A new layer of payment obfuscation has surfaced with the domain checkout.pliromy.com, acting as a silent bridge for high-risk transactions. Our initial analysis suggests this stealth gateway is closely tied to a recently formed Indian corporate shell and a network of shadowy traffic directors like puretransfer.io. Analysis & Context: Peeling Back the Pliromy Network In the continuous game of cat-and-mouse between regulators and offshore merchants, disposable payment gateways are the tools of choice. Our investigation reveals that checkout.pliromy.com functions as a masking rail designed to facilitate high-risk deposits—likely for online gambling or unauthorized offshore trading platforms—while keeping the ultimate beneficiary hidden from European and global banking oversight. When users attempt to make a deposit, traffic analysis shows they are often bounced between traffic aggregators like mellifera.tech, the payment processor puretransfer.io, and ultimately routed through the pliromy.com environment. This multi-hop architecture is a classic “red flag” designed to confuse acquiring banks and bypass merchant category code (MCC) blocks. Domain Ownership and Technical Red Flags: Attribution & Ownership: While the exact WHOIS data for pliromy.com is heavily shielded by privacy proxies. Shell companies like this are frequently used by offshore syndicates to secure merchant accounts and banking access under the guise of “publishing” or “software” activities. Registrar & ISP: The domain infrastructure operates behind standard offshore privacy shields. It utilizes proxy registration services (such as Withheld for Privacy/NameCheap) and routes its DNS through content delivery networks like Cloudflare (acting as the ISP/host) to hide the true physical location of the servers processing these payments. Registration Date: Consistent with the incorporation of its suspected Indian corporate alter-ego, the domain infrastructure was deployed in early-to-mid 2024, marking it as a freshly minted rail built specifically for this current wave of processing. Ecosystem Summary DomainDomain DataKnown ConnectionsRolecheckout.pliromy.comReg: ~Mid 2024Registrar: Proxy ShieldedISP: Cloudflarepuretransfer.io, virtpay.net puretransfer.io, cyberpay.link, payabl.com, mellifera.tech,csp-project.comPrimary Masking Rail / Checkout NodePliromi Payment Solutions (OPC)Inc: April 2024 (India)Dir: Ravinder Singh Chandowkpliromy.com (Suspected)Corporate Shell / Merchant Account Holder Export to Sheets Call to Action: Help Us Unmask the Operators FinTelegram is calling on payment industry insiders, former employees of high-risk PSPs, and whistleblowers with access to offshore banking records to step forward. We need actionable intelligence to connect the dots on this network: The Beneficial Owners: Who is the true offshore operator behind the Indian entity Pliromi Payment Solutions and the pliromy.com domain? The Settling Banks: Which Indian or international acquiring banks are settling the funds processed through checkout.pliromy.com and puretransfer.io? The Merchant Clients: Which specific casino or broker brands are utilizing this gateway for their European or Asian deposits? If you have processing agreements, internal emails, or bank statements relating to Pliromy or PureTransfer, please share them with us. Your identity is guaranteed absolute protection. Submit your tips securely via our whistleblower platform. Share Information via Whistle42.com

OpenSanctions is widely used in screening workflows to surface sanctions targets, PEPs, and other high-risk entities across many public sources. Being flagged as an “entity of interest” is not the same as being sanctioned — but for a regulated payment institution, it is a clear risk indicator that should trigger enhanced review, source verification, and audit-ready decisioning. Key Facts OpenSanctions is an aggregation + normalization layer for sanctions, PEP, and related risk datasets, built to support investigative and compliance screening. The OpenSanctions API (“yente”) is designed for search/match against entities (people/companies/vessels) including sanctions subjects and related risk entities. “Entity of interest” is a broad risk taxonomy used in due diligence contexts (not a legal designation by itself). The key compliance point: the underlying source matters (which dataset, which authority/public record, which allegation or linkage). OpenSanctions helps you find the needle; it does not automatically prove the needle is real. Short Narrative “Entity of interest” is essentially a screening alert category. It tells you: “This name (or linked identifiers/relationships) appears in one or more datasets that are relevant for sanctions/AML/PEP/adverse-risk screening.” OpenSanctions’ core function is to aggregate, clean, standardize, deduplicate, and export watchlist-style entity data so that investigators and compliance teams can query it consistently. In other words: it is infrastructure for risk discovery — not a court ruling, not a regulator’s finding, not a conviction, and not automatically a sanctions designation. Extended Analysis 1) What the label does—and does not—mean Does mean: The entity has been captured in a structured risk graph used for screening (sanctions, PEP, and related risk entities). There may be aliases, identifiers, and relationships (directors, ownership links, addresses, intermediaries) that help connect the entity to other known risk nodes. Does not mean: “Sanctioned” (legal designation) “Proven misconduct” “Regulator enforcement action” “Prohibition to do business” 2) Why this matters more for a regulated payment institution For a regulated PSP/payment institution, the compliance expectation is not “ignore until proven.” It is: Identify relevant risk signals (screening) Verify the underlying source (which dataset and why the entity appears) Assess exposure (customers/merchants, counterparties, corridors, beneficial ownership, agents, nested relationships) Decide and document (EDD, monitoring uplift, restrictions, exit, SAR/STR consideration where applicable) OpenSanctions fits exactly into the identify/verify stages because it’s built as a search/match layer for watchlist-style entities and connections. 3) What “good” handling looks like (audit-ready) If a regulated payment institution (or its key principals) shows up as an “entity of interest,” a defensible response usually includes: Pull the entity record and pin the exact sources/datasets driving the match. Confirm identifiers (registration numbers, addresses, officers) and check for false positives. If the source is adverse-risk/PEP/sanctions-adjacent: apply EDD proportionate to the signal (not blanket de-risking, but not handwaving). Create a clear decision memo: match rationale, source reliability, mitigations, monitoring plan, and review cadence. Actionable Insight If you are a compliance officer, auditor, correspondent bank, or regulated partner: treat “entity of interest” as a triage trigger, not a verdict. The standard is source-level verification + documented risk decisioning — because that’s what supervisors ask for when an alert becomes a regulatory question. Call for Information FinTelegram is mapping how risk signals propagate through payment rails. If you have primary documents (bank/PSP correspondence, KYC/EDD outcomes, termination letters, scheme onboarding packs, acquiring/merchant IDs, gateway domains, or regulator communications) showing how “entity of interest” flags were handled in practice, submit securely via Whistle42.com. Share Information via Whistle42

On 3 October 2025, the Central Bank of Cyprus (CBC) published an official announcement under the Prevention and Suppression of Money Laundering and Terrorist Financing Law 188(I)/2007, as amended. According to the announcement: The CBC, in its capacity as supervisory authority under the AML Law, conducted an examination of compliance. On 30 September 2025, the CBC decided to impose an administrative fine on Payabl.Cy Ltd (formerly Powercash21 Ltd; LEI: 2138003UJXVWKJIH9G72). The amount of the fine is €350,000. The decision relates to findings concerning compliance with provisions of the AML Law following an examination covering the year 2020. The CBC states that the supervised entity was given the opportunity to be heard before the final decision was taken. Judicial Review: On 12 December 2025, Payabl. Cy Ltd registered Appeal No. 1405/2025 before the Administrative Court of Cyprus challenging the CBC decision.(Source: Central Bank of Cyprus – Administrative Sanctions and Measures Register) The full announcement is publicly available on the Central Bank of Cyprus website. Share Information via Whistle42

