Editorial

newsfeed

We have compiled a pre-selection of editorial content for you, provided by media companies, publishers, stock exchange services and financial blogs. Here you can get a quick overview of the topics that are of public interest at the moment.
News from the economy, politics and the financial markets
In this section of our news section we provide you with editorial content from leading publishers.


Latest news

The “Shadow Stack” Exposed: SegoPay and HuchPay Fueling Sanctioned iGaming Groups After €4M KSA Fine

The massive €4.228 million fine imposed by the Dutch Kansspelautoriteit (KSA) on the Starscream Group was intended to be a death blow to the illegal iGaming operation. Yet, brands like Rant Casino and AllStarz Casino remain online, accepting deposits from European victims as if nothing happened. How? FinTelegram can now expose the “Shadow Stack”—a sophisticated, multi-layered payment architecture built by SegoPay and HuchPay to bypass EU enforcement and keep the money flowing to sanctioned entities.

The Anatomy of the Two-Tier “Black Rail”

Our investigation, supported by the latest compliance data from our sister platform RatEx42, reveals that these two providers operate a tag-team maneuver to hide the money trail:

Layer 1: SegoPay (The Obfuscator)

Acting as the merchant-facing gateway, SegoPay (segopay.com) is the “dirty” end of the stick. It provides the API that connects illegal casinos to the banking system. Our analysts have flagged SegoPay for its complete lack of regulatory licensing and its use of rotating “shadow IBANs” to avoid bank detection. View the full SegoPay Compliance Profile on RatEx42: SegoPay Black-Risk Listing

Layer 2: HuchPay (The Technical Wrapper)

Once SegoPay captures the transaction, it is routed through the French-registered HuchPay (HUCH SAS). HuchPay acts as a “technical service provider,” utilizing Open Banking protocols to give the transaction a veneer of legitimacy before it hits the SEPA network. By the time the money reaches its destination, the “gambling” origin has been scrubbed. View the full HuchPay Compliance Profile on RatEx42: HuchPay Black-Risk Listing

Defying the Regulators

The KSA fine against Starscream exposed a critical chokepoint: the payment facilitators. While traditional banks have blocked these operators, the SegoPay/HuchPay stack exploits the “Technical Service Provider” loophole. By not holding a direct banking license, they operate in a regulatory vacuum, ignoring AML/KYC requirements and facilitating transfers for casinos that are explicitly banned in the EU.

The “Chargeback-Free” Trap

SegoPay and HuchPay market themselves to high-risk merchants with the promise of “Zero Chargebacks.” For victims, this is a nightmare. Because these transactions are processed as “Instant Bank Transfers” via Open Banking, users have zero protection once their funds are drained into the Starscream ecosystem.

Whistleblowers Wanted

FinTelegram is calling on employees, former associates, and bank compliance officers who have handled transactions involving SegoPay, HUCH SAS, or Starscream Limited.

Do you have internal merchant contracts?

Do you have settlement reports showing where the funds are truly being laundered?

Do you have the identities of the UBOs behind SegoPay?

Submit your information anonymously via Whistle42.com. Help us dismantle the shadow rails.


DOJ’s Helix Playbook: Prosecute the Operator, Seize the Assets, and Turn the Mixer Into a $400M Compliance Warning

The U.S. Department of Justice (DOJ) just finalized forfeiture of $400M+ in crypto, real estate, and monetary assets tied to Helix, one of the darknet era’s best-known Bitcoin “mixers.” The message is blunt: mixers that function as laundering infrastructure won’t just be “disrupted” — they’ll be stripped.

Key Facts

What happened (now): A U.S. court entered a final order of forfeiture on Jan. 21, 2026, giving the government legal title to $400M+ in assets previously seized from Helix operator Larry Dean Harmon.

Helix’s role (2014–2017): DOJ says Helix processed roughly 354,468 BTC (about $300M–$311M at the time), blending user funds to obscure source, destination, and ownership.

Darknet integration: Helix wasn’t a standalone “privacy tool.” It offered an API that allowed darknet markets to integrate Helix directly into their Bitcoin withdrawal flows; investigators traced tens of millions from darknet markets to Helix.

Criminal outcome: Harmon pleaded guilty (Aug 2021) to money laundering conspiracy and was sentenced (Nov 2024) to 36 months plus supervised release, forfeiture judgment, and forfeiture of seized property.

Parallel regulator action: FinCEN assessed a $60M civil money penalty (Oct 19, 2020), treating Helix/Coin Ninja as unregistered MSB/money transmitters with BSA/AML obligations (registration, AML program, reporting/recordkeeping).

Enforcement stack: IRS-CI + FBI led the investigation, with international support (including Belize) and coordination with FinCEN.

Short Analysis

DOJ’s approach to Helix is the “full-stack” mixer takedown. First, prosecute the operator (money laundering conspiracy). Second, seize the assets. Third, lock it in with a final forfeiture order that converts seizure into government-owned property at scale — in this case, more than $400 million. That combination does something sanctions alone can’t always do: it permanently removes the economic base and signals that “years later” does not mean “safe.”

The compliance lesson is that Helix was engineered as a laundering utility, not neutral infrastructure. DOJ describes Helix as one of the most popular darknet mixers, built to support major darknet markets and integrated via API into their withdrawal systems. That’s not “optional privacy”; it’s product-market fit for obfuscation. For regulated entities, this matters because exposure is rarely direct: it arrives via deposit clustering, peel chains, and downstream consolidation when “mixed” funds hit exchanges, OTC desks, or payment gateways.

FinCEN’s parallel posture matters as much as DOJ’s. FinCEN’s 2020 action frames mixers/tumblers as financial institutions (money transmitters/MSBs) when they accept/transmit convertible virtual currency — with core obligations: register, run an AML program, and file reports. If your compliance team still treats “mixer exposure” as a generic blockchain-risk footnote, Helix shows how U.S. enforcement treats it in practice: as a BSA failure case and a laundering conspiracy — with asset forfeiture as the endgame.

Call for Information

FinTelegram is collecting intelligence on mixer exposure pathways: exchange accounts, OTC desks, payment processors, or banking relationships that repeatedly touch funds from mixers/tumblers (directly or via nested services). If you have compliance screenshots, SAR typologies, internal alerts, or correspondence involving Helix-like services, submit securely via Whistle42.com.


BaFin’s Bitpanda Bombshell: Vienna’s MiCA Hub Puts Austria’s FMA Under the Compliance Microscope

A BaFin special audit has found 16 deficiencies at Bitpanda’s German subsidiary, including serious weaknesses in risk management, IT and outsourcing. Yet Bitpanda’s home regulator, Austria’s FMA, is simultaneously building a MiCA “crypto hub” in Vienna – licensing Bitpanda and other high-risk players – with Austrian lawyer Oliver Stauber among the key architects.

Key Facts

German watchdog BaFin conducted a special audit of Bitpanda Asset Management GmbH (BAM), Bitpanda’s licensed German subsidiary, in 2023 – roughly a year after granting its licence.

The audit report listed 16 deficiencies: five “severe”, four “significant”, six “medium” and one minor – mainly in risk management, IT and outsourcing, all core areas for investor protection.

BAM had outsourced key functions, including crypto custody and KYC, back to Bitpanda group entities in Vienna – raising structural questions that reach beyond Germany.

Internal auditors later flagged information-security weaknesses, poor documentation and a lack of regulatory expertise – findings echoed in ICIJ’s “Coin Laundry” cooperation.

Despite this, Bitpanda GmbH in Vienna obtained a full MiCA CASP licence from the Austrian FMA in April 2025 and now sits at the centre of an emerging Vienna MiCA hub.

The same FMA co-signed a joint paper with France’s AMF and Italy’s Consob in September 2025 warning about jurisdiction shopping and calling for ESMA to directly supervise major CASPs.

Vienna is now home to MiCA licences for KuCoin EU, Bitpanda, Bybit, AMINA and others – with former Bitpanda Chief Legal Officer Oliver Stauber playing a prominent role in KuCoin’s licence and now Bitget’s EU MiCA push, alongside advisory work by EY Law.

Short Analysis

From a pure compliance perspective, the Bitpanda case is a stress test for how Europe’s new MiCA regime interacts with traditional prudential supervision. BaFin’s special audit of BAM did not quibble about minor paperwork; it attacked the heart of the control framework – risk governance, IT security and the oversight of outsourced functions, many of which led straight back to Vienna. Internal auditors added their own red flags about information-security controls and regulatory know-how inside the organisation. Bitpanda insists that all deficiencies have been remedied. But the very pattern – aggressive expansion, outsourcing to group entities, and post-hoc remediation – is exactly what MiCA was supposed to bring under tighter, harmonised control.

That is where Austria’s FMA enters the frame. As Bitpanda’s home supervisor, the FMA is now MiCA gatekeeper not just for Bitpanda, but for a growing list of CASPs using Vienna as their EU launchpad. KuCoin EU, Bybit EU, AMINA and others have chosen Austria as their passporting hub – a fact proudly highlighted by industry press and the firms themselves. At the same time, the FMA publicly complains – together with AMF and Consob – that national regulators struggle to supervise global platforms and that only ESMA-level oversight can prevent regulatory arbitrage. You cannot have it both ways. If Vienna markets itself as a high-standard MiCA hub while licensing exchanges that foreign regulators have criticised or penalised, the FMA must be able to demonstrate tangible, intrusive supervision – not just well-phrased position papers.

The human factor matters, too. Former Bitpanda CLO Oliver Stauber, who oversaw group legal and licensing during the period when BAM’s structures were being built, is now the go-to MiCA frontman for other large exchanges – first KuCoin EU, now Bitget EU – with EY Law prominently advising on MiCA authorisations. Formally, there is nothing illegal about a “MiCA-as-a-service” career path. Substantively, it raises a sharp question: is Austria exporting regulatory expertise – or importing other people’s unresolved risks and enforcement histories into the EU single market? For investors and counterparties, the answer will depend less on speeches and more on the next inspection reports – this time with the FMA’s name on the letterhead.

Call for Information

FinTelegram invites current and former employees of Bitpanda, BAM, KuCoin EU, Bitget EU, EY Law and other Vienna-based CASPs, as well as regulators and service providers with insight into MiCA licensing and supervision, to contact us confidentially via Whistle42.com. Documents, internal risk reports and correspondence relating to BaFin findings, FMA MiCA approvals or “Vienna hub” structuring are of particular interest.


Vienna’s MiCA Playbook: How a “Rent-a-CEO” Model Turns Austria into the Gateway for High-Risk Crypto Exchanges

Austria’s Financial Market Authority (FMA) has turned Vienna into a MiCA hub – and a single Viennese lawyer, Oliver Stauber, keeps appearing at the front door. First KuCoin, now Bitget: both global exchanges with serious regulatory baggage, both pushing their EU entry via Austria, both with Stauber as CEO or managing director at the licensing stage. From a compliance perspective, this “rent-a-CEO” model looks increasingly problematic.

Key Points

Viennese lawyer Oliver Stauber led KuCoin EU’s MiCA application in Austria as managing director/CEO – the FMA granted the MiCA CASP licence on 27 November 2025.

Shortly after the licence was granted, Stauber exited both KuCoin EU Exchange GmbH and KuCoin EU Holding GmbH; KuCoin EU is now run by a new management line-up headed by Jing Liu and others.

In January 2026, Bitget appointed Stauber as EU CEO to build its Vienna hub and pursue a MiCA licence with the FMA – effectively replaying the KuCoin script.

KuCoin has pleaded guilty in the U.S. to operating an unlicensed money-transmission business and agreed to pay almost $300 million in penalties, and faces a record C$19.5m AML fine in Canada, plus a permanent market ban in Ontario.

Bitget has been warned by regulators in Australia and Canada for offering unlicensed derivatives products and operating without registration.

EY Law publicly celebrates its role in securing KuCoin’s MiCA licence and positions itself as leading MiCA adviser in Austria, including for other large offshore exchanges.

At the same time, the FMA, AMF and Consob jointly warned that MiCA as implemented allows “opportunistic choices between countries for authorisation” and called for ESMA to directly supervise large CASPs.

Short Narrative

Over the past year, Vienna has quietly become a preferred entry point for large offshore crypto exchanges seeking a MiCA licence – and therefore a passport into the entire EU single market. Austria’s FMA is the gatekeeper; Oliver Stauber and EY Law are among the architects of the key that opens the gate.

In late 2025, KuCoin EU Exchange GmbH – backed by a Seychelles structure and already under heavy fire from U.S. and Canadian authorities – obtained MiCA authorisation in Austria. The FMA’s brief notice simply lists the licence decision; the heavy enforcement baggage is not mentioned. As the local investigative platform Wiener Zocker has documented, Stauber appeared as managing director/CEO of KuCoin’s Austrian entities during the licensing phase, only to disappear from the commercial register once the licence was secured.

Now the same lawyer has surfaced as EU CEO of Bitget, another exchange with a history of regulatory warnings, which is likewise building an EU headquarters in Vienna with MiCA as the prize.

Extended Analysis – MiCA Meets “Rent-a-CEO”

From a compliance standpoint, three issues stand out.

1. Fit-and-Proper as a Temporary Sticker

MiCA requires senior managers of crypto-asset service providers (CASPs) to be “fit and proper” and to effectively direct the business. In practice, Austria appears to allow a front-loaded, personality-based model:

A well-connected local lawyer with a political and regulatory profile (Stauber) is installed as CEO/managing director.

EY Law structures the licence application and publicly celebrates the successful approval.

Once the licence is granted, the “face” of the project steps aside and foreign managers take over operational control.

MiCA does not forbid management changes after authorisation – but if the entire local competence and accountability layer is effectively rented for the licensing window and then removed, the spirit of the regime is undermined. Fit-and-proper degenerates into a one-off box-ticking exercise.

2. High-Risk Clients, Low-Signal Licensing

KuCoin is not a clean, greenfield applicant:

It pleaded guilty in the U.S. to operating an unlicensed money-transmission business and to Bank Secrecy Act violations, agreeing to penalties of nearly $300 million and a two-year exit from the U.S. market.

In Canada, the AML watchdog FINTRAC imposed a record C$19.5m penalty for serious AML failings.

In Ontario, KuCoin is permanently banned from the capital markets.

Bitget, for its part, is on the radar of ASIC and Canadian provincial regulators for offering high-leverage derivatives without proper authorisation.

Granting these players an EU passport via Austria is not per se unlawful – MiCA allows firms with prior issues to be authorised where risk-mitigating measures are deemed sufficient. But in the absence of published, granular reasoning, the FMA’s decisions look less like careful rehabilitation and more like regulatory arbitrage: firms with serious cross-border findings obtain a fresh “regulated” label in a comparatively small market and then passport across the Union.

3. FMA’s Split Personality on MiCA

The most striking contradiction is the FMA’s own messaging. In September 2025, the FMA co-signed a joint position paper with France’s AMF and Italy’s Consob, warning that current MiCA structures are not sufficient for global platforms and advocating direct ESMA supervision to avoid “opportunistic choices between countries for authorisation.” Yet just weeks later, the same authority signed off MiCA licences for KuCoin EU – precisely the kind of global, enforcement-exposed exchange described in the paper – and did so under a governance structure that looks very much like the opportunistic playbook the FMA claimed to fear.

Either the FMA believes it can effectively supervise such structures from Vienna – in which case the alarmist tone of the position paper is puzzling – or it has indeed become a “soft-entry” hub whose licences are intended to be passported under a future ESMA umbrella. In both scenarios, transparency about risk assessment and ongoing supervision is conspicuously missing.

To be clear: there is no public evidence that Stauber himself has violated regulatory obligations. The question FinTelegram raises is different: Has Austria’s MiCA pipeline, built by a small circle of lawyers and advisors, drifted from investor protection toward regulatory cosmetics?

