A German player’s GDPR request, reviewed by FinTelegram, has exposed a critical compliance issue: the Cyprus-regulated EMI Payabl processed multiple credit card deposits to Santeda International Limited, the payment agent behind offshore casino GoldenBet, which operates without an EU license. Despite being alerted to the illegality and the player’s gambling addiction, Payabl refused refunds, citing lack of a direct contractual relationship. The case raises serious questions about AML, gambling compliance, and the effectiveness of regulatory oversight — especially in light of the Central Bank of Cyprus’ major penalty against Payabl in 2025. Key Findings Confirmed transaction processing: Payabl (payabl.com) provided a transaction list (reviewed by FinTelegram) showing multiple successful payments to Santeda International Limited totaling €565.00 Merchant identification is clear: All transactions carry the descriptor SantedaInternationalLimited, eliminating ambiguity about the merchant. Payabl acknowledges role as PSP: The company confirms it provides payment services to its “clients” (i.e. merchants like Santeda). Refund refusal: Payabl declined to process refunds because the player is “not a direct contractual client.” Legal notice given: The player explicitly informed Payabl that Santeda operates illegal gambling services in Germany and referenced the Glücksspielstaatsvertrag (GlüStV 2021). MiFinity simulation confirms payment agent: Deposits are routed to Santeda International Limited as beneficiary (screenshot evidence). Responsible gambling failure: Player had prior self-exclusion history and declared gambling addiction, yet deposits were processed. Transaction Evidence: Direct Link To Santeda The transaction file provided by Payabl is the strongest possible evidentiary element. It shows: Merchant: Santeda International Limited Card payments: Multiple Mastercard transactions Dates: August 2025 Status: All marked “Successful” There is no intermediary masking in the descriptor. This is critical: Payabl processed payments directly attributable to Santeda — not an unknown gateway or disguised merchant. GoldenBet & Santeda: The Illegal Gambling Context The whistleblower’s statement — supported by the transaction data — establishes: GoldenBet is operated by Santeda Group No EU / German license exists German law (GlüStV 2021) explicitly: prohibits unlicensed gambling prohibits facilitating payments for such operators The player explicitly notified Payabl: the operator is unlicensed contracts are legally void refunds are legally required (unjust enrichment doctrine) prior court rulings exist against related Santeda brands This transforms the case from a “possible compliance issue” into a “known-risk scenario explicitly escalated to the PSP.” Payabl’s Response: The Critical Compliance Position Payabl’s official response is revealing: “As you do not have a direct contractual relationship… we are unable to… execute a refund.” Interpretation: Payabl is asserting: It serves merchants (Santeda) Not end users (players) This is technically correct under payment-services structure — but compliance-relevant incomplete. Compliance Analysis: Where The Problem Lies 1. Knowledge Threshold Is Met Payabl was informed that: Santeda operates illegally in Germany The player is a gambling addict The transactions are legally void litigation history exists From that point onward: Payabl cannot be considered unaware of the risk. 2. Merchant Risk Is Not Hypothetical — It Is Identified The transaction list: names Santeda explicitly shows repeated payments confirms ongoing merchant activity This is not a hidden merchant scenario This is direct merchant exposure 3. Payment Facilitation Risk Under EU Law Under EU AML and national gambling laws: Payment institutions must: assess merchant legality monitor transaction purpose detect illegal activity patterns file SARs where appropriate In Germany (GlüStV): Payment facilitation for illegal gambling is prohibited 4. Responsible Gambling Failure The player states: prior self-exclusion (2022) gambling addiction disclosed operator ignored safeguards If true, this creates: enhanced duty of care heightened transaction risk For a PSP: repeated deposits under such conditions are a red flag potential indicator of exploitation / harmful use The 2025 Central Bank of Cyprus Penalty The Central Bank of Cyprus (CBC) imposed a major AML-related penalty on Payabl in 2025. Note: On 12 December 2025, Payabl. Cy Ltd registered Appeal no.1405/2025 before the Administrative Court against the decision of the CBC. What the penalty indicates: Although framed as AML deficiencies, such penalties typically relate to: inadequate transaction monitoring weak merchant due diligence insufficient risk classification failure to detect high-risk flows Interpretation in the GoldenBet context The GoldenBet/Santeda case fits exactly into the risk category highlighted by such penalties: CBC Risk CategoryGoldenBet CaseHigh-risk merchant exposureSanteda (offshore casino)AML monitoring gapsrepeated gambling depositsLegal/regulatory mismatchillegal in Germanyconsumer harm indicatorsgambling addiction disclosedtransaction pattern riskmultiple small deposits Therefore: The GoldenBet case can be interpreted as a real-world manifestation of the systemic weaknesses that led to the CBC penalty. Conclusion This case is not speculative. It is documented, traceable, and acknowledged by the PSP itself. Payabl processed payments to Santeda Santeda operates GoldenBet GoldenBet operates without EU license Payabl was informed of this Payabl declined intervention This creates a clear compliance tension between contractual PSP structurevs. regulatory obligations (AML + gambling law) Whistle42 Call FinTelegram invites insiders from: Payabl Santeda Group MiFinity acquiring banks compliance teams to submit: merchant onboarding files risk assessments SAR filings internal alerts transaction monitoring logs via Whistle42. Share Information via Whistle42

Whistleblower evidence reviewed by FinTelegram indicates that casino deposits may pass through a layered redirect chain before reaching the Paysolo open-banking gateway. The observed flow — Pagagate → Impaya.online → Aceiro.online → openbanking.paysolo.net — suggests that Impaya and Aceiro may function as intermediate routing or masking layers between casino-facing payment gateways and the open-banking execution stack involving Paysolo, Pellopay, Yapily and Revolut. Key Findings The observed video/screenshot evidence shows a sequential redirect flow: pagagate.com → impaya.online → aceiro.online → openbanking.paysolo.net. Impaya publicly presents itself as an e-commerce payment-solutions provider offering online payment systems and customised payment technology. Impaya identifies NewTech Mobile SIA as its EU representative, registration number 40103709254, at Skanstes str 7 k1, Riga, Latvia. LinkedIn profiles connect Sergejs Roslikovs to Impaya and NewTech, with Roslikovs described as CEO of IMPAYA Payment System and CEO of NewTech SIA. Aceiro appears in the live payment path, but public-source corporate attribution is not yet confirmed. It should be treated as a technical routing/domain lead. The downstream Paysolo layer is not merely theoretical: Paysolo markets itself as a EUR–crypto bridge and virtual IBAN provider, including SEPA/SWIFT rails and crypto conversion. The Pellopay layer appears later in the payment consent text, while Pellopay publicly describes API-based payment integration, payment traceability, settlements, bank transfers, digital wallets and support for methods including Revolut. The Observed Flow Based on the whistleblower video and screenshots, the payment journey appears to move through the following sequence: Casino deposit page → Pagagate → Impaya.online → Aceiro.online → openbanking.paysolo.net → Pellopay/Yapily consent layer → bank selection, including Revolut EU This is a materially important finding. It shows that before the player even reaches the Paysolo open-banking page, there may already be two additional routing layers — Impaya and Aceiro — sitting between the casino-facing gateway and the open-banking interface. Why Impaya And Aceiro Matter We also found Aceira.online and Paysolo in the open banking payment rails of other casino and sports betting sites that operate without the proper license through payment agents in Cyprus. Betify is another example. As such, this payment rail setup involving Aceira and Impaya, centered around Paysolo, is common in this high-risk segment. Impaya and Aceiro appear to operate in the pre-Paysolo layer. Their role is not visibly explained to the user. In the screenshots, both domains display generic “Payment processing … Please wait, your payment is being processed” pages. That makes them important for compliance analysis because they may perform one or more of the following functions: Possible FunctionCompliance RelevanceRedirect orchestrationBreaks visibility of the original merchant journeyPayment-session handlingMay generate or preserve order/payment tokensGateway maskingMay separate casino brand from bank-facing payment layerRisk-routing logicCould select Paysolo/open banking depending on player country or bankMerchant abstractionMakes it harder to identify who the merchant of record is Impaya.online and Aceiro.online appear in the observed payment path between casino-facing gateways and Paysolo’s open-banking interface. The New Architecture: A Layered Casino Payment Stack The working Rail Atlas model now becomes more precise: Offshore casinos ↓Pagagate / Urbenics ↓Impaya.online ↓Aceiro.online ↓openbanking.paysolo.net ↓Pellopay Finance LTD ↓Yapily Connect ↓Revolut / other banks This is not a conventional payment chain. It is a composable payment stack in which each layer may be operated by a different entity, hosted under a different domain, and subject to different regulatory visibility. Compliance Analysis 1. The “Processing Page” Pattern Both Impaya and Aceiro appear as neutral processing screens. Such pages can be legitimate in ordinary payment orchestration. But in a high-risk gambling context, they can also reduce transparency by preventing the user, bank, or investigator from seeing the full merchant chain at once. The question is not whether a processing page is illegal. The question is whether the processing page is used to strip context before the transaction reaches open banking. 2. Impaya’s Public Positioning Impaya publicly describes itself as a payment-solutions provider offering scalable, secure online payment systems and customised solutions. Its LinkedIn profile similarly presents Impaya as a “full-package solution” with legal support and online payment technology. That public positioning fits the role seen in the payment flow: Impaya may be providing gateway or orchestration technology. However, FinTelegram should request confirmation before making any definitive statement about its contractual role. 3. NewTech Mobile And The Latvian Link The whistleblower identified NewTech Mobile SIA as Impaya’s EU representative. Public search results for Impaya confirm NewTech Mobile SIA, registration number 40103709254, as the EU representative shown on Impaya’s own site. This is relevant because it gives regulators and counterparties a concrete EU contact point for questions about the observed casino-payment routing. 4. Aceiro: The Most Opaque Layer Aceiro is currently the weakest attribution point. The domain appears in the live payment path, but the public corporate operator is not yet established. That makes it a classic Rail Atlas target: a domain-level routing layer whose ownership, contractual role, and regulatory status require further investigation. Evidence & Confidence Table Entity / LayerObserved RoleEvidence TypeConfidencePagagate.comCasino-facing gateway / first visible payment hopScreenshot/video + SimilarWeb contextCorroboratedImpaya.onlinePayment-processing redirect layerScreenshot/videoCorroboratedImpayaimpaya.com Latvia-based payment solutions providerPublic website and LinkedInConfirmedImpaya Payments LtdCanadian payment solutions providerPublic information via websiteConfirmedPaytech Solutions PTE LTDSingapore representative for ImpayaPublic information via websiteConfirmedNewTech Mobile SIAnewtech.lvImpaya EU representativeImpaya public disclosureConfirmedSergejs RoslikovsImpaya CEOPublic professional profiles (LinkedIn)ConfirmedAceiro.onlineIntermediate payment-processing layerScreenshot/videoCorroboratedopenbanking.paysolo.netPaysolo bank-selection layerScreenshot/videoConfirmedPellopay Finance LTDPayment consent / initiation layerScreenshot/video + public siteCorroboratedYapily Connect UABOpen-banking connectorPayment footer / public open-banking roleCorroboratedRevolutBank option / downstream endpointScreenshot/videoConfirmed Questions To Impaya / NewTech Mobile Does Impaya operate or control impaya.online? Does Impaya provide cashier, routing, gateway, or payment-processing services to Pagagate, Urbenics, Paysolo, Pellopay, or casino operators? What is the relationship between Impaya, NewTech Mobile SIA, Aceiro and Pagagate? Does Impaya process or route payments for Luckzie.io, Kingdomcasino.io, Jinxcasino.io, Kingdomcasino6.io, or related casino brands? What merchant due diligence is performed for gambling-related clients? Does Impaya identify the underlying casino merchant to downstream partners? Does NewTech Mobile SIA act as a regulatory representative, technical operator, merchant reseller, or contractual counterparty? Has Impaya received complaints or refund requests regarding casino payments? Does Impaya support open-banking payment flows via Paysolo, Pellopay or Yapily? Who is the merchant of record in the observed €50 casino deposit flow? Questions To Aceiro Who owns and operates aceiro.online? Is Aceiro a payment processor, routing domain, white-label gateway, merchant platform, or affiliate technology layer? Why does Aceiro appear between Impaya and Paysolo in the observed casino payment journey? Does Aceiro maintain transaction logs identifying the original casino merchant? Which PSPs, PISPs or open-banking providers does Aceiro connect to? Regulatory Assessment The Impaya/Aceiro layer is the point where payment opacity appears to intensify. A player starts in a casino environment, but by the time the journey reaches Paysolo and then Pellopay/Yapily, the origin may be reduced to a technical payment session. For regulators, this raises three issues: Merchant transparency: Can the bank or PISP see the original casino brand? Consumer protection: Does the player understand that the payment may become an open-banking transfer without card-style chargeback rights? AML/CTF and gambling compliance: Are unlicensed casino payments being routed through payment layers that avoid MCC 7995-style detection? Conclusion The Impaya/Aceiro evidence gives FinTelegram’s Rail Atlas a sharper view of the upstream routing layer. Paysolo is the visible open-banking gateway. Pellopay and Yapily appear to sit behind it. But Impaya and Aceiro appear before it, acting as the tunnel between the casino-facing payment gateway and the regulated/open-banking stack. This is precisely where the compliance risk becomes most serious: the original gambling context may be fragmented before the payment reaches banks such as Revolut. FinTelegram’s working hypothesis is therefore: Impaya and Aceiro may function as intermediate routing layers in a multi-hop casino-payment architecture that feeds Paysolo’s open-banking gateway and downstream bank APIs. This requires direct responses from Impaya, NewTech Mobile, Aceiro, Paysolo, Pellopay, Yapily and Revolut. Whistle42 Call FinTelegram invites payment insiders, gateway operators, casino employees, compliance officers, open-banking providers and affected players to submit information confidentially via Whistle42. We are specifically seeking URL logs, redirect chains, merchant contracts, settlement records, payment descriptors, KYC files, correspondence with Impaya/NewTech Mobile, and evidence identifying the operator of Aceiro. Share Information via Whistle42

New whistleblower evidence reviewed by FinTelegram appears to show a Dutch-facing casino deposit flow moving from Kingdomcasino into openbanking.paysolo.net, where users are offered banks including Revolut, Rabobank, N26, SNS Bank and Wise. The payment page itself states that the user agrees to allow “Pellopay Finance LTD partners Yapily Connect” to initiate the payment. The evidence strengthens FinTelegram’s working hypothesis that anonymous gateways, open-banking providers, fiat/crypto bridge operators and Revolut’s Open Banking API may form a layered casino-payment corridor. Key Findings Video evidence shows a live casino deposit journey. The uploaded video begins on kingdomcasino6.io, showing a €50 deposit page in Dutch with card, iDEAL, instant bank transfer and crypto options. The user is redirected to Paysolo. The payment flow moves to openbanking.paysolo.net, displaying the Paysolo logo, order number 2026040239881439, total €50.00, and a Dutch-language bank-selection interface. Revolut EU is offered as a bank option. The Paysolo page lists N26, Rabobank, Regio Bank, Revolut EU, SNS Bank and Wise. Pellopay and Yapily appear in the payment consent text. The footer states that by using the service, the user agrees to allow Pellopay Finance LTD partners Yapily Connect to initiate the payment. Yapily publicly markets open-banking infrastructure for payments and lists iGaming as a supported solution category. Yapily’s website says it supports payments and data across consumer and business accounts, and specifically describes open-banking payments “built for iGaming.” Open Banking Limited lists Yapily Connect Ltd as an open-banking regulated provider connecting to banks across 19 countries. NewTech Mobile SIA appears relevant to Impaya. Public Latvian company data identifies NewTech Mobile SIA, registration number 40103709254, at Skanstes iela 7 k-1, Riga, matching the whistleblower’s stated EU representative information. Impaya publicly presents itself as an e-commerce payment-solution provider. Its website describes a “full-package solution” for businesses. Read our Revolut Rail Atlas reports here. The Payment Flow Observed Based on the uploaded video and screenshot evidence, the observed chain appears as follows: Kingdomcasino6.io → payment interface / possible Impaya-linked URL layer → openbanking.paysolo.net → Pellopay / Yapily Connect consent layer → bank selection → Revolut EU and other banks This does not yet prove contractual responsibility by every named party. But it does show a live user journey where a casino deposit flow ends at a Paysolo-branded open-banking bank-selection page and references Pellopay, Yapily Connect and Revolut EU as part of the payment environment. From Kingdom Casino to Revolut: The Multi-Layered Payment Flow The observed payment flow shows that openbanking.paysolo.net functions as a user-facing open-banking gateway, while Pellopay Finance LTD appears at the payment-consent layer as the payment initiator. Casino↓Pagagate (entry gateway / cashier)↓Impaya (processing / routing layer)↓Aceiro (intermediate routing / alias layer)↓Paysolo (open banking UI gateway)↓Pellopay (payment initiator / backend PSP)↓Yapily (regulated Open Banking connector)↓Bank (Revolut, Rabobank, etc.) The upstream routing chain — including Pagagate, Impaya and Aceiro — indicates a multi-layered payment orchestration structure in which different entities handle gateway access, routing, and execution separately. This fragmentation may obscure the original merchant context before the payment reaches regulated banking infrastructure. The Paysolo payment page identifies “Pellopay Finance LTD” in the consent layer. Public materials on Pellopay.com describe Pellopay Finance Ltd as a Canada-registered payment-processing company offering API-based payment integration, payment links, bank transfers, digital wallets and support for methods including Revolut. This supports the assessment that Pellopay acts as a backend payment-processing or orchestration layer in the observed Paysolo open-banking flow, while Yapily Connect appears to provide the regulated open-banking connectivity. If Impaya or related operators provide the gateway front-end, then the observable payment chain may be broader than Paysolo alone: Casino brand → Impaya / Aceiro / gateway layer → Paysolo open banking → Pellopay / Yapily Connect → Revolut EU Evidence & Confidence Table Entity / Rail ElementObserved RoleEvidence TypeConfidenceKingdomcasinoCasino deposit originUploaded videoCorroboratedPaysoloopenbanking.paysolo.netBank-selection / Paysolo payment pageUploaded video + screenshotConfirmed in evidenceRevolutListed bank optionUploaded screenshot/videoConfirmed in evidencePellopay Finance LTDNamed in payment-consent footerUploaded screenshot/videoConfirmed in evidenceYapily ConnectNamed as payment-initiation partnerUploaded screenshot/video + public open-banking recordsCorroboratedImpayaAlleged URL/payment-flow layerWhistleblower statementIndicatedNewTech Mobile SIAAlleged EU representative / Impaya-linked entityWhistleblower statement + Latvian company recordIndicatedAceiroAlleged name in payment linksWhistleblower statementIndicated Compliance Analysis 1. Open Banking Replaces Chargeback Logic The whistleblower’s complaint highlights a key consumer-protection issue: where payments are made through open banking, the user may not have the same practical chargeback route as with card payments. That matters in gambling flows, where disputes, failed withdrawals, and merchant opacity are frequent. 2. Yapily’s iGaming Positioning Creates A Compliance Question Yapily openly presents iGaming as one of its supported solution categories and says its open-banking payments can cut fees and improve first-time player deposit success. That is not improper by itself. Licensed iGaming is a legitimate industry. But if the same rails appear in unlicensed or offshore casino environments targeting Dutch users, the compliance question becomes acute. 3. Revolut Appears As A Downstream Bank Option The Paysolo page offers Revolut EU among the selectable banks. That does not prove Revolut has a direct relationship with the casino or Paysolo. But it shows that the player journey can be routed toward Revolut through an open-banking interface. 4. Paysolo Sits At The Critical Conversion Point Paysolo’s presence is significant because earlier Rail Atlas findings already placed openbanking.paysolo.net in a traffic corridor involving Pagagate, Urbenics and oba.revolut.com. The new video now adds transaction-level context: a casino deposit journey visibly reaches the Paysolo bank-selection layer. Questions To Send To The Parties To Paysolo Is Paysolo the operator of openbanking.paysolo.net? Does Paysolo process payments for Kingdomcasino6.io, Luckzie.io, Jinxcasino.io, Pagagate, Urbenics, Impaya, Aceiro or Pellopay? Does Paysolo screen upstream merchants for gambling activity and Dutch licensing status? To Pellopay What is Pellopay Finance LTD’s role in the observed Paysolo payment page? Is Pellopay the merchant, payment initiator, technical service provider or contractual PSP? Does Pellopay onboard or monitor casino-related merchants? To Yapily Was Yapily Connect involved in the payment initiation shown in the uploaded evidence? Does Yapily allow its infrastructure to be used for offshore casino deposits targeting Dutch players? What upstream merchant information is passed to banks such as Revolut? To Revolut Does Revolut detect that these open-banking flows originate from casino deposit journeys? Does Revolut monitor Paysolo, Pellopay, Impaya, Pagagate or Urbenics as high-risk open-banking corridors? Are payments to unlicensed casino operators blocked when they arrive through open-banking intermediaries? To Impaya / NewTech Mobile / Aceiro What role do Impaya, NewTech Mobile and Aceiro play in the observed payment links? Are these entities providing gateway or cashier technology for offshore casinos? Who is the merchant of record in the observed transaction flow? Conclusion The new evidence gives FinTelegram a stronger transaction-level case study. It shows a casino deposit flow reaching Paysolo, presenting Revolut EU as a bank option, and naming Pellopay Finance LTD and Yapily Connect in the payment-consent layer. This does not prove knowing facilitation by Revolut, Yapily, Paysolo, Pellopay or Impaya. But it does show how open banking can be embedded inside casino-payment journeys in ways that may obscure the underlying merchant, weaken chargeback protections, and shift risk into account-to-account payment rails. For regulators, the message is simple: the casino-payment perimeter has moved from card acquiring to open banking.