Following an aggressive FinTelegram investigation and an Open Letter to its European banking partners, the offshore crypto giant MEXC has suddenly scrubbed its website of unauthorized FinTelegram articles. Was it the fear of European financial regulators, or the profound irony of a scam-rated exchange automatically republishing our exposés about its own fraudulent activities? Whatever the reason, the intellectual property theft has ended. However, the systemic regulatory violations have not: Lithuanian EMI Paytend Europe UAB and French EMI Heuro SAS (dba OuiTrust) continue to brazenly process fiat deposits for the unlicensed exchange via a Romanian shell company. The “Shadow Rails” remain operational. Key Findings: A Tactical Retreat by a Rogue Exchange The IP Theft Concludes: On February 23, 2026, MEXC abruptly deleted the unauthorized FinTelegram author page and scrubbed all stolen articles from its news stream. Previous Cease & Desist notices were completely ignored until our direct complaint to their payment facilitators. The Irony of Auto-Publishing: The removal likely resulted from either our Open Letter to Paytend Europe or MEXC administrators finally realizing their automated scrapers were proudly broadcasting our investigative reports exposing their own illegal operations. The “Franchisee” Fairytale: Austrian lawyers for the registered Estonian entity, MEXC Estonia OÜ, have formally claimed to FinTelegram that the company has “nothing to do” with the MEXC global scheme, dismissing themselves as a mere “franchisee.” Since this entity is not named on MEXC.com or MEXC.co, it confirms MEXC is soliciting European investors without any applicable MiCA authorization. The Red Shield Remains Active: Despite the exposure, our live tests confirm that Paytend Europe UAB (Lithuania) and Heuro SAS/OuiTrust (France) are still actively facilitating fiat-to-crypto deposits for MEXC. The Romanian Front: All SEPA and SEPA Instant funds are contractually routed through an unregistered Romanian shell company, Finetix Ltd S.R.L., serving as the legal firewall for the unlicensed exchange. The Case Update: A Small Victory in a Larger War MEXC payment instructions for bank transfer via Finetix Ltd S.R.L. and Paytend Europe. For months, MEXC—an exchange plagued by regulatory warnings and customer accusations of asset confiscation—systematically hijacked FinTelegram’s investigative reporting. By auto-scraping our articles and publishing them on their own news feed without permission, MEXC sought to artificially inflate its credibility. When our legal notices to MEXC were met with the silence typical of an offshore “ghost” entity, we escalated the matter. We took direct aim at the institutional enablers making MEXC’s operations possible: we issued an email complaint and published an Open Letter to Paytend Europe UAB, exposing not only the IP infringement but the severe anti-money laundering (AML) and Markets in Crypto-Assets (MiCA) violations involved in facilitating MEXC’s fiat deposits. Today, February 23, 2026, we confirmed that MEXC blinked. The FinTelegram author page has vanished from their domain, and the stolen content has been purged. Whether this was prompted by panic within Paytend’s compliance department or by MEXC realizing the absurdity of republishing our devastating critiques of their own business model, the outcome is clear. However, the core issue remains untouched: The European fiat gates are still wide open for a fundamentally illegal enterprise. Compliance Analysis: Complicit EMIs and the “Franchisee” Nonsense The current regulatory posture of MEXC is a masterclass in obfuscation and jurisdictional arbitrage. By their own lawyers’ admission, the only EU-regulated entity bearing their name—MEXC Estonia OÜ—claims to be a detached “franchisee” with no operational control over MEXC.com. If the Estonian company is not the operator, and no other EU entity is licensed to operate the platform, then MEXC is irrefutably providing crypto-asset services in Europe illegally and in direct violation of the MiCA framework. Given this undeniable fact, the ongoing participation of European Electronic Money Institutions (EMIs) is staggering. By continuing to process deposits for MEXC, Paytend Europe UAB (Lithuania) and Heuro SAS (France) are engaging in what can only be described as high-level institutional facilitation of an unlicensed platform. They achieve this through a classic “Transaction Laundering” technique: using the Romanian entity Finetix Ltd S.R.L. as the “Merchant of Record.” When a European retail investor deposits euros to buy crypto on MEXC, they are forced to accept the terms of Finetix. The fiat flows into IBANs provided by Paytend and OuiTrust, masking the true, high-risk destination of the funds from the broader banking system. Why these licensed EMIs are willing to risk their own regulatory survival to bank a blacklisted, unlicensed crypto casino remains the multi-million-euro question. The MEXC “Red Shield” Payment Rail Participants Entity / BrandJurisdictionRegulatory StatusRole in the MEXC SchemeFinetix Ltd S.R.L.(Finetix)www.finetix.netRomaniaUnregistered / ShellThe Contractual Shield: Acts as the primary payee and legal buffer, masking the flow of funds to the offshore exchange.Paytend Europe UAB (Paytend)www.paytend.comLithuaniaLicensed EMI (Bank of Lithuania)The Standard SEPA Rail: Provides the underlying banking infrastructure and IBANs for standard fiat deposits routed through Finitex.Heuro SAS(OuiTrust / Heuro Bank)www.ouitrust.comFranceLicensed EMI (ACPR)The SEPA Instant Rail: Provides high-speed fiat processing, allowing rapid liquidity extraction into the offshore scheme.MEXC Estonia OÜwww.mexceu.com (defunct)EstoniaVASP (Under FIU Investigation)The Decoy: Holds a local crypto registration but denies operational responsibility, acting as a “franchisee” to confuse regulators. Export to Sheets Call to Action: We Need the Paper Trail! The removal of our stolen content proves that applying pressure to the payment processors works. Now, it is time to dismantle the illegal payment rails completely. Are you a customer of MEXC who has deposited funds via Paytend, OuiTrust, or Finetix? Are you a compliance insider at one of these European EMIs who has witnessed the systemic failure to perform proper Know Your Business (KYB) checks on the MEXC network? We need your evidence. Please provide us with bank transfer receipts, deposit screenshots, internal compliance memos, or any documentation that exposes the mechanics of these payment facilitators. Help us shut down the shadow rails. Submit your evidence securely and anonymously. Share Information via Whistle42

Despite widespread regulatory warnings across the EU, offshore brokers are still seamlessly processing retail deposits using stealth payment architecture. At the center of this web sits trade1.payments.shop, an anonymous gateway routing high-risk funds through Cyprus-supervised payment infrastructure. Analysis & Context: The Anatomy of a Stealth Gateway In the high-risk payment sector, disposable domains are frequently used to obfuscate the flow of funds from regulatory bodies and acquiring banks. Our technical analysis identifies trade1.payments.shop as a specialized “masking rail” heavily utilized by offshore trading brokers, most notably PU Prime, Vantage Markets, and RoboForex (see the Similarweb screenshot left). Instead of functioning as a traditional, public-facing payment processor, this domain operates in the shadows as a vital technical bridge. When EU retail clients attempt to fund their accounts—via credit cards or Apple/Google Pay—the transaction is routed through this gateway. Digital footprint analysis of the anonymous gateway https://trade1.payments.shop highlights a clear target demographic: retail investors in strictly regulated European markets. January data from Similarweb (see screenshot right) shows a highly concentrated traffic distribution, with nearly 42% of visitors originating from Italy, followed by the UK (20%) and Austria (18%). This geographic targeting strongly suggests the payment rail is explicitly deployed to circumvent local financial authorities, funneling unauthorized deposits to offshore brokers operating illegally in these jurisdictions. Red Flags and Processor Connections: Cyprus PSP Integration: Technical inspections of the checkout source code and production-mode payment endpoints reveal embedded references to merchant identifiers tied to a Cyprus-licensed Payment Service Provider (PSP). Regulatory Evasion: The merchants using this rail lack MiFID authorization and have active EU regulatory warnings against them. Yet, this gateway facilitates the bypassing of geo-blocking, allowing unrestricted EU retail deposits. Total Anonymity: The .shop domain is heavily shielded behind WHOIS privacy proxies, deliberately masking the beneficial owners and corporate structure. This setup strongly suggests that regulated EU entities (specifically in Cyprus) are technically and financially settling funds for unauthorized offshore schemes through this anonymized gateway. Ecosystem Summary DomainKnown ConnectionsRoletrade1.payments.shopPU Prime, Vantage Markets, RoboForexAnonymized Payment Gateway / Masking RailCyprus-licensed PSPsSource Code & Endpoint ReferencesPayment Facilitation & Merchant ID ProvisionWHOIS ProxyDomain InfrastructurePrivacy Shielding Export to Sheets Call to Action: Help Us Expose the Network FinTelegram is calling on industry insiders, former employees of Cyprus-based PSPs, and compliance professionals to step forward. To dismantle these unauthorized financial flows, we are specifically looking for actionable intelligence on: The Beneficial Owners: Who are the operators controlling the payments.shop domain portfolio? The Cyprus Connection: Which specific Cyprus-regulated payment institutions are providing the underlying processing and merchant accounts for this gateway? The Settling Banks: Which Tier-1 or Tier-2 acquiring banks are clearing these credit card and digital wallet transactions? Send payment documents: Send us payment documents related to these brokers or Cypriot payment institutions. If you have documents, merchant processing agreements, or internal communications regarding trade1.payments.shop, please share them with us. Your identity will remain strictly confidential. Submit your tips securely via our whistleblower platform: Share Information via Whistle42

A new, anonymous player has emerged in the high-risk payment sector. Operating without a public face, Urbenics.com is quietly fueling the offshore casino industry. FinTelegram dives into the digital breadcrumbs connecting this gateway to the “Pistolo” gambling network. The Analysis: A Ghost in the Machine In the world of online gambling compliance, silence is often the loudest signal. Urbenics.com, a domain registered only in late 2023, has become a pivotal “hop” in the payment journey for offshore casinos. Our investigation reveals that Urbenics does not function as a standard e-commerce gateway but rather as a masking layer. When players attempt to deposit on platforms like Pistolo1.com or LegendPlay, they are funneled through Urbenics. This structure serves a dual purpose: it bypasses bank-level blocks on gambling codes and prevents the end-user from seeing the casino’s name on their bank statement. By utilizing Cloudflare to hide its server origins and NameCheap’s privacy services to bury its ownership, Urbenics operates as a “disposable” rail—easily abandoned and replaced if flagged by card schemes. Data Overview: The Urbenics Ecosystem DomainKnown ConnectionsRole in NetworkUrbenics.comSkyHills, LuckyDreams, Pistolo, LegendPlay, RocketSpin,PlayamoPrimary Payment Rail / Masking GatewayPayment-gateway.ioRedirect SourceTraffic Aggregator for Gambling RailsOpenbanking.paysolo.netTop outgoing linkOpen banking payment gatewayNameCheap / CloudflareInfrastructurePrivacy Shielding & Hosting Export to Sheets Call to Action: Help Us Unmask the Operators FinTelegram is calling on industry insiders, former employees of high-risk PSPs, and affected players to step forward. We are looking for: The “Beneficial Owners”: Who truly controls the Urbenics domain? Settlement Details: Which banks or Tier-1 acquirers are providing the underlying processing for Urbenics? Corporate Structure: Is Urbenics a front for a larger, established payment group? If you have information regarding the management, bank accounts, or software providers behind Urbenics.com, please share it with us. Your identity is protected. Share Information via Whistle42