Actionable Insight (for banks, partners, and regulators)

For banks and PSPs: Treat MiCA-licensed CASPs coming out of Austria with a heightened AML and governance risk premium, especially where there is a documented history of foreign enforcement actions. Do not outsource your risk assessment to the FMA stamp alone.

For EU regulators and ESMA: Scrutinise the rent-a-CEO pattern in CASP applications and consider whether licence conditions should explicitly restrict rapid post-authorisation management swaps in high-risk cases.

For policymakers: The FMA/AMF/Consob paper already acknowledges the risk of regulatory shopping. Austria’s KuCoin and Bitget cases are real-world testbeds. MiCA’s credibility will depend on how quickly this gap between theory and practice is closed.

Call for Information

FinTelegram is continuing to investigate Austria’s MiCA licensing pipeline, including the role of local gatekeepers, law firms, and political networks in Vienna.

Were you involved in the KuCoin or Bitget licensing processes in Austria?

Did you work inside FMA-supervised CASPs or assist in their applications?

Do you have internal documents or communications about governance, AML controls, or political lobbying around these licences?

Insiders, compliance officers, and whistleblowers can contact us securely via Whistle42.com. As always, we treat submissions confidentially and in line with our whistleblower protection standards.


Crypto Crime 2025: $158B in Illicit Flows and the Rise of State-Scale “Crypto Rails”

Crypto crime didn’t just “come back” in 2025 — it industrialized. TRM Labs estimates $158 billion in incoming value to illicit entities last year, an all-time high, driven less by retail “darknet mythology” and more by sanctions-linked infrastructure, nation-state activity, scalable fraud, and professional laundering services.

Key Points

$158B in incoming value to illicit entities in 2025 (TRM), while illicit share dipped slightly to ~1.2% of attributed on-chain volume.

TRM’s “liquidity lens”: illicit entities captured ~2.7% of incoming VASP liquidity (a more operational risk metric than % of total chain volume).

Sanctions activity surged and was “overwhelmingly Russia-linked,” including heavy use of the A7A5 ruble-pegged stablecoin (TRM cites >$72B volume).

Hacks: TRM records $2.87B stolen across ~150 hacks; the Bybit breach alone accounted for ~$1.46B of losses.

Scams/fraud: TRM observed ~$35B sent to fraud schemes; stablecoins were 84% of verified fraud inflows.

Laundering is now “settlement infrastructure”: TRM notes >$60B flowing out of illicit wallets into services; Chainalysis highlights Chinese-language laundering networks at scale.

Independent lenses align on “record year” magnitude: Chainalysis estimates illicit addresses received at least $154B in 2025, with sanctions value up 694% YoY.

Short Narrative

For years, the industry sold a comforting story: “crime is down” because the percentage of illicit activity is shrinking. TRM’s 2025 data punctures that complacency. Yes, illicit share slipped from 1.3% to 1.2% — but the absolute value hit record highs because crypto’s usable liquidity and integration exploded. The more important shift is qualitative: 2025 looks less like a scattered ecosystem of cybercriminals and more like a parallel financial layer—where sanctioned economies, professional fraud shops, and laundering brokers treat crypto rails as durable infrastructure.

Extended Analysis

1) Sanctions are no longer “edge cases” — they’re the growth engine

TRM flags sanctions-driven activity as the defining accelerant of 2025, dominated by Russia-linked flows and high-concentration stablecoin usage (A7A5). This is the playbook regulators fear most: purpose-built rails that reduce reliance on USD corridors and traditional correspondent chokepoints.

2) “Theft” is shifting from code to operations

TRM’s numbers show a year shaped by operational compromise (keys, access control, wallet infrastructure) more than “smart contract wizardry.” The Bybit theft sits at the center of gravity; the FBI publicly attributed the ~$1.5B Bybit hack to North Korea (“TraderTraitor”).

3) Fraud became a production line — and stablecoins are the conveyor belt

TRM’s fraud estimate (~$35B) pairs with a critical operational detail: stablecoins = 84% of verified fraud inflows. That tells compliance teams exactly where to look: not at “crypto” in general, but at stablecoin liquidity and on/off-ramp exposure.

4) Laundering is professionalized—and increasingly cross-chain

Reuters/Chainalysis describe fast-growing Chinese-language money-laundering networks and “guarantee platform” escrow models that help match launderers with clients at scale. Meanwhile, Elliptic estimates >$21.8B in illicit/high-risk crypto laundered using cross-chain methods (bridges, DEXs, swap services) — a direct challenge to single-chain monitoring assumptions.

A FinTelegram framing: the 2025 “conversion stack”

If you want to understand crypto crime in 2025, stop asking “Which chain?” and start asking “Where is the conversion?”

Acquisition: scams, hacks, illicit markets

Conversion: stablecoins, OTC brokers, VASPs

Concealment: cross-chain swaps/bridges, peeling patterns, mixers/obfuscation services

Cash-out: fiat rails, payment processors, merchant networks, offshore entities

Actionable Insight

For compliance teams (VASPs, stablecoin issuers, fintechs, banks):

Treat stablecoin flows as Tier-1 risk signals (fraud + sanctions), not as “neutral plumbing.”

Implement liquidity-based monitoring (TRM’s lens): focus on deployable capital into your rails, not just % of chain volume.

Build cross-chain tracing capability and red-flag rules for bridge/DEX routing.

Harden operations: key management, privileged access, withdrawal policy, vendor controls—because “ops compromise” is the new exploit.

Sanctions screening must be continuous and contextual (clusters, counterparties, typologies), not a checkbox at onboarding.

For regulators: If 2025 is the template, enforcement has to move upstream: toward stablecoin governance, VASP liquidity gateways, and repeatable laundering platforms—the chokepoints criminals can’t avoid.

Call for Information

FinTelegram is tracking stablecoin rails, laundering brokers, “guarantee platform” escrow models, and cross-chain cash-out paths used in 2025. If you have insider information (compliance alerts, SAR patterns, blocked merchant lists, wallet clusters, bank-transfer payees, payment processors, or operational security failures), submit it confidentially via Whistle42.com.


Cambodia “Scam Center” Crypto Fraud: Chinese National Sentenced After $36.9M Was Laundered via Bahamas Bank → USDT

A U.S. court has sentenced Chinese national Jingliang Su to 46 months in prison for his role in laundering more than $36.9 million stolen from 174 American victims in a “digital asset investment” scam run from scam centers in Cambodia. The laundering trail, as described by U.S. authorities, ran through U.S. shell structures, a single Bahamas bank account, and a conversion step into Tether (USDT)—a familiar “cash-out rail” in global crypto fraud.

Key Points

Who / outcome: Chinese national Jingliang Su sentenced to 46 months; ordered to pay $26,867,242.44 in restitution.

Charge: Su pleaded guilty (June 2025) to conspiracy to operate an illegal money transmitting business.

Victims / scale: DOJ says 174 U.S. victims were identified; >$36.9M laundered.

Fraud pattern: unsolicited contact via social media / calls / texts / online dating, then fake “crypto trading” websites showing fake profits.

Critical rail: funds routed to Deltec Bank (Bahamas) and converted into USDT, then transferred to a Cambodia-controlled wallet and distributed onward.

Case context: DOJ previously described Axis Digital Limited as the name on the Bahamas account used to aggregate victim funds.

Short Narrative

This is not “just another crypto scam conviction.” It’s a clean example of how today’s transnational fraud stacks work: social engineering at the front end, fake platforms as theater, and a stablecoin conversion step as the operational bridge from the U.S. banking system to offshore scam infrastructure.

According to the DOJ, the conspiracy began with overseas co-conspirators approaching Americans through unsolicited messages and online dating services, building trust, and then pushing victims toward fraudulent digital-asset “investments” on websites designed to resemble legitimate trading platforms. Victims were shown fabricated gains—while their money was being stolen.

The cash-out rail described by prosecutors is the real story: more than $36.9 million was funneled into one account at Deltec Bank in the Bahamas, converted into Tether (USDT), and sent to a digital-asset wallet controlled in Cambodia, from where it was distributed to scam center leadership.

Extended Analysis

1) The “Scam Center” model is industrialized fraud

DOJ explicitly frames this conspiracy as being “carried out from scam centers in Cambodia.” That language matters: it points to organized, repeatable, scalable operations—where “customer acquisition” is manipulation, and “product delivery” is a fake dashboard showing unreal profits.

2) The rail map (as alleged by U.S. authorities)

If you want the anatomy in one chain, the DOJ’s description reads like a compliance flowchart:

Contact & grooming (social/text/dating) → Fake trading site → Victim transfers to controlled accounts → U.S. shell-company / bank layering → Aggregation at Deltec Bank (Bahamas) → Conversion to USDT → Cambodia wallet control → Distribution to scam center leaders.

This is exactly why FinTelegram keeps calling stablecoins a chokepoint: not because USDT “causes” fraud—but because it repeatedly appears at the conversion layer where victims’ fiat becomes portable, liquid, and internationally transferrable at speed.

3) Compliance questions that don’t go away

The DOJ states that co-conspirators “directed” a bank to convert victim funds to USDT and transfer the converted funds onward. That raises blunt compliance questions that the market still refuses to answer out loud:

Banking controls: What red-flagging, enhanced due diligence, or transaction monitoring triggered—or failed to trigger—when tens of millions consolidated into a single offshore account and rapidly converted into stablecoins?

Account purpose & counterparties: Why was a single account allegedly used as a collection point for large volumes of victim proceeds—then routed to digital asset wallets controlled in Cambodia?

MSB licensing reality: Su pleaded guilty to conspiracy to operate an illegal money transmitting business—the exact legal seam where “we just move funds” becomes criminal exposure.

4) The enforcement signal: follow the launderers, not only the scammers

The DOJ emphasizes dismantling infrastructure, seizing crypto, and disrupting laundering networks as a strategy against scam-center operations. It also notes that CCIPS has secured 180+ cybercrime convictions since 2020 and court orders for return of $350M+ in victim funds. That is the correct direction—because scam centers thrive when the conversion layer (shell companies, bank accounts, money-mule networks, stablecoin ramps) remains available and scalable.

Actionable Insight

For banks, EMI/PSPs, and crypto on/off-ramps: treat this DOJ case as a template for detection. Pattern-match on (i) large aggregation into one account, (ii) rapid conversion into stablecoins, (iii) transfers to wallets controlled from high-risk jurisdictions, and (iv) links to shell-company networks that exist primarily to relay funds.

For consumers and victims: unsolicited investment outreach—especially via social media or dating apps—paired with a “trading platform” that only shows profits is a classic fraud setup. DOJ points victims to report digital-asset investment fraud via IC3.

Call for Information

FinTelegram is tracking scam-center payment rails (stablecoin conversion steps, offshore bank accounts, shell-company layers, mule networks, and the service providers enabling them). If you have information about Axis Digital Limited, related accounts, wallets, intermediaries, or scam-center operators targeting Europeans or Americans, contact us via Whistle42.com. Anonymous submissions are welcome.


SoftSwiss Update: RevDuck Network Exposes “Corporate Shell Game” and Affilka-Powered Illegal Casino Infrastructure

A new whistleblower submission to FinTelegram reveals how the RevDuck network—operating Holyluck, Trueluck, and Kokobet under rotating Costa Rican shell companies—uses SoftSwiss’s Affilka platform to systematically target the Netherlands despite KSA sanctions. The case confirms FinTelegram’s January 24 findings that SoftSwiss functions as a central technology and payment hub enabling offshore operators to evade regulators and mask Ultimate Beneficial Owners through dynamic corporate layering. Key Facts Whistleblower claim: RevDuck-operated casinos allegedly rotate Costa Rican “SRL” entities by geo/location, and SoftSwiss tooling enables a “cat-and-mouse” compliance evasion model. KSA enforcement reference: The Dutch regulator (Kansspelautoriteit) issued a penalty payment order (last onder dwangsom) against an operator behind Booms.bet, with a maximum exposure of €840,000. Live footprint match: On Trueluck.com, the footer states rights belong to “SOCIEDAD DE RESPONSABILIDAD LIMITADA” Reg. No. 3-102-903325—the same registration number referenced by KSA for Booms.bet. It’s connected to Sapphire Summit SRL. Geo/redirect behavior observed: Holyluck.com redirected us to Holyluck2.com, which displays Gem Limitada (Costa Rica) as the owner in the footer. RevDuck market targeting signals: RevDuck’s own site includes testimonials describing “TrueLuck Casino” as committed to the Dutch market and “powered by Revduck Partners.” SoftSwiss capability context: “Affilka by SOFTSWISS” markets built-in payment processing features; SoftSwiss also publicly references an MGA B2B authorisation path via Stable Aggregator Limited. The RevDuck Pattern: Shell Game & Geo-Evasion Following FinTelegram’s January 24, 2026, report documenting SoftSwiss’s alleged role as an unlicensed payment hub for illegal casino networks, a detailed whistleblower dossier has confirmed these findings through analysis of the RevDuck affiliate network and its brands Holyluck, Trueluck, and Kokobet. 
The submission describes a textbook “shell game” in which RevDuck rotates Costa Rican front entities to confuse regulators and payment processors. When accessing holyluck.com from a Dutch IP address, users are redirected to the mirror domain holyluck2.com, which displays ownership by Gem Limitada (Costa Rica), while international visitors see Zephyr Holding Sociedad de Responsabilidad Limitada (Costa Rica, registration 3-102-926727). Earlier iterations of the site (e.g. the German version Holyluck.com/de) cited Yakadea Sociedad de Responsabilidad Limitada, illustrating systematic entity rotation. [whistleblower submission]

This corporate layering technique directly mirrors the structure of Booms.bet, which was fined €840,000 by the Dutch gambling regulator KSA in January 2026. KSA identified Booms.bet’s operator as a Costa Rican Sociedad de Responsabilidad Limitada with registration number 3-102-903325—the exact same registration number that appears in Trueluck Casino marketing materials and regulatory disclosures. The name of the company: Sapphire Summit SRL.

SoftSwiss Integration: Affilka as Operational Backbone

Multiple affiliate industry sources confirm that RevDuck operates on the Affilka platform by SoftSwiss, describing it as the program’s core tracking, reporting, and payment infrastructure. Affilka is SoftSwiss’s proprietary affiliate management software, marketed as part of the integrated SoftSwiss ecosystem alongside its casino platform, game aggregator, and payment orchestration layer. In the “About Us” section of Affilka (www.affilka.com), you can read that Affilka used to be a division of SoftSwiss but is now operated as a separate brand with its own domain by Zellero Limited, registered in Cyprus.

Public statements by RevDuck reveal operational control beyond mere affiliation.
In a June 2025 forum post on Affiliate Guard Dog titled “Online Casino Kansspelautoriteit: A System Designed to Fail,” the official RevDuck account writes (screenshot right): “For example, a typical offshore project from RevDuck, which does not have a KSA license, offers…”—linguistically admitting to originating and controlling the illegal casino offers rather than simply promoting third-party brands. RevDuck explicitly promotes its brands as “safer offshore alternatives” to KSA-licensed casinos, criticizing the Dutch regulator’s approach and guiding Dutch players to unlicensed sites. This confirms that SoftSwiss, through Affilka, is providing the technical backbone for an operator that openly targets restricted markets and admits to circumventing local gambling regulation.

