FinTelegram received a whistleblower allegation that Aku (aku.africa) may be issuing falsified “Visa penalty letters” to pressure clients into paying large “penalties.” We cannot currently verify or falsify this claim. What we can do now is document Aku’s public footprint: corporate representations, products, and Nigeria’s regulatory perimeter—then invite insiders to help close the gaps. Key Facts Brand / operator (website claim): “© Akupay Services Limited” and “Aku is a trademark of Aku Fintech Services Ltd (Lagos)” (address shown in Lekki, Lagos). Regulatory footprint: The Central Bank of Nigeria (CBN) lists Akupay Services Limited under Payment Solution Service Provider (PSSP) authorisation. Positioning: Aku markets “payments + simple banking,” including Aku Pay Cards / QR-based acceptance and “turning every phone into a POS.” Founders / executives (open sources): Multiple sources identify Adaeze “Dezzy” Onwumere (Ogakwu) as CEO & co-founder, with Patrick Onwumere referenced as co-founder. Directors / ownership (not independently verified): A third-party Nigeria company-information site lists Patrick Onwumere and Adaeze Mabel Ogakwu as directors (and indicates shareholder data). Treat as a lead, not proof, until confirmed via official CAC filings. Go to the Aku Compliance Profile on RatEx42 Short Analysis Regulatory context: A CBN PSSP authorisation signals a payments-service licence category—not necessarily a “bank” licence in the deposit-taking sense. Where fintechs advertise “digital bank,” the compliance question is which regulated entity actually holds customer funds, who provides settlement accounts, and whether services like “wealth/credit” are delivered directly or via regulated partners. Baseline obligations (Nigeria): A CBN-regulated payments provider is expected to run AML/CFT controls and comply with Nigeria’s AML laws and CBN AML/CFT/CPF rules; it must also treat customer data under Nigeria’s data protection regime and consumer protection expectations. Whistleblower allegation (unverified): The tip alleges Aku “submits falsified Visa penalty letters” lacking a case ID; that Aku’s API requires clients to submit a “source URL”; and that Aku then allegedly references that URL in a ‘penalty letter’ and demands “50k–60k” (currency not specified). We have not seen the underlying documents yet. If genuine, merchants should verify any “scheme penalty” directly with their acquiring bank/card program partner—not via an intermediary letter alone. Penalty Letters Explained In card payments, a “penalty letter” typically refers to a scheme- or acquirer-driven notice that a merchant (or its processing chain) has breached card-network rules—often tied to chargeback ratios, fraud levels, prohibited business models, excessive disputes, or compliance failures. In a legitimate setup, the “penalty” is not a random invoice from the processor: it is usually a pass-through of fees/fines assessed upstream (e.g., by the card scheme via the acquiring bank), backed by a case reference, program name, dates/metrics, and an identifiable acquirer/scheme contact trail—and it is settled via the acquiring relationship, not via ad-hoc pressure tactics. The compliance problem described in the whistleblower tip is that if a processor (or any intermediary) fabricates such letters—especially without a verifiable case ID or upstream documentation—then the “penalty” becomes a pretext to extract money from merchants. That would plausibly amount to misrepresentation and fraud, and (as you note) unjust enrichment, because the funds would not be linked to a genuine scheme/acquirer assessment but instead to an invented enforcement event. Call for Information (Whistle42) Do you have contracts, invoices, “penalty letters,” emails, screenshots of the “source URL” API field, settlement-account details, acquiring partners, or CAC filings connected to Aku / Akupay Services Limited / Aku Fintech Services Ltd? Please submit evidence—securely and, if needed, anonymously—via Whistle42.com. Insiders, affected merchants, and regulators: help us verify or debunk this allegation. Share Information via Whistle42

In its Q3 2025 results communication, Michael Gastauer‘s Black Banx describes itself as a “global digital banking and fintech platform” offering “borderless banking services,” including multi-currency accounts, cross-border payments, and “cryptocurrency-compatible solutions,” allegedly serving clients in 180+ countries and reporting a period-end customer base of ~92 million. Black Banx Q3 2025 Results Announcement Announced Black Banx Q3/2025 numbers The German media report has already questioned the figures presented in the October 2025 press release, with the help of a financial crime expert. Black Banx claims to have generated revenue of $12.7 billion and pre-tax profits of $4.7 billion in the first three quarters of 2025, with just under 92 million customers worldwide. These are indeed incredible figures. But in this report, we are more interested in Black Banx’s self-description in the press release. From a compliance standpoint, this positioning immediately triggers a regulatory-perimeter test: Black Banx describes itself in the Q3 report as a “digital banking and fintech platform.” EU/EEA: If the product set is more than “information and access” and includes regulated activities—e.g., (i) payment services (payment accounts, money remittance, execution of payment transactions), (ii) e-money issuance, or (iii) deposit-taking / banking—then local authorization and conduct obligations generally apply (PSD2 for payment institutions; e-money rules for EMIs; banking/credit-institution rules where deposit-taking is involved).Equally important: consumer-facing growth and scale claims can become a misleading-marketing issue if they are materially inaccurate or omit decisive information (e.g., which regulated entity provides the service in the customer’s jurisdiction). UK: The term “bank” is a sensitive expression. UK corporate-naming and financial-promotion controls typically require regulatory engagement/approval to use “bank” (or to imply regulated status) in a way that could mislead the public. US: Use of “bank” and representations around safeguarding/insurance raise high-risk consumer-protection issues, including misrepresentation of deposit insurance and other deceptive-marketing concerns, even where the exact naming rules vary by state and product structure. Download the Black Banx Q3 Press Release here. Core Compliance Question: A firm can publish marketing language that calls itself a “bank” or “digital banking platform,” but it cannot lawfully conduct regulated banking/payment activity in a jurisdiction without the required authorization, nor can it mislead consumers about regulatory status, licensing scope, or the identity of the service-providing entity. Where a group claims 92 million clients across 180+ countries, the compliance expectation is straightforward: clear, jurisdiction-specific entity disclosure (legal entity + regulator + license type/number + passporting basis), audited/attested financials, and transparent product classification. Absent that, the press-release narrative becomes a material red-flag for counterparties, partners, and consumers. Call for Information (Whistle42) If you are a customer, former employee, banking partner, payment processor, regulator-facing compliance professional, or service provider with documentary evidence on (i) which Black Banx entity contracted with you, (ii) where it is licensed and for what activities, (iii) correspondent/settlement banking relationships, (iv) AML/transaction-monitoring setup, or (v) customer-number/audit substantiation, please submit information securely via Whistle42.com. Share Information via Whistle42

Following German media reporting about investigations into Michael Gastauer and the Black Banx “banking” narrative, FinTelegram conducted a limited, hands-on product review as an EU-based private customer. The result: two “current accounts” (EUR/GBP) were opened with minimal friction, but the onboarding, disclosures, and entity/licensing transparency raise immediate questions under EU, UK, and U.S. financial-services rules. Presumption of innocence applies; this is a compliance interpretation of what the interface and disclosures appear to offer. What We Observed (and documented in screenshots) The Black Banx dashboard for private clients 1) “Current Accounts” created instantly (EUR + GBP).The dashboard shows two “Current Accounts” with Account Number 1999431711 (EUR) and 1999431712 (GBP). The numbers look internal/sequential, not like IBANs or UK sort-code formats. 2) Product menu resembles a regulated banking/PSP stack.Navigation includes: Receive Payments, Send Payments, Currency Conversion, Debit Cards, Statements, Beneficiary List, Trace Payments, plus Savings Accounts and Crypto Wallet. Black Banx biometric identification (didn’t work) 3) Functionality gated behind KYC—and “biometric identification.”Attempting “Receive Payments” triggered a Biometric identification flow (“complete … holding your ID”). The subsequent “Biometric identification” page did not work during your test (13 Jan 2026). 4) Tiering/upsell message tied to funding level.Dashboard notice: upgrading from “Black” to “Gold” if the user adds 100,008.55 USD, promising “better service level and lower rates.” This resembles a paid-tier financial-services proposition. 5) Footer disclosure: entity opacity + “bank” framing.The dashboard footer states that to learn “which Black Banx entity you receive services from” you must contact in-app support, while also stating: “Black Banx Bank S.A. (No. 15770) is authorised by UOCO Finance Authority…” “Deposit products and services are offered by Black Banx Bank S.A.” Black Banx dashboard footer text Regulatory classification: EU, UK, U.S. (high-level perimeter view) 1) EU/EEA: payment services vs e-money vs deposit-taking If the service enables “receive” and “send” payments for customers via maintained accounts, that typically falls inside PSD2 payment services and requires authorisation as a payment institution, e-money institution, or operation as an authorised agent/distributor under strict conditions. PSD2 is the baseline perimeter for account-based payment services. If user funds are stored and used for payments (a “prepaid account” / stored value), regulators will assess whether it constitutes electronic money (e-money) and therefore requires an EMI licence and safeguarding rules. If it is truly “deposit products and services” (repayable funds from the public as a banking product), that moves into credit-institution/banking territory—an activity EU law reserves to authorised institutions; Member States must prohibit non-banks from taking deposits/repayable funds from the public. Key compliance takeaway (EU): A consumer-facing interface offering “current accounts,” “receive payments,” “debit cards,” and “savings” is very likely to be regulated somewhere—and if EU residents can onboard, the provider must be able to explain exactly which licensed entity serves that resident, under what passport/permission, and under what safeguarding/deposit-protection regime. 2) UK: PSRs/EMRs perimeter (similar test, different supervisor) In the UK, account-based payment services generally fall under the Payment Services Regulations 2017, while stored-value issuance/payment accounts can fall under the Electronic Money Regulations 2011. The FCA’s materials summarise e-money as stored monetary value issued on receipt of funds for payment transactions. Key compliance takeaway (UK): If UK residents are served, the operator typically needs an FCA authorisation/registration path (or an exempt/limited model that still has strict boundaries). “Bank-like” branding does not remove that perimeter. 3) United States: money transmission and “bank” boundaries In the U.S., money transmission is heavily regulated: a business that transfers funds can qualify as a money transmitter/MSB under FinCEN rules (plus separate state-by-state licensing). If a platform markets “deposit” or “bank account” style products, additional banking/consumer-protection issues arise (chartering, permissible activities, potential misrepresentation concerns), even where funds are actually held at partner banks. Key compliance takeaway (U.S.): “Accounts” + “receive/send payments” tends to trigger MSB/state MTL analysis; “deposits” and “bank” language raises a second, higher-stakes perimeter. Compliance red flags from the screenshots and footer text Unclear contracting entity at point of sale.Requiring users to contact support to learn the serving legal entity is at odds with standard consumer-facing disclosure expectations for regulated PSP/EMI models. “Deposit products” language without clear jurisdictional framing.The footer asserts deposits are offered by “Black Banx Bank S.A.” but does not present a clear, verifiable home supervisor, scope of permission, or customer eligibility boundary in the onboarding journey itself. No visible geo-blocking despite “not a solicitation outside licensed territories.”The disclaimer says it is not soliciting outside licensed territories, yet EU residents could open accounts in practice (per your test). This mismatch is a classic trigger for supervisory interest. Operational risk signals.A broken biometric/KYC workflow at the moment a user tries to enable “Receive Payments” suggests weak control maturity—relevant for AML/CTF and consumer-harm risk even before legality questions. Product labeling implies regulated activities.“Current Accounts,” “Savings Accounts,” “Debit Cards,” “Trace Payments,” and “Beneficiary List” are not typical for an unregulated “software-only” service. They read like regulated financial services. Actionable insight for counterparties, partners, and users If you are a payment partner, bank, card program manager, correspondent, crypto on/off-ramp, affiliate, or introducer, basic due diligence should demand: The exact legal entity serving each jurisdiction (EU/EEA, UK, U.S.) The licence/registration number, supervisor, and scope (PSP/EMI/bank/MSB/state MTL) Safeguarding / client money arrangements (or deposit-protection framework, if truly “deposit products”) The identity of any partner bank(s) providing local account details (IBAN, sort code, ABA/routing) The full KYC/AML program and reliance model for biometric ID checks Call for Information (Whistle42) FinTelegram is collecting documentation on Black Banx/WB21-related services, onboarding, and the identity of the regulated entities (if any) actually providing accounts and payment rails to EU/UK/U.S. residents. If you are a customer, employee/contractor, banking partner, card issuer/program manager, PSP/EMI, crypto liquidity partner, or regulatory insider with verifiable information (contracts, licence correspondence, bank-account rails, safeguarding setup, term sheets, or internal policies), please submit it securely via Whistle42.com. Share Information via Whistle42