Austria’s Austrian Financial Market Authority (FMA) has pulled the emergency brake on MiCA-licensed KuCoin EU Exchange GmbH: the Vienna-based CASP is banned from conducting new business after losing its key AML and sanctions officers. Just weeks after FinTelegram questioned KuCoin’s “Austrian whitewash,” the regulator now publicly confirms serious organisational breaches at its own MiCA showpiece. Key Facts Ban on new business: The FMA has issued an administrative decision prohibiting KuCoin EU Exchange GmbH from entering into any new customer relationships and from offering new contracts or products within existing relationships, after determining that the firm no longer has suitable key function holders for AML and sanctions compliance. The order requires “legal compliance” to be re-established without delay and is not yet legally final. Reason: missing AML & sanctions leadership: According to the FMA, the posts of Anti-Money-Laundering Officer, Sanctions Compliance Officer, and their respective deputies are currently not duly staffed. Effective staffing of these key functions is described as a precondition for orderly business operations. From fresh licence to enforcement in under 3 months: KuCoin EU received its MiCA authorisation as a crypto-asset service provider on 27 November 2025, with permission to provide multiple services across the EEA via passporting. The new-business ban follows less than three months later, turning a flagship licence into an early MiCA stress test. Global enforcement history: In January 2025, KuCoin’s Seychelles operator Peken Global Ltd pleaded guilty in New York to operating an unlicensed money transmitting business and agreed to pay over $297 million in fines and forfeiture, after prosecutors highlighted systemic AML failures and billions in illicit flows through the platform. Canadian AML penalty: In July 2025, Canada’s FINTRAC imposed a C$19.6m penalty on KuCoin’s operator for failing to register properly, failing to report large virtual asset transactions thousands of times, and failing to submit suspicious transaction reports in dozens of cases. FinTelegram red flags vindicated: FinTelegram’s December 2025 KuCoin dossier questioned whether Vienna was “whitewashing a repeat offender” by granting a MiCA licence to a group with a fresh U.S. criminal plea, a record Canadian AML fine and multiple regulator warnings. A separate Rail Atlas-style report mapped the Austrian KuCoin cluster and opaque Hong Kong ownership. Read our KuCoin reports here. Short Analysis From MiCA trophy to supervisory headache The FMA proudly put KuCoin EU on its MiCA scoreboard in late November 2025, positioning Vienna as a “European MiCA hub” alongside other CASPs such as Bitpanda, Bybit EU and AMINA. Within weeks of KuCoin EU’s EU-wide launch campaigns, the same regulator has now barred the platform from doing any new business because its AML and sanctions command chain has effectively evaporated. Formally, this is “just” an organisational finding: missing key function holders under MiCA and the Financial Markets Anti-Money Laundering Act. Substantively, it is devastating. A MiCA CASP that cannot keep its AML and sanctions leadership in place fails the most basic test of prudential seriousness – especially when its global parent has only just admitted to U.S. felony-level compliance failures and is appealing a record AML penalty in Canada. Vienna’s MiCA experiment under pressure For Austria, this is more than a single enforcement action. FinTelegram has repeatedly warned that the “Vienna MiCA hub” was drifting towards a rent-a-CEO / rent-a-licence model for high-risk offshore exchanges, with KuCoin as Exhibit A. The FMA’s own decision now confirms that governance at KuCoin EU is fragile enough that its core compliance functions can simply disappear, forcing an immediate business freeze. The ban is temporary and not yet final; if KuCoin EU swiftly installs acceptable AML and sanctions officers, the FMA could lift the restriction. But the symbolic damage is done: one of MiCA’s highest-profile licences has already triggered an AML-driven new-business ban, less than a year after a U.S. guilty plea and amid ongoing Canadian enforcement. For institutional counterparties and regulators in other EU states, KuCoin EU now looks less like “MiCA-de-risked access” and more like a live-fire test of how the new regime handles repeat-offender risk. Call for Information (Whistle42) FinTelegram will continue to track KuCoin EU’s remediation plans, the FMA’s follow-up steps, and any impact on European clients and counterparties. If you work or have worked at KuCoin, KuCoin EU, its Austrian law firms or service providers – or at another EU regulator watching this case closely – we want to hear from you. Share internal risk reports, correspondence, onboarding memos or AML/sanctions findings securely via Whistle42. Your identity will be treated with the highest level of confidentiality. Share Information via Whistle42

A February 2026 compliance review confirms that offshore broker RoboForex Ltd (Belize) continues onboarding EU retail clients and directing SEPA deposits to a Lithuanian bank account held with AB Mano Bankas. Despite clear EU residency disclosure during KYC, the broker accepted the account and issued an invoice instructing payment to its Belize entity. The structure raises material MiFID and AML governance questions. Key Findings EU passport and EU address submitted and verified. Account opened without restriction. Confirmation email issued by RoboForex Ltd (Belize). SEPA transfer instructions to: Beneficiary: RoboForex Ltd Bank: AB Mano Bankas (Lithuania) IBAN: LT425030120000000032 Invoice explicitly confirms deposit to Belize entity. No MiFID authorization. No MiCA authorization. Regulatory Position of RoboForex RoboForex Ltd is the operator of the offshore broker RoboForex.com. The entity is: Incorporated in Belize. Licensed by FSC Belize. Not licensed in the EU. Not passported under MiFID. Not authorized under MiCA. Under EU law, the active onboarding of EU residents and acceptance of funds via SEPA banking rails constitutes cross-border financial service provision. The review demonstrates: No geo-blocking. No rejection of EU residents. No disclaimers preventing onboarding. Active acceptance of EU deposits. This is not incidental access. This is structured onboarding. SEPA Rail Mechanics The deposit flow is straightforward: EU client↓RoboForex platform↓SEPA instruction↓Transfer to Lithuanian IBAN↓Beneficiary: RoboForex Ltd (Belize) The invoice confirms: “Payment for replenishment of account.” This is retail funding of an offshore broker. Mano Bankas – Supervisory Implications AB Mano Bankas (website) is a Lithuanian-regulated credit institution supervised by the Bank of Lithuania and subject to: EU AMLD framework PSD2 governance obligations EBA Guidelines on ML/TF Risk Factors Customer due diligence obligations Ongoing transaction monitoring requirements Where a bank maintains an account for an offshore broker accepting retail EU funds, compliance questions arise: Was the broker’s licensing position assessed? Was cross-border authorization verified? Was the target market reviewed? Was enhanced due diligence applied? Was ongoing monitoring conducted after regulatory warnings? The IBAN is not used for corporate treasury transfers. It is used for direct EU client deposits. That changes the risk profile materially. Risk Classification From a compliance perspective, this structure may expose the bank to: Reputational risk AML exposure Regulatory scrutiny Supervisory inquiries Cross-border compliance breaches This report does not allege wrongdoing. It documents a factual structure that warrants supervisory examination. Evidence Preservation The review documentation includes: KYC confirmation records Deposit screens Invoice issued by RoboForex Ltd Bank details SEPA instructions Confirmation emails All materials are preserved. Short Analysis The central issue is simple: Can an offshore broker licensed in Belize accept EU retail deposits through a Lithuanian bank account without MiFID authorization? And if not: What is the supervisory expectation of the EU-regulated bank providing the IBAN? Call for Information FinTelegram invites regulators, compliance officers, and insiders with knowledge of cross-border SEPA facilitation of offshore brokers to contact us confidentially via Whistle42.com. Share Information via Whistle42

Following our recent exposure of the NovaForge Group and its blacklisted offshore casino Spinsy, whistleblowers have stepped forward with crucial new evidence. A player recently revealed that Irish-registered Zentoria Limited is operating as a shadow payment processor for another NovaForge brand, Robycasino. Disguising transactions under the billing descriptor “Spinsopotamia.com Dublin,” Zentoria is quietly facilitating offshore gambling while holding an official Irish Remote Bookmaker’s Licence. Here is our compliance analysis of the key actors, Mykhaylo Pavlenko and Alina Vavilova, and the operations behind Zentoria Limited. In our ongoing effort to map the “Rail Atlas” of illegal offshore gambling, FinTelegram relies heavily on the vigilance of the player community. Recently, a victim of the NovaForge Group (operators of the ACMA-blocked Spinsy casino) reached out to share their credit card statements. The player reported that multiple deposits made to another NovaForge offshore brand, Robycasino.com, appeared on their bank statement as “Spinsopotamia.com Dublin.” Our research directly links this billing descriptor to Zentoria Limited, an Irish corporate entity operating out of Dublin 4. This revelation exposes a sophisticated European payment rail acting as a critical financial artery for unregulated, offshore gambling operations. Key Findings The Robycasino Connection: Deposits intended for Robycasino, a brand operated by the offshore NovaForge Group, are being routed through European banking rails using the obscure billing descriptor “Spinsopotamia.com Dublin.” Zentoria Limited Identified: Corporate and domain intelligence links the Spinsopotamia descriptor directly to Zentoria Limited, an Irish company incorporated in April 2024. The Regulatory Contradiction: Despite facilitating payments for an unlicensed offshore casino network, Zentoria Limited officially holds an active Remote Bookmaker’s Licence from the Irish Revenue Commissioners. The Key Actors: According to Irish corporate filings and Revenue.ie data, the individuals acting on behalf of and directing Zentoria Limited are Mykhaylo Pavlenko and Alina Vavilova. Masking Transactions: By using a domain like “Spinsopotamia.com,” the operators are likely utilizing a practice known as “transaction laundering,” masking high-risk offshore casino deposits as benign digital purchases to bypass credit card blocking protocols. Compliance Analysis: The Zentoria Payment Scheme Zentoria Limited represents a classic “Trojan Horse” in the high-risk payment processing sector. By establishing a corporate footprint in a reputable EU jurisdiction (Ireland) and securing a legitimate Remote Bookmaker’s Licence, the operators, Mykhaylo Pavlenko and Alina Vavilova, gain unhindered access to top-tier European merchant accounts and acquiring banks. However, the whistleblower evidence suggests this Irish entity is not conducting legitimate, local bookmaking. Instead, it is being utilized as a shell payment gateway for the NovaForge Group. When a player deposits money into Robycasino (which operates under a weak offshore license), the transaction is diverted to Zentoria’s Irish merchant account. To ensure the player’s bank or credit card issuer doesn’t flag the transaction as illegal offshore gambling, Zentoria applies the descriptor “Spinsopotamia.com.” This setup presents a massive compliance breach. Irish regulatory frameworks require strict Anti-Money Laundering (AML) controls and fitness/probity checks for all directors. The fact that an Irish-licensed entity is acting as a payment funnel for NovaForge—a group whose brands have been formally blacklisted by the Australian Communications and Media Authority (ACMA)—should trigger immediate intervention by the Irish Department of Justice and the Revenue Commissioners. The “Facade Casino” Strategy Acquiring banks and credit card companies (like Visa and Mastercard) use automated systems to block transactions to blacklisted offshore casinos like Robycasino or Spinsy. To get around this, the NovaForge Group uses Zentoria Limited to set up a “clean” casino facade—in this case, Spinsopotamia.com. Because Zentoria holds an official Irish Remote Bookmaker’s Licence, they can easily go to a European bank and say: “We are a fully licensed, regulated Irish betting company operating Spinsopotamia.com. Please give us a merchant account to process credit cards.” The bank sees the Irish license, approves the merchant account, and gives them the ability to process payments under the billing descriptor “Spinsopotamia.com Dublin.” How the Bait-and-Switch Works Once that payment rail is established, the operators connect the backend of the illegal offshore casinos (Robycasino/Spinsy) to the legal Irish merchant account (Spinsopotamia). An player logs into Robycasino and deposits $100. The payment gateway silently routes that transaction to Zentoria’s merchant account in Dublin. The player’s bank sees a charge from “Spinsopotamia.com Dublin” (an EU-licensed entity) instead of “Robycasino” (a blacklisted offshore entity). The bank approves the transaction, completely unaware they just facilitated an illegal offshore deposit. This makes Spinsopotamia the ultimate Trojan Horse. It exists as a real website primarily to serve as a legitimate front, providing “cover” for the massive volume of illicit transactions flowing to NovaForge’s blacklisted brands. Summary Data: Zentoria Limited CategoryDetailsEntity NameZentoria LimitedCompany Number (CRO)761150Date of Incorporation04 April 2024Registered Address3rd Floor, Waterloo Exchange, Waterloo Road, Dublin 4, IrelandPrincipal Activity[9200] Gambling and Betting ActivitiesKey ExecutivesMykhaylo Pavlenko, Alina VavilovaKnown Billing DescriptorsSpinsopotamia.com DublinAssociated Casino NetworkNovaForge Group (Robycasino, Spinsy) Export to Sheets Call for Whistleblowers: Help Us Expose the Network The FinTelegram Investigative Team is actively expanding its dossier on Zentoria Limited, Mykhaylo Pavlenko, Alina Vavilova, and the NovaForge Group. We need to map every node of this payment network to present a complete case to European regulators and acquiring banks. Have you played at Robycasino, Spinsy, or other NovaForge brands? Do you have bank statements showing charges from “Spinsopotamia.com,” “Zentoria Ltd,” or other obscure European descriptors? Are you an insider in the payment processing industry with knowledge of how Zentoria Limited secures its merchant facilities? Your information is the most powerful tool we have to disrupt these shadow financial networks. Please provide any further information, documents, or personal experiences securely and anonymously via our whistleblower platform: Whistle42. Share Information via Whistle42

