investment-fraud payment paths involving Klickl Europe. Why This Matters For The Nasdaq Transaction The planned OpenPayd–Titan transaction is not a simple growth financing. It is a public-market trust event. OpenPayd wants Nasdaq investors to value the group as a high-growth financial infrastructure platform operating across fiat rails, vIBANs, digital assets, stablecoins and crypto on/off ramps. That story now faces three overlapping disclosure layers: Disclosure LayerCore IssueWhy It MattersFounder / control riskApparent Turkish law-enforcement document concerning Ozan ÖzerkÖzerk is the controlling shareholder and key company shareholderOCCRP / Turkey riskTurkish investigations involving Özerk-owned companiesMatches broader money-laundering and illegal-betting risk contextOpenPayd–Klickl rail riskVictim files show OpenPayd vIBAN infrastructure feeding Klickl EuropeGoes directly to OpenPayd’s core product risk: vIBANs, payment rails, crypto exposure If OpenPayd wants public-market investors to accept a unicorn valuation, these are not footnotes. They belong in the risk-factor discussion. The OpenPayd–Klickl Context FinTelegram has recently documented a pattern involving OpenPayd and Klickl Europe. Victims of multiple fake investment schemes allegedly received OpenPayd-generated named vIBANs. Funds entered OpenPayd infrastructure and were then swept to Klickl Europe Sp. z o.o., a Polish virtual-asset service provider, with references such as “Transfer to Klickl Europe – EUR/Sepa” and “Sweep to Primary Account.” Victim-organized material also points to a broad app-front layer: fake investment apps and scam platforms used to lure victims through WhatsApp, Telegram and social-media grooming before deposits were routed through OpenPayd and Klickl Europe. This is precisely the type of rail exposure that should concern public-market investors. OpenPayd’s business model is built around payment infrastructure, virtual IBANs, regulated accounts, digital-asset rails and cross-border settlement. When that infrastructure appears in victim-fund flows, the issue becomes material. Read our Klickl Europe reports here. Questions For OpenPayd, Titan And Advisers Are OpenPayd and Titan aware of the apparent Turkish law-enforcement / Interpol-Europol document concerning Ozan Özerk? Have Titan, its counsel, auditors and SEC-facing advisers reviewed the underlying Turkish proceedings? Will the Form F-4 / proxy materials disclose the Turkish investigation and founder-risk context? Did OpenPayd disclose the OpenPayd–Klickl Europe victim files to Titan? How many OpenPayd vIBANs were issued in relation to Klickl Europe? How many scam complaints involve OpenPayd Malta / CFTEMTM1? Were SARs or STRs filed in relation to Klickl Europe or the related investment-scam flows? Has OpenPayd terminated or restricted Klickl Europe? Will Nasdaq investors receive the full risk file — or only the unicorn growth narrative? FinTelegram Assessment OpenPayd’s Nasdaq transaction is now a disclosure test. The apparent Turkish law-enforcement document, OCCRP’s reporting, the SEC transaction structure, Özerk’s control position, and the OpenPayd–Klickl victim files all point to the same problem: the public-market story is incomplete without the risk story. FinTelegram does not state that Özerk has been convicted of any offence. The Turkish document reviewed by FinTelegram remains a screenshot and requires formal authentication. But given the credibility of the source, the seriousness of the allegations, and the consistency with the broader OCCRP context, this material is plainly relevant. The question is no longer whether OpenPayd has a growth story. The question is whether OpenPayd and Titan will disclose the full risk story before asking Nasdaq investors to buy it. Read our reports on OpenPayd here. Summary Table — Ozan Özerk / OpenPayd / Titan / Klickl Risk File ElementKey DataFinTelegram RelevanceOzan ÖzerkFounder, economic owner and controlling shareholder behind the OpenPayd group. SEC transaction materials identify him as the key company shareholder with approx. 82.72% direct ownership of OpenPayd Holdings Limited before the Titan transaction.The Nasdaq story is founder-controlled. Any serious law-enforcement, reputational or AML issue around Özerk is directly relevant to the OpenPayd public-market risk profile.Apparent Turkish law-enforcement documentFinTelegram received from a previously reliable source a screenshot of what appears to be a Turkish law-enforcement / Interpol-Europol document concerning Özerk personally. It refers to serious allegations, including organized-crime, money-laundering-asset transfer, and fraud-related allegations involving banks, credit institutions, insurance companies or information systems.If authentic, this materially escalates founder-risk. The document should be reviewed by OpenPayd, Titan, advisers, auditors and SEC-facing counsel.Red Notice / Diffusion referenceThe screenshot refers to possible international Red Notice / Diffusion procedures through Turkish justice and Interpol-Europol channels.This is potentially public-market material. If any international police-cooperation step exists or is being considered, it should be assessed for disclosure.OCCRP contextOCCRP reported Turkish money-laundering investigations involving companies owned by Özerk and linked the wider context to its Scam Empire investigation. OCCRP also noted limits on what was proven regarding knowledge of fraud-derived payments.The screenshot is not isolated. It aligns with a broader investigative and law-enforcement context around Özerk-linked entities.OpenPaydGlobal payments / Banking-as-a-Service group offering vIBANs, pooled accounts, fiat rails, FX, digital-asset infrastructure, stablecoins and crypto on/off ramps.The products are high-risk when abused. OpenPayd’s own infrastructure is central to the FinTelegram scam-rail investigation.Titan Acquisition Corp. transactionProposed SPAC transaction designed to bring OpenPayd to Nasdaq under ticker OP, with a proposed pro-forma equity valuation of $1.145 billion.The transaction creates a disclosure test. Investors should receive the full risk story, not only the unicorn-growth narrative.OpenPayd Global Holdings LimitedCayman Islands PubCo structure planned for the post-transaction listed group.The transaction would place the Özerk-controlled OpenPayd group into a U.S. public-market wrapper.Klickl Europe Sp. z o.o.Polish virtual-asset service provider identified by FinTelegram victim files as recipient of funds swept from OpenPayd vIBAN infrastructure.Klickl is a core node in the OpenPayd scam-rail files. Its role should be disclosed if material to OpenPayd’s risk profile.OpenPayd vIBAN / CFTEMTM1 railVictim files reviewed by FinTelegram show deposits into OpenPayd named vIBANs / OpenPayd Malta IBANs using CFTEMTM1, followed by transfers to Klickl Europe.This is the payment-rail evidence. It goes directly to OpenPayd’s controls around vIBANs, high-risk merchants and crypto/on-ramp customers.“Sweep to Primary Account” referencesOpenPayd payment summaries reviewed by FinTelegram show transfers to Klickl Europe with references such as “Sweep to Primary Account.”This suggests structured routing, not random payment noise. OpenPayd and Klickl should explain the full flow and downstream recipients.Fake investment appsVictim material indicates multiple scam frontends, including KXTRA, fake Peel Hunt / Peelhuntaicore, PHFINCORE, FinTechX, BMEBEX, MirrorTrd, SSGM Pro, YHT and others.The app layer suggests scale. The frontends changed; the payment rail appears to have remained stable.Core disclosure issueFounder-risk, Turkish law-enforcement context, OCCRP reporting, OpenPayd vIBAN exposure, Klickl Europe flows and fake investment-app rails.The Form F-4 / proxy materials should address these risks clearly. Nasdaq investors should not receive a sanitized unicorn brochure while victims hold payment files. Conclusion OpenPayd wants Nasdaq to see a unicorn. FinTelegram sees a control-risk file, a Turkish law-enforcement shadow, OCCRP’s Scam Empire context, and victim evidence showing OpenPayd infrastructure in scam payment paths. If the controlling shareholder of a Nasdaq-bound fintech is referenced in apparent Turkish law-enforcement material involving organized-crime, money-laundering and fraud allegations, investors deserve to know. If OpenPayd’s vIBAN infrastructure appeared in Klickl Europe scam rails, investors deserve to know. This is not a reputational footnote. It is a disclosure issue. Whistleblower Call: Help Us Complete The OpenPayd Risk File FinTelegram calls on victims, insiders, former employees, compliance officers, payment specialists, law-enforcement sources, regulators, Titan advisers, auditors, lawyers, and OpenPayd counterparties to come forward. We are especially looking for information and documents relating to: Ozan Özerk and any Turkish law-enforcement, court, police, Interpol, Red Notice or Diffusion-related proceedings; OpenPayd’s planned Titan / Nasdaq transaction and related due-diligence material; internal OpenPayd risk assessments, board papers, investor presentations, legal memoranda or SEC disclosure drafts; OpenPayd vIBANs, especially OpenPayd Malta / CFTEMTM1; customer, merchant or counterparty files involving Klickl Europe Sp. z o.o.; OpenPayd GDPR / DSAR responses and “Summary of payments” files; transaction references such as “Sweep to Primary Account” or “Transfer to Klickl Europe – EUR/Sepa”; fake investment apps, WhatsApp / Telegram groups, adviser scripts and victim onboarding instructions; SAR / STR filings, internal AML alerts, account freezes, account terminations or remediation measures; communications with Titan Acquisition Corp., advisers, auditors, law firms, regulators, or SEC-facing counsel; information on Ozan Özerk-linked entities, including OpenPayd, Ozan, Ozan Elektronik Para, SuperApp, European Merchant Bank, Akce-related structures, and other connected payment or fintech companies. The questions are simple: What did OpenPayd know?What did Titan review?What will Nasdaq investors be told?Where did the victims’ money go? Victims and insiders can submit documents securely via Whistle42. FinTelegram will protect sources, verify material where possible, and redact personal data before publication. Share Information via Whistle42

The U.S. Supreme Court has unanimously upheld the SEC’s authority to seek disgorgement of illegal profits even where the agency cannot prove a concrete financial loss for specific investors. The ruling preserves a core enforcement remedy and materially increases litigation and settlement exposure for securities violators, including high-risk brokers, microcap operators, and crypto-related issuers touching the U.S. market. 1-Minute Briefing The U.S. Supreme Court has handed the Securities and Exchange Commission (SEC) a significant enforcement victory. In Sripetch v. SEC, the Court unanimously held that the SEC does not have to prove that investors suffered a measurable financial loss before seeking disgorgement of illegal profits from securities-law violators. The decision preserves one of the SEC’s most important financial remedies: forcing wrongdoers to surrender gains obtained through fraud or unlawful securities activity. For regulated firms, promoters, crypto operators, and capital-market intermediaries, the ruling confirms a simple enforcement principle: illegal profits remain recoverable even where victim losses are difficult to quantify. The Case The case involved Ongkaruck Sripetch, who was accused of participating in fraudulent schemes involving multiple penny-stock companies. The SEC obtained a disgorgement order requiring him to repay illegal gains and prejudgment interest. Sripetch challenged the order, arguing that under earlier Supreme Court precedent — especially Liu v. SEC — disgorgement should be available only where the SEC can prove that investors suffered actual financial harm. The Supreme Court rejected that argument. Writing for a unanimous Court, Justice Neil Gorsuch explained that disgorgement is a gain-based remedy. Its core purpose is not to compensate investors for a precisely measured loss, but to prevent wrongdoers from retaining profits generated through unlawful conduct. Context: The SEC’s Disgorgement Power Disgorgement has long been a central SEC enforcement tool. It allows courts to require defendants to give up profits obtained through securities-law violations. However, the remedy has been under pressure for years. In Kokesh v. SEC in 2017, the Supreme Court held that SEC disgorgement can operate as a penalty for statute-of-limitations purposes. In Liu v. SEC in 2020, the Court allowed disgorgement as equitable relief but imposed limits: it generally must be tied to net profits and awarded for the benefit of victims. In SEC v. Jarkesy in 2024, the Court restricted the SEC’s use of in-house administrative proceedings for civil penalties by emphasizing the right to a jury trial. Against this background, Sripetch was closely watched as another potential limitation on the SEC. Instead, the Court clarified that Liu does not impose a separate requirement to prove pecuniary loss. Compliance Consequences For compliance professionals, the decision is important because it strengthens the SEC’s leverage in both investigations and settlement negotiations. Defendants can no longer rely as easily on the argument that the absence of demonstrable investor losses should block disgorgement altogether. The ruling is especially relevant for offerings and distribution models where harm is diffuse, delayed, or structurally opaque, including microcap promotions, token sales, yield products, and offshore-led structures marketed into the United States. In those cases, unlawful revenue extraction, hidden compensation, manipulative trading gains, or proceeds from unregistered activity may remain fully exposed to recovery claims even where victim-level accounting is incomplete. FinTelegram Analysis From a FinTelegram perspective, the judgment is a net win for market integrity and investor protection because it prevents fraud actors from exploiting evidentiary complexity as a shield against repayment. It should also be read as a warning to crypto and fintech operators that formalistic defenses around investor-loss quantification will not neutralize U.S. enforcement risk when unlawful profits can still be shown. For European and offshore operators, the ruling matters beyond traditional securities issuers. Any business model with U.S. nexus, U.S. investors, U.S. dollar rails, or securities-like marketing representations now faces a stronger SEC remedy framework, making pre-launch legal structuring, distribution controls, and revenue-tracing documentation more important than ever. Share Information via Whistle42

The U.S. Supreme Court has unanimously upheld the SEC’s authority to seek disgorgement of illegal profits even where the agency cannot prove a concrete financial loss for specific investors. The ruling preserves a core enforcement remedy and materially increases litigation and settlement exposure for securities violators, including high-risk brokers, microcap operators, and crypto-related issuers touching the U.S. market. 1-Minute Briefing The U.S. Supreme Court has handed the Securities and Exchange Commission (SEC) a significant enforcement victory. In Sripetch v. SEC, the Court unanimously held that the SEC does not have to prove that investors suffered a measurable financial loss before seeking disgorgement of illegal profits from securities-law violators. The decision preserves one of the SEC’s most important financial remedies: forcing wrongdoers to surrender gains obtained through fraud or unlawful securities activity. For regulated firms, promoters, crypto operators, and capital-market intermediaries, the ruling confirms a simple enforcement principle: illegal profits remain recoverable even where victim losses are difficult to quantify. The Case The case involved Ongkaruck Sripetch, who was accused of participating in fraudulent schemes involving multiple penny-stock companies. The SEC obtained a disgorgement order requiring him to repay illegal gains and prejudgment interest. Sripetch challenged the order, arguing that under earlier Supreme Court precedent — especially Liu v. SEC — disgorgement should be available only where the SEC can prove that investors suffered actual financial harm. The Supreme Court rejected that argument. Writing for a unanimous Court, Justice Neil Gorsuch explained that disgorgement is a gain-based remedy. Its core purpose is not to compensate investors for a precisely measured loss, but to prevent wrongdoers from retaining profits generated through unlawful conduct. Context: The SEC’s Disgorgement Power Disgorgement has long been a central SEC enforcement tool. It allows courts to require defendants to give up profits obtained through securities-law violations. However, the remedy has been under pressure for years. In Kokesh v. SEC in 2017, the Supreme Court held that SEC disgorgement can operate as a penalty for statute-of-limitations purposes. In Liu v. SEC in 2020, the Court allowed disgorgement as equitable relief but imposed limits: it generally must be tied to net profits and awarded for the benefit of victims. In SEC v. Jarkesy in 2024, the Court restricted the SEC’s use of in-house administrative proceedings for civil penalties by emphasizing the right to a jury trial. Against this background, Sripetch was closely watched as another potential limitation on the SEC. Instead, the Court clarified that Liu does not impose a separate requirement to prove pecuniary loss. Compliance Consequences For compliance professionals, the decision is important because it strengthens the SEC’s leverage in both investigations and settlement negotiations. Defendants can no longer rely as easily on the argument that the absence of demonstrable investor losses should block disgorgement altogether. The ruling is especially relevant for offerings and distribution models where harm is diffuse, delayed, or structurally opaque, including microcap promotions, token sales, yield products, and offshore-led structures marketed into the United States. In those cases, unlawful revenue extraction, hidden compensation, manipulative trading gains, or proceeds from unregistered activity may remain fully exposed to recovery claims even where victim-level accounting is incomplete. FinTelegram Analysis From a FinTelegram perspective, the judgment is a net win for market integrity and investor protection because it prevents fraud actors from exploiting evidentiary complexity as a shield against repayment. It should also be read as a warning to crypto and fintech operators that formalistic defenses around investor-loss quantification will not neutralize U.S. enforcement risk when unlawful profits can still be shown. For European and offshore operators, the ruling matters beyond traditional securities issuers. Any business model with U.S. nexus, U.S. investors, U.S. dollar rails, or securities-like marketing representations now faces a stronger SEC remedy framework, making pre-launch legal structuring, distribution controls, and revenue-tracing documentation more important than ever. Share Information via Whistle42

