As FinTelegram expands its Rail Atlas investigation into offshore casino payment flows, a new element has emerged: alleged threats by Impaya against a player who raised compliance concerns. Screenshots and video evidence reviewed by FinTelegram show aggressive language, legal threats, and mockery — including emojis — instead of a structured response. The incident raises serious questions about complaint handling, compliance culture, and the broader payment ecosystem behind illegal iGaming operations. Key Findings Documented communication: FinTelegram reviewed screenshots and video evidence showing messages attributed to Impaya representatives Threat escalation: The player was accused of “blackmail,” “extortion,” and “stalking,” and threatened with criminal complaints and lawsuits Mocking tone: Messages reportedly included sarcasm and emoji usage, suggesting a non-professional handling of a compliance complaint Complaint context: The player raised concerns about payment flows involving casino operators and provided transaction-related evidence No substantive response: Instead of addressing the underlying issues, the response focused on intimidation Link to broader investigation: Impaya appears in multiple payment-flow analyses involving casino deposits via Paysolo, Pellopay, Yapily Connect, and Open Banking rails Read our Impaya reports here. What Happened: From Complaint To Threat The sequence is straightforward: A player identified payment flows connected to offshore casino activity The player contacted Impaya with questions and supporting evidence The player attempted multiple follow-ups, including phone contact Instead of a structured response, the player received a message stating: “This is called stalking, blackmail, and extortion! … We can file a police report … prepare for an expensive lawsuit … You’re awesome!” FinTelegram has reviewed screenshots and a screen recording documenting this exchange. Tone Matters: Compliance Culture Under Scrutiny Even without assessing the underlying payment activity, the tone of the response alone is problematic. In regulated financial services, standard practice would require: acknowledgment of the complaint internal review of the issue escalation to compliance or AML teams neutral, professional communication Instead, the response described by the player: escalates immediately to legal threats uses emotionally charged language includes sarcasm and emoji use This raises a key question: Does the response reflect a lack of formal compliance handling processes? The Rail Atlas Context: Why This Matters This is not an isolated customer-service dispute. Impaya appears in a broader multi-layer payment flow identified by FinTelegram: Casino front-end→ Pagagate / Urbenics (anonymous gateway layer)→ Impaya / Aceiro (routing layer)→ Paysolo / Pellopay (aggregation layer)→ Yapily Connect (Open Banking)→ Revolut OBA Within this structure: Impaya appears as an intermediate routing layer The player’s complaint directly concerns this infrastructure The response suggests avoidance rather than investigation Complaint Handling As A Compliance Signal For regulators and compliance teams, complaint handling is not secondary — it is a core risk indicator. Poor handling can signal: lack of AML awareness inadequate merchant due diligence absence of escalation procedures attempts to discourage scrutiny In this case, the player: provided transaction-related evidence raised legal concerns (illegal gambling in target markets) attempted to resolve the issue directly The response did not engage with any of these points. Consumer Pressure And Open Banking Risks The player was reportedly told to “do a chargeback.” However: Open Banking payments typically do not allow chargebacks This limits consumer recourse It increases reliance on provider-side compliance controls This creates a structural issue: If complaint handling fails, the consumer may have no effective remedy. Evidence & Confidence Table ElementObserved RoleEvidence TypeConfidenceKey QuestionImpayaPayment-routing / processing layerScreenshots + video evidenceCorroboratedWhat is Impaya’s exact role in the payment chain?AceiroAssociated routing domainPayment-flow observationsIndicatedIs Aceiro operated by or linked to Impaya?PaysoloAggregation / Open Banking bridgePrior Rail Atlas findingsCorroboratedWho controls merchant onboarding?Yapily ConnectOpen Banking connectorScreenshotsConfirmedWhat upstream merchant data is visible?Revolutoba.revolut.comBank authorisation endpointScreenshotsConfirmedHow is transaction purpose classified?Player complaintTriggering eventDirect communicationConfirmedWhy was it not handled via compliance process? Open Questions To Impaya Does Impaya confirm sending the messages attributed to it in the reviewed screenshots? Why was the complaint escalated to legal threats instead of compliance review? What is Impaya’s role in payment flows involving Paysolo, Pellopay, and Yapily Connect? Does Impaya process or route transactions for online casino operators? What due diligence is performed for merchants in the iGaming sector? Does Impaya have a formal complaints-handling and AML escalation procedure? Why was the player advised to use a chargeback mechanism in an Open Banking context? Conclusion The Impaya case introduces a new dimension to the Rail Atlas investigation. It is no longer only about how payments flow — it is also about how companies react when those flows are questioned. The evidence reviewed by FinTelegram suggests that: a consumer raised structured concerns provided supporting information attempted resolution and was met with threats instead of answers This raises fundamental questions about compliance culture, accountability, and the handling of high-risk payment flows in the online gambling ecosystem. Further investigation into Impaya’s role within the broader payment stack is ongoing. Whistle42 Call FinTelegram invites insiders from: Impaya Paysolo / Pellopay Yapily Connect Open Banking providers casino payment agents to submit confidential information regarding: merchant onboarding transaction routing complaint handling procedures internal compliance communications via Whistle42. Share Information via Whistle42

FinTelegram has reviewed a whistleblower report indicating that Germany’s financial watchdog BaFin has registered a case concerning Yapily Connect UAB, the Lithuanian licensed arm of the UK open-banking group Yapily. The allegations are explosive: regulated Pay by Bank infrastructure was allegedly used to process deposits for offshore casino brands targeting German players without a local licence. If this case is real—and the materials reviewed by FinTelegram strongly suggest it is—then BaFin is finally being forced to confront the ugly truth regulators have preferred to ignore: illegal casino schemes are no longer relying only on shady card acquirers and crypto workarounds. They are increasingly running through layered open-banking stacks, often hidden behind anonymous gateways, technical service providers, and mainstream banking interfaces. Key Findings Whistleblower case at BaFin: According to materials reviewed by FinTelegram, BaFin has registered a whistleblower submission concerning Yapily Connect UAB and the alleged processing of deposits for offshore gambling platforms targeting Germany. Seven casino brands named: The report lists betiro.com, joocasino.com, fonbet.com, allspins1.co, bullcasino.com, jackpika.com, and theslotz1.co as examples of brands allegedly using Yapily-linked payment flows while not appearing on Germany’s legal gambling whitelist, according to the whistleblower dossier. Core compliance angle: The allegations focus on two obvious pressure points: merchant screening / ongoing monitoring and AML / risk-management failures for a regulated payment initiation service provider. Official Yapily messaging cuts the other way: Yapily still markets open banking for iGaming, says Yapily Connect lets firms start using open banking without acquiring their own AISP or PISP licences, and publicly claims “zero tolerance” for compliance and financial-crime risk. Yapily Connect UAB remains actively licensed: The Bank of Lithuania register still lists Yapily Connect UAB under authorisation LB002045 as a payment institution providing payment initiation and account information services. FinTelegram has documented the pattern before: Previous reporting connected Yapily-linked rails to Contiant, Klyme, Winhero, BetAlice, Mega.bet, LuckyWins, and repeated Revolut open-banking touchpoints in offshore casino flows. BaFin confidentiality means silence proves nothing: BaFin says its whistleblower office handles reports confidentially and checks every lead in several stages, so the absence of a public announcement does not mean the matter is inactive. Compliance Analysis 1. A whistleblower file has now reached the German regulator FinTelegram has reviewed a report that appears to originate from the same whistleblower who filed the matter with BaFin. The dossier alleges that Yapily Connect UAB processed or enabled payment initiation flows connected to offshore casino brands targeting German users without the required local gambling authorisation. That matters because Germany’s online gambling market is not a regulatory mystery. The Gemeinsame Glücksspielbehörde der Länder (GGL) is the central authority for cross-state online gambling supervision and maintains a public whitelist of permitted operators. In other words, the licensing question is not hidden in a fog of legal uncertainty; regulators already provide a public framework for determining whether an operator is authorised. If the whistleblower material is accurate, then this is not a marginal paperwork issue. It would point to a regulated payment rail being used, directly or indirectly, to funnel consumer money into gambling offers that should not have been serviced in Germany at all. 2. Yapily’s own marketing makes the story even more uncomfortable What makes this case especially explosive is the contrast between public messaging and the alleged payment reality. On its official website, Yapily actively markets a solution for gaming and gambling, including the line “Everything you need to win more iGaming operators.” On the same page, it promotes Yapily Connect as a way to “start using open banking without the need to acquire AISP or PISP licenses.” Separately, Yapily states in its compliance materials that it maintains “zero tolerance” for compliance and financial-crime risk, and in a February 2026 clarification post it stressed that it operates regulated infrastructure under ongoing supervision in the UK and EU. That is precisely why the BaFin angle is so serious. If a company markets regulated open-banking infrastructure to iGaming, and if that infrastructure then repeatedly shows up in flows for unlicensed offshore casinos, regulators cannot simply shrug and pretend the licensed player is too far removed from the merchant. 3. Yapily Connect UAB is not a ghost entity — it is a licensed payment institution Official records at the Bank of Lithuania show that Yapily Connect UAB remains authorised under LB002045, with a payment institution licence valid since 23 December 2020. The register shows activity in payment initiation services and account information services. That status matters because payment initiation service providers are not decorative API vendors. They sit in a regulated position within the payment chain. Recent legal commentary on BaFin’s updated AML guidance notes that any earlier limitation on AML obligations for payment initiation service providers has been removed, meaning those firms must comply fully with applicable AML obligations. So the central question is brutally simple: what exactly did Yapily know, what should it have known, and what did it do when repeated high-risk casino flows surfaced? 4. FinTelegram has already mapped the pattern This BaFin case does not fall out of the sky. It lands on top of a long trail of FinTelegram reporting. FinTelegram previously reported that Contiant, a Bulgarian technical service provider, was acting in front of Yapily’s regulated rails and effectively piggybacking on Yapily Connect UAB to process high-risk gambling traffic. That architecture is important because it creates distance between the licensed payment initiator and the casino merchant while still using the regulated rail. Read our reports on Contiant here. The Winhero / Klyme case was even worse. A leaked internal email, accidentally forwarded to a complaining user, allegedly showed Yapily’s compliance team asking partner Klyme to blacklist the whistleblower rather than suspend or seriously investigate the merchant. FinTelegram described that as compliance theatre—and the label still fits. The BetAlice review showed another familiar multi-layer path: payment-gateway.io → puretransfer.io → mellifera.tech, with Paradis Tech Ltd as payee and Yapily/Wise references in the open-banking flow. Again, the pattern was not one rogue merchant but a structural rail design built for opacity. More recently, FinTelegram’s tag coverage shows Yapily continuing to surface in cases such as Mega.bet and LuckyWins, alongside broader reporting on Revolut’s recurring role as an open-banking touchpoint in offshore casino payment paths. FinTelegram’s own Rail Atlas stresses that it does not allege Revolut knowingly enables illegal gambling; rather, its infrastructure repeatedly appears in observed paths after multiple intermediary layers. 5. So how can open-banking rails be exploited at scale without consequences? This is the real scandal. The answer is regulatory fragmentation plus plausible deniability by design. First, online gambling supervision and payment supervision are split. The GGL watches operators. BaFin watches financial institutions in Germany. Bank of Lithuania supervises Yapily Connect UAB as the home-state regulator. In the UK, another layer sits with the FCA. Then the end-user bank or banking interface—sometimes Revolut—sits further downstream. Everyone sees only part of the chain, and everyone has an incentive to say the real responsibility belongs to someone else. Second, the layered architecture is tailor-made to frustrate supervision:casino cashier → anonymous gateway → technical service provider → regulated PISP rail → bank consent screen → bank account debit → offshore operator. Third, Pay by Bank flows are a perfect laundering interface for illegal casinos. They look clean, modern, and consumer-friendly. They bypass the familiar card-acquiring warning signs. They often come without the friction of classic chargeback dynamics. And once the payment path is buried behind domains like paywith.contiant.com or other anonymous gateways, the regulated entity can pretend it is merely providing neutral infrastructure. Fourth, host regulators often under-enforce. BaFin’s whistleblower office may investigate every lead confidentially, but BaFin is not exactly famous for fast, aggressive, cross-border forensic work in shadow-payment structures. That is the uncomfortable background to this case. If BaFin now has a credible file and still does nothing meaningful, it will reinforce the market’s working assumption that open-banking casino rails are effectively consequence-free. 6. What BaFin should investigate now If BaFin wants to be taken seriously, it should not stop at reading the whistleblower file. It should ask for the full operating stack: the merchant onboarding files for the relevant gambling-facing clients and intermediaries; all due-diligence and periodic review records; risk scoring and escalation logs for gambling / high-risk merchants; transaction-monitoring alerts and internal decisions; the exact role of Contiant, Klyme, and any other technical service providers or white-label partners; the cross-border service map showing where Yapily Connect UAB’s payment initiation services were actually used; evidence of suspicious activity reporting or escalation to competent authorities; the relationship between the regulated payment layer and downstream banks or interfaces repeatedly appearing in these flows. Anything less would be window dressing. 7. The bigger implication: this is not just a Yapily story This case could become the first real test of whether European regulators are willing to look beyond the old card-acquiring paradigm and confront the new reality: illegal casino payments now move through open-banking infrastructures, crypto on-ramps, and fake-fiat conversion rails in parallel. FinTelegram has already shown the crypto side through cases involving ChainValley and similar structures. The Yapily/BaFin angle matters because it strikes at the more respectable-looking front end—the regulated API layer that makes black-market gambling feel like ordinary fintech. If BaFin follows through, this could become a precedent-setting enforcement moment. If it does not, the message to the market will be even clearer: build enough layers, add a few anonymous gateways, route through a licensed open-banking provider, and regulators will look the other way. Conclusion The whistleblower case against Yapily, if pursued properly, could become one of the most important test cases yet for Europe’s open-banking supervision. The central question is no longer whether offshore casinos use modern payment rails. Of course they do. The real question is whether regulators are willing to admit that regulated open-banking infrastructure has become one of the preferred highways for illegal gambling cashflows. Yapily’s own public positioning—as a regulated, compliance-focused provider serving iGaming—means this case cannot be brushed aside as a misunderstanding about generic technology. If the same names, the same gateways, and the same casino patterns keep surfacing in whistleblower files and transaction trails, then supervisors must decide whether they are supervising substance or merely licensing form. If BaFin cannot see a problem here, then the problem is bigger than Yapily. Whistle42 Call FinTelegram invites whistleblowers, payment professionals, compliance officers, bank employees, former PSP staff, and affected players to submit documents, screenshots, transaction records, merchant descriptors, or internal compliance material relating to Yapily, Contiant, Klyme, Revolut open-banking flows, and offshore casino payment schemes via Whistle42. The open-banking rail story is far from over. Share Information via Whistle42

The Regional Court of Cologne has sentenced German B2G principal Rainer Treuer to two years and four months for unauthorized payment-services activity linked to the notorious B2G payment network. The judgment confirms what FinTelegram warned years ago: B2G was not a harmless consultancy outfit but a payment-collection machine moving victim funds through German bank accounts and onward to foreign recipients. Yet the alleged mastermind, Oleg Shvartsman, was not adjudicated because he could not be reached — leaving the bigger question unresolved: why did German enforcement reduce a vast scam-enabling laundering infrastructure to a licensing case? Key Findings Rainer Treuer convicted: The Regional Court of Cologne sentenced Treuer to two years and four months, with three months deemed served due to excessive duration of proceedings. B2G confiscation ordered: The court ordered confiscation against B2G GmbH in the amount of €671,549.52. Court confirms illegal payment infrastructure: The judgment describes B2G as opening bank accounts, receiving third-party customer funds, and forwarding them for remuneration without the required authorization. Scale matters: According to EFRI’s analysis of the judgment, the B2G operation forwarded €33.57 million through B2G GmbH over roughly one year. Shvartsman not tried: Oleg Shvartsman’s case was not decided in this judgment because he did not appear in the proceedings. FinTelegram’s position: Based on multiple communications with both Treuer and Shvartsman during the relevant period, FinTelegram can state that Shvartsman was the driving brain behind the B2G structure, while Treuer acted as his loyal German associate. EFRI’s role: EFRI filed criminal complaints against Treuer, Shvartsman, B2G GmbH, and related structures and represented victims whose deposits flowed through the B2G rails. The core scandal: The judgment confirms unauthorized payment services — but does not fully address the broader money-laundering architecture that enabled binary options and broker scams to scale. Report The Verdict: A Conviction, But Not A Reckoning The Regional Court of Cologne has finally delivered a judgment in the long-running B2G matter. According to the judgment dated 27 January 2026, German defendant Rainer Treuer was convicted for intentional unauthorized provision of payment services and incitement to intentional unauthorized provision of payment services. The court imposed a total custodial sentence of two years and four months, with three months deemed served due to excessive duration of the proceedings. The judgment also orders confiscation against B2G GmbH in the amount of €671,549.52. EFRI, which has monitored the proceedings for years, summarizes that the Cologne proceedings arose from the B2G and P2P complexes and that Treuer was convicted in connection with B2G GmbH and P2P GmbH, while Oleg Shvartsman’s case was not decided because he did not appear. This is a milestone. But it is not justice in proportion to the damage. The Cologne court has confirmed the illegal payment-services structure. What remains under-addressed is the true nature of B2G: a scam-enabling payment laundromat for the binary options era. Read our reports on the B2G Scheme here. Who Are Rainer Treuer And Oleg Shvartsman? Rainer Treuer is a German businessman and one of the formal principals of B2G GmbH, the Cologne-based company used as a payment-collection vehicle. The court judgment identifies Treuer as one of the managing directors of B2G GmbH. It also records that he and Shvartsman founded B2G GmbH in September 2016, each holding 50%. Oleg Shvartsman is the Russian partner behind the B2G structure. FinTelegram has described him for years as the more strategic figure in the operation. The judgment did not decide his case because he was not before the court. But FinTelegram’s direct communications with Shvartsman and Treuer over the years support a clear assessment: Shvartsman was the mastermind, Treuer the German operator and loyal associate. FinTelegram had already reported in 2020 that B2G GmbH, managed by Treuer and Shvartsman, was under investigation across jurisdictions and had facilitated notorious broker scams such as Option888 and Blue Trading. FinTelegram also reported that EFRI had filed a money-laundering complaint against both individuals. The B2G Model: German Bank Accounts As Scam Intake Pipes The judgment describes the B2G business model in straightforward terms: Treuer and Shvartsman opened bank accounts in the name of B2G GmbH, made those accounts available to clients, received incoming customer funds, and forwarded those funds — for remuneration — to the clients or to entities named by them. The court found that the money was not simply passed through one-to-one. It was collected, pooled, and then forwarded in larger blocks, often to foreign bank accounts. EFRI’s summary of the judgment confirms that the court listed bank accounts at Kölner Bank, Sparkasse Koblenz, Deutsche Bank, Südwestbank, and UniCredit/HypoVereinsbank. The same EFRI analysis states that the funds were often bundled and forwarded to foreign recipients and that the court quantified B2G’s forwarded volume at €33,577,475.80. That is not ordinary consulting. That is payment infrastructure. And in the binary options era, payment infrastructure was the oxygen supply of the scam industry. Without bank accounts, boiler rooms could not collect deposits. Without payment processors, victims could not be converted into cash. Without laundromats like B2G, the fake trading platforms could not scale across Europe. The Scam Context: Binary Options Needed Laundromats FinTelegram warned during the heyday of binary options that illegal broker schemes were not merely “websites.” They were organized fraud systems built from layers: boiler rooms, fake brands, sham platforms, shell merchants, and payment processors. B2G belonged to the payment layer. FinTelegram’s earlier reporting identified B2G GmbH and B2G s.r.o. as part of the German/Czech payment-processing infrastructure used by binary options and broker scams. In 2021, FinTelegram reported that Cologne prosecutors had filed charges against the individuals behind B2G and described B2G as one of the notorious German laundromats and scam facilitators of the binary options era. EFRI’s criminal complaint stated that B2G GmbH and its Czech sister company enabled scams including XTraderFX, OptionStarsGlobal, and BlueTrading to intake victims’ money via German and Czech bank accounts, with Treuer and Shvartsman forwarding deposits to scammers after deducting their fees. This is the real issue: B2G was not a passive company that accidentally handled suspicious payments. It was a collection engine. It gave scam operators the appearance of banking legitimacy and converted victim deposits into movable offshore funds. The Court’s Narrow Frame: Unauthorized Payment Services The Cologne court convicted Treuer for unauthorized payment-services conduct under German payment-services law. That matters. It means the court accepted that the B2G structure was not authorized to perform the payment function it performed. But from a financial-crime perspective, the narrow legal framing is deeply unsatisfactory. EFRI’s critique is correct: treating B2G mainly as a licensing breach risks understating the true harm. The pattern described in the judgment — multiple bank accounts, victim deposits, pooling, bundling, and forwarding to foreign recipients — is exactly the infrastructure that enables money laundering and large-scale investment fraud. EFRI argues that this judgment is an important procedural milestone but not the full legal reckoning with the broader infrastructure behind online fraud. FinTelegram agrees. The legal system has again caught the payment pipe but not fully confronted the laundering machine. The Missing Defendant: Shvartsman The glaring absence is Oleg Shvartsman. The judgment does not adjudicate his role because he did not appear. That procedural fact must be respected. However, it does not erase the factual reality around B2G. EFRI reported that case materials named Shvartsman and Treuer in relation to an alleged unlicensed payment-collection infrastructure that received consumer funds into company-controlled accounts, pooled and relabeled them, and forwarded them to upstream recipients. FinTelegram’s own historic communications with Shvartsman and Treuer support the assessment that Shvartsman was not a side character. He was the strategic driver, the man behind the structure, while Treuer gave the operation its German corporate and banking face. The fact that Shvartsman was not in the dock is not a minor procedural footnote. It is the central unfinished business of the B2G case. The Banks And Supervisory Failure EFRI has also raised uncomfortable questions about the timing of supervisory and banking action. In a separate report, EFRI stated that BaFin had been aware of the activities of Shvartsman and Treuer since November 2017, while key payment rails allegedly remained open for months. EFRI also reported that Sparkasse Koblenz remained operational until July 2018 even as complaints and refund demands escalated. EFRI’s research further states that B2G GmbH was used as a key money mule for scams including OptionStarsGlobal, Weiss Finance, InstaFx24, Blue Trading, SafeMarkets, Aspects Financial, MarketsTrading, CentroBanc, and StoxMarket, and that Treuer and Shvartsman also controlled P2P GmbH, another money-mule structure operating German and Dutch bank accounts. This raises the old FinTelegram question: how many victims could have been protected if banks and regulators had acted faster? The B2G case is not only a story about two men and a German GmbH. It is a story about Europe’s failure to understand that payment processors are not peripheral actors in online fraud. They are often the decisive enablers. B2G Scheme — Key Names, Entities, Roles And Connections Name / EntityRole in the B2G SchemeConnection / RelevanceRainer TreuerGerman B2G principal; convicted by Regional Court of CologneSentenced to two years and four months for unauthorized payment-services conduct; formal German operator of B2G GmbHOleg ShvartsmanRussian partner; alleged mastermind behind the B2G structureNot adjudicated in the Cologne judgment because he did not appear; FinTelegram communications indicate he was the strategic driverB2G GmbHGerman payment-collection vehicleCologne-based company used to receive and forward victim funds via German bank accountsB2G s.r.o.Czech sister/related entityIdentified by EFRI and FinTelegram as part of the wider German/Czech B2G payment-processing setupP2P GmbHRelated payment/money-mule structureEFRI states Treuer and Shvartsman also controlled P2P GmbH; used German and Dutch accountsKölner Bank / Volksbank Köln-BonnAccount-holding bankListed in the judgment among banks used for B2G payment flowsSparkasse KoblenzAccount-holding bankEFRI identifies this as a key rail that allegedly remained active for months despite complaints and warning signsDeutsche BankAccount-holding bankListed in the judgment among banks used by B2GSüdwestbankAccount-holding bankListed in the judgment; EFRI notes BaFin acted swiftly in relation to this banking relationshipUniCredit / HypoVereinsbankAccount-holding bankListed in the judgment among banks used by B2GEFRIVictim-representation and enforcement initiativeFiled criminal complaints and represents victims whose deposits flowed through B2G/P2P railsFinTelegramInvestigative reporting and warning platformExposed B2G during the binary options era and communicated with Treuer and ShvartsmanGal Barak / E&G Bulgaria ecosystemScam ecosystem allegedly served by B2G-related railsFinTelegram previously reported that B2G laundered funds for Barak-related and other binary options scamsUwe Lenhoff-related schemesBinary options / broker scam ecosystemMentioned in FinTelegram and EFRI context as part of the broader scam environment in which illegal PSPs operatedOption888, Blue Trading, XTraderFX, OptionStarsGlobal, SafeMarkets, CentroBanc, StoxMarket and othersFraudulent or allegedly fraudulent broker/scam brandsEFRI and FinTelegram reports identify these as brands whose victim deposits appeared in B2G/P2P-related payment flows FinTelegram Comment The Cologne verdict is a conviction — but it is not the historical verdict the victims deserved. For years, FinTelegram warned that B2G was a German laundromat for binary options criminals. The Cologne judgment now confirms the illegal payment-services skeleton of that story. But the flesh and blood of the case — the laundering architecture, the scam brands, the offshore recipients, the role of banks, the regulatory delays, and the missing Shvartsman — remains only partly addressed. This is the bitter truth: Europe’s scam industry did not scale because fake brokers were clever. It scaled because financial enablers gave them bank accounts, payment pipes, and laundering corridors. B2G was one of those corridors. Rainer Treuer has now been convicted. Oleg Shvartsman remains the missing figure. Victims still wait for restitution. And regulators still owe answers. Conclusion The B2G judgment should be read as a warning to every financial crime enabler in Europe: the “we only processed payments” defense is dying. But it should also be read as an indictment of enforcement delay. FinTelegram and EFRI exposed the B2G laundromat years ago. Victims filed evidence. Payment flows were documented. Banks saw complaints. Regulators had tools. Yet millions continued to move. The binary options era is over, but the infrastructure lesson remains alive in crypto, offshore casinos, DeFi brokers, and high-risk payment gateways: follow the payment rails, and you find the real enablers. Whistle42 Call For Information FinTelegram invites former employees, victims, banking insiders, compliance officers, and law-enforcement sources with information about B2G GmbH, B2G s.r.o., P2P GmbH, Rainer Treuer, Oleg Shvartsman, or related payment flows to contact us securely via Whistle42. We are particularly interested in: bank-account opening files and compliance correspondence; communications with B2G, P2P, Treuer, or Shvartsman; payment instructions from binary options or broker brands; records of onward transfers to offshore recipients; internal bank or regulator documents concerning B2G-related alerts. Share Information via Whistle42