FinTelegram’s first Revolut Rail Atlas follow-up zooms in on openbanking.paysolo.net, a payment gateway that appears to sit between anonymous casino-facing gateways and Revolut’s Open Banking API. SimilarWeb screenshots indicate that all referring traffic to openbanking.paysolo.net came from the anonymous payment gateways Pagagate and Urbenics in March 2026, while more than 78% of outgoing traffic reportedly went to oba.revolut.com. The working hypothesis: Paysolo may represent a crypto/open-banking bridge inside a layered casino-payment architecture. Key Findings Paysolo’s public corporate site identifies Paysolo O.O.D. as a Bulgarian company with registration number 207268330, registered as a provider of virtual/fiat exchange services in Bulgaria’s National Revenue Agency VASP register. Paysolo markets itself as a EUR-to-crypto bridge and virtual IBAN provider, offering SEPA/SWIFT-based fiat-to-crypto services. The open-banking gateway openbanking.paysolo.net is live and publicly returns a minimal version page, supporting its operational existence. SimilarWeb screenshots show a suspicious traffic funnel: Pagagate and Urbenics as the only visible referring domains to openbanking.paysolo.net, and oba.revolut.com as the dominant outgoing destination. Pagagate and Urbenics appear in FinTelegram’s casino-rail observations, suggesting the Paysolo gateway may sit inside an offshore iGaming payment chain. This remains a working hypothesis pending payment-test evidence, registry/DNS linkage, and merchant documentation. The relationship between paysolo.io and paysolo.net is plausible but should be framed carefully. paysolo.io is the corporate/marketing site; paysolo.net presents as “PaySolo – Your payment partner” and references “Newtech Mobile,” so the precise legal/operator linkage requires further verification. Revolut Rail Map: The Paysolo Corridor Similarweb statistics for Paysolo.net for March 2026 The observed traffic pattern suggests the following payment architecture: Casino-facing gateway → Pagagate / Urbenics → openbanking.paysolo.net → Revolut Open Banking API → Revolut account This is exactly the type of multi-layered open-banking rail FinTelegram identified in the Revolut Rail Atlas opener. The key issue is not merely that Revolut appears as a bank destination. The issue is that Revolut appears downstream of gateways that, based on traffic intelligence, are connected to casino environments. Read our initial Revolut Rail Map report here. Paysolo: Crypto Bridge, Virtual IBAN Provider, Or Casino-Rail Middleware? Paysolo’s own materials describe a platform offering virtual IBAN services, crypto-asset exchange, payment processing, SEPA, and fiat-to-crypto conversion. Its website says users can send EUR via SEPA or SWIFT to a Paysolo virtual IBAN, convert EUR to crypto, and withdraw crypto to external wallets. That profile is highly relevant in the casino-payment context. Offshore casino operators increasingly need rails that can move user money from bank accounts into crypto or quasi-crypto settlement environments. A VASP-style bridge with open-banking intake, virtual IBANs, and crypto withdrawal functionality may therefore become a critical conversion layer. FinTelegram does not state at this stage that Paysolo knowingly services illegal casinos. The more precise finding is that openbanking.paysolo.net appears, based on the supplied traffic screenshots, to receive traffic from casino-facing gateways and to send substantial outgoing traffic to Revolut’s Open Banking endpoint. Read all Revolut Rail Atlas reports here. The SimilarWeb Evidence The uploaded SimilarWeb screenshots indicate the following March 2026 pattern: Domain analysedFindingCompliance interpretationopenbanking.paysolo.netReferrals: Pagagate.com 83.31%, Urbenics.com 16.69%;Outgoing traffic: openbanking.paysolo.net 80.40%100% visible referral traffic from two gateway domains;Revolut appears to be the dominant downstream bank/API destinationpagagate.comOutgoing traffic: openbanking.paysolo.net 46.83%, aphrodite1.casino 19.31%Pagagate appears connected to both Paysolo and a casino domainurbenics.comReferrals include Boomerang Bet, Casinoly, Posido, Vegasino, Skyhills;Outgoing traffic: openbanking.paysolo.net 80.40%Urbenics appears casino-facing; Paysolo appears as the dominant downstream endpoint FinTelegram understands that openbanking.paysolo.net recorded more than 309,000 visits in March 2026. This is not a fringe technical endpoint. It is a meaningful traffic node. Why This Matters For Revolut In the Revolut Rail Atlas opener, FinTelegram identified a broader pattern: offshore casino sites often route payments through anonymous gateways and open-banking intermediaries before landing at bank APIs, including Revolut’s oba.revolut.com. The Paysolo case gives that model a sharper structure: Urbenics / Pagagate → Paysolo open-banking gateway → Revolut Open Banking This raises several questions: Does Revolut see only the final open-banking payment instruction, or can it detect the upstream casino/gateway context? Does Revolut monitor repeat traffic from high-risk open-banking intermediaries? Does Revolut classify flows from Paysolo as crypto, open banking, virtual IBAN, merchant payment, or customer-authorised account transfer? Does the gateway chain obscure whether the underlying transaction relates to gambling, crypto conversion, or both? The compliance concern is the possible blending of three high-risk categories: offshore gambling, open banking, and fiat-to-crypto conversion. Corporate & Regulatory Footprint Paysolo’s public website identifies Paysolo O.O.D., Bulgaria, company registration number 207268330, as the relevant legal entity and states that it is registered in Bulgaria’s National Revenue Agency VASP register. Its terms define the platform as including paysolo.io, app.paysolo.io, associated mobile applications, virtual IBAN services, crypto-asset exchange, and payment processing. This matters because VASP registration is not a licence to process illegal gambling flows. A VASP handling fiat-to-crypto conversion must still manage AML, source-of-funds, transaction-monitoring, sanctions, fraud, and high-risk merchant exposure. If casino-originated flows are entering the system via Pagagate or Urbenics, the compliance question becomes unavoidable. Evidence & Confidence Table Entity / Rail ElementObserved RoleEvidence TypeJurisdictionConfidence GradePaysolo O.O.D.Public corporate entity behind Paysolo.ioWebsite disclosureBulgariaConfirmedpaysolo.ioCorporate / product sitePublic websiteBulgariaConfirmedpaysolo.net“PaySolo – Your payment partner” gateway sitePublic web pageUnclearIndicatedopenbanking.paysolo.netOpen-banking gatewayLive endpoint + SimilarWeb dataUnclearCorroboratedPagagate.comReferrer into Paysolo gatewaySimilarWeb screenshotUnknownCorroboratedUrbenics.comCasino-facing gateway and Paysolo feederSimilarWeb screenshotUnknownCorroboratedoba.revolut.comDominant outgoing destination from Paysolo gatewaySimilarWeb screenshotUK / EEACorroboratedOffshore casino domainsSource environmentSimilarWeb screenshots / FinTelegram observationsOffshoreCorroborated Compliance Analysis 1. The Paysolo Setup Looks Like A Conversion Layer Paysolo’s public model — virtual IBANs, SEPA/SWIFT intake, fiat-to-crypto conversion, external wallet withdrawals — is exactly the kind of infrastructure that can be legitimate in ordinary crypto use, but highly sensitive when connected to gambling traffic. 2. Pagagate And Urbenics Create The Casino-Rail Context The uploaded screenshots show that Pagagate and Urbenics are not random referrers. Urbenics’ referring domains include multiple casino-style brands, and Pagagate’s outgoing traffic includes both openbanking.paysolo.net and aphrodite1.casino. That pattern suggests gateway-to-casino proximity. 3. Revolut Appears As The Downstream Bank API The most important technical signal is that oba.revolut.com reportedly accounts for 78.69% of outgoing traffic from openbanking.paysolo.net. That makes Revolut not merely one bank among many, but apparently the dominant outgoing destination in the observed SimilarWeb sample. 4. Open Banking May Weaken Merchant Transparency Traditional card acquiring has MCC codes, merchant descriptors, acquirer monitoring, chargeback patterns, and gambling-blocking logic. Open-banking chains can be more opaque if the bank sees a customer-authorised transfer but not the full upstream commercial context. That is why the Paysolo case is important: it shows how an offshore casino user journey may be transformed into an open-banking or fiat-to-crypto transaction before hitting the bank layer. Open Questions To Paysolo Is Paysolo O.O.D. the legal operator of paysolo.net and openbanking.paysolo.net? What is the relationship between Paysolo O.O.D., Paysolo Ltd., Newtech Mobile, and any PaySolo-branded gateway domains? Does Paysolo provide services to Pagagate.com or Urbenics.com? Does Paysolo onboard or process flows for online casinos, betting sites, affiliate networks, or gambling-related gateways? Does Paysolo classify Pagagate and Urbenics as high-risk merchants or technical partners? Does Paysolo screen upstream domains before processing open-banking or vIBAN transactions? How many transactions in March 2026 originated from Pagagate and Urbenics? Does Paysolo pass merchant-origin information to Revolut or other downstream banks? Are fiat-to-crypto conversions allowed when the source transaction originates from gambling-related activity? Has Paysolo filed suspicious-activity reports or blocked transactions connected to casino gateways? Open Questions To Revolut Does Revolut monitor openbanking.paysolo.net as a high-risk open-banking counterparty? Does Revolut receive upstream origin data showing whether payments originate from Pagagate, Urbenics, or casino domains? Does Revolut classify Paysolo-related flows as crypto, open banking, gambling, merchant payment, or account-to-account transfer? Has Revolut restricted, reviewed, or reported any flows involving Paysolo, Pagagate, or Urbenics? Does Revolut’s gambling-blocking logic cover open-banking payments routed through VASP or vIBAN intermediaries? Conclusion The Paysolo case provides the first concrete follow-up node in FinTelegram’s Revolut Rail Atlas. The apparent structure is simple but powerful: anonymous casino-facing gateways feed into openbanking.paysolo.net; Paysolo’s gateway then sends most visible outgoing traffic to Revolut’s Open Banking API. This does not prove that Paysolo or Revolut knowingly facilitate illegal gambling. But it demonstrates the precise compliance risk FinTelegram has warned about: multi-layered open-banking rails can transform casino-originated money flows into bank/API traffic that may appear cleaner than the underlying transaction reality. For regulators, the issue is clear: open banking must not become the new blind spot for illegal gambling and crypto conversion rails. Whistle42 Call FinTelegram invites payment insiders, Paysolo users, Revolut compliance staff, casino operators, open-banking providers, gateway developers, and affected players to submit information confidentially via Whistle42. We are especially interested in API logs, merchant contracts, settlement records, payment descriptors, screenshots, VASP onboarding files, Revolut transaction records, and internal risk alerts involving Paysolo, Pagagate, Urbenics, or casino-linked open-banking flows. Share Information via Whistle42

FinTelegram’s Rail Atlas analysis have repeatedly observed Revolut’s Open Banking endpoint inside layered offshore casino payment flows. The pattern appears to combine anonymous gateways, open-banking intermediaries, and Revolut’s own customer-side payment infrastructure. This does not prove knowing facilitation by Revolut — but it raises serious questions about monitoring, merchant transparency, and whether casino-related flows have become a hidden growth vector inside one of Europe’s fastest-growing fintech platforms. Key Findings Revolut appears repeatedly in observed casino payment paths. FinTelegram has reviewed multiple offshore casino rails where deposits route toward oba.revolut.com, often through intermediary open-banking layers. The rail structure is layered by design. Typical pattern: casino site → anonymous gateway → open-banking provider → bank/open-banking API. Contiant traffic is a red flag. The uploaded SimilarWeb screenshots show Contiant traffic heavily concentrated in the Netherlands, with casino domains among top referrals and oba.revolut.com among top outgoing destinations. Revolut itself recognises gambling-payment risk. Revolut states that some European countries require it to block payments to and from illegal gambling providers, and that it enforces regulator lists where applicable. Revolut Business terms prohibit gambling activity. Revolut’s UK Business Terms list “binary options or gambling” among prohibited business activities. Annual accounts do not disclose iGaming exposure directly. Revolut’s 2025 annual report shows explosive growth in customers, transaction volume, payments revenue, payment acceptance, and Revolut Business — but no specific casino/iGaming segmentation. Financial-crime risk is acknowledged. Revolut’s 2025 report states that its systems analysed over 10 billion transactions and that more than one-third of its workforce works in Financial Crime Prevention. Rail Map: The Observed Casino Payment Flow FinTelegram’s working model is as follows: Player → Offshore casino → anonymous payment gateway → open-banking intermediary → Revolut Open Banking endpoint → player’s Revolut account Observed or reported rail elements include: LayerExamplesCompliance relevanceCasino front-endSkyhills, Epicbet, Wizebets, Spacehills and others shown in traffic referralsUnlicensed/offshore iGaming exposureFirst-hop gatewaysecurepayins.com, urbenics, casino-branded gateway pagesMerchant opacity / transaction laundering riskOpen-banking layerContiant, Yapily Connect, Perspecteev, SaltEdgePayment initiation / routing layerBank/API endpointoba.revolut.comRevolut-side account/payment infrastructure The key compliance issue is not simply that a Revolut customer may gamble. The issue is whether repeated, structured, high-volume flows through Revolut-linked open-banking infrastructure indicate a recognisable casino payment corridor that should trigger enhanced monitoring, blocking, reporting, or regulatory review. Revolut’s Role in the Observed Rails Revolut’s Open Banking API is described by Revolut as the gateway for third-party providers to interact with Revolut customers and products, including account information and payment initiation. This matters because the observed casino rails do not always appear as simple card payments to a gambling merchant. Instead, the flows appear to use open-banking payment initiation and intermediate gateway domains. That structure can make merchant identification harder and can blur whether the transaction is seen as gambling, generic account-to-account transfer, gateway payment, or customer-authorised payment. Revolut cannot be accused, on the basis of this evidence alone, of knowingly facilitating illegal gambling. But the repeated appearance of oba.revolut.com in offshore casino rail analysis creates a serious compliance question: does Revolut’s monitoring framework identify the upstream casino context when payments arrive through third-party open-banking layers? The Open Banking Layer: Contiant, Yapily, Perspecteev, SaltEdge Similarweb statistics on Contiant Contiant is a Bulgarian open banking infrastructure provide. Contiant SimilarWeb screenshots show a highly concentrated traffic profile. In March 2026, Contiant traffic was reportedly 93.21% Netherlands, with Germany, Norway, the UK, and France far behind. The referral screenshot shows casino domains as top referrers, including skyhills.com, epicbet.com, wizebets.com, and spacehills.com. The outgoing-traffic screenshot shows bank destinations including KBC, Rabobank, ING, SNS Bank, and oba.revolut.com. This is not proof of illegality by Contiant or Revolut. It is, however, a strong traffic-intelligence indicator that Contiant functions as a casino-facing open-banking routing layer, with Revolut among the destination banks offered to players. Read our Contiant reports here. Traffic Intelligence: What the SimilarWeb Data Suggests FinTelegram’s working interpretation: ObservationInterpretationConfidenceContiant referrals dominated by casino domainsContiant appears materially exposed to casino payment trafficCorroborated by screenshotNetherlands accounts for over 93% of Contiant trafficDutch player market appears central to this railCorroborated by screenshotoba.revolut.com appears among top outgoing linksRevolut Open Banking is part of the downstream railCorroborated by screenshotSimilarWeb reportedly shows over 1.1m visits to oba.revolut.com in March 2026Revolut Open Banking has significant traffic scaleFinTelegram-held traffic dataAnonymous first-hop gateways appear before open-banking providersLayering may obscure merchant contextWorking hypothesis Traffic analytics should be treated as intelligence, not final evidence. They show directionality, referrals, and routing patterns — not necessarily contractual relationships, settlement flows, or regulatory responsibility. Financial Statement Angle: Can iGaming Exposure Be Seen in Revolut’s Accounts? Directly: no. Indirectly: possibly. Revolut’s 2025 annual report does not disclose gambling, iGaming, casino, MCC 7995, or high-risk merchant exposure as a standalone segment. However, the report contains several data points relevant to the Rail Atlas hypothesis: Retail customers rose to 68.3 million, and retail transaction volume reached £986 billion in 2025. Business customers reached 767,000, and business transaction volume reached £277 billion. Revenue increased to £4.5 billion, with card payments the largest revenue stream at 22.2% of total revenue. Revolut Business accounted for 16% of total income, while payment acceptance volumes increased 228% year-on-year. Revolut states that financial crime risk includes the risk that its products and services are used to facilitate illegal activity, and that failures may lead to enforcement action, fines, restrictions, or reputational damage. The financial statements therefore do not prove iGaming dependence. But they do show a company whose growth is heavily driven by transaction volume, payment acceptance, business accounts, open banking, and high-frequency customer usage. If offshore casino flows are material, they would likely be buried inside broader payment, account-to-account, card, or business-payment categories. Regulatory Context Revolut’s own help pages acknowledge that some European countries require it to block transactions to and from illegal gambling providers, and that regulators publish licensed or unlicensed gambling-provider lists which Revolut enforces where applicable. This is critical. Revolut is not blind to the category. It recognises that illegal gambling payments are a regulated payment-risk domain. The compliance challenge is whether open-banking layering allows casino payments to bypass conventional merchant-category detection. Norway is especially relevant. Public reporting and legal materials describe Norway’s payment transaction ban as requiring banks and financial institutions to block payments connected with unlicensed gambling operators. FinTelegram has separately reported on the alleged use of Revolut as an “entry wallet” in Norwegian offshore gambling flows. Compliance Assessment FinTelegram’s initial assessment is that Revolut should be expected to monitor at least five risk layers: Known casino domains feeding open-banking intermediaries. Repeated customer deposits to offshore casino-linked gateways. Open-banking payment initiation patterns involving high-risk gateway domains. Geographic concentration in regulated or restricted gambling markets, including the Netherlands and Norway. Mismatch between apparent merchant/gateway descriptors and underlying gambling activity. The core issue is not only MCC 7995. Open banking may not always present the same clean merchant-category indicators as card acquiring. That is precisely why layered rails create a compliance blind spot. Evidence & Confidence Table Entity / Rail ElementObserved RoleEvidence TypeJurisdictionConfidence GradeRevolut / oba.revolut.comDownstream open-banking endpointTraffic analysis, rail observationsUK / EEACorroboratedContiantOpen-banking intermediarySimilarWeb screenshotsBulgaria / Netherlands-facing trafficCorroboratedYapily ConnectOpen-banking layerFinTelegram rail observationsUK / EEACorroboratedPerspecteev / SaltEdgeOpen-banking / data layerFinTelegram rail observationsFR / EEACorroboratedsecurepayins.comAnonymous gatewayFinTelegram observationsUnknownCorroboratedurbenicsAnonymous gatewayFinTelegram observationsUnknownCorroboratedOffshore casino brandsOriginating merchantsCasino-site payment testing / traffic dataOffshoreCorroborated Open Questions to Revolut Does Revolut monitor oba.revolut.com traffic for upstream casino or gambling-originated payment flows? Does Revolut classify payments initiated through Contiant, Yapily, Perspecteev, or SaltEdge differently from direct card gambling payments? Does Revolut maintain a list of casino-linked gateway domains such as securepayins.com or urbenics? How does Revolut determine whether an open-banking payment is connected to an illegal gambling operator? Has Revolut identified Contiant as a high-risk open-banking traffic source? How many Revolut customer accounts were restricted or closed in 2025 for gambling-related or casino-payment activity? Does Revolut report suspicious casino-related payment patterns to FIUs or gambling regulators? Does Revolut’s financial-crime monitoring include merchant-domain intelligence and referral-chain analysis? Has Revolut received inquiries from Norwegian, Dutch, UK, Lithuanian, or other EU regulators about offshore gambling payment flows? Does Revolut consider casino-related open-banking traffic a material compliance risk? Conclusion This initial Rail Atlas report does not allege that Revolut knowingly enables illegal gambling. It establishes a more precise and regulator-relevant point: Revolut’s Open Banking infrastructure appears repeatedly in observed offshore casino payment paths, often after multiple layers of anonymous gateways and open-banking intermediaries. That pattern deserves scrutiny. Revolut’s own public materials show that it recognises gambling-payment restrictions and invests heavily in financial-crime prevention. Yet the observed rails suggest that open-banking structures may create a new form of transaction-laundering risk: not by hiding money entirely, but by hiding the commercial context of the payment. The next Rail Atlas installments should focus on the individual rail components — Contiant, Yapily Connect, Perspecteev/SaltEdge, securepayins.com, urbenics, and the casino brands feeding those rails. Whistle42 Call FinTelegram invites Revolut insiders, open-banking providers, casino payment agents, compliance officers, payment processors, affected players, and whistleblowers to submit confidential information through the Whistle42 platform. We are especially interested in payment descriptors, gateway contracts, merchant onboarding files, compliance alerts, blocked-payment records, and internal risk assessments relating to offshore casino flows. Share Information via Whistle42