In an explosive response to a victim’s complaint, payment giant Skrill has officially confirmed that documented shell companies Briantie Limited and Cyperion Solutions Limited are “on-boarded merchants” who passed its internal checks. While admitting it debited the victim’s bank account for 28 fraudulent transactions, Skrill denies all liability, claiming no “contractual agreement” exists with the payers using its gateway. The Skrill Gateway to Transaction Laundering Skrill’s formal response to the player’s complaint acts as a “smoking gun” for regulators. By refusing to reverse the disputed transactions while simultaneously confirming the status of the predatory merchants, Skrill has exposed a systemic vulnerability in the European payment landscape. 1. Official Confirmation of the Shell Network Skrill has confirmed that Cyperion Solutions Limited and Briantie Limited—entities identified in our investigation as financial shells for the Galaktika N.V. / SoftSwiss ecosystem—are official Skrill merchants. Skrill explicitly listed 28 specific transactions between December 2025 and January 2026 that were routed to these entities through its “Quick Checkout” gateway. Skrill’s email is very revealing and, despite rejecting the complaint, provides several strong angles for escalation. All disputed payments are “gateway payments” via Skrill Quick Checkout where Skrill acts only for the merchant, not for the payer; therefore they do not show in the user’s Skrill wallet history. The disputed transactions were processed for two Skrill merchants – Cyperion Solutions Limited and Briantie Limited – plus their “subsidiary companies, license holders or payment processors”. Skrill explicitly classifies Cyperion Solutions Limited and Briantie Limited as approved merchants that “have passed all relevant checks” and states it is “satisfied” with the business relationship. Skrill acknowledges the customer’s allegations of transaction laundering and illegal gambling, yet still declines to uphold the complaint and pushes responsibility to merchants and authorities. Skrill permanently closed the user’s wallet account and claims to have taken steps to prevent further use of his data, implicitly acknowledging the identity‑theft risk. Read our Shadow Skrill reports here. 2. The “No Contract” Loophole Skrill’s primary defense is a technicality: it claims that for “gateway payments,” it offers services only to the merchant and has no contractual agreement with the payer. This allows Skrill to: Debit a victim’s bank account (appearing as SKR*Skrill.com). Transmit those funds to offshore-linked shells. Wash its hands of the “quality, safety, or legality” of the services provided. This confirms our findings that the “Shadow Skrill” phenomenon is a deliberate feature of their “Quick Checkout” architecture, used by illegal operators to mask the final destination of funds. This is how Skrill frames its responsibility: They rely on a strict distinction between: Wallet payments (user–Skrill contractual relationship), and Gateway/Quick Checkout payments (merchant–Skrill only, payer is not their customer). On that basis, Skrill argues: It is merely providing a “technical environment”, It does not vouch for legality of underlying services, and All disputes should be directed at the merchants, not Skrill. This is a classic outsourcing-of-responsibility defence: they acknowledge processing the transactions, but deny any duty to investigate legality or victim compensation beyond closing the user’s account. 3. Victim Blaming: The Permanent Account Closure In a move described as a “security reason,” Skrill has permanently closed the victim’s account following his report of identity theft. While the merchants who allegedly facilitated the fraud remain “checked” and “satisfied” in Skrill’s eyes, the victim is de-platformed, cutting off his access to internal dispute tools. 4. The Impressive “KYC Check” Failure Skrill maintains that these merchants “passed all relevant checks”. However, our research shows Cyperion Solutions Ltd is registered as a “Management Consultancy” in the UK. The fact that an e-money institution allows a “consultancy” to process thousands of transactions for unlicensed Curaçao casinos (Slotoro/Boomerang-Bet) suggests a catastrophic failure in Skrill’s Know Your Business (KYB) and Merchant Monitoring protocols.+1 Conclusion: The Regulatory Imperative Skrill’s response proves that the Galaktika N.V. network is not operating in the shadows; it is operating through the front door of regulated European payment institutions. By providing the technical environment for transaction laundering while claiming zero liability, Skrill is effectively serving as the financial engine for the “Cloaked Casino Clan.” The Shadow Skrill Setting Entity / InstrumentDocumentation SourceRole in the SchemePaygateSkrill Confirmation Emails Technical Receiver/Gateway: Operates as the “shadow” routing agent for fund transfers.NGPaymentsBank Statements / Skrill Emails Payment Instrument: The technical rail used to mask illegal gambling deposits.Briantie LimitedBank Statement Primary Merchant Account: Cyprus-based shell receiving high-volume deposits. Operates as a “Payment Agent” but often uses generic business descriptions to bypass bank filters.Cyperion SolutionsTransaction ID Logs PayFac Shell: Registered as “Management consultancy” (SIC 70229).Disguises casino deposits as “IT consultancy” services.Novaforge LimitedSkrill Confirmation Logs Secondary Shell: Active beneficiary when primary accounts are throttled. Export to Sheets This documentation definitively places Paygate at the center of the Galaktika/Wiraon financial engine. It acts as the technical “glue” that allows these diverse shell companies to interface with legitimate payment giants like Skrill without triggering immediate fraud alerts. Whistleblower Call to Action: Are you a Skrill or Paysafe employee with knowledge of how Cyperion, Briantie, or Paygate bypassed merchant compliance? We need to know who approved these accounts. Contact us anonymously via Whistle42. Share Information via Whistle42