Illegal online casinos increasingly operate like adaptive digital organisms. A player may think they clicked on a single casino brand such as MyStake, Donbet or GoldenBet. In reality, the journey may pass through affiliate funnels, mirror domains, device-fingerprinting systems, geo-routing engines, bonus trackers and location-specific payment gateways before the player even reaches the cashier. The result is a hidden compliance maze where the casino shown to the player, the domain used for access, the payment method offered, and the merchant receiving the money may all change depending on the player’s country, device, bank, language, browser, referral source and prior behaviour. Key Findings Illegal casino brands are often only the visible storefront. Behind the visible domain sits a multi-layer infrastructure of affiliates, mirrors, tracking systems, platform providers and payment agents. Geo-routing is central to the model. The same player may be sent to different domains, mirrors or payment channels depending on whether they are in Italy, Germany, the Netherlands, the UK or another restricted market. Mirror domains defeat website blackouts. When regulators block one casino domain, the network can activate alternative domains, fallback URLs or near-identical branded “skins” such as brand123.com, brand-italia.com, brand-vip.com or similar variations. Payment options are also geo-personalised. A Dutch player may see iDEAL-style or open-banking options; a German player may see instant bank transfer or crypto ramps; an Italian player may see card, voucher, crypto or third-party merchant routes. The casino cashier is not static. AI and algorithmic decisioning are likely becoming part of the routing layer. There is no need to prove “full AI control” to understand the risk: even basic machine-learning, rules engines and behavioural analytics can optimise which domain, bonus, payment method and casino skin is shown to each player. The player often has no idea who is really processing the payment. The bank statement may show a software company, payment agent, e-wallet, crypto ramp or neutral merchant descriptor — not the casino brand. Regulatory compliance becomes fragmented. The gambling regulator sees a blocked domain; the bank sees a payment to a merchant; the affiliate sees conversion data; the player sees a casino; the platform provider sees API traffic. No single layer shows the full picture. The Hidden Casino: Why The Player Journey Is Misleading To the player, the process looks simple. They search for a casino, click a link, land on a site, register, deposit and gamble. That apparent simplicity is the illusion. In many offshore casino networks, the player has not travelled directly from Google, Telegram, TikTok, an affiliate site or a bonus page to a gambling operator. Instead, the player may have passed through several invisible routing systems before the final casino page loads. The GAMRS / Deal Me Out report on Santeda International B.V. and Ryker B.V. describes this structure in relation to MyStake and related brands. It says the consumer may be unaware that traffic has passed through “multiple intermediary domains” before reaching the operator, including affiliate redirect domains, link-cloaking services, device fingerprinting servers, bonus attribution trackers and geo-routing decision engines. The same section states that these systems can select a mirror domain, fallback website, different operator or version of the site not yet blocked by regulators. For FinTelegram’s Rail Atlas methodology, this is the decisive point: the casino is not a website; it is a routed network. Layer 1 — The Visible Casino Brand The player sees a brand: MyStake, Donbet, GoldenBet, Rolletto, CosmoBet, Velobet or another offshore casino. The brand creates the impression of a standalone gambling business. It has a logo, a cashier, promotions, customer support, terms and conditions, and sometimes a Curaçao, Anjouan or other offshore licence reference. But the visible brand may be only one skin in a larger network. The GAMRS report states that MyStake should not be viewed as a standalone actor, but as part of a broader multi-entity, multi-domain ecosystem. It identifies shared analytics identifiers, domain churn, coordinated hosting behaviour and links to aggregators as indicators of a wider infrastructure. For players, this matters because self-exclusion from one brand may not protect them from the wider network. If the same backend, affiliate programme, payment infrastructure or CRM system supports multiple brands, a player who closes an account with one casino may later be targeted by another “sister” brand. Layer 2 — The Mirror-Domain System Illegal casino networks frequently use many domains for the same gambling operation. A brand may appear under: Domain typeExample patternFunctionMain domaingoldenbet.comPublic-facing brandMirror domaingoldenbet-1234.comAlternative access routeCountry variantgoldenbet-it.comLocalised targetingAffiliate landing pagebest-bonus-goldenbet.comTraffic captureFallback domaingoldenbet-vip.netReplacement after blockingTemporary shellunfinished clone / placeholderPreserves SEO and routing This is especially relevant in markets such as Italy, where the ADM maintains lists of blocked unauthorised gambling sites and uses site inhibition as an enforcement tool. The ADM describes its action as identifying and inhibiting websites lacking the required authorisations. The problem is that domain blocking targets a visible endpoint, while the illegal network controls many endpoints. A recent international analysis of illegal betting-site blocking notes that operators can bypass geo-blocks by creating multiple mirror websites, allowing continued access if authorities block online portals. The GAMRS report describes this as a “Hydra” model: when one domain is removed, multiple replacements are already created or ready to activate. It also describes replacement shells used to preserve search traffic, affiliate linkages and domain authority while infrastructure is rebuilt in the background. In simple terms: the regulator blocks one door; the network opens three side doors. Layer 3 — Affiliate Funnels And Link Cloaking Affiliate networks are the acquisition engine. They are often the layer that first detects where the player is coming from and decides where to send them. A player may click on: a “non-GamStop casino” article; a Telegram bonus link; a streamer link; a comparison site; a “best crypto casino” page; a fake review site; a country-specific bonus page. The click may not go directly to the casino. It can pass through a chain of redirect domains. These systems can record the source, device, browser, IP range, language, bonus campaign, country, and whether the player is likely to convert. The GAMRS report identifies Affision, operated through Legitnine OÜ, as an affiliate programme for a broader network involving Santeda, Ryker and Onyxion, and says it promotes brands including MyStake, GoldenBet, JackBit, FreshBet and 31Bet. For players, this means the “review site” or “bonus page” may not be independent. It may be part of the same commercial acquisition machine that profits when the player deposits. Layer 4 — Device Fingerprinting And Geo-Routing Modern routing systems do not only look at the country of the IP address. They may evaluate a broader technical profile: AttributeWhy it mattersIP addressCountry, city, VPN/proxy signalBrowser languageLocalisation and market inferenceDevice typeMobile vs desktop behaviourOperating systemFraud and conversion profilingReferrer URLWhich affiliate or campaign sent the playerCookies / previous visitsReturning player recognitionPayment preferenceWhich cashier options are likely to workTime zoneLocation validationSIM / network indicatorsMobile-location inferenceBehaviour patternBot, bonus abuse, high-value player or vulnerable player signals Geolocation verification in iGaming is used for compliance and fraud prevention, including restricting access to users in permitted jurisdictions. AWS describes geolocation verification for sports betting and iGaming as serving compliance and fraud-prevention purposes, including limiting access to users in allowed regions. The darker side is obvious: the same technology that can be used to keep prohibited users out can also be inverted to route prohibited users in — through the domain, bonus, payment channel or mirror that is least likely to be blocked. FinTelegram should frame this carefully: we do not need to prove that every casino uses advanced AI. The compliance risk already exists if rule-based systems and behavioural analytics are used to choose routes around restrictions. AI simply makes the routing faster, more adaptive and harder to detect. Layer 5 — The Algorithmic Workaround This is where the market is moving. A traditional illegal casino network might use fixed rules: Italy → send to mirror A; Germany → send to instant-bank-transfer cashier; Netherlands → show local bank-transfer or open-banking option; UK → show crypto and card fallback; blocked IP → send to domain B; returning high-value player → show VIP bonus; self-excluded player → redirect to sister brand. An algorithmic or AI-enhanced network can do more. It can test which landing page converts best, which payment method succeeds most often, which bonus keeps a player depositing, and which domain survives longest before being blocked. In mainstream compliance technology, device intelligence and geolocation are already marketed as ways to detect suspicious activity, prevent spoofing and support regulatory compliance. In the illegal casino context, the same logic can be abused: Compliance technologyLegitimate useAbusive useGeo-locationBlock prohibited jurisdictionsRoute prohibited players to mirrorsDevice fingerprintingDetect fraudRecognise and re-target vulnerable playersPayment orchestrationImprove payment successRotate payment agents to avoid blocksBonus analyticsPersonalise offersPush high-risk players into repeated depositsAffiliate attributionPay marketersHide acquisition chainsAI optimisationImprove user experienceMaximise regulatory evasion This is the “algorithmic workaround” problem: the system learns how to keep the player inside the network even when regulators, banks or gambling-blocking tools try to interrupt the journey. Layer 6 — The Location-Specific Casino Cashier The payment page is one of the most important but least understood layers. A player in Italy, Germany, the Netherlands or the UK may not see the same cashier. The system can present different payment methods depending on location, device, currency, bank, player history and payment success rates. A Dutch player might see bank-transfer or open-banking options. A German player might see instant transfer, card, crypto or voucher methods. An Italian player may see card processors, crypto ramps, wallet options or neutral merchant-payee routes. A UK player may see card, crypto, e-wallet or bank-transfer options depending on what is still available and which PSP has not yet terminated the merchant. The GAMRS report’s payments section describes a multi-jurisdictional payment infrastructure supporting the Santeda network. It says payment flows can involve UK/EU card payments, white-label processors such as PayOp or PayDo, UK-authorised EMIs such as Clear Junction, Cypriot holding/payment-agent companies, Georgian intermediaries, and eventual banking endpoints in Czechia, Georgia and Germany. The report also lists MBRAMP/Mobilum Pay as a crypto gateway and identifies PayOp, TransferOp and PayDo as processors providing instant bank-transfer services. It notes that funds may be routed through mainstream banks and fintechs, including Revolut, Monzo, Wise, Starling and others, while expressly stating that GAMRS does not allege wrongdoing by those regulated institutions. For players, the warning is simple: the payment method shown in the cashier may not tell you who is really behind the casino or where your money is ultimately going. Layer 7 — Merchant Descriptors And Disguised Payments The most dangerous part of the payment layer is descriptor masking. A player may believe they deposited to a casino, but their bank statement may show: a software company; a payment agent; an e-commerce merchant; a crypto exchange; a consulting company; a generic payment processor; a completely unfamiliar payee. Reuters previously reported on the use of fake online stores to support gambling-payment disguises, explaining that such dummy stores can act as fronts to back up bogus payment descriptions. This matters because many banking controls rely on merchant category codes, descriptors, known gambling merchant lists or transaction monitoring. If the payment is presented as a transfer to a neutral merchant rather than a gambling transaction, gambling blocks and risk controls may fail. For the player, this creates three problems: First, the bank may not recognise the transaction as gambling. Second, a chargeback or refund claim may become harder because the payment does not appear to match the casino brand. Third, the player may not know which entity actually received the funds. Layer 8 — Platform Providers And Game Aggregators The casino brand is only one part of the system. The games, sportsbook, live casino, wallet, bonus engine, CRM, affiliate tracking and payment integrations may all be provided by third-party platform or aggregation providers. The GAMRS report states that the Santeda/MyStake ecosystem shows shared backend infrastructure across MyStake, CosmoBet, VeloBet, GoldenBet, Rolletto and other brands; common LiveChat licence IDs, analytics identifiers and configuration fingerprints; and persistent use of legacy InPlayNet infrastructure under the Upgaming brand. For players, this means that even if the front-end casino name changes, the underlying system may remain the same. The bonus engine, risk scoring, payments integration and customer-service system may follow the player across brands. That is why FinTelegram should explain the concept of network retention: the operator does not need to retain the player inside one casino brand. It only needs to retain the player inside the network. How The Whole System Works A simplified illegal-casino journey may look like this: StepWhat the player seesWhat may happen behind the scenes1A casino review or bonus linkAffiliate ID, campaign tracking and location check2A redirect to a casino domainLink cloaking and geo-routing3A familiar casino brandMirror domain or country-specific skin4Registration formDevice fingerprinting and risk scoring5Bonus offerBehavioural targeting or retention logic6Cashier pageLocation-specific payment orchestration7Bank/card/crypto paymentPSP, agent, EMI, crypto ramp or shell merchant8Casino balance creditedFunds routed through payment intermediaries9Player tries to withdrawKYC friction, delay, account review or refusal risk10Domain gets blockedPlayer is redirected to mirror or sister brand This is why the visible casino website is only the tip of the iceberg. Regulatory Interpretation For regulators, the lesson is clear: blocking domains is necessary but insufficient. The UK Gambling Commission has acknowledged that illegal-market disruption must adapt to changing online infrastructure, networking and marketing tactics, and it has described work involving referrals to platforms hosting unlicensed gambling content. Italy’s model of blocking unauthorised gambling websites through ADM is important, but the existence of thousands of blocked domains shows the scale and persistence of the problem. ADM’s own materials focus on identifying and inhibiting unauthorised gambling sites. The next enforcement frontier must be route-based, not only domain-based: identify affiliate redirect chains; map mirror-domain clusters; require payment providers to detect disguised gambling flows; scrutinise payment agents and merchant descriptors; test open-banking and instant-transfer flows; examine platform providers and aggregators; enforce local licensing rules against brands, suppliers and intermediaries; create cross-border intelligence sharing between gambling regulators, FIUs, banking supervisors and cybercrime units. FinTelegram Conclusion The illegal casino of 2026 is not a website. It is a location-aware, payment-aware, device-aware routing system. A player in Italy, Germany, the Netherlands or the UK may be shown a different domain, different bonus, different casino skin and different cashier — all for the same underlying gambling network. The system’s objective is simple: keep the player depositing, keep regulators chasing domains, keep banks seeing neutral merchants, and keep the real operator insulated behind layers of affiliates, PSPs, payment agents and offshore structures. The most dangerous part is not the visible casino. It is the invisible decision engine behind it. That engine decides: which domain the player sees; which mirror survives the blackout; which payment method is displayed; which merchant receives the money; which bonus keeps the player active; which sister brand receives the player after exclusion; which route avoids the regulator today. For players, the practical warning is blunt: when an offshore casino changes domains, payment names or cashier options depending on your location, you are probably not dealing with a normal gambling operator. You are inside a routed black-market infrastructure. Whistle42 Call To Action FinTelegram invites players, former employees, affiliates, PSP insiders, compliance officers and payment investigators to share evidence about offshore casino routing systems, mirror domains, disguised payment descriptors, open-banking flows, crypto ramps and payment agents. Especially valuable are: screenshots of casino cashier pages; full deposit flows from bank app to casino balance; bank statements showing merchant descriptors; redirect chains and domain histories; withdrawal refusals or account-closure emails; evidence of mirror domains after regulatory blocking; internal documents from affiliates, PSPs or casino operators. Information can be submitted securely via Whistle42. Share Information via Whistle42

FinTelegram’s review of GoldenBet shows a diversified payment architecture around the Santeda Group: card deposits evidenced through Payabl, wallet deposits showing Santeda International Limited as beneficiary via MiFinity, and an Open Banking rail through Bilderlings → Yapily Connect → Revolut’s Open Banking API. This is no longer a single-PSP complaint story. It is a Rail Atlas case study in how offshore casino operators maintain EU-facing payment continuity across cards, wallets, crypto, and account-to-account banking rails. Key Findings GoldenBet offers a multi-rail cashier. The uploaded screenshot shows deposit options for cards, MiFinity, Open Banking, Google Pay, Jetonbank, eZeeWallet, Bitcoin and Ethereum. Payabl processed card deposits to Santeda. The GDPR transaction list disclosed by Payabl shows successful Mastercard transactions to SantedaInternationalLimited totaling €565.00. Payabl refused refund action. Payabl told the player that it provides services to direct clients and could not execute a refund because the player had no direct contractual relationship with Payabl. MiFinity confirms Santeda as beneficiary. The uploaded MiFinity simulation shows a €50 deposit to Santeda International Limited. Open Banking rail confirmed. The screenshots show GoldenBet’s Open Banking option routing into portal.bilderlings.com, then to a bank-selection screen listing Revolut, then a consent screen referencing Yapily Connect, and finally oba.revolut.com. Bilderlings is an FCA-authorised EMI. The FCA Register lists Bilderlings Pay Limited as an authorised electronic money institution since 1 May 2018. Yapily Connect is a regulated Open Banking provider. Yapily states that Yapily Connect Ltd is FCA-regulated and Yapily Connect UAB is regulated by the Bank of Lithuania. Payabl’s Cyprus AML history matters. The Central Bank of Cyprus register records a €350,000 fine against Payabl. Cy Ltd under Cyprus AML legislation, announced on 3 October 2025, with judicial review pending. The GoldenBet Rail Map GoldenBet / Santeda casino cashier│├── Rail 1: Card deposits│ GoldenBet card option│ → Payabl card-processing / acquiring layer│ → GPay card-processing │ → Merchant: Santeda International Limited│ → GDPR transaction list: shows successful transactions│├── Rail 2: Wallet deposits│ GoldenBet MiFinity option│ → MiFinity │ → Jetonbank │ → eZeeWallet │ → Beneficiary: Santeda International Limited│├── Rail 3: Open Banking deposits│ GoldenBet “Deposit with Open Banking”│ → portal.bilderlings.com / OBG payment layer│ → Bilderlings bank-selection interface│ → Yapily Connect consent screen│ → oba.revolut.com│ → Revolut authorisation│└── Rail 4: Crypto deposits GoldenBet several cryptocurrency options → direct wallet transfer via wallet address → high-risk value-transfer channel Analysis: The Multi-Rail Architecture GoldenBet’s cashier does not depend on one payment provider. It presents a resilient payment stack across cards, wallet payments, Open Banking and crypto. That architecture matters because it reduces dependency on any single rail and allows deposits to continue even if one channel becomes disputed, blocked, or scrutinised. The Payabl evidence is documentary: Payabl’s own GDPR disclosure lists multiple successful card transactions to SantedaInternationalLimited in August 2025. Payabl’s complaint team then rejected the player’s refund request on the basis that the player was not Payabl’s direct customer. Read the GoldenBet/Payabl GDPR case here. The MiFinity evidence independently supports the same payment-agent structure: the simulation screenshot shows the deposit beneficiary as Santeda International Limited. The new Open Banking evidence adds the systemic Rail Atlas angle. The user journey moves from GoldenBet into a Bilderlings-hosted payment page, then to a Yapily Connect consent screen, and then to Revolut’s oba.revolut.com authorisation layer. Revolut’s own help pages explain that Open Banking requires explicit approval and allows regulated third-party providers to access data or initiate payments. Why The Bilderlings/Yapily/Revolut Rail Matters The screenshots (left) show a clean Open Banking chain: GoldenBet→ Bilderlings OBG payment page→ “Choose your bank”→ Revolut selected→ Yapily Connect consent→ Revolut authorisation at oba.revolut.com This is sensitive because Open Banking payments can look like user-authorised account-to-account transfers rather than classic gambling card payments. That may reduce the visibility of merchant category codes and weaken chargeback-style consumer remedies. Bilderlings’ FCA status and Yapily’s regulated Open Banking status do not remove the underlying compliance question: what upstream merchant context is visible, screened and passed through the chain? Compliance Red Flags Red FlagWhy It MattersSame casino, multiple railsDemonstrates payment resilience, not incidental processingSanteda clearly identifiedPayabl and MiFinity evidence identify the beneficiary/merchantOpen Banking route to RevolutShows A2A banking rail for casino depositsYapily consent references bank data and RevolutConfirms regulated Open Banking layerCrypto options in cashierAdds value-transfer and AML complexityPayabl AML penalty contextCBC already sanctioned Payabl under AML law in 2025No direct-customer refund defencePSP accountability gap where player is harmed but not contractual client Interpretation In The Rail Atlas Narrative The GoldenBet case is a flagship Rail Atlas case because it illustrates the modern offshore-casino payment perimeter: regulated PSPs + wallet providers + Open Banking infrastructure + crypto rails + offshore casino operator The crucial point is not that each rail is inherently unlawful. Cards, MiFinity, Bilderlings, Yapily and Revolut are all legitimate infrastructures. The issue is how these infrastructures appear to be combined to support casino deposits for an operator alleged to lack the relevant EU/German/Dutch licences. Evidence & Confidence Table Rail ElementObserved RoleEvidence TypeConfidence GradeGoldenBetCasino cashier / originating merchant environmentScreenshotConfirmedSanteda International LimitedMerchant / payment agentPayabl GDPR list + MiFinity screenshotConfirmedPayablCard-processing layerGDPR disclosure + email correspondenceConfirmedMiFinityWallet deposit channelScreenshot simulationConfirmedBilderlingsportal.bilderlings.comOpen Banking gateway layerUploaded screenshots + FCA registerCorroboratedYapily ConnectOpen Banking connectorConsent screen + public regulatory statusConfirmedRevolut / oba.revolut.comBank authorisation endpointUploaded screenshotConfirmed Open Questions To GoldenBet / Santeda Which Santeda entity is the contractual merchant of record for GoldenBet deposits? Does Santeda International Limited act as payment agent for all Santeda casino brands? Which countries are targeted by GoldenBet, and what licences does it hold in each? Why are Open Banking and crypto rails offered to EU players if licensing is disputed? What responsible-gambling safeguards are applied across sister brands? Open Questions To Payabl Was Santeda classified as a high-risk gambling merchant? What due diligence was conducted regarding Santeda’s German/EU licensing status? Did Payabl review the merchant after the player explicitly raised illegality and gambling-addiction concerns? Did Payabl file internal alerts or SARs? How does Payabl reconcile this case with the CBC’s €350,000 AML fine? Open Questions To Bilderlings Is Bilderlings providing the Open Banking gateway shown in the GoldenBet flow? Who is Bilderlings’ direct client in this transaction chain? Does Bilderlings identify the upstream merchant as GoldenBet or Santeda? Does Bilderlings permit Open Banking payments for offshore casino operators? Are gambling merchants geo-blocked where no local licence exists? Open Questions To Yapily What merchant-origin information is passed to Yapily in this flow? Does Yapily know that the Open Banking request originates from GoldenBet? Does Yapily screen iGaming merchants for target-market licensing? Does Yapily pass upstream merchant data to Revolut? Open Questions To Revolut Does Revolut see GoldenBet or Santeda as the originating merchant? Does Revolut classify the transaction as gambling, generic Open Banking, or account-information/payment access? Does Revolut monitor Bilderlings/Yapily casino flows as high-risk? Are transactions blocked where casino operators lack local licences? Conclusion GoldenBet’s payment stack is not a single payment incident. It is a multi-rail architecture. The Payabl GDPR disclosure documents card processing to Santeda. The MiFinity simulation identifies Santeda International Limited as beneficiary. The new screenshots show an Open Banking path via Bilderlings and Yapily into Revolut’s Open Banking API. This makes GoldenBet a flagship Rail Atlas case: it demonstrates how offshore casinos can combine regulated payment institutions, wallet providers, Open Banking connectors and crypto rails into a resilient EU-facing cashier system. The compliance question is now unavoidable: are regulated financial institutions and Open Banking providers adequately detecting, classifying and blocking casino flows where the operator lacks the required target-market licence? Whistle42 Call FinTelegram invites insiders from Santeda, Payabl, MiFinity, Bilderlings, Yapily, Revolut, casino affiliates, payment agents and compliance teams to submit evidence confidentially via Whistle42. We are seeking merchant onboarding files, Open Banking logs, payment descriptors, settlement records, licensing reviews, SAR filings, internal alerts and screenshots of live cashier flows. Share Information via Whistle42