U.S. crypto payment processor MoonPay has announced a “Stablecoin Stack” built around Iron-powered virtual accounts and stablecoin orchestration—promising that what used to take multiple banks and PSPs can now be implemented via one integration. In the context of FinTelegram’s Rail Atlas (where MoonPay repeatedly appears as an embedded on-ramp in offshore “no-KYC” casinos), this move could materially reshape deposit rails by making bank-to-stablecoin funding (ACH/SEPA/Faster Payments) simpler to embed—and harder to detect when merchant controls fail. Key Facts MoonPay markets Virtual Accounts (powered by Iron) that allow partners to issue named USD/EUR/GBP accounts and “convert to stablecoins,” while MoonPay handles payments, compliance and fraud. These virtual accounts can be topped up via ACH, SEPA, and Faster Payments. Iron describes APIs for Virtual Accounts (auto-settle incoming fiat into stablecoins), On/Off-ramp, and Payments (send stablecoins into third-party bank accounts “as a fiat transfer”). MoonPay also launched an enterprise stablecoin business, integrating with M0 for issuance/management of “fully reserved digital dollars,” framing MoonPay as covering “issuance, ramps, swaps, and payments.” Media coverage of the “Stablecoin Stack” emphasizes single-integration banking access + on-chain settlement as the value proposition. Read our MoonPay reports here. Short Analysis What changes for casino rails: In Rail Atlas terms, casinos currently rely heavily on the “Buy Crypto” pattern—an indirect FIAT deposit rail that routes players to an on-ramp (MoonPay, or Changelly→Banxa) before funds land as crypto. MoonPay’s stack adds a more bank-native option: named virtual accounts that accept ACH/SEPA/Faster Payments and can be converted into stablecoins “in minutes,” all behind a single API. If a high-risk merchant is onboarded (or misclassified) into this infrastructure, the “Buy Crypto” flow can evolve into “Buy Stablecoins / Pay-by-Bank”—reducing card friction and potentially increasing conversion rates, especially in Europe where SEPA-based funding is culturally normal. Does it make life easier for illegal operators? Technically, yes: fewer integrations, more payment options, and faster stablecoin settlement can lower implementation costs for any merchant. Compliance-wise, it shouldn’t—if MoonPay/Iron enforce robust KYB, gambling-merchant controls, geo-blocking, and ongoing monitoring. But Rail Atlas experience shows that offshore operators often seek weak links: affiliates, intermediaries, shell merchants-of-record, or jurisdictional mismatches. The more powerful the “stablecoin rails,” the higher the systemic impact of any KYB failure. Regulatory & Supervision Impact Direct connections to ACH/SEPA/Faster Payments move the chokepoint closer to the regulated banking perimeter—potentially improving traceability and SAR/STR pathways. At the same time, the “Payments” capability Iron describes—stablecoins paid out into bank accounts “as a fiat transfer”—raises classic laundering and merchant-obfuscation questions for supervisors: who is the true merchant, what is the underlying activity (gambling), and are descriptors, MCC-equivalents, and beneficiary controls accurate? Call for Information Have you seen MoonPay virtual accounts, “pay-by-bank” stablecoin funding, or new stablecoin checkout flows embedded in offshore casinos/sportsbooks (especially in the EU/UK)? Send screenshots, descriptors, merchant names, and routing domains (redacting sensitive data) via Whistle42.com—we’re mapping the next generation of “stablecoin rails” in the Rail Atlas. Share Information via Whistle42

FinTelegram’s financial crime analysis team identified Igloo Ventures SRL (Costa Rica, Company 3-102-88002) as the parent company and ultimate beneficial owner controlling a network of 45+ cryptocurrency casino brands operating across multiple jurisdictions. Igloo Ventures seems to control MIBS N.V. (Curaçao), Atlantis Interactive SRL (Costa Rica), and Deep Sea Tech Ventures SRL (Costa Rica). The Four-Entity Structure: Regulatory Arbitrage in Action TIER 1: Parent Company (Beneficial Owner) Igloo Ventures SRL Jurisdiction: Costa Rica Company Registration: 3-102-88002 (registered 2024) Gaming License: Anjouan Gaming License ALSI-142311005-FI2 Corporate Aliases: Also operates as EOD Code SRL and Simba N.V. Operational Scope: 45+ casino brands across all jurisdictions Known Brands: BetBlast, PuppyBet, Blockbet, Golden Panda, LuckyPays, Ghostino, FoxyGold, CryptoCasino.com, MegaDice, WSM Casino, TG.Casino, Instant Casino, Kripty Casino, SlotMonster, Crashino, and 30+ additional casinos Estimated Annual Revenue: $4-8 billion (based on 5-10% market share of $81.4 billion crypto gambling market) Key Strategy: Igloo Ventures operates under three corporate identities (Igloo Ventures SRL, EOD Code SRL, Simba N.V.) while consolidating all brands under a single Anjouan gaming license—dramatically reducing regulatory oversight compared to obtaining 45 separate licenses. TIER 2: Platform Infrastructure Provider MIBS N.V. Jurisdiction: Curaçao Company Registration: 162031 Gaming License: Curaçao Gaming Authority OGL/2024/1718/0938 (issued October 4, 2024) Operational Role: Provides technical platform infrastructure, backend systems, and regulatory legitimacy through Curaçao licensing Relationship: Subsidiary or white label platform provider operating on behalf of parent Igloo Ventures Known Brands Operated: MegaDice, TG.Casino, CoinKings, Telbet TIER 3: Legacy Operator Atlantis Interactive SRL Jurisdiction: Costa Rica Historical Role: Original operator identity for multiple brands (2020-2024) Current Status: Retained as operational sub-entity or brand alias under Igloo Ventures parent control Known Brands: MegaDice, CryptoCasino.com, WSM Casino, Instant Casino, Kripty Casino, SlotMonster, Crashino TIER 4: Current Brand Operator Deep Sea Tech Ventures SRL Jurisdiction: Costa Rica Company Registration: 3-102-93629 Current Role: Listed as legal operator in current CryptoCasino.com Terms & Conditions Relationship: Sub-entity operating under Igloo Ventures parent umbrella Operator Identity Discrepancies CryptoCasino.com exemplifies the operator identity rotation within this economic group: November 2024: Listed as operated by Atlantis Interactive SRL (Costa Rica) December 2025: Listed as operated by MIBS N.V. (Curaçao) January 2026: Terms & Conditions identify Deep Sea Tech Ventures SRL (Costa Rica) as legal operator While the operator name changes, the technical platform, payment infrastructure, game providers, bonus structures, and user interface remain completely unchanged—indicating unified backend control rather than genuine arm’s-length corporate separation. The Operator Identity Discrepancy: Intentional Misdirection Previous analysis identified CryptoCasino.com’s operator rotating through multiple entities: November 2024: Atlantis Interactive SRL December 2025: MIBS N.V. January 2026: Deep Sea Tech Ventures SRL This rotation is deliberate deception. The actual operator remained constant throughout: Igloo Ventures SRL (operating under its aliases EOD Code SRL and Simba N.V.). The subsidiary name changes create false perception of corporate separation while unified parent control never changed. Why Rotate Operator Names? Fragment regulatory oversight: Different entities listed in different jurisdictions complicate enforcement Create apparent independence: Multiple names suggest multiple owners rather than single parent Obscure beneficial ownership: Payment processors and regulators track subsidiary names (MIBS, Atlantis, Deep Sea Tech) without connecting to Igloo Ventures parent Facilitate regulatory arbitrage: Costa Rica entities (no gaming licenses) operate platforms while Curaçao entity (MIBS) provides licensing legitimacy Multi-Layer Payment Architecture: Igloo Ventures’ Hidden Role The Four-Tier Payment Flow: Customer Interface (Tier 1): Players see “Buy Crypto” button branded as Changelly Direct cryptocurrency deposit to casino wallet addresses Aggregator Layer (Tier 2): Changelly presents fiat payment interface Creates false impression that Changelly is the processor Actually coordinates backend processor routing Actual Processors (Tier 3, Hidden from Players): Banxa (Australia-regulated) processes credit/debit card transactions MoonPay (UK-regulated) processes credit/debit cards and Google Pay Both conduct customer KYC but may not fully assess casino beneficial ownership Casino Fund Receipt (Tier 4): Cryptocurrency remitted to Igloo Ventures-controlled wallet addresses Wallets may be presented as belonging to MIBS N.V., Atlantis Interactive, EOD Code, or Deep Sea Tech Ventures depending on current brand alias Ultimate recipient: Igloo Ventures SRL parent company Anjouan Gaming License: Regulatory Shell with Zero Oversight Igloo Ventures SRL consolidates all 45+ casino brands under Anjouan Gaming License ALSI-142311005-FI2, issued by the Anjouan government (semi-autonomous region of Comoros). Why Anjouan Instead of Curaçao, Malta, or the UK? Regulatory Arbitrage Strategy: By consolidating 45+ brands under single Anjouan license rather than obtaining separate licenses for each brand, Igloo Ventures: Reduces regulatory scrutiny (1 license inspection vs. 45 separate inspections) Minimizes licensing costs (single $10K-30K fee vs. 45 separate fees) Creates jurisdictional confusion (which entity is “licensed”? Igloo Ventures? EOD Code? Simba? All use same license) Avoids meaningful oversight (Anjouan has minimal enforcement capability compared to Curaçao or Malta) Operates globally with impunity (Anjouan license allows serving players worldwide with zero geographic restrictions) JurisdictionAnnual License CostAML EnforcementConsumer ProtectionInternational RecognitionAnjouan (Igloo Ventures)$10K-30KMinimalNoneZeroCuraçao (MIBS N.V.)~$50KModerateLimitedNot recognized by EU/UK/USMalta (MGA)$500K+StrictComprehensiveEU-wide recognitionUK (UKGC)VariableVery StrictVery ComprehensiveUK only Licensing Crisis: Operating Without Valid Authorization in Major Markets Igloo Ventures Network Group Status: JurisdictionIgloo Ventures SRLMIBS N.V.Atlantis InteractiveDeep Sea Tech VenturesNetwork StatusAnjouan (Comoros)✓ Licensed~ Covered~ Covered~ CoveredLicensed (not recognized)Curaçao✗ No license✓ Licensed✗ No license✗ No licensePartial (MIBS only)Costa Rica✗ No license✗ No license✗ No license✗ No licenseUNLICENSEDEU Member States✗ Not recognized✗ Not recognized✗ No license✗ No licenseUNLICENSEDUnited Kingdom✗ No UKGC✗ No UKGC✗ No UKGC✗ No UKGCUNLICENSEDUnited States✗ No state license✗ No state license✗ No license✗ No licenseUNLICENSED Critical Finding: The Igloo Ventures network is NOT authorized to legally operate in EU, UK, or US jurisdictions, despite actively serving players from these regions. Operating without proper licensing is a criminal offense in these jurisdictions. Consumer Protection Deficits Players using Igloo Ventures network casinos forfeit mandatory consumer protections: ProtectionUK (UKGC)Malta (MGA)Anjouan (Igloo Ventures)Costa Rica (Subsidiaries)Pre-Deposit KYC✓ Mandatory✓ Mandatory✗ None✗ NoneSelf-Exclusion Integration✓ GamStop✓ Required✗ None✗ NoneDeposit Limits✓ Mandatory✓ Mandatory✗ None✗ NoneReality Checks (30 min)✓ Mandatory✓ Mandatory✗ None✗ NoneIndependent Dispute Resolution✓ IBAS✓ PAD✗ None✗ NoneSegregated Client Funds✓ Mandatory✓ Mandatory✗ None✗ NoneSolvency Monitoring✓ Regulatory✓ Regulatory✗ None✗ NoneDeposit Insurance✓ FSCS (£85K)✓ Limited✗ None✗ None Risk to Players: Funds deposited in Igloo Ventures network casinos have zero deposit protection. In event of operator insolvency, bankruptcy, or fraud, players have no recourse and no regulatory authority with enforcement power. DOWNLOAD COMPLIANCE REPORT The full report is available in PDF format and is suitable for distribution to: Gaming regulators and authorities Financial crime compliance officers Law enforcement agencies Payment processor risk teams Media organizations investigating crypto casino operations Call for Information This compliance investigation represents a snapshot of the current state of CryptoCasino.com, MegaDice, and the broader economic group as of January 13, 2026. However, these operations evolve rapidly—entities restructure, payment processors change, licensing status shifts, and new developments emerge constantly. FinTelegram is requesting information from players, insiders, and industry participants to keep this compliance report current and accurate. Share Information via Whistle42