The Dutch gambling regulator KSA has ordered Polymarket’s operator to stop offering its crypto-based prediction markets to people in the Netherlands, backed by weekly penalty payments that can reach €840,000. The case matters far beyond the Dutch market: it’s a template for EU regulators to treat “event contracts” as illegal remote gambling unless licensed locally—regardless of whether the product is framed as “trading.” Key Points The KSA imposed a “last onder dwangsom” (order under penalty) on Polymarket operator Adventure One QSS Inc., demanding it stop offering unlicensed games of chance to Dutch residents; €420,000 per week, max €840,000. In its published decision, the KSA says Dutch residents could create an account, deposit, and participate without effective technical barriers (geo-blocking), following investigations in July and November 2025. Polymarket argued it is not gambling but a “market” where users trade positions and outcomes reflect information and market dynamics; the KSA rejected this and treated it as a Wok-prohibited offering without a Dutch licence. The UK has now publicly clarified that prediction markets offered in Great Britain would be treated as gambling products (and require appropriate licensing). In the US, the regulatory story is split: the Commodity Futures Trading Commission (CFTC) previously sanctioned Polymarket for offering event-based binary options/swaps via an unregistered facility (a 2022 order with a $1.4m penalty and wind-down requirements). Short Narrative The KSA’s message is blunt: if Dutch users can access the platform and stake money-like value on uncertain events, it is remote gambling—licence required. The regulator’s decision frames Polymarket as providing “opportunity to participate” in a game of chance without authorisation under Dutch law, and it backs the stop order with meaningful weekly penalties. This is also not just about consumer protection boilerplate. Dutch public debate has focused on politically sensitive markets (elections, coalition formation) and the risk that such markets can incentivize manipulation, insider behaviour, or public distrust—especially where crypto rails and pseudonymity complicate supervision. Extended Analysis 1) How Prediction Markets Work (and why regulators don’t buy the “it’s just trading” defence) Most prediction markets list “Yes/No” contracts on an event (e.g., “Candidate X wins”). A contract price (say, 0.63) is marketed as an implied probability (63%). Users can buy/sell positions before settlement; at resolution, a winning share pays out and a losing share goes to zero (or close), with settlement often relying on an oracle or defined data source. From a compliance lens, the functional test is simple: stake → chance/uncertainty → payout. Whether the UI says “trade” or “bet,” and whether pricing is formed by an order book or an AMM, regulators frequently classify the product as gambling (EU/UK) or as a derivative (US)—either way, it triggers licensing/authorisation. The KSA decision explicitly records Polymarket’s argument that outcomes are not “pure chance” because informed traders can act; it still treats the offering as a prohibited, unlicensed game of chance under Dutch law. 2) Why the KSA Banned Polymarket The published Dutch decision matters because it reads like an enforcement checklist for any cross-border prediction market: Market access from the Netherlands: the KSA’s investigators could register and participate from Dutch IP space; no effective blocking measures were in place. No Dutch remote-gambling licence: the operator was not authorised for online gambling in the Netherlands. Enforcement posture: the KSA justifies penalties by pointing to core objectives: consumer protection, addiction prevention, fraud/crime prevention, and safe payments—classic gambling-supervision pillars. In other words: this is not a nuanced “MiCA vs MiFID” debate. The KSA is treating the product as gambling first, crypto second. 3) US vs UK: Two Different Legal Boxes, Same Compliance Outcome United States: The CFTC has already acted against Polymarket’s earlier structure, treating its event-based binary options as “swaps” and sanctioning the platform for operating an unregistered facility / non-designated contract market (with a $1.4m penalty and wind-down obligations).Meanwhile, the US environment remains contested, with ongoing clashes between federal derivatives framing and state-level gambling enforcement narratives around event contracts. United Kingdom: The Gambling Commission has now set out that prediction markets, if offered in Great Britain, sit within existing gambling law and would need the appropriate permissions—pushing the model toward a “betting exchange” compliance posture rather than a “financial markets” one. 4) What this means for the EU The EU has no single “prediction market” passport. Gambling is largely regulated at member-state level, and the KSA action signals where enforcement is heading: availability + participation = local licensing exposure. Practical consequences for prediction markets operating (or marketed) into the EU: Geo-fencing becomes non-optional: regulators will test access, onboarding, deposits, and UX “market targeting” factors (language, local events, local marketing). The KSA’s investigation narrative shows exactly how. Crypto rails don’t reduce licensing risk—often the opposite: they raise AML/consumer-protection concerns and make “we’re not targeting you” arguments weaker when access is frictionless. EU expansion strategy shifts to regulated betting-exchange models: in practice, the UK’s position suggests the compliance route is gambling licensing (where available) rather than trying to free-ride on “financial product” narratives. Expect copycat enforcement across the EU: public reporting already notes blocking/illegality debates in neighbouring jurisdictions; the Dutch order adds a fresh, exportable enforcement pattern. Actionable Insight If you operate (or invest in) a prediction market touching the EU: treat the KSA decision as a regulatory routing signal. Your core risk is not “token compliance”—it’s unlicensed gambling distribution, with enforcement triggered by mere accessibility. The minimum viable compliance posture now looks like: hard geo-blocking, EU-market abstention by default, and a jurisdiction-by-jurisdiction licensing strategy (or a pivot into fully regulated betting exchange frameworks). Call for Information Have you used Polymarket (or similar prediction markets) from within the EU—especially the Netherlands—or seen payment facilitators, wallet rails, “localisation” tactics, or influencer campaigns aimed at EU users? Send evidence (screenshots, transaction trails, affiliate links, domain clones, onboarding flows) via Whistle42.com. Insiders at operators, PSPs, or marketing affiliates: we also want to hear how geo-blocking and market targeting decisions are made. Share Information via Whistle42

A February 2026 compliance review confirms that offshore brokers PU Prime, Vantage Markets, and RoboForex continue onboarding EU retail clients and processing card deposits despite repeated regulatory warnings across the EU. Technical analysis of the payment flows identifies Cyprus-supervised payment infrastructure facilitating these transactions, raising supervisory questions under PSD2 and AMLD frameworks. Key Findings PU Prime, Vantage Markets and (offshore) RoboForex accepted EU passport and EU proof-of-address during KYC. Austrian, German, and Italian residents successfully onboarded and their deposits are enabled via: Credit/debit cards Apple Pay Google Pay Bank transfer Crypto wallets. Identical payment gateway architecture observed across multiple warned brokers. Cyprus-linked PSP references embedded in payment source code. Public EU regulatory warnings remain active. Full evidentiary documentation preserved (screenshots + HTML source extracts). Compliance Review (18–19 February 2026) FinTelegram has been monitoring the offshore brokers PU Prime, Vantage Markets, and RoboForex for years and has repeatedly pointed out their regulatory violations. Similarweb statitics for Puprime.com for Jan 2026 Recently, new structured onboarding tests were conducted by EU residents who: Submitted EU-issued passports, Submitted EU residential documentation, Completed full KYC declarations explicitly confirming EU residency. All three brokers approved the registrations. No geo-blocking or jurisdictional filtering prevented EU access. Italian residents were able to register and deposit with Vantage Markets despite a CONSOB blackout order. According to a Similarweb traffic analysis, in January 2026, just under 13.4% of visitors to the Puprime.com website came from Germany. The offshore mutation of Roboforex (Roboforex.com) also received more than 5% of its website visitors from Germany in January 2026. Deposits were apparently mostly made via Cypriot payment institutions. At VantageMarkets.com, just under 10% of website visitors came from Spain. EU residents are therefore a significant target group on all three platforms. Regulatory Status of the Brokers Public warnings include: PU Prime — UK FCA warning, Danish Denish FSA, AMF (France), ASC (Alberta/Canada). Vantage Markets — AFM (Netherlands), CONSOB (Italy blackout), CNMV (Spain), Danish FSA, MFSA (Malta) RoboForex (Belize entity) — Offshore regulation; disclaimer against EU targeting not technically enforced. These brokers operate via non-EU licensed entities while accepting EU retail deposits. Under MiFID II, such cross-border activity raises authorization and passporting concerns. Cyprus-Based Payment Infrastructure Identified Technical inspection of the deposit flows revealed: Anonymously operated card gateway domains such as trade1.payments.shop. Apple Pay routing via Cyprus-controlled subdomains. Merchant identifiers referencing Limassol-based PSP infrastructure. “Powered by” references linked to a Cyprus-licensed payment institution. Production-mode payment endpoints embedded in HTML source code. The architecture observed is consistent across multiple warned brokers. These findings were obtained through lawful user interaction and documented contemporaneously. The underlying technical records are preserved. Central Bank of Cyprus Supervisory Context Payment institutions licensed in Cyprus operate under the supervision of the Central Bank of Cyprus (CBC) pursuant to: The Payment Services Law (PSD2 transposition), The Prevention and Suppression of Money Laundering and Terrorist Financing Law, CBC Directives on risk management, governance, and AML compliance. Under these frameworks, supervised entities are required to: Apply risk-based merchant onboarding procedures, Conduct enhanced due diligence where higher-risk activities are identified, Perform ongoing monitoring of merchant business models, Manage operational and reputational risks appropriately. Where offshore brokers subject to multiple EU regulatory warnings continue to accept EU retail deposits via Cyprus-supervised card infrastructure, supervisory review is a foreseeable consequence. This report does not draw conclusions regarding compliance outcomes. However, the factual pattern raises legitimate supervisory questions that fall within the remit of the CBC’s oversight responsibilities. Structural Pattern Observed Offshore broker (non-EU license)↓EU client onboarding accepted↓Full EU KYC completed↓Card deposit processed via Cyprus-supervised infrastructure This sequence was observed across multiple broker brands using similar technical architecture. Evidence Preservation All findings were preserved in evidentiary format, including: Registration confirmation emails, KYC acceptance records, Payment screen captures, Full HTML source extracts, Gateway domain references, Regulatory warning copies. The documentation exists and is retained. Short Analysis The issue presented is not rhetorical but structural. When brokers publicly warned by EU regulators continue processing EU retail deposits through EU-supervised payment rails, the matter transitions from marketing compliance to supervisory risk governance. The relevant regulatory question is: How should merchant onboarding, risk classification, and ongoing monitoring be calibrated where repeated cross-border warnings exist? Call for Information FinTelegram invites regulators, compliance officers, and industry insiders with further documentation regarding Cyprus-supervised payment facilitation in offshore broker schemes to contact us confidentially via Whistle42.com. Share Information via Whistle42

This content is password-protected. To view it, please enter the password below. Password:

Payabl’s Group CEO Ugne Buraciene has been shortlisted for the Merchant Payments Ecosystem (MPE) Influencer of the Year 2026 award. While the nomination highlights strategic positioning and platform integration claims, it also comes at a time when the company faces heightened public and legal attention in Cyprus. Key Facts Ugne Buraciene, Group CEO of Payabl CY Limited, has been shortlisted for MPE Influencer of the Year 2026. The Merchant Payments Ecosystem (MPE) Awards recognise individuals shaping merchant acquiring and payment infrastructure. Payabl is promoting the nomination via client email communication encouraging industry voting. The company positions its platform “payabl.one” as an integrated control layer combining acquiring, business accounts, card issuing, fraud tools, and reporting. Voting is open until 22 February 2026. Short Narrative Registered clients of Payabl received a corporate communication announcing that Group CEO Ugne Buraciene has been shortlisted for the Merchant Payments Ecosystem Influencer of the Year 2026 award. The MPE Awards are a recognised industry event focused on merchant acquiring, payment processing, and fintech infrastructure across Europe. The Influencer category is designed to spotlight leadership impact within the merchant payments ecosystem. In its announcement, Payabl framed the nomination as recognition of its platform strategy under the banner “simplify without compromising control.” The company promotes its integrated solution, payabl.one, as a unified merchant control layer covering online and in-person acquiring, business accounts, card issuing, fraud management tools, and reporting. The email also highlights diversity and leadership positioning, emphasising what it describes as one of the more balanced executive teams in European fintech. Regulatory Context Payabl operates within the EU payments framework and is subject to the regulatory perimeter applicable to electronic money institutions and/or acquiring entities in Cyprus. Industry recognition does not substitute regulatory oversight. Supervisory evaluation remains separate from marketing recognition. The Merchant Payments Ecosystem Awards are industry-led and not affiliated with any supervisory authority. Call for Information FinTelegram invites industry insiders, merchants, compliance professionals, and former employees with relevant insight into payment infrastructure practices to contact us via Whistle42.com. Confidential submissions are welcome. Share Information via Whistle42