A German player’s GDPR request, reviewed by FinTelegram, has exposed a critical compliance issue: the Cyprus-regulated EMI Payabl processed multiple credit card deposits to Santeda International Limited, the payment agent behind offshore casino GoldenBet, which operates without an EU license. Despite being alerted to the illegality and the player’s gambling addiction, Payabl refused refunds, citing lack of a direct contractual relationship. The case raises serious questions about AML, gambling compliance, and the effectiveness of regulatory oversight — especially in light of the Central Bank of Cyprus’ major penalty against Payabl in 2025. Key Findings Confirmed transaction processing: Payabl (payabl.com) provided a transaction list (reviewed by FinTelegram) showing multiple successful payments to Santeda International Limited totaling €565.00 Merchant identification is clear: All transactions carry the descriptor SantedaInternationalLimited, eliminating ambiguity about the merchant. Payabl acknowledges role as PSP: The company confirms it provides payment services to its “clients” (i.e. merchants like Santeda). Refund refusal: Payabl declined to process refunds because the player is “not a direct contractual client.” Legal notice given: The player explicitly informed Payabl that Santeda operates illegal gambling services in Germany and referenced the Glücksspielstaatsvertrag (GlüStV 2021). MiFinity simulation confirms payment agent: Deposits are routed to Santeda International Limited as beneficiary (screenshot evidence). Responsible gambling failure: Player had prior self-exclusion history and declared gambling addiction, yet deposits were processed. Transaction Evidence: Direct Link To Santeda The transaction file provided by Payabl is the strongest possible evidentiary element. It shows: Merchant: Santeda International Limited Card payments: Multiple Mastercard transactions Dates: August 2025 Status: All marked “Successful” There is no intermediary masking in the descriptor. This is critical: Payabl processed payments directly attributable to Santeda — not an unknown gateway or disguised merchant. GoldenBet & Santeda: The Illegal Gambling Context The whistleblower’s statement — supported by the transaction data — establishes: GoldenBet is operated by Santeda Group No EU / German license exists German law (GlüStV 2021) explicitly: prohibits unlicensed gambling prohibits facilitating payments for such operators The player explicitly notified Payabl: the operator is unlicensed contracts are legally void refunds are legally required (unjust enrichment doctrine) prior court rulings exist against related Santeda brands This transforms the case from a “possible compliance issue” into a “known-risk scenario explicitly escalated to the PSP.” Payabl’s Response: The Critical Compliance Position Payabl’s official response is revealing: “As you do not have a direct contractual relationship… we are unable to… execute a refund.” Interpretation: Payabl is asserting: It serves merchants (Santeda) Not end users (players) This is technically correct under payment-services structure — but compliance-relevant incomplete. Compliance Analysis: Where The Problem Lies 1. Knowledge Threshold Is Met Payabl was informed that: Santeda operates illegally in Germany The player is a gambling addict The transactions are legally void litigation history exists From that point onward: Payabl cannot be considered unaware of the risk. 2. Merchant Risk Is Not Hypothetical — It Is Identified The transaction list: names Santeda explicitly shows repeated payments confirms ongoing merchant activity This is not a hidden merchant scenario This is direct merchant exposure 3. Payment Facilitation Risk Under EU Law Under EU AML and national gambling laws: Payment institutions must: assess merchant legality monitor transaction purpose detect illegal activity patterns file SARs where appropriate In Germany (GlüStV): Payment facilitation for illegal gambling is prohibited 4. Responsible Gambling Failure The player states: prior self-exclusion (2022) gambling addiction disclosed operator ignored safeguards If true, this creates: enhanced duty of care heightened transaction risk For a PSP: repeated deposits under such conditions are a red flag potential indicator of exploitation / harmful use The 2025 Central Bank of Cyprus Penalty The Central Bank of Cyprus (CBC) imposed a major AML-related penalty on Payabl in 2025. Note: On 12 December 2025, Payabl. Cy Ltd registered Appeal no.1405/2025 before the Administrative Court against the decision of the CBC. What the penalty indicates: Although framed as AML deficiencies, such penalties typically relate to: inadequate transaction monitoring weak merchant due diligence insufficient risk classification failure to detect high-risk flows Interpretation in the GoldenBet context The GoldenBet/Santeda case fits exactly into the risk category highlighted by such penalties: CBC Risk CategoryGoldenBet CaseHigh-risk merchant exposureSanteda (offshore casino)AML monitoring gapsrepeated gambling depositsLegal/regulatory mismatchillegal in Germanyconsumer harm indicatorsgambling addiction disclosedtransaction pattern riskmultiple small deposits Therefore: The GoldenBet case can be interpreted as a real-world manifestation of the systemic weaknesses that led to the CBC penalty. Conclusion This case is not speculative. It is documented, traceable, and acknowledged by the PSP itself. Payabl processed payments to Santeda Santeda operates GoldenBet GoldenBet operates without EU license Payabl was informed of this Payabl declined intervention This creates a clear compliance tension between contractual PSP structurevs. regulatory obligations (AML + gambling law) Whistle42 Call FinTelegram invites insiders from: Payabl Santeda Group MiFinity acquiring banks compliance teams to submit: merchant onboarding files risk assessments SAR filings internal alerts transaction monitoring logs via Whistle42. Share Information via Whistle42

Whistleblower evidence reviewed by FinTelegram indicates that casino deposits may pass through a layered redirect chain before reaching the Paysolo open-banking gateway. The observed flow — Pagagate → Impaya.online → Aceiro.online → openbanking.paysolo.net — suggests that Impaya and Aceiro may function as intermediate routing or masking layers between casino-facing payment gateways and the open-banking execution stack involving Paysolo, Pellopay, Yapily and Revolut. Key Findings The observed video/screenshot evidence shows a sequential redirect flow: pagagate.com → impaya.online → aceiro.online → openbanking.paysolo.net. Impaya publicly presents itself as an e-commerce payment-solutions provider offering online payment systems and customised payment technology. Impaya identifies NewTech Mobile SIA as its EU representative, registration number 40103709254, at Skanstes str 7 k1, Riga, Latvia. LinkedIn profiles connect Sergejs Roslikovs to Impaya and NewTech, with Roslikovs described as CEO of IMPAYA Payment System and CEO of NewTech SIA. Aceiro appears in the live payment path, but public-source corporate attribution is not yet confirmed. It should be treated as a technical routing/domain lead. The downstream Paysolo layer is not merely theoretical: Paysolo markets itself as a EUR–crypto bridge and virtual IBAN provider, including SEPA/SWIFT rails and crypto conversion. The Pellopay layer appears later in the payment consent text, while Pellopay publicly describes API-based payment integration, payment traceability, settlements, bank transfers, digital wallets and support for methods including Revolut. The Observed Flow Based on the whistleblower video and screenshots, the payment journey appears to move through the following sequence: Casino deposit page → Pagagate → Impaya.online → Aceiro.online → openbanking.paysolo.net → Pellopay/Yapily consent layer → bank selection, including Revolut EU This is a materially important finding. It shows that before the player even reaches the Paysolo open-banking page, there may already be two additional routing layers — Impaya and Aceiro — sitting between the casino-facing gateway and the open-banking interface. Why Impaya And Aceiro Matter We also found Aceira.online and Paysolo in the open banking payment rails of other casino and sports betting sites that operate without the proper license through payment agents in Cyprus. Betify is another example. As such, this payment rail setup involving Aceira and Impaya, centered around Paysolo, is common in this high-risk segment. Impaya and Aceiro appear to operate in the pre-Paysolo layer. Their role is not visibly explained to the user. In the screenshots, both domains display generic “Payment processing … Please wait, your payment is being processed” pages. That makes them important for compliance analysis because they may perform one or more of the following functions: Possible FunctionCompliance RelevanceRedirect orchestrationBreaks visibility of the original merchant journeyPayment-session handlingMay generate or preserve order/payment tokensGateway maskingMay separate casino brand from bank-facing payment layerRisk-routing logicCould select Paysolo/open banking depending on player country or bankMerchant abstractionMakes it harder to identify who the merchant of record is Impaya.online and Aceiro.online appear in the observed payment path between casino-facing gateways and Paysolo’s open-banking interface. The New Architecture: A Layered Casino Payment Stack The working Rail Atlas model now becomes more precise: Offshore casinos ↓Pagagate / Urbenics ↓Impaya.online ↓Aceiro.online ↓openbanking.paysolo.net ↓Pellopay Finance LTD ↓Yapily Connect ↓Revolut / other banks This is not a conventional payment chain. It is a composable payment stack in which each layer may be operated by a different entity, hosted under a different domain, and subject to different regulatory visibility. Compliance Analysis 1. The “Processing Page” Pattern Both Impaya and Aceiro appear as neutral processing screens. Such pages can be legitimate in ordinary payment orchestration. But in a high-risk gambling context, they can also reduce transparency by preventing the user, bank, or investigator from seeing the full merchant chain at once. The question is not whether a processing page is illegal. The question is whether the processing page is used to strip context before the transaction reaches open banking. 2. Impaya’s Public Positioning Impaya publicly describes itself as a payment-solutions provider offering scalable, secure online payment systems and customised solutions. Its LinkedIn profile similarly presents Impaya as a “full-package solution” with legal support and online payment technology. That public positioning fits the role seen in the payment flow: Impaya may be providing gateway or orchestration technology. However, FinTelegram should request confirmation before making any definitive statement about its contractual role. 3. NewTech Mobile And The Latvian Link The whistleblower identified NewTech Mobile SIA as Impaya’s EU representative. Public search results for Impaya confirm NewTech Mobile SIA, registration number 40103709254, as the EU representative shown on Impaya’s own site. This is relevant because it gives regulators and counterparties a concrete EU contact point for questions about the observed casino-payment routing. 4. Aceiro: The Most Opaque Layer Aceiro is currently the weakest attribution point. The domain appears in the live payment path, but the public corporate operator is not yet established. That makes it a classic Rail Atlas target: a domain-level routing layer whose ownership, contractual role, and regulatory status require further investigation. Evidence & Confidence Table Entity / LayerObserved RoleEvidence TypeConfidencePagagate.comCasino-facing gateway / first visible payment hopScreenshot/video + SimilarWeb contextCorroboratedImpaya.onlinePayment-processing redirect layerScreenshot/videoCorroboratedImpayaimpaya.com Latvia-based payment solutions providerPublic website and LinkedInConfirmedImpaya Payments LtdCanadian payment solutions providerPublic information via websiteConfirmedPaytech Solutions PTE LTDSingapore representative for ImpayaPublic information via websiteConfirmedNewTech Mobile SIAnewtech.lvImpaya EU representativeImpaya public disclosureConfirmedSergejs RoslikovsImpaya CEOPublic professional profiles (LinkedIn)ConfirmedAceiro.onlineIntermediate payment-processing layerScreenshot/videoCorroboratedopenbanking.paysolo.netPaysolo bank-selection layerScreenshot/videoConfirmedPellopay Finance LTDPayment consent / initiation layerScreenshot/video + public siteCorroboratedYapily Connect UABOpen-banking connectorPayment footer / public open-banking roleCorroboratedRevolutBank option / downstream endpointScreenshot/videoConfirmed Questions To Impaya / NewTech Mobile Does Impaya operate or control impaya.online? Does Impaya provide cashier, routing, gateway, or payment-processing services to Pagagate, Urbenics, Paysolo, Pellopay, or casino operators? What is the relationship between Impaya, NewTech Mobile SIA, Aceiro and Pagagate? Does Impaya process or route payments for Luckzie.io, Kingdomcasino.io, Jinxcasino.io, Kingdomcasino6.io, or related casino brands? What merchant due diligence is performed for gambling-related clients? Does Impaya identify the underlying casino merchant to downstream partners? Does NewTech Mobile SIA act as a regulatory representative, technical operator, merchant reseller, or contractual counterparty? Has Impaya received complaints or refund requests regarding casino payments? Does Impaya support open-banking payment flows via Paysolo, Pellopay or Yapily? Who is the merchant of record in the observed €50 casino deposit flow? Questions To Aceiro Who owns and operates aceiro.online? Is Aceiro a payment processor, routing domain, white-label gateway, merchant platform, or affiliate technology layer? Why does Aceiro appear between Impaya and Paysolo in the observed casino payment journey? Does Aceiro maintain transaction logs identifying the original casino merchant? Which PSPs, PISPs or open-banking providers does Aceiro connect to? Regulatory Assessment The Impaya/Aceiro layer is the point where payment opacity appears to intensify. A player starts in a casino environment, but by the time the journey reaches Paysolo and then Pellopay/Yapily, the origin may be reduced to a technical payment session. For regulators, this raises three issues: Merchant transparency: Can the bank or PISP see the original casino brand? Consumer protection: Does the player understand that the payment may become an open-banking transfer without card-style chargeback rights? AML/CTF and gambling compliance: Are unlicensed casino payments being routed through payment layers that avoid MCC 7995-style detection? Conclusion The Impaya/Aceiro evidence gives FinTelegram’s Rail Atlas a sharper view of the upstream routing layer. Paysolo is the visible open-banking gateway. Pellopay and Yapily appear to sit behind it. But Impaya and Aceiro appear before it, acting as the tunnel between the casino-facing payment gateway and the regulated/open-banking stack. This is precisely where the compliance risk becomes most serious: the original gambling context may be fragmented before the payment reaches banks such as Revolut. FinTelegram’s working hypothesis is therefore: Impaya and Aceiro may function as intermediate routing layers in a multi-hop casino-payment architecture that feeds Paysolo’s open-banking gateway and downstream bank APIs. This requires direct responses from Impaya, NewTech Mobile, Aceiro, Paysolo, Pellopay, Yapily and Revolut. Whistle42 Call FinTelegram invites payment insiders, gateway operators, casino employees, compliance officers, open-banking providers and affected players to submit information confidentially via Whistle42. We are specifically seeking URL logs, redirect chains, merchant contracts, settlement records, payment descriptors, KYC files, correspondence with Impaya/NewTech Mobile, and evidence identifying the operator of Aceiro. Share Information via Whistle42

New whistleblower evidence reviewed by FinTelegram appears to show a Dutch-facing casino deposit flow moving from Kingdomcasino into openbanking.paysolo.net, where users are offered banks including Revolut, Rabobank, N26, SNS Bank and Wise. The payment page itself states that the user agrees to allow “Pellopay Finance LTD partners Yapily Connect” to initiate the payment. The evidence strengthens FinTelegram’s working hypothesis that anonymous gateways, open-banking providers, fiat/crypto bridge operators and Revolut’s Open Banking API may form a layered casino-payment corridor. Key Findings Video evidence shows a live casino deposit journey. The uploaded video begins on kingdomcasino6.io, showing a €50 deposit page in Dutch with card, iDEAL, instant bank transfer and crypto options. The user is redirected to Paysolo. The payment flow moves to openbanking.paysolo.net, displaying the Paysolo logo, order number 2026040239881439, total €50.00, and a Dutch-language bank-selection interface. Revolut EU is offered as a bank option. The Paysolo page lists N26, Rabobank, Regio Bank, Revolut EU, SNS Bank and Wise. Pellopay and Yapily appear in the payment consent text. The footer states that by using the service, the user agrees to allow Pellopay Finance LTD partners Yapily Connect to initiate the payment. Yapily publicly markets open-banking infrastructure for payments and lists iGaming as a supported solution category. Yapily’s website says it supports payments and data across consumer and business accounts, and specifically describes open-banking payments “built for iGaming.” Open Banking Limited lists Yapily Connect Ltd as an open-banking regulated provider connecting to banks across 19 countries. NewTech Mobile SIA appears relevant to Impaya. Public Latvian company data identifies NewTech Mobile SIA, registration number 40103709254, at Skanstes iela 7 k-1, Riga, matching the whistleblower’s stated EU representative information. Impaya publicly presents itself as an e-commerce payment-solution provider. Its website describes a “full-package solution” for businesses. Read our Revolut Rail Atlas reports here. The Payment Flow Observed Based on the uploaded video and screenshot evidence, the observed chain appears as follows: Kingdomcasino6.io → payment interface / possible Impaya-linked URL layer → openbanking.paysolo.net → Pellopay / Yapily Connect consent layer → bank selection → Revolut EU and other banks This does not yet prove contractual responsibility by every named party. But it does show a live user journey where a casino deposit flow ends at a Paysolo-branded open-banking bank-selection page and references Pellopay, Yapily Connect and Revolut EU as part of the payment environment. From Kingdom Casino to Revolut: The Multi-Layered Payment Flow The observed payment flow shows that openbanking.paysolo.net functions as a user-facing open-banking gateway, while Pellopay Finance LTD appears at the payment-consent layer as the payment initiator. Casino↓Pagagate (entry gateway / cashier)↓Impaya (processing / routing layer)↓Aceiro (intermediate routing / alias layer)↓Paysolo (open banking UI gateway)↓Pellopay (payment initiator / backend PSP)↓Yapily (regulated Open Banking connector)↓Bank (Revolut, Rabobank, etc.) The upstream routing chain — including Pagagate, Impaya and Aceiro — indicates a multi-layered payment orchestration structure in which different entities handle gateway access, routing, and execution separately. This fragmentation may obscure the original merchant context before the payment reaches regulated banking infrastructure. The Paysolo payment page identifies “Pellopay Finance LTD” in the consent layer. Public materials on Pellopay.com describe Pellopay Finance Ltd as a Canada-registered payment-processing company offering API-based payment integration, payment links, bank transfers, digital wallets and support for methods including Revolut. This supports the assessment that Pellopay acts as a backend payment-processing or orchestration layer in the observed Paysolo open-banking flow, while Yapily Connect appears to provide the regulated open-banking connectivity. If Impaya or related operators provide the gateway front-end, then the observable payment chain may be broader than Paysolo alone: Casino brand → Impaya / Aceiro / gateway layer → Paysolo open banking → Pellopay / Yapily Connect → Revolut EU Evidence & Confidence Table Entity / Rail ElementObserved RoleEvidence TypeConfidenceKingdomcasinoCasino deposit originUploaded videoCorroboratedPaysoloopenbanking.paysolo.netBank-selection / Paysolo payment pageUploaded video + screenshotConfirmed in evidenceRevolutListed bank optionUploaded screenshot/videoConfirmed in evidencePellopay Finance LTDNamed in payment-consent footerUploaded screenshot/videoConfirmed in evidenceYapily ConnectNamed as payment-initiation partnerUploaded screenshot/video + public open-banking recordsCorroboratedImpayaAlleged URL/payment-flow layerWhistleblower statementIndicatedNewTech Mobile SIAAlleged EU representative / Impaya-linked entityWhistleblower statement + Latvian company recordIndicatedAceiroAlleged name in payment linksWhistleblower statementIndicated Compliance Analysis 1. Open Banking Replaces Chargeback Logic The whistleblower’s complaint highlights a key consumer-protection issue: where payments are made through open banking, the user may not have the same practical chargeback route as with card payments. That matters in gambling flows, where disputes, failed withdrawals, and merchant opacity are frequent. 2. Yapily’s iGaming Positioning Creates A Compliance Question Yapily openly presents iGaming as one of its supported solution categories and says its open-banking payments can cut fees and improve first-time player deposit success. That is not improper by itself. Licensed iGaming is a legitimate industry. But if the same rails appear in unlicensed or offshore casino environments targeting Dutch users, the compliance question becomes acute. 3. Revolut Appears As A Downstream Bank Option The Paysolo page offers Revolut EU among the selectable banks. That does not prove Revolut has a direct relationship with the casino or Paysolo. But it shows that the player journey can be routed toward Revolut through an open-banking interface. 4. Paysolo Sits At The Critical Conversion Point Paysolo’s presence is significant because earlier Rail Atlas findings already placed openbanking.paysolo.net in a traffic corridor involving Pagagate, Urbenics and oba.revolut.com. The new video now adds transaction-level context: a casino deposit journey visibly reaches the Paysolo bank-selection layer. Questions To Send To The Parties To Paysolo Is Paysolo the operator of openbanking.paysolo.net? Does Paysolo process payments for Kingdomcasino6.io, Luckzie.io, Jinxcasino.io, Pagagate, Urbenics, Impaya, Aceiro or Pellopay? Does Paysolo screen upstream merchants for gambling activity and Dutch licensing status? To Pellopay What is Pellopay Finance LTD’s role in the observed Paysolo payment page? Is Pellopay the merchant, payment initiator, technical service provider or contractual PSP? Does Pellopay onboard or monitor casino-related merchants? To Yapily Was Yapily Connect involved in the payment initiation shown in the uploaded evidence? Does Yapily allow its infrastructure to be used for offshore casino deposits targeting Dutch players? What upstream merchant information is passed to banks such as Revolut? To Revolut Does Revolut detect that these open-banking flows originate from casino deposit journeys? Does Revolut monitor Paysolo, Pellopay, Impaya, Pagagate or Urbenics as high-risk open-banking corridors? Are payments to unlicensed casino operators blocked when they arrive through open-banking intermediaries? To Impaya / NewTech Mobile / Aceiro What role do Impaya, NewTech Mobile and Aceiro play in the observed payment links? Are these entities providing gateway or cashier technology for offshore casinos? Who is the merchant of record in the observed transaction flow? Conclusion The new evidence gives FinTelegram a stronger transaction-level case study. It shows a casino deposit flow reaching Paysolo, presenting Revolut EU as a bank option, and naming Pellopay Finance LTD and Yapily Connect in the payment-consent layer. This does not prove knowing facilitation by Revolut, Yapily, Paysolo, Pellopay or Impaya. But it does show how open banking can be embedded inside casino-payment journeys in ways that may obscure the underlying merchant, weaken chargeback protections, and shift risk into account-to-account payment rails. For regulators, the message is simple: the casino-payment perimeter has moved from card acquiring to open banking.