JET Bank was sold to the public as Albania’s first digital bank. But in Albania, the launch quickly turned into a scandal after media reports and political voices began questioning who really stands behind the bank’s Dutch-Cypriot-Israeli ownership maze — and whether the project could be linked to the wider ecosystem around convicted scam mastermind Gal Barak. Against that backdrop, FinTelegram reviewed the case through the lens of its long-running investigations into Barak, Gery Shalon, and the Israeli cybercrime architecture that has repeatedly surfaced across Europe. The result is a troubling picture of opaque structures, high-risk names, and unresolved control questions — even if direct Barak or Shalon ownership of Jet Bank is still unproven on the current public record. Key Findings JET Bank is licensed and live in Albania’s regulated banking perimeter. The Bank of Albania granted preliminary approval in December 2025 and approved the banking licence in March 2026; Jet Bank now appears on the official list of licensed banks. The bank is officially presented as Albania’s first fully digital bank and is marketed through the jet.bank domain as a mobile-native, app-based bank. Jet’s own site and partner Backbase both state that it is owned by Jet Holding B.V., Amsterdam. The upstream ownership structure is Israeli/Cypriot in character. Monitor and Albeu report that Jet Holdings is controlled through a six-shareholder cap table led by Constador Ltd. of Cyprus at about 71.5%, with the remaining stakes held by Israeli companies. Both outlets report that Idan Avishai, a British-Israeli national, is the sole shareholder of Constador and previously controlled Jet Albania. Jet Albania, the precursor vehicle, was 100% owned by Idan Avishai. An Albanian corporate record shows Jet Albania was founded in July 2025, initially 100% owned by Avishai, with later governance roles for Fatbardha Rino, Oliver Hemmer, and Rami Solomon. Oliver Hemmer’s link to 4XFX is documentary, not speculative. A GRF Europe OÜ filing shows Hemmer was sole shareholder and board member; the FCA said 4XFX was “owned and operated” by GRF Europe OÜ; a business agreement shows Hemmer signing on behalf of GRF Europe OÜ in a 4XFX marketing/funds arrangement with Rapid Bo Pty Ltd. What is not proved on the public record is the most explosive allegation: that Gal Barak or Gery Shalon are direct or beneficial owners of Jet Bank. Albanian media report rumors and network allegations; FinTelegram has intelligence pointing in that direction; but the current public-source record does not prove operational control by either man. Compliance Analysis 1. What JET Bank is JET Bank (Jet.Bank) is a newly licensed Albanian bank positioned as the country’s first 100% digital bank. The Bank of Albania granted preliminary approval on 3 December 2025 and the full banking licence on 25 March 2026, explicitly under Law No. 9662/2006 “On Banks in the Republic of Albania” and the central bank’s licensing regulation for banks and branches of foreign banks. The Bank of Albania’s supervisory framework says banks operate under a system of laws, regulations, guidelines, and orders aligned with Basel and EU standards. Jet Bank’s own site says it offers always-on digital financial services and markets itself through jet.bank, with additional visible endpoints such as jobs.jet.bank, a waiting-list flow, referral program, FAQ, and contact pages. Its technology partner Backbase says Jet is an app-based, mobile-native bank and explicitly identifies ownership by Jet Holding B.V., Amsterdam. 2. Who’s Who Behind Jet Bank? JET Bank is presented as Albania’s first fully digital bank. But behind the sleek app-first image sits a layered ownership structure that points not to a classic Albanian banking story, but to an Israeli-led project routed through Amsterdam and Cyprus. At the center of the structure is Jet Holding B.V. in Amsterdam, the Dutch vehicle sitting above the Albanian bank. The dominant shareholder in this holding is Constador Ltd., a Cyprus company reported to hold roughly 71.5%. According to Albanian reporting, Constador’s sole shareholder is Idan Avishai, an Israeli-British businessman who also founded and initially controlled Jet Albania, the precursor vehicle for the bank. Around this core sits a cluster of additional Israeli holding vehicles, including Don Albania Holdings Ltd., Ori Eyal Ltd., Yebogogo Ltd., Nathan Lawrence Ltd., and Israel Albania Holding Ltd. Taken together, the cap table gives Jet Bank the unmistakable appearance of an Israeli banking venture planted in Albania through a multi-tier offshore-friendly structure. Dutch banking technology provider Backbase has been selected to power the launch of Albania’s first digital-only bank, Jet Bank.  In plain language: Jet Bank is licensed in Albania, but the real story is upstream — in Amsterdam, Limassol, and the Israeli shareholder layer behind the façade. Here is a clean summary table: Entity / IndividualTypeJurisdictionRoleKey Connections / RelevanceJET Bank sh.a.BankAlbaniaNewly licensed digital bankLicensed by the Bank of Albania in March 2026; publicly presented as Albania’s first fully digital bank.Jet Albania sh.a.Company / precursor vehicleAlbaniaPrecursor entity used to prepare the bank projectReported as the original Albanian vehicle before the structure was shifted upstream to Amsterdam; earlier controlled by Idan Avishai.Jet Holding B.V. / Jet Holdings B.V.Holding companyNetherlands (Amsterdam)Upstream holding company of the bank projectPublic reporting and partner materials place this Dutch vehicle above Jet Bank in the ownership chain.Constador Ltd.Holding companyCyprus (Limassol)Majority shareholder of Jet HoldingsReported to hold about 71.5% of the Dutch holding; central vehicle in the ownership structure.Idan AvishaiIndividualIsrael / UK / Cyprus-linked structureFounder / key shareholder figure;Reported as the sole shareholder of Constador Ltd; Online‑trading and igaming entrepreneurDon Albania Holdings Ltd.Holding companyIsraelMinority shareholder in Jet HoldingsReported shareholder in the Dutch cap table.Ori Eyal Ltd.Holding companyIsraelMinority shareholder in Jet HoldingsReported shareholder in the Dutch cap table.Yebogogo Ltd.Holding companyIsraelMinority shareholder in Jet HoldingsReported shareholder in the Dutch cap table.Nathan Lawrence Ltd.Holding companyIsraelMinority shareholder in Jet HoldingsReported shareholder in the Dutch cap table.Israel Albania Holding Ltd.Holding companyIsraelMinority shareholder in Jet HoldingsReported shareholder in the Dutch cap table; reinforces the Israeli character of the project.Fatbardha RinoIndividual(LinkedIn)AlbaniaPublic-facing banking executive / managerAppears in Albanian reporting and Jet-facing material as a key management figure in the Albanian operation.Oliver HemmerIndividualLiechtenstein / Germany-linked / Estonia-linkedJet Bank board member; officer of controlling Constador Ltd; separately linked to 4XFX operator GRF Europe OÜAppeared in Jet Albania governance reporting; documentary record shows he was sole shareholder and board member of GRF Europe OÜ.Rami SolomonIndividualIsrael-linkedJet-related governance figureAppears in Albanian reporting on the Jet structure; public profile remains limited.GRF Europe OÜCompany(deleted)EstoniaOperator of 4XFXThe FCA said 4XFX was owned and operated by GRF Europe OÜ; 2018 filing shows Oliver Hemmer as sole shareholder. (FCA warning)4XFXBroker platform / scam schemeCross-borderUnauthorised broker operationWarned against by the FCA and CNMV; linked through GRF Europe OÜ and Hemmer. (FCA warning) (CNMV warning PDF)Gal BarakIndividualIsrael / Bulgaria-linked scam ecosystemConvicted cybercrime figureAlbanian media and investigative reporting raise rumors of a Jet Bank connection, but the currently verified public record does not prove he beneficially owns or controls Jet Bank.Gery ShalonIndividualIsraeli cybercrime ecosystemHistoric cybercrime figureFinTelegram intelligence points to possible relevance, but the currently verified public record does not prove he beneficially owns or controls Jet Bank. 3. The Amsterdam-Cyprus-Israel holding maze This is the core compliance story. Monitor and Albeu describe a multi-tier structure in which the Albanian bank is controlled upstream by Jet Holdings in the Netherlands, while the real economic weight sits behind Cyprus and Israeli entities. The reported six-shareholder structure of Jet Holdings is: Constador Ltd. (Cyprus) – approx. 71.5% Don Albania Holdings Ltd. (Israel) – approx. 3.7% Ori Eyal Ltd. (Israel) – approx. 2.6% Yebogogo Ltd. (Israel) – approx. 4.9% Nathan Lawrence Ltd. (Israel) – approx. 4.9% Israel Albania Holding Ltd. (Israel) – approx. 12.4%. Both Monitor and Albeu say Constador’s sole shareholder is Idan Avishai, who also previously controlled Jet Albania. In practical terms, the structure looks less like a conventional domestic Albanian bank formation and more like an Israeli-led project implanted in Albania through a Dutch holding layer and a dominant Cyprus vehicle. That is not unlawful by itself. But it is exactly the kind of structure that should attract enhanced scrutiny on ultimate beneficial ownership, fit-and-proper checks, source of funds, source of wealth, and related-party influence. A further point: Albeu says Jet Holdings was founded only in September 2025 with paid-up capital of €50,000, while Balkanweb reports that by March 2026 the Albanian operation had completed a capital injection of 1.06 billion lek and that questions were being raised about the minimum capital and source-of-funds review. Those facts do not prove impropriety, but they do sharpen the question: who really stands behind the bank financially and operationally? 4. Why Albania is strategically attractive Albania’s attraction is structural. It is a non-EU jurisdiction with an officially domestic currency, the lek, but both the Bank of Albania and the ECB describe Albania as a country with substantial unofficial euroisation and broad public use of foreign currency, especially the euro. The Bank of Albania even has a formal de-euroization policy framework because foreign currency is widely used in transactions and in the financial system. That combination matters. Albania is close to the EU, tied economically to the euro area, but outside the EU’s institutional perimeter. For legitimate entrepreneurs, that can be an opportunity. For aggressive or high-risk operators, it can also be a jurisdictional edge: EU-adjacent, euro-exposed, but not inside the bloc. That does not make Albania “lax” as a proven fact; the Bank of Albania’s formal framework is robust on paper and aligned with EU/Basel norms. But it does help explain why a multi-jurisdictional, Israeli-linked digital-banking project might see Albania as a strategically useful launchpad. 5. Activities and business model JET Bank presents itself as a digital-only retail bank built around app delivery, simplified onboarding, and customer control. Public materials do not yet show a broad disclosed product set comparable to a mature universal bank, but the positioning is clearly toward app-based banking rather than traditional branch banking. Backbase says the bank was built rapidly with implementation partners and that the go-live focus is on digital customer experience and rollout discipline. Jet’s own site emphasizes ease, speed, and accessibility. The immediate compliance issue is not the digital model itself. The issue is that a newly licensed, digital-only bank can scale fast, onboard remotely, and intermediate euro-linked customer flows in a jurisdiction already wrestling with unofficial euroisation. In that setting, ownership transparency and governance pedigree matter even more, not less. 6. The Albanian media allegations: Gal Barak, Gery Shalon, and the rumor perimeter Albanian media have pushed the story hard. Albeu, Balkanweb, Ora News, Pamfleti and others have highlighted the shareholder opacity, the Israeli character of the project, the role of Idan Avishai, and the presence of Oliver Hemmer in the early structure. Some of those reports go further and float rumors or suspicions about links to Gal Barak and the wider Israeli online-trading/fraud ecosystem. At this point, the defensible line is: There is a serious network-risk story. There is not yet public proof that Gal Barak or Gery Shalon beneficially own or control JET Bank. That distinction is critical. The current public record establishes an Israeli/Cypriot/Dutch ownership architecture, a founder linked in Albanian media to the online-trading sector, and a governance trail that includes Oliver Hemmer. It does not yet establish Barak or Shalon control as a proved fact. The Barak/Shalon thesis remains an investigative hypothesis requiring insider material, registry documents, or case-file evidence. 7. Oliver Hemmer & The Questionable Legacy The role of Oliver Hemmer has become one of the most sensitive aspects of the Jet Bank controversy because public records place him inside the corporate perimeter of the structure while documentary evidence separately links him to the operation of the unauthorised 4XFX broker platform. That combination does not by itself prove control over Jet Bank, but it creates a serious fit-and-proper and transparency issue. Official Role in Constador and the Jet Structure Public Cyprus company-data sources list Oliver Hemmer in the officer structure of Constador Ltd. (HE 478734), including as director and secretary, although those sources also warn that current status should be confirmed through a full registry report. Constador is the Cyprus company reported by Albanian media to hold about 71.5% of Jet Holding B.V. in Amsterdam, the Dutch holding vehicle publicly identified in connection with Jet Bank’s ownership chain. Albanian political and media reporting also says Hemmer appeared in the early Jet Albania governance documents as a founding managerial figure. Why Hemmer Is a Red-Flag Figure Hemmer is controversial not because his role at Jet Bank has been proved as controlling, but because he appears to be more than a stray administrative name. Albanian reporting and FinTelegram’s analysis both treat him as a significant figure in the wider ownership perimeter. Jet Bank has reportedly sought to minimize his relevance by presenting him as an early administrative or registration-side participant rather than an operational decision-maker. Even on that narrower version, however, Hemmer’s presence remains highly sensitive given his documented history. The 4XFX / GRF Europe OÜ LinScam Legacy The strongest evidence concerns GRF Europe OÜ. The UK FCA warned that 4XFX was “owned and operated” by GRF Europe OÜ. A 2018 GRF Europe OÜ filing shows Oliver Hemmer as the company’s sole shareholder and management board member. A further business agreement from the criminal files shows Hemmer signing on behalf of GRF Europe OÜ in a 2019 arrangement under which Rapid Bo Pty Ltd would market 4XFX, receive client funds, deduct a fee, and remit the balance to GRF Europe OÜ. That is not passive paperwork; it is documentary evidence of an active operational role in the 4XFX scheme. Download the X4FX Business Operating Agreement The Wider Online-Trading Connection Public Cyprus registry-style sources also associate Oliver Hemmer with Fortrade Cyprus Ltd., adding to the picture of his proximity to the offshore online-trading sector. Albanian reporting has used these overlaps to argue that Jet Bank’s shareholder structure should be examined through the lens of the same high-risk trading environment that previously spread through Cyprus, Bulgaria, Serbia, and other Balkan-adjacent jurisdictions. What remains important, however, is to distinguish between documented overlap and proved beneficial control. The Bottom Line At this stage, the defensible conclusion is not that Hemmer has been proved to control Jet Bank. It is that Hemmer is a material red-flag figure inside the Jet / Constador perimeter because public records place him in the corporate chain while independent documentary evidence places him at the center of GRF Europe OÜ / 4XFX. For regulators, journalists, and counterparties, that is already enough to justify close scrutiny of source of funds, ultimate beneficial ownership, and fit-and-proper vetting. 8. Barak, Shalon & Fortrade: what is known, what is not Gal Barak was convicted in Austria in 2020 and sentenced to four years in prison for fraud and money laundering tied to the wider scam-broker environment. Multiple reporting sources describe the broader operation as causing losses running into the hundreds of millions of euros. His partner and principal, Gery Shalon, was separately charged in the U.S. in the massive JPMorgan hacking case and is widely described as a key figure in the Israeli cybercrime underworld. Read our reports on Gal Barak here. Even thought the Albanian media connects Jet Bank with the Shalon/Barak scheme, the jump from that background to “Barak and Shalon are behind Jet Bank” is still not proven by the public record reviewed here. What can responsibly be said is this: the regional pattern is real: Israeli fraud, payments, and online-trading actors have repThere is a direct link, via the Israeli-British owners Idan Avishai and Oliver Hemmer, to the broker Schema Fortrade, which has already attracted attention due to numerous regulatory penalties and issues. FinTelegram has reported regularly on ForTrade. JET Bank’s ownership and governance perimeter overlaps with that wider environment in worrying ways, especially through Hemmer and the reported trading-sector background around Avishai; but direct Barak/Shalon control remains an allegation requiring more evidence. Read our Fortrade reports here. Conclusion JET Bank is not a rumor. It is a real, licensed Albanian bank operating under the Bank of Albania’s formal regulatory umbrella. That is exactly why the ownership story matters so much. Behind the “first digital bank” narrative sits a structure that looks unmistakably like an Israeli-led Albania project routed through Amsterdam and Cyprus, with Idan Avishai at the center of the documented chain and Oliver Hemmer appearing in the governance perimeter despite his documented role in GRF Europe OÜ / 4XFX. That does not yet prove that Gal Barak or Gery Shalon own or control the bank. But it does create a serious enough smoke pattern to justify scrutiny by regulators, counterparties, correspondent institutions, journalists, and financial-crime investigators. In other words: the scandal is already real, even if the final control map is not yet complete. Call to Whistleblowers Do you know who really funds or controls JET Bank, Jet Holding B.V., Constador Ltd., or the Israeli vehicles behind the structure?Do you have internal material on source of funds, fit-and-proper checks, compliance onboarding, correspondent banking, technology vendors, or the roles of Idan Avishai, Oliver Hemmer, Rami Solomon, or any intermediaries tied to the bank? FinTelegram invites insiders, regulators, compliance professionals, former staff, vendors, and affected counterparties to submit information via Whistle42. Confidential material on Jet Bank’s ownership, governance, or regulatory vetting could be decisive. Share Information via Whistle42

In 2022, FinTelegram warned that MetaTrader’s publisher MetaQuotes sat inside a Cyprus structure with Russian roots, huge market reach, and unresolved beneficial-ownership questions beyond founder and CEO Renat Fatkhullin. In 2026, that concern looks even more relevant. But the stronger compliance angle is no longer the broad slogan of “Russian control.” The sharper question is whether MetaQuotes, Raritex, and Sumsub belong to a wider Cyprus control orbit linking trading software and KYC infrastructure through funding ties, historic control rights, and only partly transparent ownership. Key Findings FinTelegram’s 2022 reporting identified MetaQuotes as the Cyprus-based publisher behind MetaTrader and expressly noted that the beneficial owners of the MetaQuotes Group beyond Renat Fatkhullin were not known. FinTelegram’s September 2022 follow-up tied MetaTrader to pig-butchering and scam-broker concerns and argued that the platform’s compliance relevance went far beyond ordinary software publishing. MetaQuotes publicly announced in September 2020 that it led Sumsub’s $6 million Series A funding round. Sumsub’s current privacy notice still lists Raritex Trade Ltd among the Cyprus entities in the Sumsub group footprint. UK Companies House shows that Raritex Trade Ltd ceased as PSC of Sum and Substance Ltd on 2 October 2023, and that Andrey Severyukhin, Yakov Sever (Severyukhin), and Peter Sever (Severyukhin) are now the active persons with significant control. The Big Compliance Question FinTelegram warned years ago that the MetaTrader story was never just about software. MetaTrader became dominant infrastructure in speculative retail trading. It was used by thousands of brokers and millions of traders worldwide. At the same time, it became deeply embedded in the scam-broker economy. That was the real issue in 2022. And it is still the real issue now. Back then, FinTelegram focused on MetaQuotes as a Cyprus-based structure with Russian roots and explicitly noted that the beneficial owners beyond Renat Fatkhullin were not known. That old instinct still looks right. But in 2026, the stronger story is no longer merely nationality. It is beneficial ownership, control migration, and Cyprus opacity. The Cyprus Web Behind MetaTrader And Sumsub This Was Never Just A Software Story MetaQuotes was never just another software publisher. It became core infrastructure in a fraud-exposed retail trading world. Scam brokers used it. Boiler-room operators relied on it. Pig-butchering actors benefited from the wider ecosystem built around it. That made the ownership question around MetaQuotes more than a corporate curiosity. It made it a compliance issue. The Old MetaQuotes Question Has Become A New Control-Chain Question The real 2026 story is no longer the old shorthand about “Russian control” with Renat Fatkhullin at the front. He is publicly associated with MetaQuotes and has long been described in reporting and industry profiles as Russian / from Russia, while operating from Cyprus. For the Sumsub side, public aterials describe Andrew/Andrey, Jacob/Jacov, and Peter Severyukhin as founders with Israeli nationality or origin with strong Russian connections. Thus, the sharper and more dangerous question is whether MetaQuotes, Raritex, and Sumsub sit inside the same wider Cyprus control orbit — one linking critical trading software to critical KYC infrastructure through funding ties, group affiliation, and shifting control disclosures. This is no longer abstract speculation. MetaQuotes itself announced that it led Sumsub’s $6 million Series A round in 2020. That single fact changes the frame. Once the publisher behind MetaTrader turns up as the lead investor in a KYC/AML vendor, the story stops being just a broker-tech problem. It becomes an infrastructure-and-governance problem. In plain English: the company behind one of the most fraud-exposed trading ecosystems publicly financed a company whose business is supposed to be trust, onboarding, and verification. Raritex Is The Pressure Point Raritex is the pressure point in this story because it refuses to disappear into the footnotes. Sumsub’s current privacy notice still lists Raritex Trade Ltd among the Cyprus entities in the group, alongside SUMSUB Tech Limited and SUMSUB LTD. That means Raritex is not just a historical shell. It is not just an activist talking point. Sumsub itself still places Raritex inside the group footprint. That matters. Because if Raritex remains embedded in the current disclosure structure, then the question is no longer whether there once was a connection. The question becomes: what exactly is Raritex’s current role, and how much of the real control architecture still runs through it or through the same people around it? The UK Filings Do Not Calm The Story The UK register does not reduce risk here. It raises fresh questions. Companies House shows that Raritex Trade Ltd was formerly the person with significant control over Sum and Substance Ltd, with 75% or more ownership of shares, 75% or more voting rights, and the right to appoint or remove directors, before ceasing on 2 October 2023. The same public record now shows Andrey (Sever) Severyukhin, Yakov (Sever) (Severyukhin), and Peter (Sever) (Severyukhin) as the active PSCs, all notified on 24 May 2024. That is not the kind of ownership trail that settles nerves. It is exactly the kind of trail that invites a second and much harder look. On paper, the structure moved from a corporate controller to named individuals. But in substance, the real compliance question is whether anything actually changed except the packaging. If the legal-entity controller disappears and people from the same orbit reappear directly as controllers, that looks less like separation and more like re-presentation. The Real Issue Is Opacity, Not Just Nationality This is why the old FinTelegram MetaQuotes framing needs updating rather than simply repeating. The archive was right to focus on MetaQuotes’ Russian roots, Cyprus incorporation, and central role in fraud-exposed retail trading. But the sharper 2026 point is not simply that MetaQuotes had Russian roots. The sharper point is that a Cyprus-based cluster now connects MetaQuotes, Raritex, and Sumsub through documented funding ties and group-level overlap, while ultimate control still remains only partly transparent. That is a stronger compliance story than the old geopolitical shorthand. Regulators, fintechs, exchanges, brokers, and banks do not just need to ask who founded these companies or where they came from. They need to ask who controls them now, who sits behind the key entities, and whether the public disclosures reflect the substance of power or merely the surface of it. Why This Ownership Pattern Creates A Serious Compliance Problem The real issue here is not where these individuals were born. The real issue is that critical KYC-verification infrastructure and fraud-exposed trading infrastructure may sit inside the same partly opaque Cyprus-routed control environment. FinTelegram’s own archive has long treated MetaTrader as infrastructure heavily exposed to scam-broker abuse, while MetaQuotes’ public 2020 announcement confirms a direct funding link into Sumsub, a major verification provider. That creates a concentration and dependency problem. Sumsub presents itself as a large-scale verification platform used across fintech, crypto, gaming, trading, and other high-risk sectors, and the World Economic Forum profile likewise describes it as a major identity-verification and fraud-prevention provider. When one vendor becomes close to market infrastructure in online onboarding, its ownership chain, governance model, and control disclosures stop being an internal corporate matter. They become a systemic compliance question. It also creates a data-sensitivity problem. A KYC vendor like Sumsub sits on some of the most abuse-sensitive information in the digital economy: identity documents, selfies, liveness checks, beneficial-owner data, and risk-screening context. At the same time, Sumsub’s own public materials show that Raritex still appears in its Cyprus group footprint, while the UK record shows a shift from Raritex as controller to named individuals as PSCs. Even without proving wrongdoing, that is exactly the kind of ownership-opacity pattern that should trigger deeper scrutiny from counterparties and regulators. There is also an ecosystem-conflict problem. MetaTrader is not a neutral piece of back-office plumbing in the FinTelegram archive; it is repeatedly described as infrastructure embedded in scam-broker and pig-butchering environments. If the publisher behind that ecosystem is publicly tied by investment to a verification vendor that now operates as near-standard compliance infrastructure, then the market has to ask whether too much trust is resting on too little transparency. Finally, this creates a substance-over-form problem. The public UK filings show that Raritex no longer sits as the named PSC, but the control position reappears through named individuals. That does not prove improper conduct. But it does raise the exact question good compliance teams are supposed to ask: did control really change, or did the presentation of control change? In a market where KYC data can be weaponized in secondary fraud, mule onboarding, account takeovers, and document recycling, that is not a theoretical concern. It is a live risk question. The scandal is not nationality — it is that de facto trust infrastructure may be sitting inside a control chain that is still too hard to map, while handling some of the most sensitive data in digital finance. Summary Table: Key Individuals, Entities, And Why They Matter EntityWhat it isVerified public linkWhy it mattersMetaQuotes LtdCyprus-based publisher behind MetaTraderFinTelegram’s 2022 archive identified MetaQuotes as the Cyprus entity behind MetaTrader and noted that beneficial ownership beyond Renat Fatkhullin was not known.Core trading infrastructure in a fraud-exposed ecosystem; ownership questions remain unresolved.MetaTraderTrading platform ecosystemFinTelegram described it as dominant in speculative retail trading and widely used by scam brokers.Explains why ownership and control around MetaQuotes are compliance-relevant.SumsubKYC/AML and onboarding vendorMetaQuotes publicly said it led Sumsub’s $6 million Series A round.Connects the MetaQuotes story to the compliance-verification world.Raritex Trade LtdCyprus entity within the Sumsub group footprintSumsub’s current privacy notice still lists Raritex Trade Ltd among the Cyprus entities in the group.The key bridge entity in the control-chain story.Sum and Substance LtdUK Sumsub-linked entityUK Companies House shows Raritex was the former PSC and later individual PSCs were filed.Public register where the control migration becomes visible.Renat FatkhullinFounder/CEO and visible key figure of MetaQuotesFinTelegram’s 2022 archive identified him as founder and CEO of MetaQuotes and stated that beneficial ownership beyond him was not known.He is the most visible MetaQuotes principal and the reference point for the unresolved question of who stands behind MetaQuotes beyond the public executive layer.Andrey (Sever) SeveryukhinCEO and Co-founder of Sumsub, Active PSC of Sum and Substance LtdListed by Companies House as active, notified 24 May 2024.Part of the named-controller layer that replaced Raritex on paper.Yakov (Sever) SeveryukhinActive PSC of Sum and Substance LtdListed by Companies House as active, notified 24 May 2024.Reinforces the shift from corporate controller to individuals.Peter (Sever) (Severyukhin)Active PSC of Sum and Substance LtdListed by Companies House as active, notified 24 May 2024.Completes the trio now visible in the UK control record.Vyacheslav ZholudevCo-founder and CTO of SumsubListed as co-founder and CTO on the Sumsub site. Important technical architect and public-facing leadership figure in the Sumsub environment; Proven MetaQuotes is the Cyprus-based publisher behind MetaTrader, and FinTelegram’s 2022 archive stated that the beneficial owners beyond Renat Fatkhullin were not known. MetaQuotes publicly announced that it led Sumsub’s $6 million Series A round. Sumsub’s current privacy notice still lists Raritex Trade Ltd among the Cyprus entities in the group footprint. Raritex ceased as PSC of Sum and Substance Ltd, and Andrey/Yakov/Peter Severyukhin are now listed as the active PSCs. Supported It is strongly supported that the stronger 2026 angle is a Cyprus control-chain story, not just a repetition of the older “Russian control” framing. It is also strongly supported that the key compliance issue is whether the apparent restructuring around the Sumsub/Raritex side represented a genuine change in control or merely a formal re-presentation of the same control nucleus. Unresolved Who are the current ultimate beneficial owners of MetaQuotes beyond the visible executive/director layer identified in FinTelegram’s archive? Does Raritex still directly hold shares in operating Sumsub entities such as Sumsub GmbH in Germany or other group companies? Do the same individuals who now appear as controllers on the Sumsub side also control Raritex in substance across the wider Cyprus structure? Is there a provable bridge from the Raritex/Sumsub orbit to ultimate control of MetaQuotes itself, or is the current public record limited to funding and affiliation links? Conclusion FinTelegram’s 2022 warning about MetaQuotes was right in instinct but incomplete in documentation. The real 2026 story is not simply that MetaTrader came out of a Russian-rooted Cyprus structure. The sharper and more defensible story is that a Cyprus-based control chain may connect MetaQuotes, Raritex, and Sumsub through funding, group affiliation, and shifting control disclosures that still leave ultimate beneficial ownership only partly transparent. That is already enough for a serious compliance red flag. It is also enough to justify a new generation of scrutiny from regulators, counterparties, and whistleblowers. Whistleblower Call If you have information about the beneficial owners, shareholders, nominee structures, Cyprus corporate records, internal due-diligence files, or group-control arrangements of MetaQuotes, Raritex, or Sumsub, contact FinTelegram securely via Whistle42. Shareholder extracts, board documents, beneficial-owner certificates, and investor agreements are especially relevant. Share Information via Whistle42