By the FinTelegram Editorial Board Date: February 18, 2026 Executive Summary: The Silence is Deafening Last Friday, FinTelegram sent a formal Urgent Notification to the compliance department and board of Paytend Europe UAB, a Lithuanian Electronic Money Institution (EMI). We alerted them to their role in facilitating the illegal operations of the crypto exchange MEXC scheme and demanded an explanation for why their payment rails remain open to a platform that systematically hijacks our intellectual property. We gave Paytend 48 hours to respond. They chose silence. As of this morning, February 18, 2026, our forensic tests confirm that Paytend continues to process Euro deposits for MEXC via the Romanian shell company Finetix Ltd S.R.L. Furthermore, similarweb traffic analysis reveals a damning truth: MEXC.com and MEXC.co are among the top 5 referring websites for Paytend.com. This is not a compliance oversight; it is a business model. Consequently, we are escalating this matter by publishing our notification as an Open Letter. We are doing this with the full knowledge that MEXC’s automated scraping bots will likely steal this article and republish it on their own “News” section—an irony that perfectly encapsulates the lawlessness of their operation. The “Red Shield” Rail: How Paytend Powers MEXC For regulators and compliance officers reading this, here is the exact mechanism Paytend uses to launder high-risk crypto flows into the European banking system: The Front (Finetix): Users on MEXC are forced to accept the Terms & Conditions of Finetix Limited S.R.L., a Romanian entity with no known VASP license and a non-functional website. The Pipe (Paytend): Finetix holds its banking accounts with Paytend Europe UAB (Lithuania). When a user sends Euros to “buy crypto” on MEXC, they are actually wiring funds to Finetix’s Paytend account. The Reality: Finetix acts as a mere pass-through vehicle. It provides no independent service. Its sole purpose is to mask the ultimate beneficiary—the blacklisted exchange MEXC—from the scrutiny of the sending banks. The Evidence of Complicity: Data from Similarweb shows a massive, sustained flow of user traffic directly from MEXC’s domains to Paytend’s portal. It is statistically impossible for Paytend’s risk team to be unaware that one of their largest traffic sources is an unlicensed offshore exchange warning-listed by regulators globally. OPEN LETTER TO PAYTEND EUROPE UAB To: The Board of Directors & Compliance Department, Paytend Europe UAB From: FinTelegram News & The RatEx42 Investigation Team Subject: IMMEDIATE CEASE AND DESIST – Facilitation of Illegal Services & IP Theft Dear Paytend Management, You have ignored our private notice, so we are now making our demand public. 1. Facilitation of Unauthorized Financial Services Your client, Finetix Limited S.R.L. (Romania), is operating as an unlicensed crypto-asset service provider (CASP) on behalf of MEXC Global. By providing banking rails (IBANs) to Finetix, Paytend Europe UAB is knowingly processing funds for an illegal exchange that solicits EU consumers without a MiCA license. This is a direct violation of your AML/CTF obligations under the Bank of Lithuania’s guidelines. 2. Complicity in Intellectual Property Theft MEXC Global systematically scrapes, copies, and republishes FinTelegram’s proprietary content—including our warning lists and investigative reports—on its own website to artificially boost its SEO and create a veneer of legitimacy. By maintaining the financial lifeline for MEXC, Paytend is profiting from an entity that is actively stealing our Intellectual Property. We hold you contributory liable for these damages. 3. The “Finetix” Sham We have evidence that Finetix is a shell entity. Its website is dysfunctional for crypto purchases, yet it processes millions in EUR for MEXC. You are banking a “Ghost.” Our Demand: We require Paytend Europe UAB to immediately terminate its banking relationship with Finetix Limited S.R.L. and cease all indirect processing for MEXC. Continued failure to act will result in FinTelegram submitting a formal complaint to the Bank of Lithuania (Lietuvos bankas) and the Romanian Financial Intelligence Unit, detailing your willful blindness to high-risk flows. Govern yourselves accordingly. A Note to MEXC (and their Bots) To the automated scrapers at MEXC who will likely hijack this article and post it on mexc.com/news: Thank you for distributing the evidence of your own illegality. You are proving our point better than we ever could. Call to Action Whistleblowers: Are you an employee at Paytend or Finetix? Do you have internal emails regarding the “High Risk” classification of the MEXC account? Regulators: We call upon the Bank of Lithuania to audit the transaction volumes between Paytend and Romanian shell companies. The data does not lie. Submit information anonymously at Whistle42.com. Share Information via Whistle42

A Kazakhstan-based customer says MEXC froze and effectively liquidated her exchange account holding crypto assets worth roughly $160,000—then hid behind “high-risk activity” and AML boilerplate while refusing to explain or restore access. FinTelegram reviewed her formal pre-trial claim and an independently commissioned OSINT dossier that alleges shifting corporate touchpoints across jurisdictions, with an Estonian entity repeatedly surfacing as a potential accountability anchor. The case raises a hard question for customers and regulators alike: is “compliance” being used as a shield for opaque asset deprivation—while legal responsibility is routed through a fog of entities? Key findings Documented by claimant (pre-trial claim): MEXC allegedly blocked a specific account on 27 June 2024, requested re-verification, then informed the customer the account was permanently blocked and denied reasons. Documented by claimant: MEXC support responded with a standard “high-risk activities / AML obligations” template and refused to provide details. OSINT dossier (allegations to be independently verified): The report claims the group’s older entities were dissolved/struck off in prior hubs while new touchpoints emerged in other jurisdictions—creating jurisdictional friction for victims seeking redress. OSINT dossier (allegations): A Rotterdam District Court decision in late 2024 allegedly ordered an Estonian entity linked to MEXC to pay EUR 123,724.50 in a frozen-funds case—suggesting a possible EU liability route. Compliance risk signal: Repeated “we can’t disclose details” responses, paired with asset access loss and entity ambiguity, create a consumer-protection and governance red-flag cluster—especially when the platform remains widely marketed as “top-tier.” The case: What the Customer Alleges Happened The MEXC customer aka victim writes that she stored crypto assets on MEXC and found her funds blocked without an adequate explanation. She estimates the blocked assets (USDT and ETH) at around $160,000 at current exchange rates (claimant statement). In her formal pre-trial claim, she states that: On 27 June 2024, her MEXC account (UID stated in the claim) was blocked. Initially, withdrawals were restricted while login still worked; support then demanded re-verification (passport photo + selfie + handwritten note). After waiting, she was informed the account was permanently blocked, funds inaccessible, and reasons would not be disclosed. She formally demanded restoration of access within 30 calendar days from the letter date (16 July 2024) and threatened litigation if not remedied. MEXC’s response, as quoted in the email, follows a familiar pattern seen across multiple offshore and grey-zone platforms: “high-risk activities,” “AML obligations,” “cannot disclose details,” and “until further notice.” The problem is not that AML controls exist—it’s the absence of due-process-like transparency when customer assets are effectively immobilized. Compliance lens: “AML” as a Black Box A legitimate AML restriction can be justified, but in regulated markets it typically comes with: a documented case rationale (even if partially redacted), a clear escalation channel, timelines and scope of restrictions, and a demonstrable separation between risk controls and asset deprivation. In this case, the claimant alleges she received none of that—only a permanent restriction and silence. The MEXC OSINT Dossier FinTelegram also reviewed a commissioned OSINT report produced by Murkledove Intelligence in Feb 2025. The dossier is written in a strongly accusatory tone and must be treated as lead material, not a final adjudication. Still, it contains several actionable intelligence threads worth verifying. OSINT “Core Thesis” (as alleged) The dossier alleges that MEXC’s corporate footprint has shifted across multiple jurisdictions since 2023, and that customers seeking legal redress are pushed toward entities that may be defunct or contested—while operational continuity persists via other touchpoints. The “EU anchor” allegation The OSINT report repeatedly centers MEXC Estonia OÜ as a potentially relevant liability node. It alleges: the entity exists as an active Estonian company and has been positioned in public narratives around licensing, while representatives have disputed its connection to the global platform. the District Court of Rotterdam ruled against this Estonian entity in a frozen-funds dispute and ordered payment of EUR 123,724.50 (per OSINT). Important: we have seen a redacted copy of the Rotterdam decision within this workflow. The OSINT report provides a clear pointer that can be verified through court databases and filings. The “App Operator / US nexus” Allegation The dossier also claims that MEXC Fintech Inc is registered as the developer/operator of the MEXC mobile app on major app marketplaces, and that its earlier corporate label was Snowbird Connect Inc, which MEXC allegedly acquired. If accurate, that matters because “app operator” status can become a legal and regulatory lever where the trading venue’s licensing posture is disputed. OSINT Entity Map The following table summarizes what the OSINT dossier and the claimant materials assert—not what FinTelegram has independently proven. The following table summarizes what the OSINT dossier and the claimant materials assert—not what FinTelegram has independently proven. Brand / productLegal entity (as alleged/mentioned)JurisdictionRegulatory / compliance angleKnown individuals named by OSINTMEXC exchangeMEXC.comMEXC Global LtdDISSOLVED (Aug 2023) Seychellesjurisdictional fog risk for claimants. MEXC _Murkledove Intelligence_O…Xin Hu, John Chen “License anchor” narrativeMEXC Estonia OÜEstoniaOSINT alleges FIU scrutiny; OSINT claims Dutch court liability precedent (Rotterdam). MEXC _Murkledove Intelligence_O…Yichen Peng; Ljudmila Budnikova; Bing Li; Hongjiang LiuMEXC exchange (EU touchpoint – LT)Oceanblue Fintech UAB (formerly MEXC Lithuania UAB), Co. No. 306111081LithuaniaOSINT alleges active LT entity; potential EU accountability / contracting node; verify any licensing/regulated status separatelyFebvi Aldana Dela Calzada (current director/shareholder); Xinran Guo (former director/shareholder until May 2023)MEXC SwissGIDA Technology AGSwitzerlandf/k/a MEXC Switzerland AG Luo Tao, Hongxiu Liu Mobile app operationsMEXC Fintech IncUnited StatesOSINT alleges “developer/operator” designation for the MEXC app; potential enforcement nexus. MEXC _Murkledove Intelligence_O…—App development (historic)Snowbird Connect IncUSOSINT alleges predecessor name/partner acquired by MEXC. MEXC _Murkledove Intelligence_O…—UK footprintMEXC UK LimitedUnited KingdomOSINT references UK-related structures; relevance depends on current activity. MEXC _Murkledove Intelligence_O…—Token / foundation structuresMXC Foundation GmbH; MXC China Limited(DE) / (CN)OSINT ties brand token narratives to entity shifts; relevance depends on customer asset routing. MEXC _Murkledove Intelligence_O…—Legal representation (dispute layer)Brandl TalosAustriaOSINT claims this firm issued statements disputing corporate linkage claims. MEXC _Murkledove Intelligence_O…—OSL PayOSL Pay S.R.L.ItalyFIAT payment railOrlando MeroneTeo Jing WeiOuiTrustHeuro SASFranceFIAT payment railChuan Chen and Haixiang Li Summary & FinTelegram Context FinTelegram has repeatedly warned about MEXC’s risk profile and its disputed licensing posture across jurisdictions—especially where a large exchange appears to operate “globally” while regulatory accountability remains fragmented. This new case adds an evidence-backed customer narrative (with a formal claim letter) and an OSINT lead set that alleges an emerging pattern: asset restrictions + non-explanation + entity opacity = a recipe for consumer harm at scale. Even if MEXC argues every freeze is “compliance-driven,” the compliance industry has a name for what customers experience when the process becomes non-transparent and irreversible: governance failure. In regulated environments, “AML” is not a magic spell that dissolves a firm’s accountability to explain and remediate—especially when customer funds appear to be treated as collateral damage. This case perfectly aligns with FinTelegram’s previous warnings regarding MEXC’s scam-level ratings and its reliance on Finetix Ltd Limited, Paytend and HEURO to bypass AML filters. This case proves that MEXC is no longer just “unregulated”—it is actively predatory. By moving its mobile app development to a Delaware entity (MEXC Fintech Inc.) while maintaining its only regulatory thread in Estonia, MEXC has built a “Hydra” structure designed to survive national crackdowns while continuing to seize user assets. Read reports about the Paytend / MEXC payment rail here. Call to Action: Whistleblowers & Customers If your funds have been frozen or “liquidated” by MEXC, or if you are an employee of OSL Pay, HEURO, or Finetix with knowledge of how these transactions are coded, your information is critical. We are specifically looking for the “High-Risk” triggers used by MEXC to automate account liquidations. Share Information via Whistle42