FinTelegram’s first Revolut Rail Atlas follow-up zooms in on openbanking.paysolo.net, a payment gateway that appears to sit between anonymous casino-facing gateways and Revolut’s Open Banking API. SimilarWeb screenshots indicate that all referring traffic to openbanking.paysolo.net came from the anonymous payment gateways Pagagate and Urbenics in March 2026, while more than 78% of outgoing traffic reportedly went to oba.revolut.com. The working hypothesis: Paysolo may represent a crypto/open-banking bridge inside a layered casino-payment architecture. Key Findings Paysolo’s public corporate site identifies Paysolo O.O.D. as a Bulgarian company with registration number 207268330, registered as a provider of virtual/fiat exchange services in Bulgaria’s National Revenue Agency VASP register. Paysolo markets itself as a EUR-to-crypto bridge and virtual IBAN provider, offering SEPA/SWIFT-based fiat-to-crypto services. The open-banking gateway openbanking.paysolo.net is live and publicly returns a minimal version page, supporting its operational existence. SimilarWeb screenshots show a suspicious traffic funnel: Pagagate and Urbenics as the only visible referring domains to openbanking.paysolo.net, and oba.revolut.com as the dominant outgoing destination. Pagagate and Urbenics appear in FinTelegram’s casino-rail observations, suggesting the Paysolo gateway may sit inside an offshore iGaming payment chain. This remains a working hypothesis pending payment-test evidence, registry/DNS linkage, and merchant documentation. The relationship between paysolo.io and paysolo.net is plausible but should be framed carefully. paysolo.io is the corporate/marketing site; paysolo.net presents as “PaySolo – Your payment partner” and references “Newtech Mobile,” so the precise legal/operator linkage requires further verification. Revolut Rail Map: The Paysolo Corridor Similarweb statistics for Paysolo.net for March 2026 The observed traffic pattern suggests the following payment architecture: Casino-facing gateway → Pagagate / Urbenics → openbanking.paysolo.net → Revolut Open Banking API → Revolut account This is exactly the type of multi-layered open-banking rail FinTelegram identified in the Revolut Rail Atlas opener. The key issue is not merely that Revolut appears as a bank destination. The issue is that Revolut appears downstream of gateways that, based on traffic intelligence, are connected to casino environments. Read our initial Revolut Rail Map report here. Paysolo: Crypto Bridge, Virtual IBAN Provider, Or Casino-Rail Middleware? Paysolo’s own materials describe a platform offering virtual IBAN services, crypto-asset exchange, payment processing, SEPA, and fiat-to-crypto conversion. Its website says users can send EUR via SEPA or SWIFT to a Paysolo virtual IBAN, convert EUR to crypto, and withdraw crypto to external wallets. That profile is highly relevant in the casino-payment context. Offshore casino operators increasingly need rails that can move user money from bank accounts into crypto or quasi-crypto settlement environments. A VASP-style bridge with open-banking intake, virtual IBANs, and crypto withdrawal functionality may therefore become a critical conversion layer. FinTelegram does not state at this stage that Paysolo knowingly services illegal casinos. The more precise finding is that openbanking.paysolo.net appears, based on the supplied traffic screenshots, to receive traffic from casino-facing gateways and to send substantial outgoing traffic to Revolut’s Open Banking endpoint. Read all Revolut Rail Atlas reports here. The SimilarWeb Evidence The uploaded SimilarWeb screenshots indicate the following March 2026 pattern: Domain analysedFindingCompliance interpretationopenbanking.paysolo.netReferrals: Pagagate.com 83.31%, Urbenics.com 16.69%;Outgoing traffic: openbanking.paysolo.net 80.40%100% visible referral traffic from two gateway domains;Revolut appears to be the dominant downstream bank/API destinationpagagate.comOutgoing traffic: openbanking.paysolo.net 46.83%, aphrodite1.casino 19.31%Pagagate appears connected to both Paysolo and a casino domainurbenics.comReferrals include Boomerang Bet, Casinoly, Posido, Vegasino, Skyhills;Outgoing traffic: openbanking.paysolo.net 80.40%Urbenics appears casino-facing; Paysolo appears as the dominant downstream endpoint FinTelegram understands that openbanking.paysolo.net recorded more than 309,000 visits in March 2026. This is not a fringe technical endpoint. It is a meaningful traffic node. Why This Matters For Revolut In the Revolut Rail Atlas opener, FinTelegram identified a broader pattern: offshore casino sites often route payments through anonymous gateways and open-banking intermediaries before landing at bank APIs, including Revolut’s oba.revolut.com. The Paysolo case gives that model a sharper structure: Urbenics / Pagagate → Paysolo open-banking gateway → Revolut Open Banking This raises several questions: Does Revolut see only the final open-banking payment instruction, or can it detect the upstream casino/gateway context? Does Revolut monitor repeat traffic from high-risk open-banking intermediaries? Does Revolut classify flows from Paysolo as crypto, open banking, virtual IBAN, merchant payment, or customer-authorised account transfer? Does the gateway chain obscure whether the underlying transaction relates to gambling, crypto conversion, or both? The compliance concern is the possible blending of three high-risk categories: offshore gambling, open banking, and fiat-to-crypto conversion. Corporate & Regulatory Footprint Paysolo’s public website identifies Paysolo O.O.D., Bulgaria, company registration number 207268330, as the relevant legal entity and states that it is registered in Bulgaria’s National Revenue Agency VASP register. Its terms define the platform as including paysolo.io, app.paysolo.io, associated mobile applications, virtual IBAN services, crypto-asset exchange, and payment processing. This matters because VASP registration is not a licence to process illegal gambling flows. A VASP handling fiat-to-crypto conversion must still manage AML, source-of-funds, transaction-monitoring, sanctions, fraud, and high-risk merchant exposure. If casino-originated flows are entering the system via Pagagate or Urbenics, the compliance question becomes unavoidable. Evidence & Confidence Table Entity / Rail ElementObserved RoleEvidence TypeJurisdictionConfidence GradePaysolo O.O.D.Public corporate entity behind Paysolo.ioWebsite disclosureBulgariaConfirmedpaysolo.ioCorporate / product sitePublic websiteBulgariaConfirmedpaysolo.net“PaySolo – Your payment partner” gateway sitePublic web pageUnclearIndicatedopenbanking.paysolo.netOpen-banking gatewayLive endpoint + SimilarWeb dataUnclearCorroboratedPagagate.comReferrer into Paysolo gatewaySimilarWeb screenshotUnknownCorroboratedUrbenics.comCasino-facing gateway and Paysolo feederSimilarWeb screenshotUnknownCorroboratedoba.revolut.comDominant outgoing destination from Paysolo gatewaySimilarWeb screenshotUK / EEACorroboratedOffshore casino domainsSource environmentSimilarWeb screenshots / FinTelegram observationsOffshoreCorroborated Compliance Analysis 1. The Paysolo Setup Looks Like A Conversion Layer Paysolo’s public model — virtual IBANs, SEPA/SWIFT intake, fiat-to-crypto conversion, external wallet withdrawals — is exactly the kind of infrastructure that can be legitimate in ordinary crypto use, but highly sensitive when connected to gambling traffic. 2. Pagagate And Urbenics Create The Casino-Rail Context The uploaded screenshots show that Pagagate and Urbenics are not random referrers. Urbenics’ referring domains include multiple casino-style brands, and Pagagate’s outgoing traffic includes both openbanking.paysolo.net and aphrodite1.casino. That pattern suggests gateway-to-casino proximity. 3. Revolut Appears As The Downstream Bank API The most important technical signal is that oba.revolut.com reportedly accounts for 78.69% of outgoing traffic from openbanking.paysolo.net. That makes Revolut not merely one bank among many, but apparently the dominant outgoing destination in the observed SimilarWeb sample. 4. Open Banking May Weaken Merchant Transparency Traditional card acquiring has MCC codes, merchant descriptors, acquirer monitoring, chargeback patterns, and gambling-blocking logic. Open-banking chains can be more opaque if the bank sees a customer-authorised transfer but not the full upstream commercial context. That is why the Paysolo case is important: it shows how an offshore casino user journey may be transformed into an open-banking or fiat-to-crypto transaction before hitting the bank layer. Open Questions To Paysolo Is Paysolo O.O.D. the legal operator of paysolo.net and openbanking.paysolo.net? What is the relationship between Paysolo O.O.D., Paysolo Ltd., Newtech Mobile, and any PaySolo-branded gateway domains? Does Paysolo provide services to Pagagate.com or Urbenics.com? Does Paysolo onboard or process flows for online casinos, betting sites, affiliate networks, or gambling-related gateways? Does Paysolo classify Pagagate and Urbenics as high-risk merchants or technical partners? Does Paysolo screen upstream domains before processing open-banking or vIBAN transactions? How many transactions in March 2026 originated from Pagagate and Urbenics? Does Paysolo pass merchant-origin information to Revolut or other downstream banks? Are fiat-to-crypto conversions allowed when the source transaction originates from gambling-related activity? Has Paysolo filed suspicious-activity reports or blocked transactions connected to casino gateways? Open Questions To Revolut Does Revolut monitor openbanking.paysolo.net as a high-risk open-banking counterparty? Does Revolut receive upstream origin data showing whether payments originate from Pagagate, Urbenics, or casino domains? Does Revolut classify Paysolo-related flows as crypto, open banking, gambling, merchant payment, or account-to-account transfer? Has Revolut restricted, reviewed, or reported any flows involving Paysolo, Pagagate, or Urbenics? Does Revolut’s gambling-blocking logic cover open-banking payments routed through VASP or vIBAN intermediaries? Conclusion The Paysolo case provides the first concrete follow-up node in FinTelegram’s Revolut Rail Atlas. The apparent structure is simple but powerful: anonymous casino-facing gateways feed into openbanking.paysolo.net; Paysolo’s gateway then sends most visible outgoing traffic to Revolut’s Open Banking API. This does not prove that Paysolo or Revolut knowingly facilitate illegal gambling. But it demonstrates the precise compliance risk FinTelegram has warned about: multi-layered open-banking rails can transform casino-originated money flows into bank/API traffic that may appear cleaner than the underlying transaction reality. For regulators, the issue is clear: open banking must not become the new blind spot for illegal gambling and crypto conversion rails. Whistle42 Call FinTelegram invites payment insiders, Paysolo users, Revolut compliance staff, casino operators, open-banking providers, gateway developers, and affected players to submit information confidentially via Whistle42. We are especially interested in API logs, merchant contracts, settlement records, payment descriptors, screenshots, VASP onboarding files, Revolut transaction records, and internal risk alerts involving Paysolo, Pagagate, Urbenics, or casino-linked open-banking flows. Share Information via Whistle42

FinTelegram’s Rail Atlas analysis have repeatedly observed Revolut’s Open Banking endpoint inside layered offshore casino payment flows. The pattern appears to combine anonymous gateways, open-banking intermediaries, and Revolut’s own customer-side payment infrastructure. This does not prove knowing facilitation by Revolut — but it raises serious questions about monitoring, merchant transparency, and whether casino-related flows have become a hidden growth vector inside one of Europe’s fastest-growing fintech platforms. Key Findings Revolut appears repeatedly in observed casino payment paths. FinTelegram has reviewed multiple offshore casino rails where deposits route toward oba.revolut.com, often through intermediary open-banking layers. The rail structure is layered by design. Typical pattern: casino site → anonymous gateway → open-banking provider → bank/open-banking API. Contiant traffic is a red flag. The uploaded SimilarWeb screenshots show Contiant traffic heavily concentrated in the Netherlands, with casino domains among top referrals and oba.revolut.com among top outgoing destinations. Revolut itself recognises gambling-payment risk. Revolut states that some European countries require it to block payments to and from illegal gambling providers, and that it enforces regulator lists where applicable. Revolut Business terms prohibit gambling activity. Revolut’s UK Business Terms list “binary options or gambling” among prohibited business activities. Annual accounts do not disclose iGaming exposure directly. Revolut’s 2025 annual report shows explosive growth in customers, transaction volume, payments revenue, payment acceptance, and Revolut Business — but no specific casino/iGaming segmentation. Financial-crime risk is acknowledged. Revolut’s 2025 report states that its systems analysed over 10 billion transactions and that more than one-third of its workforce works in Financial Crime Prevention. Rail Map: The Observed Casino Payment Flow FinTelegram’s working model is as follows: Player → Offshore casino → anonymous payment gateway → open-banking intermediary → Revolut Open Banking endpoint → player’s Revolut account Observed or reported rail elements include: LayerExamplesCompliance relevanceCasino front-endSkyhills, Epicbet, Wizebets, Spacehills and others shown in traffic referralsUnlicensed/offshore iGaming exposureFirst-hop gatewaysecurepayins.com, urbenics, casino-branded gateway pagesMerchant opacity / transaction laundering riskOpen-banking layerContiant, Yapily Connect, Perspecteev, SaltEdgePayment initiation / routing layerBank/API endpointoba.revolut.comRevolut-side account/payment infrastructure The key compliance issue is not simply that a Revolut customer may gamble. The issue is whether repeated, structured, high-volume flows through Revolut-linked open-banking infrastructure indicate a recognisable casino payment corridor that should trigger enhanced monitoring, blocking, reporting, or regulatory review. Revolut’s Role in the Observed Rails Revolut’s Open Banking API is described by Revolut as the gateway for third-party providers to interact with Revolut customers and products, including account information and payment initiation. This matters because the observed casino rails do not always appear as simple card payments to a gambling merchant. Instead, the flows appear to use open-banking payment initiation and intermediate gateway domains. That structure can make merchant identification harder and can blur whether the transaction is seen as gambling, generic account-to-account transfer, gateway payment, or customer-authorised payment. Revolut cannot be accused, on the basis of this evidence alone, of knowingly facilitating illegal gambling. But the repeated appearance of oba.revolut.com in offshore casino rail analysis creates a serious compliance question: does Revolut’s monitoring framework identify the upstream casino context when payments arrive through third-party open-banking layers? The Open Banking Layer: Contiant, Yapily, Perspecteev, SaltEdge Similarweb statistics on Contiant Contiant is a Bulgarian open banking infrastructure provide. Contiant SimilarWeb screenshots show a highly concentrated traffic profile. In March 2026, Contiant traffic was reportedly 93.21% Netherlands, with Germany, Norway, the UK, and France far behind. The referral screenshot shows casino domains as top referrers, including skyhills.com, epicbet.com, wizebets.com, and spacehills.com. The outgoing-traffic screenshot shows bank destinations including KBC, Rabobank, ING, SNS Bank, and oba.revolut.com. This is not proof of illegality by Contiant or Revolut. It is, however, a strong traffic-intelligence indicator that Contiant functions as a casino-facing open-banking routing layer, with Revolut among the destination banks offered to players. Read our Contiant reports here. Traffic Intelligence: What the SimilarWeb Data Suggests FinTelegram’s working interpretation: ObservationInterpretationConfidenceContiant referrals dominated by casino domainsContiant appears materially exposed to casino payment trafficCorroborated by screenshotNetherlands accounts for over 93% of Contiant trafficDutch player market appears central to this railCorroborated by screenshotoba.revolut.com appears among top outgoing linksRevolut Open Banking is part of the downstream railCorroborated by screenshotSimilarWeb reportedly shows over 1.1m visits to oba.revolut.com in March 2026Revolut Open Banking has significant traffic scaleFinTelegram-held traffic dataAnonymous first-hop gateways appear before open-banking providersLayering may obscure merchant contextWorking hypothesis Traffic analytics should be treated as intelligence, not final evidence. They show directionality, referrals, and routing patterns — not necessarily contractual relationships, settlement flows, or regulatory responsibility. Financial Statement Angle: Can iGaming Exposure Be Seen in Revolut’s Accounts? Directly: no. Indirectly: possibly. Revolut’s 2025 annual report does not disclose gambling, iGaming, casino, MCC 7995, or high-risk merchant exposure as a standalone segment. However, the report contains several data points relevant to the Rail Atlas hypothesis: Retail customers rose to 68.3 million, and retail transaction volume reached £986 billion in 2025. Business customers reached 767,000, and business transaction volume reached £277 billion. Revenue increased to £4.5 billion, with card payments the largest revenue stream at 22.2% of total revenue. Revolut Business accounted for 16% of total income, while payment acceptance volumes increased 228% year-on-year. Revolut states that financial crime risk includes the risk that its products and services are used to facilitate illegal activity, and that failures may lead to enforcement action, fines, restrictions, or reputational damage. The financial statements therefore do not prove iGaming dependence. But they do show a company whose growth is heavily driven by transaction volume, payment acceptance, business accounts, open banking, and high-frequency customer usage. If offshore casino flows are material, they would likely be buried inside broader payment, account-to-account, card, or business-payment categories. Regulatory Context Revolut’s own help pages acknowledge that some European countries require it to block transactions to and from illegal gambling providers, and that regulators publish licensed or unlicensed gambling-provider lists which Revolut enforces where applicable. This is critical. Revolut is not blind to the category. It recognises that illegal gambling payments are a regulated payment-risk domain. The compliance challenge is whether open-banking layering allows casino payments to bypass conventional merchant-category detection. Norway is especially relevant. Public reporting and legal materials describe Norway’s payment transaction ban as requiring banks and financial institutions to block payments connected with unlicensed gambling operators. FinTelegram has separately reported on the alleged use of Revolut as an “entry wallet” in Norwegian offshore gambling flows. Compliance Assessment FinTelegram’s initial assessment is that Revolut should be expected to monitor at least five risk layers: Known casino domains feeding open-banking intermediaries. Repeated customer deposits to offshore casino-linked gateways. Open-banking payment initiation patterns involving high-risk gateway domains. Geographic concentration in regulated or restricted gambling markets, including the Netherlands and Norway. Mismatch between apparent merchant/gateway descriptors and underlying gambling activity. The core issue is not only MCC 7995. Open banking may not always present the same clean merchant-category indicators as card acquiring. That is precisely why layered rails create a compliance blind spot. Evidence & Confidence Table Entity / Rail ElementObserved RoleEvidence TypeJurisdictionConfidence GradeRevolut / oba.revolut.comDownstream open-banking endpointTraffic analysis, rail observationsUK / EEACorroboratedContiantOpen-banking intermediarySimilarWeb screenshotsBulgaria / Netherlands-facing trafficCorroboratedYapily ConnectOpen-banking layerFinTelegram rail observationsUK / EEACorroboratedPerspecteev / SaltEdgeOpen-banking / data layerFinTelegram rail observationsFR / EEACorroboratedsecurepayins.comAnonymous gatewayFinTelegram observationsUnknownCorroboratedurbenicsAnonymous gatewayFinTelegram observationsUnknownCorroboratedOffshore casino brandsOriginating merchantsCasino-site payment testing / traffic dataOffshoreCorroborated Open Questions to Revolut Does Revolut monitor oba.revolut.com traffic for upstream casino or gambling-originated payment flows? Does Revolut classify payments initiated through Contiant, Yapily, Perspecteev, or SaltEdge differently from direct card gambling payments? Does Revolut maintain a list of casino-linked gateway domains such as securepayins.com or urbenics? How does Revolut determine whether an open-banking payment is connected to an illegal gambling operator? Has Revolut identified Contiant as a high-risk open-banking traffic source? How many Revolut customer accounts were restricted or closed in 2025 for gambling-related or casino-payment activity? Does Revolut report suspicious casino-related payment patterns to FIUs or gambling regulators? Does Revolut’s financial-crime monitoring include merchant-domain intelligence and referral-chain analysis? Has Revolut received inquiries from Norwegian, Dutch, UK, Lithuanian, or other EU regulators about offshore gambling payment flows? Does Revolut consider casino-related open-banking traffic a material compliance risk? Conclusion This initial Rail Atlas report does not allege that Revolut knowingly enables illegal gambling. It establishes a more precise and regulator-relevant point: Revolut’s Open Banking infrastructure appears repeatedly in observed offshore casino payment paths, often after multiple layers of anonymous gateways and open-banking intermediaries. That pattern deserves scrutiny. Revolut’s own public materials show that it recognises gambling-payment restrictions and invests heavily in financial-crime prevention. Yet the observed rails suggest that open-banking structures may create a new form of transaction-laundering risk: not by hiding money entirely, but by hiding the commercial context of the payment. The next Rail Atlas installments should focus on the individual rail components — Contiant, Yapily Connect, Perspecteev/SaltEdge, securepayins.com, urbenics, and the casino brands feeding those rails. Whistle42 Call FinTelegram invites Revolut insiders, open-banking providers, casino payment agents, compliance officers, payment processors, affected players, and whistleblowers to submit confidential information through the Whistle42 platform. We are especially interested in payment descriptors, gateway contracts, merchant onboarding files, compliance alerts, blocked-payment records, and internal risk assessments relating to offshore casino flows. Share Information via Whistle42