A new pressure campaign by Digital Defenders Group (DDG) founder Nivie Kaul is pushing past the usual wallet-tracing narrative in crypto scam cases. Instead of focusing only on who stole the money, Kaul is asking who sat behind the infrastructure: MetaQuotes as the MT4/MT5 platform provider, Raritex as a key ownership layer, and Sumsub as the KYC vendor inside the broader chain. The result is a messy and politically charged story involving the DOJ’s record $225.3 million seizure, Turkish-court allegations about payment flows to MetaQuotes, and awkward optics around Sumsub’s public support for anti-scam campaigner Erin West. Key Findings The U.S. DOJ said in June 2025 that it filed a civil forfeiture complaint against more than $225.3 million in cryptocurrency tied to crypto confidence scams and described it as the largest cryptocurrency seizure in U.S. Secret Service history. MetaQuotes publicly announced in September 2020 that it led Sumsub’s $6 million Series A funding round and also bought out the shares of Sumsub’s first investor, Flint Capital. UK Companies House shows that Raritex Trade Ltd ceased as a person with significant control on 2 October 2023, and on 24 May 2024 three individuals were notified as PSCs while the prior PSC statement was withdrawn. Kaul’s LinkedIn post alleges Turkish criminal proceedings documented 54 SWIFT payments totaling about $638,374 from a scam-network operator to MetaQuotes between December 2019 and March 2023, and further alleges MetaQuotes held a 25% stake in Raritex Trade Ltd. Sumsub publicly said it was “proud to support” Erin West’s investigation into the global scam economy, creating a clear optics problem once DDG began attacking Sumsub’s ownership and governance chain. UA.News adds a useful supporting frame: a KYC/AML vendor that helps clients identify beneficial ownership has itself become a due-diligence target because of ownership opacity and its public-control gap in the UK register. The Story Behind The Story At first glance, this looks like just another fight over seized scam proceeds. It is not. Kaul is trying to turn the DOJ’s celebrated seizure into a much broader infrastructure-liability story. The DOJ release is straightforward: federal authorities filed a forfeiture complaint against more than $225.3 million in crypto allegedly tied to a laundering network used in cryptocurrency confidence scams, with more than 400 suspected victims worldwide. But DDG’s intervention changes the frame. In her LinkedIn post, Kaul argues that victims should stop looking only at the visible scammer and start tracing the corporate stack behind the fraud economy. Her post says Turkish proceedings revealed 54 SWIFT payments totaling about $638,374 from a documented network operator to MetaQuotes between December 2019 and March 2023. She then connects MetaQuotes to Raritex and Raritex to Sumsub. That is the backbone of her thesis. The Hard Public Record The strongest documented part of this story is the MetaQuotes-Sumsub link. MetaQuotes itself announced in September 2020 that it led Sumsub’s $6 million Series A round. It also said it bought out the shares of Flint Capital, the first Sumsub investor. That is not rumor or activist spin. It is a public corporate statement from MetaQuotes. The second hard-record issue is the Raritex control history around Sum and Substance Ltd in the UK. Companies House shows a filing on 3 October 2023 recording the cessation of Raritex Trade Ltd as a person with significant control effective 2 October 2023. It also shows that on 24 May 2024 three individuals were notified as PSCs and the prior PSC statement was withdrawn. The Russian-Israeli Sever (Severiukhin) brothers are the founders and registered controllers of Sumsub’s UK entity and, through Andrew/Andrey Severyukhin’s position as director and key principal, exercise managerial control over Raritex Trade Ltd, the Cyprus vehicle that controlled Sumsub from 2019 to 2023. The ultimate beneficial ownership of Raritex remains opaque, with external sources indicating additional shareholders, including MetaQuotes and IIDF, via trust structures. That situation does not prove misconduct. But it does create a governance problem for a company whose commercial value rests on verifying identity, control, and ownership for others. UA.News puts the point in blunt terms: the verifier itself has become a verification problem. That is editorial language, but it is grounded in a real public-register anomaly. Where The DDG Case Turns Aggressive The most explosive part of Kaul’s narrative is also the part that still sits in the allegation bucket. Her post says Turkish criminal proceedings documented 54 SWIFT transfers totaling $638,374 to MetaQuotes and that MetaQuotes held a 25% stake in Raritex, recorded in its 2019 audited accounts. Those claims appear prominently in the post and in the accompanying infographic. Read more about Russian-controlled Metaquotes here. That is serious material. But the distinction matters: in the source set reviewed here, those underlying Turkish court documents and audited accounts were described, not independently inspected. So this is publishable as a major allegation advanced by DDG, but not yet as a conclusively established fact on the same level as the MetaQuotes funding announcement or the Companies House filings. Erin West And The Optics Problem Erin West is the founder of Operation Shamrock, a nonprofit anti-scam initiative that positions itself as a bridge between victims, law enforcement, and industry — which is precisely why Sumsub’s public support for her work has become a sensitive optics issue in DDG’s campaign. The Erin West angle is what makes this story politically potent. Sumsub publicly promoted West’s Cambodia-focused anti-scam work and said it was “proud to support” her investigation into the global scam economy. At the same time, Compliance Corylated reported that Kaul filed a verified claim in March 2026 arguing not only that she was an innocent owner, but the “original innocent owner,” and that she had already obtained a Turkish judicial seizure preserving the assets before U.S. action. Kaul says she reached wallet 0x82e by first obtaining a Turkish payment order as a fraud victim, then tracing her loss into what she describes as a key network wallet, and finally securing a Turkish criminal judicial seizure on 11 August 2023 that froze the wallet through Tether and, in her view, attached her enforcement interest to those assets. That contrast is exactly what DDG is exploiting. In simple terms: the victim-turned-investigator says she traced the infrastructure and moved early; a high-profile anti-scam advocate celebrated the U.S. seizure; and the advocate’s public campaign was supported by a KYC vendor whose ownership chain is now under scrutiny. Even without proof of misconduct by West or Sumsub, the optics are rough. Why UA.News Matters UA.News should not be treated as the cornerstone evidentiary source. But it is useful because it packages the story into a broader governance-risk critique. Its April 2026 piece ties together Sumsub’s security-incident history, investor opacity, the PSC gap, and the MetaQuotes-Raritex narrative. It also highlights Sumsub’s own 2022 statement that “the initial investors who had ties to Russia and retained minor stakes in our company have now left us,” using that to argue that Russian-exposed investors remained in the cap table until 2022. That does not prove geopolitical control. But it does support a narrower and more defensible point: Sumsub’s ownership history, investor base, and control disclosures deserve more scrutiny than a normal “trust vendor” would ideally invite. That makes UA.News a useful supporting source for the governance angle, even if some of its rhetoric runs hotter than the primary record supports. What Is Proven MetaQuotes publicly led Sumsub’s $6 million Series A round and bought out the first investor’s stake. The DOJ filed a forfeiture complaint against more than $225.3 million and described it as the largest cryptocurrency seizure in U.S. Secret Service history. Raritex ceased as a PSC of Sum and Substance Ltd effective 2 October 2023, and three individual PSC filings appeared on 24 May 2024 alongside withdrawal of the earlier PSC statement. Sumsub publicly supported Erin West’s anti-scam investigation. What Is Alleged Turkish criminal proceedings allegedly documented 54 SWIFT payments totaling about $638,374 from a scam-network operator to MetaQuotes. MetaQuotes allegedly held a 25% stake in Raritex Trade Ltd, described by Kaul as the holding company for the Sumsub group. The broader DDG thesis is that this payment and ownership chain places MetaQuotes, and indirectly the Sumsub chain, too close to the infrastructure behind MT4/MT5-linked fraud. What Needs Verification Next The Turkish court record and the underlying SWIFT documentation need to be reviewed directly. That is the evidentiary hinge of the most serious claim. The 2019 audited accounts allegedly showing MetaQuotes’ 25% Raritex stake also need direct inspection. The current Cyprus ownership chain around Raritex and the wider Sumsub structure should be confirmed through primary corporate documents, not just secondary reporting or social posts. Any operational evidence linking Sumsub directly to onboarding scam-linked actors would be a separate and much higher threshold than ownership overlap or sponsorship optics. Easy summary: who does what ActorSimple descriptionNivie Kaul (LinkedIn)/ DDG (LinkedIn)Says the real story is not just stolen crypto, but the corporate and platform infrastructure behind the scamsMetaQuotesMT4/MT5 software provider; verified investor in Sumsub; alleged recipient of scam-linked SWIFT paymentsRaritex Trade LtdOwnership/control layer sitting between MetaQuotes allegations and the Sumsub governance storySumsubSum and Substance LtdKYC/AML vendor; Backed by MetaQuotes in 2020; UK filings show prior Raritex control and later PSC changes; publicly supported Erin West’s scam-investigation contentErin West (LinkedIn)Operation Shamrock (LinkedIn)Founder of Operation Shamrock (link), which presents itself as a nonprofit, cross-border anti-scam initiative; Sumsub-backed content creates an optics conflict in DDG’s narrativeDOJ / USSSGovernment side of the seizure story Conclusion DDG’s campaign is effective because it mixes hard public-record facts, uncomfortable optics, and still-unproven but potentially explosive allegations into one coherent attack line. The public record already shows enough to justify a strong compliance red-flag briefing: MetaQuotes funded Sumsub, Raritex sat in the control chain, the UK PSC sequence looks awkward for a KYC vendor, and Sumsub publicly backed Erin West while DDG was building a competing victim-first narrative. What the public record does not yet prove is the decisive legal bridge from ownership opacity and bad optics to knowing facilitation of scam infrastructure. That bridge may yet emerge. For now, the story is strongest as a governance, transparency, and infrastructure-accountability report — and it could become much bigger if the Turkish records and audited accounts match DDG’s claims. Whistleblower Call If you have information about MetaQuotes, Raritex, Sumsub, MT4/MT5 scam infrastructure, or cross-border onboarding and payment flows linked to fraud networks, contact FinTelegram securely via Whistle42. Documentary evidence, internal compliance material, shareholder records, and vendor due-diligence files are especially relevant. Share Information via Whistle42

A growing body of indicators suggests that a cluster of outwardly separate online casino brands may be linked, directly or indirectly, to Zentoria Limited and a shared backend payments architecture. FinTelegram reviewed operator attributions, Irish licensing records, repeated payee clues, and live payment flows across multiple brands. The result is not yet a final legal attribution of the full network, but the hypothesis of a Zentoria-linked casino cluster with strong Cyprus-ties has become increasingly plausible. The rail evidence points to a common backend. And the recurring name Morada Horizon Services Limited adds a new payments-side lead that regulators should not ignore. Key Findings Multiple third-party gambling sources and whistleblower information identify Zentoria Limited as operator or owner of at least some relevant brands, including Roostino and BetRepublic (List.Casinos, Tribune.com). Ireland’s official register confirms that ZENTORIA LIMITED is a real holder of a Remote Bookmaker’s Licence, with trading-name references including SPINSOPOTAMIA.COM. Public review sources for Roostino identify Morada Horizon Services Limited as the payments-management entity and use Irish company number 781093. FinTelegram’s own testing indicates that BetRepublic, WestAce, Spinsy, Kingmaker, and GreenLuck share materially identical cashier logic and payment-rail configuration. Across the tested brands, Revolut deposits appear to converge on the same open-banking chain via Perspecteev / Salt Edge / Revolut OBA, while “Rapid” flows show the same payee fragment, “Morada Hor…”. The currently accessible terms and conditions on the tested brands appear highly similar while failing to clearly identify the responsible legal operator, which is itself a compliance red flag. Compliance Analysis 1. The central hypothesis: there is a Zentoria-linked casino cluster! The Zentoria hypothesis is no longer based only on public attribution sources. It is now supported by direct transactional evidence from live testing. Earlier screenshots already appeared to show Novaforge Ltd and later Zentoria Limited in a Payabl-linked environment associated with pay4.payabl.com, suggesting a possible merchant sequence or migration pattern in the same payments architecture. At least some Novaforge-related records appeared to show a statement-facing mismatch, while later Zentoria-linked records looked more transparent. Skill payment confirmation for a Spinsy deposit A fresh FinTelegram test deposit into Spinsy produced a transaction detail stating “Skrill card payment at zentoria limited”, with Dublin shown as the location. This matters because it moves the story beyond: third-party claims, look-and-feel similarity, and indirect operator speculation. It now shows that a live deposit into Spinsy, one of the casinos in the reviewed cluster, resolved to Zentoria Limited at the transaction-detail level. That does not yet prove the exact legal role of Zentoria in every case. It could reflect: the formal operator, the merchant of record, a collection or payment counterparty, or another affiliated commercial entity. Skrill payment confirmation for a Spinsy deposit with AXEGLE as named payee But from a compliance standpoint, the distinction does not reduce the significance of the finding. A live payment into Spinsy surfacing Zentoria Limited as the payee materially strengthens the hypothesis that Spinsy belongs to the same broader Zentoria-linked casino and payments cluster. A second FinTelegram test deposit into Spinsy surfaced a different payee descriptor, “AXEGLE,” with Doncaster shown as location. While FinTelegram has not yet been able to identify a verified legal entity behind that descriptor, the result suggests that Spinsy may be using multiple payment counterparties or merchant descriptors across separate rails. 2. Revolut, Perspecteev, Salt Edge, and the open-banking layer One of the most revealing patterns in the FinTelegram testing is the repeated routing of Revolut deposits through Perspecteev / SaltEdge / Revolut. That is not a trivial technical detail. It suggests a reusable open-banking deposit architecture deployed across multiple casino brands. If multiple supposedly independent casinos all push users through the same OBA path into Revolut, the same question arises every time: Who configured the payment path, and for whom? This does not, by itself, prove that Zentoria owns every brand in the cluster. But it does support the conclusion that these brands likely sit on a shared backend orchestration environment. Read our SaltEdge compliance report here. 4. The Morada Horizon clue is getting harder to ignore The repeated appearance of the truncated payee string “Morada Hor…” in the “Rapid” rail is particularly important. That fragment is highly consistent with Morada Horizon Services Limited. Public Roostino review pages identify Morada Horizon Services Limited, Irish entity founded in Feb 2025 with company number 781093, as the entity handling payment-processing or payment-management services. Tribuna’s Roostino sportsbook and casino reviews both make that attribution. We have also found Moreda acting as a payment agent at other casinos, such as Golisimoo casino, which has already been warned and banned in various jurisdictions. This does not yet prove that Morada Horizon handles payments for every brand in the cluster. But if the same payee fragment appears across Kingmaker, WestAce, BetRepublic, Roostino, and GreenLuck-style rails, then Morada Horizon becomes much more than a footnote. It becomes a serious payments-side lead that deserves focused scrutiny. The key compliance question is straightforward: if Morada Horizon appears across multiple brands’ payment flows, what exactly is its role — payment manager, settlement entity, merchant-of-record layer, or another service function in the cashier stack? 3. The Payabl Angle Recent screenshots shared with FinTelegram add a new and potentially important element to the Zentoria network hypothesis: they appear to show both Novaforge Ltd and later Zentoria Limited in a transaction environment linked to the Payabl subdomain pay4.payabl.com. Particularly notable is the apparent descriptor mismatch in the Novaforge-related screenshots, where the transaction is associated with Novaforge Ltd / pay4.payabl.com but reportedly appears on the statement layer as “APPLEPAY.” By contrast, later screenshots linked to Zentoria Limited appear more transparent, with ZENTORIA LIMITED shown as the statement-facing descriptor. At this stage, these screenshots do not prove misconduct by Payabl or establish who controlled the descriptor logic. They do, however, strengthen the view that Payabl may have sat directly in the payment flow connecting the earlier Novaforge and later Zentoria merchant phases, which makes its role in the wider rail architecture a relevant compliance question. 4. The legal-disclosure gap is itself a compliance signal The terms and conditions reviewed across these casinos appear strikingly similar, yet they reportedly fail to clearly identify the responsible operator. That is not a minor drafting flaw. For gambling compliance, payments transparency, chargeback handling, and AML accountability, the identity of the contracting and operating entity should not be obscured behind generic terms, vague branding, or recycled templates. If multiple casino brands share: near-identical T&Cs, identical cashier architecture, the same payment rails, the same open-banking chain, and the same payee clues, while failing to clearly identify the responsible operator, then the opacity itself becomes part of the compliance story. 5. What can be said safely — and what still needs proof At this stage, FinTelegram can safely say: a Zentoria-linked cluster hypothesis is plausible; Zentoria Limited is a real gambling-sector entity and is repeatedly named in third-party source material tied to relevant brands; Morada Horizon Services Limited is a real named payments-side entity that appears in public Roostino-related materials and is consistent with repeated payee fragments seen in tested flows; FinTelegram’s own testing strongly suggests a shared cashier and payments stack across BetRepublic, WestAce, Kingmaker, GreenLuck, and Spinsy; and a live FinTelegram test deposit into Spinsy surfaced Zentoria Limited directly in the transaction details. That is why the honest conclusion is not “case closed.” It is: the Zentoria network hypothesis is increasingly plausible, and the evidence trail is becoming materially stronger. Conclusion FinTelegram’s review suggests that BetRepublic, WestAce, Kingmaker, Roostino, GreenLuck, and Spinsy may belong to the same broader backend gambling and payments cluster. The recurring attribution of some brands to Zentoria Limited, the official licensing footprint of Zentoria, the repeated payments-side references to Morada Horizon Services Limited, the near-identical rail architecture observed in direct testing, and now a live Spinsy payment detail naming Zentoria Limited together make a Zentoria-linked network hypothesis plausible and increasingly compelling. Summary Table: Reviewed Casino Brands, Entities, and Apparent Roles NameTypeApparent role in reviewed casino clusterCurrent assessment / commentsBetRepublicWestAceKingmakerRoostinoGreenLuckSpinsyRoostinoCasino brand publicly related to ZentoriaOne of the reviewed casino brands in the apparent shared clusterStrongly linked to the cluster; Zentoria link is plausible but not conclusively provenZentoria LimitedLegal entity / gambling operatorCentral hypothesis entity; possible operator or cluster-linked legal wrapper for some of the brandsPlausible anchor entity for the network, but not yet conclusively established as operator of all brandsMorada Horizon Services LimitedLegal / payment-side entity and igamingApparent payment-management / igaming services; likely linked to “Morada Hor…” payee fragmentImportant payments-side lead; likely relevant to the cluster; Irish entity.PayablPayment processor / acquirer / gateway-side entityPossible acquiring / orchestration-side PSP in the broader theory; potentially central to rotating MID hypothesisImportant investigative target, but not directly proven in the current casino-rail review setapi.payment-gateway.ioPayment gateway / technical endpointApparent shared card-processing endpoint for reviewed brandsStrong indicator of shared backend payments stacksecurepayins.comPayment rail / gateway layerAppears in the Revolut / open-banking deposit flowIndicative of shared deposit infrastructureSalt Edge Limiteddba SaltEdgewww.saltedge.comOpen banking infrastructure providerUsed in the Revolut/open-banking deposit pathShared infrastructure clue, not operator evidence by itselfPerspecteev SASOpen banking / payment infrastructure entityAppears in Revolut OBA deposit flowStrong shared-rail indicator across brandsRevolut (oba.revolut.com)Bank / open banking API environmentFinal user-facing bank authorization layer for certain depositsNot evidence of ownership, but confirms common deposit pathChainValleyCrypto / conversion-related payment railApparent destination behind Skrill / Neteller / PaysafeCard “buy crypto” style deposit logicImportant common rail clue; should be described carefully as an apparent routing layerSkrill/Neteller/PaysafeCardPayment method / walletFront-end deposit option that appears to route into the same effective backend logicConsumer-facing method, not the likely ultimate payment operatorRAPIDPayment method / bank transfer style railDeposit route showing the recurring payee fragment “Morada Hor…”One of the strongest shared-payee indicatorsNovaforgeMerchant/front entity (historical)Merchant/front in the Zentoria networkRelevant to the broader network theory, but not central to the reviewed casino rail comparison itself The Simplified Network View Here is the same information in a more operational way: LayerNames involvedApparent roleCasino brandsBetRepublic, WestAce, Kingmaker, Roostino, GreenLuckConsumer-facing casino brands under reviewPossible operator / legal wrapperZentoria LimitedRecurrently attributed operator or network-linked entityPossible payments-side entityMorada Horizon Services LimitedLikely payment-management / payee-side entityPossible acquiring / orchestration-side PSPPayablBroader hypothesis: acquiring / gateway node in the larger networkCard / gateway infrastructureapi.payment-gateway.ioShared card-processing / deposit infrastructureOpen banking infrastructuresecurepayins.com, Salt Edge, Perspecteev SAS, Revolut OBAShared bank-transfer / open-banking pathAlternative payment front endsSkrill, Neteller, PaysafeCard, RAPIDConsumer-facing deposit methodsApparent backend conversion / routing railChainValleyApparent crypto / conversion-style backend railShared payee clue“Morada Hor…”Repeated payee fragment indicating possible common payee/payment entity Call to Whistleblowers If you are a player, PSP insider, affiliate manager, compliance professional, former employee, contractor, or payment specialist with information about Zentoria, Morada Horizon, BetRepublic, Roostino, WestAce, Kingmaker, GreenLuck, or their payment providers, contact FinTelegram confidentially via Whistle42. We are especially interested in: full payment confirmations showing the complete payee name, bank statement lines containing Morada Horizon or related entities, processor/acquirer references, archived legal disclosures, merchant onboarding files, and internal documents showing who controls the cashier and payment stack. Share Information via Whistle42