Michael Saylor built Strategy — formerly MicroStrategy — into the world’s most aggressive corporate Bitcoin vehicle on one core narrative: buy Bitcoin, hold Bitcoin, never sell Bitcoin. The first net Bitcoin sale since 2022 – a seemingly trivial 32 BTC – has detonated the “never sell” myth around Michael Saylor’s Strategy, raising uncomfortable questions about liquidity, leverage, and the true resilience of the world’s largest corporate Bitcoin treasury. That narrative has now been cracked. 2-Minutes Briefing According to Strategy’s latest SEC filing, the company sold 32 BTC between May 26 and May 31, 2026 at an average price of around 77,135 USD per coin, generating approximately $2.5 million at an average net sale price of $77,135 per Bitcoin. The stated purpose: to fund distributions on preferred stock. Economically, the sale is tiny. Symbolically, it is enormous. Strategy still holds 843,706 BTC, acquired at an aggregate purchase price of approximately $63.87 billion, or $75,699 per BTC. But the sale came just as Bitcoin entered another sharp weakness phase, with BTC falling materially over recent trading sessions and Strategy’s own stock under renewed pressure. On Reddit and other social channels, the community immediately framed the move as both trivial and deeply symbolic: users highlighted that Strategy sold more MSTR stock than BTC to fund obligations, but fixated on the simple fact that “Saylor with diamond hands” had finally sold some coins. Several commenters explicitly tied the sale to dividend and preferred‑share obligations, noting that Strategy recently used cash to retire a chunk of convertible debt and now must find new cash sources for the rich STRC preferred dividends. For a company whose chairman became the high priest of corporate HODL culture, selling even 32 BTC is not just a balance-sheet event. It is a psychological rupture. Key Facts ItemDetailCompanyStrategy Inc., formerly MicroStrategyExecutive ChairmanMichael SaylorBTC sold32 BTCSale periodMay 26–31, 2026Aggregate proceedsApprox. $2.5 millionAverage sale price$77,135 per BTCStated use of proceedsPreferred stock distributionsBTC holdings after sale843,706 BTCAggregate BTC purchase price$63.87 billionAverage purchase price$75,699 per BTCUSD Reserve as of May 31, 2026$900 millionConvertible notes outstanding after recent repurchase$6.7 billionPreferred stock notional outstanding after recent transactions$15.5 billion The Narrative Break: From “Never Sell” To “Dividend Funding” The most explosive aspect of the transaction is not the amount sold. It is the contradiction between the transaction and the public mythology around Strategy. For years, Saylor has framed Bitcoin as the ultimate treasury asset — not something to be traded, trimmed, monetized, or liquidated, but something to be accumulated indefinitely. His public message to Bitcoin investors was simple: hold. Strategy’s sale therefore raises a dangerous question: if the most prominent corporate Bitcoin accumulator can sell to fund obligations, what exactly remains of the “never sell” doctrine? The official explanation is straightforward. Strategy sold the BTC to help fund distributions on preferred stock. That makes corporate-finance sense. But it also exposes the tension at the heart of the Strategy model: the company has built a capital structure around Bitcoin accumulation, but that structure now includes recurring cash obligations. Bitcoin does not pay interest. Bitcoin does not pay dividends. Strategy’s preferred securities do. That mismatch matters. Market Reaction: Tiny Sale, Big Shock The crypto community immediately understood the symbolic risk. On LinkedIn, X, Reddit and other platforms, the debate quickly split into two camps. The first camp calls the sale a “nothing burger.” Their argument: 32 BTC is an immaterial fraction of Strategy’s holdings — roughly 0.004% of the total BTC position. In this view, the sale is an accounting and liquidity-management detail, not a strategic reversal. The second camp sees the sale as the first crack in the vault. Their argument: Strategy did not need to sell much to trigger concern. The issue is precedent. Once the sacred rule is broken, investors must ask how often it may be broken again. This is why the market reacted so strongly. The sale did not matter arithmetically. It mattered narratively. Why Would Strategy Sell Such A Small Amount? From a FinTelegram perspective, the 32‑BTC transaction looks less like a liquidity emergency and more like a calibrated signal to rating agencies, preferred holders and hedge funds that Strategy can and will tap its Bitcoin stack when its capital structure demands it – without abandoning the broader “long forever” narrative. Based on the filings and community reconstructions, a coherent w 1. Calibrated “proof of concept” for BTC‑as‑collateralBy selling an almost comically small 0.004% of its holdings above its average acquisition cost, Strategy demonstrates to credit analysts that its Bitcoin reserve is not just an accounting abstraction but a monetizable buffer for preferred‑share distributions if and when needed. 2. Signaling discipline to preferred holders (STRC et al.)The 8‑K and subsequent commentary emphasize that proceeds are earmarked to facilitate STRC dividends, implicitly telling preferred holders that they will be protected even if that means occasionally dipping into the Bitcoin hoard instead of endlessly issuing new equity. 3. Managing dilution vs. narrative riskStrategy has aggressively relied on ATM equity offerings, selling hundreds of thousands of new MSTR shares to fund Bitcoin purchases and service obligations. With MSTR underperforming Bitcoin over the past 12–14 months and trading below the effective value of its BTC holdings at times, the marginal cost of further equity dilution has risen, making a tiny BTC sale comparatively attractive despite its symbolic cost. 4. Front‑running the next downturn in a controlled fashionSaylor and CEO Phong Le had already telegraphed in recent earnings calls and Q&A sessions that some BTC sales might be on the table, meaning they were preparing the market psychologically for exactly this kind of move. Executing a minuscule sale in a still‑elevated price zone around 77,000 USD allows Strategy to stress‑test price impact and investor reaction before any larger‑scale adjustments in a more severe drawdown. 5. Tactical poker with hedge fundsLevered‑beta players and crypto hedge funds actively trade the MSTR/BTC relationship, and research desks have floated trades shorting MSTR while going long BTC to exploit the company’s rich NAV premium and structural leverage. A token sale may be part of Strategy’s game with this crowd: reminding the market that it can adjust its BTC‑per‑share metric and capital stack opportunistically, potentially destabilizing one‑sided “MSTR is unliquidatable” trades. In short, this sale looks deliberately small because the symbolic damage is the real instrument: Strategy is sacrificing a few basis points of its myth to buy optionality in how it finances its preferred and debt stack going forward. Can MicroStrategy Run Into Liquidity Trouble If BTC Weakness Persists? The core risk question is whether prolonged Bitcoin weakness could push Strategy into a genuine liquidity crisis, forcing larger BTC disposals and potentially triggering a negative feedback loop for both MSTR and BTC. Public analyses of Strategy’s balance sheet and capital structure highlight a multi‑layered risk profile: Strategy has financed a significant portion of its >800,000 BTC war chest with debt, including convertible notes, senior secured loans and, increasingly, high‑coupon perpetual preferred shares with double‑digit dividend rates. Its legacy software business does not generate enough free cash flow to independently service these layers while also supporting continued Bitcoin accumulation. Over the last year, Strategy has retired some debt by using both cash and equity issuance, but at the cost of thinning its cash buffer and diluting existing shareholders. A concise risk map: DimensionCurrent situationRisk in prolonged BTC weaknessBTC holdings~843k–844k BTC, largest corporate treasury worldwideMark‑to‑market value falls; collateral cushion for debt and prefs shrinksAverage BTC cost~75.7k USD per coinExtended trading below cost basis pressures narrative and solvency opticsFunding mixDebt, convertibles, high‑yield perpetual prefs (STRC etc.)Fixed coupons and dividends must be paid regardless of BTC priceOperating businessSoftware & services, insufficient to carry all obligations aloneMakes Strategy structurally dependent on equity and/or BTC salesEquity strategyHeavy use of ATM offerings of MSTRIf MSTR underperforms BTC, equity becomes an expensive funding sourceRecent 32 BTC sale2.5m USD proceeds; 0.004% of holdingsSymbolically shows BTC is on the table as a liquidity backstop In the near term, media analyses and community breakdowns converge on the view that Strategy is not yet in acute distress: the company still has substantial BTC collateral and, after recent equity sales, access to capital markets, even if on less favorable terms. However, r/CryptoCurrency discussions and derivatives‑desk research warn that Strategy’s leverage is a double‑edged sword – amplifying not just Bitcoin’s upside but also its downside, with the potential for margin‑like dynamics if BTC were to trade decisively and persistently below the company’s blended cost basis and key loan covenants.bligations, markets will start pricing the treasury not only as an asset, but also as collateral for an increasingly complex liability stack. FinTelegram Assessment: The Day The Saylor Myth Died For years, Michael Saylor’s Strategy has functioned as a leveraged Bitcoin ETF with a built‑in megaphone: buy BTC, issue more stock, repeat, and never sell – while telling the world to follow. The 32‑BTC disposal does not change the balance sheet; it changes the story. Our working hypothesis is therefore: The sale is a controlled narrative reset, not a panic liquidation. Strategy is deliberately trading a sliver of its “never sell” mystique in exchange for signaling optionality to creditors and preferred holders. If Bitcoin weakness deepens and persists, the company’s capital structure virtually guarantees more of these episodes – potentially larger, more frequent and far less symbolic. This is the moment when institutional allocators, regulators and sophisticated retail investors must stop treating MicroStrategy as a one‑directional Bitcoin proxy and start analyzing it as what it really is: a complex, leveraged, dividend‑bearing Bitcoin structured product wrapped in a Nasdaq‑listed equity shell. Share Information via Whistle42

OpenPayd wants to enter Nasdaq through Titan Acquisition Corp. at a proposed unicorn valuation. The 2025 financial statements of OpenPayd Holdings show real growth, rising profitability, and sharply expanding payment volumes. But they also show a group whose valuation case depends on future scale, not current earnings. FinTelegram’s view: the financial growth story is visible — but so is the disclosure problem around vIBANs, crypto rails, high-risk merchants, and the OpenPayd–Klickl scam-rail files. 2-Minute Briefing OpenPayd Holdings Limited reported a strong financial year to 30 April 2025. Consolidated revenue increased to €47.53 million, up from €32.58 million in 2024. Operating profit rose to €5.63 million, and profit after tax increased to €3.95 million. Processed volume almost doubled to €83.7 billion, while transaction numbers increased to 22.8 million. Client balances also rose sharply to €497.29 million. Download the financial statements here. This is the financial foundation for OpenPayd’s planned Nasdaq transaction with Titan Acquisition Corp. OpenPayd wants investors to value it as a global Banking-as-a-Service and payment-infrastructure platform operating across fiat rails, virtual IBANs, pooled accounts, FX, digital wallets, stablecoins, crypto on/off ramps, and digital-asset services. The growth is real. The valuation is aggressive. The announced transaction targets a pro-forma equity valuation of $1.145 billion. Against FY2025 consolidated revenue of €47.53 million, that implies a revenue multiple of roughly 22–24x, depending on FX assumptions. Against operating profit of €5.63 million, the implied multiple is well above 180x. Even if OpenPayd’s claimed March 2026 ARR of more than $85 million is used, the valuation still sits around 13x ARR. That may be defendable for a high-growth fintech infrastructure company if investors believe in durable expansion, strong margins, low credit risk, clean compliance, and scalable public-market governance. But OpenPayd is not a clean software-only story. Its own financial statements identify regulatory risk, liquidity risk, operational risk, technology risk, and conduct / anti-money-laundering risk as principal risk areas. The group openly states that criminals may target it and its clients to process illicit proceeds. That is the issue. OpenPayd’s valuation pitch and FinTelegram’s risk file collide in the same place: vIBANs, payment rails, crypto on/off ramps, and high-risk merchant flows. Key Findings Revenue growth is strong: OpenPayd Holdings grew consolidated revenue by roughly 46% to €47.53 million. Profitability improved: Operating profit increased to €5.63 million, and profit after tax rose to €3.95 million. Volume growth is the main scale signal: Processed volume rose to €83.7 billion, almost doubling year-on-year. The regulated core is split between UK and Malta: The FCA-regulated UK EMI, SettleGo Solutions Limited dba OpenPayd, generated €34.85 million revenue. The MFSA-regulated Malta payment institution generated €13.29 million revenue. The business model is rail-heavy, not software-light: OpenPayd’s own strategic report describes IBANs, virtual IBANs, payment accounts, SEPA, open banking, FX, stablecoins, wallets, digital assets, and fiat/crypto conversion as core infrastructure. The unicorn valuation is demanding: A $1.145 billion valuation implies a high revenue multiple and an extremely high earnings multiple on FY2025 actuals. Risk disclosure is central: The financial statements themselves identify conduct and AML risk. That makes the OpenPayd–Klickl victim-flow files material to any serious Nasdaq risk analysis. Read our Klickl Europe reports here. Financial Snapshot MetricFY2025FY2024FinTelegram ReadRevenue€47.53m€32.58mStrong growth, but still small versus unicorn valuationOperating profit€5.63m€2.62mProfitability improvingProfit after tax€3.95m€1.59mPositive but modest absolute earningsProcessed volume€83.7bn€44.1bnHigh scale signal; also high AML burdenTransactions processed22.8m14.3mNetwork usage expandingClient balances€497.29m€334.15mMaterial safeguarded / client-fund exposureUK regulated revenue€34.85m€21.14mMain revenue engineMalta regulated revenue€13.29m€11.93mStrategically important cross-border railProposed valuation$1.145bn—Aggressive public-market price tag Is The Unicorn Valuation Plausible? The short answer: financially possible, but not obvious from FY2025 actuals alone. On FY2025 revenue of €47.53 million, the proposed $1.145 billion valuation implies a revenue multiple above 20x. That is a premium fintech-infrastructure multiple. It assumes investors will value OpenPayd not as a regulated payments group with compliance-heavy rails, but as a high-growth embedded-finance and digital-asset infrastructure platform. On earnings, the valuation looks much more stretched. With operating profit of €5.63 million, the implied valuation-to-operating-profit multiple is extremely high. OpenPayd would need to convince investors that FY2025 is only the beginning of a much larger earnings ramp. OpenPayd’s public-market argument therefore depends on four assumptions: revenue growth continues at high speed; ARR and transaction volume convert into durable profit; regulatory and AML controls scale with the business; high-risk payment, crypto and vIBAN exposure does not trigger major regulatory or reputational cost. The first two assumptions are commercial. The last two are the FinTelegram problem. Regulated Entity Breakdown OpenPayd Holdings is not merely a marketing platform. It is a regulated payments group built around licensed entities. SettleGo Solutions Limited, trading as OpenPayd, is the FCA-regulated UK electronic-money institution and the largest revenue contributor. Its FY2025 standalone accounts show revenue of €34.85 million and profit after tax of €4.25 million. OpenPayd Financial Services Malta Limited is the MFSA-regulated Malta payment institution. It generated €13.29 million in revenue and gives the group a strategically important EU payment-rail footprint. The group also refers to OP Digital Services Limited in Malta, approved by the MFSA as a virtual asset service provider, with trading operations commencing in April 2025. This is important because it confirms OpenPayd’s shift deeper into digital-asset infrastructure, including custody, exchange, on/off ramp and stablecoin-related services. FinTelegram Assessment The OpenPayd financials show a real business with growth, licensing, volume, revenue and profit. This is not an empty fintech shell. But the proposed unicorn valuation requires more than growth. It requires trust. That trust is precisely where the risk file sits. The group’s own accounts admit that criminals may target the company and its clients to process illicit proceeds. FinTelegram’s OpenPayd–Klickl reporting shows the practical version of that risk: victim funds allegedly entering OpenPayd vIBAN infrastructure and being swept to Klickl Europe, with fake investment apps feeding the payment rail. The financial statements confirm that vIBANs, payment accounts, digital assets and on/off ramps are central to the business. Therefore, the OpenPayd–Klickl issue is not external noise. It concerns core infrastructure. Conclusion OpenPayd’s 2025 financials support the growth story. They do not automatically support the unicorn story. A $1.145 billion valuation requires investors to believe that OpenPayd can scale revenue, protect margins, control AML risk, manage high-risk merchants, and avoid regulatory damage from scam-rail exposure. That is the disclosure test. OpenPayd has numbers. It also has risk files. Nasdaq investors deserve both. Share Information via Whistle42