JET Bank was sold to the public as Albania’s first digital bank. But in Albania, the launch quickly turned into a scandal after media reports and political voices began questioning who really stands behind the bank’s Dutch-Cypriot-Israeli ownership maze — and whether the project could be linked to the wider ecosystem around convicted scam mastermind Gal Barak. Against that backdrop, FinTelegram reviewed the case through the lens of its long-running investigations into Barak, Gery Shalon, and the Israeli cybercrime architecture that has repeatedly surfaced across Europe. The result is a troubling picture of opaque structures, high-risk names, and unresolved control questions — even if direct Barak or Shalon ownership of Jet Bank is still unproven on the current public record. Key Findings JET Bank is licensed and live in Albania’s regulated banking perimeter. The Bank of Albania granted preliminary approval in December 2025 and approved the banking licence in March 2026; Jet Bank now appears on the official list of licensed banks. The bank is officially presented as Albania’s first fully digital bank and is marketed through the jet.bank domain as a mobile-native, app-based bank. Jet’s own site and partner Backbase both state that it is owned by Jet Holding B.V., Amsterdam. The upstream ownership structure is Israeli/Cypriot in character. Monitor and Albeu report that Jet Holdings is controlled through a six-shareholder cap table led by Constador Ltd. of Cyprus at about 71.5%, with the remaining stakes held by Israeli companies. Both outlets report that Idan Avishai, a British-Israeli national, is the sole shareholder of Constador and previously controlled Jet Albania. Jet Albania, the precursor vehicle, was 100% owned by Idan Avishai. An Albanian corporate record shows Jet Albania was founded in July 2025, initially 100% owned by Avishai, with later governance roles for Fatbardha Rino, Oliver Hemmer, and Rami Solomon. Oliver Hemmer’s link to 4XFX is documentary, not speculative. A GRF Europe OÜ filing shows Hemmer was sole shareholder and board member; the FCA said 4XFX was “owned and operated” by GRF Europe OÜ; a business agreement shows Hemmer signing on behalf of GRF Europe OÜ in a 4XFX marketing/funds arrangement with Rapid Bo Pty Ltd. What is not proved on the public record is the most explosive allegation: that Gal Barak or Gery Shalon are direct or beneficial owners of Jet Bank. Albanian media report rumors and network allegations; FinTelegram has intelligence pointing in that direction; but the current public-source record does not prove operational control by either man. Compliance Analysis 1. What JET Bank is JET Bank (Jet.Bank) is a newly licensed Albanian bank positioned as the country’s first 100% digital bank. The Bank of Albania granted preliminary approval on 3 December 2025 and the full banking licence on 25 March 2026, explicitly under Law No. 9662/2006 “On Banks in the Republic of Albania” and the central bank’s licensing regulation for banks and branches of foreign banks. The Bank of Albania’s supervisory framework says banks operate under a system of laws, regulations, guidelines, and orders aligned with Basel and EU standards. Jet Bank’s own site says it offers always-on digital financial services and markets itself through jet.bank, with additional visible endpoints such as jobs.jet.bank, a waiting-list flow, referral program, FAQ, and contact pages. Its technology partner Backbase says Jet is an app-based, mobile-native bank and explicitly identifies ownership by Jet Holding B.V., Amsterdam. 2. Who’s Who Behind Jet Bank? JET Bank is presented as Albania’s first fully digital bank. But behind the sleek app-first image sits a layered ownership structure that points not to a classic Albanian banking story, but to an Israeli-led project routed through Amsterdam and Cyprus. At the center of the structure is Jet Holding B.V. in Amsterdam, the Dutch vehicle sitting above the Albanian bank. The dominant shareholder in this holding is Constador Ltd., a Cyprus company reported to hold roughly 71.5%. According to Albanian reporting, Constador’s sole shareholder is Idan Avishai, an Israeli-British businessman who also founded and initially controlled Jet Albania, the precursor vehicle for the bank. Around this core sits a cluster of additional Israeli holding vehicles, including Don Albania Holdings Ltd., Ori Eyal Ltd., Yebogogo Ltd., Nathan Lawrence Ltd., and Israel Albania Holding Ltd. Taken together, the cap table gives Jet Bank the unmistakable appearance of an Israeli banking venture planted in Albania through a multi-tier offshore-friendly structure. Dutch banking technology provider Backbase has been selected to power the launch of Albania’s first digital-only bank, Jet Bank.  In plain language: Jet Bank is licensed in Albania, but the real story is upstream — in Amsterdam, Limassol, and the Israeli shareholder layer behind the façade. Here is a clean summary table: Entity / IndividualTypeJurisdictionRoleKey Connections / RelevanceJET Bank sh.a.BankAlbaniaNewly licensed digital bankLicensed by the Bank of Albania in March 2026; publicly presented as Albania’s first fully digital bank.Jet Albania sh.a.Company / precursor vehicleAlbaniaPrecursor entity used to prepare the bank projectReported as the original Albanian vehicle before the structure was shifted upstream to Amsterdam; earlier controlled by Idan Avishai.Jet Holding B.V. / Jet Holdings B.V.Holding companyNetherlands (Amsterdam)Upstream holding company of the bank projectPublic reporting and partner materials place this Dutch vehicle above Jet Bank in the ownership chain.Constador Ltd.Holding companyCyprus (Limassol)Majority shareholder of Jet HoldingsReported to hold about 71.5% of the Dutch holding; central vehicle in the ownership structure.Idan AvishaiIndividualIsrael / UK / Cyprus-linked structureFounder / key shareholder figure;Reported as the sole shareholder of Constador Ltd; Online‑trading and igaming entrepreneurDon Albania Holdings Ltd.Holding companyIsraelMinority shareholder in Jet HoldingsReported shareholder in the Dutch cap table.Ori Eyal Ltd.Holding companyIsraelMinority shareholder in Jet HoldingsReported shareholder in the Dutch cap table.Yebogogo Ltd.Holding companyIsraelMinority shareholder in Jet HoldingsReported shareholder in the Dutch cap table.Nathan Lawrence Ltd.Holding companyIsraelMinority shareholder in Jet HoldingsReported shareholder in the Dutch cap table.Israel Albania Holding Ltd.Holding companyIsraelMinority shareholder in Jet HoldingsReported shareholder in the Dutch cap table; reinforces the Israeli character of the project.Fatbardha RinoIndividual(LinkedIn)AlbaniaPublic-facing banking executive / managerAppears in Albanian reporting and Jet-facing material as a key management figure in the Albanian operation.Oliver HemmerIndividualLiechtenstein / Germany-linked / Estonia-linkedJet Bank board member; officer of controlling Constador Ltd; separately linked to 4XFX operator GRF Europe OÜAppeared in Jet Albania governance reporting; documentary record shows he was sole shareholder and board member of GRF Europe OÜ.Rami SolomonIndividualIsrael-linkedJet-related governance figureAppears in Albanian reporting on the Jet structure; public profile remains limited.GRF Europe OÜCompany(deleted)EstoniaOperator of 4XFXThe FCA said 4XFX was owned and operated by GRF Europe OÜ; 2018 filing shows Oliver Hemmer as sole shareholder. (FCA warning)4XFXBroker platform / scam schemeCross-borderUnauthorised broker operationWarned against by the FCA and CNMV; linked through GRF Europe OÜ and Hemmer. (FCA warning) (CNMV warning PDF)Gal BarakIndividualIsrael / Bulgaria-linked scam ecosystemConvicted cybercrime figureAlbanian media and investigative reporting raise rumors of a Jet Bank connection, but the currently verified public record does not prove he beneficially owns or controls Jet Bank.Gery ShalonIndividualIsraeli cybercrime ecosystemHistoric cybercrime figureFinTelegram intelligence points to possible relevance, but the currently verified public record does not prove he beneficially owns or controls Jet Bank. 3. The Amsterdam-Cyprus-Israel holding maze This is the core compliance story. Monitor and Albeu describe a multi-tier structure in which the Albanian bank is controlled upstream by Jet Holdings in the Netherlands, while the real economic weight sits behind Cyprus and Israeli entities. The reported six-shareholder structure of Jet Holdings is: Constador Ltd. (Cyprus) – approx. 71.5% Don Albania Holdings Ltd. (Israel) – approx. 3.7% Ori Eyal Ltd. (Israel) – approx. 2.6% Yebogogo Ltd. (Israel) – approx. 4.9% Nathan Lawrence Ltd. (Israel) – approx. 4.9% Israel Albania Holding Ltd. (Israel) – approx. 12.4%. Both Monitor and Albeu say Constador’s sole shareholder is Idan Avishai, who also previously controlled Jet Albania. In practical terms, the structure looks less like a conventional domestic Albanian bank formation and more like an Israeli-led project implanted in Albania through a Dutch holding layer and a dominant Cyprus vehicle. That is not unlawful by itself. But it is exactly the kind of structure that should attract enhanced scrutiny on ultimate beneficial ownership, fit-and-proper checks, source of funds, source of wealth, and related-party influence. A further point: Albeu says Jet Holdings was founded only in September 2025 with paid-up capital of €50,000, while Balkanweb reports that by March 2026 the Albanian operation had completed a capital injection of 1.06 billion lek and that questions were being raised about the minimum capital and source-of-funds review. Those facts do not prove impropriety, but they do sharpen the question: who really stands behind the bank financially and operationally? 4. Why Albania is strategically attractive Albania’s attraction is structural. It is a non-EU jurisdiction with an officially domestic currency, the lek, but both the Bank of Albania and the ECB describe Albania as a country with substantial unofficial euroisation and broad public use of foreign currency, especially the euro. The Bank of Albania even has a formal de-euroization policy framework because foreign currency is widely used in transactions and in the financial system. That combination matters. Albania is close to the EU, tied economically to the euro area, but outside the EU’s institutional perimeter. For legitimate entrepreneurs, that can be an opportunity. For aggressive or high-risk operators, it can also be a jurisdictional edge: EU-adjacent, euro-exposed, but not inside the bloc. That does not make Albania “lax” as a proven fact; the Bank of Albania’s formal framework is robust on paper and aligned with EU/Basel norms. But it does help explain why a multi-jurisdictional, Israeli-linked digital-banking project might see Albania as a strategically useful launchpad. 5. Activities and business model JET Bank presents itself as a digital-only retail bank built around app delivery, simplified onboarding, and customer control. Public materials do not yet show a broad disclosed product set comparable to a mature universal bank, but the positioning is clearly toward app-based banking rather than traditional branch banking. Backbase says the bank was built rapidly with implementation partners and that the go-live focus is on digital customer experience and rollout discipline. Jet’s own site emphasizes ease, speed, and accessibility. The immediate compliance issue is not the digital model itself. The issue is that a newly licensed, digital-only bank can scale fast, onboard remotely, and intermediate euro-linked customer flows in a jurisdiction already wrestling with unofficial euroisation. In that setting, ownership transparency and governance pedigree matter even more, not less. 6. The Albanian media allegations: Gal Barak, Gery Shalon, and the rumor perimeter Albanian media have pushed the story hard. Albeu, Balkanweb, Ora News, Pamfleti and others have highlighted the shareholder opacity, the Israeli character of the project, the role of Idan Avishai, and the presence of Oliver Hemmer in the early structure. Some of those reports go further and float rumors or suspicions about links to Gal Barak and the wider Israeli online-trading/fraud ecosystem. At this point, the defensible line is: There is a serious network-risk story. There is not yet public proof that Gal Barak or Gery Shalon beneficially own or control JET Bank. That distinction is critical. The current public record establishes an Israeli/Cypriot/Dutch ownership architecture, a founder linked in Albanian media to the online-trading sector, and a governance trail that includes Oliver Hemmer. It does not yet establish Barak or Shalon control as a proved fact. The Barak/Shalon thesis remains an investigative hypothesis requiring insider material, registry documents, or case-file evidence. 7. Oliver Hemmer & The Questionable Legacy The role of Oliver Hemmer has become one of the most sensitive aspects of the Jet Bank controversy because public records place him inside the corporate perimeter of the structure while documentary evidence separately links him to the operation of the unauthorised 4XFX broker platform. That combination does not by itself prove control over Jet Bank, but it creates a serious fit-and-proper and transparency issue. Official Role in Constador and the Jet Structure Public Cyprus company-data sources list Oliver Hemmer in the officer structure of Constador Ltd. (HE 478734), including as director and secretary, although those sources also warn that current status should be confirmed through a full registry report. Constador is the Cyprus company reported by Albanian media to hold about 71.5% of Jet Holding B.V. in Amsterdam, the Dutch holding vehicle publicly identified in connection with Jet Bank’s ownership chain. Albanian political and media reporting also says Hemmer appeared in the early Jet Albania governance documents as a founding managerial figure. Why Hemmer Is a Red-Flag Figure Hemmer is controversial not because his role at Jet Bank has been proved as controlling, but because he appears to be more than a stray administrative name. Albanian reporting and FinTelegram’s analysis both treat him as a significant figure in the wider ownership perimeter. Jet Bank has reportedly sought to minimize his relevance by presenting him as an early administrative or registration-side participant rather than an operational decision-maker. Even on that narrower version, however, Hemmer’s presence remains highly sensitive given his documented history. The 4XFX / GRF Europe OÜ LinScam Legacy The strongest evidence concerns GRF Europe OÜ. The UK FCA warned that 4XFX was “owned and operated” by GRF Europe OÜ. A 2018 GRF Europe OÜ filing shows Oliver Hemmer as the company’s sole shareholder and management board member. A further business agreement from the criminal files shows Hemmer signing on behalf of GRF Europe OÜ in a 2019 arrangement under which Rapid Bo Pty Ltd would market 4XFX, receive client funds, deduct a fee, and remit the balance to GRF Europe OÜ. That is not passive paperwork; it is documentary evidence of an active operational role in the 4XFX scheme. Download the X4FX Business Operating Agreement The Wider Online-Trading Connection Public Cyprus registry-style sources also associate Oliver Hemmer with Fortrade Cyprus Ltd., adding to the picture of his proximity to the offshore online-trading sector. Albanian reporting has used these overlaps to argue that Jet Bank’s shareholder structure should be examined through the lens of the same high-risk trading environment that previously spread through Cyprus, Bulgaria, Serbia, and other Balkan-adjacent jurisdictions. What remains important, however, is to distinguish between documented overlap and proved beneficial control. The Bottom Line At this stage, the defensible conclusion is not that Hemmer has been proved to control Jet Bank. It is that Hemmer is a material red-flag figure inside the Jet / Constador perimeter because public records place him in the corporate chain while independent documentary evidence places him at the center of GRF Europe OÜ / 4XFX. For regulators, journalists, and counterparties, that is already enough to justify close scrutiny of source of funds, ultimate beneficial ownership, and fit-and-proper vetting. 8. Barak, Shalon & Fortrade: what is known, what is not Gal Barak was convicted in Austria in 2020 and sentenced to four years in prison for fraud and money laundering tied to the wider scam-broker environment. Multiple reporting sources describe the broader operation as causing losses running into the hundreds of millions of euros. His partner and principal, Gery Shalon, was separately charged in the U.S. in the massive JPMorgan hacking case and is widely described as a key figure in the Israeli cybercrime underworld. Read our reports on Gal Barak here. Even thought the Albanian media connects Jet Bank with the Shalon/Barak scheme, the jump from that background to “Barak and Shalon are behind Jet Bank” is still not proven by the public record reviewed here. What can responsibly be said is this: the regional pattern is real: Israeli fraud, payments, and online-trading actors have repThere is a direct link, via the Israeli-British owners Idan Avishai and Oliver Hemmer, to the broker Schema Fortrade, which has already attracted attention due to numerous regulatory penalties and issues. FinTelegram has reported regularly on ForTrade. JET Bank’s ownership and governance perimeter overlaps with that wider environment in worrying ways, especially through Hemmer and the reported trading-sector background around Avishai; but direct Barak/Shalon control remains an allegation requiring more evidence. Read our Fortrade reports here. Conclusion JET Bank is not a rumor. It is a real, licensed Albanian bank operating under the Bank of Albania’s formal regulatory umbrella. That is exactly why the ownership story matters so much. Behind the “first digital bank” narrative sits a structure that looks unmistakably like an Israeli-led Albania project routed through Amsterdam and Cyprus, with Idan Avishai at the center of the documented chain and Oliver Hemmer appearing in the governance perimeter despite his documented role in GRF Europe OÜ / 4XFX. That does not yet prove that Gal Barak or Gery Shalon own or control the bank. But it does create a serious enough smoke pattern to justify scrutiny by regulators, counterparties, correspondent institutions, journalists, and financial-crime investigators. In other words: the scandal is already real, even if the final control map is not yet complete. Call to Whistleblowers Do you know who really funds or controls JET Bank, Jet Holding B.V., Constador Ltd., or the Israeli vehicles behind the structure?Do you have internal material on source of funds, fit-and-proper checks, compliance onboarding, correspondent banking, technology vendors, or the roles of Idan Avishai, Oliver Hemmer, Rami Solomon, or any intermediaries tied to the bank? FinTelegram invites insiders, regulators, compliance professionals, former staff, vendors, and affected counterparties to submit information via Whistle42. Confidential material on Jet Bank’s ownership, governance, or regulatory vetting could be decisive. Share Information via Whistle42

In 2022, FinTelegram warned that MetaTrader’s publisher MetaQuotes sat inside a Cyprus structure with Russian roots, huge market reach, and unresolved beneficial-ownership questions beyond founder and CEO Renat Fatkhullin. In 2026, that concern looks even more relevant. But the stronger compliance angle is no longer the broad slogan of “Russian control.” The sharper question is whether MetaQuotes, Raritex, and Sumsub belong to a wider Cyprus control orbit linking trading software and KYC infrastructure through funding ties, historic control rights, and only partly transparent ownership. Key Findings FinTelegram’s 2022 reporting identified MetaQuotes as the Cyprus-based publisher behind MetaTrader and expressly noted that the beneficial owners of the MetaQuotes Group beyond Renat Fatkhullin were not known. FinTelegram’s September 2022 follow-up tied MetaTrader to pig-butchering and scam-broker concerns and argued that the platform’s compliance relevance went far beyond ordinary software publishing. MetaQuotes publicly announced in September 2020 that it led Sumsub’s $6 million Series A funding round. Sumsub’s current privacy notice still lists Raritex Trade Ltd among the Cyprus entities in the Sumsub group footprint. UK Companies House shows that Raritex Trade Ltd ceased as PSC of Sum and Substance Ltd on 2 October 2023, and that Andrey Severyukhin, Yakov Sever (Severyukhin), and Peter Sever (Severyukhin) are now the active persons with significant control. The Big Compliance Question FinTelegram warned years ago that the MetaTrader story was never just about software. MetaTrader became dominant infrastructure in speculative retail trading. It was used by thousands of brokers and millions of traders worldwide. At the same time, it became deeply embedded in the scam-broker economy. That was the real issue in 2022. And it is still the real issue now. Back then, FinTelegram focused on MetaQuotes as a Cyprus-based structure with Russian roots and explicitly noted that the beneficial owners beyond Renat Fatkhullin were not known. That old instinct still looks right. But in 2026, the stronger story is no longer merely nationality. It is beneficial ownership, control migration, and Cyprus opacity. The Cyprus Web Behind MetaTrader And Sumsub This Was Never Just A Software Story MetaQuotes was never just another software publisher. It became core infrastructure in a fraud-exposed retail trading world. Scam brokers used it. Boiler-room operators relied on it. Pig-butchering actors benefited from the wider ecosystem built around it. That made the ownership question around MetaQuotes more than a corporate curiosity. It made it a compliance issue. The Old MetaQuotes Question Has Become A New Control-Chain Question The real 2026 story is no longer the old shorthand about “Russian control” with Renat Fatkhullin at the front. He is publicly associated with MetaQuotes and has long been described in reporting and industry profiles as Russian / from Russia, while operating from Cyprus. For the Sumsub side, public aterials describe Andrew/Andrey, Jacob/Jacov, and Peter Severyukhin as founders with Israeli nationality or origin with strong Russian connections. Thus, the sharper and more dangerous question is whether MetaQuotes, Raritex, and Sumsub sit inside the same wider Cyprus control orbit — one linking critical trading software to critical KYC infrastructure through funding ties, group affiliation, and shifting control disclosures. This is no longer abstract speculation. MetaQuotes itself announced that it led Sumsub’s $6 million Series A round in 2020. That single fact changes the frame. Once the publisher behind MetaTrader turns up as the lead investor in a KYC/AML vendor, the story stops being just a broker-tech problem. It becomes an infrastructure-and-governance problem. In plain English: the company behind one of the most fraud-exposed trading ecosystems publicly financed a company whose business is supposed to be trust, onboarding, and verification. Raritex Is The Pressure Point Raritex is the pressure point in this story because it refuses to disappear into the footnotes. Sumsub’s current privacy notice still lists Raritex Trade Ltd among the Cyprus entities in the group, alongside SUMSUB Tech Limited and SUMSUB LTD. That means Raritex is not just a historical shell. It is not just an activist talking point. Sumsub itself still places Raritex inside the group footprint. That matters. Because if Raritex remains embedded in the current disclosure structure, then the question is no longer whether there once was a connection. The question becomes: what exactly is Raritex’s current role, and how much of the real control architecture still runs through it or through the same people around it? The UK Filings Do Not Calm The Story The UK register does not reduce risk here. It raises fresh questions. Companies House shows that Raritex Trade Ltd was formerly the person with significant control over Sum and Substance Ltd, with 75% or more ownership of shares, 75% or more voting rights, and the right to appoint or remove directors, before ceasing on 2 October 2023. The same public record now shows Andrey (Sever) Severyukhin, Yakov (Sever) (Severyukhin), and Peter (Sever) (Severyukhin) as the active PSCs, all notified on 24 May 2024. That is not the kind of ownership trail that settles nerves. It is exactly the kind of trail that invites a second and much harder look. On paper, the structure moved from a corporate controller to named individuals. But in substance, the real compliance question is whether anything actually changed except the packaging. If the legal-entity controller disappears and people from the same orbit reappear directly as controllers, that looks less like separation and more like re-presentation. The Real Issue Is Opacity, Not Just Nationality This is why the old FinTelegram MetaQuotes framing needs updating rather than simply repeating. The archive was right to focus on MetaQuotes’ Russian roots, Cyprus incorporation, and central role in fraud-exposed retail trading. But the sharper 2026 point is not simply that MetaQuotes had Russian roots. The sharper point is that a Cyprus-based cluster now connects MetaQuotes, Raritex, and Sumsub through documented funding ties and group-level overlap, while ultimate control still remains only partly transparent. That is a stronger compliance story than the old geopolitical shorthand. Regulators, fintechs, exchanges, brokers, and banks do not just need to ask who founded these companies or where they came from. They need to ask who controls them now, who sits behind the key entities, and whether the public disclosures reflect the substance of power or merely the surface of it. Why This Ownership Pattern Creates A Serious Compliance Problem The real issue here is not where these individuals were born. The real issue is that critical KYC-verification infrastructure and fraud-exposed trading infrastructure may sit inside the same partly opaque Cyprus-routed control environment. FinTelegram’s own archive has long treated MetaTrader as infrastructure heavily exposed to scam-broker abuse, while MetaQuotes’ public 2020 announcement confirms a direct funding link into Sumsub, a major verification provider. That creates a concentration and dependency problem. Sumsub presents itself as a large-scale verification platform used across fintech, crypto, gaming, trading, and other high-risk sectors, and the World Economic Forum profile likewise describes it as a major identity-verification and fraud-prevention provider. When one vendor becomes close to market infrastructure in online onboarding, its ownership chain, governance model, and control disclosures stop being an internal corporate matter. They become a systemic compliance question. It also creates a data-sensitivity problem. A KYC vendor like Sumsub sits on some of the most abuse-sensitive information in the digital economy: identity documents, selfies, liveness checks, beneficial-owner data, and risk-screening context. At the same time, Sumsub’s own public materials show that Raritex still appears in its Cyprus group footprint, while the UK record shows a shift from Raritex as controller to named individuals as PSCs. Even without proving wrongdoing, that is exactly the kind of ownership-opacity pattern that should trigger deeper scrutiny from counterparties and regulators. There is also an ecosystem-conflict problem. MetaTrader is not a neutral piece of back-office plumbing in the FinTelegram archive; it is repeatedly described as infrastructure embedded in scam-broker and pig-butchering environments. If the publisher behind that ecosystem is publicly tied by investment to a verification vendor that now operates as near-standard compliance infrastructure, then the market has to ask whether too much trust is resting on too little transparency. Finally, this creates a substance-over-form problem. The public UK filings show that Raritex no longer sits as the named PSC, but the control position reappears through named individuals. That does not prove improper conduct. But it does raise the exact question good compliance teams are supposed to ask: did control really change, or did the presentation of control change? In a market where KYC data can be weaponized in secondary fraud, mule onboarding, account takeovers, and document recycling, that is not a theoretical concern. It is a live risk question. The scandal is not nationality — it is that de facto trust infrastructure may be sitting inside a control chain that is still too hard to map, while handling some of the most sensitive data in digital finance. Summary Table: Key Individuals, Entities, And Why They Matter EntityWhat it isVerified public linkWhy it mattersMetaQuotes LtdCyprus-based publisher behind MetaTraderFinTelegram’s 2022 archive identified MetaQuotes as the Cyprus entity behind MetaTrader and noted that beneficial ownership beyond Renat Fatkhullin was not known.Core trading infrastructure in a fraud-exposed ecosystem; ownership questions remain unresolved.MetaTraderTrading platform ecosystemFinTelegram described it as dominant in speculative retail trading and widely used by scam brokers.Explains why ownership and control around MetaQuotes are compliance-relevant.SumsubKYC/AML and onboarding vendorMetaQuotes publicly said it led Sumsub’s $6 million Series A round.Connects the MetaQuotes story to the compliance-verification world.Raritex Trade LtdCyprus entity within the Sumsub group footprintSumsub’s current privacy notice still lists Raritex Trade Ltd among the Cyprus entities in the group.The key bridge entity in the control-chain story.Sum and Substance LtdUK Sumsub-linked entityUK Companies House shows Raritex was the former PSC and later individual PSCs were filed.Public register where the control migration becomes visible.Renat FatkhullinFounder/CEO and visible key figure of MetaQuotesFinTelegram’s 2022 archive identified him as founder and CEO of MetaQuotes and stated that beneficial ownership beyond him was not known.He is the most visible MetaQuotes principal and the reference point for the unresolved question of who stands behind MetaQuotes beyond the public executive layer.Andrey (Sever) SeveryukhinCEO and Co-founder of Sumsub, Active PSC of Sum and Substance LtdListed by Companies House as active, notified 24 May 2024.Part of the named-controller layer that replaced Raritex on paper.Yakov (Sever) SeveryukhinActive PSC of Sum and Substance LtdListed by Companies House as active, notified 24 May 2024.Reinforces the shift from corporate controller to individuals.Peter (Sever) (Severyukhin)Active PSC of Sum and Substance LtdListed by Companies House as active, notified 24 May 2024.Completes the trio now visible in the UK control record.Vyacheslav ZholudevCo-founder and CTO of SumsubListed as co-founder and CTO on the Sumsub site. Important technical architect and public-facing leadership figure in the Sumsub environment; Proven MetaQuotes is the Cyprus-based publisher behind MetaTrader, and FinTelegram’s 2022 archive stated that the beneficial owners beyond Renat Fatkhullin were not known. MetaQuotes publicly announced that it led Sumsub’s $6 million Series A round. Sumsub’s current privacy notice still lists Raritex Trade Ltd among the Cyprus entities in the group footprint. Raritex ceased as PSC of Sum and Substance Ltd, and Andrey/Yakov/Peter Severyukhin are now listed as the active PSCs. Supported It is strongly supported that the stronger 2026 angle is a Cyprus control-chain story, not just a repetition of the older “Russian control” framing. It is also strongly supported that the key compliance issue is whether the apparent restructuring around the Sumsub/Raritex side represented a genuine change in control or merely a formal re-presentation of the same control nucleus. Unresolved Who are the current ultimate beneficial owners of MetaQuotes beyond the visible executive/director layer identified in FinTelegram’s archive? Does Raritex still directly hold shares in operating Sumsub entities such as Sumsub GmbH in Germany or other group companies? Do the same individuals who now appear as controllers on the Sumsub side also control Raritex in substance across the wider Cyprus structure? Is there a provable bridge from the Raritex/Sumsub orbit to ultimate control of MetaQuotes itself, or is the current public record limited to funding and affiliation links? Conclusion FinTelegram’s 2022 warning about MetaQuotes was right in instinct but incomplete in documentation. The real 2026 story is not simply that MetaTrader came out of a Russian-rooted Cyprus structure. The sharper and more defensible story is that a Cyprus-based control chain may connect MetaQuotes, Raritex, and Sumsub through funding, group affiliation, and shifting control disclosures that still leave ultimate beneficial ownership only partly transparent. That is already enough for a serious compliance red flag. It is also enough to justify a new generation of scrutiny from regulators, counterparties, and whistleblowers. Whistleblower Call If you have information about the beneficial owners, shareholders, nominee structures, Cyprus corporate records, internal due-diligence files, or group-control arrangements of MetaQuotes, Raritex, or Sumsub, contact FinTelegram securely via Whistle42. Shareholder extracts, board documents, beneficial-owner certificates, and investor agreements are especially relevant. Share Information via Whistle42