Systematic Targeting of the Netherlands

Despite standard compliance disclaimers, the RevDuck network actively engineers its infrastructure for Dutch players:

- Trueluck Casino is marketed on Dutch-language portals such as trueluckcasinonl.com and trueluck-app.com as “the best online casino in the Netherlands,” with full Dutch localization and payment methods including Visa, Mastercard, bank transfer, Revolut, and Bitcoin.
- Dutch review sites explicitly acknowledge that Trueluck “does not have a KSA licence” and operates illegally under Dutch law, yet the brand remains accessible to Dutch players.
- The whistleblower notes that Holyluck uses Dutch URL paths such as /inloggen/ (Dutch for “Log In”) and deploys holyluck2.com as a geo-evasion mirror when Dutch connections hit the main domain, indicating deliberate circumvention of KSA ISP blocking measures.
- Affiliate marketing materials within the RevDuck network explicitly state that Trueluck is “tailored to Dutch preferences” and “committed to providing the Dutch market,” contradicting claims of passive international availability.
The Netherlands Gambling Authority (KSA) has repeatedly imposed €840,000 fines on offshore operators targeting the Dutch market, including Booms.bet (January 2026), with enforcement actions specifically mentioning Costa Rican Sapphire Summit SRL structures as the typical vehicle for these illegal offers.

Payment Hub Consistency

While the whistleblower submission focuses primarily on corporate layering and regulatory evasion, the known pattern from other SoftSwiss clusters suggests RevDuck brands, based on the Affilka platform with its integrated payment processing, integrate the same payment rails documented in FinTelegram’s January 24 report:

- Affiliate sources list CoinsPaid among RevDuck’s payout methods for affiliates, consistent with SoftSwiss’s documented ownership links to the Dream Finance OÜ crypto payment processor.
- Trueluck’s Dutch-facing pages list Visa/Mastercard, bank transfer, Bitcoin, and Revolut as player payment methods, matching the generic SoftSwiss cashier stack (cards, open banking, crypto) identified across Dama N.V., Hollycorn N.V., Stable Tech N.V., and Novatrix SRL casinos.

The uniformity of payment rails across nominally independent operators powered by SoftSwiss—spanning crypto (CoinsPaid/CryptoProcessing), open banking (Contiant/Yapily), instant banking (Perspecteev/ChainValley), and e-wallets (MiFinity, Jeton)—reinforces the hypothesis that SoftSwiss functions as a centralized payment orchestration hub rather than a pure B2B software supplier.

Compliance Assessment

The RevDuck case materially strengthens FinTelegram’s core thesis: SoftSwiss is not a neutral B2B platform provider but a central technology, affiliate, and payment hub enabling offshore networks to structure, market, and monetize illegal casino offers into regulated EU markets.

Key risk indicators:

- Rotating Costa Rican shell entities (Zephyr, Gem, Sapphire, Yakadea) following the same structural pattern as KSA-sanctioned Booms.bet (Costa Rica SRL 3-102-903325).
- Affilka by SoftSwiss confirmed as the operational platform for RevDuck, linking SoftSwiss directly to unlicensed Dutch-facing operations.
- Explicit admission in public forums that RevDuck runs “offshore projects” and promotes “safer offshore alternatives” to KSA-licensed sites, demonstrating active regulatory circumvention rather than passive market participation.
- Systematic geo-evasion and localization for the Netherlands (Dutch language, /inloggen/ URL paths, mirrors such as holyluck2.com, NL-specific affiliate portals).
- Dynamic legal-entity switching based on visitor IP, displaying different Costa Rican companies (Gem vs. Zephyr) to different geographic audiences—a money-laundering technique known as “layering.”

SoftSwiss Network: Key Data

| Entity | Type | Registration / License | Role | Brands / Connections |
|---|---|---|---|---|
| SoftSwiss / Stable Aggregator Ltd | B2B Platform & Aggregator | Malta: MGA/B2B/942/2022 | Technology hub; casino platform, game aggregation, Affilka affiliate system, payment orchestration | Dama, N1 Interactive, Hollycorn, Stable Tech, Novatrix, RevDuck |
| RevDuck (www.revduck.com) | Affiliate Network / Operator | Costa Rica (via rotating SRL entities) | “Offshore projects” operator using Affilka; systematic Dutch market targeting | Holyluck, Trueluck, Kokobet |
| Holyluck (www.holyluck.com, www.holyluckX.com, www.holy-luck.org) | Offshore Online Casino | Costa Rica: Zephyr Holding SRL (3-102-926727) / Gem Limitada, Yakadea SRL, Sapphire Summit SRL; UK: Lyntec Limited (geo-switched) | Unlicensed casino targeting Netherlands; geo-evasion via holyluck2.com | RevDuck network |
| Trueluck (https://thetrueluck.com) | Offshore Online Casino | Costa Rica: Sapphire Summit SRL (3-102-903325); UK: Lyntec Limited | Unlicensed casino; explicit NL marketing; same Costa Rica entity as KSA-fined Booms.bet | RevDuck network |
| Kokobet (www.koko.bet) | Offshore Online Casino | Costa Rica: 3-102-897762 LTDA | Late 2024 launch; RevDuck network brand | RevDuck network |
| Booms.bet | Online Casino | Costa Rica: Sapphire Summit SRL (3-102-903325) | KSA fine: €840,000 (Jan 2026) for illegal NL operations; same reg. as Trueluck | Independent but structural parallel |
| Affilka (www.affilka.com) | Affiliate Platform | SoftSwiss Group; Cyprus: Zellero Limited | Affiliate management, tracking, reporting; powers RevDuck and 100+ casino brands | RevDuck, N1 Partners, and SoftSwiss client base |
| CoinsPaid / CryptoProcessing | Crypto Payment Processors | Estonia: Dream Finance OÜ (Reg. 14783543, FIU licence FVT000166) | Crypto rails for SoftSwiss casinos; co-founded by SoftSwiss founder Ivan Montik | Dama, Hollycorn, Stable Tech, RevDuck affiliates |

Conclusion and Call for Evidence

The RevDuck whistleblower submission confirms that SoftSwiss, via its Affilka platform and broader ecosystem, is structurally embedded in how illegal offshore casinos reach Dutch players—despite rotating Costa Rican shell companies, geo-evasion mirrors, and public admissions of regulatory circumvention. The reuse of Costa Rican Sapphire Summit SRL (registration 3-102-903325) by the KSA-fined Booms.bet, HolyLuck, and Trueluck Casino demonstrates that these structures are not isolated incidents but systematic patterns within the SoftSwiss-powered offshore casino ecosystem.

FinTelegram is preparing an expanded intelligence report on SoftSwiss and its role as a technology, affiliate, and payment hub for illegal casino networks. We are calling on insiders, players, and compliance professionals to share additional information.

We are looking for:

- Current or former employees of SoftSwiss, Stable Aggregator Ltd, RevDuck, Holyluck, Trueluck, Kokobet, Booms.bet, or related entities.
- Payment and compliance professionals who have seen routing patterns, merchant setups, or banking relationships involving SoftSwiss-powered casinos.
- Players who have deposited or withdrawn via CoinsPaid, CryptoProcessing, Contiant, Yapily, Perspecteev, ChainValley, MiFinity, Jeton, or other processors at SoftSwiss-powered casinos.
- Documentation, including contracts, emails, onboarding files, cashier screenshots, merchant names, bank accounts, crypto wallets, or evidence of operations in prohibited jurisdictions.

Submit securely via Whistle42

Go to Whistle42 and select the SoftSwiss / payment hub case as your topic. You can upload documents and remain anonymous if you wish. Verified information will be used to expand our ongoing investigation and inform regulators and law enforcement where appropriate.

“Recovered My Crypto” in the Comments? No — It’s a Recovery Scam (Again).

FinTelegram is currently being hit by a wave of spam comments that read like emotional “testimonies” — and then quietly push a “recovery expert,” an email address, a Telegram number, and a disposable website. This is not help. This is the second scam: refund / recovery fraud targeting victims who are already desperate.

Key Facts

- Recovery scams are classic “advance-fee” fraud: pay first (fees, “taxes,” “verification,” “AML certificate,” “gas,” “unlocking”) → lose more.
- Regulators and agencies repeatedly warn: authorities do not contact you to “recover” crypto, and scammers often impersonate agencies or law firms.
- The FBI has specifically warned about fictitious law firms offering crypto recovery and urges victims to report to IC3.
- The exact “testimonial” pattern we received (“restored faith,” “cutting-edge blockchain tracing,” then contact details) shows up elsewhere online as promo content, not as proof.
- FinTelegram has documented “recovery” operations falsely claiming ties to Europol/EC3 before — same playbook, new brand name.

Short Analysis

The comment we received is a textbook recovery scam: a dramatic victim story, vague “forensic” jargon, and a hard pivot into marketing (“contact them… it made all the difference”). We will not reproduce the phone numbers/emails/domains here because that’s exactly what the scammers want: free distribution through our platform.

Yes, blockchain tracing exists — it’s a real investigative technique used by law enforcement and professional compliance teams. But “tracing” is not the same as “guaranteed recovery,” and legitimate actors do not promise outcomes, pressure victims into fast payments, or operate through random Telegram/WhatsApp numbers and rotating domains.

Reality check: recovery is typically only possible when funds hit a regulated chokepoint (e.g., an exchange that can freeze/return assets) or when law enforcement seizes infrastructure. Anyone selling certainty to victims is selling fiction.
What to do (and what NOT to do)

Do:

- Report immediately to your exchange/wallet provider, file a police report, and report cybercrime (US: IC3).
- Preserve evidence: TX hashes, wallet addresses, chats, emails, screenshots.
- Treat “recovery services” that request upfront crypto payments, remote desktop access, or secrecy as hostile.

Don’t:

- Don’t pay “processing,” “release,” “tax,” “gas,” or “AML verification” fees.
- Don’t install software or grant remote access to “recovery agents.”
- Don’t believe testimonials posted in comments. That’s distribution, not evidence.

Call for Information

Have you been approached by a “fund recovery” service after a scam — especially via comment spam, Telegram/WhatsApp, or “law firm” branding? Send identifiers (domains, wallet addresses, emails, chat logs, invoices, fee requests) via Whistle42.com. Anonymity respected.

KSA’s €4.228M Starscream Fine Exposes the Real Chokepoint: The Payment Facilitators!

The Dutch regulator Kansspelautoriteit (KSA) has imposed a €4,228,000 administrative fine on Starscream Limited for offering illegal online gambling to Dutch players via RantCasino, AllstarzCasino, and SugarCasino. The KSA explicitly frames enforcement as a “third-party” problem too—working with payment service providers, banks, hosting, and big tech—because unlicensed casinos don’t scale without rails.

Key Facts

- Sanction: €4,228,000 fine (published 13 Jan 2026; fine decision dated 16 Dec 2025).
- Operator: Starscream Limited (KSA describes it as Saint Lucia-based).
- Brands named by KSA: rantcasino.com, allstarzcasino.com, sugarcasino.com.
- Payment facilitation evidence: KSA previously documented iDEAL via MiFinity routing into a Dutch bank during its investigation.
- FinTelegram context: Starscream is repeatedly linked in our reporting, including the recent Winning.io / Scatters Group intelligence update.

Read our report on the KSA sanction here.

Compliance Analysis

KSA’s case file makes the enforcement logic blunt: Dutch users could register, deposit, and play, with no effective technical barriers—and the regulator treats that as a serious breach of the Dutch gambling framework. Our post-sanction review aligns with that risk pattern: EU users could still register and deposit; geo-blocking could have been implemented, but wasn’t.

That places a bright compliance spotlight on the “enablers”: payment gateways, e-money/PSP partners, instant-banking stacks, and “crypto-as-bank-transfer” converters. KSA itself signals it will keep squeezing the ecosystem through PSPs, banks, and other intermediaries.

This is exactly why the Starscream/Rant file is a strong candidate for follow-on supervisory action against facilitators—not necessarily only by the KSA, but also via PSP home supervisors and banking/payment networks that can enforce offboarding, monitoring, and scheme-rule compliance.
(If illegal operators outside the EU are hard to collect from, the rails are the practical chokepoint.)

What We Observed in the Rant Cashier: Payment Rails & Red Flags

- Instant banking (EPRO): deposit instructions routed to a Luxembourg IBAN held at Olky Payment Service Provider S.A. (as shown in the cashier during our test). Olky operates as a regulated payment institution in Luxembourg and is passported in EU markets.
- Instant banking (new stack): Rant → SegoPay → Huchpay → Bank. Huchpay markets “open banking” and instant SEPA transfer collection with “0 chargebacks” messaging—exactly the kind of design that can be abused in high-risk merchant flows. We are investigating this stack further for a dedicated report.
- “Fake bank transfer” crypto rail: ChainValley presented as a bank transfer path but operationally functions as a crypto purchase + onward transfer workflow; in our simulation it used Skrill Rapid Transfer as the bank-transfer layer before crypto is delivered to the operator wallet. This pattern has appeared across multiple offshore casinos in recent weeks.
- Other observed methods: cards, crypto, vouchers, and common e-wallets including MiFinity / Jeton / Skrill / Neteller, plus PaysafeCard.

Read our Starscream reports here.

Why Starscream is now a test case for payment‑facilitator enforcement

[Figure: Fake bank deposit via ChainValley and Skrill]

The KSA fine demonstrates that Starscream’s Dutch‑facing operations generated tens of millions of euros in illegal turnover and that regulators are willing to impose multi‑million‑euro sanctions on offshore casino groups.
Yet Rant Casino’s unchanged cashier—featuring SEPA Instant accounts, opaque Segopay/Huchpay open‑banking rails, and crypto‑on‑ramp structures like ChainValley—shows that payment facilitators still treat these merchants as acceptable clients, even after a high‑profile enforcement action.

From a compliance perspective, this case is tailor‑made for secondary enforcement against PSPs, APMs, VASPs, and banks that knowingly or negligently continue to support Starscream brands:

- Banks holding Olky/EPRO collection accounts.
- Open‑banking providers in the Segopay/Huchpay chain.
- Crypto on‑ramps like ChainValley and processors like GammaG.
- E‑wallet schemes such as MiFinity, Skrill, Neteller, and Paysafe.

[Figure: EPRO facilitates Instant SEPA payments for the Starscream casinos]

Regulators could legitimately argue that these intermediaries act as accomplices by providing the financial infrastructure that makes Starscream’s illegal EU gambling operations economically viable.

Snapshot Table: Rant Casino & Facilitating Rails (Observed)

| Item | What we found | Compliance signal |
|---|---|---|
| Casinos | Rant (rantcasino.com), allStarz (allstarzcasino.com) | Named in KSA enforcement. |
| Operator | Starscream Limited | Saint Lucia-based per KSA. |
| Payment Agent | Stardust Global CCS Ltd | Cyprus-based digital marketing company and payment agent. |
| KSA finding | EU access + deposits possible; no effective blocking | Repeated “no barrier” pattern. |
| KSA-documented rail | iDEAL via MiFinity → Dutch bank | Direct evidence of local rails. |
| Rail A (instant banking) | EPRO → Olky (Olky Payment Service Provider S.A.) | EU PSP exposure / offboarding question. |
| Rail B (instant banking) | SegoPay → Huchpay → bank | New gateway chain under investigation. |
| Rail C (“fake transfer”) | ChainValley via Skrill Rapid Transfer → crypto → casino wallet | Chargeback/complaints leverage engineered away. |
| Rail D (e-Wallets & Vouchers) | MiFinity, Jeton, Skrill, Neteller, PaysafeCard | The usual suspects |
| Rail E (pay with crypto) | GammaG (www.gammag.ge) | Unlicensed/unregistered Georgian crypto payment processor GammaG LLC in Tbilisi |

Call for Information

Do you work at—or have documentation about—Starscream/Rant, SegoPay, Huchpay, EPRO, Olky, ChainValley, GammaG, or any acquiring/EMI partners processing these flows? Players with deposit receipts, bank references, payment emails, or cashier screenshots can materially accelerate verification. Submit securely via Whistle42.