FinTelegram reviewed CryptoCasino.com and CoinKings.io, two “no-KYC” crypto casinos that appear operationally identical to MegaDice—including the same fiat-to-crypto deposit pattern via Changelly → Banxa and MoonPay. While casino aggregators often attribute these brands to MIBS N.V. (Curaçao), disclosures on the casinos’ own web properties point to Costa Rica entities (Deep Sea Tech Ventures / Atlantis Interactive SRL)—suggesting a layered operator structure or shared beneficial control behind a standardized payment-rail template. Key Facts On-site behavior: Registration and access appear frictionless (email + username), consistent with “no-KYC” marketing in this casino cluster (FinTelegram testing, Jan 2026). Direct crypto deposits: CoinKings shows a deposit modal with multiple assets (BTC, ETH, USDT, USDC, etc.) and a WalletConnect path. Indirect FIAT deposit (“Buy Crypto” rail): Users are pushed through a Changelly-branded flow: accept Changelly terms → enter (pre-filled) receiving wallet address → redirect to either: changellywidget.banxa.com (card/Google Pay) for smaller tickets; or buy.moonpay.com (MoonPay checkout + KYC) for higher tickets. Banxa widget evidence: The Changelly-Banxa page offers Visa/Mastercard and Google Pay options (example shown: $120). Conflicting operator signals: Aggregators claim MIBS N.V. / Curaçao Gaming Authority license OGL/2024/1718/0938 for these brands. MegaDice itself publicly discloses operation by MIBS N.V. and the same Curaçao license number. But CoinKings and CryptoCasino pages state operation by Deep Sea Tech Ventures (Costa Rica) with company number 3-102-93629, while other CoinKings and CryptoCasino pages display Atlantis Interactive SRL (Costa Rica)—a notable inconsistency that warrants escalation. CryptoCasino pages in multiple languages state operation by Deep Sea Tech Ventures (Costa Rica). Payment Rail Map Mini User → Casino Cashier → On-ramp → Crypto delivery → Casino wallet credit Direct Crypto Deposit Rail (No-KYC funding) — CONFIRMED (UI evidence) User selects BTC/ETH/USDT/USDC etc. → deposits from external wallet / WalletConnect → casino credits account. Primary risk: anonymous funding into a gambling environment; source-of-funds opacity; rapid layering. “Buy Crypto” Rail (Indirect FIAT Deposit) — CONFIRMED (redirect evidence) Casino “Buy Crypto” overlay → Changelly terms acceptance → wallet address entry → routed to a provider. Provider routing (ticket-size dependent) — INDICATED (pattern observed across tests) Smaller tickets → Changelly → Banxa widget (changellywidget.banxa.com) with card/Google Pay. Larger tickets → Changelly → MoonPay (buy.moonpay.com) where KYC is required by MoonPay. How the Changelly → Banxa interaction likely works (best-fit model) Changelly markets a fiat on-ramp integration layer (Fiat API / providers), where end-users can be routed to third-party providers. Banxa documentation explicitly describes a Changelly “Buy” flow where users choose a payment method, then are redirected to Banxa and must provide a wallet address because “Changelly doesn’t have its own built-in wallet.” Working hypothesis: the casinos embed a standardized “Buy Crypto” module that uses Changelly as the front layer and dynamically routes to Banxa or MoonPay based on geography, amount, or provider availability. Operator mismatch: why it matters (and what we think is happening) Casino-aggregator sites claim repeatedly place these brands under MIBS N.V. / Curaçao. Yet the casinos’ own pages (and multilingual variants) display Costa Rica entities (Deep Sea Tech Ventures / Atlantis Interactive SRL). FinTelegram hypothesis (Indicated): This is either (a) a shared white-label platform used by multiple “operators of record,” or (b) a single control group using multiple corporate wrappers (Curaçao + Costa Rica) while reusing the same cashier/on-ramp stack. The identical “Buy Crypto” implementation across MegaDice (MIBS) and CryptoCasino/CoinKings (Costa Rica disclosures) is a strong linkage signal—especially given the same pair of on-ramps (Changelly/Banxa + MoonPay) appearing as default rails. Download the full compliance report on Igloo Ventures Casino Group here. Comparative Analysis: MegaDice vs. CryptoCasino.com AspectMegaDiceCryptoCasinoCoinKingsLegal Operator (Per Terms)MIBS N.V.Deep Sea Tech VenturesAtlantis Interactive SRLJurisdictionCuracaoCosta RicaRegistration ID1620313-102-93629Gaming LicenseOGL/2024/1718/0938 (Curacao Gaming Authority)None disclosed (Costa Rica has no gambling licenses)Aggregator ListingsMIBS N.V. (consistent)Conflicting: MIBS N.V. vs. Deep Sea Tech VenturesPayment ProcessorsChangelly, MoonPayChangelly, MoonPay (identical)Platform ArchitectureMIBS platformIdentical to MegaDice (user report)Software ProvidersEvolution, Pragmatic Play, Nolimit City, Hacksaw GamingEvolution, Pragmatic Play, Nolimit City, Hacksaw Gaming (identical)KYC Marketing“No KYC” casinoSimilar low-friction onboardingPlayer Legal CounterpartyMIBS N.V. (Curacao)Deep Sea Tech Ventures (Costa Rica)Dispute Resolution AccessCuracao eGaming ADRNone (Costa Rica has no gambling ADR) Critical Observation: Despite identical technical infrastructure, players using CryptoCasino.com contract with a different legal entity in a weaker regulatory jurisdiction compared to MegaDice users, creating asymmetric consumer protection across platforms built on the same technology. Compliance / Enforcement Angles If these casinos accept players in restricted markets without authorization, the payment stack becomes the practical enforcement lever: merchant onboarding, geofencing, KYB/KYC controls, and high-risk merchant monitoring. Changelly explicitly positions its solutions as a fiat on-ramp gateway for partners. Banxa positions itself as a compliant on/off-ramp provider with KYC/AML tooling. MoonPay states KYC is required to comply with KYC laws and details identity verification requirements. Practical takeaway: Regardless of which entity is “operator of record,” the same rails reappear—making this a repeatable Rail Atlas pattern worth tagging and clustering. Actionable Insight (for the Rail Hub / Atlas) Create a clustered Rail Atlas entry for this pattern: Rail Pattern Name: “Buy Crypto” Casino On-Ramp (Changelly Router → Banxa Widget / MoonPay) Pattern Signature: Changelly TOS modal + wallet address entry + redirect to changellywidget.banxa.com OR buy.moonpay.com Primary Entities: CryptoCasino.com, CoinKings.io, MegaDice; Changelly; Banxa; MoonPay Control Hypothesis: Shared platform / shared BO / shared operating control layer (Indicated) Priority Follow-ups: Identify the embedded Changelly integration ID / partner keys (where visible) Test routing logic by amount / country / device Determine whether Banxa merchant descriptor references Changelly, Banxa, or an intermediate merchant-of-record Map withdrawal rails (currently Unknown) Call for Information Are you a player, affiliate, PSP insider, or former staff member with evidence about CryptoCasino, CoinKings, MegaDice, or their on-ramp partners (Changelly/Banxa/MoonPay)—including merchant descriptors, KYB files, routing rules, chargeback patterns, or operator/beneficial owner links? Please submit information securely via Whistle42.com. Screenshots of checkout flows, bank/card statements (with sensitive data redacted), and internal compliance correspondence are particularly valuable. Share Information via Whistle42

FinTelegram reviewed MegaDice on Jan 11, 2026 as part of our Rail Atlas work. The Curaçao-licensed crypto casino/sportsbook (operator: MIBS N.V.) can be accessed from multiple EU jurisdictions and the UK with email-only onboarding in our tests. MegaDice offers direct crypto deposits (no casino-side KYC observed) and an embedded “Buy Crypto / Compra Crypto” rail that routes users into Changelly and MoonPay purchase flows—where fiat processing and KYC appear to be performed by the on-ramp providers, not the casino. Key Facts Operator / License: MegaDice states it is operated by MIBS N.V. (Curaçao) and licensed by the Curaçao Gaming Authority (license OGL/2024/1718/0938, status “Active”). No-KYC marketing vs. practical onboarding: In our review, registration and access to deposit flows worked from EU/UK locations with minimal friction (email/username style onboarding). MegaDice’s own onboarding copy describes account creation via email and email verification. Rail 1 — Direct crypto deposit (casino): Wallet address generation and crypto deposit path is presented as the default deposit method (no casino-side KYC checkpoint observed during testing). Rail 2 — Indirect FIAT deposit (“Buy Crypto”): MegaDice embeds a Changelly “Buy crypto” interface that, in execution, is processed via changellywidget.banxa.com (Banxa-hosted widget). Changelly→Banxa interaction (most likely model): Banxa’s own support documentation describes a Changelly “Buy” flow where users select a payment method and choose Banxa, then are redirected to Banxa to create the order and complete verification (KYC); it also notes Changelly “doesn’t have its own built-in wallet,” requiring a wallet address entry. Rail 3 — MoonPay direct: The MoonPay flow routes users to buy.moonpay.com and MoonPay documentation confirms identity verification is required to access services (KYC). Traffic indicator (supporting signal): A Similarweb snapshot (Dec 2025) supplied in our internal case materials shows 2,271 visits to changellywidget.banxa.com—suggesting meaningful usage of the Changelly→Banxa rail (not proof of completed deposits). Short Analysis What the rails tell us: MegaDice operationalizes a common offshore pattern: keep the casino layer “no-KYC”, while offering convenient “Buy Crypto” conversion rails that push compliance obligations outward to on-ramps (MoonPay; and Banxa when routed via Changelly). Banxa’s own “Changelly tutorial” strongly supports the interpretation that Changelly is the front-end marketplace/aggregator, while Banxa becomes the fiat processor/merchant flow that executes the order and performs verification. Our review shows that MegaDice evidently makes its services available to users in the EU, the UK, and other regulated markets without holding the local authorisations typically required to lawfully offer online gambling in those jurisdictions. If confirmed, this would constitute a breach of applicable national gambling laws by the operator. The casino explicitly lists the UK, France, and Spain as restricted territories, yet markets itself as “VPN-friendly” to facilitate access from these jurisdictions—a regulatory arbitrage strategy that shifts legal and financial risk from the operator to players. Why our findings matter (chokepoint logic): For regulators and banks, the chokepoint is not the casino UI—it’s the fiat-to-crypto conversion layer. If a casino accepts EU/UK players with minimal onboarding and allows direct crypto deposits without visible checks, then the “Buy Crypto” rail becomes the high-impact control surface: block/limit/monitor it, and player conversion can drop sharply. Equally important, the platform’s ability to onboard and fund player accounts depends on fiat-to-crypto and payment “conversion” rails provided by third parties. Where such providers enable transactions that support unauthorised gambling activity—whether through card/Google Pay flows (e.g., via Banxa-powered widgets) or direct on-ramp services (e.g., MoonPay)—they may expose themselves to heightened regulatory and enforcement risk under AML/CTF, payments, sanctions, and consumer-protection frameworks, including obligations around merchant due diligence, transaction monitoring, and controls against facilitating prohibited or high-risk merchant activity. Call for Information Have you deposited via Changelly/Banxa or MoonPay on MegaDice (especially from EU/UK) and can share error screens, order receipts, KYC prompts, payout behavior, or deposit wallet addresses? Are you an insider (affiliate, PSP contact, compliance, support) with details on how MegaDice routes “Buy Crypto” traffic between providers? Submit securely via Whistle42.com (screenshots + timestamps + jurisdiction/device details help). Share Information via Whistle42