OpenPayd wants Nasdaq to buy the unicorn story. FinTelegram sees the scam-rail problem. The Ozan Özerk-founded fintech plans to go public through Titan Acquisition Corp. at a proposed $1.145 billion valuation while victim files reviewed by FinTelegram show OpenPayd infrastructure inside alleged investment-fraud payment paths involving Klickl Europe, fake trading apps, and vIBAN-based victim-fund flows. 2-Minute Briefing OpenPayd wants Nasdaq to buy the unicorn story. FinTelegram sees the scam-rail problem. The Ozan Özerk-founded fintech has announced a business combination with Titan Acquisition Corp., a Nasdaq-listed SPAC. If completed, OpenPayd says it will list on Nasdaq under the ticker OP at a proposed pro-forma equity value of $1.145 billion. The company markets the transaction as a milestone for programmable money, stablecoins, fiat rails, blockchain networks and global payment orchestration. That is the pitch. The risk story is harder. FinTelegram victim files show OpenPayd infrastructure inside alleged scam payment paths in Europe. In the OpenPayd–Klickl Europe cases, victim deposits entered OpenPayd Malta vIBAN / CFTEMTM1 infrastructure and were swept to Klickl Europe Sp. z o.o., a Polish VASP controlled by Chinese interests, with recurring references such as “Sweep to Primary Account.” FinTelegram has also reviewed victim-organized material showing multiple fake investment app frontends feeding the same OpenPayd–Klickl rail. That is not a theoretical compliance issue. It is the core public-market question. OpenPayd sells the exact infrastructure that becomes dangerous when abused: virtual IBANs, pooled accounts, open banking, fiat-to-crypto on/off ramps, stablecoin rails, digital-asset payments and iGaming payment infrastructure. A company seeking a Nasdaq listing at unicorn valuation must explain not only its growth metrics, but also how its rails were used in scam contexts. There is also the founder risk. OCCRP and other media have reported Turkish investigations involving companies owned by Ozan Özerk in connection with alleged money laundering and illegal betting proceeds. OpenPayd is now asking U.S. public-market investors to trust the Özerk fintech ecosystem at scale. The filing question is blunt: will OpenPayd and Titan disclose the scam-rail reality — or will investors receive only the unicorn brochure? Key Findings OpenPayd is selling a Nasdaq growth story.The company says the Titan transaction would bring OpenPayd to Nasdaq under ticker OP at a proposed $1.145 billion pro-forma equity valuation. The business model is high-risk by design.OpenPayd markets virtual IBANs, pooled accounts, open banking, digital-asset infrastructure, on/off ramps, stablecoins, forex and iGaming payments. These products require hard AML controls. FinTelegram files place OpenPayd infrastructure inside scam rails.The OpenPayd–Klickl Europe evidence shows victim funds entering OpenPayd vIBAN infrastructure and being swept to Klickl Europe. Klickl Europe is not a harmless payment detail.It appears repeatedly in victim files as the recipient of funds swept from OpenPayd vIBANs. FinTelegram has flagged Klickl as a Chinese-controlled Polish crypto gateway with DAREX D / Red risk treatment. The fake app layer shows scale.Victim material identifies dozens of victim-app entries and numerous fake investment apps, including Peelhuntaicore, KXTRA, PHFINCORE, FinTechX, BMEBEX, MirrorTrd, SSGM Pro and YHT. Ozan Özerk’s wider ecosystem is a material disclosure issue.Turkish investigations involving Özerk-linked companies and alleged illegal betting proceeds belong in any serious investor-risk review. The SEC filings will test OpenPayd’s transparency.The filings should explain the fraud complaints, high-risk customers, vIBAN controls, Klickl exposure, SAR/STR handling, regulatory inquiries and remediation steps. The SEC Filing: Titan, PubCo, Shareholders — And Ozan Özerk At The Center The SEC filing confirms that the OpenPayd–Titan transaction is not a simple IPO. It is a SPAC-driven restructuring built around a new Cayman Islands public holding company: OpenPayd Global Holdings Limited (“PubCo”). Under the Business Combination Agreement dated 1 June 2026, Titan Acquisition Corp. will merge into PubCo. Titan will cease to exist as a separate company, and its shareholders and warrantholders will receive substantially equivalent PubCo securities. PubCo will then acquire all shares of OpenPayd Holdings Limited, the English company operating the OpenPayd business, in exchange for PubCo ordinary shares issued to OpenPayd’s beneficial owners. After the transaction, OpenPayd Holdings Limited will become a direct wholly owned subsidiary of PubCo. This structure matters. OpenPayd is not simply “listing.” The transaction moves the group into a Cayman-listed public-company wrapper, with the operating OpenPayd business held below it. Transaction Structure ElementSEC Filing DescriptionFinTelegram InterpretationPurchaser / SPACTitan Acquisition Corp., Cayman Islands SPACNasdaq vehicle used to bring OpenPayd to marketPublic company after closingOpenPayd Global Holdings Limited, Cayman IslandsNew PubCo wrapper for the listed groupOperating companyOpenPayd Holdings Limited, England & WalesExisting OpenPayd operating holding companyTransaction mechanicsTitan merges into PubCo; PubCo acquires OpenPayd Holdings LimitedDe-SPAC plus share acquisitionCompany considerationPubCo shares with aggregate value of $800 million, less advisor transaction-fee sharesCore equity consideration for OpenPayd shareholdersMinimum proceeds conditionAggregate transaction proceeds must be at least $130 million, subject to adjustmentsClosing depends on available financing / non-redemptions / PIPE supportSEC processPubCo must file a Form F-4 registration statement including Titan proxy/prospectusThe real risk-factor disclosure will come in the F-4Nasdaq conditionPubCo ordinary shares and warrants must be approved for Nasdaq listingListing approval is a closing conditionLong-stop dateTransaction may be terminated if conditions are not satisfied or waived by 31 December 2026Timeline pressure for Titan, OpenPayd and advisers Shareholder Structure: Ozan Özerk Is The Dominant Shareholder The filing identifies Ozan Özerk, a Cypriot citizen, as the Key Company Shareholder. He directly owns 1,000,000 OpenPayd Holdings Limited shares, representing approximately 82.72% of the company. The remaining 208,953 shares, or approximately 17.28%, are legally held by Zedra Trust Company (Guernsey) Limited as nominee for the relevant beneficial owners. That means the pre-transaction shareholder structure is not dispersed. It is founder-dominated. Shareholder / HolderSharesPercentageRoleOzan Özerk1,000,00082.72%Direct owner; Key Company ShareholderZedra Trust Company (Guernsey) Limited208,95317.28%Nominee legal holder for relevant beneficial ownersTotal1,208,953100%OpenPayd Holdings Limited pre-transaction equity The SEC filing also states that PubCo was newly incorporated and, as of signing, was owned entirely by Özerk. That is important: before the SPAC mechanics take effect, the future listed Cayman holding company is initially an Özerk-controlled vehicle. Ozan Özerk’s Role: More Than Founder Branding The filing does not treat Özerk as a passive founder. It places him at the center of the transaction. Özerk appears in multiple roles: Founder of OpenPayd, presented in the investor materials; Key Company Shareholder, holding approximately 82.72% of OpenPayd Holdings Limited directly; Company Shareholders Representative, empowered to act for OpenPayd shareholders and beneficial owners in transaction matters; sole shareholder of PubCo prior to the transaction mechanics; party to a Key Company Shareholder Support Agreement, under which he agrees to support and vote in favor of the transaction; party to a Non-Competition Agreement effective at closing; recipient of additional SPAC sponsor economics: 1,035,000 PubCo ordinary shares and 1,216,508 PubCo private warrants transferred from the Sponsor in connection with the termination of the Company Shareholders’ Agreement. This is the core governance point: Özerk is not just the face of OpenPayd. He is the controlling shareholder and transaction control figure. Why This Matters For The Risk Story The filing describes OpenPayd’s business as a global, rail-agnostic banking-as-a-service and payments platform enabling fiat and crypto interoperability. It specifically references named virtual IBANs, multi-currency fiat and crypto payment accounts, international and domestic payments, real-time settlements, fiat-to-fiat and crypto-to-fiat-to-crypto conversions, digital wallets, stablecoin minting and burning, on-chain payments, digital-asset trading and blockchain access through a single API infrastructure. That description is critical for FinTelegram’s analysis. It confirms that the very products at the center of OpenPayd’s growth story — named vIBANs, fiat-to-crypto infrastructure, stablecoin rails, digital wallets and crypto conversion capabilities — are not peripheral services. They are the business model. This is also why the OpenPayd–Klickl Europe files are material. FinTelegram victim files show OpenPayd vIBAN infrastructure inside alleged scam payment paths, including funds swept to Klickl Europe with references such as “Sweep to Primary Account.” If OpenPayd wants Nasdaq investors to buy a unicorn infrastructure story, the SEC filings must disclose the fraud-rail exposure clearly. FinTelegram Takeaway The SEC filing confirms the structure: Titan SPAC → Cayman PubCo → OpenPayd Holdings Limited → Ozan Özerk-dominated shareholder base → Nasdaq listing attempt. It also confirms the disclosure battleground. The Form F-4 proxy/prospectus will be the real test. OpenPayd and Titan must decide whether to disclose the difficult facts: OpenPayd vIBAN abuse allegations, Klickl Europe victim flows, fake investment-app rail exposure, high-risk merchant sectors, SAR/STR handling, Turkish investigations involving Özerk-linked firms, and the governance risk of a founder-controlled fintech entering U.S. public markets. OpenPayd wants to sell Nasdaq the infrastructure story. The SEC filing shows who controls that story. FinTelegram will watch what they disclose. The OpenPayd–Klickl Europe vIBAN Scam Files The most sensitive issue for OpenPayd’s Nasdaq ambitions is not the marketing story around programmable money, stablecoins, or global payment infrastructure. It is the hard evidence from Europe: victim files reviewed by FinTelegram show OpenPayd infrastructure inside alleged investment-fraud payment rails, with funds repeatedly routed to Klickl Europe Sp. z o.o., a Polish virtual-asset service provider. Klickl Europe is part of a Chinese-controlled crypto scheme around Michael (Xu) Zhao. SEC filings for Crypto 1 Acquisition Corp identify Zhao as founder, CEO and director. The filing states that he began investing in crypto in 2016, served as founder/executive chairman of International Digital Currency Markets (IDCM), and founded/led VGPay, a crypto-payment business serving crypto exchanges and their clients. Read our report on “Who is behind Klickl” here. The pattern is no longer anecdotal. FinTelegram has reviewed GDPR/DSAR responses and OpenPayd “Summary of payments” files received by victims. These files show a recurring structure: victims made deposits into OpenPayd named vIBANs / OpenPayd Malta IBANs using BIC CFTEMTM1. The funds were then transferred onward to Klickl Europe with references such as “Transfer to Klickl Europe – EUR/Sepa” and “Sweep to Primary Account.” This is the rail map: Victim bank account → OpenPayd named vIBAN / CFTEMTM1 → Payin → immediate Transfer → “Sweep to Primary Account” → Klickl Europe Sp. z o.o. → crypto/on-ramp or settlement layer → unknown operators OpenPayd’s own GDPR response in one victim case confirmed the core architecture. The victim was not OpenPayd’s client. OpenPayd’s corporate client was Klickl Europe. The IBAN assigned to the victim was not a normal personal bank account, but a named virtual IBAN linked to Klickl Europe’s payment account. OpenPayd further stated that funds credited through that vIBAN became the property of Klickl Europe. That point is critical. It means the victim-facing IBAN created the appearance of a personalized payment route, while the economic recipient was Klickl Europe. The victims did not hold real OpenPayd accounts. They were given OpenPayd-generated deposit identifiers that routed money into Klickl Europe’s corporate payment structure. Read our reports on Klickl Europe-facilited scams here. FinTelegram has also reviewed victim-organized material showing that the fraud was not limited to one fake investment platform. KXTRA and fake Peel Hunt / Peelhuntaicore appear to be only two frontends in a much wider app layer. Victim material identifies dozens of app-front entries and numerous fake investment apps allegedly feeding the same OpenPayd–Klickl rail, including Peelhuntaicore, KXTRA, PHFINCORE, FinTechX, BMEBEX, MirrorTrd, SSGM Pro, YHT, KKRDE, KzipPro, FD MIN, Quantanils, Phantom, Voya and others. This points to a repeatable fraud architecture: Disposable investment apps → WhatsApp / Telegram grooming → OpenPayd vIBAN infrastructure → Klickl Europe recipient account → crypto conversion / settlement → hidden operators For OpenPayd, the issue is direct. OpenPayd was not a random bank name appearing once in a victim transfer. Its vIBAN infrastructure appears as the fiat-entry rail in multiple victim files. If OpenPayd issued or serviced named vIBANs for Klickl Europe, it should have records showing how many vIBANs were created, how many retail investors paid into them, how many complaints were received, when transaction monitoring triggered alerts, whether SARs or STRs were filed, and when the relationship with Klickl Europe was reviewed, restricted, or terminated. For Klickl Europe, the issue is even sharper. If the funds were swept into its account, Klickl must know what happened next. It should have customer data, merchant files, transaction records, wallet addresses, conversion records, settlement partners, ledger entries, and compliance alerts. If Klickl was merely used as an on-ramp by fraud operators, it should identify those operators. If it cannot or will not, the suspicion deepens. The public-market question is therefore unavoidable: how will OpenPayd disclose this in its SEC filings? OpenPayd’s business model is built around precisely the type of infrastructure that requires hard controls: virtual IBANs, pooled accounts, fiat rails, digital-asset infrastructure, crypto on/off ramps, stablecoin payments and high-risk merchant sectors. The OpenPayd–Klickl files show why those controls matter. Named vIBANs can become powerful tools for fraud operators when they create a personal-account illusion while routing victim money into a corporate crypto/on-ramp account. This is not a soft compliance footnote. It is a material disclosure issue. Titan, its advisers, OpenPayd’s lawyers, auditors and ultimately the SEC should ask the obvious questions: How many OpenPayd vIBANs were issued for Klickl Europe? How much money flowed through the OpenPayd–Klickl rail? How many victims complained? How many fake investment apps were connected to the rail? Were suspicious activity reports filed? Was Klickl Europe terminated or restricted? Did OpenPayd disclose these facts to Titan and its transaction advisers? Will the Form F-4 / proxy materials include a specific risk factor on vIBAN abuse, fraud-rail exposure and high-risk crypto intermediaries? OpenPayd wants investors to see scalable global payment infrastructure. FinTelegram’s victim files show the other side of that scale: when vIBAN infrastructure is used by fraud networks, the same technology can become a victim-fund collection machine. That is why the OpenPayd–Klickl Europe files belong in the Nasdaq disclosure discussion. The OCCRP Findings OpenPayd founder and beneficial owner Ozan Özerk The Organized Crime and Corruption Reporting Project (OCCRP) reported that Turkish authorities launched a money-laundering investigation targeting companies in the corporate network of Cypriot-Norwegian fintech entrepreneur Ozan Özerk, OpenPayd’s founder and controlling figure. According to OCCRP, the Turkish probe concerns Ozan Elektronik Para A.Ş., an electronic-money institution allegedly used to introduce criminal assets — primarily from illegal betting — into the financial system, and Aveon Global Sigorta A.