The sanctioned crypto exchange Grinex has abruptly suspended operations after reporting the theft of roughly 1 billion rubles in digital assets. The platform claims the attack bore the hallmarks of “foreign intelligence services,” but blockchain investigators say the on-chain behavior looks far less like a state seizure and far more like classic criminal laundering. Behind the drama sits a bigger story: Grinex was not some ordinary exchange. It was widely identified by U.S. authorities and blockchain intelligence firms as the successor to Garantex, the notorious Russia-linked crypto venue tied to money laundering, sanctions evasion, and the A7A5 shadow-payments network. Key Findings Grinex has suspended operations after reporting that assets worth about 1 billion rubles were stolen in a cyberattack announced on April 16, 2026. The “Western intelligence” narrative is unverified. Reuters explicitly reported that it could not verify Grinex’s claim that “foreign intelligence services” were behind the attack. On-chain evidence cuts against the state-seizure storyline. Chainalysis found that the stolen stablecoins were quickly swapped into TRX via a DEX, a move more consistent with evading issuer freezes than with a law-enforcement confiscation. TRM Labs identified a broader incident footprint than Grinex publicly disclosed and linked the same consolidation address to both Grinex and TokenSpot, another Kyrgyzstan-based exchange TRM assesses as a likely Garantex front. U.S. Treasury said Grinex was created by Garantex employees after the March 2025 disruption of Garantex in order to continue sanctions-evasion services and move customer funds. Grinex was central to trading A7A5, the ruble-backed token issued by sanctioned Kyrgyz company Old Vector, which U.S. and UK authorities linked to Russian sanctions-evasion infrastructure. The bigger compliance picture is explosive: Garantex had already lost its Estonian authorization in 2022 after the FIU found systemic AML/CFT failures, suspicious transaction-reporting failures, and links to criminal wallets. Compliance Analysis 1. The immediate story: Grinex claims a geopolitical hit job Grinex says it was hit by a large-scale cyberattack that stole more than 1 billion rubles and forced the platform to suspend operations. In its public messaging, the exchange framed the incident as an operation by “unfriendly states,” claiming the attack was designed to damage Russia’s “financial sovereignty.” That framing is politically convenient, but at this stage it is still only Grinex’s allegation, not an independently established fact. Reuters, which reported the shutdown on April 16, 2026, said it could not verify the attribution claim. 2. The on-chain trail tells a different story The most important fact is not Grinex’s rhetoric but the movement of funds. Chainalysis reported that the exfiltrated assets were largely centralized stablecoins that were quickly swapped into TRX through a Tron-based DEX. That matters because when governments or law enforcement seize stablecoins, they commonly seek a freeze from the issuer. Rapidly converting into a non-freezable asset is the kind of move criminals make when they fear exactly such a freeze. Chainalysis therefore said the behavior raises real questions about Grinex’s story and even floated the possibility of a false-flag event or exit-style siphoning rather than a classic state takedown. TRM Labs reached a different tactical conclusion on motive, but not on the core point that the attribution remains unproven. TRM found that the attacker converted stolen USDT on TRON into TRX via SunSwap and consolidated about 45.9 million TRX, worth roughly $15 million, into a single address. TRM assessed the incident was more likely an external cyber operation than an exit scam, partly because the activity touched both large and small wallets across multiple platforms. Even so, TRM also stated clearly that Grinex’s claim about “special services of unfriendly states” was not independently verified. 3. Grinex was never just another exchange From a compliance perspective, the hack is only the surface scandal. The deeper issue is what Grinex appears to have been. U.S. Treasury stated in August 2025 that Grinex was created by Garantex employees after the March 2025 law-enforcement action against Garantex, and that it was used to transfer Garantex customer deposits and continue core services. Treasury further said Grinex facilitated billions of dollars in crypto transactions and functioned as part of Garantex’s sanctions-evasion effort. That account matches what blockchain analytics firms had already been saying. TRM reported that Grinex was incorporated in Kyrgyzstan in December 2024, weeks before the multinational action that dismantled Garantex, and that Garantex-linked Telegram channels quickly promoted Grinex as the familiar replacement where clients could recover frozen assets. TRM’s earlier work also pointed to Kyrgyz records showing Grinex was registered by Duulat-eldar Sagynbeki Subankulov, though the open-source record around the real controlling parties remains opaque. 4. The Garantex backdrop: this was a laundering brand with a new logo Any serious review of Grinex starts with Garantex. The U.S. Justice Department said in March 2025 that Garantex’s domains were seized, servers in Germany and Finland were taken, earlier server copies including customer and accounting databases had been obtained, and more than $26 million in funds used to facilitate money laundering were frozen. DOJ also alleged Garantex had redesigned operations to evade sanctions, including moving operational wallets on a daily basis to frustrate blocking and detection. The problems go back even further. Estonia’s Financial Intelligence Unit said Garantex Europe OÜ surrendered its authorization after supervisory findings that included systemic AML/CFT deficiencies, identity-verification failures affecting more than 90% of customers, failure to report suspicious transactions, and property flows linked to criminal conduct or wallets used by offenders. The FIU said annual transactions exceeded €5 billion, with a large share tied to Russia and other high-risk countries. This is why the “Grinex as successor” label is not tabloid exaggeration. It is the core compliance fact pattern. OFAC, Chainalysis, Elliptic, and TRM all describe Grinex as either the direct successor to Garantex or an entity built from the same infrastructure, clientele, and operating purpose. 5. A7A5: the sanctions-evasion rail at the center of the story Grinex’s strategic importance appears to lie in its role as the main trading venue for A7A5, a ruble-backed token issued by Old Vector in Kyrgyzstan. OFAC said Garantex used this token structure so customers whose funds were trapped after the March 2025 disruption could regain access to value. Treasury also said A7, A71, and A7 Agent were owned by sanctioned Moldovan oligarch Ilan Shor and sanctioned Russian bank Promsvyazbank, and that A7A5 was created for a cross-border settlement platform used for sanctions evasion. Chainalysis said A7A5 processed more than $51 billion and described it as a token designed to operate within a narrow ecosystem of Russian-linked financial services, with Grinex as the primary platform facilitating trades. The Financial Times reported even earlier that A7A5 had moved $9.3 billion in four months, was backed by deposits at Promsvyazbank, and was closely linked to Grinex as part of Russia’s shadow payments architecture. Later FT reporting said the wider A7/A7A5 network moved more than $6 billion after sanctions, underscoring how resilient the network remained. In plain English: Grinex mattered because it was not just an exchange. It appears to have been a sanctions-resilient conversion point between rubles, A7A5, and mainstream crypto liquidity. That makes it highly relevant not only for AML analysts but also for sanctions enforcement, cross-border payments supervision, and national-security investigators. 6. The TokenSpot angle makes the case even dirtier One of the more disturbing details in TRM’s April 2026 hack analysis is the linkage to TokenSpot, another Kyrgyz exchange TRM assesses as a likely Garantex front. TRM said two TokenSpot addresses sent funds to the same consolidation address used by the Grinex-linked wallets and that both platforms appear to have been hit around the same time. TRM also reported that TokenSpot had sent $88 million to Garantex and Grinex, received over $12 million back from Grinex, and sent more than $257.5 million to the A7 network. That is not the profile of an isolated exchange mishap. It looks more like stress inside a broader sanctions-evasion ecosystem built to route Russian-linked value through Kyrgyz wrappers, shadow tokens, and crypto liquidity bridges. 7. What the alleged hack likely means from a compliance standpoint The most defensible compliance conclusion today is this: Grinex’s shutdown is real; the attribution is not settled; the underlying business model was already toxic. Reuters confirms the shutdown. Treasury and UK sanctions records confirm Grinex had already been treated as a sanctions-evasion vehicle. Blockchain analytics firms confirm that the attack hit a platform deeply embedded in the Garantex/A7A5 architecture. What remains uncertain is whether this was a hostile state operation, a criminal theft, a compromise by insiders, or some hybrid scenario. For regulated firms, the lesson is brutal but simple: successor entities, rebrands, and jurisdictional shifts do not cleanse sanctions or AML exposure. When the old exchange is taken down and a new one appears in Kyrgyzstan with the same customers, the same purpose, the same staff links, and the same settlement logic, the risk is not reduced. It is merely repackaged. Conclusion: An Exit Scam Wrapped in a Flag The disruption of Grinex is a fatal blow to the infrastructure supporting Russian sanctions evasion, but victims of this exchange should not hold their breath for a rescue. Whether this was a genuine exploit by rival cybercriminals or a meticulously orchestrated rug-pull by the Garantex/Grinex cartel, the outcome is the same. The architects of this illicit financial network have cashed out, leaving their “loyal” clientele holding the bag while blaming the West for their missing millions. Call to Whistleblowers Whistleblowers, counterparties, former staff, liquidity providers, OTC brokers, compliance officers, and banking or payments insiders with knowledge of Grinex, Garantex, TokenSpot, Old Vector, A7A5, or related sanctions-evasion structures should contact FinTelegram via Whistle42. If you have wallet evidence, KYC records, onboarding material, internal chats, payment-routing instructions, banking links, or details of how Russian institutions used these structures to move money, your information could help expose one of the most important crypto-compliance stories in the Russia sanctions space. Share Information via Whistle42

GoDeFi presents itself as a sleek non-custodial DeFi payment-card platform for everyday crypto users. GammaG appears in FinTelegram’s earlier reporting as a Georgian crypto-payment rail surfacing behind offshore-casino deposit flows and in whistleblower material linked to the wider CoinsPaid orbit. A newly visible link between the two schemes is the name Sandra Kübarsepp, who is publicly recorded as the sole director and sole shareholder of GO DEFI CS s.r.o. The overlap is real. But the bigger question remains open: is this merely a personnel coincidence, or part of a broader continuity structure stretching from casino crypto rails into consumer-facing DeFi branding? Key Findings GoDeFi markets a non-custodial Solana-linked payment-card model that promises users direct wallet spending, no top-up, and a DeFi-to-real-world payments bridge. Go Defi Corp. is identified as the developer/operator on GoDeFi’s app disclosures, while GO DEFI CS s.r.o. appears to be the Czech paid-services entity. Sandra Kübarsepp is publicly listed in Czech company records as the sole managing director and 100% shareholder of GO DEFI CS s.r.o. FinTelegram’s prior reporting placed GammaG LLC in Georgia behind a “CoinsPaid” casino deposit flow and described GammaG as a possible continuity rail in the wider CoinsPaid / CryptoProcessing / Dream Finance / SoftSwiss field. FinTelegram also stressed that the evidence showed functional proximity, not yet proven common ownership. Georgia requires VASP registration with the National Bank of Georgia, and the NBG has warned the public against using unregistered virtual-asset providers. Based on the public materials reviewed, FinTelegram could not independently verify GammaG’s NBG registration. Beneficial Owners, Co-Founders, And Funding A second publicly visible name around the GoDeFi.me scheme is Sergei (Sergey) Burmisov. In GoDefi’s own 12 March 2025 press release, the company identified Sergey Burmisov as “Co-Founder & CTO” and quoted him directly on the product’s non-custodial architecture and user proposition. The same release also said GoDefi had already raised $2 million in an initial seed round and was preparing a second funding round. The Estonian national Sandra Kübarsepp (aka Sandra Urvak) is publicly listed as the sole director and sole shareholder of GO DEFI CS s.r.o., the Czech entity named in GoDeFi’s paid-services documentation. Compliance Analysis GoDeFi: polished DeFi card pitch, thin public accountability GoDeFi is pitched as “the first true DeFi payment card for everyday life.” The app-store and website materials describe a 100% non-custodial service built around Solana wallets, promising users that they can connect a wallet, complete KYC for card issuance, and spend crypto without surrendering private keys or pre-funding an intermediary balance. The product language is ambitious: spend, borrow, lend, receive, and send — all wrapped in a consumer-fintech user experience. Publicly, the structure looks split — and the card story looks broken. The app and privacy materials identify Go Defi Corp. as the operator/developer, while the paid-services terms name GO DEFI CS s.r.o. as the subscription counterparty. Those terms still refer to Quicko Sp. z o.o. as the card issuer. But that disclosure appears stale: the Polish regulator KNF revoked Quicko’s licence on 21 January 2026, and Quicko itself said it lost the ability to provide payment services on 3 February 2026. Yet GoDefi’s live Google Play listing continues to market a payment card from unnamed “licensed banking partners,” even though the app shows only 50+ downloads. That leaves a basic operational question unresolved: who, if anyone, is currently issuing the GoDefi card, and whether the card system works at all. GammaG: from Georgian crypto rail to FinTelegram’s continuity hypothesis GammaG entered FinTelegram’s reporting through the payment-rail side, not the DeFi-card side. In December 2025, FinTelegram documented an observed deposit flow at offshore casino Vegadream in which selecting the “CoinsPaid” option opened a GammaG payment pop-up with crypto deposit instructions. GammaG was described there as a Georgia-registered entity offering digital-currency payment solutions, including hosted-wallet and exchange-related functions. Read our CoinsPaid reports here. In April 2026, FinTelegram followed with a more pointed thesis: GammaG may have functioned as a shadow or continuity rail in the same operational field as CoinsPaid, CryptoProcessing, Dream Finance, and the wider SoftSwiss ecosystem. That report was careful on the evidentiary boundary. It did not claim proven formal integration. It said the new whistleblower material reinforced the functional closeness already identified by FinTelegram. That distinction matters. A rail can be strategically close, commercially integrated, or operationally interchangeable without the public record yet proving identical ownership. That is the current state of play. GammaG is not just an isolated Georgian web domain that happened to appear in a single transaction flow. FinTelegram’s existing reporting places it inside a broader compliance pattern: replacement rails, migrating structures, opaque contracting endpoints, and the use of crypto-processing architecture to keep high-risk offshore business moving when older channels become impaired. The GammaG Connection Public records and company statements currently tie at least two names to the GoDefi.me scheme: Sandra Kübarsepp/Urvak on the Czech corporate side, and Sergey Burmisov as publicly named co-founder and CTO. GoDefi also claimed in March 2025 that it had raised $2 million in seed funding and was pursuing a second round, although the underlying investors and financing structure have not yet been independently verified. What FinTelegram can now say with confidence is narrow but important. We know that Sandra Kübarsepp is publicly listed as the sole director and sole shareholder of GO DEFI CS s.r.o., the Czech entity named in GoDeFi’s paid-services documentation. That is verified. Allegedly, Kübersepp is also a director of the Georgian crypto-payments scheme GammaG. FinTelegram’s prior reporting places GammaG in a CoinsPaid-linked rail environment. That already makes the overlap noteworthy. A name tied to a consumer-facing DeFi card structure appears in the same investigatory field as a Georgian rail previously surfaced in offshore-casino crypto flows. For compliance professionals, that is enough to justify closer scrutiny. What FinTelegram knows at this stage FinTelegram knows that GoDeFi is not just a vague app-store project. It has identifiable entities, a Czech services company, a named control person in Sandra Kübarsepp, and a payments-card narrative built around non-custodial DeFi branding. FinTelegram also knows that GammaG has already surfaced in FinTelegram’s casino-rail reporting, specifically behind a CoinsPaid deposit path, and later in whistleblower material consistent with a continuity-rail hypothesis. Read our reports on GammaG here. Those two strands now intersect in a way that is too concrete to ignore and still too incomplete to overstate. Conclusion At this point, FinTelegram’s investigation suggests a credible and potentially significant overlap between the GoDeFi scheme and the GammaG scheme. The public record already supports one hard fact: Sandra Kübarsepp, aka Sandra Urvak, controls GO DEFI CS s.r.o., the Czech company behind GoDeFi’s paid-services leg. Separately, FinTelegram’s prior reporting places GammaG inside a suspicious Georgian crypto-rail environment linked to CoinsPaid-branded transaction paths and the broader Dream Finance / SoftSwiss investigatory field. That is enough to justify continued scrutiny. It is not yet enough to claim full common ownership or a fully proven unified scheme. The overlap is real. The ultimate structure remains unresolved. Summarizing Table Here is a compact summary table you can drop into the report. EntityJurisdictionRoleVerified connectionsGo Defi Corp.www.godefi.mehttps://app.godefi.meDelaware, U.S.App/operator entity shown for GoDeFiListed in GoDeFi app disclosures as the developer/operator; app disclosures use the Dover, Delaware registered-agent address.GO DEFI CS s.r.o.Czech RepublicCzech paid-services / subscription entity for GoDeFiNamed in GoDeFi subscription-plan terms; Czech registry-derived records show Sandra Kübarsepp as sole shareholder and managing director.Sandra Kübarseppaka Sandra UrvakEstonia-resident natural personControl person on the Czech GoDeFi side. According to Estonian register information, she also goes by the name Sandra Urvak.Public Czech records tie her to GO DEFI CS s.r.o. as sole shareholder and statutory director.Sergei BurmisovRussia,Montenegro (LinkedIn)GoDefi CTO and CoFounderPress releaseGammaG LLC / GammaGGeorgiaCrypto-payment / exchange-style rail appearing in FinTelegram’s casino-rail reportingFinTelegram documented a deposit path where clicking a “CoinsPaid” option at Vegadream opened a GammaG pop-up with crypto deposit instructions; FinTelegram later described GammaG as a possible continuity rail in the CoinsPaid field.CoinsPaid / CryptoProcessing orbitMulti-jurisdictionalBranded crypto-processing/payment ecosystem referenced in FinTelegram investigationsIn FinTelegram’s reporting, CoinsPaid-branded deposit flows led users into GammaG checkout/payment pages, suggesting operational proximity. Working takeaway: the strongest verified bridge at this stage is GammaG CoinsPaid on the payments-flow side and Sandra Kübarsepp GO DEFI CS s.r.o. on the GoDeFi side. The missing evidentiary step is a primary-source document proving that the same control persons or beneficial owners sit across both clusters. Call To Whistleblowers And Insiders If you are a current or former employee, contractor, compliance officer, card-program partner, exchange counterparty, merchant, casino operator, PSP, bank, EMI, or affected user with information about GoDeFi, GO DEFI CS s.r.o., Go Defi Corp., GammaG LLC, or their links to CoinsPaid, CryptoProcessing, Dream Finance, or the wider SoftSwiss orbit, contact FinTelegram confidentially via Whistle42. FinTelegram is particularly interested in: corporate records and shareholding documents, director and nominee arrangements, card-issuer and processor contracts, AML/KYC files, wallet and settlement architecture, correspondence about Georgia, Czech, or EU regulatory positioning, and any proof of common control or operational continuity. The public deserves clarity on whether GoDeFi is simply a new fintech wrapper around a legitimate service model — or whether it forms part of a broader migration pattern in which high-risk crypto rails reappear under new names, new jurisdictions, and cleaner consumer branding. Share Information via Whistle42