A new pressure campaign by Digital Defenders Group (DDG) founder Nivie Kaul is pushing past the usual wallet-tracing narrative in crypto scam cases. Instead of focusing only on who stole the money, Kaul is asking who sat behind the infrastructure: MetaQuotes as the MT4/MT5 platform provider, Raritex as a key ownership layer, and Sumsub as the KYC vendor inside the broader chain. The result is a messy and politically charged story involving the DOJ’s record $225.3 million seizure, Turkish-court allegations about payment flows to MetaQuotes, and awkward optics around Sumsub’s public support for anti-scam campaigner Erin West. Key Findings The U.S. DOJ said in June 2025 that it filed a civil forfeiture complaint against more than $225.3 million in cryptocurrency tied to crypto confidence scams and described it as the largest cryptocurrency seizure in U.S. Secret Service history. MetaQuotes publicly announced in September 2020 that it led Sumsub’s $6 million Series A funding round and also bought out the shares of Sumsub’s first investor, Flint Capital. UK Companies House shows that Raritex Trade Ltd ceased as a person with significant control on 2 October 2023, and on 24 May 2024 three individuals were notified as PSCs while the prior PSC statement was withdrawn. Kaul’s LinkedIn post alleges Turkish criminal proceedings documented 54 SWIFT payments totaling about $638,374 from a scam-network operator to MetaQuotes between December 2019 and March 2023, and further alleges MetaQuotes held a 25% stake in Raritex Trade Ltd. Sumsub publicly said it was “proud to support” Erin West’s investigation into the global scam economy, creating a clear optics problem once DDG began attacking Sumsub’s ownership and governance chain. UA.News adds a useful supporting frame: a KYC/AML vendor that helps clients identify beneficial ownership has itself become a due-diligence target because of ownership opacity and its public-control gap in the UK register. The Story Behind The Story At first glance, this looks like just another fight over seized scam proceeds. It is not. Kaul is trying to turn the DOJ’s celebrated seizure into a much broader infrastructure-liability story. The DOJ release is straightforward: federal authorities filed a forfeiture complaint against more than $225.3 million in crypto allegedly tied to a laundering network used in cryptocurrency confidence scams, with more than 400 suspected victims worldwide. But DDG’s intervention changes the frame. In her LinkedIn post, Kaul argues that victims should stop looking only at the visible scammer and start tracing the corporate stack behind the fraud economy. Her post says Turkish proceedings revealed 54 SWIFT payments totaling about $638,374 from a documented network operator to MetaQuotes between December 2019 and March 2023. She then connects MetaQuotes to Raritex and Raritex to Sumsub. That is the backbone of her thesis. The Hard Public Record The strongest documented part of this story is the MetaQuotes-Sumsub link. MetaQuotes itself announced in September 2020 that it led Sumsub’s $6 million Series A round. It also said it bought out the shares of Flint Capital, the first Sumsub investor. That is not rumor or activist spin. It is a public corporate statement from MetaQuotes. The second hard-record issue is the Raritex control history around Sum and Substance Ltd in the UK. Companies House shows a filing on 3 October 2023 recording the cessation of Raritex Trade Ltd as a person with significant control effective 2 October 2023. It also shows that on 24 May 2024 three individuals were notified as PSCs and the prior PSC statement was withdrawn. The Russian-Israeli Sever (Severiukhin) brothers are the founders and registered controllers of Sumsub’s UK entity and, through Andrew/Andrey Severyukhin’s position as director and key principal, exercise managerial control over Raritex Trade Ltd, the Cyprus vehicle that controlled Sumsub from 2019 to 2023. The ultimate beneficial ownership of Raritex remains opaque, with external sources indicating additional shareholders, including MetaQuotes and IIDF, via trust structures. That situation does not prove misconduct. But it does create a governance problem for a company whose commercial value rests on verifying identity, control, and ownership for others. UA.News puts the point in blunt terms: the verifier itself has become a verification problem. That is editorial language, but it is grounded in a real public-register anomaly. Where The DDG Case Turns Aggressive The most explosive part of Kaul’s narrative is also the part that still sits in the allegation bucket. Her post says Turkish criminal proceedings documented 54 SWIFT transfers totaling $638,374 to MetaQuotes and that MetaQuotes held a 25% stake in Raritex, recorded in its 2019 audited accounts. Those claims appear prominently in the post and in the accompanying infographic. Read more about Russian-controlled Metaquotes here. That is serious material. But the distinction matters: in the source set reviewed here, those underlying Turkish court documents and audited accounts were described, not independently inspected. So this is publishable as a major allegation advanced by DDG, but not yet as a conclusively established fact on the same level as the MetaQuotes funding announcement or the Companies House filings. Erin West And The Optics Problem Erin West is the founder of Operation Shamrock, a nonprofit anti-scam initiative that positions itself as a bridge between victims, law enforcement, and industry — which is precisely why Sumsub’s public support for her work has become a sensitive optics issue in DDG’s campaign. The Erin West angle is what makes this story politically potent. Sumsub publicly promoted West’s Cambodia-focused anti-scam work and said it was “proud to support” her investigation into the global scam economy. At the same time, Compliance Corylated reported that Kaul filed a verified claim in March 2026 arguing not only that she was an innocent owner, but the “original innocent owner,” and that she had already obtained a Turkish judicial seizure preserving the assets before U.S. action. Kaul says she reached wallet 0x82e by first obtaining a Turkish payment order as a fraud victim, then tracing her loss into what she describes as a key network wallet, and finally securing a Turkish criminal judicial seizure on 11 August 2023 that froze the wallet through Tether and, in her view, attached her enforcement interest to those assets. That contrast is exactly what DDG is exploiting. In simple terms: the victim-turned-investigator says she traced the infrastructure and moved early; a high-profile anti-scam advocate celebrated the U.S. seizure; and the advocate’s public campaign was supported by a KYC vendor whose ownership chain is now under scrutiny. Even without proof of misconduct by West or Sumsub, the optics are rough. Why UA.News Matters UA.News should not be treated as the cornerstone evidentiary source. But it is useful because it packages the story into a broader governance-risk critique. Its April 2026 piece ties together Sumsub’s security-incident history, investor opacity, the PSC gap, and the MetaQuotes-Raritex narrative. It also highlights Sumsub’s own 2022 statement that “the initial investors who had ties to Russia and retained minor stakes in our company have now left us,” using that to argue that Russian-exposed investors remained in the cap table until 2022. That does not prove geopolitical control. But it does support a narrower and more defensible point: Sumsub’s ownership history, investor base, and control disclosures deserve more scrutiny than a normal “trust vendor” would ideally invite. That makes UA.News a useful supporting source for the governance angle, even if some of its rhetoric runs hotter than the primary record supports. What Is Proven MetaQuotes publicly led Sumsub’s $6 million Series A round and bought out the first investor’s stake. The DOJ filed a forfeiture complaint against more than $225.3 million and described it as the largest cryptocurrency seizure in U.S. Secret Service history. Raritex ceased as a PSC of Sum and Substance Ltd effective 2 October 2023, and three individual PSC filings appeared on 24 May 2024 alongside withdrawal of the earlier PSC statement. Sumsub publicly supported Erin West’s anti-scam investigation. What Is Alleged Turkish criminal proceedings allegedly documented 54 SWIFT payments totaling about $638,374 from a scam-network operator to MetaQuotes. MetaQuotes allegedly held a 25% stake in Raritex Trade Ltd, described by Kaul as the holding company for the Sumsub group. The broader DDG thesis is that this payment and ownership chain places MetaQuotes, and indirectly the Sumsub chain, too close to the infrastructure behind MT4/MT5-linked fraud. What Needs Verification Next The Turkish court record and the underlying SWIFT documentation need to be reviewed directly. That is the evidentiary hinge of the most serious claim. The 2019 audited accounts allegedly showing MetaQuotes’ 25% Raritex stake also need direct inspection. The current Cyprus ownership chain around Raritex and the wider Sumsub structure should be confirmed through primary corporate documents, not just secondary reporting or social posts. Any operational evidence linking Sumsub directly to onboarding scam-linked actors would be a separate and much higher threshold than ownership overlap or sponsorship optics. Easy summary: who does what ActorSimple descriptionNivie Kaul (LinkedIn)/ DDG (LinkedIn)Says the real story is not just stolen crypto, but the corporate and platform infrastructure behind the scamsMetaQuotesMT4/MT5 software provider; verified investor in Sumsub; alleged recipient of scam-linked SWIFT paymentsRaritex Trade LtdOwnership/control layer sitting between MetaQuotes allegations and the Sumsub governance storySumsubSum and Substance LtdKYC/AML vendor; Backed by MetaQuotes in 2020; UK filings show prior Raritex control and later PSC changes; publicly supported Erin West’s scam-investigation contentErin West (LinkedIn)Operation Shamrock (LinkedIn)Founder of Operation Shamrock (link), which presents itself as a nonprofit, cross-border anti-scam initiative; Sumsub-backed content creates an optics conflict in DDG’s narrativeDOJ / USSSGovernment side of the seizure story Conclusion DDG’s campaign is effective because it mixes hard public-record facts, uncomfortable optics, and still-unproven but potentially explosive allegations into one coherent attack line. The public record already shows enough to justify a strong compliance red-flag briefing: MetaQuotes funded Sumsub, Raritex sat in the control chain, the UK PSC sequence looks awkward for a KYC vendor, and Sumsub publicly backed Erin West while DDG was building a competing victim-first narrative. What the public record does not yet prove is the decisive legal bridge from ownership opacity and bad optics to knowing facilitation of scam infrastructure. That bridge may yet emerge. For now, the story is strongest as a governance, transparency, and infrastructure-accountability report — and it could become much bigger if the Turkish records and audited accounts match DDG’s claims. Whistleblower Call If you have information about MetaQuotes, Raritex, Sumsub, MT4/MT5 scam infrastructure, or cross-border onboarding and payment flows linked to fraud networks, contact FinTelegram securely via Whistle42. Documentary evidence, internal compliance material, shareholder records, and vendor due-diligence files are especially relevant. Share Information via Whistle42

A growing body of indicators suggests that a cluster of outwardly separate online casino brands may be linked, directly or indirectly, to Zentoria Limited and a shared backend payments architecture. FinTelegram reviewed operator attributions, Irish licensing records, repeated payee clues, and live payment flows across multiple brands. The result is not yet a final legal attribution of the full network, but the hypothesis of a Zentoria-linked casino cluster with strong Cyprus-ties has become increasingly plausible. The rail evidence points to a common backend. And the recurring name Morada Horizon Services Limited adds a new payments-side lead that regulators should not ignore. Key Findings Multiple third-party gambling sources and whistleblower information identify Zentoria Limited as operator or owner of at least some relevant brands, including Roostino and BetRepublic (List.Casinos, Tribune.com). Ireland’s official register confirms that ZENTORIA LIMITED is a real holder of a Remote Bookmaker’s Licence, with trading-name references including SPINSOPOTAMIA.COM. Public review sources for Roostino identify Morada Horizon Services Limited as the payments-management entity and use Irish company number 781093. FinTelegram’s own testing indicates that BetRepublic, WestAce, Spinsy, Kingmaker, and GreenLuck share materially identical cashier logic and payment-rail configuration. Across the tested brands, Revolut deposits appear to converge on the same open-banking chain via Perspecteev / Salt Edge / Revolut OBA, while “Rapid” flows show the same payee fragment, “Morada Hor…”. The currently accessible terms and conditions on the tested brands appear highly similar while failing to clearly identify the responsible legal operator, which is itself a compliance red flag. Compliance Analysis 1. The central hypothesis: there is a Zentoria-linked casino cluster! The Zentoria hypothesis is no longer based only on public attribution sources. It is now supported by direct transactional evidence from live testing. Earlier screenshots already appeared to show Novaforge Ltd and later Zentoria Limited in a Payabl-linked environment associated with pay4.payabl.com, suggesting a possible merchant sequence or migration pattern in the same payments architecture. At least some Novaforge-related records appeared to show a statement-facing mismatch, while later Zentoria-linked records looked more transparent. Skill payment confirmation for a Spinsy deposit A fresh FinTelegram test deposit into Spinsy produced a transaction detail stating “Skrill card payment at zentoria limited”, with Dublin shown as the location. This matters because it moves the story beyond: third-party claims, look-and-feel similarity, and indirect operator speculation. It now shows that a live deposit into Spinsy, one of the casinos in the reviewed cluster, resolved to Zentoria Limited at the transaction-detail level. That does not yet prove the exact legal role of Zentoria in every case. It could reflect: the formal operator, the merchant of record, a collection or payment counterparty, or another affiliated commercial entity. Skrill payment confirmation for a Spinsy deposit with AXEGLE as named payee But from a compliance standpoint, the distinction does not reduce the significance of the finding. A live payment into Spinsy surfacing Zentoria Limited as the payee materially strengthens the hypothesis that Spinsy belongs to the same broader Zentoria-linked casino and payments cluster. A second FinTelegram test deposit into Spinsy surfaced a different payee descriptor, “AXEGLE,” with Doncaster shown as location. While FinTelegram has not yet been able to identify a verified legal entity behind that descriptor, the result suggests that Spinsy may be using multiple payment counterparties or merchant descriptors across separate rails. 2. Revolut, Perspecteev, Salt Edge, and the open-banking layer One of the most revealing patterns in the FinTelegram testing is the repeated routing of Revolut deposits through Perspecteev / SaltEdge / Revolut. That is not a trivial technical detail. It suggests a reusable open-banking deposit architecture deployed across multiple casino brands. If multiple supposedly independent casinos all push users through the same OBA path into Revolut, the same question arises every time: Who configured the payment path, and for whom? This does not, by itself, prove that Zentoria owns every brand in the cluster. But it does support the conclusion that these brands likely sit on a shared backend orchestration environment. Read our SaltEdge compliance report here. 4. The Morada Horizon clue is getting harder to ignore The repeated appearance of the truncated payee string “Morada Hor…” in the “Rapid” rail is particularly important. That fragment is highly consistent with Morada Horizon Services Limited. Public Roostino review pages identify Morada Horizon Services Limited, Irish entity founded in Feb 2025 with company number 781093, as the entity handling payment-processing or payment-management services. Tribuna’s Roostino sportsbook and casino reviews both make that attribution. We have also found Moreda acting as a payment agent at other casinos, such as Golisimoo casino, which has already been warned and banned in various jurisdictions. This does not yet prove that Morada Horizon handles payments for every brand in the cluster. But if the same payee fragment appears across Kingmaker, WestAce, BetRepublic, Roostino, and GreenLuck-style rails, then Morada Horizon becomes much more than a footnote. It becomes a serious payments-side lead that deserves focused scrutiny. The key compliance question is straightforward: if Morada Horizon appears across multiple brands’ payment flows, what exactly is its role — payment manager, settlement entity, merchant-of-record layer, or another service function in the cashier stack? 3. The Payabl Angle Recent screenshots shared with FinTelegram add a new and potentially important element to the Zentoria network hypothesis: they appear to show both Novaforge Ltd and later Zentoria Limited in a transaction environment linked to the Payabl subdomain pay4.payabl.com. Particularly notable is the apparent descriptor mismatch in the Novaforge-related screenshots, where the transaction is associated with Novaforge Ltd / pay4.payabl.com but reportedly appears on the statement layer as “APPLEPAY.” By contrast, later screenshots linked to Zentoria Limited appear more transparent, with ZENTORIA LIMITED shown as the statement-facing descriptor. At this stage, these screenshots do not prove misconduct by Payabl or establish who controlled the descriptor logic. They do, however, strengthen the view that Payabl may have sat directly in the payment flow connecting the earlier Novaforge and later Zentoria merchant phases, which makes its role in the wider rail architecture a relevant compliance question. 4. The legal-disclosure gap is itself a compliance signal The terms and conditions reviewed across these casinos appear strikingly similar, yet they reportedly fail to clearly identify the responsible operator. That is not a minor drafting flaw. For gambling compliance, payments transparency, chargeback handling, and AML accountability, the identity of the contracting and operating entity should not be obscured behind generic terms, vague branding, or recycled templates. If multiple casino brands share: near-identical T&Cs, identical cashier architecture, the same payment rails, the same open-banking chain, and the same payee clues, while failing to clearly identify the responsible operator, then the opacity itself becomes part of the compliance story. 5. What can be said safely — and what still needs proof At this stage, FinTelegram can safely say: a Zentoria-linked cluster hypothesis is plausible; Zentoria Limited is a real gambling-sector entity and is repeatedly named in third-party source material tied to relevant brands; Morada Horizon Services Limited is a real named payments-side entity that appears in public Roostino-related materials and is consistent with repeated payee fragments seen in tested flows; FinTelegram’s own testing strongly suggests a shared cashier and payments stack across BetRepublic, WestAce, Kingmaker, GreenLuck, and Spinsy; and a live FinTelegram test deposit into Spinsy surfaced Zentoria Limited directly in the transaction details. That is why the honest conclusion is not “case closed.” It is: the Zentoria network hypothesis is increasingly plausible, and the evidence trail is becoming materially stronger. Conclusion FinTelegram’s review suggests that BetRepublic, WestAce, Kingmaker, Roostino, GreenLuck, and Spinsy may belong to the same broader backend gambling and payments cluster. The recurring attribution of some brands to Zentoria Limited, the official licensing footprint of Zentoria, the repeated payments-side references to Morada Horizon Services Limited, the near-identical rail architecture observed in direct testing, and now a live Spinsy payment detail naming Zentoria Limited together make a Zentoria-linked network hypothesis plausible and increasingly compelling. Summary Table: Reviewed Casino Brands, Entities, and Apparent Roles NameTypeApparent role in reviewed casino clusterCurrent assessment / commentsBetRepublicWestAceKingmakerRoostinoGreenLuckSpinsyRoostinoCasino brand publicly related to ZentoriaOne of the reviewed casino brands in the apparent shared clusterStrongly linked to the cluster; Zentoria link is plausible but not conclusively provenZentoria LimitedLegal entity / gambling operatorCentral hypothesis entity; possible operator or cluster-linked legal wrapper for some of the brandsPlausible anchor entity for the network, but not yet conclusively established as operator of all brandsMorada Horizon Services LimitedLegal / payment-side entity and igamingApparent payment-management / igaming services; likely linked to “Morada Hor…” payee fragmentImportant payments-side lead; likely relevant to the cluster; Irish entity.PayablPayment processor / acquirer / gateway-side entityPossible acquiring / orchestration-side PSP in the broader theory; potentially central to rotating MID hypothesisImportant investigative target, but not directly proven in the current casino-rail review setapi.payment-gateway.ioPayment gateway / technical endpointApparent shared card-processing endpoint for reviewed brandsStrong indicator of shared backend payments stacksecurepayins.comPayment rail / gateway layerAppears in the Revolut / open-banking deposit flowIndicative of shared deposit infrastructureSalt Edge Limiteddba SaltEdgewww.saltedge.comOpen banking infrastructure providerUsed in the Revolut/open-banking deposit pathShared infrastructure clue, not operator evidence by itselfPerspecteev SASOpen banking / payment infrastructure entityAppears in Revolut OBA deposit flowStrong shared-rail indicator across brandsRevolut (oba.revolut.com)Bank / open banking API environmentFinal user-facing bank authorization layer for certain depositsNot evidence of ownership, but confirms common deposit pathChainValleyCrypto / conversion-related payment railApparent destination behind Skrill / Neteller / PaysafeCard “buy crypto” style deposit logicImportant common rail clue; should be described carefully as an apparent routing layerSkrill/Neteller/PaysafeCardPayment method / walletFront-end deposit option that appears to route into the same effective backend logicConsumer-facing method, not the likely ultimate payment operatorRAPIDPayment method / bank transfer style railDeposit route showing the recurring payee fragment “Morada Hor…”One of the strongest shared-payee indicatorsNovaforgeMerchant/front entity (historical)Merchant/front in the Zentoria networkRelevant to the broader network theory, but not central to the reviewed casino rail comparison itself The Simplified Network View Here is the same information in a more operational way: LayerNames involvedApparent roleCasino brandsBetRepublic, WestAce, Kingmaker, Roostino, GreenLuckConsumer-facing casino brands under reviewPossible operator / legal wrapperZentoria LimitedRecurrently attributed operator or network-linked entityPossible payments-side entityMorada Horizon Services LimitedLikely payment-management / payee-side entityPossible acquiring / orchestration-side PSPPayablBroader hypothesis: acquiring / gateway node in the larger networkCard / gateway infrastructureapi.payment-gateway.ioShared card-processing / deposit infrastructureOpen banking infrastructuresecurepayins.com, Salt Edge, Perspecteev SAS, Revolut OBAShared bank-transfer / open-banking pathAlternative payment front endsSkrill, Neteller, PaysafeCard, RAPIDConsumer-facing deposit methodsApparent backend conversion / routing railChainValleyApparent crypto / conversion-style backend railShared payee clue“Morada Hor…”Repeated payee fragment indicating possible common payee/payment entity Call to Whistleblowers If you are a player, PSP insider, affiliate manager, compliance professional, former employee, contractor, or payment specialist with information about Zentoria, Morada Horizon, BetRepublic, Roostino, WestAce, Kingmaker, GreenLuck, or their payment providers, contact FinTelegram confidentially via Whistle42. We are especially interested in: full payment confirmations showing the complete payee name, bank statement lines containing Morada Horizon or related entities, processor/acquirer references, archived legal disclosures, merchant onboarding files, and internal documents showing who controls the cashier and payment stack. Share Information via Whistle42