Ş., another Özerk-majority-owned company allegedly used to inject criminal proceeds disguised as insurance premiums. OCCRP further noted that its earlier Scam Empire investigation found fraud payments running through dozens of companies, including OpenPayd and European Merchant Bank, both owned by Özerk; OCCRP stressed that there was no evidence those companies knew the funds were fraud-derived. For FinTelegram’s OpenPayd–Titan analysis, the point is clear: OpenPayd’s Nasdaq ambitions sit against a wider Özerk ecosystem already linked by investigative reporting and Turkish authorities to money-laundering, illegal-betting and scam-payment questions. Conclusion OpenPayd wants the market to see a unicorn. FinTelegram sees the rail map. Victims paid into OpenPayd infrastructure. Funds were swept to high-risk crypto intermediaries. Fake app frontends multiplied. Turkish investigations around Özerk-linked companies remain part of the risk landscape. Nasdaq investors should not receive a unicorn brochure while victims hold the payment files. OpenPayd’s listing is a disclosure test. If the company wants public-market trust, it must disclose the fraud-rail reality. Summary Table — OpenPayd Nasdaq Pitch vs. Scam-Rail Reality The following table contrasts OpenPayd’s Nasdaq pitch with the FinTelegram risk file. The transaction is not only a capital-markets event; it is a disclosure test for OpenPayd, Titan, their advisers, and ultimately the SEC. CategoryKey Data / EntityWhat OpenPayd / Titan PresentFinTelegram Risk ContextTransactionOpenPayd business combination with Titan Acquisition Corp.OpenPayd plans to go public through a SPAC merger with Titan. Upon closing, OpenPayd expects to list on Nasdaq under ticker OP.The transaction turns OpenPayd’s risk profile into a public-market disclosure issue.Proposed valuation$1.145 billion pro-forma equity valueOpenPayd markets the transaction as a unicorn-valuation milestone.The valuation must be tested against unresolved AML, fraud-rail, high-risk merchant and founder-risk exposure.Potential proceedsUp to $276 million from Titan’s trust account, assuming no redemptionsOpenPayd presents this as growth capital for its next phase.Investor redemptions and SEC scrutiny may increase if risk disclosures are weak or incomplete.Titan Acquisition Corp.Nasdaq SPAC, ticker TACHU / Class A shares TACH / warrants TACHWTitan raised $276 million in its April 2025 IPO and is positioned as a SPAC seeking a business combination.Titan’s due diligence must address OpenPayd’s high-risk payment exposure, not only growth metrics.Titan leadershipChairman & CEO Frank MastrangeloTitan publicly praises OpenPayd as a high-growth financial infrastructure platform.Titan and its advisers become gatekeepers for SEC disclosure of OpenPayd’s risk profile.OpenPayd positioningGlobal financial infrastructure for fiat rails, blockchain networks and stablecoinsOpenPayd claims to operate at the intersection of traditional finance and digital assets.This is precisely the risk zone where scam operators exploit fiat-to-crypto rails.OpenPayd metricsMore than 1,100 customers, over $240 billion annualized transaction volume, over $85 million ARR as of March 2026OpenPayd uses these figures to support the unicorn narrative.Large volume increases AML burden. Scale makes scam-rail exposure more material, not less.Core OpenPayd infrastructurevIBANs, pooled accounts, fiat payments, stablecoin/on-off ramps, digital-asset infrastructureMarketed as programmable money movement and embedded financial infrastructure.FinTelegram files show OpenPayd vIBAN infrastructure appearing in alleged investment-fraud payment paths.OpenPayd Malta railOpenPayd Malta IBAN / CFTEMTM1Not part of the investor pitch.FinTelegram victim files identify OpenPayd Malta / CFTEMTM1 as the fiat-entry infrastructure in multiple scam contexts.Klickl EuropeKlickl Europe Sp. z o.o., Polish VASP, RD WWW-930Not addressed in OpenPayd’s Nasdaq announcement.FinTelegram victim files show funds routed through OpenPayd vIBANs and swept to Klickl Europe with references such as “Sweep to Primary Account.”Klickl risk profileChinese-controlled Polish crypto/on-ramp structureNot part of OpenPayd’s public SPAC pitch.Klickl Europe appears as the EU-facing recipient node in the OpenPayd scam-rail files. RatEx42 flagged Klickl Red / DAREX D.App-front layerKXTRA, fake Peel Hunt / Peelhuntaicore, PHFINCORE, FinTechX, BMEBEX, MirrorTrd, SSGM Pro, YHT and othersNot addressed in OpenPayd’s Nasdaq narrative.Victim material indicates numerous fake investment apps fed funds into the OpenPayd–Klickl rail.Founder / ecosystem riskOpenPayd founder Ozan ÖzerkOpenPayd presents a fintech growth story.OCCRP and other media reported Turkish investigations involving Özerk-linked companies and allegations concerning money laundering and illegal betting proceeds.Regulatory issueSEC filings / Form 8-K / proxy or registration documentsOpenPayd says additional transaction documents will be filed with the SEC.The filings should disclose scam complaints, Klickl exposure, vIBAN abuse, high-risk merchants, SAR/STR handling, and Özerk-linked investigation risk.Core FinTelegram questionDisclosure testOpenPayd wants Nasdaq investors to buy the unicorn story.Will investors receive the full scam-rail risk picture — or a polished fintech growth brochure? The issue is not whether OpenPayd has scale. The issue is whether a company built on vIBANs, pooled accounts, fiat-to-crypto rails and high-risk payment infrastructure will fully disclose how often its rails appeared in scam payment paths. Whistleblower Call FinTelegram calls on victims, insiders, former employees, compliance officers, payment specialists, OpenPayd clients, Titan advisers, auditors, lawyers, regulators, and law-enforcement contacts to come forward. We are looking for documents and information relating to: OpenPayd vIBANs / named IBANs, especially OpenPayd Malta / CFTEMTM1; scam complaints involving OpenPayd infrastructure; OpenPayd–Klickl Europe payment flows; GDPR / DSAR responses from OpenPayd; “Summary of payments” files showing Payin / Transfer patterns; references such as “Sweep to Primary Account”; Klickl Europe account statements, wallet data, merchant records, or onboarding files; fake investment apps connected to OpenPayd rails; internal OpenPayd risk alerts, SAR/STR filings, account freezes, customer exits, or remediation steps; communications with Titan Acquisition Corp., auditors, legal advisers, investment banks, or SEC-facing counsel; any due-diligence material prepared for the planned Nasdaq transaction; information on Ozan Özerk-linked entities, Turkish investigations, illegal gambling exposure, or high-risk merchant relationships. If OpenPayd wants a Nasdaq listing at unicorn valuation, investors deserve the full risk picture. Victims should not be left with payment files while public-market investors receive a sanitized fintech growth story. Documents can be submitted securely via Whistle42. FinTelegram will protect sources and redact personal data where necessary. Share Information via Whistle42

A new technical analysis shared with FinTelegram points to NALMI LIMITED (AS213846) as the infrastructure envelope behind a large rotating casino-domain ecosystem. The findings do not prove that NALMI owns or operates the underlying casino brands. But they do suggest that a substantial cluster of outwardly separate gambling domains — including brands already relevant in the broader Zentoria context — appears to converge within the same hosting and routing environment. That makes NALMI a serious enhanced-due-diligence target. The NALMI Ecosphere in Stealth Mode Illustrative infrastructure map based on technical material reviewed by FinTelegram. The chart visualizes the observed NALMI-associated hosting envelope (AS213846 / 185.207.196.0/22), Cloudflare shielding, and overlaps with domains and brand families already relevant to FinTelegram’s broader Zentoria inquiry. It supports a shared infrastructure hypothesis, but not yet a final ownership or control conclusion. This chart is published as an investigative working model based on technical material and open-source checks reviewed by FinTelegram. It is intended to illustrate observed infrastructure patterns, routing signals, and domain clustering. It should not be read as conclusive proof of final legal ownership, beneficial ownership, or unified operational control of all brands shown. FinTelegram’s investigation into the apparent NALMI ecosystem remains ongoing. A new network-engineering analysis received by FinTelegram suggests that NALMI LIMITED (AS213846) may sit at the center of a much larger technical casino ecosystem than previously understood. According to the material reviewed, the issue is not one casino, one domain, or one payment anomaly. The issue is an apparent infrastructure envelope spanning a large number of gambling-related domain families, combined with Cloudflare shielding, repeated CRM/mail patterns, and visible links to brands already associated with the broader Zentoria-facing environment. NALMI LIMITED is not entirely invisible, but it is remarkably opaque. Public ASN and registry records point to a Marshall Islands entity with an associated domain, nalmiltd.com, yet there is no meaningful transparent corporate web presence comparable to that of an openly operating infrastructure provider. Instead, NALMI presents as a technically traceable but publicly low-profile entity — a pattern made even more noteworthy by the Cyprus-linked contact signal embedded in the same records. The most important point at this stage is methodological: the evidence does not prove that NALMI is the beneficial owner or legal operator of the casino brands observed in the cluster. It does, however, support a narrower and more defensible conclusion: NALMI appears to be the hosting or infrastructure layer behind a rotating farm of casino-facing domains. That alone would make it highly relevant from a compliance and due-diligence perspective. A hosting envelope, not a random collection of sites The technical material reviewed by FinTelegram describes AS213846 / NALMI LIMITED as a hosting ASN with a 185.207.196.0/22 envelope comprising 1,024 IPv4 addresses, and links this range to a large observed casino-facing domain set. The report frames this not as one isolated gambling site, but as a domain-farm system with repeated brand families, numbered variants, mirror domains, and repeated IP reuse across the same NALMI-associated range. That matters because it changes the character of the finding. This is no longer just a question of one rogue domain or one suspicious merchant. It looks, at minimum, like an industrialized infrastructure cluster capable of supporting multiple outward-facing casino skins. NALMI in the Zentoria story The NALMI findings become particularly interesting because they intersect with the Zentoria line of research already under review by FinTelegram. Read our Zentoria reports here. In the report, SPINSOPOTAMIA.COM is treated as the key public-facing anchor into ZENTORIA LIMITED, and the same domain is then mapped into the NALMI-associated IP environment. The report explicitly presents SPINSOPOTAMIA not as a decorative casino logo, but as the visible legal/public wrapper that connects the Zentoria-facing layer into the wider technical ecosystem. That is important. If a domain already relevant to the Zentoria structure resolves into the same NALMI environment as other rotating casino brands, then the NALMI question is not separate from the Zentoria question. It becomes part of the same broader operational picture. Cyprus-linked signals, but not yet proof of control The report also emphasizes several Cyprus-linked signals, including a +357 phone signal in RIPE-related records, routing observations, and latency arguments suggesting Cyprus-local relevance behind the infrastructure. It further argues that Cloudflare acts as a choke point or shielding layer, making direct origin attribution more difficult while leaving certain Cyprus-linked network observations unusually clear. These are serious EDD signals. But they should be treated with caution. What they support is a Cyprus-linked operational footprint. What they do not yet prove is that the entire domain farm is directly controlled from Cyprus, or that the economic or legal controllers of the ecosystem have been conclusively identified. That is the difference between a strong technical red flag and a finished ownership case. Shared infrastructure is easier to show than shared control One of the strongest parts of the report is not the rhetoric, but the cluster logic. The analysis points to repeated DNS, CRM, mail, and infrastructure patterns across brands such as Spinsy, Spinsopotamia, Green Luck, SpinRollz, and Kingmaker. The report describes common mail and customer-communication elements — including Google verification, Mailjet, Zendesk, and Carmamail-style patterns — as evidence of shared operational machinery rather than isolated standalone websites. That is a meaningful distinction. Shared infrastructure and shared tooling do not automatically prove common legal ownership. But they do support the theory of a shared operational ecosystem — and that is often exactly where a serious compliance investigation begins. Where Payabl fits into the wider picture The NALMI analysis does not replace FinTelegram’s earlier work on Payabl, NovaForge, and Zentoria. It complements it. In the broader body of material under review, Payabl appears as a recurring gateway / PSP / payment-rail layer, while Zentoria appears as a cleaner public-facing or legal-facing wrapper and NovaForge as an older, riskier offshore-facing merchant layer. The NALMI report adds a different layer to that picture: infrastructure. In other words: NALMI appears relevant to the hosting / technical environment, Zentoria to the legal / public-facing wrapper, and Payabl to the payment / gateway layer. That multi-layer reading is far more plausible — and more defensible — than any simplistic one-company theory. The right conclusion At this stage, FinTelegram would not state that NALMI “runs” the entire casino network. That would go too far. But it is increasingly plausible that NALMI LIMITED functions as the infrastructure envelope behind a large rotating casino-domain ecosystem, and that this technical ecosystem overlaps with domains, brands, and public-facing wrappers already relevant to the broader Zentoria story. That alone is enough to justify further scrutiny. If confirmed through additional DNS, passive-DNS, routing, and registrar material, the NALMI findings could become a significant part of the wider compliance picture: not as proof of final ownership, but as evidence that many outwardly separate gambling brands may sit inside the same concentrated technical habitat. FinTelegram will continue to review the evidence. NALMI Key Findings CategoryKey InformationInfrastructure Anchor NALMI LIMITED / AS213846 appears as the central hosting / ASN envelope of the observed cluster. Sources: RIPEstat AS213846 | BGP HE AS213846 | RIPE Database Query IP Environment The main observed infrastructure range is 185.207.196.0/22, comprising 1,024 IPv4 addresses, which points to a concentrated infrastructure environment rather than a handful of isolated sites. Sources: RIPE Prefix Query | BGP HE Prefix Overview | RIPEstat Cluster Character The reviewed material indicates a rotating system of mirror domains, numbered variants, brand extensions, and repeated IP reuse, supporting the hypothesis of an industrialized casino-domain farm. Source: Source material reviewed by FinTelegram. Scale The reviewed dataset refers to 994 unique domains, 1,663 domain-to-IP mappings, 138 distinct IPs, and 138 repeated domain families, indicating a network of substantial operational scale. Source: Source material reviewed by FinTelegram. Zentoria Anchor SPINSOPOTAMIA.COM, already relevant in the broader Zentoria inquiry, appears as a key public-facing entry point into ZENTORIA LIMITED. Sources: Revenue Ireland register page | Revenue Ireland PDF register Observed Brand Families Observed casino-facing brands and skins include Spinsy, Spinsopotamia, Green Luck, SpinRollz, and Kingmaker, suggesting a shared operational environment rather than isolated standalone brands. Source: Source material reviewed by FinTelegram. DNS / Mail / CRM Patterns The reviewed material points to recurring backend indicators such as Google site verification, Mailjet, Google SPF, Zendesk mail, and Carmamail, supporting the view of a shared CRM and communications backend. Source: Source material reviewed by FinTelegram. Cloudflare Shielding The observed setup is consistent with a Cloudflare-shielded edge layer in front of the NALMI environment, making direct origin attribution more difficult. Sources: Cloudflare network overview | Cloudflare Anycast overview | plus source material reviewed by FinTelegram Cyprus-Linked Signals The reviewed material highlights Cyprus-linked routing and registry signals, including a +357 phone number and visibility patterns consistent with a Cyprus-facing operational footprint. These are important EDD indicators, but not final proof of control. Sources: RIPEstat AS213846 | RIPE Database Query | plus source material reviewed by FinTelegram RIPE / Registry Profile NALMI appears with a Marshall Islands profile while also showing Cyprus-linked contact signals in RIPE-related data. This is a jurisdictionally unusual combination and a significant due-diligence red flag. Sources: RIPE Database Query | RIPEstat | BGP HE NALMI’s Role At this stage, the most defensible reading is that NALMI functions as an infrastructure or hosting layer, not as the proven merchant, operator, or beneficial owner of the observed casino brands. Sources: RIPEstat | BGP HE | plus source material reviewed by FinTelegram Zentoria’s Role Zentoria appears as the cleaner legal and public-facing wrapper within the broader ecosystem, consistent with earlier FinTelegram findings. Sources: Revenue Ireland register page | Revenue Ireland PDF register Payabl’s Role In the broader investigation, Payabl appears more relevant to the PSP / gateway / payment layer than to the infrastructure envelope itself. This supports a layered model: NALMI = infrastructure, Payabl = payment rail. Sources: Source material reviewed by FinTelegram and earlier payment-path evidence under review. NovaForge’s Role NovaForge remains the likely older, riskier offshore-facing merchant or operator layer in the broader ecosystem, complementing the later and cleaner Zentoria-facing layer. Sources: Source material reviewed by FinTelegram and earlier merchant / wallet comparisons under review. Ownership / Control The current evidence does not conclusively establish that NALMI or the Cyprus-linked signals prove final legal ownership, beneficial ownership, or unified operational control of the full ecosystem. Sources: RIPEstat | RIPE Database Query | plus source material reviewed by FinTelegram Editorial Takeaway The strongest current publication angle is that of a NALMI-linked technical ecosystem behind a rotating casino-domain farm, with visible overlap into the broader Zentoria-facing structure. This supports a shared infrastructure hypothesis, but not yet a final ownership conclusion. Sources: Revenue Ireland PDF register | RIPEstat | plus source material reviewed by FinTelegram NALMI LIMITED (AS213846) appears as a concentrated hosting/infrastructure envelope for a large number of casino-facing domains. The observed environment includes SPINSOPOTAMIA.COM, a domain already relevant to the broader Zentoria line of inquiry. The findings support a shared infrastructure ecosystem, not yet a proven single ownership structure. Cyprus-linked registry and routing signals are notable, but should currently be treated as EDD indicators, not definitive proof of control. The NALMI findings are best read together with the existing Zentoria / NovaForge / Payabl evidence as part of a layered casino-and-payments ecosystem. The NALMI story matters because infrastructure is often the one layer that changes more slowly than brands, domains, or merchant names. If the brands rotate but the technical habitat remains stable, the habitat itself becomes evidence. Share Information via Whistle42