Dutch KSA Slams Starscream With €4.23M Fine: Illegal Casinos Aren’t “Grey”—They’re Industrial-Scale Lawbreaking!

The Dutch gambling regulator Kansspelautoriteit (KSA) has imposed a €4,228,000 administrative fine on Starscream Limited for offering illegal online gambling to Dutch players via Rantcasino, AllstarzCasino, and SugarCasino. The case underlines what FinTelegram has been documenting for months: these are not “minor violations,” but systematic breaches—and the payment stack enabling them is part of the risk surface.

Key Facts

- Fine: €4,228,000 against Starscream Limited (St. Lucia).
- Websites named: rantcasino.com, allstarzcasino.com, sugarcasino.com.
- Conduct: Dutch users could register, deposit, and gamble; no effective NL-blocking at the time.
- Aggravating factors (KSA): no visible age verification; autoplay; and “unreasonable” player conditions (e.g., fees/constraints).
- Fine basis: KSA estimated NL turnover (2024) ~€70.48M and applied 6% (4% base + 2% uplift).
- Prior enforcement: earlier order subject to penalty payments—€280,000 per week up to €840,000—and KSA documented payment methods including MiFinity/iDEAL branding and Mastercard routed to a Dutch bank.

Short Analysis

KSA’s action matters because it quantifies the reality: illegal gambling supply targeting the Netherlands can generate tens of millions—and the operator still tries to run without licensing, age controls, and local safeguards. This is exactly why FinTelegram frames offshore casino operations as a financial-crime adjacent ecosystem rather than a “consumer choice” story.

FinTelegram has repeatedly flagged Starscream’s alleged “regulatory evasion” playbook and the role of regulated payment brands in keeping these casinos bankable. Most recently, our Winning.io / Scatters Group intelligence update documented a whistleblower claim tying parts of this network to Starscream-linked control structures—an indicator that “brand rotation + new shells + fresh rails” remains the operating pattern.
Payment Facilitators as De Facto Accomplices

The Starscream case underscores that payment facilitators are not neutral pipes. KSA explicitly stresses its cooperation with payment service providers and banks as a tool against illegal gambling. In practice, casinos like Starscream’s brands and Winning.io depend on:

- Open‑banking gateways such as Contiant, piggybacking on regulated PISPs like Yapily Connect to accept Dutch and other EU bank payments.
- Crypto on‑ramps such as Rillpay or Chainvalley, which disguise gambling deposits as “USDC purchases” or “Instant Banking” before auto‑forwarding funds to casino wallets.
- VASPs and e‑wallets such as Depasify/Depa, MiFinity, Skrill, Neteller, and Paysafe, which aggregate and move funds for unlicensed operators.

Read our reports on Open Banking facilitator Contiant here.

Given KSA’s explicit focus on “third parties such as payment service providers, banks, and big tech companies”, every facilitator that knowingly or negligently processes payments for Starscream‑type operators is exposed to regulatory, civil, and, in some cases, criminal liability. The scale of the Starscream fine and the €70+ million in estimated illegal turnover should put all such intermediaries on notice: continuing to service these networks is no longer a low‑risk compliance bet but a direct exposure to enforcement and reputational damage.

Call for Information

Do you have documentary evidence on Starscream-linked payment rails (PSPs, merchant accounts, IBANs, acquiring banks, iDEAL routing, MiFinity flows, card descriptors), or on the broader Scatters/Wagercraft/Starkeast network and its facilitators? If you work at a PSP, bank, open-banking provider, or casino platform vendor with relevant compliance logs, submit securely via Whistle42.com.

New SoftSwiss Allegations: Evidence of Unlicensed Payment Hub Operations for Illegal Casino Networks!

Recent whistleblower reports and online investigative publications in January 2026 allege that SoftSwiss, through its Malta-licensed entity Stable Aggregator Limited (MGA/B2B/942/2022), operates as an unlicensed payment hub and money laundering facilitator for affiliated casino operators targeting prohibited jurisdictions. The allegations assert that SoftSwiss processes payments from unlicensed merchants and routes funds via cryptocurrency to casinos operating in Tunisia, Egypt, UAE, Qatar, Saudi Arabia, Kuwait, Oman, Jordan, Morocco, Lebanon, and Bahrain—markets where gambling is strictly prohibited or heavily restricted.

Read our SoftSwiss reports here.

FinTelegram’s technical investigation of casino operators Dama N.V., Stable Tech N.V., Hollycorn N.V., and Romanian payment merchant Novatrix SRL reveals nearly identical payment rails across all reviewed brands (Rooli, RollXO, MoonWin, KoruCasino, SpinRise, and others), supporting the hypothesis that SoftSwiss functions as a centralized payment orchestration layer beyond its licensed game-aggregation remit. This report analyzes the evidence, identifies structural compliance violations, and outlines the role of CoinsPaid and CryptoProcessing—crypto processors controlled by the SoftSwiss founder network—in facilitating this infrastructure.

Whistleblower Allegations and January 2026 Reports

Anonymous industry sources provided FinTelegram with detailed allegations that SoftSwiss is processing traffic from unlicensed casino operators and routing funds through cryptocurrency rails into jurisdictions where gambling is illegal. The whistleblower specifically claims that Stable Aggregator Limited, licensed by the Malta Gaming Authority under a Critical Gaming Supply licence (MGA/B2B/942/2022), is violating the terms of that licence by providing payment processing services to entities not on its approved client list and facilitating transactions for blacklisted URLs.
Simultaneously, investigative articles published online in January 2026 characterize SoftSwiss as a “$10 billion crime syndicate” engaged in systematic money laundering, regulatory evasion, identity theft, document forgery, and bonus fraud. Key figures named include Ivan Montik (SoftSwiss founder), Pavel Kashuba, and Maksim “Max” Trafimovich (SoftSwiss Chief Commercial Officer). While the $10 billion revenue figure and “crime syndicate” framing originate from advocacy sources rather than court judgments, the structural elements—beneficial ownership, payment processor integration, and multi-jurisdictional licensing gaps—are corroborated by corporate records and prior regulatory investigations.

SoftSwiss as Payment Hub: Technical Evidence

Uniform Payment Rail Template Across All Reviewed Casinos

FinTelegram conducted live casino reviews of Rooli (Dama N.V.), RollXO (Stable Tech N.V.), MoonWin (Dama N.V.), KoruCasino (Stable Tech N.V.), and SpinRise (Hollycorn N.V.)—operators spanning three distinct corporate entities licensed in Curaçao and Canada (Tobique). Despite nominally separate ownership, all five casinos implement nearly identical cashier interfaces and payment processors:

- Open banking: Contiant (Bulgaria) integrated with Yapily (UK/Lithuania)
- Instant banking: Perspecteev (France) and ChainValley (Poland, rated BLACK “Severe Risk” by RatEx42 for “fake-fiat deposit” schemes)
- Crypto payments: CoinsPaid and CryptoProcessing (Dream Finance Group)
- Card processing and e-wallets: MiFinity, Jeton, Revolut (via open banking), Visa/Mastercard

Screenshot evidence submitted by FinTelegram shows that MoonWin Casino displays the merchant name “Novatrix SRL” during Contiant/Yapily open banking transactions and lists Perspecteev SAS and Yapily Connect UAB as intermediary entities. Novatrix SRL, a Romania-based entity holding a Tobique Gaming Commission licence, is explicitly identified in German-language casino industry sources as a “sister company” to Dama N.V.
and a user of the SoftSwiss platform.

Key Findings from the Payment Rails Analysis

Summarizing Table

| Entity / Brand | Domain / Identifier | Type & Jurisdiction | Role in SoftSwiss Payment Rails |
|---|---|---|---|
| SoftSwiss / Stable Aggregator Ltd | softswiss.com | B2B casino platform & game aggregator, Malta – Stable Aggregator Ltd, MGA/B2B/942/2022 (Critical Gaming Supply) | Core technology hub; provides SoftSwiss platform and game aggregation; orchestrates integration of payment processors (crypto, open banking, instant banking, e‑wallets) for affiliated operators (Dama, Hollycorn, Stable Tech, N1, Novatrix). |
| Dama N.V. | Operator of Rooli, MoonWin and many other brands | Curaçao casino operator, Reg. 152125, licences incl. 8048/JAZ and OGL/2023/174/0082 (Curaçao Gaming Control Board / Antillephone) | SoftSwiss‑powered B2C operator; runs Rooli, MoonWin and dozens of other brands; connects its cashiers to SoftSwiss payment rails, including CoinsPaid/CryptoProcessing, Contiant/Yapily, Perspecteev, ChainValley, MiFinity, Jeton. |
| Stable Tech N.V. | Operator of RollXO, KoruCasino, CoinSlotty | Curaçao casino operator, Reg. 160129, licence OGL/2024/161/0191 (Curaçao Gaming Control Board) | SoftSwiss‑based crypto‑focused operator; integrates identical cashier stack (CoinsPaid/CryptoProcessing, Contiant/Yapily, Perspecteev, ChainValley, MiFinity, Jeton) for its brands. |
| Hollycorn N.V. | Operator of SpinRise and various other brands | Curaçao casino operator, Reg. 144359, licence OGL/2023/176/0095 (Curaçao Gaming Control Board) | SoftSwiss white‑label B2C operator; brands (incl. SpinRise) run on SoftSwiss platform and use the shared cashier template with CoinsPaid, Contiant/Yapily, Perspecteev, ChainValley, MiFinity, Jeton. |
| Novatrix SRL | Merchant for MoonWin & other Tobique brands | Romania‑based merchant and Tobique Gaming Commission licensee (Licence 0000002, New Brunswick, Canada) | Acts as merchant of record and payment facilitator in the MoonWin cashier; receives open‑banking payments via Contiant/Yapily and appears in Revolut payment pages, while the underlying casino runs on SoftSwiss rails. |
| Strukin Ltd | Payment agent | Cyprus-based payment agent and merchant | ACMA warning against Strukin |
| CoinsPaid / Dream Finance Group | coinspaid.com | Crypto payment processor and VASP, Estonia – Dream Finance OÜ Reg. 14783543, FIU licence FVT000166 | Core crypto rail for SoftSwiss casinos; processes crypto deposits/withdrawals for RollXO, SpinRise and many Dama/Hollycorn brands; co‑founded by SoftSwiss founder Ivan Montik and led by CEO Max Krupyshev. |
| CryptoProcessing / Dream Finance Group | cryptoprocessing.com | Crypto payment processor and VASP, Estonia – Dream Finance OÜ Reg. 14783543, FIU licence FVT000166 | Sister brand to CoinsPaid; provides crypto rail for MoonWin, KoruCasino and other SoftSwiss casinos, converting fiat‑style deposits into crypto and routing them to casino wallets. |
| Contiant | contiant.com | Open‑banking gateway / payment initiation, Bulgaria (subject to Bulgarian National Bank oversight) | Central open‑banking rail in the SoftSwiss cashier stack; fronts Yapily’s PSD2 infrastructure and connects casino cashiers to EU/UK banks and Revolut; used by Rooli, RollXO, MoonWin, KoruCasino, SpinRise. |
| Yapily / Yapily Connect UAB | yapily.com | Open‑banking infrastructure provider, Lithuania – Yapily Connect UAB Reg. 305602679, Bank of Lithuania licence (AIS/PIS) | Backend PSD2 API provider powering Contiant; handles account access and payment initiation to banks and fintechs (including Revolut) for casino deposits; central to the SoftSwiss open‑banking rail. |
| Perspecteev SAS Bridge / Bankin | bridgeapi.io, bankin.com | French open‑banking/payment institution, Perspecteev SAS (ACPR‑authorised) | Main instant‑banking rail; provides SEPA instant transfers and open‑banking flows for MoonWin, KoruCasino, RollXO and other SoftSwiss casinos; appears as “Perspecteev” on banking authorisation screens. |
| ChainValley / Chain Valley sp. z o.o. | chainvalley.com, chainvalley.pro | Polish crypto‑payments / instant‑banking hybrid, VASP register RDWW‑765 | High‑risk instant‑banking / crypto‑fiat hybrid rail; implements “fake‑fiat deposit” patterns (bank‑like UX hiding embedded crypto purchase); appears across SoftSwiss casinos. |
| MiFinity | mifinity.com | E‑wallet and payment institution (EU/UK‑regulated) | Core e‑wallet rail in SoftSwiss cashiers; provides wallet deposits/withdrawals to many Dama, Hollycorn and Stable Tech brands (including Rooli, RollXO, MoonWin, KoruCasino, SpinRise). |
| Jeton / Jeton Bank | jeton.com | E‑wallet / stored‑value service, run through FCA‑regulated and other entities | Additional e‑wallet rail; widely offered in SoftSwiss cashiers for deposits and withdrawals, especially for EU/LatAm/Asia players. |
| Revolut (via Contiant / Yapily) | revolut.com | Fintech bank / e‑money institution with multiple EU/UK licences | Appears as bank account provider in open‑banking flows; users authorise Revolut via Yapily/Contiant screens for MoonWin and other casinos, enabling instant pay‑by‑bank deposits into Novatrix/Dama merchant accounts. |
| Offshore Casino Layer | Various casino domains and GEO‑specific mirrors | Unregulated / partially licensed offshore casinos (Curaçao, Tobique, Anjouan) operating cross‑border into EU and restricted markets | Front‑end layer of the SoftSwiss ecosystem; presents a unified cashier UI that routes player deposits through the shared crypto, open‑banking, instant‑banking and e‑wallet rails orchestrated by SoftSwiss and its associated processors. |

Casino Operator Layer

All five reviewed casinos—Rooli, RollXO, MoonWin, KoruCasino, and SpinRise—operate under three distinct corporate entities (Dama N.V., Stable Tech N.V., and Hollycorn N.V.) but share nearly identical payment infrastructure, confirming the use of a centralized SoftSwiss platform.

Platform & Orchestration Layer

SoftSwiss (via its Malta-licensed entity Stable Aggregator Limited, MGA/B2B/942/2022) serves as the B2B platform provider and game aggregator, but the uniformity of payment rails across nominally independent operators indicates it also functions as a payment orchestration hub.

Crypto Payment Layer

Both CoinsPaid and CryptoProcessing are operated by Dream Finance OÜ (Estonia, registration 14783543), which holds an Estonian FIU virtual asset service provider (VASP) licence (FVT000166). These processors appear across all reviewed casinos and are directly affiliated with SoftSwiss founder Ivan Montik, who co-founded CoinsPaid.

Open Banking Layer

Contiant (Bulgaria) acts as the gateway, routing transactions through Yapily Connect UAB (Lithuania, registration 305602679, Bank of Lithuania licence LB002045), which holds PSD2 Payment Institution authorization for Account Information Services (AIS) and Payment Initiation Services (PIS). Yapily explicitly markets to the iGaming sector and has been documented by FinTelegram as facilitating flows to illegal offshore casinos.

Instant Banking Layer

Perspecteev SAS (France, ACPR-authorized Payment Institution) provides instant SEPA transfer services through its Bridge brand and appears as a merchant name on casino deposit screens. ChainValley (Poland, VASP register RDWW-765) has been rated BLACK (Severe Risk) by RatEx42 for “fake-fiat deposit” mechanisms that embed crypto purchases within what appears to be a bank transfer interface, obscuring the true nature of the transaction.

Payment Merchant Layer

Novatrix SRL (Romania, Tobique Gaming Commission licence 0000002) appears as the merchant of record for MoonWin Casino deposits and is described in industry sources as a “sister company” to Dama N.V. and a user of the SoftSwiss platform.