OSL Pay, the Milan‑based payments arm of Hong Kong–listed OSL Group, is positioning itself as a MiCAR‑regulated crypto on‑ramp in the EU while at the same time providing core card and wallet rails to offshore exchanges MEXC and WEEX that target EU clients without MiCAR authorization and have attracted regulatory warnings. This dual role creates a structural “on‑ramp paradox”: an Italian VASP under MiCAR’s transitional regime effectively front‑ends unregulated trading venues for European customers. Key Findings OSL Pay S.R.L. (formerly Saintpay S.R.L.) is an Italian VASP founded by Teo Jing Wei and indirect wholly owned subsidiary of Hong Kong–listed OSL Group Limited, acquired via OSL MidasPay Limited (BVI). OSL Pay operates from Milan under MiCAR’s transitional regime and is in the process of obtaining full CASP authorization in Italy. In July 2025 OSL Pay and MEXC launched card‑based fiat on‑ramp services for MEXC; in September 2025 the partnership expanded to Apple Pay and Google Pay integrations in MEXC’s Quick Buy flow. WEEX publicly confirms integrating the “OSL Payment Channel” for its Quick Buy feature, with users redirected to OSL Pay to pay via Visa, Mastercard, Apple Pay or Google Pay. The MEXC and WEEX Quick Buy screens, payment options and “How to buy crypto” instructions are nearly identical, indicating a shared technical and UX stack centered on OSL Pay’s infrastructure. Traffic analytics show that in January 2026 about 83% of osl-pay.com’s referral traffic came from weex.com and roughly 12% from mexc.com, meaning around 95% of visible referrals originate from these two exchanges.​ Neither MEXC nor WEEX is publicly listed as a MiCAR‑authorized CASP in the EU, yet both actively market trading services, including derivatives, to EU users while relying on OSL Pay’s “local” payment rails.​ European regulators have issued warnings against MEXC and WEEX or related domains for operating without necessary local authorization, though OSL Pay is not named in these warnings.​ In early 2024 BGX Group invested about HK$710 million (≈ US$90m) into OSL Group, taking an approximately 30% stake and strengthening the group’s capital base before its European payments expansion. Taken together, these facts create an “on‑ramp paradox” in which an Italian MiCAR‑aspirant VASP (OSL Pay) functions as the primary fiat gateway for two offshore, non‑MiCAR exchanges, raising material questions about group‑level risk appetite, oversight and regulatory coverage in the EU.​ Short Narrative Our review of MEXC and WEEX payment flows reveals a shared gateway: OSL Pay. Screenshots show that: MEXC advertises purchases via “OSL Pay, Google Pay or Apple Pay.” WEEX lists OSLPay as the recommended card payment method. Both exchanges present nearly identical “Quick Buy” layouts—right down to the step-by-step instructional wording and UI structure. The checkout interface and payment selector modules appear operationally aligned. The overlap is not cosmetic—it is infrastructural. Further analysis of osl-pay.com’s referral traffic indicates that roughly 95% of inbound desktop referral traffic comes from weex.com and mexc.com, suggesting that OSL Pay functions predominantly as a dedicated on-ramp rail for these two exchanges. Go to the OSL Pay compliance listing on RatEx42 OSL Pay: Corporate background and MiCAR ambitions OSL Pay S.R.L. originates from the Italian company Saintpay S.R.L., incorporated in March 2023 and described in HKEX documents as the “Italian Target Company” to be acquired by OSL MidasPay Limited, a BVI vehicle wholly owned by OSL Group Limited (HKEX: 0863). After completion of the acquisition, Saintpay/OSL Pay becomes an indirect wholly owned subsidiary of OSL Group. Italian fintech media report that OSL Pay opened a Milan office and appointed former Bitpanda and Circle executive Orlando Merone as General Manager for Europe. Recent Italian coverage confirms that OSL Pay is operating in Italy under MiCAR’s transitional regime and is in the process of obtaining full CASP authorization from the Bank of Italy and CONSOB. These articles frame OSL Pay as a bridge between traditional payment methods (cards, Apple Pay/Google Pay) and digital assets, stressing regulatory compliance and local hiring. At the same time, they provide no detail on OSL Pay’s exposure to high‑risk offshore trading platforms such as MEXC and WEEX. The Lithuanian OSL Branch Filings with the Hong Kong Stock Exchange confirm that between late 2024 and early 2025, the OSL Group acquired a portfolio of regulated entities from vendor Teo Jing Wei. This acquisition included the Italian entity Open Pay S.R.L. (formerly known as SaintPay), which is registered as a Virtual Asset Service Provider (VASP) in Italy. Additionally, the transaction encompassed the acquisition of MultiExchange UAB (operating as MultiExchange or MultiEx) in Lithuania, which also holds VASP status. As part of this strategic expansion into North America, Teo Jing Wei further divested MultiExchange Canada Limited to the OSL Group; this entity is registered as a Money Services Business (MSB) with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). In our review on February 16, 2026, the MultiExc.com website was not functioning. It was not possible to purchase cryptocurrencies, and the LinkedIn icon was linked to the OSL Pay account. Compliance Analyst Notes Entity Names: The filings (specifically the Europe SPA dated December 9, 2024, and subsequent amendments in January 2025) identify the target companies. While “MultiEx” is the trading name, the corporate registry name in Lithuania often appears as “MultiExchange UAB.” Regulatory Status: The definitive value of these acquisitions for OSL Group was the pre-existing regulatory statuses (VASP in Italy/Lithuania and MSB in Canada), which allows OSL to bypass the lengthy application periods for new licenses. Timeline: The initial agreement was struck in December 2024, with amendments and completions extending into Q1 2025, making “2024/25” the correct temporal designator. Deep integration with MEXC and WEEX In July 2025, OSL Pay and MEXC announced a partnership to launch credit and debit card fiat on‑ramp services for MEXC users, allowing Visa and Mastercard purchases of crypto via OSL infrastructure. In September 2025 this partnership was expanded: OSL Pay and MEXC jointly announced the integration of Apple Pay and Google Pay for crypto purchases, embedded into MEXC’s Quick Buy flow. Current MEXC promotional pages explicitly advertise campaigns such as “Buy XAUT or PAXG via OSL Pay, Google Pay or Apple Pay,” evidencing that OSL Pay remains at the heart of MEXC’s card and wallet on‑ramp stack. WEEX has implemented an almost identical user journey. In a November 2025 article, WEEX explains that its Quick Buy feature integrates the “OSL Payment Channel,” describing OSL Pay as part of OSL Group and registered as a VASP in Italy. The article details that WEEX users select “OSL Pay” as payment method, are redirected to OSL’s environment, and can then pay via Visa, Mastercard, Apple Pay or Google Pay—mirroring the MEXC flow and marketing language almost one‑to‑one. Similar web statistics for OSL Pay for Jan 2026 Traffic analytics for osl-pay.com further underline this dependency: in January 2026, an estimated 83% of referral traffic originated from weex.com and about 12% from mexc.com, meaning that roughly 95% of visible referrals come from these two offshore exchanges. This concentration suggests that, in practice, OSL Pay’s European business is dominated by providing card and wallet rails to MEXC and WEEX rather than servicing a diversified portfolio of regulated EU platforms.​ Regulatory Red Flags and The “On‑Ramp Paradox” Neither MEXC nor WEEX appears as a MiCAR‑authorized CASP in available public registries, and both operate from offshore jurisdictions (MEXC from Seychelles, WEEX as an offshore derivatives venue) while actively marketing to EU users in multiple languages. MEXC Estonia OÜ is registered in Estonia with Yichen Peng listed in the commercial register as its manager and beneficial owner, but this entity is not disclosed as the operating company on the main MEXC trading websites (mexc.com and mexc.co). An Estonian registration obtained before the MiCAR framework does not in itself grant passporting rights or authorization to offer crypto‑asset services across other EU or non‑EU jurisdictions, meaning MEXC would still require appropriate local or MiCAR‑compliant approvals to lawfully target those markets. Various European regulators and warning lists have flagged MEXC and WEEX or their associated domains for operating without local authorization and offering high‑risk derivatives to retail clients (read the Dutch AFM warning here). While these warnings do not directly name OSL Pay, they make clear that the underlying venues are outside the supervised perimeter.​ Against this backdrop, OSL Pay’s MiCAR‑driven positioning as a compliant Italian “gateway” creates a structural conflict. On the one hand, the company seeks EU‑level authorization as a CASP and promotes its role in building regulated digital‑asset rails in Europe. On the other, its main practical activity appears to be the provision of card, Apple Pay and Google Pay on‑ramps to two offshore exchanges that lack MiCAR authorization, face regulatory warnings, and offer leveraged trading products to EU clients. This effectively allows MEXC and WEEX to advertise “local” and “fully compliant” payment methods while leaving trading and custody activities outside EU prudential and investor‑protection regimes. The situation is further framed by OSL Group’s strategic funding: in early 2024 BGX Group agreed to invest around HK$710 million (about US$90 million) into OSL Group, taking a stake of roughly 30%. Shortly thereafter, OSL structured its European subsidiaries (including OSL Pay) and ramped up its EU presence. The timing suggests that BGX‑backed capital has financed an aggressive European expansion built around servicing offshore exchanges, raising questions about group‑level risk appetite and governance. Key actors and roles around OSL Pay ItemName / EntityJurisdictionRegulatory status (public)Role in networkOn‑ramperOSL Pay S.R.L. (ex‑Saintpay S.R.L.)dba OSL Paywww.osl-pay.comItalyVASP in Italy, MiCAR CASP under transitional regime; indirect subsidiary of OSL GroupProvides card, Apple Pay and Google Pay fiat on‑ramps for MEXC and WEEX; core payment gateway into EU.On-ramperMultiExchange UABdba MultiExwww.multiex.comLithuaniaVASP in LíthuaniaOn-ramper and payment facilitatorParent groupOSL Group Limited(prev BT Technology Group Limited) (HKEX: 0863)Hong KongHK‑listed digital asset groupOwns OSL MidasPay Limited (BVI) which acquires OSL Pay; overall strategic controller of EU on‑ramp structure.InvestorBGX Group Holding LimitedHong KongPrivate crypto group; investor in OSL GroupInvests ≈ US$90m in OSL Group in 2024, taking ~30% stake and enabling capital‑intensive expansion including EU payments build‑out.ExchangeMEXCMEXC Estonia OÜSeychelles / offshoreEstoniaNot MiCAR‑authorized in EU; subject to multiple EU regulatory warningsUses OSL Pay for Visa/Mastercard and Apple/Google Pay Quick Buy flows addressing EU clients.ExchangeWEEXOffshoreNot MiCAR‑authorized in EU; also subject to regulatory warningsIntegrates OSL Payment Channel (OSL Pay) as Quick Buy gateway, with identical UX and “How to buy crypto” flow to MEXC.​ExecutivesOrlando Merone (LinkedIn)Teo Jing Wei (LinkedIn)ItalyGeneral ManagerCEOWei is the founder of SaintPay and sold the company to OSL Group Call for Whistleblowers FinTelegram views OSL Pay’s dual positioning—as a MiCAR‑aspirant Italian VASP and as the dominant fiat on‑ramp for unregulated offshore exchanges with EU customer reach—as a material compliance and investor‑protection concern. The concentration of osl-pay.com referral traffic from WEEX and MEXC, combined with deep technical integration and mirrored user journeys, underscores the need for closer supervisory scrutiny of this “on‑ramp paradox.” Share Information via Whistle42