The Bureau of Investigative Journalism (TBIJ) has reported that Belgian prosecutors are investigating Wise, the London-headquartered money transfer and payments giant, over concerns that Wise accounts may have been used in connection with approximately €500 million in suspicious transactions. The investigation reportedly focuses on Wise’s European operations and potential indications of non-compliance with anti-money laundering (AML) legislation. Wise has not been accused of criminal wrongdoing in court. The investigation is ongoing. However, the case adds another regulatory pressure point to a company that has grown into one of the most important cross-border payment infrastructures for retail users, freelancers, SMEs, and increasingly business customers. Key Points Belgian prosecutors reportedly opened the investigation after Wise accounts appeared in hundreds of judicial assistance requests from more than 30 European countries. The suspicious transaction exposure reportedly amounts to approximately €500 million. The investigation concerns Wise’s European operations, handled through Wise Europe SA in Belgium. Wise told TBIJ that its Belgian office manages law-enforcement requests across the EEA and that it is cooperating with the Brussels prosecutor. This is not an isolated compliance issue: Wise has previously faced AML-related scrutiny in Europe and the United States. The case highlights a broader structural issue: electronic money institutions and payment institutions are becoming critical nodes in cross-border financial crime risk. The TBIJ Findings According to TBIJ, Belgian prosecutors are examining whether Wise may have failed to comply with AML obligations after its accounts appeared repeatedly in criminal-proceeding assistance requests across Europe. These requests reportedly involved fraud, corruption, drug trafficking, and other suspected criminal proceeds. The core issue is not whether Wise intentionally enabled money laundering. The relevant compliance question is whether its transaction monitoring, customer due diligence, suspicious activity detection, and law-enforcement response framework were sufficiently robust for the scale and risk profile of its business. This distinction matters. A payment institution can be fully legitimate and still become systemically attractive to criminal networks if its onboarding, account controls, transaction monitoring, and escalation procedures do not scale as fast as its customer base and transaction volume. Wise’s Regulatory Position Wise Europe SA is authorised in Belgium and passported across the EEA. This makes Belgium a central regulatory jurisdiction for Wise’s European operations. TBIJ reports that Wise’s Belgian office handles law-enforcement requests across the EEA, which helps explain why the Belgian prosecutor’s office is a central node in the current investigation. Wise reportedly said it is working with the Brussels prosecutor and routinely cooperates with regulators and law-enforcement authorities. The company also stated that around one third of its staff is dedicated to fighting financial crime. That statement is important, but it also raises a sharper compliance question: if a company has such a large financial crime function, why did hundreds of judicial requests across Europe still accumulate into a reported €500 million suspicious exposure pattern? Prior AML Pressure The new Belgian investigation follows earlier AML-related issues. In 2024, the Financial Times reported that the National Bank of Belgium had required Wise to implement a remediation plan after identifying weaknesses in customer address documentation. In 2025, Wise US entered into a $4.2 million multistate settlement with US regulators over alleged inadequacies in its AML/CFT programme. Those earlier matters do not prove wrongdoing in the Belgian criminal investigation. However, they indicate a recurring theme: Wise’s compliance architecture has been under regulatory pressure in multiple jurisdictions. Compliance Analysis From a compliance perspective, the Wise case is a classic scale-versus-controls problem. Wise built its market position by making cross-border payments cheaper, faster, and easier than traditional correspondent banking. That is precisely what made the company successful. But the same speed, reach, and convenience also make such platforms attractive to fraud networks, mule-account operators, sanctions evaders, and money-laundering structures. For payment institutions, the key risks are: Mule Account NetworksFraud proceeds can be rapidly moved through seemingly ordinary retail or business accounts. Cross-Border FragmentationCriminal flows often touch multiple jurisdictions, making law-enforcement coordination slow and incomplete. High-Velocity Transaction PatternsFast transfers reduce the time available for intervention before funds leave the platform. CDD GapsWeak or outdated customer documentation can undermine risk scoring and transaction monitoring. Business Account MisuseSME and freelancer-style accounts can be abused as payment collection layers for scams or unlicensed activity. Why This Matters Wise is no longer a niche fintech. It is a major global payment infrastructure provider. In Q4 FY2026, Wise reported £49.4 billion in quarterly cross-border volume and 11.3 million active customers. It has also shifted its primary listing to Nasdaq while maintaining a London presence. This makes the Belgian investigation strategically significant. It is not merely a local enforcement matter. It is a test case for how regulators and prosecutors assess the AML responsibilities of global payment platforms that operate between traditional banking, e-money infrastructure, and fintech convenience. FinTelegram Assessment FinTelegram’s preliminary assessment is that the Wise case should be viewed as part of a broader regulatory trend: electronic money institutions and payment institutions are moving from “fintech innovation” status into “systemic compliance infrastructure” status. The core question is no longer whether such firms are cheaper or faster than banks. The question is whether they can detect, stop, report, and explain suspicious flows at the same speed at which they process legitimate transactions. Wise may ultimately demonstrate that it acted appropriately and cooperated fully with authorities. But the reported €500 million suspicious transaction exposure, combined with prior AML remediation and US enforcement history, creates a material reputational and regulatory issue. Call For Information FinTelegram invites former Wise employees, compliance officers, law-enforcement sources, affected customers, and payment industry insiders to provide information about: Wise account closures and fund freezes; suspicious transaction reporting processes; mule account patterns; law-enforcement request handling; Wise Europe SA compliance operations; onboarding and proof-of-address remediation; fraud complaints involving Wise accounts; business account misuse and high-risk merchant flows. Information can be submitted confidentially through Whistle42. Share Information via Whistle42

Executive Summary The global stablecoin market has moved from a crypto-trading utility into a strategic layer of digital financial infrastructure. Stablecoins are now used for exchange settlement, cross-border payments, dollar access, DeFi liquidity, remittances, and increasingly institutional payment flows. The regulatory divide between the United States and the European Union is becoming structural. The U.S. GENIUS Act is designed to domesticate and scale dollar-backed payment stablecoins under a federal framework. The EU’s MiCA regime is designed to contain stablecoin risks, protect monetary sovereignty, and prevent reserve-run contagion into the banking sector. The result is an emerging asymmetry: the U.S. is turning stablecoins into a dollar-export and Treasury-demand mechanism, while Europe is regulating stablecoins primarily as a financial-stability risk. Background: The UniCredit Warning Elena Carletti, Deputy Vice Chair of UniCredit and head of the bank’s risk committee, warned that Europe may be less able than the U.S. to contain shocks arising from the connection between stablecoins and banks. The reference point is the 2023 Silicon Valley Bank (SVB) crisis. SVB held deposits linked to crypto firms, and its collapse destabilized a major stablecoin before U.S. authorities invoked a systemic-risk exception and guaranteed all deposits. That intervention helped stabilize both the banking system and the affected stablecoin market. Carletti’s concern is that Europe cannot easily replicate such a response. Under MiCA, stablecoin issuers must hold reserves in bank deposits and low-risk liquid assets. This creates a forced link between stablecoin issuers and banks. In a stress scenario, Europe may face a double weakness: stablecoins become dependent on banks, while banks may be exposed to volatile stablecoin reserve flows — without a U.S.-style emergency backstop. Global Importance of Stablecoins Stablecoins are no longer a niche crypto instrument. Their market capitalization has grown from a few billion dollars in 2019 to roughly USD 300 billion. The market remains overwhelmingly dollar-based and concentrated in the largest issuers, particularly USDT and USDC. Their strategic importance rests on four functions: Crypto settlement layer: Stablecoins remain the dominant cash-equivalent inside crypto markets. Cross-border payments: They offer fast, 24/7 settlement outside traditional correspondent banking rails. Dollar access: In emerging markets, dollar stablecoins function as synthetic offshore dollars. Treasury demand: Large fiat-backed stablecoin issuers hold substantial reserves in cash and short-term government securities, especially U.S. Treasuries. This explains why the stablecoin debate is no longer merely about crypto regulation. It is about monetary power, banking liquidity, payment sovereignty, sanctions control, and the future role of the dollar and euro in digital finance. U.S. Approach: GENIUS Act The GENIUS Act creates the first comprehensive U.S. federal framework for payment stablecoins. Its core policy logic is pro-growth but prudentially framed. Key features include: 100% reserve backing with liquid assets such as U.S. dollars and short-term Treasuries. Monthly public disclosure of reserve composition. Prohibition on misleading claims that stablecoins are government-backed, federally insured, or legal tender. Priority protection for stablecoin holders in issuer insolvency. Bank Secrecy Act application, including AML and sanctions compliance. Technical capability to freeze, seize, or burn stablecoins when legally required. A pathway for U.S.-regulated banks and non-bank issuers to issue payment stablecoins. Conditional market access for foreign issuers subject to comparable supervision and U.S. registration requirements. The strategic purpose is visible: regulate the sector, protect users, and scale dollar-backed stablecoins as part of U.S. digital-asset leadership. EU Approach: MiCA MiCA takes a more restrictive and risk-control-oriented approach. Stablecoins are mainly regulated as either: E-money tokens (EMTs): tokens referencing one official currency; or Asset-referenced tokens (ARTs): tokens referencing multiple assets, currencies, commodities, or a basket. Issuers require authorization and must comply with reserve, governance, disclosure, own-funds, liquidity, redemption, and supervisory requirements. The EBA has a central role in technical standards and supervision of significant ARTs and EMTs, while ESMA coordinates broader crypto-market rules. MiCA’s objective is not to create a global euro-stablecoin industry at all costs. Its logic is defensive: market integrity, consumer protection, financial stability, and monetary sovereignty. The ECB remains skeptical of a large private stablecoin market in Europe. It fears that stablecoins could make bank deposits more volatile, reduce bank lending capacity, complicate monetary policy, and create new run dynamics. GENIUS vs. MiCA: Key Differences TopicU.S. GENIUS ActEU MiCAStrategic policy directionPromote regulated dollar stablecoins and U.S. digital-asset leadershipContain stablecoin risk and protect financial stabilityCore philosophyInnovation with prudential guardrailsPrudential containment and consumer protectionMain stablecoin categoryPayment stablecoinsEMTs and ARTsReserve model100% backing with liquid assets, especially cash and short-term TreasuriesReserve assets, bank deposits, low-risk liquid assets, liquidity and own-funds requirementsMonetary policy angleSupports dollar dominance and Treasury demandProtects euro sovereignty but restricts rapid stablecoin scalingIssuer opportunityStrong pathway for banks, non-bank issuers, and fintechsMore complex authorization and supervisory burdenForeign issuer accessPossible, but subject to U.S. comparability, OCC registration, U.S. reserve requirements, sanctions complianceNon-EU issuers face MiCA compliance burden for EU accessAML/sanctions focusExplicit Bank Secrecy Act, sanctions compliance, freeze/seize/burn capabilityAML obligations mainly through broader EU AML/CASP framework plus MiCA governance and supervisionBank linkageStablecoins become regulated payment instruments with Treasury/cash reserve baseStablecoin reserves create strong links to EU banks and deposit marketsCompetitive effectLikely accelerates U.S. dollar stablecoin dominanceMay protect the EU system but weaken EU stablecoin competitivenessRegulatory toneIndustrial-policy tool for dollar-based digital financeRisk-management framework for crypto-assetsMarket outcomeEncourages institutional adoptionEncourages compliance but may slow scale and innovation Compliance Analysis The UniCredit warning identifies the key European vulnerability: MiCA reduces issuer risk at the micro level but may create systemic linkage at the macro level. If stablecoin issuers must hold substantial reserves in bank deposits and liquid instruments, their risk becomes bank-system risk. In a crisis, redemptions could pressure both the issuer and the banks holding reserves. In the U.S., the policy architecture is different. The GENIUS Act channels stablecoin reserves toward cash and short-term Treasuries, while the 2023 SVB precedent demonstrated that U.S. authorities may act aggressively to contain systemic spillovers. This does not remove risk, but it creates a more credible expectation of crisis intervention. Europe has stricter rules but potentially weaker crisis elasticity. The U.S. has a more growth-oriented regime with stronger systemic backstop expectations. Market Implications The immediate winner is the U.S. dollar stablecoin sector. Dollar-backed tokens already dominate global supply, liquidity, exchange settlement, DeFi activity, and cross-border crypto payments. GENIUS may reinforce that dominance by giving institutional issuers, banks, fintechs, and payment platforms a clearer legal route. Europe faces a different problem. MiCA provides legal certainty, but legal certainty alone does not create market depth. Euro stablecoins remain marginal globally. Even if MiCA-compliant euro stablecoins emerge, they must compete against the network effects, liquidity, exchange integration, and global demand for dollar tokens. This is why the European debate increasingly frames stablecoins as a strategic-autonomy issue. If Europe regulates too tightly, it may protect banks but leave digital money markets to the dollar. If it relaxes too much, it may import bank-liquidity and monetary-policy risks into the EU financial system. Hypothesis: Europe’s Stablecoin Dilemma Europe is likely to produce compliant but structurally smaller stablecoin issuers, while the U.S. is likely to produce globally scalable dollar stablecoin champions. Under MiCA, European issuers will have regulatory legitimacy but face higher compliance costs, stricter reserve constraints, fragmented banking relationships, and a more skeptical central-bank environment. In contrast, U.S. issuers benefit from a large domestic capital market, deep Treasury liquidity, stronger dollar demand, and a law explicitly designed to promote stablecoin growth. The likely outcome is a two-speed stablecoin market: U.S. stablecoins become global payment and settlement infrastructure. EU stablecoins remain regulated, safer, but comparatively niche instruments. Unless Europe creates a more positive stablecoin strategy — or successfully launches a digital euro and tokenized commercial-bank deposit ecosystem — MiCA may unintentionally reinforce digital dollarisation. The EU may win the regulatory-risk argument while losing the market-scale argument. Conclusion Stablecoins are becoming a strategic financial infrastructure layer. The U.S. has chosen to regulate and scale them. Europe has chosen to regulate and contain them. The UniCredit warning captures the core risk: MiCA links stablecoin issuers to banks without giving Europe a clearly equivalent crisis backstop. That may make the EU framework safer in normal times but more fragile in stress scenarios. From a compliance perspective, MiCA is stronger on containment. From a market-structure perspective, GENIUS is stronger on competitiveness. The decisive question is whether Europe can develop a stablecoin and digital-money strategy that protects financial stability without surrendering the future of programmable money to the dollar. Share Information via Whistle42