The integration of stablecoins into online gambling represents one of cryptocurrency’s most commercially successful—and controversial—applications. By 2025, stablecoins have become the foundational payment infrastructure for a crypto gambling market generating $81.4 billion in annual revenue, a fivefold increase from 2022 levels. This investigation identifies the major platforms accepting stablecoins, examines their regulatory frameworks, and assesses the compliance and financial crime risks inherent in this rapidly expanding sector.​ The Stablecoin Advantage: Why Casinos Adopted Dollar-Pegged Tokens Stablecoins solved the fundamental volatility problem that constrained crypto gambling’s growth. Before widespread stablecoin adoption, players wagering in Bitcoin or Ethereum were effectively making two simultaneous bets: one on the game outcome and another on cryptocurrency price movements. This created psychological barriers for mainstream users who conceptualize money in fiat terms rather than fluctuating digital assets.​ The emergence of USDT (Tether), USDC (Circle), and other dollar-pegged stablecoins provided casinos with stable units of account that operate on low-fee blockchain networks. Players depositing $100 in USDT maintain exactly $100 in value regardless of crypto market volatility, enabling predictable bankroll management. Transaction costs on networks like Tron (TRC-20) remain under $1 regardless of market conditions, compared to Bitcoin fees that can spike to $20-50 during peak demand. Combined with near-instant settlement times versus multi-day traditional banking processes, stablecoins established the infrastructure necessary for crypto gambling’s global expansion.​ By 2025, stablecoins account for 30% of all online wagers globally, up from 20% in 2022. The $26 billion in stablecoin gambling transactions recorded in Q1 2025 alone nearly doubled the previous year’s volume, demonstrating sustained exponential growth driven by technological infrastructure rather than speculative enthusiasm.​ Major Stablecoin Casinos: Market Leaders and Their Operations Tier 1 Platforms Stake.com dominates the crypto casino landscape with over $1.1 billion in monthly transaction volume and $4.7 billion in gross gaming revenue for 2024. The platform supports USDT and USDC alongside 14+ other cryptocurrencies, operating under Curacao licensing. Stake’s aggressive marketing strategy includes Premier League sponsorships and social media campaigns that have generated both massive user growth and regulatory scrutiny.​ BC.Game offers over 9,000 games from top-tier providers with support for USDT, USDC, and DAI. The platform features a 69-level VIP program with proprietary BC Dollar (BCD) token pegged to USD, which players earn through gameplay and can convert to USDT or BTC. BC.Game promotes a 360% deposit bonus up to $500,000, though notably the platform voluntarily withdrew its Curacao license in December 2024, raising questions about regulatory oversight.​ Cloudbet, operating since 2013, represents one of the longest-established crypto casinos with consistent Curacao Gaming Control Board licensing. The platform accepts USDT via both TRC-20 and ERC-20 networks, offering players network choice based on speed and fee preferences. Cloudbet provides direct USDT wallet functionality, allowing deposits, betting, and withdrawals in stablecoins without automatic conversion, alongside a $2,500 welcome package.​ Rollbit emerged as a key player in the $10 billion crypto casino boom, operating since 2020 with its proprietary RLB token that provides utility through fee discounts and lottery entry. The platform allocates 20% of daily casino profits to a revenue-sharing lottery for RLB holders, creating deflationary tokenomics through continuous buyback-and-burn mechanisms. However, recent information suggests licensing issues may affect operations.​​ Duelbits, established in 2020, supports USDT and BUSD across 5,000+ games with a generous 60% rakeback program through its loyalty structure. The platform offers 125% deposit match bonuses up to $250 plus free spins, with instant withdrawals and no mandatory KYC for smaller amounts. Like most competitors, Duelbits operates under Curacao licensing.​ Read our reports on BC.Game here. Secondary Platforms and Specialized Operators Betpanda targets privacy-conscious players with 100% bonuses up to 1 BTC, zero KYC requirements, and no withdrawal limits. CoinCasino ranks among top USDT-specific casinos, while Betplay.io provides USDC support across five major networks including Tron, Ethereum, Solana, BNB Chain, and Polygon. 500 Casino offers USDT deposits on Ethereum, BNB Chain, Solana, and Avalanche networks, and Bets.io supports USDC on Ethereum, Sui, Base, NEAR, and BNB Chain.​ CryptoCasino.com represents emerging Web3-integrated platforms with Telegram-based access, supporting 18+ cryptocurrencies, including USDT and USDC alongside its native $CASINO token. The platform implements a unique incremental bonus release system where 10% of the bonus unlocks for every 6x deposit wagered.​ US-Facing Offshore Casinos While crypto-native casinos theoretically operate globally, most exclude US players through terms of service. However, several offshore casinos explicitly serve the American market through jurisdictions like Panama and Costa Rica. BetOnline processes USDT withdrawals within 24 hours and approves US identification documents during KYC verification. Wild Casino advertises the fastest USDT withdrawals with $5,000 welcome bonuses, supporting USDT, Bitcoin, Ethereum, and Solana.​ Super Slots, Cafe Casino (part of the Bovada network), and Sportsbetting.ag similarly accept US players with USDT support on TRC-20 and ERC-20 networks. These platforms convert stablecoin deposits to USD account credits for gameplay, with withdrawals converting back to USDT at current rates—essentially invisible due to the 1:1 peg. Unlike crypto-native casinos that may confiscate funds when US players submit identification, these offshore operators expect and approve American documents.​ Licensing Framework: Curacao’s Crypto-Friendly Regime The overwhelming majority of stablecoin casinos operate under licenses from Curacao’s Gaming Control Board (GCB). Curacao emerged as the preferred jurisdiction because its regulatory framework explicitly accommodates cryptocurrency gambling, including Bitcoin, Ethereum, and stablecoins, provided operators implement anti-money laundering (AML) and know-your-customer (KYC) compliance measures.​ The 2023 National Ordinance on Offshore Games of Hazard (LOK) modernized Curacao’s licensing system by eliminating the previous master-sublicense structure in favor of individual licenses issued directly by the GCB. This reform introduced stricter AML/CFT obligations aligned with Financial Action Task Force (FATF) and EU standards, requiring enhanced due diligence, transaction monitoring, and responsible gaming protocols.​ Curacao licenses offer several operational advantages: a single license covers multiple verticals including casino, sportsbook, poker, and lottery without separate applications; annual fees range from €40,000-50,000; and approval processes typically complete within 2-3 months. The jurisdiction permits hybrid fiat-crypto platforms and crypto-first operators while maintaining no specific restrictions on stablecoin acceptance.​ However, Curacao licensing provides weaker consumer protections compared to jurisdictions like Malta or the UK. The recent cases of BC.Game voluntarily withdrawing its license and reports of Rollbit’s expired gaming license illustrate enforcement challenges and potential gaps in oversight.​​ Compliance Requirements and AML Obligations Despite operating in crypto-friendly jurisdictions, stablecoin casinos face substantial compliance obligations driven by both local regulations and international AML standards. KYC/AML Implementation Most platforms require KYC verification before processing withdrawals, regardless of amount, to maintain licensing compliance. The verification process typically involves submitting government-issued ID, proof of address, and sometimes selfie verification. US-facing offshore casinos expect American documents and approve them routinely, while crypto-native casinos may use KYC as a “trap” to confiscate funds from restricted jurisdictions.​ Some platforms advertise “no KYC” policies, particularly for smaller transactions, though this creates heightened financial crime risks. Under the GENIUS Act, enacted in July 2025, US-based stablecoin issuers must register as Permitted Payment Stablecoin Issuers with federal regulators and implement bank-grade AML programs. Casinos facilitating stablecoin purchase or redemption using fiat payment methods now fall under this regulatory scope.​ Stablecoin operators are explicitly classified as “financial institutions” under the Bank Secrecy Act, requiring suspicious activity reporting, customer due diligence, and sanctions compliance. The EU’s Markets in Crypto-Assets (MiCA) regulation imposes similar requirements on European stablecoin issuers and service providers.​ Financial Crime Risks Specific to Stablecoin Gambling Online gambling constitutes a high-risk category for money laundering, and stablecoins amplify these risks through several mechanisms. Chainalysis estimated that stablecoins were involved in nearly $25 billion in illicit transactions during 2024, with the UN Office on Drugs and Crime highlighting Tether’s USDT as particularly attractive to criminals due to its price stability, ease of use, and minimal fees.​ Cross-chain laundering exploits stablecoins’ availability across multiple blockchains—USDT operates on Ethereum, Tron, BNB Chain, and 10+ other networks. Criminals move funds between chains to obscure transaction trails, creating compliance blind spots where traditional monitoring tools lose visibility. DeFi integration enables sophisticated layering through lending pools, yield farming, and liquidity provision that creates legitimate-appearing transaction histories masking illicit origins.​ Rapid liquidity allows criminals to quickly convert stablecoins to other cryptocurrencies or fiat without major slippage. Stablecoins’ global accessibility and pseudonymous transactions make them attractive for sanctions evasion, with significant usage documented on exchanges in sanctioned jurisdictions like Iran and Russia. The intersection points where traditional banking meets digital assets—on-ramp and off-ramp services—create particular vulnerabilities where criminals exploit weak exchange KYC to purchase stablecoins or use P2P platforms to convert back to fiat.​ Provably Fair Technology and Transparency Claims Many stablecoin casinos promote “provably fair” gaming as a transparency advantage over traditional online casinos. This cryptographic verification system allows players to independently confirm that game outcomes were not manipulated.​ The technical mechanism involves three components: a server seed (random number generated by the casino), a client seed (random number from the player’s browser that they can modify), and a nonce (incrementing number for each bet). Before each bet, the casino provides a cryptographic hash of the server seed. After the bet concludes, the casino reveals the actual server seed, allowing players to verify it matches the original hash and that the combination of server seed + client seed + nonce produces the displayed outcome.​ BC.Game, Cloudbet, Rollbit, and Duelbits all implement provably fair systems for their proprietary games. However, these verification tools only apply to blockchain-based house games like Crash, Plinko, and Dice—not to third-party slots from providers like Pragmatic Play or Evolution Gaming live dealer tables. The transparency is genuine for applicable games, but players must understand the limitations and that “provably fair” does not address other risks like licensing issues, fund security, or withdrawal processing.​ Payment Processing and Technical Infrastructure Stablecoin casinos support multiple blockchain networks with varying cost and speed characteristics. USDT is available via TRC-20 (Tron network with fees under $1), ERC-20 (Ethereum with variable gas fees), and BEP-20 (Binance Smart Chain offering a middle ground). USDC operates on Ethereum, Polygon, Solana, BNB Chain, Base, and several other networks.​ Deposit processing is typically instant, with casinos crediting accounts after 1-3 blockchain confirmations, generally 5-15 minutes. Withdrawals range from minutes to 24-48 hours depending on the platform and amount. Minimum deposits are usually $20 across major platforms.​ Most casinos convert stablecoin deposits to USD account credits for gameplay, displaying balances and bet amounts in dollars. When players withdraw, the system converts USD balance back to stablecoins at the current rate—effectively invisible due to the 1:1 peg. Some platforms like Cloudbet allow direct stablecoin betting without conversion, maintaining the entire transaction flow in USDT or USDC.​ Risk Assessment: Legitimacy and Consumer Protection Concerns Several factors complicate risk assessment for stablecoin casinos. Offshore jurisdictions provide weaker consumer protections compared to regulated markets, with limited recourse for dispute resolution. The “KYC trap” phenomenon—where casinos accept deposits freely but confiscate funds during withdrawal KYC when identifying restricted jurisdictions—affects players in banned regions.​ Licensing issues present ongoing concerns, with BC.Game’s voluntary license withdrawal and reports of Rollbit’s expired license illustrating governance gaps. Centralized custody risk means deposited funds remain under platform control rather than user wallets, creating insolvency and fraud vulnerabilities.​​ Bonus wagering requirements typically range from 8x to 45x, with some casinos imposing 30x-35x as standard. Players must understand these requirements before claiming bonuses to avoid forfeited winnings. Stablecoin reserves are not FDIC-insured, meaning funds lack the government deposit insurance that protects traditional bank accounts.​ Many platforms are “VPN friendly” and enable users to bypass geo-restrictions, creating legal ambiguity for players in jurisdictions where online gambling is prohibited. While this access serves users in restrictive regions, it also facilitates regulatory arbitrage and exposes players to legal risks in their home countries.​ Market Outlook and Regulatory Pressures The crypto casino market is projected to reach $400 billion by 2028, driven by continued stablecoin adoption, blockchain technology integration, and expansion into emerging markets. Platforms leveraging Solana and BNB Chain report 30% user growth in developing regions, where stablecoins serve dual purposes as inflation hedges and gambling payment rails.​ However, regulatory pressures are intensifying. The GENIUS Act’s stablecoin licensing framework, MiCA’s crypto-asset service provider requirements, and enhanced FATF guidance on virtual assets are converging to impose bank-grade compliance expectations on the sector. Platforms that implement robust AML/KYC, transaction monitoring, and sanctions screening will likely gain competitive advantages and access to institutional partnerships, while those operating with minimal compliance face increased enforcement risks.​ The fundamental tension between crypto gambling’s borderless, pseudonymous nature and regulators’ demands for transparency and consumer protection will shape the industry’s evolution. Stablecoins have definitively enabled the sector’s explosive growth by solving the volatility barrier, but the resulting $81 billion market now attracts regulatory scrutiny that will likely force consolidation around compliant, well-capitalized operators capable of meeting increasingly stringent requirements. Share Information via Whistle42

German public-broadcaster reporting has linked financial entrepreneur Michael Gastauer—known for the WB21/Black Banx storyline—to a large-scale law-enforcement raid in Bavaria. While official details remain scarce, the case raises a hard compliance question: How can globally marketed “banking” narratives, cross-border payment claims, and opaque structures persist without transparent supervisory answers? Key Facts A report titled “Ein Finanzunternehmer und eine Razzia in Bayern” (MVW/ARD Kontraste) discusses Gastauer and connects him to a major raid in Bavaria. Gastauer has long marketed high-growth banking/fintech narratives around WB21 and later Black Banx—claims that have drawn skepticism and reporting scrutiny for years. FinTelegram has repeatedly reported critically on Gastauer-related schemes (WB21/Black Banx) and continues to track the matter as an ongoing case. Publicly accessible, primary-source detail from Bavarian prosecutors (specific allegations, case number, scope of searches, seizure list) is not yet clearly documented in open official releases. Short Analysis Michael Gastauer on stage promoting himself A “raid” is not a conviction—but it is a serious enforcement signal. When public reporting ties a fintech promoter to a large-scale search operation, compliance teams should immediately ask: What predicate risks are being examined—AML failures, unlicensed financial services, false marketing, or cross-border regulatory breaches? Gastauer’s WB21 era already illustrated the core pattern regulators and counterparties should fear: spectacular claims + limited verifiable disclosure + international structuring. Back in 2016, German business reporting described substantial doubts around WB21’s story and numbers and highlighted the difficulty of independently validating the narrative. From a supervisory perspective, the uncomfortable question is not just “What did one entrepreneur do?” but “Which control gates failed?” If consumer-facing “banking” or “payment” propositions are marketed across borders, where are the hard checks: licensing clarity, audited financials, safeguarding/custody assertions, correspondent relationships, and AML program maturity? A raid connected to such a narrative is a reminder that regulatory perimeter enforcement often happens late—after reputational and victim harm is already baked in. Read our reports on Michael Gastauer here. Report: Implausible Metrics, Pay-to-Play Glamor, and Prosecutors Asking AML Questions In a detailed segment by Germany’s leading public broadcaster ARD (Kontraste)—running just under nine minutes—journalists put Michael Gastauer and his Black Banx scheme under a forensic spotlight and link the narrative to ongoing prosecutorial inquiries reportedly coordinated out of Frankfurt. ARD interviews financial experts who reviewed the publicly promoted performance figures and concluded they do not add up—a familiar red flag in the compliance world when marketing claims outpace verifiable operating reality. Black Banx portrays itself as a hyper-growth financial services provider—claiming 92 million customers worldwide, two million new customers per month and results allegedly exceeding those of Commerzbank, one of Germany’s largest banks. App download statistics Black Banx and others ARD counters this “global bank” story with a blunt adoption reality check: in November 2025, the Black Banx app was reportedly downloaded only five times, while a mainstream competitor like Deutsche Bank reportedly exceeded 60,000 downloads in the same period (screenshot left). ARD’s report further claims that even the executive profiles presented on Black Banx’s “leadership” page show signs of having been AI-generated or AI-edited—a bizarre detail, but one that matters when counterparties and regulators rely on management transparency as a baseline control. The segment also dissects the self-awarded aura of prestige around Gastauer. ARD reports that Gastauer is promoted as a recipient of a “Global Banker Award,” but that the award appears to have been handed out only once—namely to Gastauer—as an internal promotion: simply branding theatre. ARD also cites Wealth & Finance as telling the broadcaster that Gastauer paid for a cover placement, and that the associated content was later taken offline after critical reporting. Finally, ARD ties these optics to hard regulatory exposure: the report references the U.S. SEC’s enforcement action connected to a broader fraud scheme attributed to UK citizen Roger Knox, in which the SEC alleged Gastauer’s entities were used to facilitate and obscure flows; a U.S. court entered a final judgment ordering Gastauer to pay more than $17 million. Call for Information Do you have documents, onboarding flows, banking/payment partner details, KYC/AML evidence, correspondence, or regulator communications related to WB21, Black Banx, or Michael Gastauer’s network? Share securely via Whistle42.com. Confidential sources help us verify what enforcement actions are actually about—and who enabled them. Share Information via Whistle42