Exceleon Exchange — also presented through the older GoDeFi.eu environment — is marketed as a polished crypto-fintech gateway combining exchange, wallet, payment-account, and card functionality. But the legal disclosures behind that pitch describe a fragmented structure: a UK technology company, a Greek EU crypto operator, a Canadian non-EU crypto operator, and a separate EMI/card layer provided through the DiPocket group for a Greek partner. Public filings now add another important detail: the UK company’s control chain runs through NPM Technologies Limited to Mrs Niki Kaloudi. The result is a scheme that looked unified to users but was legally split across multiple entities, roles, and jurisdictions. Key Findings GoDeFi.eu was embedded in the Exceleon/Excelon ecosystem, not a separate unrelated site. Exceleon’s own privacy text referred to users visiting or logging into the godefi.eu platform. The Exceleon website described a split operator model: Excelon Financial Services Limited in the UK as technology provider; DEFI Technologies SMPC in Greece for EU exchange and wallet services; Global Money Gate Corp. in Ontario for non-European exchange, wallet, and crypto trading; and DiPocket UAB / DiPocket Limited providing the card and payment-account services for EMS TECHNOLOGY SMPC in Greece. The GoDeFi.eu / Excelon Exchange terms state that the exchange and wallet service is provided by DEFI Technologies SMPC and governed by Greek law. The exchange terms also imposed a material restriction: crypto bought through the service could not be transferred to an external wallet for 30 days after purchase, and the fiat on/off-ramp was tied to the separate Excelon E-money Service. DiPocket appears to be a separate regulated EMI infrastructure group, not part of the Exceleon group itself. On its own site, DiPocket splits customers between DiPocket UAB in Lithuania for EU residents and DiPocket Limited in the UK for UK residents. DiPocket UAB is listed by the Bank of Lithuania as an EMI holding a Lithuanian licence, valid from 2020-11-10. UK filings show the former Excelon Technologies Limited changed its name to Excelon Financial Services Limited in November 2025. In December 2025, NPM Technologies Limited became the PSC of the UK company, replacing Nikolaos Skondreas. NPM itself is controlled by Mrs Niki Kaloudi. Summary Table: Entities, Jurisdictions, Roles, And Control EntityJurisdictionStated or verified rolePublicly disclosed connectionExcelon Financial Services Limited (formerly Excelon Technologies Limited)United KingdomTechnology provider for the Exceleon app, XLON Chain, e-money services, and exchange servicesNamed in Exceleon’s legal footer as the technology provider; Companies House shows name change in Nov. 2025.DEFI Technologies SMPCGreeceEU-facing exchange and wallet operatorGoDeFi.eu terms say the service is “provided to you by DEFI Technologies SMPC”; footer says Excelon Exchange is operated by it from 92 Tatoiou St, Metamorfosi, Greece.Global Money Gate Corp.Ontario, CanadaNon-European exchange, wallet, and crypto-trading operatorExceleon legal footer says it serves non-European residents and is registered with FINTRAC for virtual-currency services.EMS TECHNOLOGY SMPCGreecePartner entity for the card/e-money layerExceleon says DiPocket UAB and DiPocket Limited provide the card and payment-account services for EMS TECHNOLOGY SMPC.DiPocket UABLithuaniaEMI for EU/EEA residentsDiPocket is regulated by the Bank of Lithuania; the BoL lists it as an EMI with licence valid from 2020-11-10.DiPocket LimitedUnited KingdomEMI for UK residentsDiPocket’s site says it serves UK resident customers and is regulated by the FCA.NPM Technologies LimitedUnited KingdomActive PSC of Excelon Financial Services LimitedCompanies House shows NPM was notified as PSC of the UK Excelon entity on 18 Dec. 2025.Niki KaloudiGreece / UK filingsPSC of NPM Technologies LimitedCompanies House shows Kaloudi controls NPM with 75%+ shares and voting rights and director-appointment rights.Nikolaos SkondreasGreece / UK filingsFormer PSC of the UK Excelon entityCompanies House shows he ceased as PSC on 18 Dec. 2025. Compliance Analysis 1. What Exceleon Exchange Was Selling To Users Exceleon marketed a seamless consumer-fintech proposition: open an account, receive an IBAN, order a Mastercard, hold crypto, exchange crypto for euros, move money globally, and manage everything in one app. The public-facing brand was designed to look unified and frictionless. The site explicitly pitched “future banking,” current accounts, cards, exchange, wallets, and crypto trading as parts of one digital-money experience. That matters because the legal architecture behind the user experience is far less unified than the branding suggested. The brand looked singular; the operator stack is not. 2. The Operator Stack Was Split Across Several Entities The Exceleon footer is unusually explicit. It says the website only provides information about products offered on the app, and then allocates those products across multiple entities: the UK company as technology provider, DEFI Technologies SMPC in Greece for EU exchange and wallet services, Global Money Gate Corp. in Canada for non-European crypto services, and DiPocket UAB / DiPocket Limited for card and payment-account services for EMS TECHNOLOGY SMPC in Greece. This is not just a legal footnote. It is the core of the scheme’s compliance posture. It shows a deliberate compartmentalization of roles by both function and geography. That can be legitimate, but it also means a user dealing with the Exceleon brand may actually be relying on different counterparties depending on whether the activity is crypto exchange, wallet use, fiat storage, or card issuance. 3. DEFI Technologies SMPC Was The Real EU Crypto Counterparty The strongest single operator statement sits in the GoDeFi.eu / Excelon Exchange terms:“This service is provided to you by DEFI Technologies SMPC,” a Greek company with registry code 166556101000. The same materials say Excelon Exchange is operated by that Greek entity from 92 Tatoiou Str, 14452, Metamorfosi, Greece. So while the UK company supplied the technology narrative, the disclosed legal counterparty for the EU-facing crypto exchange and wallet proposition was the Greek DEFI Technologies vehicle. That is a key distinction for any reader trying to understand who actually operated the crypto side of the scheme. 4. The Product Was More Controlled Than The Marketing Suggested The user-facing pitch emphasized freedom, convenience, and borderless digital finance. But the terms show a more tightly controlled environment. Most notably, the terms say that to prevent money laundering, users could not transfer virtual assets purchased through the Excelon Exchange Service to another wallet outside the service for 30 days after purchase. They also say users can deposit and withdraw fiat through the separate Excelon E-money Service. That is an important compliance signal. It suggests that the scheme was not offering a fully open crypto environment, but rather a more managed internal stack in which fiat flows, exchange activity, and outbound crypto mobility were constrained by internal controls and third-party processors. 5. The Relationship Between The Exceleon Group And The DiPocket Group This is where the new findings materially improve the picture. Based on the available disclosures, DiPocket appears to be a separate regulated EMI group that Exceleon was using as infrastructure for its card and payment-account layer, not a company inside the Exceleon group itself. Exceleon’s own footer says the Excelon Mastercard and payment accounts are provided by DiPocket UAB and DiPocket Limited for EMS TECHNOLOGY SMPC under their electronic-money-institution licence. DiPocket’s own site supports that interpretation. It does not present itself as part of Exceleon. Instead, it presents a standalone payments group with a dual-entity structure: DiPocket UAB for EU resident customers, regulated by the Bank of Lithuania, DiPocket Limited for UK resident customers, regulated by the FCA. The Bank of Lithuania independently lists DiPocket, UAB as an electronic money institution, holding a licence issued in Lithuania for non-limited activity, with the EMI licence valid from 2020-11-10. The most accurate interpretation, therefore, is this:Exceleon did not itself present as the EMI behind the card/account product. It presented as a branded front end that relied on the DiPocket group’s regulated EMI infrastructure, with EMS TECHNOLOGY SMPC inserted as the Greek partner in that arrangement. That does not mean DiPocket endorsed every other aspect of the Exceleon crypto proposition. It means the available information points to a service-provider / infrastructure relationship, not a unified group identity. On the present record, the safe conclusion is that the DiPocket group and the Exceleon group were distinct, but contractually connected through the card/e-money offering. 6. The UK Control Chain Is Now Much Clearer The UK corporate trail is no longer as opaque as before. Companies House shows that the former Excelon Technologies Limited changed its name to Excelon Financial Services Limited in November 2025. It also shows that on 18 December 2025, NPM Technologies Limited was notified as the PSC of the UK company and Nikolaos Skondreas ceased as PSC the same day. The next layer is also public: Companies House shows Mrs Niki Kaloudi as the active PSC of NPM Technologies Limited, with 75% or more of shares and voting rights and the right to appoint or remove directors. That means FinTelegram can now say, carefully and accurately, that the apparent ultimate control person of the UK Exceleon entity is Mrs Niki Kaloudi via NPM Technologies Limited. This proves the UK control chain. It does not, by itself, prove that Kaloudi is the ultimate beneficial owner of every Greek, Canadian, or partner entity in the broader Exceleon structure. 7. What The Current Record Still Does Not Prove The revised picture is much stronger, but there are still gaps. The public materials reviewed here do not prove: that the same ultimate owner controls every Exceleon-related entity across the UK, Greece, and Canada, that EMS TECHNOLOGY SMPC is owned or controlled by the DiPocket group, or that the later GoDeFi.me structure is formally the same enterprise as the older GoDeFi.eu / Exceleon structure. What the record does support is a more modest and defensible conclusion: Exceleon was a brand-led multi-entity structure, and its card/e-money layer relied on a separate regulated DiPocket infrastructure stack rather than an in-house EMI licence. Conclusion The revised evidence shows that Exceleon / GoDeFi.eu was not a simple crypto exchange brand. It was a multi-entity structure in which different legal actors handled different pieces of the user experience. The crypto exchange/wallet layer sat with DEFI Technologies SMPC in Greece for EU users, the broader technology shell sat in the UK, and the payment-account/card proposition appears to have relied on the separate DiPocket EMI group through a partner arrangement involving EMS TECHNOLOGY SMPC. The addition of the UK PSC trail materially strengthens the picture: the UK entity is now traceable through NPM Technologies Limited to Mrs Niki Kaloudi. But the broader cross-border ownership picture remains incomplete. That is the core FinTelegram takeaway: the structure is now clearer, but not yet fully transparent. Call To Insiders And Whistleblowers If you are a current or former employee, contractor, compliance officer, issuing-bank contact, EMI partner, PSP, technology vendor, exchange counterparty, or affected user with information about Exceleon Exchange, GoDeFi.eu, Excelon Financial Services Limited, DEFI Technologies SMPC, Global Money Gate Corp., EMS TECHNOLOGY SMPC, DiPocket UAB, DiPocket Limited, NPM Technologies Limited, or Mrs Niki Kaloudi, contact FinTelegram confidentially via Whistle42. FinTelegram is particularly interested in: shareholder and nominee documents, agreements involving EMS TECHNOLOGY SMPC and the DiPocket group, issuer and processor contracts, AML/KYC manuals, internal escalation or compliance correspondence, and any evidence clarifying whether the later GoDeFi.me scheme is merely similar — or part of the same underlying network. Share Information via Whistle42

First they steal your money. Then someone shows up promising to get it back. That is the ugly logic of the recovery-scam industry, and Trek Tech Corp fits far too many of the warning signs. The operation behind trektechcorp.net sells itself as a crypto recovery expert, but the public footprint points in a much darker direction: a young domain, very low trust ratings, spam-style promotional posts, miracle-recovery stories pasted across unrelated websites, and no clearly verified accountable operator. In plain English: this looks less like salvation and more like a second trap for people already wounded by the first scam. Key Findings Trek Tech Corp markets crypto recovery services and claims to recover stolen, hacked, or inaccessible digital assets through trektechcorp.net. The domain trektechcorp.net has a very low trust score, was first analyzed in early January 2026, and ScamDoc says the site is linked to multiple risk signals including a young domain, partial Whois identity, and suspected spam. Public web results show near-testimonial promotional stories for Trek Tech Corp appearing on unrelated forums, blogs, mailing lists, and even memorial/guestbook-style pages. Scamwatcher explicitly labels trektechcorp.net / trektechcorp1@gmail.com / TREK Tech Corp as a recovery scammer “company” targeting people who already lost money. Regulators warn that recovery scams specifically target previous scam victims, often by promising recovered funds or fast asset retrieval and then demanding payment or extracting more information. The Pitch Is Familiar. That’s The Problem. Trek Tech Corp sells the one thing desperate victims most want to believe in: a second chance. Its website promises crypto recovery, asset tracing, wallet help, fraud investigation, and digital expertise. On paper, that sounds polished. In reality, that is exactly the sort of language used by operators who know their audience is frightened, embarrassed, and easy to pressure. The real tell is not the website copy. It is the marketing footprint. Trek Tech Corp keeps turning up in the same kind of scripted “success story” posts that have become a trademark of the recovery-scam ecosystem: dramatic victim narrative, huge loss, emotional collapse, miracle referral, ultra-fast recovery, glowing thanks, then the direct plug for the website and email address. That is not how credible forensic firms, lawyers, or regulated professionals normally build trust. That is how lead funnels for desperate victims are built. And the credibility problem gets worse the closer you look. ScamDoc gives the site a 1% trust score and flags the domain as less than a year old, with only partial owner identification and a free-email style signal in the Whois data. Scamwatcher goes further and flatly describes it as a recovery scammer outfit. Standing alone, one warning page might not be decisive. But when you combine that with the spammy testimonial spread and the classic victim-targeting script, the picture becomes hard to ignore. Why This Smells Like A Second Scam Recovery scams thrive on the emotional wreckage left by the first fraud. Regulators have been explicit about this. New Zealand’s FMA says crypto recovery scams target people who have already lost money to previous scams. CIRO warns against “recovery” approaches that demand upfront money or make promises about getting lost crypto back. The model is brutally simple: find people in pain, offer hope, then monetize that hope. That is why Trek Tech Corp should be viewed through a hostile lens. The combination of young domain + opaque identity + spammy promotion + emotional testimonials + recovery promises is not a trust signal. It is a hazard pattern. Even if every single claim on the site were framed in polished language, the surrounding footprint still screams high-risk. FinTelegram Warning To Victims If you have already been scammed, do not let a second operator weaponize your desperation. Do not send Trek Tech Corp or similar outfits more money. Do not hand over wallet credentials, seed phrases, remote access, identity documents, or “release fees.” Do not trust miracle turnaround times, emotional testimonials, or comment-section referrals. Those are the mechanics of the recovery-scam pipeline. Victims who have lost funds should instead contact their bank, relevant exchanges, law enforcement, and competent legal or regulatory channels immediately. Real recovery work is slow, uncertain, document-heavy, and rarely sold through pasted comments on random websites. Boxed Explainer: How To Spot A Recovery Scam They find you after you’ve already been burned.That is the business model. Recovery scammers target prior victims. They promise speed, certainty, or guaranteed success.Fast crypto recovery claims are one of the biggest red flags in the sector. They push testimonials instead of verifiable credentials.If praise appears in random comment sections and unrelated forums, assume manipulation first. They want money, access, or sensitive information upfront.Fees, gas costs, tax clearance, release payments, remote access, or seed phrases are danger signs. Their legal identity is blurry.If you cannot clearly identify the responsible operator, jurisdiction, and accountable humans, walk away. Call To Whistleblowers Have you dealt with Trek Tech Corp / Trektech Corp / trektechcorp.net? Did you pay fees, receive wallet instructions, or see the same promotional stories planted across websites, forums, or media comment sections? FinTelegram invites victims, insiders, service providers, former contractors, hosts, domain intermediaries, and payment professionals to submit documents, emails, invoices, chat logs, wallet addresses, and related intelligence via Whistle42. Tips about Trek Tech Corp and other recovery scams may help expose the networks preying on fraud victims a second time. Share Information via Whistle42

At first glance, Payvision may look like an old scandal from the binary-options era. It is not. A newly reviewed EFRI dossier argues that Payvision did not merely sit in the background as a payment processor, but allegedly helped build, adapt, and preserve the payment rails that kept the Lenhoff/Barak fraud factories running. That matters now because the fallout is still alive: EFRI is pursuing claims in Amsterdam, criminal-file materials continue to be re-evaluated. The wider U.S. and T1/Payvision angle shows that similar allegations about European shell structures and high-risk processing also surfaced in U.S. litigation. Key Findings The dossier supports a “knowing facilitation” theory, not just a “missed red flags” theory. It says Payvision’s role went beyond technical processing and extended to merchant setup, MID migration, settlement continuity, and operational stabilization. Booker’s own reported statements are central. According to the dossier, he acknowledged knowledge of the real beneficial owners, the binary-options/CFD/crypto environment, extreme chargeback levels, and 273 suspicious transaction reports filed between August 2016 and January 2019. The MCC issue is explosive. The dossier says Payvision used MCC 6211 for platforms that allegedly lacked the required MiFID authorization, while also accepting MOTO/CNP flows and shell-merchant structures. The commercial-motive argument is plausible. The dossier ties scam-linked volume to fees, cash flow, and growth, and notes ING’s acquisition of 75% of Payvision at a reported €360 million valuation. There is external reinforcement for the control-failure narrative. ING has publicly stated that the Dutch criminal investigation into Payvision concerned conduct dating from before ING acquired the company, and ING’s disclosures noted the April 2024 Dutch-authorities decision to resolve that criminal investigation. The U.S. angle matters. Public Nevada records show Payvision B.V. was named as a defendant in Ibuumerang v. T1 Payments, alongside T1, Donald Kasdon, Amber Fairchild, and Pixxles. The Payvision Dossier There are processors that miss red flags. And then there are processors that, if the record holds up, look like they helped keep the scam machine humming. The Scam Infrastructure Facilitator That is the core force of the EFRI dossier. It does not describe Payvision as a passive bystander that got fooled by clever merchants. It describes Payvision as an allegedly active infrastructure partner in the Lenhoff/Barak ecosystem: a company that knew what kind of business it was processing, knew who stood behind the front entities, knew the fraud and chargeback metrics were terrible, and still kept the rails open. Read our reports on Payvision here. The dossier starts from a large and ugly factual base. It says German and Austrian criminal investigators identified a fraud complex involving platforms such as optionstars/global, xtraderfx, safemarkets, goldenmarkets, option888, xmarkets, tradovest, tradeinvest90, and zoomtrader/global, harming 59,345 European consumers for roughly €340 million between September 2015 and the January 2019 arrests. It identifies Payvision B.V. and its sister Acapture B.V. as the principal payment-service providers for those systems. FinTech Cowboys and Co-Conspirators Payvision Fintech Cowboys Rudolf Booker and Gijs op de Weegh Then the dossier gets more dangerous for Payvision. It says the company’s role did not stop at taking cards and sending money onward. It says the files document participation in setting up, adjusting, and continuing merchant and settlement structures. That is the difference between “processor” and “operator’s enabler.” If true, Payvision was not just near the fraud. It was allegedly helping preserve its plumbing. The material on the former Payvision CEO Rudolf Booker is especially damaging. According to the dossier, Booker confirmed that Payvision knew the connected platforms were offering binary options, and later CFD/crypto-related products, to retail customers; knew Lenhoff and Barak were the real economic actors behind formally different merchants; saw chargeback rates ranging from 2% up to 20% per month; and filed 273 FIU reports for possible money laundering or terrorist financing. That is not the profile of an ordinary merchant book. It is the profile of a business relationship screaming for shutdown. And yet the dossier says the business continued. The MCC 6211 Issue The MCC 6211 issue matters much in the Payvision scheme. The dossier says Payvision used a code associated with licensed broker or securities activity even though the connected platforms allegedly lacked the necessary MiFID authorization. It also says Payvision accepted MOTO flows and shell-style merchant structures that distorted the true risk and regulatory profile of the underlying activity. If accurate, that is not just sloppy compliance. It is a processing architecture that allegedly made dirty business look cleaner than it was. The dossier also offers a motive. It notes that ING bought 75% of Payvision at a reported €360 million valuation in early 2018 and argues that the high-risk volumes tied to Lenhoff/Barak were commercially meaningful. More volume meant more fees, more growth, and a better valuation story. That inference is commercially plausible even where intent remains contested. The T1 / U.S. Angle The dossier explicitly says similar allegations surfaced in U.S. cases between 2019 and 2022, including allegations that Payvision helped merchants build European company structures to obtain card-processing access. That matters because it shows the EFRI theory is not some one-off Austrian or German complaint. It echoes a broader pattern. Public Nevada records support that broader picture. In Ibuumerang, LLC v. T1 Payments LLC et al., Payvision B.V. was named as a defendant alongside T1 Payments LLC, T1 Payments Limited, TGlobal Services Limited, Donald Kasdon, Amber Fairchild, and Pixxles, Ltd. Public records do not clearly disclose the settlement terms for Payvision or ING in that U.S. case. What it does show is that the case existed, that Payvision was inside the T1 litigation orbit, and that later T1 bankruptcy materials treated the U.S. litigation landscape as part of the wider post-collapse fallout. So it is safe to state: Payvision was sued in the U.S. in the T1 orbit, and the public record supports that this litigation was later resolved or dismissed without publicly visible settlement detail in the materials reviewed. That is enough to make the editorial point: the allegation that Payvision allegedly helped structure European wrappers for high-risk underlying business was not confined to the Lenhoff/Barak files. It also showed up in U.S. litigation connected to T1 Payments. FinTelegram Take The dossier’s real punch is simple. It does not depict Payvision as a processor that merely failed to act fast enough. It depicts Payvision as a company that allegedly helped industrialize the payment rails of fraud — and kept doing so while the warning lights flashed red. If that reading of the files is right, then Payvision’s role was not incidental. It was infrastructural. And that is exactly why this is a hot case again. Whistle42 CTA FinTelegram invites whistleblowers, former Payvision staff, merchants, compliance officers, and victims with information on Payvision, Rudolf Booker, ING, T1 Payments, or related merchant structures to contact us via Whistle42. Confidential submissions help expose the payment architecture behind cyberfinance fraud. Share Information via Whistle42