The UK has designated Huobi Global S.A., operating as HTX, under the Russia sanctions regime. The designation imposes an asset freeze, internet services restrictions, and correspondent banking / payment processing prohibitions. UK authorities allege there are reasonable grounds to suspect that Huobi Global S.A. provided financial services or made available funds, economic resources, goods or technology to A7 LLC and Garantex Europe OU — both described as operating in sectors of strategic significance to the Government of Russia. Key Findings Designated entity: HUOBI GLOBAL S.A., also listed as HTX (formerly Huobi), HTX Exchange, and Huobi Global Limited. Unique UK sanctions ID: RUS3619. Jurisdictional marker: Panama-registered entity, with the UK sanctions notice listing a Panama City address and the HTX website. Sanctions imposed: Asset freeze, trust services sanctions, director disqualification sanction, internet services sanctions, and correspondent banking / payment processing prohibitions. UK allegation: The UK Secretary of State states there are reasonable grounds to suspect that Huobi Global S.A. supported or obtained a benefit for the Government of Russia by providing financial services or making available funds, economic resources, goods or technology to A7 LLC and Garantex Europe OU. Compliance significance: The designation moves HTX from a high-risk crypto compliance case into a sanctions-screening and transaction-blocking case for UK persons, UK financial institutions, UK VASPs, platforms, app stores, and related intermediaries. Prior UK regulatory context: HTX was already under FCA scrutiny for allegedly illegal cryptoasset financial promotions to UK consumers. UK Sanctions Huobi Global S.A. d/b/a HTX Over Alleged Russia-Linked Crypto Rails The UK has escalated its campaign against Russia-linked crypto and shadow-finance infrastructure by designating HUOBI GLOBAL S.A., operating as HTX, under the Russia sanctions regime. The designation is highly significant. HTX is not a small fringe exchange but one of the best-known global crypto trading brands, formerly operating under the Huobi name. The UK sanctions notice identifies the designated entity as HUOBI GLOBAL S.A., with name variations including HTX (formerly Huobi), HTX Exchange, and Huobi Global Limited. The designation carries a broad sanctions package: asset freeze, trust services restrictions, director disqualification, internet services sanctions, and correspondent banking / payment processing restrictions. For UK-regulated firms, UK VASPs, payment providers, app stores, banks, compliance teams, and counterparties, the message is clear: HTX is now a sanctions-relevant counterparty. The UK’s Allegation: A7 and Garantex Exposure According to the UK designation, the Secretary of State considers that there are reasonable grounds to suspect that Huobi Global S.A. is or has been involved in obtaining a benefit from or supporting the Government of Russia. The alleged basis is specific: the UK says Huobi Global S.A. provided financial services or made available funds, economic resources, goods or technology to A7 Limited Liability Company and Garantex Europe OU. Both are described in the sanctions notice as carrying on business in a sector of strategic significance to the Government of Russia. This wording matters. The UK is not merely alleging weak or incidental exposure. It is framing the case as support to entities within Russia’s strategic financial infrastructure. That makes the designation particularly relevant for sanctions compliance, crypto-asset tracing, counterparty due diligence, and platform-access controls. A7 Network: The Crypto-Financial Bypass Architecture The UK government has described the latest sanctions package as a crackdown on crypto and illicit-finance networks used by Russia to circumvent sanctions and channel funds into its war economy. The A7 network is presented by UK authorities as a Kremlin-backed structure designed to bypass Western sanctions, finance procurement, and process funds linked to Russia’s war economy. For compliance teams, A7 should now be treated as more than a named entity. It represents a network risk model: a sanctions-evasion infrastructure potentially involving exchanges, payment processors, stablecoin issuers, offshore companies, banks, intermediaries, and correspondent/payment relationships. The relevance for HTX is that the UK designation places the exchange within this alleged network exposure. This is precisely the type of risk that cannot be managed by simple name screening alone. It requires transaction-chain analysis, wallet attribution, indirect exposure controls, and enhanced review of flows touching Russia-linked crypto infrastructure. Garantex: The Persistent Sanctions-Evasion Reference Point The inclusion of Garantex Europe OU in the UK statement of reasons is equally important. Garantex has long been one of the most relevant names in the Russia-linked crypto compliance space. The UK’s reference to Garantex in the HTX designation indicates that the regulator is looking not only at direct customer relationships but also at exchange-to-exchange flows, liquidity channels, settlement routes, and facilitation of access to sanctioned crypto infrastructure. For VASPs, this is a warning shot. Exposure to a sanctioned exchange may no longer be assessed only at the direct counterparty level. Where a designated exchange appears upstream, downstream, or as an intermediary in the flow of funds, compliance teams may need to treat the transaction as sanctions-relevant. The Regulation 17A Shift: Crypto Exchanges Treated Like Financial Plumbing The most important compliance development is the application of correspondent banking and payment processing restrictions to crypto exchange infrastructure. In traditional sanctions enforcement, correspondent banking restrictions attack the plumbing of the financial system. Applying similar logic to cryptoasset exchanges means regulators are now treating major exchanges as functional financial infrastructure, not merely as websites or trading venues. This changes the compliance burden. UK credit institutions and financial institutions must not process payments to, from, or via a designated person where the prohibition applies. For digital-asset firms, the practical implication is that blockchain flows need to be assessed for indirect exposure to designated exchanges and related entities. This is a major operational challenge. A simple sanctions-screening check against the immediate customer name is not sufficient. Firms need wallet screening, transaction monitoring, historical exposure analysis, and escalation procedures for funds previously processed by or intended for a designated exchange. Internet Services Sanctions: Platform Access Becomes a Compliance Issue The designation also includes internet services sanctions. Under the UK notice, social media services, internet access services, and application stores must take reasonable steps to prevent users in the UK from accessing content, sites, or applications provided by designated persons. This adds a second enforcement perimeter around HTX. The issue is no longer limited to banks or crypto counterparties. App stores, social platforms, internet access services, and potentially online distribution channels may have to assess whether HTX-related apps, content, accounts, links, and promotional materials remain accessible to UK users. That overlaps with the FCA’s earlier concerns about HTX promotions to UK consumers. In February 2026, the FCA stated that it had begun legal proceedings against HTX for allegedly illegal financial promotions and referred to continued promotions across websites and social media platforms. The sanctions designation now adds a national-security and foreign-policy layer to what was already a UK conduct and financial-promotion enforcement case. Compliance Conclusion The UK’s designation of Huobi Global S.A. / HTX is a landmark crypto sanctions event. It shows that regulators are now willing to treat large offshore exchanges as systemic nodes in sanctions-evasion infrastructure where they allegedly provide services to designated or Russia-linked financial networks. For compliance teams, the response should be immediate: freeze where required, stop prohibited processing, screen name variations, review wallet exposure, identify indirect flows, block UK access where applicable, and document escalation decisions. For the crypto industry, the message is broader: global scale does not neutralize sanctions risk. Offshore structure does not remove UK exposure. And in the post-Garantex, post-A7 enforcement environment, exchange infrastructure is now sanctions infrastructure. Call for Information FinTelegram invites former HTX / Huobi employees, compliance officers, payment partners, liquidity providers, blockchain investigators, victims, and insiders to share information about HTX-related Russia flows, A7 exposure, Garantex-linked transactions, UK user access, wallet clusters, intermediary exchanges, payment processors, and related compliance failures. Information can be submitted confidentially via Whistle42. Please include transaction hashes, screenshots, payment confirmations, account notices, compliance correspondence, wallet addresses, exchange account identifiers, and any evidence of HTX-linked Russia or Garantex exposure. Share Information via Whistle42

Nexo markets itself as a premier digital-asset wealth platform, but its licensing posture in Europe appears materially narrower than its branding suggests. A review of Nexo’s public positioning, entity footprint, product stack, and prior regulatory actions indicates a business model that sits at the intersection of crypto-asset services, lending, and investment-like products, with MiCA likely to force sharper legal boundaries in the EU. Nexo operates a broad crypto platform spanning exchange, custody, crypto-backed lending, OTC, and interest-bearing products, while publicly presenting itself as a “wealth platform” for digital assets. The group appears to rely on a mix of offshore and European entities, including Nexo Capital Inc. in the Cayman Islands, while using EU VASP registrations as the visible regulatory basis for parts of its European activity. Italy’s VASP registration regime supports AML-supervised crypto services, but it does not by itself authorize traditional wealth management, portfolio management, or broad banking-style activity. Nexo’s interest and yield products represent the clearest compliance pressure point, as past enforcement in the United States shows that such products can be treated as unregistered securities or analogous regulated products. Nexo’s MiCA messaging suggests strategic adaptation to the new EU framework, but available public materials do not show that the group already holds a full MiCA CASP authorization. Corporate onboarding practices may rely on aggressive, OSINT-influenced risk assumptions, raising questions around proportionality, relevance, and data minimization in KYB/KYC reviews. The Nexo Narrative and the Regulatory Reality Nexo’s public-facing narrative is straightforward: the company presents itself as a one-stop digital wealth platform where clients can buy, trade, borrow, and earn on crypto assets. That framing is commercially effective, but from a compliance perspective it blurs a critical distinction between regulated crypto-asset services and classical financial services such as portfolio management, investment advice, or deposit-taking. This distinction matters because the legal foundation visible in Europe is not a conventional investment-firm or banking licence. Instead, Nexo points to VASP registrations in several EU jurisdictions and to its ongoing MiCA alignment, which is a materially narrower basis than the expression “wealth platform” may imply to retail and corporate clients. Nexo at a Glance CategoryInformationBrandNexo, marketed as a digital-assets or crypto-wealth platform.Primary domainnexo.com, including localized variants such as /en-us.Other domain/siteNexo Markets https://nexo-markets.com/Core visible legal entitiesNexo Capital Inc.; Nexo Inc.; Nexo Financial LLC; additional Nexo group entities organized primarily in European jurisdictions according to enforcement records.Publicly visible offshore anchorNexo Capital Inc., Cayman Islands, appears repeatedly in app-store disclosures and enforcement materials.Nexo Markets Ltd, Seychelles (Securities Dealer license)Key jurisdictionsCayman Islands, Seychelles, Switzerland, Italy, Poland, and other European jurisdictions; U.S. footprint appears in enforcement and licensing-related disclosures.Product scopeSpot trading, swaps, custody, crypto-backed credit lines, Earn/yield products, OTC services, corporate accounts, and payment-card-related offerings.Founders / key figuresAntoni Trenchev, Kosta Kantchev/Kanchev, Kalin Metodiev; Georgi Shulev appears in historical founder-related reporting and litigation context.Ownership / controlPrivately held group with no fully transparent public UBO picture on the website; public materials point to concentrated founder influence.EU regulatory framingVASP registrations in multiple member states and MiCA transition messaging.Key regulatory pressure pointsEarn products, lending representations, cross-border marketing, entity transparency, and MiCA transition readiness. Entity Structure, Key Persons, and Beneficial Ownership Questions Nexo is a privately held group and does not provide a transparent, consolidated UBO map on its public-facing website. What is visible through public records and enforcement materials is a recurring set of core entities and individuals, above all Nexo Capital Inc. and the founding circle around Antoni Trenchev, Kosta Kantchev, and Kalin Metodiev. This matters from a compliance standpoint for two reasons. First, a fragmented multi-jurisdiction structure can complicate customer understanding of the actual contracting entity, client-asset exposure, and recourse options. Second, concentrated founder control combined with cross-border structuring raises recurring questions around governance, transparency, and intra-group risk allocation that should be central to any institutional due-diligence review. Key Persons and Apparent Control Cluster PersonApparent RoleCompliance RelevanceAntoni Trenchev (LinkedIn)Co-founder and public-facing senior executive; frequently associated with Nexo in public reporting.Central control person, reputational anchor, and likely key individual for governance review.Kosta Kantchev / Kanchev (LinkedIn)Co-founder, Executive Chairman, and core control figure in founder-related reporting.Likely central to beneficial ownership and strategic control assessment.Kalin Metodiev (LinkedIn)Co-founder and recurring key executive figure in reporting and proceedings.Material for governance mapping and historic decision-making review.Georgi Shulev (LinkednIn)Historical co-founder figure referenced in reporting and litigation context. Managing Partner until 2019Relevant to early ownership history and internal disputes over assets/control.​Trayan Nikolov (LinkedIn)Named in reporting around Bulgarian proceedings involving Nexo-linked individuals.​Relevant to expanded key-person screening and contextual risk review.​Peter Serdev (LinkedIn)Contact person Nexo MarketsNexo Markets is registered as a security dealer in the Seychelles Europe: VASP Registrations vs. Actual Licensing Reality Nexo’s European licensing narrative is difficult to verify from its own public materials. The group has publicly claimed since 2022 that it secured VASP registration in Italy and later stated that it holds VASP registrations in several EU member states as part of its preparation for MiCA. Yet the latest available OAM list in Italy does not show any Nexo-branded or obviously Nexo-controlled entity among the registered virtual asset operators.​ This discrepancy alone would warrant caution. Taken together with the group’s own website disclosures, it raises a broader transparency problem around Nexo’s actual regulatory footing in the EEA.​​ First, Nexo’s public-facing website does not provide a clear, consolidated, and current overview of which legal entities are licensed or registered in which jurisdictions, and for which products. The site relies heavily on broad trust and safety messaging, including references to “proven regulatory compliance”, technology partners, audits, and security infrastructure, while omitting the kind of entity-by-entity licensing map that customers would normally expect from a serious cross-border financial services provider. Even on the US-facing site, the footer points to Bakkt disclosures without clearly explaining which Nexo products or entities are covered by which regulated framework.​ Second, Nexo’s EEA Terms of Service do not identify a specific contracting entity. Instead of naming a particular legal person with its registered office, registration number, and competent supervisor, the terms define “Nexo” in broad group language as any holding company, subsidiary, or entity belonging to the Nexo group of companies.​ From a compliance perspective, that is highly problematic. It leaves EEA clients without clear visibility on who the actual counterparty is, which entity bears liability, and which supervisory framework, if any, governs the relevant service relationship.​ Third, the licensing picture only becomes marginally clearer through a separate Security page that is not the obvious first stop for clients seeking legal or regulatory transparency.​ There, Nexo lists selected licences and registrations in California, Australia, Hong Kong, Poland, and Seychelles, including a Polish registration for activities in the field of virtual currencies. Notably absent are any current references to an Italian OAM VASP registration, any other clearly identified EEA registrations, or any MiCA/CASP authorisation.​ In other words, Nexo’s own dedicated licensing page appears to confirm a fragmented and selective regulatory footprint rather than a transparent EEA licensing framework.​ Against that background, the regulatory significance of a VASP registration should not be overstated even where one can be verified. National VASP regimes such as Italy’s OAM framework are primarily AML-centered registration systems for defined crypto-asset services such as exchange, transfer, and custody-wallet activity. They are not equivalent to authorisation as a traditional asset manager, discretionary portfolio manager, investment adviser, or bank, all of which sit under separate legal regimes depending on product design and distribution model. In Nexo’s case, however, the more immediate issue is even more basic: the company’s public narrative suggests a wider European regulatory foundation than can currently be verified from official registers, contractual documentation, and its own licensing disclosures.