The sanctioned crypto exchange Grinex has abruptly suspended operations after reporting the theft of roughly 1 billion rubles in digital assets. The platform claims the attack bore the hallmarks of “foreign intelligence services,” but blockchain investigators say the on-chain behavior looks far less like a state seizure and far more like classic criminal laundering. Behind the drama sits a bigger story: Grinex was not some ordinary exchange. It was widely identified by U.S. authorities and blockchain intelligence firms as the successor to Garantex, the notorious Russia-linked crypto venue tied to money laundering, sanctions evasion, and the A7A5 shadow-payments network. Key Findings Grinex has suspended operations after reporting that assets worth about 1 billion rubles were stolen in a cyberattack announced on April 16, 2026. The “Western intelligence” narrative is unverified. Reuters explicitly reported that it could not verify Grinex’s claim that “foreign intelligence services” were behind the attack. On-chain evidence cuts against the state-seizure storyline. Chainalysis found that the stolen stablecoins were quickly swapped into TRX via a DEX, a move more consistent with evading issuer freezes than with a law-enforcement confiscation. TRM Labs identified a broader incident footprint than Grinex publicly disclosed and linked the same consolidation address to both Grinex and TokenSpot, another Kyrgyzstan-based exchange TRM assesses as a likely Garantex front. U.S. Treasury said Grinex was created by Garantex employees after the March 2025 disruption of Garantex in order to continue sanctions-evasion services and move customer funds. Grinex was central to trading A7A5, the ruble-backed token issued by sanctioned Kyrgyz company Old Vector, which U.S. and UK authorities linked to Russian sanctions-evasion infrastructure. The bigger compliance picture is explosive: Garantex had already lost its Estonian authorization in 2022 after the FIU found systemic AML/CFT failures, suspicious transaction-reporting failures, and links to criminal wallets. Compliance Analysis 1. The immediate story: Grinex claims a geopolitical hit job Grinex says it was hit by a large-scale cyberattack that stole more than 1 billion rubles and forced the platform to suspend operations. In its public messaging, the exchange framed the incident as an operation by “unfriendly states,” claiming the attack was designed to damage Russia’s “financial sovereignty.” That framing is politically convenient, but at this stage it is still only Grinex’s allegation, not an independently established fact. Reuters, which reported the shutdown on April 16, 2026, said it could not verify the attribution claim. 2. The on-chain trail tells a different story The most important fact is not Grinex’s rhetoric but the movement of funds. Chainalysis reported that the exfiltrated assets were largely centralized stablecoins that were quickly swapped into TRX through a Tron-based DEX. That matters because when governments or law enforcement seize stablecoins, they commonly seek a freeze from the issuer. Rapidly converting into a non-freezable asset is the kind of move criminals make when they fear exactly such a freeze. Chainalysis therefore said the behavior raises real questions about Grinex’s story and even floated the possibility of a false-flag event or exit-style siphoning rather than a classic state takedown. TRM Labs reached a different tactical conclusion on motive, but not on the core point that the attribution remains unproven. TRM found that the attacker converted stolen USDT on TRON into TRX via SunSwap and consolidated about 45.9 million TRX, worth roughly $15 million, into a single address. TRM assessed the incident was more likely an external cyber operation than an exit scam, partly because the activity touched both large and small wallets across multiple platforms. Even so, TRM also stated clearly that Grinex’s claim about “special services of unfriendly states” was not independently verified. 3. Grinex was never just another exchange From a compliance perspective, the hack is only the surface scandal. The deeper issue is what Grinex appears to have been. U.S. Treasury stated in August 2025 that Grinex was created by Garantex employees after the March 2025 law-enforcement action against Garantex, and that it was used to transfer Garantex customer deposits and continue core services. Treasury further said Grinex facilitated billions of dollars in crypto transactions and functioned as part of Garantex’s sanctions-evasion effort. That account matches what blockchain analytics firms had already been saying. TRM reported that Grinex was incorporated in Kyrgyzstan in December 2024, weeks before the multinational action that dismantled Garantex, and that Garantex-linked Telegram channels quickly promoted Grinex as the familiar replacement where clients could recover frozen assets. TRM’s earlier work also pointed to Kyrgyz records showing Grinex was registered by Duulat-eldar Sagynbeki Subankulov, though the open-source record around the real controlling parties remains opaque. 4. The Garantex backdrop: this was a laundering brand with a new logo Any serious review of Grinex starts with Garantex. The U.S. Justice Department said in March 2025 that Garantex’s domains were seized, servers in Germany and Finland were taken, earlier server copies including customer and accounting databases had been obtained, and more than $26 million in funds used to facilitate money laundering were frozen. DOJ also alleged Garantex had redesigned operations to evade sanctions, including moving operational wallets on a daily basis to frustrate blocking and detection. The problems go back even further. Estonia’s Financial Intelligence Unit said Garantex Europe OÜ surrendered its authorization after supervisory findings that included systemic AML/CFT deficiencies, identity-verification failures affecting more than 90% of customers, failure to report suspicious transactions, and property flows linked to criminal conduct or wallets used by offenders. The FIU said annual transactions exceeded €5 billion, with a large share tied to Russia and other high-risk countries. This is why the “Grinex as successor” label is not tabloid exaggeration. It is the core compliance fact pattern. OFAC, Chainalysis, Elliptic, and TRM all describe Grinex as either the direct successor to Garantex or an entity built from the same infrastructure, clientele, and operating purpose. 5. A7A5: the sanctions-evasion rail at the center of the story Grinex’s strategic importance appears to lie in its role as the main trading venue for A7A5, a ruble-backed token issued by Old Vector in Kyrgyzstan. OFAC said Garantex used this token structure so customers whose funds were trapped after the March 2025 disruption could regain access to value. Treasury also said A7, A71, and A7 Agent were owned by sanctioned Moldovan oligarch Ilan Shor and sanctioned Russian bank Promsvyazbank, and that A7A5 was created for a cross-border settlement platform used for sanctions evasion. Chainalysis said A7A5 processed more than $51 billion and described it as a token designed to operate within a narrow ecosystem of Russian-linked financial services, with Grinex as the primary platform facilitating trades. The Financial Times reported even earlier that A7A5 had moved $9.3 billion in four months, was backed by deposits at Promsvyazbank, and was closely linked to Grinex as part of Russia’s shadow payments architecture. Later FT reporting said the wider A7/A7A5 network moved more than $6 billion after sanctions, underscoring how resilient the network remained. In plain English: Grinex mattered because it was not just an exchange. It appears to have been a sanctions-resilient conversion point between rubles, A7A5, and mainstream crypto liquidity. That makes it highly relevant not only for AML analysts but also for sanctions enforcement, cross-border payments supervision, and national-security investigators. 6. The TokenSpot angle makes the case even dirtier One of the more disturbing details in TRM’s April 2026 hack analysis is the linkage to TokenSpot, another Kyrgyz exchange TRM assesses as a likely Garantex front. TRM said two TokenSpot addresses sent funds to the same consolidation address used by the Grinex-linked wallets and that both platforms appear to have been hit around the same time. TRM also reported that TokenSpot had sent $88 million to Garantex and Grinex, received over $12 million back from Grinex, and sent more than $257.5 million to the A7 network. That is not the profile of an isolated exchange mishap. It looks more like stress inside a broader sanctions-evasion ecosystem built to route Russian-linked value through Kyrgyz wrappers, shadow tokens, and crypto liquidity bridges. 7. What the alleged hack likely means from a compliance standpoint The most defensible compliance conclusion today is this: Grinex’s shutdown is real; the attribution is not settled; the underlying business model was already toxic. Reuters confirms the shutdown. Treasury and UK sanctions records confirm Grinex had already been treated as a sanctions-evasion vehicle. Blockchain analytics firms confirm that the attack hit a platform deeply embedded in the Garantex/A7A5 architecture. What remains uncertain is whether this was a hostile state operation, a criminal theft, a compromise by insiders, or some hybrid scenario. For regulated firms, the lesson is brutal but simple: successor entities, rebrands, and jurisdictional shifts do not cleanse sanctions or AML exposure. When the old exchange is taken down and a new one appears in Kyrgyzstan with the same customers, the same purpose, the same staff links, and the same settlement logic, the risk is not reduced. It is merely repackaged. Conclusion: An Exit Scam Wrapped in a Flag The disruption of Grinex is a fatal blow to the infrastructure supporting Russian sanctions evasion, but victims of this exchange should not hold their breath for a rescue. Whether this was a genuine exploit by rival cybercriminals or a meticulously orchestrated rug-pull by the Garantex/Grinex cartel, the outcome is the same. The architects of this illicit financial network have cashed out, leaving their “loyal” clientele holding the bag while blaming the West for their missing millions. Call to Whistleblowers Whistleblowers, counterparties, former staff, liquidity providers, OTC brokers, compliance officers, and banking or payments insiders with knowledge of Grinex, Garantex, TokenSpot, Old Vector, A7A5, or related sanctions-evasion structures should contact FinTelegram via Whistle42. If you have wallet evidence, KYC records, onboarding material, internal chats, payment-routing instructions, banking links, or details of how Russian institutions used these structures to move money, your information could help expose one of the most important crypto-compliance stories in the Russia sanctions space. Share Information via Whistle42

GoDeFi presents itself as a sleek non-custodial DeFi payment-card platform for everyday crypto users. GammaG appears in FinTelegram’s earlier reporting as a Georgian crypto-payment rail surfacing behind offshore-casino deposit flows and in whistleblower material linked to the wider CoinsPaid orbit. A newly visible link between the two schemes is the name Sandra Kübarsepp, who is publicly recorded as the sole director and sole shareholder of GO DEFI CS s.r.o. The overlap is real. But the bigger question remains open: is this merely a personnel coincidence, or part of a broader continuity structure stretching from casino crypto rails into consumer-facing DeFi branding? Key Findings GoDeFi markets a non-custodial Solana-linked payment-card model that promises users direct wallet spending, no top-up, and a DeFi-to-real-world payments bridge. Go Defi Corp. is identified as the developer/operator on GoDeFi’s app disclosures, while GO DEFI CS s.r.o. appears to be the Czech paid-services entity. Sandra Kübarsepp is publicly listed in Czech company records as the sole managing director and 100% shareholder of GO DEFI CS s.r.o. FinTelegram’s prior reporting placed GammaG LLC in Georgia behind a “CoinsPaid” casino deposit flow and described GammaG as a possible continuity rail in the wider CoinsPaid / CryptoProcessing / Dream Finance / SoftSwiss field. FinTelegram also stressed that the evidence showed functional proximity, not yet proven common ownership. Georgia requires VASP registration with the National Bank of Georgia, and the NBG has warned the public against using unregistered virtual-asset providers. Based on the public materials reviewed, FinTelegram could not independently verify GammaG’s NBG registration. Beneficial Owners, Co-Founders, And Funding A second publicly visible name around the GoDeFi.me scheme is Sergei (Sergey) Burmisov. In GoDefi’s own 12 March 2025 press release, the company identified Sergey Burmisov as “Co-Founder & CTO” and quoted him directly on the product’s non-custodial architecture and user proposition. The same release also said GoDefi had already raised $2 million in an initial seed round and was preparing a second funding round. The Estonian national Sandra Kübarsepp (aka Sandra Urvak) is publicly listed as the sole director and sole shareholder of GO DEFI CS s.r.o., the Czech entity named in GoDeFi’s paid-services documentation. Compliance Analysis GoDeFi: polished DeFi card pitch, thin public accountability GoDeFi is pitched as “the first true DeFi payment card for everyday life.” The app-store and website materials describe a 100% non-custodial service built around Solana wallets, promising users that they can connect a wallet, complete KYC for card issuance, and spend crypto without surrendering private keys or pre-funding an intermediary balance. The product language is ambitious: spend, borrow, lend, receive, and send — all wrapped in a consumer-fintech user experience. Publicly, the structure looks split — and the card story looks broken. The app and privacy materials identify Go Defi Corp. as the operator/developer, while the paid-services terms name GO DEFI CS s.r.o. as the subscription counterparty. Those terms still refer to Quicko Sp. z o.o. as the card issuer. But that disclosure appears stale: the Polish regulator KNF revoked Quicko’s licence on 21 January 2026, and Quicko itself said it lost the ability to provide payment services on 3 February 2026. Yet GoDefi’s live Google Play listing continues to market a payment card from unnamed “licensed banking partners,” even though the app shows only 50+ downloads. That leaves a basic operational question unresolved: who, if anyone, is currently issuing the GoDefi card, and whether the card system works at all. GammaG: from Georgian crypto rail to FinTelegram’s continuity hypothesis GammaG entered FinTelegram’s reporting through the payment-rail side, not the DeFi-card side. In December 2025, FinTelegram documented an observed deposit flow at offshore casino Vegadream in which selecting the “CoinsPaid” option opened a GammaG payment pop-up with crypto deposit instructions. GammaG was described there as a Georgia-registered entity offering digital-currency payment solutions, including hosted-wallet and exchange-related functions. Read our CoinsPaid reports here. In April 2026, FinTelegram followed with a more pointed thesis: GammaG may have functioned as a shadow or continuity rail in the same operational field as CoinsPaid, CryptoProcessing, Dream Finance, and the wider SoftSwiss ecosystem. That report was careful on the evidentiary boundary. It did not claim proven formal integration. It said the new whistleblower material reinforced the functional closeness already identified by FinTelegram. That distinction matters. A rail can be strategically close, commercially integrated, or operationally interchangeable without the public record yet proving identical ownership. That is the current state of play. GammaG is not just an isolated Georgian web domain that happened to appear in a single transaction flow. FinTelegram’s existing reporting places it inside a broader compliance pattern: replacement rails, migrating structures, opaque contracting endpoints, and the use of crypto-processing architecture to keep high-risk offshore business moving when older channels become impaired. The GammaG Connection Public records and company statements currently tie at least two names to the GoDefi.me scheme: Sandra Kübarsepp/Urvak on the Czech corporate side, and Sergey Burmisov as publicly named co-founder and CTO. GoDefi also claimed in March 2025 that it had raised $2 million in seed funding and was pursuing a second round, although the underlying investors and financing structure have not yet been independently verified. What FinTelegram can now say with confidence is narrow but important. We know that Sandra Kübarsepp is publicly listed as the sole director and sole shareholder of GO DEFI CS s.r.o., the Czech entity named in GoDeFi’s paid-services documentation. That is verified. Allegedly, Kübersepp is also a director of the Georgian crypto-payments scheme GammaG. FinTelegram’s prior reporting places GammaG in a CoinsPaid-linked rail environment. That already makes the overlap noteworthy. A name tied to a consumer-facing DeFi card structure appears in the same investigatory field as a Georgian rail previously surfaced in offshore-casino crypto flows. For compliance professionals, that is enough to justify closer scrutiny. What FinTelegram knows at this stage FinTelegram knows that GoDeFi is not just a vague app-store project. It has identifiable entities, a Czech services company, a named control person in Sandra Kübarsepp, and a payments-card narrative built around non-custodial DeFi branding. FinTelegram also knows that GammaG has already surfaced in FinTelegram’s casino-rail reporting, specifically behind a CoinsPaid deposit path, and later in whistleblower material consistent with a continuity-rail hypothesis. Read our reports on GammaG here. Those two strands now intersect in a way that is too concrete to ignore and still too incomplete to overstate. Conclusion At this point, FinTelegram’s investigation suggests a credible and potentially significant overlap between the GoDeFi scheme and the GammaG scheme. The public record already supports one hard fact: Sandra Kübarsepp, aka Sandra Urvak, controls GO DEFI CS s.r.o., the Czech company behind GoDeFi’s paid-services leg. Separately, FinTelegram’s prior reporting places GammaG inside a suspicious Georgian crypto-rail environment linked to CoinsPaid-branded transaction paths and the broader Dream Finance / SoftSwiss investigatory field. That is enough to justify continued scrutiny. It is not yet enough to claim full common ownership or a fully proven unified scheme. The overlap is real. The ultimate structure remains unresolved. Summarizing Table Here is a compact summary table you can drop into the report. EntityJurisdictionRoleVerified connectionsGo Defi Corp.www.godefi.mehttps://app.godefi.meDelaware, U.S.App/operator entity shown for GoDeFiListed in GoDeFi app disclosures as the developer/operator; app disclosures use the Dover, Delaware registered-agent address.GO DEFI CS s.r.o.Czech RepublicCzech paid-services / subscription entity for GoDeFiNamed in GoDeFi subscription-plan terms; Czech registry-derived records show Sandra Kübarsepp as sole shareholder and managing director.Sandra Kübarseppaka Sandra UrvakEstonia-resident natural personControl person on the Czech GoDeFi side. According to Estonian register information, she also goes by the name Sandra Urvak.Public Czech records tie her to GO DEFI CS s.r.o. as sole shareholder and statutory director.Sergei BurmisovRussia,Montenegro (LinkedIn)GoDefi CTO and CoFounderPress releaseGammaG LLC / GammaGGeorgiaCrypto-payment / exchange-style rail appearing in FinTelegram’s casino-rail reportingFinTelegram documented a deposit path where clicking a “CoinsPaid” option at Vegadream opened a GammaG pop-up with crypto deposit instructions; FinTelegram later described GammaG as a possible continuity rail in the CoinsPaid field.CoinsPaid / CryptoProcessing orbitMulti-jurisdictionalBranded crypto-processing/payment ecosystem referenced in FinTelegram investigationsIn FinTelegram’s reporting, CoinsPaid-branded deposit flows led users into GammaG checkout/payment pages, suggesting operational proximity. Working takeaway: the strongest verified bridge at this stage is GammaG CoinsPaid on the payments-flow side and Sandra Kübarsepp GO DEFI CS s.r.o. on the GoDeFi side. The missing evidentiary step is a primary-source document proving that the same control persons or beneficial owners sit across both clusters. Call To Whistleblowers And Insiders If you are a current or former employee, contractor, compliance officer, card-program partner, exchange counterparty, merchant, casino operator, PSP, bank, EMI, or affected user with information about GoDeFi, GO DEFI CS s.r.o., Go Defi Corp., GammaG LLC, or their links to CoinsPaid, CryptoProcessing, Dream Finance, or the wider SoftSwiss orbit, contact FinTelegram confidentially via Whistle42. FinTelegram is particularly interested in: corporate records and shareholding documents, director and nominee arrangements, card-issuer and processor contracts, AML/KYC files, wallet and settlement architecture, correspondence about Georgia, Czech, or EU regulatory positioning, and any proof of common control or operational continuity. The public deserves clarity on whether GoDeFi is simply a new fintech wrapper around a legitimate service model — or whether it forms part of a broader migration pattern in which high-risk crypto rails reappear under new names, new jurisdictions, and cleaner consumer branding. Share Information via Whistle42