In 2025, stablecoins moved from “crypto plumbing” to payment infrastructure. On-chain transaction value hit record highs, and banks/fintechs began piloting stablecoin settlement. Regulators also moved: MiCA’s EU stablecoin regime began applying in 2024 and 2025 was the first full year of implementation, while the U.S. GENIUS Act set a federal framework. Key Facts Stablecoin transaction value rose ~72% to about $33T in 2025; USDC led (~$18.3T) and USDT followed (~$13.3T). Q4 2025 alone recorded about $11T in stablecoin transactions. Stablecoin supply was around ~$300B; B2B stablecoin payment flows hit $3B+ per month in 2025. Visa reported ~$3.5B annualized stablecoin settlement volume and launched USDC settlement for U.S. institutions (Dec 2025). Short Analysis Stablecoins bridge TradeFi and blockchains by delivering dollar-like stability in a programmable, 24/7 format. In 2025, usage expanded beyond trading/DeFi into cross-border B2B payments, payouts, and settlement pilots by incumbents. Regulation is now both accelerator and constraint. MiCA applies EU-wide rules to stablecoins classified as e-money tokens (EMTs) or asset-referenced tokens (ARTs), with authorization and disclosure duties; “widely used as means of exchange” thresholds (often summarized as ~1m transactions or €200m per day in a currency area) can trigger remedial measures. In the U.S., the GENIUS Act (signed July 18, 2025) defines “payment stablecoins,” permits banks/approved nonbanks to issue, and sets reserve, attestation, and supervisory requirements. Leading Stablecoins USDT (Tether) remains the market leader with $187 billion in circulation and $13.3 trillion in 2025 transactions, generating $15 billion in profits through Treasury-backed reserves. USDC (Circle) grew 75% to $77 billion market cap with $18.3 trillion in transactions, benefiting from institutional demand and regulatory compliance.  http://daiPayPal‘s PYUSD reached $910 million circulation, positioning itself as a “commerce-first stablecoin”. DAI, the leading decentralized stablecoin, maintains over $5 billion in circulation backed by crypto collateral and real-world assets.​ Outlook / Hypothesis (2026–2027) Stablecoins will continue their trajectory as fundamental payment infrastructure, with conservative estimates projecting market size doubling to $500-750 billion by 2027. Key drivers include expanding use in cross-border payments—where they reduce settlement times from days to minutes—and adoption in inflation-afflicted developing nations, where over 40% of African cryptocurrency volumes now involve stablecoins. Banks will increasingly issue tokenized deposits to compete with private stablecoins while maintaining regulatory protections. The convergence of TradFi and DeFi will accelerate as stablecoins become the standard settlement layer for programmable finance, though growth may moderate as infrastructure buildout requires time and conservative investors approach adoption cautiously. The fundamental shift is irreversible: stablecoins have evolved from experimental crypto assets into mission-critical financial rails connecting the dollar-based global economy to blockchain efficiency. Call for Information Do you see stablecoins used for settlement, payroll, remittances—or as “shadow rails” for illegal gambling, high-risk brokers, or sanctions evasion? Share documents and leads securely via Whistle42.com. Share Information via Whistle42

A federal judge in California has refused to dismiss two lawsuits accusing the U.S. fintech Block Inc. (Square/Cash App) and senior leadership of compliance-related misstatements and oversight failures. The rulings keep an investor class action and a separate shareholder derivative case on track—turning Block’s compliance narrative into a courtroom test of corporate governance, controls, and accountability. Key Facts Court / Judge: U.S. District Court, Northern District of California; Judge Noël Wise denied a motion to dismiss in the securities class action. Class action theory: Investors allege materially misleading statements/omissions about Cash App’s compliance programming (and user metrics), followed by enforcement actions and a major stock decline. Derivative suit theory: Shareholders claim Block’s executives and board breached fiduciary duties by allowing allegedly lax customer due diligence and weak safeguards—effectively failing to supervise compliance. Demand futility: The court accepted allegations that pre-suit demand on the board would have been futile because a majority faced a substantial likelihood of liability / lacked independence (as pleaded). Regulatory backdrop: Block previously agreed to $80M with 48 state regulators (AML program deficiencies) and $40M with NYDFS plus an independent monitor (BSA/AML/KYC gaps). Consumer protection pressure: CFPB said Block failed for years on fraud controls and customer service practices on Cash App and ordered redress and remediation. Short Analysis This is not a “paperwork” dispute. The class action centers on whether Block’s public posture about Cash App’s compliance capacity and operational integrity was materially misleading to investors over the pleaded class period—raising classic securities-fraud questions about disclosure, internal controls, and what management knew (or should have known). The derivative case is the governance blade: it targets the board’s oversight duty—i.e., whether directors meaningfully monitored compliance risk in a fast-scaling fintech with known exposure to fraud, AML/KYC failures, and enforcement attention. If these claims survive discovery, they can become a compliance “X-ray”: board minutes, escalation pathways, SAR/transaction monitoring resourcing, and the reality behind “we take compliance seriously” messaging. Call for Information Do you have internal documents, audit findings, whistleblower evidence, or first-hand experience regarding Cash App’s AML/KYC controls, fraud handling, escalation practices, or board-level reporting? Share information securely via Whistle42.com—anonymity-friendly submissions are welcome. Share Information via Whistle42

FinTelegram has re-tested the RakeBit crypto casino / sportsbook between January 6–10, 2026 and observed repeated failures when attempting to fund accounts via the embedded “Buy Crypto” flow previously routed through MoonPay and Changelly. If confirmed, the loss of this indirect FIAT deposit rail would remove a key conversion chokepoint—potentially explaining RakeBit’s sharp traffic decline in December 2025. Key Points Core finding (Jan 6–10, 2026): The “Buy Crypto” / indirect FIAT deposit rail no longer works in repeated daily tests across jurisdictions (error messages during deposit attempts). In our November 2025 compliance report, MoonPay and Changelly were deeply integrated into RakeBit’s onboarding/deposit journey, enabling FIAT → crypto → RakeBit wallet funding. RakeBit continues to market itself as a “No-KYC” casino and—per its disclosed terms—operates via Innovex Tech Holdings Ltd (Anjouan / Comoros). Hypothesis: The most plausible explanation for the repeated failures is that MoonPay and/or Changelly are no longer supporting RakeBit (offboarding, merchant termination, widget blocking, or compliance geo-restriction). MoonPay explicitly documents region-based widget errors and embed/allowlisting controls that can hard-stop an integration. Traffic angle: Losing the FIAT on-ramp can materially reduce new-player conversion—especially for non-crypto natives—making it a credible contributor to a December traffic drop (correlation, not proof of causation). Reminder: We also warned in November 2025 about RakeBit routing users to the scam domain “Changelly.pro” (distinct from the legitimate Changelly), highlighting elevated deposit-risk conditions around its “Buy Crypto” funnels. Read our reports on MoonPay here. Rail Map Mini: RakeBit Deposit Chokepoint (Update) Rail Type: Indirect FIAT Deposit (“Buy Crypto”) → crypto transfer → casino wallet credit Player Funding Intent (FIAT): User wants to deposit with card/bank but casino is “crypto-first.” Conversion Layer (“Buy Crypto”): Previously routed via MoonPay / Changelly inside RakeBit’s UX (Nov 2025). Settlement: Purchased crypto is transferred to wallets controlled by RakeBit / its operators (casino balance credited). Cash-out: Winnings typically paid out in crypto (keeping the “casino layer” no-KYC while the on-ramp performs KYC/verification). Status (Jan 6–10, 2026): Conversion Layer appears non-functional in repeated tests → rail disruption likely. Short Narrative: What Changed Since November 2025 In our November 6, 2025 RakeBit report, we documented a classic offshore casino pattern: no meaningful KYC at the gambling layer while embedding “compliant-looking” on-ramp partners that perform identity checks at the crypto-purchase step—creating a high-risk architecture that still enables unlicensed gambling access across restricted jurisdictions. During the January 6–10, 2026 retest window, FinTelegram repeatedly attempted the same indirect FIAT deposit flow (via the embedded “Buy Crypto” rail historically associated with MoonPay/Changelly). Across multiple days and jurisdictions, the deposit attempts returned errors and did not complete, suggesting the on-ramp path has been disabled, blocked, or terminated. Extended Analysis: Why Offboarding Is the Lead Hypothesis We cannot confirm contractual relationships without cooperation from the parties. However, the pattern is telling: MoonPay-side enforcement is technically easy. MoonPay’s documentation makes clear that widgets can fail due to geo restrictions or domain/embed controls, which can be used to prevent unauthorized or high-risk placements. Changelly’s FIAT capability often depends on upstream partners. Changelly describes that it processes FIAT transactions through partners including MoonPay, implying that disruption in partner routing can directly break FIAT purchase paths. RakeBit’s risk profile is structurally offboard-worthy. The platform openly markets a “No-KYC” proposition and operates via an offshore licensing posture (Anjouan), which is widely marketed as fast/low-friction for gambling operators—an attractive feature for “regulation-avoiding” models. Working hypothesis (most likely): MoonPay and/or Changelly have stopped servicing RakeBit (compliance offboarding or risk controls), and RakeBit has not yet implemented a replacement on-ramp rail. Alternative hypotheses (less satisfying, but possible): RakeBit broke its own integration (expired keys, misconfigured domains, widget embed failure). MoonPay explicitly notes embed allowlisting issues can produce errors. RakeBit intentionally removed the rail temporarily (pressure, chargeback exposure, or partner dispute). Read our reports on Changelly here. Actionable Insight: What To Watch Next (Rail Research) Signals that confirm a partner offboarding (high value evidence): Screenshots/video of the error flow showing MoonPay/Changelly branding and any error codes. Page-source or network calls identifying the on-ramp endpoint being blocked/terminated. Updated RakeBit terms or checkout UI replacing MoonPay/Changelly with a new partner. Affiliate chatter or operator communications explaining deposit failures. Why this matters for regulators & compliance teams:The on-ramp is the real chokepoint. If major on-ramp partners withdraw, offshore casinos often: shift to direct crypto-only deposits (higher friction, lower conversion), or rotate to less regulated facilitators, often via Cyprus or similar payment-agent hubs (a pattern we previously mapped in RakeBit’s structure). RakeBit Key Data Overview CategoryDetailsWebsiterakebit.comCurrent OperatorInnovex Tech Holdings Ltd (Anjouan, Comoros)​Previous OperatorTECH GROUP BL LIMITADA (Costa Rica, reg. 3-102-880902)​Payment AgentNovaflow Processing LTD. Company number: HE 454267. Address: Archiepiskopou Makariou III, 84, office 1, 6017, Larnaka, Cyprus.Connected EntityTrueFlip.io / Blockchain Games N.V. (Curaçao)​Ultimate Beneficial OwnerKonstantin Katsev (based on whistleblower intelligence)​LicenseAnjouan Gaming (Union of Comoros)​KYC PolicyNo KYC for gambling; marketed as “No-KYC Casino”​Payment FacilitatorsMoonPay Ltd, Changelly​Primary Traffic Source~90% United States (prohibited jurisdiction)Scam AllegationsMultiple BitcoinTalk complaints: $30K seizure, $12K withheld, $833 confiscated​Restricted Markets AcceptingItaly, Germany, UK, United States (verified November 6, 2025)TrueFlip StatusClosed; redirects to RakeBit (November 6, 2025)​ Call for Information (Whistle42) Have you tried depositing on RakeBit in January 2026 and captured the error screen, wallet flows, or updated “Buy Crypto” providers? Are you an insider (affiliate manager, PSP liaison, treasury/ops) with evidence of MoonPay/Changelly offboarding or a replacement rail being negotiated? Share securely via Whistle42. Include timestamps, jurisdiction, device/browser, and any transaction IDs. (Presumption of innocence applies.) Share Information via Whistle42