Compliance Implications

The systematic deployment of identical payment rails—spanning crypto (CoinsPaid/CryptoProcessing), open banking (Contiant/Yapily), instant banking (Perspecteev/ChainValley), and card/e-wallet processing—across casinos operated by Dama, Stable Tech, and Hollycorn under Curaçao, Tobique, and Anjouan licences strongly supports the allegation that SoftSwiss functions as a centralized payment hub rather than solely a B2B game aggregator. This architecture enables standardized payment routing that transcends individual casino licensing and creates single points of regulatory exposure at the payment processor level (Estonia for crypto, Lithuania for open banking, France for instant banking, Poland for high-risk hybrid mechanisms), raising material AML/CTF and licensing compliance concerns, particularly in light of the whistleblower allegations regarding processing for unlicensed merchants and prohibited jurisdictions.

Ecosystem: Platform, Aggregator, and Payment Layer

SoftSwiss markets itself as an “ecosystem” comprising casino platform, game aggregator, sportsbook, affiliate system (Affilka), and jackpot tools, with explicit acknowledgment that operators can run casinos on SoftSwiss infrastructure using their own merchant accounts and licences. This architecture allows SoftSwiss to sit adjacent to payment routing even when framing itself as a pure B2B technology provider. Independent industry analyses confirm that SoftSwiss introduced and scaled cryptocurrency payments in online casinos from the early 2010s, positioning the company at the nexus of gaming and payment infrastructure.

German public broadcaster BR and FinTelegram previously documented that SoftSwiss (founded by Ivan Montik) is tightly linked to Direx N.V. (later renamed Dama N.V.), with millions in casino transactions processed via Wirecard before its collapse. An official letter of the Australian regulator, ACMA (screenshot left), confirms the link between Dama/Direx and Montik. The same investigation identified regulatory correspondence naming Montik and Maksim Trafimovich as the principals behind Direx/Dama and noted that N1 Interactive Ltd (MGA-licensed, Malta) transferred millions to Dama N.V. (Curaçao) within the same network. Industry sources state that “most Dama N.V. casinos are powered by SoftSwiss technology,” including game aggregation, payment processing, and security, and that SoftSwiss helped Dama brands introduce crypto payments broadly.

Hollycorn N.V., incorporated in Curaçao in July 2017, operates on a white-label basis using the SoftSwiss platform across all its casino brands, with player forums and industry databases confirming that Hollycorn casinos share game providers, restricted-game patterns, and bonus mechanics with Dama/Direx and N1 Interactive casinos, consistent with a shared platform or white-label framework.

The Role of CoinsPaid and CryptoProcessing

Ownership and Control Links

CoinsPaid and CryptoProcessing are brands operated by Dream Finance OÜ, an Estonian-registered entity with Max Krupyshev as co-founder and CEO. Ivan Montik’s official website biography identifies him as co-founder of CoinsPaid alongside his role as founder of SoftSwiss, and CoinsPaid is listed as an official partner on the N1 Partners affiliate network website. FinTelegram’s prior investigations established that Dream Finance OÜ/CoinsPaid emerged as Wirecard collapsed, serving as a crypto payment processor for the same Montik-centered casino network that includes Dama, N1 Interactive, and Hollycorn. Read our Dream Finance Group reports here.

Allegations of Illegal Casino Facilitation

In April 2025, Frédéric Hubin, former director of CoinsPaid’s Estonian parent Dream Finance OÜ, publicly accused the company of processing payments for “illegal SoftSwiss casinos,” operating with negative equity, and being controlled by Russian beneficial owners Roland Isaev and Paata Gamgoneishvili. Hubin’s LinkedIn post followed his departure from the company and coincided with CoinsPaid’s legal partnership with Payabl in a defamation lawsuit against FinTelegram in Cyprus, raising questions about why a payment service provider under scrutiny in multiple jurisdictions (Belgium, Estonia, Switzerland, Israel, Germany) would align itself with such litigation.

FinTelegram’s April 2025 Rabidi-SoftSwiss Intelligence Report concluded that SoftSwiss operates a “vast money-laundering network” controlled by Russian and Belarusian individuals, with payment processing entities including CoinsPaid and CryptoProcessing found on the payment pages of casinos linked to Rabidi, Dama N.V., Hollycorn, and other operators frequently lacking proper licensing in their target markets. The report identified Cypriot entities—including Tilaros Limited, Tranello Limited, and Mirata Services Limited—acting as payment agents, with Mirata facilitating payments through Binance, raising AML/CTF red flags.

Evidence from Casino Reviews

Screenshot documentation confirms that CoinsPaid appears as a payment option at RollXO (Stable Tech N.V.) and SpinRise (Hollycorn N.V.), while CryptoProcessing is integrated at MoonWin (Dama N.V.) and KoruCasino (Stable Tech N.V.). The consistent presence of these processors across nominally independent operators—Dama, Hollycorn, Stable Tech—alongside identical open banking (Contiant/Yapily) and instant banking (Perspecteev, ChainValley) rails, demonstrates a standardized payment stack that transcends individual casino licensing and points to centralized orchestration by SoftSwiss as the common platform provider.

MGA Licence Compliance and Jurisdictional Violations

Stable Aggregator Limited holds a Malta Gaming Authority (MGA) licence MGA/B2B/942/2022, categorized as a Critical Gaming Supply (B2B) licence, which legally permits the company to provide game aggregation and related technical services to vetted, licensed B2C operators within the MGA’s regulatory framework. The MGA’s official register lists Stable Aggregator’s approved service providers, which include recognized game studios and technical suppliers but do not publicly disclose the full roster of B2C casino operators to whom Stable Aggregator supplies services.

The whistleblower allegations assert that Stable Aggregator is violating its MGA licence terms by providing payment processing solutions to unlicensed casino operators and routing funds via cryptocurrency to entities targeting prohibited jurisdictions (Tunisia, Egypt, UAE, Qatar, Saudi Arabia, Kuwait, Oman, Jordan, Morocco, Lebanon, Bahrain). MGA B2B licences restrict services to a defined list of approved clients and require adherence to AML/CTF obligations, meaning that processing payments for unlicensed or blacklisted domains would constitute a material breach.

Public MGA enforcement records reviewed by FinTelegram do not currently show disciplinary action against Stable Aggregator as of January 2026, but the structural overlap between SoftSwiss’s marketed “ecosystem” (platform + payment integration), the uniform payment rails observed across Dama/Hollycorn/Stable Tech casinos, and the documented ownership links to CoinsPaid/CryptoProcessing provide reasonable grounds for regulatory inquiry.

Compliance Assessment and Risk Indicators

From a compliance perspective, the allegations against SoftSwiss align with recognized money laundering typologies for illegal online gambling:

Custom payment layer construction: Prosecutors in a January 2026 Taipei case identified a $970 million gambling money laundering network that built custom payment platforms to frame illegal gambling deposits as routine consumer payments, weakening risk signals at ingestion.

Multi-jurisdictional licensing arbitrage: SoftSwiss-affiliated operators (Dama, Hollycorn, Stable Tech) hold Curaçao and offshore licences with limited regulatory oversight, while targeting EU and other restricted markets without local authorization.

Crypto-fiat bridge mechanisms: ChainValley (Poland) has been rated BLACK (Severe Risk) by RatEx42 for “fake-fiat deposit” patterns, where a “bank transfer” user experience resolves as an embedded stablecoin purchase routed to prefilled casino wallets, engineering away chargeback leverage and obscuring the true merchant purpose.

Uniform infrastructure across nominally independent operators: The near-identical cashier templates, merchant names (Novatrix SRL, Perspecteev SAS, Yapily Connect UAB), and payment processor lineup (Contiant, Yapily, CoinsPaid, CryptoProcessing) across Rooli, RollXO, MoonWin, KoruCasino, and SpinRise indicate centralized payment orchestration rather than independent operator choice.

Conclusion

The evidence reviewed by FinTelegram—comprising whistleblower reports, live casino payment flow documentation, corporate ownership links, and prior regulatory investigations—supports the allegation that SoftSwiss functions as an unlicensed payment hub for its white-label and affiliated casino operators.
The systematic integration of CoinsPaid and CryptoProcessing, entities co-founded by the SoftSwiss founder network and accused by a former director of facilitating illegal casino payments, reinforces the structural nexus between game aggregation, platform provision, and payment processing within the SoftSwiss ecosystem.

Share Information

FinTelegram is currently preparing an in‑depth intelligence report on SoftSwiss and its alleged role as a central payment hub for offshore casinos. We are looking for additional information and documentation from insiders and affected players.

Who we are looking for

Current or former employees, contractors, or partners of SoftSwiss, Stable Aggregator Ltd, Dream Finance (CoinsPaid / CryptoProcessing), Dama N.V., Hollycorn N.V., Stable Tech N.V., Novatrix SRL, or related entities.
Payment and compliance professionals who have seen routing patterns, merchant setups, or banking relationships involving these groups.
Players who have deposited or withdrawn via CoinsPaid, CryptoProcessing, Contiant, Yapily, Perspecteev, ChainValley, MiFinity, Jeton, or similar rails at casinos such as Rooli, RollXO, MoonWin, KoruCasino, SpinRise, or other SoftSwiss‑powered sites.

What kind of information helps

Internal documents, emails, contracts, onboarding or risk files relating to payment processing for SoftSwiss‑associated casinos.
Screenshots or statements showing merchant names, bank accounts, crypto wallets, or payment flows that differ from the visible casino brand.
Evidence of operations in prohibited or unlicensed jurisdictions, or instructions to bypass AML/KYC and gambling rules.
Any information on ownership/control structures linking SoftSwiss to CoinsPaid, CryptoProcessing, and other payment intermediaries.

Please submit your information via FinTelegram’s whistleblower platform whistle42. You can upload documents and screenshots and, if you wish, remain anonymous.


Polish VASP ChainValley as the “Payee” in Offshore Casino Open-Banking Deposits

FinTelegram’s review of the offshore casino Rooli (rooli.com), operated by Curaçao-based Dama N.V., shows a recurring Open Banking pattern: the player’s bank transfer is made to “Chain Valley” as the recipient. In multiple flows, the deposit confirmation screen identifies Chain Valley as payee while the payer is a retail bank (e.g., Revolut, ING). That is not a neutral technicality—it is a compliance chokepoint.

Key Facts

Illegal casino activities: Rooli is an offshore casino without license or permission to operate in the UK, EU, or in North America.
Observed Rail: Player chooses Open Banking in Rooli cashier → payment initiation screen → “To: Chain Valley” (payee) → funds leave player’s bank (e.g., Revolut/ING) and land at Chain Valley. (Confirmed by screenshots.)
Entity: Chain Valley Sp. z o.o. (Warsaw) operates chainvalley.pro; terms identify KRS 0001036419 and Warsaw address.
Status in Poland: Chain Valley is listed in Poland’s virtual-currency activity register (RDWW-765, entry date 25.05.2023) with services including exchange between “virtual currencies and means of payment” and related intermediation.
Regulatory reality check: Poland’s Ministry of Finance has explicitly warned that virtual-currency activity in this register is not “licensed or supervised” as a financial licence; oversight is primarily AML/CFT compliance control.
Operator context: Rooli states payments are processed via Dama N.V. (Curaçao) and places the legal burden on players to assess legality in their jurisdictions.
Pattern signal: ChainValley previously surfaced in FinTelegram’s Legiano rail investigation (FIAT→USDC “conversion” narrative risk).

Illegal Casino Activities

First, it must be stated plainly: the underlying activity being funded is unlawful in large parts of the market. Rooli—like many Dama-branded casinos—appears to accept players and deposits from multiple EU jurisdictions without holding the required local gambling authorisations.
In our review, registration and funding from EU-based banks worked without meaningful friction, while the cashier dynamically surfaced EU languages and bank options tailored to those jurisdictions. That combination is a strong indicator of active cross-border targeting rather than accidental access.

If the gambling offer is not lawfully authorised where the player is located, then the payment rail is not a neutral utility—it becomes an enabler. Payment facilitators and open-banking intermediaries should therefore treat Dama/Rooli exposure as a high-risk, often non-permissible use case and apply refusal and off-boarding controls accordingly. Yet the operational reality we observe is different: “open banking,” “instant banking,” and crypto on-ramps are increasingly used to route around local licensing, card gambling blocks, and merchant scrutiny—making the regulatory perimeter look optional when it is not.

Short Analysis

The compliance issue is the payee. In the Open Banking flow, the recipient of the transfer is Chain Valley—not the casino, not a licensed EU payment institution branded as merchant acquiring, not an e-money wallet with regulated safeguarding disclosures. That means ChainValley functionally sits as a collection account / payment agent for casino deposits (or as a “merchant of record” via a “crypto purchase” wrapper). Either way, this is a high-risk typology for circumventing gambling blocks: bank statements show “Chain Valley,” not “casino.”

VASP registration ≠ right to run FIAT payment rails. Under PSD2, payment services in the EU must be provided by authorised/registered payment service providers in scope of the directive. ChainValley’s publicly visible positioning is crypto-service (KYC/AML policy; “buy crypto”; APMs including instant bank transfers). If casino deposits are being routed through a VASP-labeled “crypto purchase,” regulators and banks should treat this as regulatory arbitrage: gambling funding disguised as crypto on-ramp activity.

Who should be asking hard questions (now):

Chain Valley: Who is the ultimate beneficiary of these casino-related transfers? Is ChainValley the merchant of record? Are transfers credited as casino deposits or as crypto buys? What is the settlement path to Dama/its PSP stack?
Open Banking enablers: Why is a casino cashier initiating payments where the payee is a crypto VASP? What enhanced due diligence is applied for unlicensed/offshore gambling exposure?
Banks: Why are repeated transfers to “Chain Valley” not treated as potential gambling funding / third-party collection patterns requiring review?

Call for Information

Do you work at ChainValley, an Open Banking provider, a bank risk team, or an offshore casino payment desk—and have documentation on how these “To: Chain Valley” deposits are booked (crypto purchase vs. casino funding), settled, and screened? Send evidence securely via Whistle42.com (screenshots, transaction references, merchant agreements, settlement files, risk rules).


Open Letter: Visa/ Tink/PayOp — The Offshore Casino “Pay-by-Bank” Pattern Is Now a Standard Rail. Who Owns the Risk?

In recent Rail Atlas reviews of the FGS Software Solutions casino cluster (including Monixbet, Rakoo Casino, and VoltSlot), we documented repeatable deposit flows where “Pay by Bank / Open Banking” rails appear to route through PayOp → Tink (Visa subsidiary) → Revolut OBA, with deposits attributed to FairGame G.P. N.V. as the receiving party. This looks less like an anomaly and more like a normalized pattern. Compliance teams should explain—clearly—who screens what, and why this is allowed to run.

Key Points

Our observations indicate a consistent open-banking chain: PayOp checkout → Tink redirect (link.tink.com) → Revolut OBA consent (oba.revolut.com) → payment attributed to FairGame G.P. N.V. (as shown in deposit flows).
“Illegality” is jurisdiction-dependent, but the risk question is not: these are offshore casino brands that appear engineered to serve EU users while keeping the merchant identity at the bank layer ambiguous (often via payment-agent entities).
In PSD2-style flows, banks typically authorize the TPP (Tink), not the downstream merchant. That design makes the TPP’s onboarding and monitoring controls the decisive compliance chokepoint.
We also observed additional “instant bank transfer” rails that may effectively convert deposits into USDC via crypto pathways (e.g., Rillpay → Kryptonim), and a separate “instant banking” corridor linked to Contiant via an opaque gateway domain (paymentproccesing.net), underscoring a broader multi-rail obfuscation pattern.

Read our report on the FairGame Payment Rails here.