​ Product-Level Compliance Analysis The compliance risk around Nexo becomes clearest at product level. Some parts of the business fit relatively comfortably within the evolving CASP/VASP perimeter, while others move toward securities, investment-management, or banking-like territory depending on how they are structured, marketed, and distributed. Product / ServiceTypical Nexo FunctionMain Regulatory FrameCompliance AssessmentSpot crypto–fiat exchangeBuying and selling crypto against fiat on platform.VASP regime; MiCA CASP for exchange and execution.Broadly compatible with VASP/CASP logic, provided the serving entity is properly authorized for the EU market.Crypto–crypto swapsIn-app token swaps and conversions.VASP; MiCA CASP.Core CASP-type activity, but token classification remains relevant where instruments may fall outside standard crypto categories.Custody / wallet servicesHolding and administering client crypto assets.VASP; MiCA CASP custody rules.Permissible in principle under the crypto-services regime, but safeguarding, segregation, and insolvency-remoteness are critical control questions.Crypto-backed credit linesLoans against pledged crypto collateral.Hybrid area; VASP-adjacent, but potentially subject to national lending rules.Not automatically prohibited, but structurally sensitive where lending, collateral liquidation, and retail marketing intersect.Retail Earn / interest productsYield-bearing accounts with daily or flexible interest features.​Potential securities / deposit-like / investment-product treatment depending on structure.Highest-risk area; past enforcement strongly suggests VASP registration is not an adequate standalone basis for these products.Corporate yield productsFixed-term yield products for businesses and treasury clients.​Same core concerns as retail Earn, with additional suitability and disclosure expectations.Marketing language such as “high interest yields” and “no downside risk” should be viewed critically from a conduct and product-governance perspective.OTC servicesLarge-volume execution for institutional or corporate clients.​CASP / execution-related perimeter under MiCA.Lower legal novelty than yield products, but requires strong market-conduct, best-execution, and AML controls.Stablecoin-facing servicesUse of stablecoins and fiat-linked token rails within platform services.MiCA for EMT/ART-related services plus CASP obligations.Increasingly sensitive under MiCA, particularly where stablecoin reporting and issuer-related obligations apply.“Wealth platform” positioningUmbrella branding across custody, exchange, yield, and credit.Marketing and conduct risk across multiple regimes.Branding outpaces the visible licensing base and may create a misleading impression of regulated wealth-management status.Corporate accountsBusiness onboarding, custody, OTC, and treasury-style services.​KYB/KYC, AML, sanctions, and underlying product-specific licensing rules.Legitimate in principle, but onboarding and risk assessment must remain proportionate, relevant, and legally grounded. Enforcement History and Why It Matters Nexo’s regulatory history matters because it shows how supervisors interpret the group’s product set when legal classifications become contested. In the United States, Nexo and related entities entered settlements with the SEC and multiple state regulators over the Earn Interest Product, while other proceedings and public notices raised issues around unregistered securities activity and lending-related licensing. Securities Commission of South Carolina: Cease and Desist (2023) New York State Attorney General: $24 million settlement over illegal offerings (2023) NEXO blog on the US settlement: Nexo reaches landmark solutions with U.S. regulators These cases do not automatically determine Nexo’s status in the EU, but they are highly relevant compliance signals. When multiple regulators across jurisdictions converge on the view that interest-bearing crypto products may fall outside a platform’s claimed licensing perimeter, European supervisors and compliance officers have little reason to treat similar marketing claims as low-risk. Corporate Onboarding and the Risk of Compliance Drift Nexo’s corporate-account page targets businesses and family offices and emphasizes relationship management, OTC execution, custody, and yield opportunities. That positioning is consistent with an attempt to move beyond pure retail crypto intermediation and into treasury-style client relationships. The risk emerges when onboarding controls expand beyond relevant KYB/KYC into speculative or OSINT-driven assumptions. Available evidence and user reports suggest that Nexo may, in some cases, request documents tied to third-party media platforms or inferred affiliations that are not obviously connected to the applicant entity. If accurate, that would reflect a problematic drift from risk-based due diligence into compliance overreach, with implications for fairness, data minimization, and procedural integrity. Formula 1 Branding and the Credibility Narrative Nexo has also moved into high-visibility sports marketing through a multi-year partnership with the Audi Revolut F1 Team, where it is presented as the official digital-asset partner. The Formula 1 car already appears prominently on Nexo’s own website and serves a clear reputational purpose: to project scale, permanence, and mainstream legitimacy at a moment when the group’s EU-facing licensing narrative remains in transition from VASP-era registrations toward MiCA.  From a compliance perspective, that distinction matters. Premium sports sponsorship may strengthen brand trust, but it does not answer the underlying questions around entity transparency, product classification, and the legal basis for marketing yield-bearing and wealth-style crypto services in Europe. MiCA: The Pressure Test Ahead MiCA is likely to become the decisive pressure test for Nexo’s EU-facing model. The regulation introduces a more harmonized authorization regime for crypto-asset service providers, clearer conduct and safeguarding obligations, and more explicit treatment of services involving crypto-asset advice and stablecoin-related activity. For Nexo, this means the room for regulatory ambiguity is narrowing. Exchange, custody, and certain execution services may transition into a cleaner CASP framework, but yield products, lending constructs, and wealth-style marketing will face closer scrutiny where substance begins to resemble investment, deposit, or advisory business rather than pure crypto intermediation. Compliance Takeaway Nexo should not be viewed as a conventional regulated wealth manager in Europe. Based on the currently visible public record, it is more accurately described as a crypto-asset platform with a broad product perimeter, supported by VASP-era registrations and in transition toward MiCA, but carrying material licensing, product-governance, and transparency risk in areas such as Earn, corporate yield, lending, and marketing claims. That distinction is not semantic. It goes directly to client protection, legal classification, contracting-entity clarity, and the question of whether customers and counterparties are dealing with a regulated crypto intermediary, a shadow banking-style yield platform, or a business model that has long relied on the grey space between the two. Whistleblower Call FinTelegram invites current and former employees, counterparties, service providers, onboarding clients, and other informed sources with additional information about Nexo’s internal compliance processes, legal entities, beneficial ownership, product governance, and regulatory interactions to come forward. Confidential submissions can be made through the whistleblower platform Whistle42, which is publicly presented as a secure reporting channel for whistleblower intelligence and forensic compliance analysis.​ Share Information via Whistle42

Editorial Note: This report distinguishes between documented facts, public self-positioning, third-party allegations, whistleblower claims and FinTelegram’s compliance-risk assessment. Allegations are reported as allegations and do not constitute final judicial findings. FinTelegram remains open to factual corrections and right-of-reply statements from the entities and persons mentioned. Dream Finance, UAB, through Lithuanian law firm Glimstedt, has demanded the removal and refutation of seven FinTelegram reports concerning Dream Finance, CoinsPaid, CryptoProcessing, SOFTSWISS and FinteqHub. FinTelegram rejects the blanket takedown demands. This forensic explainer sets out the public-interest basis and evidence chain behind our reporting: audited financial statements, registry records, brand disclosures, court materials, prosecution documents, screenshots, whistleblower information and adverse-media reporting. Key Findings Seven legal notices: Dream Finance, UAB, through Glimstedt, demanded the removal and refutation of seven FinTelegram reports concerning Dream Finance, CoinsPaid, CryptoProcessing, SOFTSWISS and FinteqHub. Audited accounts confirm the core structure: Dream Finance OÜ’s audited 2024 annual report confirms that CryptoProcessing and CoinsPaid are its main brands and that its business includes crypto-payment processing, virtual wallets, crypto/fiat exchange, SaaS and OTC services. Curaçao concentration: The 2024 report shows significant revenue from Curaçao — a key jurisdiction in offshore iGaming — giving relevant context to FinTelegram’s reporting on iGaming and casino-payment exposure. Customer-asset sensitivity: Dream Finance OÜ reports significant customer deposits and customer-held virtual currencies, highlighting the public-interest relevance of customer-asset safeguarding, AML/CFT controls and operational risk. Hacking and security risk: The audited report confirms hacking-related losses and states that 2025 revenues were affected by MiCA-related USDT delisting and client-contract terminations under a stricter risk-management strategy. Insider material: FinTelegram reviewed materials provided by a former Dream Finance group executive. An Estonian prosecution notice records internal Dream Finance Venture OÜ / Dream Finance OÜ structures, Wise-account access, and the role of a CoinsPaid finance employee with admin rights. SOFTSWISS / FinteqHub nexus: SOFTSWISS has publicly presented FinteqHub as a payment gateway built by SOFTSWISS for online casinos and sportsbook projects; FinTelegram has also reviewed material connecting Dream Transaction, Lda. to the FINTEQHUB trademark and to SOFTSWISS-linked shareholder references. Ownership questions: Public Estonian company-data information reviewed by FinTelegram identifies Alexander Horst Riedinger as 100% shareholder and ultimate beneficial owner of Dream Finance OÜ, while public founder-level materials connect Ivan Montik to SOFTSWISS, CoinsPaid/CryptoProcessing and Merkeleon. These overlapping narratives make ownership and control transparency a legitimate public-interest issue. Allegations vs. facts: FinTelegram distinguishes between documented facts, public self-positioning, third-party adverse-media allegations, insider claims and FinTelegram’s own compliance-risk assessment. Article Draft Dream Finance, CoinsPaid, CryptoProcessing & SOFTSWISS: The Evidence Chain Behind FinTelegram’s Public-Interest Reporting Dream Finance, UAB, through Lithuanian law firm Glimstedt Bernotas & Partners, has demanded that FinTelegram remove and refute seven reports concerning Dream Finance, CoinsPaid, CryptoProcessing, SOFTSWISS and FinteqHub. FinTelegram rejects these blanket takedown demands. The matter is not a private commercial disagreement. It concerns a large cross-border crypto-payment and iGaming-related ecosystem involving customer assets, crypto-processing, casino-related payment infrastructure, AML/CFT exposure, MiCA transition, hacking incidents, ownership transparency, offshore structures and regulatory-risk indicators. This forensic explainer sets out why FinTelegram considers its reporting to be firmly within the public interest — and why the reporting was not based on invented allegations, but on a substantial evidence chain. That evidence chain includes audited financial statements, corporate and registry information, public brand disclosures, screenshots, whistleblower information, adverse-media sources, court documents, prosecution materials and FinTelegram’s own payment-rail and compliance-risk analysis. The Trigger: Seven Legal Notices From Glimstedt On behalf of Dream Finance, UAB, Glimstedt submitted seven separate notices demanding removal and refutation of FinTelegram publications concerning Dream Finance, CoinsPaid, CryptoProcessing, SOFTSWISS and FinteqHub. The notices broadly object to FinTelegram’s reporting on alleged money laundering, regulatory evasion, sanctions exposure, shadow ownership, iGaming payment flows, corporate structuring, hacking incidents and compliance-risk indicators. FinTelegram reviewed the notices and responded that it does not accept: blanket removal of the publications; a general cease-and-desist undertaking; publication of the proposed refutations; the characterisation of its reporting as defamatory or commercially disparaging. FinTelegram remains willing to correct demonstrably inaccurate factual statements. But broad denials of entire reporting categories do not justify the deletion of investigative publications concerning matters of public interest. Why This Is a Public-Interest Case CoinsPaid and CryptoProcessing are not obscure private actors. They publicly market crypto-payment infrastructure for iGaming, online-casino, crypto-gambling and high-risk business segments. SOFTSWISS publicly presents itself as a major online casino and sports-betting software provider. SOFTSWISS has also publicly described FinteqHub as a payment gateway built by SOFTSWISS for online casinos and sportsbook projects. In that same public context, iGaming has been described as a high-risk industry. That context matters. Crypto-payment processors operating in or around iGaming and casino-payment flows handle sensitive transaction infrastructure. They interact with merchants, wallets, exchanges, liquidity providers, payment intermediaries, gambling operators, offshore jurisdictions and customer assets. This makes them relevant not only for commercial reporting, but also for AML/CFT, regulatory and counterparty-risk analysis. The public-interest basis is further reinforced by the well-publicised CoinsPaid hacking incident. A major crypto-payment processor that publicly reports a significant hacking event and operates in the customer-asset, crypto-payment and iGaming environment is plainly a legitimate subject of investigative reporting and compliance scrutiny. Dream Finance OÜ’s Own 2024 Accounts: CoinsPaid and CryptoProcessing Confirmed Dream Finance OÜ’s audited 2024 annual report is one of the most important evidence anchors. The report confirms that Dream Finance OÜ began operations in 2019 and provides crypto-payment processing services based on internally developed software. It identifies the main brands as CryptoProcessing for B2B services and CoinsPaid for B2C services. The service package includes virtual wallets, crypto/fiat top-ups, custody, withdrawals, crypto exchange, SaaS solutions, cross-chain deposit recovery and OTC transactions. This matters because it directly confirms the Dream Finance–CoinsPaid–CryptoProcessing operating link from Dream Finance OÜ’s own audited reporting. The report also shows substantial scale. Dream Finance OÜ reported 2024 revenue of approximately €32.37 million, up from approximately €25.18 million in 2023. It also reported a profit of approximately €23.1 million after a significant loss in 2023. The recovery was notable. But the report also shows that the business remains highly sensitive to crypto-market, security, regulatory and customer-asset risks. Curaçao Revenue Concentration: The Offshore iGaming Context One of the most striking items in the 2024 annual report is the geographic revenue split. Dream Finance OÜ reported approximately €21.99 million of its 2024 revenue from Curaçao, out of total revenue of approximately €32.37 million. Curaçao is a well-known jurisdiction in offshore iGaming. The audited accounts do not state that Curaçao revenue is casino revenue. However, the Curaçao concentration becomes highly relevant when read together with the public positioning of CryptoProcessing and CoinsPaid in iGaming, casino payments and high-risk payment segments. For FinTelegram, this is not a speculative allegation. It is a risk-relevant fact pattern: audited revenue concentration in Curaçao; public iGaming/casino-payment positioning; crypto-payment processing; high-risk business marketing; customer-asset exposure; cross-border operating entities. This combination clearly justifies public-interest reporting. Customer Assets, Deposits and Operational Risk The 2024 annual report also confirms significant customer-asset exposure. Dream Finance OÜ reported substantial customer deposits and customer-held virtual currencies. The balance sheet shows very large current assets and liabilities, with customer deposits forming a major part of the liability side. This is central to the public-interest analysis. A crypto-payment processor holding or processing large amounts of customer assets requires robust safeguarding, transaction monitoring, wallet controls, AML/CFT systems, liquidity management and incident-response processes. These are not private matters. They are key issues for customers, counterparties, financial institutions, regulators and enforcement bodies. Hacking Incidents and Security Losses Dream Finance OÜ’s 2024 report also confirms a hacking incident on 5 January 2024, with losses of approximately €4.075 million. It states that the stolen funds were marked and reported to the Estonian Police, and that a tracked amount was later returned to company accounts in February 2025. The accounts also report incident-related losses in 2024 and refer to the earlier 2023 hacking event. This confirms another key public-interest factor: the security, resilience and AML/CFT controls of a large crypto-payment processor are legitimate subjects of scrutiny, especially when hacking events and recovery efforts are publicly acknowledged by the company itself. MiCA, USDT Delisting and Risk-Management Tightening The 2024 annual report also contains a significant post-balance-sheet disclosure. Dream Finance OÜ states that 2025 revenues declined due to a combination of factors, including: removal of USDT from the listing in order to comply with MiCA requirements; termination of client contracts due to the company’s stricter risk-management strategy. This is highly relevant to FinTelegram’s reporting on MiCA transition, regulatory exposure and de-risking. It shows that MiCA and risk-management tightening had real operational consequences for the business. That is not a FinTelegram invention. It is disclosed in Dream Finance OÜ’s own audited reporting. Dream Finance UAB, Lithuania, and the Shift Toward