Google says it will start allowing ads for “Prediction Markets” from January 21, 2026—but only in the United States and only for federally regulated providers offering exchange-listed event contracts. Binary options remain explicitly prohibited. The compliance question is whether this is a sensible investor-protection filter—or the beginning of a new mass-market mis-selling cycle under a trendier label. Key Points Google’s new category is not a blanket green light: it is US-only and requires Google certification. Eligibility is limited to CFTC-authorized DCMs (Designated Contract Markets) whose primary business is listing event contracts, or NFA-authorized brokerages offering access to such DCM products. Google’s policy still bans binary options/fixed-return contracts, plus affiliates/signals content for event contracts. Google also flags the products as complex and speculative—a rare candid warning in ad policy language. The move gives regulated players (e.g., CFTC-permitted venues) a major distribution advantage—while likely boosting “prediction market” mindshare globally. Short Narrative & Analysis On January 5, 2026, Google published an update: starting January 21, ads for “Prediction Markets” are permitted in the US for platforms that provide access to exchange-listed event contracts tied to economics, sports, or current events—only if the advertiser is federally regulated and certified by Google. Many “yes/no” event contracts look and feel economically similar to a binary (all-or-nothing style outcomes, retail-friendly UX, gamified framing). However, Google’s policy is explicitly designed to exclude the classic offshore “binary options broker” model and instead rely on CFTC/NFA gatekeeping for a narrow class of exchange-listed contracts. Read our full report on Google’s Prediction Markets decision. That said, investor protection concerns don’t disappear just because an instrument sits inside a federal framework: Distribution risk is the product. Allowing Google Ads is not a minor tweak—it’s a “growth unlock.” If prediction markets are marketed like sports betting or meme trading, retail harm can scale quickly even in regulated wrappers. Brand laundering risk. Google’s definitions may be precise, but public perception won’t be: offshore operators and casinos already package “prediction markets” as a buzzword product line. The policy bans affiliates and signals, but enforcement at scale is historically inconsistent—and bad actors optimize faster than policy teams. Regulatory fragmentation remains the elephant in the room. Google lists only the US as an approved location today. That’s an implicit admission that outside the CFTC perimeter, the classification of prediction markets (gaming vs derivatives vs something else) remains uneven and often unresolved. Actionable Insight For compliance teams: treat “prediction market” ads as high-risk financial promotions (not cute infotainment). Demand hard proofs of authorization, tighten ad/landing-page disclosures, and monitor for “binary-style” language (fixed payout, guaranteed wins, “easy money”) that Google explicitly bans. Call for Information Have you seen offshore casinos or unlicensed brokers pushing “prediction markets” (especially via Google/YouTube placements, affiliates, or SEO doorway pages)? Send evidence (domains, ad screenshots, payment rails) via Whistle42—this is exactly how regulatory blind spots become mass-harm events. Share Information via Whistle42

US crypto exchange Kraken and Deutsche Börse Group have announced a wide-ranging strategic partnership that links crypto-market plumbing with Europe’s most regulated market infrastructure. The deal spans FX liquidity, crypto access for institutional clients, custody rails, tokenization—and (crucially) a potential path to Eurex derivatives on Kraken, subject to approvals. Key Facts Phase 1: Kraken integrates with 360T to tap “bank-grade” FX liquidity and improve fiat on/off-ramps. Distribution: “Kraken Embed” is positioned as a white-label crypto trading/custody stack for banks/fintechs across Europe and the U.S. Derivatives (planned): Make Eurex-listed derivatives tradable on Kraken—explicitly subject to regulatory approvals. Custody & tokenization: Leverage Clearstream and Crypto Finance and explore tokenized distribution of Clearstream-held securities; integrate tokenization standards (xStocks/360X). Context: Clearstream has been building institutional crypto custody/settlement capabilities (BTC/ETH) via Crypto Finance. Why this matters for Kraken (strategy) Kraken gains a credible “TradFi interface”: deeper FX pools, institutional distribution via Deutsche Börse’s network, and a blueprint to move from “crypto venue” toward multi-asset market access (crypto + tokenized assets + possibly regulated derivatives). If executed, it strengthens Kraken’s pitch to banks and asset managers that need familiar execution, custody, and risk workflows. Compliance lens: the upgrade Kraken can’t dodge This partnership also tightens the compliance vise. Offering Eurex derivatives would drag Kraken into MiFID II-style product governance, market integrity controls, suitability/appropriateness expectations (where applicable), surveillance, and strong conduct standards—with little tolerance for the “crypto-only” compliance playbook. Tokenized securities distribution adds another layer: disclosure, investor classification, custody segregation, and clear lines between exchange, broker, and custodian roles. Actionable Insight If Kraken wants the institutional upside, it must treat this as a control transformation project: governance, surveillance, AML/sanctions, and custody arrangements need to match the expectations of Deutsche Börse-grade counterparties—not just retail crypto norms. Call for Information Have you seen Kraken (or partners) pitching Eurex access, 360T-based rails, or white-label “Embed” offerings to EU clients already? Send tips (docs/screenshots welcome) via Whistle42. Share Information via Whistle42

FinTelegram is evolving. Instead of treating illegal offshore casinos as isolated stories, we now investigate them as repeatable payment architectures—the rails that keep them alive. Our new Rail Atlas consolidates evidence-based “rail patterns” (open banking gateways, fake-fiat onramps, payee substitution, gateway meshes) into evergreen hubs—so enforcement, banks, and readers can see the system, not just the symptom. Key Facts FinTelegram ’26 focuses on cyberfinance chokepoints: payments, open banking, stablecoin rails, and gateway stacks enabling illegal casinos. We convert recurring tactics into Rail Hubs (evergreen pages) under the Rail Atlas. We operate an Airtable Case Register to track cases, entities, evidence, and rail mappings consistently. Whistleblower information via Whistle42 is recorded and triaged into Airtable as strategic intelligence. FinCrime Observer will increasingly handle financial-crime coverage, separate from FinTelegram but connected via Whistle42. Whistle42 is being developed into a cross-platform whistleblower hub; a C42 reward token is planned for Q1 2026. Short Analysis Illegal offshore casinos and other grey- and dark-side schemes no longer rely on a single payment provider. They run multi-layer payment stacks: open banking consent screens that look “regulated,” “bank transfer” options that are actually stablecoin purchases, and e-wallet flows where the payee is not the casino operator at all. This is not random. It is engineering. FinTelegram’s response is to document and publish these systems as rails—repeatable patterns that can be verified, compared, and mapped across brands. The Rail Atlas is our way of turning scattered exposures into structured compliance intelligence. Extended Analysis Why We Built the Rail Atlas Traditional reporting often stops at: “This casino is illegal.” That may be true—but it’s incomplete. The operational truth is: illegal casinos survive because their payment rails survive. When one gateway is blocked, another appears. When card acquiring gets difficult, open banking consent flows fill the gap. When disputes rise, “crypto purchase + wallet transfer” flows reduce chargeback risk by reframing the transaction. Visit the Rail Atlas Hub The Rail Atlas captures these mechanics as evergreen hubs—so readers don’t have to relearn the same tricks in every case. Each hub explains: How the rail works (step-by-step) What evidence proves it (screenshots, redirects, descriptors, on-chain settlement) What chokepoint actions exist (banks, PSPs, gateways, onramps, enforcement) Where it appears (a living Case Index) How we investigate: “Follow the Conversions” Our method is simple and repeatable: Identify the casino or scheme and its licensing/claims Walk the cashier flows and capture UI evidence Map redirects, domains, and provider roles (gateway, facilitator, agent) Capture descriptors and settlement endpoints (including wallets and tokens) Classify the observed behavior under one or more rails Publish a case report—and link it back to the Rail Atlas hubs This is compliance intelligence built for action: it helps banks, fintechs, and regulators see the enabling infrastructure. Airtable: the case register behind the reporting To make this systematic, we use Airtable as our internal case register. It is where we track: Cases, entities, domains, and role assignments Evidence artifacts (screenshots, links, descriptors, wallet addresses, TX hashes) Rail classifications (which pattern applies, with confidence grading) Investigation status and next steps (what we still need to verify) Airtable is not “admin.” It’s the engine that turns new findings into a repeatable investigative pipeline—and it allows us to expand quickly from a single casino to an entire cluster when the rails match. Whistle42: strategic intelligence, systematically captured Whistleblower submissions are increasingly decisive because the most valuable facts are often hidden behind contracts, account structures, and internal policies. Whistle42 has therefore been revised to serve as a cross-platform whistleblower system. Information submitted via Whistle42 is not just “read.” It is structured and recorded in Airtable: linked to cases and entities, assigned confidence grades, and converted into investigative tasks. This is why whistleblowers are strategically important to our work: they reduce uncertainty where the public surface ends. FinCrime Observer: Where Financial Crime Coverage Expands FinTelegram will stay focused on cyberfinance compliance intelligence—the chokepoints and rails. In parallel, FinCrime Observer will increasingly handle financial crime reporting. It is a separate platform with different operators, but it also uses Whistle42 and is part of the same broader ecosystem. The separation is deliberate: compliance intelligence and criminal case coverage require different editorial structures, standards, and workflows. C42 token: rewarding high-quality whistleblower intelligence (Q1 2026) Finally, we plan to introduce the C42 token as a reward token for whistleblowers in Q1 2026. The purpose is not hype. The purpose is incentives: high-quality, actionable intelligence should be recognized and rewarded—especially when it helps expose systemic payment enabling of illegal activity. Actionable Insight If you work at a PSP, open banking gateway, e-wallet, crypto onramp, or acquiring bank: stop looking only at single merchants. Look for rail patterns. The same deposit architecture repeats across multiple brands—and that repetition is the investigative signal. Call for Information If you have insider knowledge about offshore casino payment stacks—merchant-of-record setups, gateway contracts, descriptor logic, “crypto purchase” flows, stablecoin settlement, wallet operations, or compliance overrides—submit securely via Whistle42.com. Your information is recorded systematically in our case register and can materially accelerate enforcement-grade reporting. Share Information via Whistle42

Since 1 January 2026, crypto platforms serving EU residents must start collecting tax identity data under DAC8—and can be required to block “reportable transactions” after two reminders and 60 days if users don’t provide the required information. The UK is running a parallel track via CARF reporting to HMRC, with first reports due in 2027. This is not a “new crypto tax,” but a major enforcement upgrade. Key Points EU DAC8 starts data collection in 2026; first EU-wide exchange of the 2026 reporting data is due by 30 Sept 2027. If a user fails to provide required info after two reminders (and not before 60 days), the provider must prevent the user from performing “Reportable Transactions.” Reporting scope includes crypto-fiat, crypto-crypto, and transfers, including certain withdrawals to “unhosted” (self-custody) addresses. UK CARF requires platforms to collect user + transaction data and report to HMRC; first submission window: 1 Jan–31 May 2027 for calendar year 2026. This is part of a global convergence: OECD tracks many jurisdictions committed to CARF exchanges in 2027–2029. Short Narrative A viral claim framed January 2026 as “the end of crypto privacy in Europe.” The reality is more precise — and for compliance teams, more operationally painful: the regulated on/off-ramps have become standardized tax sensors. Under DAC8, platforms must collect tax-residency identifiers (including TINs) and report aggregated transaction data annually, including categories that can cover withdrawals to self-custody. For users who refuse to provide required details, platforms face a hard rule: after reminders and a 60-day clock, access to “reportable transactions” must be switched off. Extended Analysis 1) What exactly changed on 1 January 2026 in the EU? DAC8 (Directive (EU) 2023/2226) expands the EU’s “administrative cooperation” rules so that Member States can automatically exchange crypto-asset information for tax compliance. The European Commission’s DAC8 guidance is explicit: data collection starts 1 January 2026, the first reporting year is 2026, and reporting is due within 9 months after year-end — i.e., by 30 September 2027 for the first cycle. Compliance translation: 2026 is not “instant enforcement day”; it is the mandatory capture year that determines what tax authorities can match at scale once exchanges begin in 2027. 2) Which providers are covered? DAC8 targets Reporting Crypto-Asset Service Providers (RCASPs) — broadly, entities (and in some cases individuals) that effectuate exchange/transfer transactions in reportable crypto-assets for users. The Commission notes DAC8 builds on MiCA definitions and covers a broad set of crypto-assets, including stablecoins (incl. e-money tokens) and certain NFTs. Practical perimeter: centralized exchanges, broker-style trading platforms, and custodial/intermediated transfer services are the primary “in-scope” population. Pure self-hosted wallet software (with no custody and no transaction-effectuating intermediary) is typically not the reporting chokepoint — but the moment users touch a reporting provider, the trail restarts. 3) What must providers collect — and do they report automatically? Yes. Under DAC8, RCASPs must collect identification data for reportable users (including TINs and residence information) and report annually to their national tax authority, which then exchanges the information with the user’s tax-residence Member State. The Directive also specifies what gets reported and how it’s structured: aggregated gross amounts for acquisitions/disposals against fiat and other crypto-assets, plus fair-market-value metrics for transfers and certain payment transactions. Crucially, it also includes reporting for transfers to distributed ledger addresses “not known to be associated with a [service provider] or financial institution” — i.e., the regulatory “hook” for many self-custody withdrawals. 4) The 60-day countdown: what platforms must do The “countdown” isn’t a new power to seize wallets — it’s an access-control obligation. The Directive states that if a user does not provide required information after two reminders, but not before 60 days, the provider must prevent the user from performing “Reportable Transactions.” Depending on platform design, that can effectively mean no trading and no withdrawals that fall inside reportable scope until compliance data is provided. 5) EU only — or also UK and other countries? EU: DAC8 applies across EU Member States from 2026 (implemented in national law via transposition), with EU-to-EU exchange of data. UK: The UK is implementing the OECD Cryptoasset Reporting Framework (CARF) with HMRC guidance requiring platforms to collect user/transaction data and file their first report 1 Jan–31 May 2027 covering 2026. Required user data includes (for individuals) name, DOB, address, residence, and for UK residents NI number or UTR; for non-UK residents, TIN + issuing country. Global: OECD and the EU both point to a wide group of jurisdictions committed to CARF exchanges in 2027–2029 (OECD’s commitment list is updated regularly). Bottom line: If your platform serves customers cross-border, assume tax reporting convergence is becoming the norm — not a regional anomaly. 6) What does this mean for offline wallets like Ledger? Self-custody is not banned by DAC8. But the compliance impact is real: If you withdraw from an exchange to a Ledger address, DAC8 reporting can capture that as a reportable transfer (with value and other standardized fields), because the destination address is not “hosted” by the same provider. Transactions entirely within self-custody are not automatically reported by the wallet, but they become visible again when you re-enter a reporting provider (deposit, convert to fiat, use a custodial service, etc.). For users, the compliance message is simple: self-custody reduces counterparty risk, not tax obligations. The reporting perimeter is the on/off-ramp. Actionable Insight For exchanges / crypto platforms (2026 compliance checklist) TIN & tax-residency capture: update onboarding flows, remediation journeys, and “two reminders → 60 days → restrict reportable transactions” logic. Transaction classification & valuation: map events to DAC8/CARF categories; implement consistent fair market value methodology at transaction time. Self-custody transfer reporting: ensure your system can tag and aggregate withdrawals to “unhosted” addresses per the Directive’s reporting fields. Cross-border strategy: if you serve EU residents, plan for DAC8 registration/reporting and for “qualified non-union jurisdiction” equivalents where relevant. Privacy/GDPR + audit trail: reporting is mandatory, but the data lifecycle must be defensible (minimization, access control, retention, breach playbooks). For customers Expect platforms to request TIN / tax identifiers and residency details — and treat non-response as a service continuity risk (trading/withdrawal restrictions). Keep your own records; reporting increases mismatch detection. In the UK, platforms will report summaries to HMRC and penalties exist for inaccurate or late reporting by providers, raising the compliance bar across the ecosystem. Call for Information Are platforms using DAC8/CARF as a pretext for over-collection, selective freezes, or discriminatory de-risking? If you are a compliance insider, affected customer, or vendor with evidence of implementation gaps or abusive practices, send information securely via Whistle42.com (anonymity options available). Share Information via Whistle42