Short Narrative

FinTelegram has been mapping payment chokepoints around offshore casinos for months. What we are seeing now is uncomfortable in its simplicity: open banking has become the cleanest deposit rail for merchants that would struggle to sustain card acceptance under normal scheme scrutiny. In the FGS cluster, the “bank transfer” experience presented to players is not a simple bank transfer.
It is a structured consent-and-initiation pipeline: PayOp acts as the front-end payment option; Tink appears as the open-banking layer; and Revolut’s OBA interface is invoked to authorize Tink as the third-party provider. The payment recipient is presented as FairGame G.P. N.V., suggesting a central payment agent structure. This is exactly the kind of stacked accountability that allows risk to “fall between chairs.” This letter is addressed to those chairs.

Open Letter to Compliance (Visa, Tink, PayOp, Revolut OBA, and Partner Banks)

To the Compliance and Financial Crime teams of Visa, Tink, PayOp, Revolut, and partner financial institutions:

We are publishing this as an evidence-led compliance challenge, not as a verdict. We do not ask you to “take our word for it.” We ask you to answer the questions that the industry has been avoiding—because this pattern is no longer exceptional.

What we observed (FGS cluster)

Across multiple offshore casino brands in the same operator family (Monixbet, Rakoo Casino, VoltSlot), we documented deposit journeys where:

The user selects PayOp or a bank-transfer-like option in the casino cashier.
The user is routed to Tink (link.tink.com) with language indicating the payment is processed through Tink.
The user is then redirected to Revolut OBA (oba.revolut.com) to authorize Tink AB.
In at least some flows, the payment is attributed to FairGame G.P. N.V. as the receiving party (payment agent pattern).

We also documented parallel rails (crypto conversions and opaque gateway domains), which suggests an intentional multi-rail resilience strategy.

The core compliance question

How can a Visa-owned open-banking provider (Tink) integrate a PSP (PayOp) in a way that appears to enable offshore casino deposits into EU consumer bank accounts—while the downstream merchant and local-legality context remain blurred?
If your answer is “because we only onboard PayOp,” then the next question is: what exactly do you require PayOp to do, how do you verify it, and what do you do when it fails?

Extended Analysis: Why This Can Run Even if “Everyone Should Know”

1) The bank authorizes the TPP, not the merchant

In open-banking flows, the bank’s interface is focused on authorizing the third-party provider (here: Tink AB) to initiate a payment or access account information. The bank may not see a merchant brand in a way that triggers meaningful risk classification—especially when a payment agent entity sits as the payee.

Result: The bank layer is not where merchant legality gets solved.

2) The onboarding perimeter is often the PSP, not the casino

If Tink’s direct customer is PayOp, then downstream casinos may be treated as sub-merchants. That can create a compliance “handoff”:

Tink screens PayOp.
PayOp screens its merchants.
The casino operates behind a payment agent name.
The bank sees a payment to a corporate payee.

Result: Everyone has a piece of the puzzle; nobody holds the whole picture.

3) “Transaction screening” may not catch “offshore casino”

Sanctions screening and typical transaction monitoring do not reliably flag “casino marketed into NL/BE without local authorization,” especially when: the payee is a corporate payment agent, descriptors are generic, and there’s no sanctions nexus.

Result: The activity can look “normal” to automated systems—until a targeted investigation occurs.

4) Commercial incentives + weak escalation loops

Pay-by-bank is cheaper, has fewer chargeback dynamics, and scales. If policy and controls are ambiguous, volume wins—until a regulator, partner bank, or reputational event forces a change.

Result: The system drifts toward permissiveness.

The Questions You Need to Answer (Publicly, if possible)

A) Merchant-of-record and responsibility

Who is the merchant of record for these transactions—PayOp, FairGame G.P. N.V., or the casino brand?
Who is responsible for ensuring the merchant’s jurisdictional legality (e.g., NL/BE marketing restrictions, licensing requirements)?
Where, precisely, is the “merchant identity” stored in logs (TPP ID, client_id, redirect URL, payee mapping), and who can audit it?

B) Sub-merchant onboarding and oversight

Does Tink require PayOp to provide full KYB/UBO files for sub-merchants in high-risk verticals?
Does Tink independently verify a sample of sub-merchants (enhanced due diligence), or rely entirely on PayOp’s representations?
What are the termination triggers? (e.g., regulator inquiries, adverse media, traffic from restricted geos, repeated complaints)

C) Monitoring and geo/legality controls

What monitoring detects EU retail-banking concentration into offshore casino payment agents?
Are there enforceable geo-controls (blocked countries, residency checks) and are they audited?
How do you treat flows where the payee is a payment agent rather than the branded merchant?

D) Visa group governance (because Tink is in the Visa family)

What group-level standards apply to Visa-owned open-banking rails used in iGaming corridors?
Are high-risk PSP integrations (like PayOp-type iGaming processors) subject to group-level review and periodic reassessment?

Actionable Insight

This is the compliance truth: open banking is now a primary deposit rail for offshore gambling ecosystems. If the industry doesn’t clarify accountability, regulators will clarify it for you—likely through enforcement that redefines what “embedded open banking” can do in high-risk verticals.

If you operate any layer of this stack, you should be able to answer—immediately and in writing:

Who is the merchant of record?
Who screens and approves sub-merchants?
What evidence proves geo/legality controls are enforced?
What monitoring detects payment-agent obfuscation?

Call for Information (Whistle42)

If you work at Visa, Tink, PayOp, Revolut, a partner bank, or within the FGS/“FairGame” payment chain—and you have onboarding policies, sub-merchant agreements, KYB/UBO requirements, risk memos, monitoring rules, escalation tickets, regulator correspondence, or settlement descriptors tied to these flows—submit evidence securely via Whistle42.com. Redact personal data; focus on contracts, process documents, and transaction metadata.


THE WHISTLEBLOWER BLACKOUT: How the Trump Administration Killed Financial Crime Early Warning System at the Worst Possible Time

In the public record, 2025 looks like a collapse in US whistleblower award messaging: the US SEC’s own newsroom tag shows 7 award-related items in 2023, 5 in 2024, and just 1 in 2025; the CFTC’s whistleblower news feed shows only one 2025 award post. It is a systematic dismantling of the most effective financial crime detection mechanism occurring precisely when the financial system has become exponentially more complex, opaque, and vulnerable to abuse.

Key Facts

SEC (public “award news” posts): 2023 (7), 2024 (5), 2025 (1) on the SEC newsroom tag used for whistleblower award items.
SEC (program reality check): In FY2024, the SEC reports $255M+ awarded to 47 whistleblowers and ~24,980 tips received—hardly a “quiet” pipeline.
SEC 2025 award press release: “SEC Awards $6M to Joint Whistleblowers” (Apr 21, 2025).
Leadership change: Paul Atkins was nominated by President Trump (Jan 20, 2025) and sworn in as SEC Chair (Apr 21, 2025).
CFTC 2025 award: CFTC announced a ~$700,000 whistleblower award on May 29, 2025; whistleblower.gov’s news page shows that as the 2025 award item.

A Crisis Hidden in Plain Sight

The Trump administration has quietly done what no Wall Street lobby ever fully achieved: it has gutted the most effective anti-fraud weapon in U.S. securities regulation at the exact moment financial crime has gone fully digital.

Under Gary Gensler, the SEC Whistleblower Program was a monster success: $255 million paid to 47 whistleblowers in FY 2024, the third‑highest annual total ever, contributing to more than $2.2 billion in total awards since 2011. In FY 2025, under Trump and new SEC Chair Paul Atkins, awards collapsed to just $59.7 million—a 77% plunge and the lowest level in years.

So why the chill? Three plausible drivers show up in the 2025 context:

Higher friction / higher denial rates. Multiple legal and compliance observers reported a rise in denied claims and a more conservative posture around eligibility—i.e., awards “slow to trickle” as standards tighten.
Enforcement process + staffing disruption. Reuters described a post-January 2025 pivot toward “traditional” cases and internal process shifts amid staff departures—conditions that can slow complex cyberfinance investigations that typically generate big whistleblower awards years later.
Messaging retreat. Even some whistleblower-focused commentators argue the SEC continued issuing award determinations but stopped “promoting” them the old way—creating the appearance of a shutdown even if the machinery still moves.

The CFTC mirrors the pattern. After a record 12 awards totaling $42 million in FY 2024, it issued only two awards in FY 2025—$700,000 in May and $1.8 million in December. Both agencies are sitting on massive pipelines of tips in markets riddled with crypto and derivatives abuse, and choosing not to pay.

This is not an accident of budget. It is policy.

Paul Atkins: An Anti‑Whistleblower Ideologue

Paul Atkins has opposed the SEC whistleblower concept from the beginning. In 2011 Senate testimony, he attacked the Dodd‑Frank program as creating “perverse incentives” and claimed it would encourage employees to bypass internal compliance. The data later proved him wrong—but now the program is in his hands.

It gets worse.
Atkins is not just philosophically hostile to whistleblowers; he is financially entangled with the very sector most dependent on them:

He reported roughly $6 million in personal crypto holdings before taking the job.
His consulting firm advised and lobbied for FTX, one of history’s largest crypto frauds, before its collapse.
He sat on digital asset advisory bodies and promoted “best practices” for token issuers and platforms.

Under Trump and Atkins, the SEC has dropped or paused nearly 60% of crypto cases, sharply reduced actions against public companies, and brought no new crypto enforcement cases after the administration change. At the same time, whistleblower awards—the primary way insiders are incentivized to expose crypto and DeFi fraud—have been suffocated.

This is not a regulator “rebalancing priorities.” This is regulatory capture in broad daylight.

Cyberfinance Without Whistleblowers: Blindfolding the Watchdogs

The timing could not be more dangerous. Financial crime has moved from branch offices and boiler rooms to blockchains, APIs, and high‑velocity payment rails.

Cross‑chain laundering pushed over $20 billion in illicit crypto through multiple blockchains in 2025, with many cases spanning 5–10 chains.
Stablecoins like USDT are now a favored laundering vehicle—liquid, fast, and pseudo‑anonymous.
Open banking and embedded finance create fragmented, multi‑party payment chains where no single institution sees the full risk picture.
Instant payments carry fraud risk an order of magnitude higher than traditional transfers, leaving almost no time for manual review.
Offshore casinos and high‑risk payment processors layer “fake instant banking” and crypto ramps to disguise flows, as FinTelegram has documented around Winning.io and its processors.

Traditional AML systems were never built for this world.
DeFi protocols, privacy mixers, synthetic identities, nested correspondent banking chains, and white‑label payment cascades cannot be fully decoded from outside. You need insiders: devs, compliance officers, risk managers, PSP staff, and operations people who can explain which wallets belong to whom, how the layering works, and where the beneficial owners are hiding.

Academic work is crystal clear: the SEC Whistleblower Program significantly reduced financial reporting fraud and deterred insider trading once implemented, especially at firms with weak internal controls. SEC officials themselves admit that insider tips and expert analysis are “critical” to detecting complex schemes and that the program only works if whistleblowers can share information freely and expect to be paid when they are right.

In crypto and DeFi, specialists emphasize that exposing fraud is “extremely difficult” without insiders, as schemes are crafted to exploit the very opacity and cross‑chain complexity of the ecosystem. It is “now more important than ever” for crypto whistleblowers to come forward.

Trump’s SEC has effectively told them: don’t bother.

Hypothesis: Deliberate Deactivation of a Critical Safety System

Cyberfinance misconduct is rail-based and multi-layered: open-banking “pay-by-bank” flows, nested PSPs, stablecoin bridges, OTC brokers, DeFi perps, affiliate-driven offshore casinos—systems designed to fragment accountability. Regulators cannot “audit the internet” from their offices. They need human sensors inside the stack: compliance staff, payment ops, risk analysts, growth teams, KYC vendors, chain surveillance contractors. The SEC’s own FY2024 data shows crypto/ICO-related allegations are already a meaningful share of tips—this is not a niche problem.

If 2025 becomes the year regulators stop visibly rewarding insiders, the message to the market is brutal: “Stay quiet.” And the winners are exactly the actors who thrive in opacity.


The FGS Casino Stack — Fake “Instant Bank Transfer” Rail And PayOp With Visa’s Tinker!

FinTelegram’s Rail Atlas review of the FGS Software Solutions casino cluster (Monixbet, Rakoo Casino, VoltSlot) shows a repeatable deposit architecture: (1) “instant bank transfer” flows that appear to convert deposits into USDC via a crypto rail (Rillpay → Kryptonim), (2) an open-banking stack where PayOp routes players into Visa-owned Tink and onward to Revolut’s open-banking interface, and (3) an alternative “instant banking” path using Contiant and a misspelled gateway domain (paymentproccesing.net), plus MiFinity deposits settling to FairGame G.P. N.V. as payment recipient.

Key Facts (Observed + Corroborated)

Same rail pattern across multiple casinos: Monixbet, Rakoo Casino, and VoltSlot present largely identical cashier options (bank + crypto + “instant” variants).
Payment recipient surfaced in flows: Screenshots show deposits directed to FairGame G.P. N.V. (Curaçao) as the receiving party in at least some rails (MiFinity; PayOp/Tink flow wording).
Open-banking rail chain: PayOp → Tink (via link.tink.com) → Revolut OBA (oba.revolut.com) → payment to FairGame G.P. N.V.
Contiant appears in the same ecosystem: A misspelled gateway domain paymentproccesing.net appears in cashier flow, and Similarweb signals show monixbet.com among the referring sites to paywith.contiant.com (small but present).
PayOp iGaming positioning: PayOp markets iGaming payment services and its documentation/terms reference its operating entity.
Tink is a Visa-owned open-banking provider (Visa completed acquisition) and markets payment-initiation/open-banking capabilities, including iGaming use-cases.

Rail Map Snapshot (How the Money Moves)

1) “Instant Bank Transfer” that behaves like a crypto on-ramp

Player selects: “Direct Bank Transfer / Instant Bank Transfer” (casino cashier label)
Observed stack (from our testing notes + cashier UI): Rillpay → Kryptonim → USDC → casino wallet(s)
Why it matters: This is a pattern we see repeatedly in offshore casino environments: a bank-transfer UI that is operationally fulfilled by a crypto purchase (stablecoins), reducing traditional card/acquirer visibility and potentially shifting AML/KYC responsibilities onto the crypto leg.
Kryptonim context: Kryptonim publicly states it holds a VASP licence entry number and references multiple entity registrations.

2) Open Banking rail: PayOp → Tink → Revolut OBA → FairGame G.P. N.V.

Player selects: PayOp in cashier
Observed flow (screenshots): PayOp modal routes user into Tink (link.tink.com) and explicitly states that FairGame G.P. N.V. uses Tink to process the payment. User is then redirected to Revolut’s open banking authorization page (oba.revolut.com) showing “Authorize Tink AB.”
Interpretation: This is consistent with a PIS/AIS-style account-to-account payment initiation flow where Tink acts as the open-banking layer and Revolut’s OBA is the bank-side consent/auth step.
Tink context: Visa completed the acquisition of Tink, and Tink markets open-banking payment initiation (including iGaming-related use cases).
PayOp context: PayOp’s own materials position it in high-risk/iGaming processing, and its terms identify the operator entity.

3) Contiant rail via misspelled gateway domain: Monixbet → paymentproccesing.net → (Contiant / Bank selection / Revolut OBA)

Player selects: “Instant Bank Transfers” (casino cashier label)
Observed indicators: The browser status bar shows requests to paymentproccesing.net (note the double “cc”), suggesting an intermediary deposit page/gateway. Similarweb signals show monixbet.com appears among referrers to paywith.contiant.com (small share), linking this casino into the same Contiant gateway ecosystem we previously mapped. Our prior Contiant work established Contiant as a “technical” pay-by-bank layer in front of regulated open-banking rails, with a notable Benelux footprint.
Contiant context: Contiant’s own merchant documentation identifies the company as a Bulgarian entity and describes AIS/PIS technical services positioning.