The Court of Justice of the European Union has delivered a brutal blow to the cross-border online casino model. In Case C-440/23, European Lotto and Betting and Deutsche Lotto- und Sportwetten, the CJEU ruled on 16 April 2026 that EU law does not stop a Member State from banning certain online gambling services even when the operator is licensed in another EU country such as Malta. Worse for the casino industry, the Court also confirmed that those illegal offers may carry civil-law consequences: the gambling contract may be treated as void, and players may sue to recover their losses under national law. For the Malta casino crowd, this is more than a legal setback. It is a crack in the business model. Key Findings The CJEU held that EU law does not preclude a Member State from prohibiting certain online gambling services that are licensed in another Member State. The Court said such prohibitions may legitimately pursue consumer protection, prevention of gambling addiction, protection of social order, and channeling gambling into controlled circuits. The judgment confirms that a later shift to a licensing model, such as Germany’s 1 July 2021 reform, does not retroactively wipe out the earlier prohibition. The Court also held that EU law does not preclude nullity of the gambling contract and civil restitution claims for losses incurred under the prohibited regime. The reference arose from a dispute involving Malta-licensed operators whose services were accessible in Germany, where a player incurred losses between June 2019 and July 2021 and sought recovery. Compliance Analysis The Malta excuse just took a hit For years, the offshore casino pitch was simple: we are licensed in Malta, we are in the EU, therefore we are legitimate. That line has now taken a serious beating. In C-440/23, the CJEU made clear that a gambling licence in one Member State does not act like an EU passport for online casinos targeting consumers in more restrictive jurisdictions. Gambling remains an area without full EU harmonization, and Member States still have broad room to decide how far they want to go in restricting online casino products. That is the core message: Malta licensing does not neutralize German law, or any other national law that validly bans the product. What the case was really about The case involved European Lotto and Betting Ltd and Deutsche Lotto- und Sportwetten Ltd, two companies licensed by the Malta Gaming Authority. Their online services were available in Germany. Between June 2019 and July 2021, a Germany-based player used those services and lost money. During that period, German law still broadly prohibited certain online games of chance, including the products at issue in the case, before the later reform that took effect on 1 July 2021. The player’s claim ended up before a Maltese court, which asked the CJEU whether EU law — especially the freedom to provide services — blocked Germany from maintaining that prohibition and from attaching civil consequences to it. The Court’s answer was effectively: No. It does not. The Court did not blink The judges accepted the standard anti-gambling arguments that regulators love and operators hate: online gambling can create particular risks because it is available continuously, takes place in isolation, reduces social control, may encourage excessive frequency of play, and can be especially dangerous for vulnerable persons and younger users. On that basis, the Court said Member States can try to channel gambling into supervised structures and suppress parallel markets. That matters because it kills the lazy narrative that national restrictions are automatically protectionist or anti-single-market nonsense. The Court did not buy that. The real bomb: players may sue for the money back This is the part that will terrify the illegal-casino ecosystem. The CJEU expressly said EU law does not preclude national rules under which gambling contracts concluded in breach of the prohibition are void, and under which players may bring civil actions to recover lost stakes. The final mechanics still depend on national law, of course. But the big EU-law umbrella defense has been badly damaged. That means operators can no longer wave the EU flag and pretend that player restitution cases are obviously incompatible with the single market. The Court just made clear they are not. The German reform did not save the old conduct One of the casino industry’s favorite talking points has been that Germany moved to a regulated licensing regime on 1 July 2021, so the earlier prohibition must have been defective, obsolete, or incompatible with EU law. The CJEU rejected that shortcut. A later policy change does not automatically invalidate the earlier ban. That is devastating for operators facing claims tied to the pre-July-2021 period. They cannot simply say: Germany later legalized parts of online gambling, therefore our earlier German-facing operations were fine all along. The Court did not give them that escape route. What this means for players at illegal casinos Players should not misunderstand the ruling. This is not an automatic jackpot. The Court did not say every player in every EU country automatically gets every euro back. What it did say is far more useful in practice: where a Member State validly prohibited the gambling offer, and where national law allows nullity and restitution, EU law does not stand in the way. That is a strong pro-player result. It strengthens claims by players who lost money with operators targeting them during periods when the relevant products were prohibited in their home market. It also weakens the industry line that the player’s mere use of a foreign-licensed site is enough to label the claim abusive. The Court indicated that foreign licensing alone is not enough to prove abuse of rights under EU law. In plain English: players at illegal casinos now have a clearer EU-law runway to sue for restitution, if their national law supports it. Why this matters beyond the operators This ruling is bad news not just for the casinos themselves, but for the entire support system around them. If the underlying gambling offer can be treated as unlawful and the contract can be voided, then the legal and compliance heat rises for everyone riding that traffic: payment processors, open-banking providers, affiliate networks, merchant acquirers, payment agents, KYC vendors, and platform intermediaries. That broader implication is an inference rather than an express holding of the Court, but it follows naturally from the Court’s acceptance that illegal online gambling can produce real civil-law fallout. For FinTelegram’s long-running work on illegal casinos and payment rails, this is exactly the point. Once the operator’s legal footing weakens, the payment chain starts to look much more dangerous too. FinTelegram Take This is a serious defeat for the Malta casino defense industry. The CJEU did not abolish cross-border online gambling. But it did demolish the lazy fiction that a Malta licence magically disinfects gambling offers aimed at consumers in restricted markets. It also handed players and claimant lawyers a much stronger weapon: EU law is no longer the easy shield operators hoped it would be when players sue for losses from illegal offers. For years, the offshore gambling crowd sold the same line to PSPs, banks, service providers, and maybe even themselves: licensed in Malta, therefore legitimate in Europe. The Court has now reminded them that Europe does not work that way. National gambling law still bites. And when it bites, it can bite hard. Conclusion The ruling in C-440/23 is one of the most important recent judgments in the EU online gambling fight. It confirms that Member States may ban certain online casino and gambling products despite foreign EU licences, may preserve the civil effects of those bans, and may allow players to pursue recovery of losses under national law. For illegal-casino operators, this is a warning shot. For players, it is an opening. For the payment and compliance ecosystem surrounding offshore gambling, it is a message that the risk perimeter around illegal casino flows has just expanded. If you have internal documents, legal memos, payment-routing files, merchant onboarding records, or compliance reports relating to illegal EU-facing online casinos, send them securely to Whistle42.

A new whistleblower submission reviewed by FinTelegram adds fresh fuel to the Yapily-Klyme case. The material includes a deposit ledger, complaint emails, and a payment-flow screen capture showing Mega.bet using a Klyme-branded “Pay by Bank” rail with Immix Solutions Ltd named as payee. The emerging picture is ugly: a player’s money appears to have moved through a layered structure involving a UK technology intermediary, a Cyprus payment-agent-style entity, and a Lithuanian beneficiary account, while Yapily remains the obvious regulated open-banking name in the background. Yapily openly markets pay-by-bank solutions to the iGaming industry, and the Bank of Lithuania confirms its Lithuanian entity holds a payment institution licence. Key Findings A new whistleblower package reviewed by FinTelegram shows repeated deposits from a Dutch ABN AMRO account to IBAN LT53 5030 1200 0000 0804, indicating a recurring collection account rather than a one-off payment event. A still from the player’s own payment video shows Mega.bet displaying “Pay by Bank” powered by Klyme and naming Immix Solutions Ltd as the payee. In the correspondence provided by the player, Klyme allegedly admits the merchant relationship existed, that transactions ran during the relevant period, and that the merchant was later terminated. Klyme reportedly first gave the player a wrong termination date and later corrected it to 7 April 2025, a discrepancy that raises further questions about merchant oversight and complaint handling. Yapily Connect UAB is listed by the Bank of Lithuania as a licensed payment institution. Yapily openly promotes open-banking products for iGaming operators and PSPs, including pay-by-bank deposit flows. Immix Solutions Ltd publicly presents itself as a Cyprus-based payment-services business offering settlement, escrow, and payment processing. Compliance Analysis The first FinTelegram report on the Yapily leaks exposed a disturbing theme: instead of treating an offshore-casino complaint as a red-flag merchant-risk issue, Yapily’s compliance handling appeared to focus on the complaining user. According to that report, an internal email instructed partner Klyme to blacklist the whistleblower rather than confront the illegal-gambling problem head-on. Read our Yapily reports here. Now comes the follow-up evidence. And it makes the whole thing look worse. The new whistleblower package contains exactly the kind of material that matters in rail investigations: transaction data, complaint correspondence, and front-end payment proof. The player’s deposit ledger shows repeated payments from her Dutch bank account to LT53 5030 1200 0000 0804 across late 2024 and March 2025. That is not what an isolated accidental consumer payment looks like. It looks like a working deposit rail. The payment screenshot is the real grenade. It shows Mega.bet running a “Pay by Bank” screen powered by Klyme, with Immix Solutions Ltd listed as the payee. That single image blows a hole in any attempt to treat Klyme as a distant, irrelevant bystander. If Klyme’s brand appears in the payment journey and a Cyprus payments outfit appears as payee, then this was not some abstract software relationship. This was a visible and operational payment chain. And then there is Immix Solutions Ltd. The whistleblower herself did not even highlight Immix in her email. But the screenshot did. Publicly available material at immix.pro presents Immix Solutions as a Cyprus-based payments business offering settlement, escrow, and payment processing services. In plain English: the kind of entity you would expect to find sitting inside a layered, hard-to-read collection structure. So what do we appear to have here? A player deposits into an offshore-style casino environment. The customer-facing rail is branded Klyme. The payee shown is Immix Solutions Ltd in Cyprus. The beneficiary trail points to a Lithuanian account. And hanging above all of this is Yapily, a regulated open-banking player that openly courts the iGaming sector and promotes pay-by-bank solutions precisely for that market. That does not prove that Yapily personally touched every euro in this exact chain. It does prove something more uncomfortable: the whistleblower’s basic story is commercially and structurally plausible. Yapily cannot pretend that iGaming use of its rails is some bizarre edge case. The company itself says it helps iGaming operators and PSPs “win more operators,” streamline onboarding, support top-ups, and deploy open-banking payment flows in gambling environments. The Lithuanian angle matters too. The Bank of Lithuania publicly lists Yapily Connect UAB as a licensed payment institution. The central bank also previously announced the licensing of Yapily’s Lithuanian vehicle, explaining that the business intended to offer open-banking payment services in Lithuania after Brexit. That is why the regulatory optics here are so bad. When a regulated open-banking player actively markets iGaming solutions, and when whistleblower evidence then points to offshore-casino deposit flows routed through a Klyme-branded widget, a Cyprus payee, and a Lithuanian account, this stops being a whiny player dispute. It becomes a merchant-control and rail-governance problem. Klyme’s reported emails add another ugly wrinkle. In the correspondence provided by the whistleblower, Klyme allegedly said the merchant had been onboarded under its infrastructure, later breached terms, and was terminated. Klyme also reportedly first gave the wrong termination date and later corrected it to 7 April 2025. If that correspondence is authentic, then Klyme has already conceded the critical point: there was a merchant relationship, there was oversight, and there was later intervention. That makes the “we are only a technology provider” line sound less like a defense and more like a shield. To be clear, FinTelegram is not saying Klyme or Yapily automatically owe the player a refund. That is the weakest part of the whistleblower’s legal argument. Payment rails are not automatically refund guarantors. But that is also not the real story. The real story is this: A player complaint appears to have exposed an offshore-gambling deposit rail that ran through branded open-banking plumbing, a Cyprus payee, and a Lithuanian banking endpoint — and the firms in the chain seem far more comfortable disclaiming responsibility than explaining the structure. That is the scandal. Why This Follow-Up Matters This case reinforces the pattern already exposed in the earlier Yapily report: when offshore-gambling complaints hit the payment chain, the response appears to drift toward damage control, distancing, and user management, instead of direct answers about merchant onboarding, downstream controls, geo-risk, and beneficiary routing. The new evidence also introduces a far more explosive angle: Immix Solutions Ltd. If a Cyprus payment-services business is appearing as payee inside a Klyme-powered Mega.bet deposit flow, then investigators need to know exactly what role it played. Collection merchant? Settlement agent? Payment agent? Shadow PSP layer? That is where the next round of scrutiny belongs. Summary Table Entities EntityTypeRole in CaseKey DataStatus / FinTelegram ViewYapily / Yapily Connectwww.yapily.comOpen-banking / payment institution groupAlleged regulated payment rail in the background of casino depositsPlayer says Yapily processed transactions and appears in GDPR dataCommercially plausible in iGaming context; direct role in each payment not yet fully evidenced from current attachments aloneKlyme Ltdhttps://klyme.ioUK technology / payment-flow intermediaryCustomer-facing “Pay by Bank” layer shown in Mega.bet payment flow“Powered by Klyme” visible in uploaded screenshotStrongly implicated in front-end payment journey; exact contractual role still needs clarificationShane Adam WilliamsDirector of KlymeMain named Klyme contact in player correspondenceAllegedly sent/approved responses stating Klyme was only a technology providerRelevant decision-maker in complaint handlingMega.betOffshore-style casino / sportsbookCasino directly evidenced in screenshotAppears in uploaded payment-flow stillStrongly evidenced in current fileLuckytwiceCasino mentioned by playerAdditional casino referenced in complaintMentioned in email chain onlyNeeds independent evidence before strong publication claimImmix Solutions LtdCyprus-based payment-services entityPayee shown in Klyme-powered Mega.bet payment flowVisible as “Payee: Immix Solutions Ltd” in uploaded screenshotImportant new rail entity; likely payment agent / settlement / collection function, exact role still openImmix.proWebsite / operating frontPublic-facing site for Immix SolutionsPresents settlement, escrow, and payment processing servicesSupports plausibility of payments roleLT53 5030 1200 0000 0804Lithuanian beneficiary IBANRepeated beneficiary account in player transaction ledgerAppears across multiple depositsCentral rail endpoint in current evidenceAB Mano bankasLithuanian bankLikely bank of beneficiary IBANBank code 50300 corresponds to Mano bankasUseful rail-mapping anchor; account holder still unknownChillstockName allegedly linked to beneficiary accountPossible merchant / collection / network nameMentioned by playerNot independently verified in current fileKasha Global Holding LTDName allegedly linked to beneficiary accountPossible related entityMentioned by playerNot independently verified in current file Questions That Now Need Answers Questions for Yapily Did Yapily Connect Ltd or Yapily Connect UAB provide payment-initiation or related infrastructure for flows connected to Mega.bet, Luckytwice, or linked merchants? What controls does Yapily apply when its infrastructure is used by PSPs or intermediaries serving offshore-gambling operators? Why did the earlier whistleblower case result in a blacklisting controversy instead of a fully transparent merchant-risk explanation? Questions for Klyme Did Klyme onboard the merchant behind the Mega.bet flow shown in the whistleblower material? Why did Klyme reportedly misstate the merchant termination date before correcting it? What exactly was Klyme’s role in the payment stack: gateway, orchestration layer, merchant-of-record support, or something else? What is Klyme’s relationship, if any, with Immix Solutions Ltd? Questions for Immix Solutions Ltd Why did Immix Solutions Ltd appear as payee in a Klyme-powered Mega.bet payment flow? Was Immix acting as payment agent, settlement intermediary, collection merchant, or another role? Which gambling or high-risk merchants was Immix servicing during the relevant period? Conclusion The new whistleblower submission does not close the case. It opens it wider. The combination of a Klyme-branded Mega.bet pay-by-bank flow, Immix Solutions Ltd as payee, a Lithuanian beneficiary account, and Klyme’s reported admission of a later-terminated merchant relationship turns this from a player grievance into a serious open-banking compliance story. And because Yapily openly promotes iGaming payment solutions while operating through regulated entities, the pressure now shifts to one simple question: Who knew what about this merchant flow, and why was the whistleblower treated like the problem? If you worked at Yapily, Klyme, Immix Solutions, or any PSP or banking partner involved in offshore-gambling flows, FinTelegram and Whistle42 want to hear from you. We are particularly interested in merchant onboarding files, KYB/KYC records, beneficiary-account documentation, internal escalations, geo-fencing decisions, and complaints-handling logs. Share Information via Whistle42

At first glance, T1 Payments may look like an old story from the heyday of binary options, high-risk MLM, and aggressive offshore processing. Its glory days as one of the major high-risk payment processors are long over. But the case is far from dead. Courts in the U.S. and Europe are still dealing with the wider fallout, including the role of its long-time partner Payvision. And now, fresh developments — from renewed U.S. litigation pressure and bankruptcy fallout to overdue accounts and revealing disclosures at Pixxles — are turning this supposedly closed chapter into a hot case once again. That is why Key Findings Pixxles is FCA-authorised as an Authorised EMI, making the quality and transparency of its disclosures especially important. The 2023 accounts identify Amber Fairchild as the ultimate controlling party and disclose material related-party balances and expenses with counterparties left unnamed. Those same accounts disclose £1,276,606 in other debtors paid to a company with a common shareholder and director, £618,765 in intermediary service fees paid to a company with a common shareholder and director, and £59,961 owed to one of the directors on an unsecured, interest-free, on-demand basis. Pixxles reported 2023 turnover of £1,886,496, a loss of £389,165, debtors of £3,359,951, and creditors due within one year of £3,968,629, ending the period with net liabilities rather than positive net assets. The 2023 accounts were filed only on 28 July 2025, and the next accounts for the period to 29 December 2024 are already several months overdue. Pixxles was also hit with a First Gazette notice for compulsory strike-off in March 2025 before that action was discontinued. In Nevada federal litigation, Pixxles Ltd, Pixxles LLC, Amber Fairchild, and Donald Kasdon remain tied to the New U Life case, where amended civil theft and federal RICO claims survived dismissal. As FinTelegram recently reported, the wider T1 Payments saga has entered a post-bankruptcy fallout phase, including renewed merchant-case pressure and a March 30, 2026 default judgment against T1 in related litigation. A Regulated EMI Sitting In The T1 Blast Radius There are routine small-company accounts, and then there are accounts that look like they were filed from inside a live legal minefield. Pixxles’ 2023 financial statements belong in the second category. On paper, Pixxles is a UK company authorised by the FCA as an Authorised Electronic Money Institution. In reality, the company sits inside a much darker story: the collapse of T1 Payments, the personal and corporate links around Donald Kasdon, the role of Amber Fairchild, and U.S. lawsuits that keep naming the same cluster of people and entities. That is what makes these accounts so important. They are not just a filing. They are a glimpse into a regulated payments company operating in the long shadow of a collapsed high-risk processing network. The Explosive Core: Large Related-Party Transactions, But No Real Names The 2023 accounts are revealing because they do not just show a loss-making regulated firm. They show a company with a balance sheet heavily exposed to related-party dynamics, while leaving readers largely in the dark about who those related parties actually are. In Note 20, Pixxles says that other creditors include £59,961 owed to one of the directors, unsecured, interest free, and repayable on demand. It also says that other debtors include £1,276,606 paid to a company with a shareholder and director in common, and that administrative expenses include £618,765 in intermediary service fees paid to a company with a common shareholder and director. The same note begins a further line on commission fees of £110…, but the uploaded XHTML cuts off before the full figure can be read. In Note 21, the accounts state plainly that “The ultimate controlling party is A Fairchild.” That is the heart of the story. The accounts disclose major insider-linked balances and expenses, but do not properly identify the counterparties. In a normal private company, that would already warrant scrutiny. In an FCA-regulated EMI operating under the shadow of U.S. lawsuits and bankruptcy fallout, it becomes a major transparency problem. The Numbers Behind The Red Flags The wider financial picture only sharpens the concern. Pixxles reported: Turnover: £1,886,496 Gross profit: £1,149,751 Administrative expenses: £1,538,916 Loss for the period: £389,165 On the balance sheet, the company reported: Debtors: £3,359,951 Creditors due within one year: £3,968,629 Net position: net liabilities rather than positive net assets This is not the profile of a comfortably ring-fenced regulated institution. It is the profile of a company whose finances appear deeply interwoven with others and whose short-term obligations weigh heavily on the business. That is precisely why the related-party note matters so much. The real issue is not whether such transactions exist. The real issue is who the counterparties were, what they were doing for Pixxles, whether the transactions were arm’s length, and whether the company depended on a wider insider-affiliate network to function. Amber Fairchild, Donald Kasdon, And The Wider Litigation Network Readers should not view the accounts in isolation. As FinTelegram recently reported in its latest T1 case note, the broader T1 Payments story has shifted from operating history to post-bankruptcy fallout. Nevada court records show that T1’s Chapter 7 case was treated as closed by June 10, 2025, that stayed merchant litigation restarted, and that one related action ended in a March 30, 2026 default judgment against T1. Pixxles sits squarely inside that same blast radius. In the New U Life litigation, the Nevada federal court’s September 29, 2024 order states that amended civil theft and federal RICO claims, including against Pixxles LLC and Pixxles LTD, survived dismissal. The order records that Kasdon, Fairchild, King, and the Pixxles entities moved to dismiss and lost at that stage. That does not establish liability, but it does show that the court found the pleadings sufficient for the case to continue. This is where the personal links become more than gossip. Pixxles’ own accounts say A Fairchild is the ultimate controlling party. U.S. litigation places Amber Fairchild in the same defendant and counterclaim-defendant constellation as Donald Kasdon and the Pixxles entities. The concern is therefore not merely that Fairchild and Kasdon were personally connected. The concern is that the company’s own financial disclosures, the corporate-control record, and the live U.S. litigation all point to a business whose true economic perimeter may be much wider than the face of the accounts suggests. Overdue Accounts And Administrative Stress Signals Then there is the timing problem. Companies House shows that the 2023 accounts were filed only on 28 July 2025 after a string of accounting-period changes. The next accounts, made up to 29 December 2024, were due by 24 January 2026 and remain overdue. That alone is a red flag for a regulated payments firm. But there is more. In March 2025, Pixxles was hit with a First Gazette notice for compulsory strike-off, only for that action to be discontinued days later. None of this proves misconduct by itself. But it is exactly the kind of administrative and reporting instability that regulators, claimants, and counterparties notice when they are trying to assess whether a regulated EMI is operating on a solid footing. What The Pixxles Accounts Really Tell Us So what do the 2023 Pixxles accounts actually tell us? They tell us that this is not a neat, self-contained EMI story. They tell us that a regulated payments company controlled by Amber Fairchild reported large balances and expenses linked to unnamed common-control counterparties, while the wider T1/Kasdon litigation machine kept running in the background. They tell us that the balance sheet looked stretched, the reporting cycle became erratic, and the next accounts are already late. And they tell us that anyone trying to understand the big picture — from T1 plaintiffs to regulators — should not read Pixxles as an isolated regulated firm, but as part of a wider, still-contested network. Latest Status Company: Pixxles LtdStatus: Active at Companies House; accounts overdue.Regulatory status: FCA-authorised Authorised Electronic Money Institution.Controlling party per 2023 accounts: A Fairchild2023 filing date: 28 July 2025Next accounts due: 24 January 2026 for the period made up to 29 December 2024; currently overdue.Key concern: large unnamed related-party balances and expenses disclosed in a regulated firm linked to live U.S. litigation around the T1/Kasdon network.Why it matters: readers can see signs of concentrated control, related-party opacity, late reporting, and litigation overlap — all at once. Boxed Explainer: What The Pixxles Related-Party Note Tells Us The most explosive part of the 2023 Pixxles accounts is not the loss figure. It is the related-party note. That note shows that Pixxles had substantial financial dealings with affiliates tied by common ownership or management, but it does not properly identify those counterparties. The company says it had £1.28 million in other debtors paid to a company with a shareholder and director in common and £618,765 in intermediary service fees paid to a company with a common shareholder and director. It also discloses a director-linked balance of £59,961, unsecured, interest-free, and repayable on demand. For FinTelegram, that is the real headline: a regulated EMI disclosing large insider-linked exposures while keeping the names in the shadows. In a litigation-heavy environment involving T1, Kasdon, Fairchild, and Pixxles, that is not a footnote. That is the story. Chronology 30 March 2026 — Related T1 litigation produces a default judgment against T1, reinforcing the post-bankruptcy fallout context around the wider network.FinTelegram is revisiting it now. 4 October 2018 — Pixxles Ltd incorporated in the UK. 15 June 2021 — FCA register shows Pixxles as an Authorised Electronic Money Institution. 29 September 2024 — Nevada federal court denies dismissal motions in T1 Payments v. New U Life and allows amended civil theft and RICO claims, including against Pixxles LLC and Pixxles LTD, to proceed. 25 March 2025 — Companies House issues a First Gazette notice for compulsory strike-off. 29 March 2025 — Strike-off action discontinued. 28 July 2025 — Pixxles files its full accounts made up to 28 October 2023. 24 January 2026 — Deadline for next accounts, made up to 29 December 2024. Accounts now overdue. Entity Map Entity / PersonRole in the StoryWhy It MattersPixxles Ltdwww.pixxles.comUK company and FCA-authorised electronic money institutionThe main subject of this report. Its 2023 accounts disclose large related-party balances and expenses with unnamed common-control counterparties, while its 2024 accounts are overdue.Amber FairchildDirector and ultimate controlling party of PixxlesIdentified in the 2023 accounts as the ultimate controlling party. Also appears in the U.S. litigation orbit alongside Donald Kasdon and the Pixxles entities.Donald KasdonFounder and former CEO of T1 PaymentsCentral figure in the wider T1 Payments story and the U.S. litigation and bankruptcy fallout. His connections to Pixxles and Amber Fairchild are part of the broader network readers need to understand.T1 PaymentsCollapsed U.S. high-risk payment processorThe core legacy entity in the story. Its bankruptcy and renewed litigation exposure provide the wider context for why Pixxles matters today.PayvisionFormer European processing partner of T1 PaymentsImportant because courts in the U.S. and Europe are still dealing with the wider T1/Payvision fallout, keeping the old case alive and relevant again.Pixxles LLC / Pixxles LTDRelated Pixxles entities named in U.S. litigationNamed in the Nevada New U Life litigation as part of the wider dispute constellation around T1 Payments, Kasdon, and related parties.New U LifeU.S. litigation counterpartyOne of the most important public court cases tying together T1 Payments, Donald Kasdon, Amber Fairchild, and the Pixxles entities.Gaia Ethnobotanical / Vida DivinaMerchant plaintiffs in related U.S. litigationTheir cases help show the post-bankruptcy fallout around T1 Payments, including the March 30, 2026 default judgment against T1. Call for Information FinTelegram invites whistleblowers, former employees, merchants, compliance officers, auditors, and counterparties with information on Pixxles, T1 Payments, Amber Fairchild, Donald Kasdon, or related entities to contact us via Whistle42. Confidential submissions help expose the structures, relationships, and payment flows hidden behind the formal corporate record. Share Information via Whistle42