Exceleon Exchange — also presented through the older GoDeFi.eu environment — is marketed as a polished crypto-fintech gateway combining exchange, wallet, payment-account, and card functionality. But the legal disclosures behind that pitch describe a fragmented structure: a UK technology company, a Greek EU crypto operator, a Canadian non-EU crypto operator, and a separate EMI/card layer provided through the DiPocket group for a Greek partner. Public filings now add another important detail: the UK company’s control chain runs through NPM Technologies Limited to Mrs Niki Kaloudi. The result is a scheme that looked unified to users but was legally split across multiple entities, roles, and jurisdictions. Key Findings GoDeFi.eu was embedded in the Exceleon/Excelon ecosystem, not a separate unrelated site. Exceleon’s own privacy text referred to users visiting or logging into the godefi.eu platform. The Exceleon website described a split operator model: Excelon Financial Services Limited in the UK as technology provider; DEFI Technologies SMPC in Greece for EU exchange and wallet services; Global Money Gate Corp. in Ontario for non-European exchange, wallet, and crypto trading; and DiPocket UAB / DiPocket Limited providing the card and payment-account services for EMS TECHNOLOGY SMPC in Greece. The GoDeFi.eu / Excelon Exchange terms state that the exchange and wallet service is provided by DEFI Technologies SMPC and governed by Greek law. The exchange terms also imposed a material restriction: crypto bought through the service could not be transferred to an external wallet for 30 days after purchase, and the fiat on/off-ramp was tied to the separate Excelon E-money Service. DiPocket appears to be a separate regulated EMI infrastructure group, not part of the Exceleon group itself. On its own site, DiPocket splits customers between DiPocket UAB in Lithuania for EU residents and DiPocket Limited in the UK for UK residents. DiPocket UAB is listed by the Bank of Lithuania as an EMI holding a Lithuanian licence, valid from 2020-11-10. UK filings show the former Excelon Technologies Limited changed its name to Excelon Financial Services Limited in November 2025. In December 2025, NPM Technologies Limited became the PSC of the UK company, replacing Nikolaos Skondreas. NPM itself is controlled by Mrs Niki Kaloudi. Summary Table: Entities, Jurisdictions, Roles, And Control EntityJurisdictionStated or verified rolePublicly disclosed connectionExcelon Financial Services Limited (formerly Excelon Technologies Limited)United KingdomTechnology provider for the Exceleon app, XLON Chain, e-money services, and exchange servicesNamed in Exceleon’s legal footer as the technology provider; Companies House shows name change in Nov. 2025.DEFI Technologies SMPCGreeceEU-facing exchange and wallet operatorGoDeFi.eu terms say the service is “provided to you by DEFI Technologies SMPC”; footer says Excelon Exchange is operated by it from 92 Tatoiou St, Metamorfosi, Greece.Global Money Gate Corp.Ontario, CanadaNon-European exchange, wallet, and crypto-trading operatorExceleon legal footer says it serves non-European residents and is registered with FINTRAC for virtual-currency services.EMS TECHNOLOGY SMPCGreecePartner entity for the card/e-money layerExceleon says DiPocket UAB and DiPocket Limited provide the card and payment-account services for EMS TECHNOLOGY SMPC.DiPocket UABLithuaniaEMI for EU/EEA residentsDiPocket is regulated by the Bank of Lithuania; the BoL lists it as an EMI with licence valid from 2020-11-10.DiPocket LimitedUnited KingdomEMI for UK residentsDiPocket’s site says it serves UK resident customers and is regulated by the FCA.NPM Technologies LimitedUnited KingdomActive PSC of Excelon Financial Services LimitedCompanies House shows NPM was notified as PSC of the UK Excelon entity on 18 Dec. 2025.Niki KaloudiGreece / UK filingsPSC of NPM Technologies LimitedCompanies House shows Kaloudi controls NPM with 75%+ shares and voting rights and director-appointment rights.Nikolaos SkondreasGreece / UK filingsFormer PSC of the UK Excelon entityCompanies House shows he ceased as PSC on 18 Dec. 2025. Compliance Analysis 1. What Exceleon Exchange Was Selling To Users Exceleon marketed a seamless consumer-fintech proposition: open an account, receive an IBAN, order a Mastercard, hold crypto, exchange crypto for euros, move money globally, and manage everything in one app. The public-facing brand was designed to look unified and frictionless. The site explicitly pitched “future banking,” current accounts, cards, exchange, wallets, and crypto trading as parts of one digital-money experience. That matters because the legal architecture behind the user experience is far less unified than the branding suggested. The brand looked singular; the operator stack is not. 2. The Operator Stack Was Split Across Several Entities The Exceleon footer is unusually explicit. It says the website only provides information about products offered on the app, and then allocates those products across multiple entities: the UK company as technology provider, DEFI Technologies SMPC in Greece for EU exchange and wallet services, Global Money Gate Corp. in Canada for non-European crypto services, and DiPocket UAB / DiPocket Limited for card and payment-account services for EMS TECHNOLOGY SMPC in Greece. This is not just a legal footnote. It is the core of the scheme’s compliance posture. It shows a deliberate compartmentalization of roles by both function and geography. That can be legitimate, but it also means a user dealing with the Exceleon brand may actually be relying on different counterparties depending on whether the activity is crypto exchange, wallet use, fiat storage, or card issuance. 3. DEFI Technologies SMPC Was The Real EU Crypto Counterparty The strongest single operator statement sits in the GoDeFi.eu / Excelon Exchange terms:“This service is provided to you by DEFI Technologies SMPC,” a Greek company with registry code 166556101000. The same materials say Excelon Exchange is operated by that Greek entity from 92 Tatoiou Str, 14452, Metamorfosi, Greece. So while the UK company supplied the technology narrative, the disclosed legal counterparty for the EU-facing crypto exchange and wallet proposition was the Greek DEFI Technologies vehicle. That is a key distinction for any reader trying to understand who actually operated the crypto side of the scheme. 4. The Product Was More Controlled Than The Marketing Suggested The user-facing pitch emphasized freedom, convenience, and borderless digital finance. But the terms show a more tightly controlled environment. Most notably, the terms say that to prevent money laundering, users could not transfer virtual assets purchased through the Excelon Exchange Service to another wallet outside the service for 30 days after purchase. They also say users can deposit and withdraw fiat through the separate Excelon E-money Service. That is an important compliance signal. It suggests that the scheme was not offering a fully open crypto environment, but rather a more managed internal stack in which fiat flows, exchange activity, and outbound crypto mobility were constrained by internal controls and third-party processors. 5. The Relationship Between The Exceleon Group And The DiPocket Group This is where the new findings materially improve the picture. Based on the available disclosures, DiPocket appears to be a separate regulated EMI group that Exceleon was using as infrastructure for its card and payment-account layer, not a company inside the Exceleon group itself. Exceleon’s own footer says the Excelon Mastercard and payment accounts are provided by DiPocket UAB and DiPocket Limited for EMS TECHNOLOGY SMPC under their electronic-money-institution licence. DiPocket’s own site supports that interpretation. It does not present itself as part of Exceleon. Instead, it presents a standalone payments group with a dual-entity structure: DiPocket UAB for EU resident customers, regulated by the Bank of Lithuania, DiPocket Limited for UK resident customers, regulated by the FCA. The Bank of Lithuania independently lists DiPocket, UAB as an electronic money institution, holding a licence issued in Lithuania for non-limited activity, with the EMI licence valid from 2020-11-10. The most accurate interpretation, therefore, is this:Exceleon did not itself present as the EMI behind the card/account product. It presented as a branded front end that relied on the DiPocket group’s regulated EMI infrastructure, with EMS TECHNOLOGY SMPC inserted as the Greek partner in that arrangement. That does not mean DiPocket endorsed every other aspect of the Exceleon crypto proposition. It means the available information points to a service-provider / infrastructure relationship, not a unified group identity. On the present record, the safe conclusion is that the DiPocket group and the Exceleon group were distinct, but contractually connected through the card/e-money offering. 6. The UK Control Chain Is Now Much Clearer The UK corporate trail is no longer as opaque as before. Companies House shows that the former Excelon Technologies Limited changed its name to Excelon Financial Services Limited in November 2025. It also shows that on 18 December 2025, NPM Technologies Limited was notified as the PSC of the UK company and Nikolaos Skondreas ceased as PSC the same day. The next layer is also public: Companies House shows Mrs Niki Kaloudi as the active PSC of NPM Technologies Limited, with 75% or more of shares and voting rights and the right to appoint or remove directors. That means FinTelegram can now say, carefully and accurately, that the apparent ultimate control person of the UK Exceleon entity is Mrs Niki Kaloudi via NPM Technologies Limited. This proves the UK control chain. It does not, by itself, prove that Kaloudi is the ultimate beneficial owner of every Greek, Canadian, or partner entity in the broader Exceleon structure. 7. What The Current Record Still Does Not Prove The revised picture is much stronger, but there are still gaps. The public materials reviewed here do not prove: that the same ultimate owner controls every Exceleon-related entity across the UK, Greece, and Canada, that EMS TECHNOLOGY SMPC is owned or controlled by the DiPocket group, or that the later GoDeFi.me structure is formally the same enterprise as the older GoDeFi.eu / Exceleon structure. What the record does support is a more modest and defensible conclusion: Exceleon was a brand-led multi-entity structure, and its card/e-money layer relied on a separate regulated DiPocket infrastructure stack rather than an in-house EMI licence. Conclusion The revised evidence shows that Exceleon / GoDeFi.eu was not a simple crypto exchange brand. It was a multi-entity structure in which different legal actors handled different pieces of the user experience. The crypto exchange/wallet layer sat with DEFI Technologies SMPC in Greece for EU users, the broader technology shell sat in the UK, and the payment-account/card proposition appears to have relied on the separate DiPocket EMI group through a partner arrangement involving EMS TECHNOLOGY SMPC. The addition of the UK PSC trail materially strengthens the picture: the UK entity is now traceable through NPM Technologies Limited to Mrs Niki Kaloudi. But the broader cross-border ownership picture remains incomplete. That is the core FinTelegram takeaway: the structure is now clearer, but not yet fully transparent. Call To Insiders And Whistleblowers If you are a current or former employee, contractor, compliance officer, issuing-bank contact, EMI partner, PSP, technology vendor, exchange counterparty, or affected user with information about Exceleon Exchange, GoDeFi.eu, Excelon Financial Services Limited, DEFI Technologies SMPC, Global Money Gate Corp., EMS TECHNOLOGY SMPC, DiPocket UAB, DiPocket Limited, NPM Technologies Limited, or Mrs Niki Kaloudi, contact FinTelegram confidentially via Whistle42. FinTelegram is particularly interested in: shareholder and nominee documents, agreements involving EMS TECHNOLOGY SMPC and the DiPocket group, issuer and processor contracts, AML/KYC manuals, internal escalation or compliance correspondence, and any evidence clarifying whether the later GoDeFi.me scheme is merely similar — or part of the same underlying network. Share Information via Whistle42

First they steal your money. Then someone shows up promising to get it back. That is the ugly logic of the recovery-scam industry, and Trek Tech Corp fits far too many of the warning signs. The operation behind trektechcorp.net sells itself as a crypto recovery expert, but the public footprint points in a much darker direction: a young domain, very low trust ratings, spam-style promotional posts, miracle-recovery stories pasted across unrelated websites, and no clearly verified accountable operator. In plain English: this looks less like salvation and more like a second trap for people already wounded by the first scam. Key Findings Trek Tech Corp markets crypto recovery services and claims to recover stolen, hacked, or inaccessible digital assets through trektechcorp.net. The domain trektechcorp.net has a very low trust score, was first analyzed in early January 2026, and ScamDoc says the site is linked to multiple risk signals including a young domain, partial Whois identity, and suspected spam. Public web results show near-testimonial promotional stories for Trek Tech Corp appearing on unrelated forums, blogs, mailing lists, and even memorial/guestbook-style pages. Scamwatcher explicitly labels trektechcorp.net / trektechcorp1@gmail.com / TREK Tech Corp as a recovery scammer “company” targeting people who already lost money. Regulators warn that recovery scams specifically target previous scam victims, often by promising recovered funds or fast asset retrieval and then demanding payment or extracting more information. The Pitch Is Familiar. That’s The Problem. Trek Tech Corp sells the one thing desperate victims most want to believe in: a second chance. Its website promises crypto recovery, asset tracing, wallet help, fraud investigation, and digital expertise. On paper, that sounds polished. In reality, that is exactly the sort of language used by operators who know their audience is frightened, embarrassed, and easy to pressure. The real tell is not the website copy. It is the marketing footprint. Trek Tech Corp keeps turning up in the same kind of scripted “success story” posts that have become a trademark of the recovery-scam ecosystem: dramatic victim narrative, huge loss, emotional collapse, miracle referral, ultra-fast recovery, glowing thanks, then the direct plug for the website and email address. That is not how credible forensic firms, lawyers, or regulated professionals normally build trust. That is how lead funnels for desperate victims are built. And the credibility problem gets worse the closer you look. ScamDoc gives the site a 1% trust score and flags the domain as less than a year old, with only partial owner identification and a free-email style signal in the Whois data. Scamwatcher goes further and flatly describes it as a recovery scammer outfit. Standing alone, one warning page might not be decisive. But when you combine that with the spammy testimonial spread and the classic victim-targeting script, the picture becomes hard to ignore. Why This Smells Like A Second Scam Recovery scams thrive on the emotional wreckage left by the first fraud. Regulators have been explicit about this. New Zealand’s FMA says crypto recovery scams target people who have already lost money to previous scams. CIRO warns against “recovery” approaches that demand upfront money or make promises about getting lost crypto back. The model is brutally simple: find people in pain, offer hope, then monetize that hope. That is why Trek Tech Corp should be viewed through a hostile lens. The combination of young domain + opaque identity + spammy promotion + emotional testimonials + recovery promises is not a trust signal. It is a hazard pattern. Even if every single claim on the site were framed in polished language, the surrounding footprint still screams high-risk. FinTelegram Warning To Victims If you have already been scammed, do not let a second operator weaponize your desperation. Do not send Trek Tech Corp or similar outfits more money. Do not hand over wallet credentials, seed phrases, remote access, identity documents, or “release fees.” Do not trust miracle turnaround times, emotional testimonials, or comment-section referrals. Those are the mechanics of the recovery-scam pipeline. Victims who have lost funds should instead contact their bank, relevant exchanges, law enforcement, and competent legal or regulatory channels immediately. Real recovery work is slow, uncertain, document-heavy, and rarely sold through pasted comments on random websites. Boxed Explainer: How To Spot A Recovery Scam They find you after you’ve already been burned.That is the business model. Recovery scammers target prior victims. They promise speed, certainty, or guaranteed success.Fast crypto recovery claims are one of the biggest red flags in the sector. They push testimonials instead of verifiable credentials.If praise appears in random comment sections and unrelated forums, assume manipulation first. They want money, access, or sensitive information upfront.Fees, gas costs, tax clearance, release payments, remote access, or seed phrases are danger signs. Their legal identity is blurry.If you cannot clearly identify the responsible operator, jurisdiction, and accountable humans, walk away. Call To Whistleblowers Have you dealt with Trek Tech Corp / Trektech Corp / trektechcorp.net? Did you pay fees, receive wallet instructions, or see the same promotional stories planted across websites, forums, or media comment sections? FinTelegram invites victims, insiders, service providers, former contractors, hosts, domain intermediaries, and payment professionals to submit documents, emails, invoices, chat logs, wallet addresses, and related intelligence via Whistle42. Tips about Trek Tech Corp and other recovery scams may help expose the networks preying on fraud victims a second time. Share Information via Whistle42

At first glance, Payvision may look like an old scandal from the binary-options era. It is not. A newly reviewed EFRI dossier argues that Payvision did not merely sit in the background as a payment processor, but allegedly helped build, adapt, and preserve the payment rails that kept the Lenhoff/Barak fraud factories running. That matters now because the fallout is still alive: EFRI is pursuing claims in Amsterdam, criminal-file materials continue to be re-evaluated. The wider U.S. and T1/Payvision angle shows that similar allegations about European shell structures and high-risk processing also surfaced in U.S. litigation. Key Findings The dossier supports a “knowing facilitation” theory, not just a “missed red flags” theory. It says Payvision’s role went beyond technical processing and extended to merchant setup, MID migration, settlement continuity, and operational stabilization. Booker’s own reported statements are central. According to the dossier, he acknowledged knowledge of the real beneficial owners, the binary-options/CFD/crypto environment, extreme chargeback levels, and 273 suspicious transaction reports filed between August 2016 and January 2019. The MCC issue is explosive. The dossier says Payvision used MCC 6211 for platforms that allegedly lacked the required MiFID authorization, while also accepting MOTO/CNP flows and shell-merchant structures. The commercial-motive argument is plausible. The dossier ties scam-linked volume to fees, cash flow, and growth, and notes ING’s acquisition of 75% of Payvision at a reported €360 million valuation. There is external reinforcement for the control-failure narrative. ING has publicly stated that the Dutch criminal investigation into Payvision concerned conduct dating from before ING acquired the company, and ING’s disclosures noted the April 2024 Dutch-authorities decision to resolve that criminal investigation. The U.S. angle matters. Public Nevada records show Payvision B.V. was named as a defendant in Ibuumerang v. T1 Payments, alongside T1, Donald Kasdon, Amber Fairchild, and Pixxles. The Payvision Dossier There are processors that miss red flags. And then there are processors that, if the record holds up, look like they helped keep the scam machine humming. The Scam Infrastructure Facilitator That is the core force of the EFRI dossier. It does not describe Payvision as a passive bystander that got fooled by clever merchants. It describes Payvision as an allegedly active infrastructure partner in the Lenhoff/Barak ecosystem: a company that knew what kind of business it was processing, knew who stood behind the front entities, knew the fraud and chargeback metrics were terrible, and still kept the rails open. Read our reports on Payvision here. The dossier starts from a large and ugly factual base. It says German and Austrian criminal investigators identified a fraud complex involving platforms such as optionstars/global, xtraderfx, safemarkets, goldenmarkets, option888, xmarkets, tradovest, tradeinvest90, and zoomtrader/global, harming 59,345 European consumers for roughly €340 million between September 2015 and the January 2019 arrests. It identifies Payvision B.V. and its sister Acapture B.V. as the principal payment-service providers for those systems. FinTech Cowboys and Co-Conspirators Payvision Fintech Cowboys Rudolf Booker and Gijs op de Weegh Then the dossier gets more dangerous for Payvision. It says the company’s role did not stop at taking cards and sending money onward. It says the files document participation in setting up, adjusting, and continuing merchant and settlement structures. That is the difference between “processor” and “operator’s enabler.” If true, Payvision was not just near the fraud. It was allegedly helping preserve its plumbing. The material on the former Payvision CEO Rudolf Booker is especially damaging. According to the dossier, Booker confirmed that Payvision knew the connected platforms were offering binary options, and later CFD/crypto-related products, to retail customers; knew Lenhoff and Barak were the real economic actors behind formally different merchants; saw chargeback rates ranging from 2% up to 20% per month; and filed 273 FIU reports for possible money laundering or terrorist financing. That is not the profile of an ordinary merchant book. It is the profile of a business relationship screaming for shutdown. And yet the dossier says the business continued. The MCC 6211 Issue The MCC 6211 issue matters much in the Payvision scheme. The dossier says Payvision used a code associated with licensed broker or securities activity even though the connected platforms allegedly lacked the necessary MiFID authorization. It also says Payvision accepted MOTO flows and shell-style merchant structures that distorted the true risk and regulatory profile of the underlying activity. If accurate, that is not just sloppy compliance. It is a processing architecture that allegedly made dirty business look cleaner than it was. The dossier also offers a motive. It notes that ING bought 75% of Payvision at a reported €360 million valuation in early 2018 and argues that the high-risk volumes tied to Lenhoff/Barak were commercially meaningful. More volume meant more fees, more growth, and a better valuation story. That inference is commercially plausible even where intent remains contested. The T1 / U.S. Angle The dossier explicitly says similar allegations surfaced in U.S. cases between 2019 and 2022, including allegations that Payvision helped merchants build European company structures to obtain card-processing access. That matters because it shows the EFRI theory is not some one-off Austrian or German complaint. It echoes a broader pattern. Public Nevada records support that broader picture. In Ibuumerang, LLC v. T1 Payments LLC et al., Payvision B.V. was named as a defendant alongside T1 Payments LLC, T1 Payments Limited, TGlobal Services Limited, Donald Kasdon, Amber Fairchild, and Pixxles, Ltd. Public records do not clearly disclose the settlement terms for Payvision or ING in that U.S. case. What it does show is that the case existed, that Payvision was inside the T1 litigation orbit, and that later T1 bankruptcy materials treated the U.S. litigation landscape as part of the wider post-collapse fallout. So it is safe to state: Payvision was sued in the U.S. in the T1 orbit, and the public record supports that this litigation was later resolved or dismissed without publicly visible settlement detail in the materials reviewed. That is enough to make the editorial point: the allegation that Payvision allegedly helped structure European wrappers for high-risk underlying business was not confined to the Lenhoff/Barak files. It also showed up in U.S. litigation connected to T1 Payments. FinTelegram Take The dossier’s real punch is simple. It does not depict Payvision as a processor that merely failed to act fast enough. It depicts Payvision as a company that allegedly helped industrialize the payment rails of fraud — and kept doing so while the warning lights flashed red. If that reading of the files is right, then Payvision’s role was not incidental. It was infrastructural. And that is exactly why this is a hot case again. Whistle42 CTA FinTelegram invites whistleblowers, former Payvision staff, merchants, compliance officers, and victims with information on Payvision, Rudolf Booker, ING, T1 Payments, or related merchant structures to contact us via Whistle42. Confidential submissions help expose the payment architecture behind cyberfinance fraud. Share Information via Whistle42

The Court of Justice of the European Union has delivered a brutal blow to the cross-border online casino model. In Case C-440/23, European Lotto and Betting and Deutsche Lotto- und Sportwetten, the CJEU ruled on 16 April 2026 that EU law does not stop a Member State from banning certain online gambling services even when the operator is licensed in another EU country such as Malta. Worse for the casino industry, the Court also confirmed that those illegal offers may carry civil-law consequences: the gambling contract may be treated as void, and players may sue to recover their losses under national law. For the Malta casino crowd, this is more than a legal setback. It is a crack in the business model. Key Findings The CJEU held that EU law does not preclude a Member State from prohibiting certain online gambling services that are licensed in another Member State. The Court said such prohibitions may legitimately pursue consumer protection, prevention of gambling addiction, protection of social order, and channeling gambling into controlled circuits. The judgment confirms that a later shift to a licensing model, such as Germany’s 1 July 2021 reform, does not retroactively wipe out the earlier prohibition. The Court also held that EU law does not preclude nullity of the gambling contract and civil restitution claims for losses incurred under the prohibited regime. The reference arose from a dispute involving Malta-licensed operators whose services were accessible in Germany, where a player incurred losses between June 2019 and July 2021 and sought recovery. Compliance Analysis The Malta excuse just took a hit For years, the offshore casino pitch was simple: we are licensed in Malta, we are in the EU, therefore we are legitimate. That line has now taken a serious beating. In C-440/23, the CJEU made clear that a gambling licence in one Member State does not act like an EU passport for online casinos targeting consumers in more restrictive jurisdictions. Gambling remains an area without full EU harmonization, and Member States still have broad room to decide how far they want to go in restricting online casino products. That is the core message: Malta licensing does not neutralize German law, or any other national law that validly bans the product. What the case was really about The case involved European Lotto and Betting Ltd and Deutsche Lotto- und Sportwetten Ltd, two companies licensed by the Malta Gaming Authority. Their online services were available in Germany. Between June 2019 and July 2021, a Germany-based player used those services and lost money. During that period, German law still broadly prohibited certain online games of chance, including the products at issue in the case, before the later reform that took effect on 1 July 2021. The player’s claim ended up before a Maltese court, which asked the CJEU whether EU law — especially the freedom to provide services — blocked Germany from maintaining that prohibition and from attaching civil consequences to it. The Court’s answer was effectively: No. It does not. The Court did not blink The judges accepted the standard anti-gambling arguments that regulators love and operators hate: online gambling can create particular risks because it is available continuously, takes place in isolation, reduces social control, may encourage excessive frequency of play, and can be especially dangerous for vulnerable persons and younger users. On that basis, the Court said Member States can try to channel gambling into supervised structures and suppress parallel markets. That matters because it kills the lazy narrative that national restrictions are automatically protectionist or anti-single-market nonsense. The Court did not buy that. The real bomb: players may sue for the money back This is the part that will terrify the illegal-casino ecosystem. The CJEU expressly said EU law does not preclude national rules under which gambling contracts concluded in breach of the prohibition are void, and under which players may bring civil actions to recover lost stakes. The final mechanics still depend on national law, of course. But the big EU-law umbrella defense has been badly damaged. That means operators can no longer wave the EU flag and pretend that player restitution cases are obviously incompatible with the single market. The Court just made clear they are not. The German reform did not save the old conduct One of the casino industry’s favorite talking points has been that Germany moved to a regulated licensing regime on 1 July 2021, so the earlier prohibition must have been defective, obsolete, or incompatible with EU law. The CJEU rejected that shortcut. A later policy change does not automatically invalidate the earlier ban. That is devastating for operators facing claims tied to the pre-July-2021 period. They cannot simply say: Germany later legalized parts of online gambling, therefore our earlier German-facing operations were fine all along. The Court did not give them that escape route. What this means for players at illegal casinos Players should not misunderstand the ruling. This is not an automatic jackpot. The Court did not say every player in every EU country automatically gets every euro back. What it did say is far more useful in practice: where a Member State validly prohibited the gambling offer, and where national law allows nullity and restitution, EU law does not stand in the way. That is a strong pro-player result. It strengthens claims by players who lost money with operators targeting them during periods when the relevant products were prohibited in their home market. It also weakens the industry line that the player’s mere use of a foreign-licensed site is enough to label the claim abusive. The Court indicated that foreign licensing alone is not enough to prove abuse of rights under EU law. In plain English: players at illegal casinos now have a clearer EU-law runway to sue for restitution, if their national law supports it. Why this matters beyond the operators This ruling is bad news not just for the casinos themselves, but for the entire support system around them. If the underlying gambling offer can be treated as unlawful and the contract can be voided, then the legal and compliance heat rises for everyone riding that traffic: payment processors, open-banking providers, affiliate networks, merchant acquirers, payment agents, KYC vendors, and platform intermediaries. That broader implication is an inference rather than an express holding of the Court, but it follows naturally from the Court’s acceptance that illegal online gambling can produce real civil-law fallout. For FinTelegram’s long-running work on illegal casinos and payment rails, this is exactly the point. Once the operator’s legal footing weakens, the payment chain starts to look much more dangerous too. FinTelegram Take This is a serious defeat for the Malta casino defense industry. The CJEU did not abolish cross-border online gambling. But it did demolish the lazy fiction that a Malta licence magically disinfects gambling offers aimed at consumers in restricted markets. It also handed players and claimant lawyers a much stronger weapon: EU law is no longer the easy shield operators hoped it would be when players sue for losses from illegal offers. For years, the offshore gambling crowd sold the same line to PSPs, banks, service providers, and maybe even themselves: licensed in Malta, therefore legitimate in Europe. The Court has now reminded them that Europe does not work that way. National gambling law still bites. And when it bites, it can bite hard. Conclusion The ruling in C-440/23 is one of the most important recent judgments in the EU online gambling fight. It confirms that Member States may ban certain online casino and gambling products despite foreign EU licences, may preserve the civil effects of those bans, and may allow players to pursue recovery of losses under national law. For illegal-casino operators, this is a warning shot. For players, it is an opening. For the payment and compliance ecosystem surrounding offshore gambling, it is a message that the risk perimeter around illegal casino flows has just expanded. If you have internal documents, legal memos, payment-routing files, merchant onboarding records, or compliance reports relating to illegal EU-facing online casinos, send them securely to Whistle42.