4) MiFinity rail: Monixbet → paymentproccesing.net → MiFinity → FairGame G.P. N.V.

Observed (screenshots): A MiFinity-branded deposit page hosted at paymentproccesing.net shows “Deposit to FairGame G.P. N.V.” and the MiFinity support email contact.
MiFinity context: MiFinity states it is dual-licensed (UK FCA + Malta MFSA) and its legal terms identify MiFinity UK Limited as an FCA-authorised EMI (Register Ref. 900090).

Who is the “Payment Agent” here? (FairGame G.P. N.V.)

Our testing indicates that FairGame G.P. N.V. (Curaçao) appears as the named recipient/payment agent in multiple deposit rails (PayOp/Tink flow wording; MiFinity deposit page). That is a key compliance signal: it suggests consolidation of player funds at a central entity that may sit between the casino brand and upstream PSP/open-banking providers.

Verification targets: bank beneficiary details (IBAN/BIC), merchant IDs, PayOp/Tink “client_id” mappings, and settlement statements showing where funds land and under what descriptor.

Why This Matters (Compliance Lens)

Benelux exposure + open-banking chokepoints
Our earlier Contiant traffic intelligence suggested a strong Netherlands/Belgium banking footprint. If these rails are used to fund offshore casinos that appear to be offered into NL/BE without local authorisation, that is a high-sensitivity corridor for regulators and banks.

Open-banking providers can become the “quiet rail” for high-risk merchants
Even where the open-banking layer is regulated (e.g., Tink as a payment institution and MiFinity as an EMI), risk concentrates at the edges: merchant onboarding, MoR identification, and monitoring of downstream brand networks and affiliate funnels.

Gateway opacity is a recurring red-flag pattern
The use of thin, sometimes oddly named domains (e.g., paymentproccesing.net) as cashier gateways complicates consumer recognition, dispute handling, and third-party monitoring. It also raises questions about who controls the payment page and what scripts/vendors are embedded.

Call for Information (Whistle42)

If you have direct evidence about these rails—PayOp/Tink onboarding records, merchant contracts, settlement statements, MoR documentation, bank beneficiary details, gateway operator identity for paymentproccesing.net, or correspondence with compliance teams—please submit it via Whistle42.com. We are specifically looking for: (1) PayOp account/merchant IDs, (2) Tink client_id mappings and service agreements, (3) bank transfer descriptors and beneficiary IBANs, (4) proof of who controls the cashier gateway domains, and (5) any regulator notices, chargeback/dispute logs, or account closures linked to these flows.


Contiant Update: Benelux “Pay-by-Bank” Focus Sharpens the Yapily Casino Stack

In December 2025, FinTelegram flagged Contiant Ltd (Bulgaria) as a “technical” open-banking layer sitting in front of Yapily’s PSD2 rails, enabling pay-by-bank deposits for offshore casino brands apparently offered into restricted markets. New traffic intelligence now points to a strong Benelux banking footprint—and to SkyHills as a dominant feeder into Contiant’s payment gateway.

Key Points

Contiant (www.contiant.com) is positioned as a technical service provider (TSP) that relies on third-party regulated rails (most notably Yapily) to execute payment initiation.
Updated Similarweb signals (Dec 2025) indicate heavy Netherlands concentration for traffic to paywith.contiant.com and outgoing link destinations dominated by Belgian/Dutch banks, plus Revolut’s open-banking touchpoint (oba.revolut.com).
Referral traffic into paywith.contiant.com appears casino-heavy, with SkyHills the largest observed referrer in the new dataset (Dec 2025).
SkyHills discloses it is operated by Igloo Ventures SRL (Costa Rica) (per its “About us”/policy pages).
Contiant markets “Open Banking” payments with typical “card alternative” positioning (e.g., instant payments / no chargebacks), which can be attractive for high-risk merchants.

Risk Signal

The key risk still isn’t a single casino domain. It’s the stack: casino checkout → paywith.contiant.com → Yapily consent/authorization flow (including “Powered by Yapily” UI, per prior observations) → bank approval. This architecture can create plausible distance between the licensed rail provider and the underlying gambling merchant—while regulated rails still settle the transaction. Go to the Contiant Compliance Profile on RatEx42.

What changed with the new data: the gateway’s footprint looks less “generic EU open banking” and more “Benelux-banking-centric.” In the new Similarweb snapshots (Dec 2025), the Netherlands dominates traffic share, and the top outgoing link destinations concentrate around KBC (Belgium) and major Dutch retail banks, with Revolut OBA also among the top destinations. That combination is a meaningful partner-risk and geo-risk escalation trigger: it suggests a repeatable consumer journey tied to specific banking rails rather than a diffuse pan-EU pattern.

Mini Rail Map (Update: Dec 2025, traffic intelligence)

Brand/domains: Contiant — contiant.com, paywith.contiant.com (Observed)
Payment options: Pay-by-Bank / Open Banking (PIS) (Observed)
Named rails: Contiant (TSP layer) → Yapily (licensed PISP rail, per FinTelegram’s prior reporting) → bank authorization flows incl. Revolut OBA touchpoint (Observed/Indicated)
New indicators: Benelux bank destinations + casino-heavy referral profile (Indicated)

What the New Similarweb Signals Imply (and what they don’t)

Benelux concentration is operationally informative. If a payment gateway’s top link destinations are concentrated in Belgium/Netherlands banks (plus Revolut’s OBA domain), it often means the checkout is optimized for those banks’ authorization journeys—suggesting a deliberate “where players bank” targeting logic, not incidental traffic.

SkyHills as a dominant feeder tightens the merchant attribution problem. The new dataset shows SkyHills driving the majority share of observed referral traffic into paywith.contiant.com. SkyHills publicly discloses Igloo Ventures SRL (Costa Rica) as its operator. This does not prove illegal activity by any specific bank or rail provider. But it does sharpen the due-diligence question: what KYB, merchant classification, geo-blocking, and prohibited-use controls exist at the Contiant/Yapily boundary for gambling merchants and their traffic sources?

Group usage claims require documentary confirmation. The broader claim that the same Contiant gateway supports additional offshore casino brands and entities (e.g., Curaçao/Costa Rica-linked operators) is plausible given the recurring gateway pattern and public operator disclosures in the casino ecosystem, but must be evidenced with primary artifacts (checkout screenshots, redirect logs, merchant IDs, T&Cs naming the contracting party, settlement descriptors).

Read our new compliance report on Yapily here.

Call for Information (Whistle42)

Are you at Contiant, Yapily, Revolut, a Benelux bank, a PSP, or a gambling compliance function? We are looking for primary evidence: partner contracts, KYB files, merchant onboarding communications, consent screens (“Powered by Yapily”), redirect host logs, payee/IBAN mapping, and transaction descriptors (PII redacted). Submit securely via Whistle42.com.


Yapily: Compliance Report Highlights Google Partnership and Offshore Casino Exposure

FinTelegram has published an enhanced 28‑page Compliance Report on the open banking infrastructure provider Yapily operated by Yapily Connect Ltd (UK) and Yapily Connect UAB (Lithuania), analysing the company’s high‑profile partnership with Google and its problematic role as open‑banking infrastructure for illegal offshore casinos. The report is now available for professional download and will be updated quarterly.

Yapily Under Intensified Scrutiny

Yapily positions itself as a leading open‑banking payment institution in the UK and EU, licensed in the UK by the FCA and in Lithuania by the Bank of Lithuania. In late 2024 and 2025, the company gained additional visibility through a strategic partnership with Google to power bank account verification services for business customers in Europe, a move widely covered in the fintech and tech press. This cooperation significantly raises Yapily’s public profile and systemic relevance in the European open‑banking ecosystem.

FinTelegram findings: Yapily rails into illegal offshore casinos

FinTelegram’s recent investigations documented that Yapily’s open‑banking rails are routed via the Bulgarian intermediary Contiant into illegal offshore online casinos, turning Yapily into a critical technical layer in unlicensed gambling payment flows. This raises serious questions about Yapily’s customer due diligence, transaction monitoring, and sector‑specific risk controls for iGaming and high‑risk merchants. Read our reports on Yapily here.

These findings are likely to attract increasing attention from UK and EU regulators, especially in the context of tightening expectations around gambling payments and open‑banking risk management.

Scope of the Yapily Compliance Report

The new FinTelegram Compliance Report covers the period January 2025 to January 2026 and provides:

A regulatory profile of Yapily Connect Ltd (FCA‑authorised payment institution) and Yapily Connect UAB (Bank of Lithuania‑licensed payment institution).
A mapping of the ownership and funding structure after Yapily’s venture rounds led by Sapphire Ventures, Lakestar and others.
An assessment of Yapily’s MiCA‑relevance and broader EU regulatory posture, including its Google partnership and exposure to offshore gambling flows via Contiant.

Download the full Yapily Compliance Report here. The report is prepared for compliance officers, EU merchants, regulators, and investigative journalists and is available for download in professional formats (Word/PDF) via the FinTelegram case register (Case ID: YAPILY‑2026‑Q1).

Call for whistleblowers and industry insiders

FinTelegram is actively seeking additional documentation from:

Current and former Yapily employees
Partner banks, PSPs, and open‑banking intermediaries
Merchants and affiliates in the iGaming and high‑risk sectors

Whistleblowers, compliance officers, and affected customers who have internal documents, screenshots, contracts, payment flow descriptions, or other evidence related to Yapily, Contiant, and connected gambling operators are invited to securely reach out to FinTelegram’s whistleblower channels. All information will be handled confidentially in line with journalistic standards and data‑protection requirements.


FinTelegram Intelligence Report: The “Colors & Animals” Payment Laundering Network

A sophisticated money laundering network has been identified that systematically rotates disposable Cypriot payment processing entities to facilitate illegal online casinos targeting Dutch and German consumers. The operation employs a distinctive “Colors & Animals” naming convention for its payment shells, which are cycled through when individual entities face regulatory sanctions. This report validates and expands upon whistleblower intelligence received by FinTelegram, revealing a calculated strategy of entity “phoenixing” designed to evade enforcement actions by the Dutch Kansspelautoriteit (KSA) while maintaining continuous payment rail access through complicit corporate service providers and regulated fintech intermediaries. Network Architecture Analysis The “Colors & Animals” Payment Shell Rotation System The network operates through a deliberate pattern of disposable payment processing entities, each following a consistent naming convention that combines a color with an animal. This systematic approach enables rapid replacement of compromised entities while maintaining operational continuity for underlying casino brands. Documented Payment Agent Evolution (2023–Present): Entity NameStatusJurisdictionProcessing PeriodPayment MethodsRegulatory ActionSarah EternalSanctionedCosta RicaPre-2025Cryptocurrency, traditional€900,000 KSA fine (March 2025)​Red Raven LimitedFlaggedCyprus (HE 432429)Throughout 2023Open Banking/Volt via Yapily Connect UABUnder investigationBrown Bear LimitedActiveCyprus (HE 127392)2024–PresentUnknownNo public actionSilver Swan LimitedActiveCyprus (ΗΕ 445300)2032-PresentOpen Banking/ via Yapily No public actionMoody MooseActiveCyprus2024–PresentUnknownNo public action The rotation pattern demonstrates a responsive adaptation to regulatory pressure. 
When Sarah Eternal received a €900,000 penalty from Dutch authorities for operating Casinosky without proper player exclusion measures, the network seamlessly transferred processing volume to Red Raven Limited (Cyprus), which leveraged Yapily‘s open banking infrastructure throughout 2023. Following Red Raven’s identification, operations shifted to Brown Bear Limited and Moody Moose, both currently active and registered within Cyprus’s corporate ecosystem.​ The Infrastructure Hub: Emidala Business Services & Lokemor Ltd All identified payment shells connect to a single administrative nexus in Cyprus, creating a centralized command structure that facilitates coordinated evasion efforts. Corporate Registry Evidence: Emidala Business Centre Ltd (HE 443388) lists Georgia Katsampa as Director and Lokemor Limited as Secretary​ Lokemor Limited (HE 283397) maintains active status and appears as secretary for multiple entities in the network​ Georgia Katsampa serves as director across numerous Cyprus companies, including Emidala Business Centre Ltd, Nordam Invest Ltd, and Blue Triangle Limited​ Giorgoulla Tsiakkirouappears as liquidator in British Virgin Islands corporate notices, suggesting involvement in cross-jurisdictional entity management​ The Hadjiyianni Building at 34 Makarios III, 3065 Limassol, Cyprus, serves as the physical locus for this network. Red Raven Limited and related entities register at this specific address, which functions as a shared operational base enabling centralized control while maintaining nominal corporate separation.​ So the “admin nexus” thesis is directionally supported: same secretary company, same director, same address, multiple shells. Corporate Shuffling Mechanisms The Deep Dive Tech B.V. Facade The whistleblower report identifies a strategic corporate restructuring designed to obscure beneficial ownership and operator responsibility. 
Previously, brands including Bull Casino, Simple Casino, and Casino Sky maintained visible associations with Hero Gaming. Recent scrubbing of these connections from Hero Gaming‘s corporate website represents a deliberate distancing maneuver. Deep Dive Tech B.V. has emerged as the new ostensible operator, registered in Curacao under license 365/JAZ (registration number 154314). However, this entity utilizes the identical payment laundering route (Emidala → Brown Bear/Moody Moose) as the previous structure, demonstrating operational continuity despite nominal ownership changes.​ Critical Finding: Deep Dive Tech B.V.’s PlayBoom.com brand explicitly names Red Raven Limited and Silver Swan Limited—both registered at the Hadjiyianni Building in Limassol—as “service providers”. This admission directly links the Curacao-licensed operator to the Cypriot payment shell network, confirming the whistleblower’s assertion of a unified laundering infrastructure.​ Hero Gaming Distancing Strategy The removal of Bull Casino, Simple Casino, and Casino Sky from Hero Gaming‘s corporate disclosures follows a predictable pattern in illegal gambling operations. When regulatory scrutiny intensifies, parent entities attempt to sever visible connections to high-risk brands while maintaining underlying commercial relationships through opaque service agreements. This tactic creates plausible deniability while preserving revenue streams. Payment Rail Analysis: The Yapily Connect UAB Facilitation The network’s persistence depends critically on access to legitimate payment infrastructure. Yapily Connect UAB d/b/a Yapily (www.yapily.com), a regulated Lithuanian fintech provider, facilitated transaction traffic for Red Raven Limited throughout 2023 despite clear indicators of high-risk gambling activity targeting prohibited markets.​ The Bank of Lithuania lists Yapily Connect UAB with authorization code LB002045 as a Payment Institution (license valid from 2020-12-23). 
The UK FCA regulated Yapily Connect Ltd as a Payment Institution with the reference number 827001. Yapily’s iGaming Positioning: The company actively markets its open banking solutions to gambling operators, emphasizing “fast, secure bank transfers with strong customer authentication” and claiming its infrastructure “supports AML and KYC frameworks”. However, the continued processing of transactions for Red Raven Limited—an unlicensed operator serving Dutch and German markets—demonstrates either willful blindness or inadequate due diligence.​ In our reviews and payment rails analyses over the past few months, we have already identified Yapily several times as an open banking facilitator for illegal offshore casinos. Read our reports here: Read our Yapily Reports here. Systemic Vulnerability: This case exemplifies a broader pattern where regulated fintechs become inadvertent (or complicit) enablers of illegal gambling. The network’s ability to shift volume from Sarah Eternal to Red Raven to Moody Moose without interruption indicates that payment processors prioritize transaction volume over compliance verification, creating systemic regulatory gaps. Regulatory Evasion: The Phoenixing Strategy The “Colors & Animals” methodology represents a refined version of entity phoenixing, where new corporate vehicles emerge as old ones face enforcement. 
Key characteristics include: Rapid Entity Creation: Cyprus’s light-touch incorporation regime enables swift establishment of replacement shells Shared Infrastructure: Common directors, addresses, and service providers maintain operational continuity while creating nominal separation Jurisdictional Arbitrage: Costa Rica registration for Sarah Eternal, Curacao licensing for Deep Dive Tech B.V., and Cyprus domicile for payment processors exploit regulatory gaps between jurisdictions Fintech Intermediation: Using regulated open banking providers like Yapily adds legitimacy layers that obscure ultimate beneficiary relationships KSA Enforcement Limitations The Dutch regulator’s actions against Sarah Eternal, while substantial, demonstrate enforcement challenges in cross-border gambling cases. The €900,000 fine—exceeding the standard €600,000 base penalty due to aggravating factors like cryptocurrency acceptance and lack of age verification—represents a significant sanction. However, the network’s immediate pivot to alternative payment shells illustrates the limitations of entity-specific enforcement without parallel action against infrastructure providers.​ Aggravating Factors Identified by KSA: No age verification mechanisms, enabling minor access​ Cryptocurrency payment acceptance​ Autoplay functionality​ No geographic blocking for Dutch players​ These violations, while serious, triggered only entity-level sanctions rather than broader payment rail disruption. Risk Assessment and Market Impact Target Market Penetration The network specifically targets Dutch and German consumers, exploiting these markets’ strict gambling regulations and high player value. The Netherlands’ regulated online gambling market, operational since October 2021, has intensified enforcement against illegal operators. 
However, the “Colors & Animals” network’s persistence indicates continued demand for unlicensed platforms, particularly among high-stakes players seeking to circumvent deposit limits and self-exclusion mechanisms.​ Consumer Protection Failures The absence of age verification and responsible gambling measures—highlighted in KSA’s Sarah Eternal investigation—exposes vulnerable consumers to significant harm. The network’s cryptocurrency integration further complicates player protection, as crypto transactions bypass traditional banking safeguards and enable anonymous gambling. Money Laundering Vulnerabilities The rotation of payment shells through a centralized Cypriot hub creates ideal conditions for money laundering. The network’s structure—combining offshore licensing, opaque corporate ownership, and fintech-facilitated bank transfers—mirrors typologies identified in FATF guidance on casino-related money laundering. The use of open banking APIs may enable layering of illicit funds through seemingly legitimate transaction patterns. Recommendations for Investigators Immediate Actions Enhanced Due diligence on Cyprus Corporate Service Providers: Regulatory authorities should scrutinize Emidala Business Services Ltd and Lokemor Limited for potential violations of AML obligations in facilitating payment shell creation for illegal gambling operators. Fintech Supervision Review: Lithuanian regulators should examine Yapily Connect UAB’s merchant onboarding procedures and transaction monitoring systems to assess compliance with PSD2 and AMLD5 requirements regarding high-risk merchants. Cross-Border Information Sharing: Dutch KSA, German GGL, and Cyprus Gaming and Casino Supervision Commission should establish joint investigation protocols targeting payment infrastructure rather than individual operators. 
Long-Term Strategic Responses