Estonia Glimstedt’s client is Dream Finance, UAB in Lithuania. However, CryptoProcessing’s own legal disclosures identify Dream Finance OÜ, Estonia as a key operating entity under the CoinsPaid / CryptoProcessing brand framework. At the same time, Dream Finance UAB, Lithuania, has been publicly presented as having temporarily suspended crypto-asset-related services. This includes onboarding, transaction execution and new agreements. FinTelegram’s reporting on the shift from the Lithuanian UAB structure toward the Estonian OÜ operating framework is therefore plainly relevant. It sits within the broader MiCA transition and the regulatory clean-up of crypto-asset service providers in Lithuania. Ownership and Control: Why Transparency Matters Ownership and control transparency is another public-interest issue. Public Estonian company-data information reviewed by FinTelegram identifies Alexander Horst Riedinger as the 100% shareholder and ultimate beneficial owner of Dream Finance OÜ. The same company-data record links Dream Finance OÜ to the CoinsPaid ecosystem through contact details and website information and identifies Maksym Krupyshev as a management board member. FinTelegram does not assert, without qualification, that any one individual is the beneficial owner of every entity using the CoinsPaid or CryptoProcessing brands. However, given the scale of customer assets, the Curaçao revenue concentration, the iGaming exposure, the hacking history and the shift in operating entities, questions concerning beneficial ownership, control and regulatory accountability are plainly legitimate. This is especially important because public founder-level narratives also connect the broader ecosystem to Ivan Montik, SOFTSWISS, CoinsPaid/CryptoProcessing and Merkeleon. Such overlapping public ownership and control narratives are precisely why investigative scrutiny is required. SOFTSWISS, FinteqHub, Merkeleon and Founder-Level Links FinTelegram’s reporting on the connection between SOFTSWISS, FinteqHub, CoinsPaid/CryptoProcessing and Merkeleon is not arbitrary. It is supported by public communications, trademark and registry information, and founder-level materials. SOFTSWISS has publicly described FinteqHub as a payment gateway built by SOFTSWISS and created by its iGaming-experienced payments team. Public information concerning Ivan Montik and related entities links SOFTSWISS, CoinsPaid/CryptoProcessing and Merkeleon through founder-level and ecosystem roles. FinTelegram has also reviewed information concerning Dream Transaction, Lda., the Portuguese / Madeira entity associated with the FINTEQHUB trademark, and public registry references indicating shareholder links to Pavel Kashuba, PrimeFuture Ltd and Bitcapital Ltd. This supports the relevance of analysing FinteqHub as part of the broader SOFTSWISS-linked iGaming payment ecosystem. International Media Reporting on SOFTSWISS FinTelegram’s public-interest assessment is further supported by independent reporting by major international media. A BR / Tagesschau investigation into illegal online casinos in Germany reported that SOFTSWISS and its founder may be linked to dozens of online-casino websites targeting German players without a German licence. The investigation described a complex network involving Malta, Cyprus and Curaçao and referred to court documents, corporate registers and domain records as relevant evidence. FinTelegram has also reviewed international media reporting concerning disputes around SOFTSWISS-related iGaming assets, including reporting by Radio-Canada and Israeli Calcalist concerning the BeFree / SOFTSWISS investment dispute involving Ofer Baazov, Ivan Montik, Dzmitry Yaikau, Pavel Kashuba and Roland Isaev. These reports describe serious allegations, hacking claims, smear-campaign allegations, offshore investment structures and litigation concerning SOFTSWISS-related iGaming assets. FinTelegram does not rely on such reporting as a final judicial finding of criminal wrongdoing. However, it confirms that the SOFTSWISS-linked iGaming ecosystem has been the subject of substantial international media and litigation scrutiny. That reinforces the public-interest basis for reporting on ownership, control, AML/CFT exposure, adverse-media risk and regulatory transparency. Insider Material and Whistleblower Information FinTelegram has received and reviewed information from insider sources, including a former executive of a Dream Finance group entity. These materials were not treated uncritically. They were assessed together with public documents, registry information, screenshots, payment-rail indicators, corporate records and other supporting material. With respect to the article “FinteqHub’s Hidden Rails: How SoftSwiss’s Gateway Allegedly Funnels Casino Payments Through Spoynt, Decta, Rapyd and Rastpay”, FinTelegram reviewed whistleblower-provided material, including screenshots evidencing payment-method identifiers and payment-rail references relevant to the reporting. This is important: FinTelegram’s reporting was not based on abstract speculation. It was supported by documents and technical indicators provided by sources with relevant knowledge. Estonian Prosecution Notice: What It Shows — And What It Does Not FinTelegram has also reviewed an Estonian prosecution notice concerning an internal Dream Finance Venture OÜ dispute. That document records, among other things, that Dream Finance Venture OÜ was wholly owned by Dream Finance OÜ, that Dream Finance OÜ provided online-wallet and crypto-processing services, and that a CoinsPaid finance employee held admin rights to the Dream Finance Venture OÜ Wise account. The prosecution notice also documents elements of the Dream Finance group structure and internal governance environment. FinTelegram does not rely on this document as proof of criminal wrongdoing by Dream Finance. The prosecution declined to open a criminal investigation against the former executive concerned. Rather, the document is relevant because it demonstrates that FinTelegram reviewed materials concerning internal structures, account access, governance roles, Wise-account controls and group-level operational links. Facts, Allegations and Risk Assessment: FinTelegram’s Editorial Distinction FinTelegram distinguishes between different categories of information. Established facts include audited financial statements, corporate records, registry information, public brand disclosures, legal disclosures and documented company structures. Public self-positioning includes the way SOFTSWISS, CoinsPaid, CryptoProcessing and related brands describe their own services and target sectors. Third-party allegations and adverse-media claims include external reporting and public allegations concerning money laundering, sanctions exposure, regulatory evasion, shadow ownership and related concerns. Whistleblower claims include insider-provided material and screenshots that FinTelegram reviews and assesses. FinTelegram risk assessment is FinTelegram’s editorial evaluation of these materials from a compliance, AML/CFT, payment-rail and regulatory-risk perspective. This distinction matters. FinTelegram does not present allegations, adverse-media claims or risk assessments as final judicial findings. Dream Finance’s Takedown Demand Rejected FinTelegram rejects the characterisation that its reporting is defamatory or commercially disparaging. The fact that Dream Finance, UAB, Dream Finance OÜ, CoinsPaid, CryptoProcessing or affiliated entities disagree with FinTelegram’s reporting or risk assessment does not make fact-supported investigative journalism defamatory. FinTelegram has conducted an editorial review of the publications concerned. Where appropriate, certain formulations were refined to reinforce the distinction between established facts, third-party allegations, whistleblower claims, adverse-media allegations and FinTelegram’s compliance-risk assessment. These clarifications were made voluntarily, in the interest of editorial precision, and without any admission of liability, inaccuracy or wrongdoing. FinTelegram will not remove the publications based on blanket demands. Nor will it publish pre-formulated refutations that do not reflect the underlying evidence record. Right of Reply FinTelegram again invites Dream Finance, UAB, Dream Finance OÜ, CoinsPaid, CryptoProcessing, SOFTSWISS, FinteqHub, Dream Transaction, Lda., and any relevant affiliated entity or representative to provide a concise factual statement responding to the matters raised. FinTelegram remains prepared to review and publish such statement, provided that it is factual, non-defamatory and directly responsive to the issues reported. We also invite insiders, former employees, customers, payment providers, regulators, law enforcement officers and affected merchants to provide information through Whistle42. Compliance Takeaway The Dream Finance / CoinsPaid / CryptoProcessing / SOFTSWISS / FinteqHub case is not simply about one disputed article or one legal notice. It is about the transparency of a crypto-payment and iGaming infrastructure ecosystem operating across multiple jurisdictions, handling significant customer assets, reporting hacking-related losses, undergoing MiCA-driven transition, serving high-risk market segments and attracting international media, regulatory and adverse-media scrutiny. That is exactly the type of ecosystem FinTelegram was created to investigate. Evidence Box Document / SourceWhat It ShowsEvidentiary RelevanceDream Finance OÜ audited annual report 2024Confirms that Dream Finance OÜ’s main brands are CryptoProcessing and CoinsPaid; confirms crypto-payment processing, virtual wallets, crypto/fiat exchange, SaaS and OTC services; shows significant customer deposits, customer-held virtual currencies, hacking-related losses, Curaçao revenue concentration, and MiCA-related 2025 revenue impact.Core documentary evidence that Dream Finance OÜ is a substantial crypto-payment processor operating under the CoinsPaid / CryptoProcessing brands, with customer-asset exposure, offshore revenue concentration, security incidents and regulatory-transition sensitivity.Seven Glimstedt notices on behalf of Dream Finance, UABDemand removal and refutation of seven FinTelegram reports concerning Dream Finance, CoinsPaid, CryptoProcessing, SOFTSWISS and FinteqHub; object to references to money laundering, regulatory evasion, sanctions exposure, shadow ownership, iGaming rails and compliance-risk indicators.Establishes the legal-pressure context and shows that the dispute concerns a broad attempt to challenge FinTelegram’s reporting across an entire ecosystem, not one isolated factual correction.Estonian prosecution notice concerning Dream Finance Venture OÜRecords that Dream Finance Venture OÜ was wholly owned by Dream Finance OÜ; describes Dream Finance OÜ as providing online-wallet and crypto-processing services; records that a CoinsPaid finance employee held admin rights to a Dream Finance Venture OÜ Wise account; documents an internal governance dispute.Demonstrates that FinTelegram reviewed official material concerning internal Dream Finance structures, account access, roles, controls and governance. It is not used as proof of criminal wrongdoing by Dream Finance.CryptoProcessing / CoinsPaid public legal and brand disclosuresPresent Dream Finance OÜ, Estonia, as a key operating entity under the CoinsPaid / CryptoProcessing framework; disclose that Dream Finance UAB, Lithuania, temporarily suspended crypto-asset-related services; publicly market services to iGaming, online-casino and high-risk business sectors.Supports FinTelegram’s reporting on the operational shift from Lithuania to Estonia, the iGaming/high-risk payment context, and the public relevance of MiCA-related regulatory transition.Public Estonian company-data records for Dream Finance OÜIdentify Alexander Horst Riedinger as 100% shareholder and ultimate beneficial owner of Dream Finance OÜ; list company links to CoinsPaid contact details and website information; identify Maksym Krupyshev as management board member.Supports FinTelegram’s public-interest scrutiny of ownership, beneficial control, management and regulatory accountability within the Dream Finance / CoinsPaid / CryptoProcessing structure.SOFTSWISS public statements on FinteqHubSOFTSWISS publicly described FinteqHub as a payment gateway built by SOFTSWISS and created by its iGaming-experienced payments team for online casinos and sportsbook projects; iGaming was described in that context as high risk.Supports FinTelegram’s reporting that FinteqHub is not an unrelated payment gateway, but part of a SOFTSWISS-linked iGaming payment infrastructure context.Dream Transaction, Lda. / FINTEQHUB trademark and registry referencesInformation reviewed by FinTelegram links Dream Transaction, Lda. to the FINTEQHUB trademark and indicates shareholder references to Pavel Kashuba, PrimeFuture Ltd and Bitcapital Ltd.Supports analysis of FinteqHub as part of a broader SOFTSWISS-linked founder, shareholder and iGaming-payment ecosystem.BVI court materials concerning SOFTSWISS-related iGaming assetsDocument investor and shareholder disputes involving SOFTSWISS-related iGaming assets, offshore holding structures and Russian-linked investors.Supports the public-interest basis for scrutinising ownership, control, offshore structuring and transparency in the SOFTSWISS / CoinsPaid / CryptoProcessing ecosystem.BR / Tagesschau investigation into illegal online casinosMajor German public-broadcaster reporting described alleged links between SOFTSWISS / its founder and online-casino websites targeting German players without a German licence; referenced Malta, Cyprus and Curaçao structures, court documents, registers and domain records.Confirms that SOFTSWISS-linked iGaming structures are already the subject of major public-interest media scrutiny, not merely FinTelegram reporting.Radio-Canada and Calcalist reporting on BeFree / SOFTSWISS disputesInternational media reporting concerning disputes involving Ofer Baazov, Ivan Montik, Dzmitry Yaikau, Pavel Kashuba, Roland Isaev, Rivos Megrelashvili, and SOFTSWISS-related iGaming assets; includes allegations of hacking claims, smear campaigns, offshore structures and litigation.Used as adverse-media and public-interest context, not as a final judicial finding of criminal wrongdoing. Supports the relevance of AML/CFT, ownership, governance and reputational-risk scrutiny.CoinsPaid public reporting on its hacking incidentCoinsPaid publicly reported and discussed a major hacking incident affecting the company.Reinforces the public-interest basis for reporting on security, AML/CFT, transaction monitoring, asset safeguarding and operational-risk controls at a large crypto-payment processor.Whistleblower / insider materials reviewed by FinTelegramFinTelegram reviewed materials provided by insider sources, including a former executive of a Dream Finance group entity; materials included screenshots, payment-method identifiers, payment-rail references and internal-structure information.Supports the fact that FinTelegram’s reporting was not based on abstract speculation, but on insider-provided material reviewed alongside public records and other evidence.Screenshots and payment-rail indicators concerning FinteqHub / LuckyDreamsScreenshots reviewed by FinTelegram show payment-method identifiers and payment-rail references relevant to the FinteqHub / SOFTSWISS / casino-payment reporting.Supports article-specific reporting on the alleged FinteqHub payment-rail structure and explains why the reporting was framed as whistleblower-based and evidence-supported.Public adverse-media sources concerning SOFTSWISS, CoinsPaid and CryptoProcessingThird-party sources have publicly raised allegations concerning money laundering, sanctions exposure, regulatory evasion, shadow ownership and related misconduct.FinTelegram reports these as third-party allegations, adverse-media claims and risk indicators — not as final judicial findings. They form part of the compliance-risk context. Editorial Note: This evidence table distinguishes between audited records, official or registry material, public brand disclosures, court and prosecution documents, media reporting, adverse-media allegations, whistleblower material and FinTelegram’s own compliance-risk assessment. Allegations are reported as allegations and do not constitute final judicial findings. Call for Information FinTelegram is continuing its investigation into the Dream Finance / CoinsPaid / CryptoProcessing / SOFTSWISS / FinteqHub ecosystem and invites insiders, former employees, payment providers, compliance officers, regulators, law-enforcement sources, affected merchants, customers, and industry participants to come forward. We are particularly interested in information concerning: AreaInformation SoughtPayment RailsEvidence of payment flows involving CoinsPaid, CryptoProcessing, FinteqHub, Dream Transaction, SOFTSWISS-linked casinos, PSPs, EMIs, crypto exchanges, liquidity providers, or offshore casino operators.iGaming / Casino ClientsInformation on casino operators, gambling platforms, white-label providers, brands, domains, cashier systems, payment descriptors, or merchant accounts connected to the ecosystem.AML / CFT ControlsInternal policies, transaction-monitoring alerts, SAR/STR handling, KYC practices, high-risk-client onboarding, risk overrides, compliance exceptions, or regulatory communications.Ownership & ControlDocuments or insider knowledge concerning beneficial ownership, nominee structures, shareholder arrangements, founder-level control, offshore holding entities, or related-party arrangements.MiCA / Regulatory TransitionInformation on Dream Finance UAB’s Lithuanian suspension, Dream Finance OÜ’s role as operating entity, client migration, USDT delisting, contract terminations, de-risking, or regulatory correspondence.Security Incidents & HacksInternal reports, wallet-flow evidence, incident-response materials, recovery efforts, law-enforcement contacts, liquidity-provider involvement, or blockchain-tracing material.FinteqHub / SOFTSWISS LinksEvidence concerning FinteqHub’s development, ownership, payment-routing role, Dream Transaction Lda, PrimeFuture, Bitcapital, Pavel Kashuba, Ivan Montik, or related SOFTSWISS entities. Secure Contact:If you have relevant information, documents, screenshots, payment receipts, blockchain data, internal communications, compliance reports, or regulatory correspondence, please contact FinTelegram through Whistle42. Share Information via Whistle42