The roughly $280 million Drift Protocol exploit is rapidly turning into a defining compliance test for the stablecoin sector. A proposed class action accuses the US stablecoin issuer Circle of standing by while attackers allegedly moved more than $230 million in stolen USDC through Circle-linked infrastructure instead of freezing the assets. The case strikes at the core of Circle’s regulatory narrative: if USDC is marketed as a controlled, compliance-friendly digital dollar, why was that control not used when it mattered most? Key Findings This is not just a DeFi hack story anymore. The Drift exploit has become a legal and compliance test of whether a centralized stablecoin issuer can escape responsibility when stolen assets move through infrastructure it controls or materially influences (Source: law360.com) Circle is being attacked at its weakest point: the gap between compliance branding and operational conduct. Plaintiffs allege that Circle had the technical ability and contractual discretion to intervene, but failed to do so while stolen USDC was allegedly routed through its Cross-Chain Transfer Protocol. (Source: circle.com) The proposed class action was filed on April 14, 2026. Public docket records identify the case as McCollum v. Circle Internet Group, Inc. et al. in the U.S. District Court for the District of Massachusetts. (Source: pacermonitor.com) Circle’s legal defense is clear, but politically and reputationally dangerous. The company says freezes should occur only under proper legal authority. Critics will read that as a polished way of saying that a “regulated” stablecoin issuer watched a live laundering event and chose not to act. (Source: circle.com) Circle’s own disclosures may undercut its public posture. Circle’s published USDC materials say it may block or freeze addresses in certain circumstances, giving plaintiffs room to argue that Circle was not powerless at all, but selectively passive. The case could reshape expectations for the entire stablecoin sector. Even if Circle defeats the complaint, courts, regulators, and counterparties may increasingly expect stablecoin issuers to maintain documented emergency-response standards for major thefts and tainted-flow events. Compliance Analysis The April 1, 2026 Drift Protocol exploit was one of the most significant DeFi thefts of the year. Public reporting places the loss at around $280 million to $285 million, and security analysis indicates that the attackers did not simply exploit buggy code. The incident appears to have involved privileged-access abuse, governance compromise, and social-engineering tactics. That distinction matters. This was not merely “protocol risk.” It was a failure of operational control and trust architecture. (Source: chainalysis.com) Now Circle has been dragged into the fallout. Not because it caused the exploit, but because it allegedly did nothing meaningful once the stolen assets began moving through USDC rails. According to public reporting and court summaries, the plaintiffs’ theory is that Circle allowed attackers to move more than $230 million in stolen USDC through its Cross-Chain Transfer Protocol instead of freezing or blocking those flows. That is the crucial escalation. The legal spotlight has moved from the hack itself to the conduct of a centralized infrastructure provider in the middle of a live post-theft asset-movement event. (Source: law360.com) That makes this case highly relevant from a FinTelegram compliance perspective. Circle does not position USDC as a censorship-resistant, uncontrollable asset in the pure crypto-anarchist sense. On the contrary, Circle has long marketed itself as the respectable, regulated, institution-ready face of stablecoins. It wants the trust premium that comes with control, compliance, and recoverability. But that branding starts to unravel when a major exploit unfolds in real time and the issuer’s answer is effectively that it could not intervene without the right legal paperwork. Circle’s public response is built on due process. The company argues that freezes must be grounded in lawful authority and not in social-media pressure, market outrage, or improvised demands during an unfolding crisis. That position is legally intelligible. No serious financial institution wants to become an ad hoc private court deciding ownership disputes on the fly. But Circle’s reliance on due process creates a deeper compliance problem: it suggests that the stablecoin issuer is happy to emphasize control when selling trust, yet reluctant to accept responsibility when that control becomes operationally inconvenient. (Source: circle.com) This tension becomes sharper because Circle’s own public documentation appears less absolute than its post-incident messaging. In its USDC risk disclosures, Circle states that it may block certain addresses and freeze USDC in certain circumstances, including where it determines addresses are associated with illegal activity. That is not the language of a helpless bystander. It is the language of a party that reserves meaningful intervention rights. Plaintiffs will almost certainly use that language to argue that Circle had both technical capacity and documented discretion, but simply chose not to use them in a timely way. The architecture of Circle’s Cross-Chain Transfer Protocol adds to that exposure. CCTP is not merely a passive third-party bridge sitting outside Circle’s sphere. It is Circle-linked infrastructure built around burn-and-mint mechanics and attestation processes. That allows plaintiffs to frame Circle not as a distant issuer whose token happened to be used, but as a participant sitting at a critical chokepoint in the movement of allegedly stolen assets from Solana into Ethereum. That may not be enough, on its own, to establish liability. But it is more than enough to make Circle’s “we are not the relevant actor here” position look fragile. (Source: developers.circle.com) From a compliance-policy standpoint, the real issue is no longer whether Circle had a perfect legal duty to freeze. The real issue is whether a stablecoin issuer can continue to claim the benefits of central control while disowning the burdens that inevitably come with it. A company that can freeze, block, attest, and control redemption cannot credibly present itself as both highly governed and operationally neutral at the same time. The market, regulators, and increasingly the courts will force a choice. To be clear, Circle still has serious defenses. It did not execute the theft. The plaintiff will face hurdles on duty, causation, knowledge, and class certification. Courts may be reluctant to create a sweeping obligation for stablecoin issuers to act as universal recovery agents every time stolen assets touch their systems. But even if Circle wins in court, it may still lose the larger argument. The case has already exposed the compliance contradiction that sits at the center of the stablecoin industry’s institutional pitch. Conclusion The proposed class action against Circle is aggressive, but it is not frivolous. It forces an overdue question onto the table: when a “regulated” stablecoin issuer has visibility, discretion, and technical leverage over tainted flows, at what point does inaction stop looking like legal restraint and start looking like compliance failure? The Drift case may not produce an immediate precedent, but it already marks a turning point. The liability perimeter around stablecoin issuers is moving outward. Circle is simply the first major issuer being forced to test it in court. Call for Information FinTelegram is investigating the post-hack conduct of stablecoin issuers, DeFi infrastructure operators, and cross-chain settlement providers. Insiders, compliance staff, law-enforcement contacts, counterparties, and affected users with information about USDC freezing practices, incident-response protocols, or asset-movement decisions are encouraged to submit information securely via Whistle42. Share Information via Whistle42

The latest public record around U.S. high-risk processor T1 Payments and its founder and former CEO Donald Kasdon points not to a comeback, but to a deepening post-collapse aftermath. Court records show that T1’s Chapter 7 bankruptcy was treated as closed by June 10, 2025, that stayed merchant cases began moving again, and that one related action ended in a March 30, 2026 default judgment against T1. At the same time, Kasdon remains tied to the still-active New U Life litigation in Nevada. Key Findings T1’s Chapter 7 bankruptcy was treated as closed by June 10, 2025, removing the automatic-stay protection that had frozen at least some civil litigation. In Gaia Ethnobotanical v. T1 Payments, the court lifted the stay in July 2025 and later directed the plaintiff to move for default judgment after T1 failed to respond. In a related merchant action, default judgment was entered on March 30, 2026 in favor of Vida Divina, LLC and Gaia Ethnobotanical, LLC against T1 Payments, LLC for failure to comply with court orders. In T1 Payments v. New U Life, Donald Kasdon remained exposed as litigation continued into 2026; the court extended summary-judgment reply deadlines to February 24, 2026. A September 29, 2024 Nevada order denied motions to dismiss and allowed amended civil theft and federal RICO claims in the New U Life case to proceed. The UK company T1 Payments Limited was dissolved by compulsory strike-off on June 6, 2023, reinforcing the broader unwind picture. Kasdon still has a visible public profile in payments media; American Banker’s author page currently identifies him as founder of T1 Payments and shows a recent byline dated April 6. The Post-Bankruptcy Report The latest developments around T1 Payments and Donald Kasdon suggest that the real story is now playing out not in processor growth or licensing announcements, but in the slow legal aftershocks of collapse. The key turning point was the end of bankruptcy protection. In July 2025, the Nevada federal court in Gaia Ethnobotanical v. T1 Payments expressly noted that T1’s Chapter 7 case had closed on June 10, 2025 and lifted the automatic stay because the bankruptcy code’s stay no longer applied. That mattered because it reopened a path for merchant plaintiffs. In the Gaia matter, the case moved from procedural suspension to pressure on a now-unshielded defendant. By February 25, 2026, the court noted that T1 had failed to respond to the amended complaint, that default had already been entered, and ordered the plaintiff to move for default judgment by March 11, 2026 or explain why it would not. The most concrete fresh blow came shortly afterward. A court judgment dated March 30, 2026 shows default judgment entered in favor of Vida Divina, LLC and Gaia Ethnobotanical, LLC against T1 Payments, LLC for failure to comply with court orders. That is one of the strongest recent indicators that T1 is not defending itself in a normal operating-company posture. At the same time, Donald Kasdon remains relevant because the long-running T1 Payments v. New U Life Corporation litigation is still alive. A March 27, 2025 discovery order shows litigation continuing with Kasdon and related parties still in the case structure, while a February 11, 2026 order extended reply deadlines on competing summary-judgment motions to February 24, 2026. In other words, the flagship dispute involving Kasdon had not burned out by early 2026. The procedural history of that case is also significant. A Nevada order from September 29, 2024 denied dismissal motions and allowed amended claims, including civil theft and federal RICO, to move forward. That does not establish liability, but it confirms that the court found the amended allegations sufficient to survive that stage of challenge. For a processor group already damaged by bankruptcy, that is a serious litigation signal. There is also a bankruptcy-to-litigation crossover worth noting. The March 27, 2025 New U Life order references an April 4, 2024 Asset Purchase Agreement under which the Chapter 7 trustee and Kasdon agreed to the purchase of certain estate claims for $36,000. That detail suggests the post-bankruptcy landscape is not merely passive liquidation, but active positioning around claims and litigation exposure. Outside the U.S. dockets, the UK company record points in the same direction. T1 Payments Limited shows a Final Gazette dissolved via compulsory strike-off on June 6, 2023. That does not resolve the U.S. litigation picture, but it reinforces the impression of structural disintegration rather than international operating continuity. Kasdon himself remains publicly visible. American Banker’s current author page still identifies him as founder of T1 Payments and lists a byline dated April 6. That indicates ongoing presence in industry commentary, but there is no comparable public evidence in the sources reviewed that T1 itself has re-emerged as a functioning, scaled payment processor. How the Payvision–T1 Structure Allegedly Worked According to investigative reporting and allegations in U.S. complaints, Payvision and T1 Payments allegedly operated a structure that allowed high-risk U.S. merchant transaction flows to be routed through European corporate vehicles linked to Donald Kasdon rather than being presented directly as U.S. high-risk business. The alleged model was straightforward in concept. T1 Payments sourced or managed the underlying high-risk U.S. merchants, while Payvision provided the European processing layer. To bridge that gap, entities such as T1 Payments Limited in the UK and TGlobal Services Limited in the Isle of Man were allegedly inserted into the chain as formal counterparties or merchant-facing entities. On paper, this created the appearance of non-U.S. merchant business. In substance, according to the allegations, the payment flows remained tied to U.S.-related high-risk activity. Read more on the Payvision – T1 Payments partnership. From a compliance perspective, the significance of such an arrangement is obvious. If a processor formally onboards a European entity but the real economic activity, merchant control, or risk exposure sits elsewhere, then the corporate wrapper may serve to obscure the true merchant identity, the actual jurisdictional nexus, and the real risk profile of the business being processed. That, in turn, can weaken onboarding controls, distort due-diligence outcomes, and reduce the visibility of red-flag merchant sectors. FinTelegram’s interest in this alleged structure is therefore not merely historical. It goes directly to a recurring compliance question in cross-border acquiring: whether offshore or European entities were used as processing fronts for merchants that might otherwise have triggered stricter scrutiny, enhanced monitoring, or outright rejection. FinTelegram takeaway:If the allegations are correct, the Payvision–T1 setup was not just a commercial partnership. It was a risk-transformation mechanism: high-risk U.S. merchant activity allegedly entered the acquiring chain under the cover of European entities, making the processing profile appear cleaner than the underlying business reality. Chronology June 6, 2023 — T1 Payments Limited in the UK dissolved via compulsory strike-off. October 5, 2023 — Nevada bankruptcy opinion notes that Donald Kasdon paid debtor’s counsel in the Chapter 7 proceeding. September 29, 2024 — In New U Life, motions to dismiss denied; amended civil theft and RICO claims allowed to proceed. March 27, 2025 — Discovery scheduling order entered in New U Life; order references Kasdon’s purchase of certain estate claims for $36,000. June 10, 2025 — T1 bankruptcy treated as closed in later court filings. July 23, 2025 — Automatic stay lifted in Gaia Ethnobotanical v. T1 Payments. February 11, 2026 — Summary-judgment reply deadline in New U Life extended to February 24, 2026. February 25, 2026 — Court orders Gaia to move for default judgment. March 30, 2026 — Default judgment entered in related Vida Divina / Gaia action against T1. Whistle42 Closing CTA Whistleblowers, former merchants, payment insiders, and compliance professionals with information on T1 Payments, Donald Kasdon, Payvision, related entities, or similar high-risk processor structures are invited to contact FinTelegram via Whistle42. Confidential submissions help expose the rail operators, corporate vehicles, and processing arrangements that continue to shape the cyberfinance risk landscape. Share Information via Whistle42

FinTelegram has received a whistleblower report and a Visa complaint indicating that deposits to the high‑risk online casino Legionbet were routed through Estonian company NovaArcade OÜ under a non‑gambling merchant category code (MCC). We are calling on players, industry insiders, and payment professionals to provide additional documentation and intelligence to determine NovaArcade’s actual role as payment agent or registered merchant in this potentially illegal transaction‑laundering setup. Key findings so far A UK player reported several GBP deposits to legionbet.com that allegedly settled to “NovaArcade” in Tallinn, Estonia. In his Visa complaint, the player states that the transaction used a non‑gambling MCC despite being a casino deposit. NovaArcade OÜ is a small Estonian company (reg. no. 17280191, Narva mnt 7‑557, 10117 Tallinn) registered as an online retail/e‑commerce business, not as a licensed gambling or financial institution. Legionbet is an offshore casino scheme targeting international and UK players, with credit‑card deposits and crypto payments, Trustpilot reviews explicitly allege that Legionbet bypasses UK gambling blocks and uses transaction laundering to take money from credit cards. At this stage, NovaArcade’s role as payment agent, technical merchant, or front merchant for Legionbet is not fully documented, and further evidence is required. Situation and context (Senior Compliance Analyst view) Legionbet – high‑risk casino targeting UK and EU players Multiple third‑party review sites describe Legionbet as a relatively new online casino offering thousands of games, live casino products, and generous bonus structures. These reviews consistently highlight credit‑card and crypto acceptance, aggressive promotions, and a focus on continuous play and retention. There is conflicting and often opaque information regarding Legionbet’s licensing and corporate ownership: some sources reference AMO Global S.R.L. or Fortaprime SRL in offshore jurisdictions, while others claim coverage under non‑transparent licensing frameworks. In parallel, user feedback on platforms like Trustpilot indicates that Legionbet allegedly bypasses UK gambling blocks and uses transaction‑laundering practices to accept credit‑card deposits from vulnerable UK customers. NovaArcade OÜ – small Estonian entity with online‑services profile NovaArcade OÜ (registry code 17280191) is a micro‑company entered into the Estonian register in July 2025 with a share capital of 250 EUR and an e‑commerce/online‑retail business classification. It operates the website Village Network, a gaming/virtual‑world space. In itself, this profile fits the pattern of a “technical provider” or “front merchant” that can be repurposed to acquire payments for third‑party projects while disguising the true nature of the underlying business. This risk is amplified when such entities are integrated into card‑acquiring chains that process cross‑border, high‑risk verticals like online gambling. The whistleblower report and the Visa complaint A whistleblower approached FinTelegram alleging that NovaArcade OÜ is acting as a payment agent for Legionbet and possibly other illegal or high‑risk casinos. This allegation has now been partly supported by a concrete Visa complaint submitted by a UK player. In the Visa “Report a Purchase Issue” form, the cardholder: Identifies the merchant as “PLR NovaArcade” with location details matching NovaArcade’s Estonian address profile. States that he made several GBP-deposits into legionbet.com, which he characterises as an unlicensed UK gambling company. Alleges that the payment “was circumvented to Nova Arcade OU and the MCC code was not gambling-related.” Asserts that this constitutes a breach of Visa merchant terms and conditions. This is a primary‑source document that directly links Legionbet front‑end activity with NovaArcade’s merchant profile on the Visa network, and it raises the specific allegation of MCC misclassification. Compliance analysis – possible MCC and transaction laundering From a compliance and card‑scheme perspective, the alleged setup raises several red flags: Misuse of MCCs: Visa and other card schemes require that the merchant category code truthfully reflects the primary business of the merchant and the underlying transaction type; using a non‑gambling MCC for a gambling deposit is a breach of scheme rules and can be treated as transaction laundering. Circumvention of regulatory safeguards: In the UK, credit‑card gambling restrictions and gambling blocks are designed to protect vulnerable consumers; routing gambling deposits through an e‑commerce MCC or another innocuous category undermines these safeguards. Use of micro‑merchants as fronts: The combination of a small Estonian online‑services company with minimal capital and cross‑border gambling flows fits known typologies, where front merchants or “technical providers” are inserted between the casino and the acquirer to obfuscate the gambling nature of the transaction. Licensing opacity: Public sources either question Legionbet’s licensing or show a lack of cooperation with dispute resolution platforms, reinforcing concerns that the casino may be operating outside a robust regulatory framework while still taking Visa deposits. If these allegations are confirmed, NovaArcade OÜ, its acquirer, and the underlying casino operators could face serious consequences under card‑scheme rules and local AML/gambling regulations. Why we need more evidence While the whistleblower’s statement and the Visa complaint provide a strong initial indication, they are not yet sufficient to fully document NovaArcade’s role and the scope of the transaction‑laundering scheme: We currently have only one player transaction formally documented, without the full card‑statement metadata (MCC, acquirer name, authorisation and clearing details). The merchant descriptor “PLR NovaArcade” needs to be systematically linked with NovaArcade OÜ and any related entities or payment facilitators. The breadth of the scheme is unknown: it is unclear whether NovaArcade processes only specific Legionbet deposits, broader casino traffic, or multiple brands in a network of high‑risk operators. FinTelegram therefore invites all affected players, merchants, payment professionals, and insiders to share additional documents and intelligence that can help clarify the full picture. Key entities and roles (current working view) ItemName / EntityJurisdiction / AddressAlleged Role in SchemeNotes / SourcesCasino brandLegionbet (LegionBet Casino)Online; targets UK/EU playersFront‑end online casino accepting card & cryptoReviews highlight credit‑card deposits, crypto, aggressive bonuses and unresolved complaints. Casino operatorAMO Global S.R.L. / Fortaprime SRLOffshore (e.g. Costa Rica / non‑EU)Nominal owner/operator of the Legionbet platformOwnership and licensing details are opaque and inconsistent across sources. Merchant (card side)“PLR NovaArcade”Tallinn, 10117, EstoniaRegistered merchant on Visa network for the transactionDescriptor and location match NovaArcade OÜ profile. Legal entityNovaArcade OÜNarva mnt 7‑557, 10117 Tallinn, EstoniaAlleged payment agent / technical merchant for LegionbetMicro‑company, EMTAK online retail; no public gambling or payment‑institution licence. Acquirer / PSPUnknown (to be identified)Possibly EU/EEA acquiring bank or payment facilitatorProvides acquiring services to “PLR NovaArcade”Identity and risk controls still to be established from statements and insider information.  Call to action – help us expose the NovaArcade–Legionbet payment chain FinTelegram invites Players who deposited to Legionbet (or related brands) using Visa/Mastercard, Google Pay, or Apple Pay to provide the respective information to FinTelegram. If you hold any of the following, we strongly encourage you to share them with us: Card statements showing deposits to Legionbet where the merchant appears as “PLR NovaArcade” or similar (PAN and personal details can be redacted). Screenshots of deposit pages, payment confirmations, and email receipts linking Legionbet deposits to NovaArcade or other non‑gambling descriptors. Internal documents, contracts, or technical integration materials that describe NovaArcade’s role as payment agent, technical provider, or front merchant for Legionbet or other casinos. Any information on acquiring banks, PSPs, or MCC ranges used in these transactions. Please submit all documents and information through our secure Whistle42 whistleblower system so that your identity and data remain protected. Evidence provided will be analysed by FinTelegram’s compliance team and may be shared with relevant regulators and card schemes where appropriate. Together, we can bring transparency to this opaque payment structure and help stop abusive transaction‑laundering practices that target vulnerable gamblers in the UK and EU. Share Information via Whistle42