- Payment Rail Targeting: Instead of focusing solely on gambling operators, enforcement agencies should target the payment processors and corporate service providers that enable these networks. This includes potential sanctions against entities that repeatedly facilitate illegal gambling transactions.
- Beneficial Ownership Transparency: Cyprus should be urged to implement stricter beneficial ownership disclosure requirements for companies providing services to licensed gambling operators, particularly those serving EU markets.
- Fintech Liability Frameworks: EU regulators should clarify liability frameworks for open banking providers that process transactions for unlicensed gambling operators, potentially including administrative fines for repeated compliance failures.
- Intelligence Sharing Platform: Establish a dedicated EU-wide intelligence sharing mechanism for illegal gambling payment patterns, enabling real-time identification of emerging shell entities before they achieve scale.

Conclusion

The “Colors & Animals” network represents a sophisticated adaptation to intensified EU gambling enforcement. By rotating disposable payment shells through a centralized Cypriot infrastructure hub while maintaining continuous access to regulated fintech payment rails, the operators have created a resilient system that neutralizes entity-specific sanctions. The whistleblower’s intelligence has been substantially validated through corporate registry analysis, regulatory filings, and payment processor documentation.

The network’s continued operation despite the KSA’s €900,000 sanction against Sarah Eternal demonstrates that current enforcement approaches—targeting individual operators rather than infrastructure—are insufficient. Effective disruption requires parallel action against corporate service providers, payment processors, and the jurisdictions that harbor them. The Emidala-Lokemor nexus in Cyprus and Yapily’s facilitation through Lithuania represent critical intervention points where regulatory action could achieve systemic impact rather than temporary disruption.

FinTelegram will continue monitoring this network’s evolution and coordinate with regulatory partners to support enforcement actions targeting the infrastructure enabling illegal cross-border gambling operations.

Share Information via Whistle42

Winning.io and Scatters Group: The Updated Intelligence Report!

Following FinTelegram’s December 2025 exposé on the Winning.io / Scatters Group network, a whistleblower has provided documentary evidence confirming that the economic ownership and control structure traces directly to Starkeast Management B.V., controlled by Menno Jordaan. The whistleblower states: “The owner of these sites (all of them) is now, starkeast service owned by menno jordaan. he is the director of starscream aswell.” Critically, the whistleblower reports that Alexis Wicén and Scatters Group have systematically removed all references to Winning.io from their website following FinTelegram’s original December 2025 report—a classic compliance red flag indicating consciousness of wrongdoing and attempted evidence destruction.

The Cover-Up: Scatters Group Scrubs Winning.io from Public Records

Evidence Preservation by Whistleblower: The anonymous source reports: “After your article alexis wicen and scatters group has removed all information about winning from their site trying to hide this from the people. fortunately i have all these screenshots from when it was still there.”

Documentary Evidence Provided: The whistleblower supplied screenshots showing:

- LinkedIn Post (2023): Scatters Group announcing Winning.io as “our latest crypto #casino and the very first #sportsbook brand” and “the 5th brand of Scatters Group”.
- LinkedIn Company Profile: Scatters Group’s “About Us” page explicitly listing Winning.io alongside Scatters Casino, Sticky Wilds, GoSlot, and BitReels as part of their portfolio.

Current Status (January 2026): As of this intelligence update, references to Winning.io have been removed from Scatters Group’s public-facing materials. This systematic scrubbing occurred after FinTelegram’s December 2025 report linked Scatters Group to the Winning.io operation and the broader “New Gammix” network.
Compliance Analysis: In regulatory enforcement and financial crime investigations, the deliberate deletion of documentary evidence following public exposure is treated as consciousness of guilt and potential obstruction. The fact that Scatters Group—a Malta-based entity claiming to operate legitimately—chose to (try to) erase its association with Winning.io rather than defend the relationship or clarify the corporate structure strongly suggests that:

- The relationship was never a mere “consultancy” as publicly claimed, but involved operational control or beneficial ownership.
- Scatters Group and its principals (Alexis Wicén) are aware that Winning.io’s operations violate EU gambling regulations.
- The removal is intended to create deniability ahead of potential regulatory action.

FinTelegram has preserved all evidence provided by the whistleblower and will make it available to regulators and law enforcement upon request.

The Ownership Trail: Starkeast Management & Menno Jordaan

Whistleblower Statement: “The owner of these sites (all of them) is now, starkeast service owned by menno jordaan. he is the director of starscream aswell.”

Cyprus Registry Confirmation: The Cyprus Companies Registry confirms that Starkeast Management B.V. (Netherlands) is listed as a Director of Wagercraft Services Ltd (Cyprus, HE 455954), the payment agent and operational entity for Winning.io. According to Winning.io’s current Terms & Conditions (updated January 15, 2026), Wagercraft Services Ltd is the operator, and it is described as a wholly owned subsidiary of Wagercraft Limited (St. Lucia).

The Starscream Connection: The whistleblower explicitly confirms that Menno Jordaan is also the director of Starscream Limited, the St. Lucia-based entity operating the former Gammix brands (Scatters Casino, Locowin, Vegadream, GoSlot) under a Kahnawake Gaming Commission license. This confirms the structural unity between Starscream and Wagercraft—they are parallel vehicles controlled by the same individual via Starkeast Management.

The Rabidi Connection: Starkeast Management (in its Curaçao incarnation, Starkeast Management N.V.) was previously identified by the insolvency administrator of Rabidi N.V. as the statutory director of Adonio N.V., the entity to which Rabidi’s 34 casino brands were transferred for €1.2 million—a fraudulent transfer from which Rabidi received no payment. The Rabidi administrator declared this transfer null and void and initiated claims against Starkeast for asset stripping. This pattern—using Starkeast as a corporate “juggler” to move assets between shells while shielding beneficial owners—appears to have been replicated with Winning.io and the broader Starscream/Wagercraft network.

Download our Forensic Report on the Rabidi Insolvency here.

Menno Jordaan as Professional Nominee: FinTelegram’s assessment is that Menno Jordaan, through Starkeast Management B.V. and its Curaçao sister entity, acts as a professional nominee director and trustee for undisclosed beneficial owners, likely based in Cyprus or the Netherlands. The whistleblower’s statement that Jordaan is “the owner” likely refers to his role as the visible controller, though FinTelegram believes he serves as a front for deeper beneficial owners who remain deliberately obscured.

Licensing Confusion & Regulatory Arbitrage

Current License Claim (January 2026): Winning.io’s Terms & Conditions state that the operator is Wagercraft Services Ltd (Cyprus), a wholly owned subsidiary of Wagercraft Limited (St. Lucia). However, the whistleblower’s screenshot and multiple third-party review sites list Winning.io as operating under Dama N.V. (Curaçao) with license number 8048/JAZ2020-13 (Antillephone N.V.).

Analysis: This dual-identity structure—common in high-risk offshore casino networks—allows the operator to:

- Claim Curaçao licensing for “legitimacy” when challenged (as shown in the 2023 tweet).
- Deflect liability to Cyprus (Wagercraft Services) when payment agents are scrutinized.
- Attribute operational control to St. Lucia (Wagercraft Limited) when EU regulators investigate.

The involvement of Starkeast Management B.V. as director of the Cyprus entity adds another layer of obfuscation, making it nearly impossible for players or regulators to identify the true beneficial owners.

Updated Summary Data: Winning.io Network

| Category | Details |
| --- | --- |
| Primary Brand | Winning.io (Casino & Sportsbook) |
| Operator (Current Terms) | Wagercraft Services Ltd; Reg. No: HE 455954 (Cyprus); Registered: January 31, 2024 |
| Parent Entity | Wagercraft Limited (St. Lucia) |
| Director (Cyprus Entity) | Starkeast Management B.V. (Netherlands); Controller: Menno Jordaan (per whistleblower) |
| Secretary (Cyprus Entity) | Xaptic Management Limited (Cyprus) |
| Alleged License (2023-2024) | Dama N.V. (Curaçao); License: 8048/JAZ2020-13 (Antillephone N.V.) |
| Current License Claim | St. Lucia (Wagercraft Limited) |
| Consultancy/Marketing | Scatters Group Ltd (Malta); CEO: Alexis Wicén; Status: Removed all Winning.io references post-December 2025 |
| Related Network | Starscream Limited (St. Lucia, Kahnawake #00952); Director: Starkeast Management B.V. / Menno Jordaan (per whistleblower); Operates: Scatters Casino, Locowin, Vegadream, GoSlot |
| Key Payment Facilitators | Kryptonim sp. z o.o. (Poland VASP) via Rillpay; Contiant Ltd (Bulgaria) via Yapily Connect UAB; Depasify S.L. / Depa (Spain VASP) via Open Way Ltd (UK); MiFinity, Skrill, Neteller, Paysafe |
| Primary Markets (Nov 2025) | France (60%+), Netherlands (30%), USA |
| Compliance Status | Red – Operating without license in target markets; promoting VPN circumvention |
| Evidence Status | Preserved – Screenshots of Scatters Group association and VPN promotion secured by whistleblower |

The Rabidi Parallel: Asset Stripping & Fraudulent Transfers

The identical involvement of Starkeast Management in both the Rabidi N.V. bankruptcy and the Wagercraft/Winning.io structure is not coincidental.

Rabidi Pattern (2024):

- Rabidi N.V. (34 casinos) operates under Curaçao license.
- Assets transferred to Adonio N.V. for €1.2M, no payment received.
- Starkeast Management N.V. acts as director of Adonio.
- Insolvency administrator declares transfer fraudulent; Starkeast faces claims.
- Casinos continue operating anonymously under new domains.

Winning.io / Starscream Pattern (2023-2026):

- Scatters Group (Malta consultancy) announces Winning.io launch (2023).
- Operations assigned to Wagercraft Services Ltd (Cyprus), directed by Starkeast Management B.V.
- License claims oscillate between Dama N.V. (Curaçao, 2023) and Wagercraft Limited (St. Lucia, 2026).
- Casino targets prohibited markets (France, Netherlands) using VPN encouragement and payment obfuscation.
- After FinTelegram exposé (December 2025), Scatters Group scrubs all public references to Winning.io.

Hypothesis: Menno Jordaan and Starkeast Management function as professional asset movers and nominee directors within a larger network controlled by beneficial owners based in Cyprus or the Netherlands (potentially connected to Tilaros Limited, Tranello Limited, and the ButOn Group, all linked to Rabidi). When regulatory or insolvency pressure mounts, assets (domains, player databases, trademarks) are transferred to new shells, with Starkeast providing the corporate “legitimacy” for these transfers. The scrubbing of evidence by Scatters Group follows this exact pattern: distance the visible entities from the toxic brands before enforcement action arrives.

Conclusion

The whistleblower’s intelligence—corroborated by preserved documentary evidence—confirms that Winning.io is controlled by Menno Jordaan via Starkeast Management B.V., the same entity implicated in the fraudulent Rabidi N.V. bankruptcy. The systematic removal of Winning.io references from Scatters Group’s website following FinTelegram’s December 2025 exposé represents a deliberate attempt to obstruct investigators and create plausible deniability for Alexis Wicén and other principals.

The use of transaction-laundering techniques (disguising gambling deposits as “cryptocurrency purchases” via Kryptonim/Rillpay) and documented encouragement of VPN use to bypass geographic blocks demonstrates a deliberate, premeditated strategy to evade national gambling regulations and defraud players.

FinTelegram calls on the Malta Gaming Authority, Dutch KSA, French ANJ, and Cyprus financial regulators to investigate the Scatters Group / Starscream / Wagercraft network and the role of Starkeast Management B.V. in facilitating illegal gambling operations across multiple jurisdictions.

Whistleblower Call to Action

To the insider who provided this intelligence: Thank you. Your evidence is preserved and will be shared with regulators.

Do you have additional information on Menno Jordaan, Starkeast Management, Wagercraft Limited, or the beneficial owners behind the Winning.io / Scatters Group / Starscream network? Are you an insider at Kryptonim, Rillpay, Depasify, Contiant, or Scatters Group with knowledge of the evidence-scrubbing operation? FinTelegram wants to hear from you. We are dedicated to exposing the structures behind high-risk offshore gambling networks and fraudulent asset transfers. You can share information anonymously and securely via our whistleblower platform: Share Information via Whistle42


DDH honours the copyright of news publishers and, with respect for the intellectual property of the editorial offices, displays only a small part of the news or the published article. The information here serves the purpose of providing a quick and targeted overview of current trends and developments. If you are interested in individual topics, please click on a news item. We will then forward you to the publishing house and the corresponding article.