The U.S. has revived its 2020 “narco-terrorism” case against Venezuelan leader Nicolás Maduro—now in U.S. custody after a military operation in Caracas that Washington frames as law enforcement. But FinTelegram’s prior reporting suggests the courtroom story may be only half the plot: heavy crude, USDT settlement rails, and China’s oil foothold sit uncomfortably close to the timing, tactics, and messaging of this escalation. Key Points The charges: U.S. prosecutors accuse Maduro (and others) of narco-terrorism and cocaine importation conspiracy (among further counts in filings) (Source: US DOJ) The operation: U.S. forces captured Maduro and Cilia Flores in Caracas on Jan 3; the administration publicly framed it as an anti-drug/anti-“narco-terror” campaign (Source: TIME). Oil reality check: U.S. Gulf Coast refineries were built for heavy grades like Venezuela’s; much U.S. shale output is lighter, which keeps imports structurally relevant (Source: U.S. Energy Information Administration). The stablecoin angle: PDVSA’s increased reliance on USDT for oil-related settlement was widely reported in 2024, raising sanctions-and-AML scrutiny questions (Source: Reuters). The China angle: Reuters has documented China as a major buyer/investor in Venezuela’s oil sector, and the post-Maduro reshuffle is explicitly being framed as a blow to Beijing’s position. Reuters+1 Short Narrative This case didn’t start this week. It started in March 2020, when the DOJ unsealed charges portraying Maduro and allied officials as leaders of a transnational narcotics enterprise and paired the legal attack with a State Department rewards push (Source: US DOJ) Fast-forward: sanctions, offshore trading workarounds, and a familiar dynamic—resource pressure meets financial-rail innovation. PDVSA’s move toward stablecoin settlement (USDT) for oil exports was reported in 2024 as a sanctions-era attempt to reduce funds getting stuck or frozen in traditional banking channels. Then came the kinetic crescendo: a U.S. operation in early January that ended with Maduro and Flores in U.S. hands—an act many observers immediately framed as a sovereignty-shredding “law enforcement” hybrid. FinCrime Observer has focused on the criminal case mechanics; FinTelegram is looking at the political economy behind the trigger. Extended Analysis 1) Heavy crude: the unglamorous driver Washington won’t headline The U.S. produces a lot of oil—but not all barrels are operationally equal. The EIA has long noted that the U.S. produces lighter crude while importing heavier crude that many refineries are configured to process. Reuters explicitly ties the post-Maduro shock to refinery economics: Gulf Coast plants were built for heavy-grade crude like Venezuela exports, and even with shale, many still “require heavy grades to optimise operations.” So when commentators say “the U.S. needs Venezuelan oil because its own oil isn’t the right quality,” that’s not conspiracy—it’s refinery physics. The question is whether this physics helped shape the policy timeline. 2) “De-dollarization” via USDT: escaping banks, not the unit of account Venezuela’s USDT pivot is often described as “moving away from the dollar.” The irony: USDT is a dollar proxy—but it can move outside the classic U.S.-influenced correspondent banking grid. Reuters reported PDVSA would increase digital-currency usage for oil exports amid sanctions churn, and experts warned that such rails require sharper AML scrutiny. FinTelegram previously framed this as “petro-dollar from within”: not replacing USD pricing, but relocating the plumbing into crypto settlement paths that are harder to freeze, slower to attribute, and easier to launder through intermediaries (Source: FinTelegram). If that analysis is directionally correct, then Maduro’s legal exposure and PDVSA’s stablecoin rails are not separate stories—they are the same chokepoint story, just told with different labels. 3) China: the other defendant sitting in the gallery Reuters describes China as a major buyer and investor in Venezuela’s oil sector and presents the recent U.S. posture as explicitly aimed at pushing Beijing out of its foothold. This matters because Washington’s messaging around the operation has not been only about drugs; it has repeatedly drifted into oil control and “running” transitions. So here’s the provocative question regulators and investors should ask: Was the “narco-terrorism” indictment the legal lever—and oil/USDT/China the strategic payload? The U.S. can insist both are true. Courts may be asked to decide whether that insistence survives due-process scrutiny. Call for Information Have documentation on PDVSA’s USDT settlement flows, intermediary trading desks, shipping/STS activity, escrow structures, or legal filings tied to the Maduro/Flores case? Submit securely via Whistle42.com. We verify sources before publication. Share Information via Whistle42

A Singapore court has sentenced British citizen James Henry O’Sullivan to 6½ years in prison for abetting the falsification of Wirecard-linked escrow/balance confirmation letters—paperwork used to convince auditors that hundreds of millions of euros sat safely in escrow accounts. The FinCrime Observer (FCO) brief covered the verdict and defendants. FinTelegram’s angle is different: Singapore is doing what Germany’s watchdogs and parts of its justice system refused to do for years—treat Wirecard’s “Asia cash” narrative as a criminal red-flag, not a PR nuisance. Key Points Singapore sentencing (Jan 6, 2026): O’Sullivan 6½ years; Citadelle director Rajaratnam Shanmugaratnam 10 years (appeals announced) (Source: Reuters, Financial Times). Core conduct: falsified confirmations (2016–2018) meant to mislead auditors into believing Wirecard held large sums in Singapore escrow accounts. Why this matters for Munich: German prosecutors allege Wirecard’s profits were inflated by invented “third-party acquiring” (TPA) business “especially in Asia,” with group accounts 2015–2018 misstated and the fraud culminating in the €1.9bn hole revealed in June 2020 (Sources: Justiz Bayern). Regulatory failure (Germany): BaFin and prosecutors spent key periods targeting journalists and short sellers; BaFin even imposed a Wirecard short-selling ban in Feb 2019. Accountability moment: BaFin president Felix Hufeld ultimately left his post after the Wirecard collapse exposed supervisory failure (Source: Reuters). Short Narrative Singapore’s verdict reads like a compressed anatomy lesson: fake paper → fake cash → audit comfort → market deception. O’Sullivan and Shanmugaratnam were convicted over letters that “confirmed” escrow balances Wirecard did not have (Source: Reuters). In Germany, the same “cash-in-Asia” storyline metastasized into one of the biggest post-war corporate frauds. And here is the uncomfortable part: the scandal is not only about Wirecard’s executives—it is also about Germany’s regulators and parts of its justice apparatus choosing the wrong enemy (Source: Reuters). Extended Analysis 1) What exactly was proven in Singapore According to Reuters and Financial Times reporting, the Singapore case focused on falsified escrow/balance confirmations used to mislead Wirecard’s auditors (commonly referenced as EY in coverage) about the existence of large Wirecard-linked funds in Singapore. This is important: Singapore did not “try the whole Wirecard collapse.” It convicted a high-leverage document-fraud mechanism that made a broader fraud believable. 2) Munich: what German prosecutors say (and what the indictment covers) The Staatsanwaltschaft München I has publicly stated (in its 2022 announcement of the first main indictment) that Wirecard executives and associates allegedly fabricated highly profitable business—“especially in Asia”—and that consolidated accounts 2015–2018 were false because they booked revenue attributed to TPA business. That framing matters for the Singapore connection: escrow confirmations functioned as “cash proof” for the very Asia-centric partner narrative prosecutors describe. FinTelegram’s critique remains: even this large indictment window risks being too narrow for a structure that—by multiple public accounts and earlier red flags—shows warning signs before 2015/2016. The public record of “why didn’t anyone stop this earlier?” remains a governance scandal in its own right. 3) How Singapore and Munich are connected They are connected by the same underlying claim: Wirecard’s “third-party business in Asia” (and the associated cash story) was propped up with manufactured evidence. Munich prosecutors allege the group’s financial picture was distorted by fabricated TPA business and misstated accounts. Singapore courts have now delivered convictions on a key supporting artifact: forged/falsified confirmations designed to persuade auditors the money was there. So yes: the Singapore conviction is directly related to the “non-existent third-party business in Asia” and the “missing millions/billions” thesis as advanced by German prosecutors—because it targets the documentary scaffolding that made those numbers auditable and sellable. 4) BaFin + German judiciary: the shameful inversion Wirecard is now widely described as Germany’s biggest post-war corporate fraud. Yet in 2019—after Financial Times reporting and short-seller scrutiny—BaFin’s reflex was to shield “market confidence,” not interrogate the issuer: BaFin banned short-selling of Wirecard shares in February 2019 (Source: Reuters). German prosecutors later dropped the probe into FT journalists; Reuters reported the Munich prosecutor said the FT’s reporting was “fundamentally correct,” and the FT statement called BaFin’s complaint “unfounded” (Source: Reuters). Reuters also documented the broader pattern: for years, BaFin and prosecutors focused on investors and journalists who highlighted irregularities (Source: Reuters). This is why Hufeld’s departure wasn’t “just personnel.” It was a delayed admission that Germany’s supervisory model—and the prosecutorial instincts around Wirecard—failed at a systemic level. Call for Information Do you have documentation on Citadelle confirmations, escrow account claims, TPA counterparties, or German supervisory/prosecutorial decision-making pre-2016 (including interactions with BaFin, FREP, prosecutors, or political offices)? Send tips securely via Whistle42.com. Share Information via Whistle42

Hyperliquid‘s utility token HYPE is no longer trading anywhere near the “>$40 in June 2025” regime that many holders still anchor to. Using widely-cited price points, HYPE traded around $41.50 on June 10, 2025 (after breaking $40) and is now around $24.5–$24.6 on January 2, 2026. That’s roughly a -40.6% drawdown from the June 2025 “$40+” zone—and a much larger ~58.8% drawdown from the Sep 18, 2025 ATH (~$59.30) (Source: CoinGecko). The uncomfortable takeaway: even with Hyperliquid’s “poster-child” status for this cycle’s perps-DEX narrative and a high-profile stablecoin partner (Circle), HYPE still trades like a high-beta exchange token—reflexive to (1) market regime, (2) platform flows/volumes, and (3) supply shocks (Sources: FinTelegram, Circle). Price Snapshot: June 2025 vs. Jan 2, 2026 Reference point (June 10, 2025): HYPE hits ~$41.50 after breaking $40. On Jan 2, 2026: HYPE day stats show open ~$24.28 / close ~$24.64 (with live aggregates ~$24.5) (Source: CoinMarketCap). Performance (approx.): $41.50 → $24.64 = -$16.86 (~-40.6%) (Source: CCN.com). ATH ~$59.30 (Sep 18, 2025) → $24.6 ≈ -58.8% (Source: CoinGecko). Also worth correcting the framing: HYPE’s lifecycle clearly predates June 2025 (CoinGecko shows an ATL in Nov 2024), so June was not a “genesis listing” moment—it was a cycle acceleration moment. Why is HYPE so far below the June 2025 “$40+” zone? 1) Macro regime risk: the market started pricing a risk-off / bear transition A growing set of analysts has argued that Bitcoin demand dynamics are weakening and the market may already be shifting into a bear-cycle posture—exactly the environment where leverage-heavy venues and their tokens tend to de-rate fastest (Source: Binance). If BTC is the tide, HYPE is the small boat: it doesn’t need “bad news” to fall—it only needs the tape to turn. 2) Hyperliquid-specific stress: $430M weekly net outflows hit the narrative FinTelegram’s report (Dec 21, 2025) frames the >$430M weekly net outflow as a visible stress test for Hyperliquid’s “perps-DEX poster child” status, especially with intensifying competition and a risk-off macro backdrop (Source: FinTelegram).Outflows matter because they’re not just sentiment—they can translate into lower collateral, lower activity, and weaker fee generation, which is fatal for any token story that implicitly depends on “venue flywheel” economics. 3) Competition is no longer theoretical: perps-DEX market share is being contested Hyperliquid has been described as the dominant perps-DEX by volume (e.g., one market update cited ~79% share among decentralized perps at one point in 2025), but late-2025 reporting increasingly highlights rivals closing the gap (or temporarily overtaking in certain windows). Translation: traders are less ideological than narratives suggest. If incentives, UX, or perceived safety improve elsewhere, flow migrates. 4) Tokenomics overhang: large unlocks create supply shocks at the worst possible time Late 2025 saw a very large unlock event highlighted in market coverage: 9.92M HYPE (reported around $251M value) unlocking into circulation—exactly the kind of supply event that can pressure price in thin/risk-off conditions. Even if some recipients stake or hold, markets tend to price the sellable float, not the best-case behavior. 5) “Strong partners” don’t immunize the token—sometimes they raise the bar Yes: Circle has deepened integration with Hyperliquid (native USDC/CCTP on HyperEVM, “network utility” messaging) and public reporting indicates Circle also became a HYPE stakeholder (Sources: Circle, Circle). But ask the harder question: does this reduce risk, or does it raise expectations (compliance, controls, governance maturity)? In a tightening regulatory climate, the market can assign a bigger risk discount to venues that are “too visible to ignore.” The constellation around HYPE: dominance + reflexivity + regulatory perimeter HYPE increasingly trades like a reflexive proxy for: Perps volumes / fee intensity (the “exchange token” dynamic), Net flows (collateral in/out), Competitive positioning (DEX-perps wars), Regulatory risk premium (especially where access is perceived as permissive). FinTelegram has already put the regulatory question on the table: perps access without meaningful geo/KYC friction pushes the venue toward a derivatives-perimeter problem (e.g., MiFID II exposure in the EU framing) (Source: Fintelegram). Investor Hypothesis: What’s the most likely path from here? Base-case (most likely): Hyperliquid survives, but HYPE remains a high-beta, regime-sensitive token that can stay suppressed as long as (a) the broader cycle is risk-off, (b) outflows/competition remain visible, and (c) unlock narratives keep resurfacing. Bear-case: If the bear-market thesis hardens and regulators begin to seriously target offshore/permissionless perps distribution, HYPE could face a longer “exchange-token winter” where each rally is sold into. Actionable Takeaways (non-advice) Treat HYPE less like “a tech token” and more like a leveraged bet on onchain perps activity. Watch three signals: net flows, competitive share, and unlock calendar—they often lead price. Assume the Circle integration is a strategic positive, but not a near-term price floor. Reference: FinTelegram prior coverage This update builds on FinTelegram’s December 21, 2025, report on the $430M weekly outflow and the broader “double whammy” (bear regime + regulation risk) framing. Read the Hyperliquid reports here. Call for Information Are you a market maker, integrator, or trader with insight into Hyperliquid’s real collateral movements, incentive spend, jurisdictional controls, or any enforcement outreach? Share documents and screenshots securely via Whistle42.com. We protect sources. Share Information via Whistle42

In a comprehensive compliance investigation, FinTelegram has documented that MiFinity—a regulated Electronic Money Institution operating under FCA and MFSA licenses—is systematically facilitating payments for unlicensed offshore casinos operating illegally in the UK and EU. The 2024 financial statements reveal a 307% explosion in net income (to £8.6 million), driven by aggressive expansion into high-risk gambling merchants. Simultaneously, the group has concealed £22.6 million in undisclosed inter-company flows to unregulated support entities. The underlying beneficial ownership remains opaque, and the death of founder Mike Busher in summer 2024 removes the primary witness to the group’s offshore structuring. EXECUTIVE SUMMARY FinTelegram Intelligence has completed a comprehensive compliance review of the MiFinity Group, a multi-jurisdictional payment processor operating with regulatory licenses in the United Kingdom (FCA) and Malta (MFSA). The investigation reveals: KEY FINDINGS 1. Documented Illegal Gambling Facilitation MiFinity is a primary payment processor for offshore casinos operating illegally in regulated markets: Legiano Casino: Licensed in Anjouan/Curacao, illegally accepting UK and EU players without local gambling licenses Winning.io: Curacao-licensed operator facilitating global payments including to restricted jurisdictions Documented presence across 650+ gambling websites, many operating without adequate local licensing Regulatory Violation: UK Gambling Commission and EU national gambling authorities require payment processors to refuse merchants operating without local licenses. MiFinity’s facilitation of Legiano and Winning.io violates these regulatory obligations. 2. Explosive 307% Growth Correlated with High-Risk Merchant Expansion Net Income (2024): £8.6 million (+307% YoY from £2.1M in 2023) Total Assets (2024): £77.0 million (+231% YoY from £23.2M in 2023) Gross Profit Margin (2024): 52.1% (compared to 2–5% standard for legitimate payment processors) Timing: Growth explosion immediately followed the October 2023 appointment of Jim Purcell (former CFO of EBET Inc., a gaming operator) as Chief Operating Officer Compliance Insight: The anomalously high gross margin (52.1%) indicates premium pricing for high-risk merchants—casinos unable to access banking rails through legitimate processors. This is consistent with a business model targeting “merchants of last resort.” 3. £22.6 Million in Undisclosed Inter-Company Flows The 2024 audited financial statements reveal massive inter-company transactions without transparent business rationale: Payment DirectionAmount (GBP)NatureMiFinity UK → Concentric Data Services (Ireland)£6.8 million“Service & Technology Fee” (79% of net income)MiFinity Malta → MiFinity UK£14.4 millionPayable Due (undisclosed purpose)MiFinity Payments (Ireland) → MiFinity UK£1.4 millionPayable Due (undisclosed purpose)TOTAL£22.6 million+Undisclosed interdependencies Compliance Red Flag: The £6.8M annual fee to Concentric Data Services—an unregulated entity with no public business description—suggests outsourcing of critical compliance functions (merchant onboarding, KYC, AML/CFT) to an entity outside regulatory oversight. Read the MiFinity Financial Analyses here. 4. Opaque Corporate Structure & Beneficial Ownership Ultimate Beneficial Owners: Not publicly disclosed. While Paul Kavanagh (CEO) and Kieron Nolan (CFO) are identified as controllers, precise equity percentages and additional UBOs remain unknown Founder Death: Mike Busher (American, b. 1951), founder and original majority shareholder (>75%), died in an aircraft accident in summer 2024. His death removes the key witness to the group’s 2017 control transfer and offshore structuring Offshore Links: Busher is listed in the ICIJ Offshore Leaks (Paradise Papers) database as a shareholder of Concentric Data Services Malta Ltd, confirming historical use of offshore secrecy jurisdictions Holding Company Opacity: MiFinity Payments Limited (Malta) serves as group parent but provides no public financial disclosures 5. Regulatory Arbitrage Through Multi-Jurisdictional Structure The group exploits differences in regulatory stringency: Merchant Onboarding in Malta (MFSA, historically permissive) → Execution through UK (FCA) Technology services outsourced to Ireland (Concentric, unregulated) → Limited FCA/MFSA visibility Holding company in Malta → Opaque beneficial ownership and transfer pricing Result: The structure creates systematic gaps in regulatory oversight, allowing high-risk merchants to be onboarded in jurisdictions with weaker enforcement while accessing UK banking infrastructure. FULL COMPLIANCE REPORT SUMMARY The MiFinity Group Compliance Report 2026 provides a comprehensive 26-page analysis covering: Part 1: Corporate Structure Detailed mapping of the group’s seven entities across four jurisdictions, identification of the holding company structure in Malta, and analysis of the inter-company financial relationships totaling £22.6 million. Part 2: Beneficial Ownership & Key Individuals Profiles of current controllers (Kavanagh, Nolan), historical founder (Busher, deceased), and management team including Jim Purcell (COO, gaming sector background) and Franklin Cachia (Chief Compliance Officer, Malta, with dual role at consulting firm CSB Group). Part 3: Business Activities & Merchant Exposure Documentation of MiFinity’s explicit focus on online gambling, detailed case studies of Legiano and Winning.io (illegal offshore casinos), evidence of presence across 650+ gambling websites, and analysis of the compliance gaps that allow illegal operators to be onboarded. Part 4: Regulatory Environment & Gaps Analysis of FCA oversight (MiFinity UK, Reg. 900090) and MFSA oversight (Mifinity Malta, Reg. C64824), identification of group-level compliance gaps (no consolidated AML/CFT policy, undisclosed merchant screening procedures, opaque transaction monitoring), and evidence of regulatory arbitrage opportunities. Part 5: Compliance Hypothesis Hypothesis: The 307% 2024 growth is directly correlated with aggressive acquisition of offshore gambling merchants (specifically Legiano, Winning.io, Dama Group) that cannot access banking services through legitimate processors. The 52.1% gross margin reflects premium pricing charged to these high-risk merchants. Evidence: COO appointment (Oct 2023) from gaming sector immediately preceded growth explosion Documented facilitation of illegal operators (Legiano, Winning.io) Lack of compliance scaling proportional to 231% asset increase £6.8M annual payments to unregulated support entity (Concentric) Part 6: Corporate Opacity & Red Flags Multiple entities with unclear operational roles receiving millions in payments Paradise Papers link confirming historical offshore structuring Deceased founder removing key witness to beneficial ownership Ireland-Malta-UK jurisdictional structure enabling regulatory arbitrage Minimal compliance infrastructure relative to transaction volume Part 7: Summary Findings & Enforcement Recommendations The report identifies critical compliance concerns requiring investigation by: UK Gambling Commission: Illegal gambling facilitation FCA: Merchant due diligence adequacy and AML/CFT controls MFSA: Group-level compliance coordination UK National Crime Agency: Money laundering risks EU Financial Intelligence Units: Cross-border transaction patterns COMPLIANCE RISK ASSESSMENT Risk Level: CRITICAL Risk CategoryAssessmentEvidenceMerchant Due DiligenceCRITICALDocumented facilitation of Legiano, Winning.io (illegal in EU/UK)AML/CFT AdequacyCRITICALNo public disclosure of transaction monitoring, SAR filing, sanctions screening standards; Concentric outsourcing to unregulated entityBeneficial Ownership OpacityCRITICALUltimate UBOs not disclosed; holding company in permissive jurisdiction; founder death removes witnessTransfer Pricing & Fund FlowsHIGH£6.8M annual payments to unregulated entity lack business rationale; £14.4M inter-company payables undisclosedConsumer ProtectionHIGHFacilitation of unlicensed gambling violates UK Gambling Commission regulations and harms consumersRegulatory CoordinationHIGHNo evidence of group-level AML/CFT; multi-jurisdictional structure creates oversight gapsFinancial Crime RiskMEDIUM-HIGHStructure and transaction patterns consistent with money laundering schemes; opacity enables hidden beneficial ownership Regulatory Enforcement Urgency: IMMEDIATE The documented facilitation of illegal gambling operators (Legiano, Winning.io) constitutes a clear regulatory violation that should trigger: Immediate investigation by UK Gambling Commission and FCA Merchant compliance audit examining Legiano, Winning.io, and similar onboarding Beneficial ownership disclosure request to Malta parent company Concentric Data Services investigation regarding unregulated compliance functions Transaction pattern analysis for money laundering indicators DOWNLOAD THE FULL COMPLIANCE REPORT [DOWNLOAD: MiFinity Group Compliance Report 2026 (PDF)]26-page comprehensive analysis with detailed evidence, regulatory framework citations, and enforcement recommendations Download the full MiFinity Compliance Report 2026 here. CALL TO WHISTLEBLOWERS: SUBMIT EVIDENCE VIA WHISTLE42 FinTelegram is actively seeking information from MiFinity insiders, former employees, merchants, and partners regarding: [ACCESS WHISTLE42 SECURE PLATFORM] FinTelegram will respect whistleblower confidentiality to the maximum extent possible while ensuring information reaches appropriate regulatory and law enforcement authorities for investigation and potential enforcement action. Share Information via Whistle42 ABOUT THIS REPORT FinTelegram Intelligence is a leading investigative organization specializing in financial crime, cryptocurrency compliance, and high-risk payment processor analysis. This compliance report represents 6 months of independent research, source verification, and regulatory analysis. Report Prepared By: FinTelegram Intelligence DivisionDate: January 2, 2026Distribution: FinTelegram, Regulatory Authorities, Law Enforcement, Media Partners