A recent data leak via an accidental email has exposed questionable compliance practices at the Open Banking platform Yapily. Instead of investigating a reported illegal casino, Yapily’s compliance team instructed their partner, Klyme, to blacklist the complaining user. This case highlights the role of Open Banking facilitators in the illegal gambling industry. Key Findings: Accidental Leak: Yapily’s compliance team accidentally forwarded an internal instruction to a complaining customer instead of their partner, Klyme (www.klyme.io). Retaliation vs. Remediation: The internal email explicitly requests that the user (PSU) be blacklisted from using Yapily’s services, rather than suspending the illegal merchant. Regulatory Arbitrage: Despite the user being Dutch and the casino violating Dutch law, Yapily only inquired about access restrictions for Lithuania—likely to appease their home regulator (Bank of Lithuania) while ignoring cross-border illegality. Delayed Response: The compliance team took nearly two months (Dec 2025 to Feb 2026) to address a serious AML and regulatory complaint. The Klyme Connection: The emails confirm that Klyme (klyme.io) acts as the merchant/intermediary using Yapily’s license to process payments for the unlicensed casino Winhero. The Whistleblower Report FinTelegram has received a new submission via our Whistle42 platform involving Yapily, a UK and Lithuania-based Open Banking infrastructure provider. A Dutch player deposited funds into the unlicensed online casino Winhero (www.winhero.com) using Yapily’s payment rails. The leaked Yapily email to Klyme When the player realized the casino was operating illegally in the Netherlands—without authorization from the Kansspelautoriteit—they filed a formal complaint with Yapily in December 2025, requesting a refund and clarification on Yapily’s KYC checks. The “Oops” Moment For nearly two months, the player received only silence. Then, in February 2026, they received a reply. However, the email from compliance@yapily.com was not meant for the player. It was an internal directive addressed to the “Klyme Team,” which was CC’d to the player by mistake. This accidental disclosure provides a rare, unvarnished look into how High-Risk payment processors handle consumer complaints regarding illegal activities. Analysis: Protect the Volume, Block the Complainer The leaked email (see screenshots below) reveals a shocking approach to compliance. Shooting the Messenger In the email, Yapily’s Compliance officer writes: “We are also requesting that the Payment Service User identified would be blacklisted from using Yapily’s services to send funds to any of your clients.” Rather than investigating why their infrastructure is servicing an unlicensed casino, Yapily’s immediate reaction was to ban the whistleblower to prevent further complaints. This suggests a “kill the messenger” culture intended to protect transaction volumes. The Lithuanian Loophole The player explicitly stated they were Dutch and that the casino was violating Dutch law. However, Yapily’s internal questions to Klyme were: “Description of the measures the merchant implements to restrict access for players from Lithuania.” Yapily Connect UAB (website) is licensed by the Bank of Lithuania (No. LB002045). By focusing solely on Lithuanian players, Yapily appears to be engaging in “compliance theater”—ensuring they look clean to their direct regulator while knowingly facilitating illegal transactions in other EU jurisdictions like the Netherlands and Germany. The Klyme & Winhero Stack The email confirms that Klyme is the entity integrating Yapily’s Open Banking API. Klyme appears to be acting as the payment aggregator for Winhero. This structure is similar to the “payment stacks” FinTelegram has previously uncovered, such as the cooperation between Yapily and the Bulgarian Contiant, which also facilitated high-risk gambling traffic. Download the Yapily Compliance Report 2026 here. Conclusion The evidence suggests that Yapily and its partner Klyme are failing in their duty of care. When alerted to money laundering risks and illegal gambling (unlicensed solicitation in the Netherlands), the response was to shield the merchant and ban the consumer. This incident raises serious questions about Yapily’s monitoring capabilities. If they cannot identify that a merchant is an unlicensed casino until a user complains, and their response to the complaint is to blacklist the user, their AML/CTF frameworks are fundamentally flawed. We have made the full compliance report, including the raw screenshots and email headers, available for download here. Call to Action: Help Us Expose the Stacks This case proves that user reports frighten these operators. The accidental email shows that Yapily is terrified of “urgent legal matters” but reacts by trying to silence the user. We need your help to uncover more. Are you a player who has deposited at an illegal casino (e.g., Winhero, NineCasino, various Curacao brands) using Yapily, Klyme, Contiant, or Volt? Did you use “Instant Bank Transfer” or Open Banking? Have you been refused a refund? Do you have bank statements showing the receiver of funds? Report it to Whistle42! FinTelegram and Whistle42 will use this data to assist lawyers and regulators in holding these facilitators accountable. Your information could be the key to recovering losses for thousands of players. Share Information via Whistle42

A forensic audit of the fiat-to-crypto infrastructure utilized by the blacklisted crypto exchange MEXC has identified a highly sophisticated, multi-layered payment rail. By nesting Finetix Limited S.R.L. (Romania) within the French electronic money infrastructure of HEURO SAS (formerly Harmoniie SAS), MEXC has successfully constructed a “Red Shield” network to mask high-risk crypto flows behind legitimate-looking SEPA and SEPA Instant transfers by utilizing deceptive branding and a cadre of executives with deep roots in Chinese fintech conglomerates. The Dual-Rail Architecture Our investigation confirms that Finetix Limited S.R.L. acts as the universal “Contractual Recipient” for all Euro deposits on the MEXC mirror platform (mexc.co). Depending on the payment speed selected by the user, the flow is routed through two distinct financial arteries: 1. The SEPA Instant Rail (French Axis) When users select “SEPA Instant,” the transaction is processed through HEURO SAS, doing business under the brand OuiTrust, and the Romanian Finetix Ltd S.R. L. The Trap: Users must consent to the Terms of Service of both Finetix (as the commercial gateway) and HEURO SAS (as the EMI processor). The Deception: By presenting the destination as “Heuro Bank” at a Paris address, the platform suggests institutional banking safety. In reality, it is a virtual account managed by an EMI whose primary purpose in this chain is the settlement of high-risk crypto liquidity. In the checkbox, the MEXC customer making the deposit must confirm that they agree to the MEXC Terms, whereby the link to the Terms actually leads to the Finetix Terms. The user is therefore not making a deposit to MEXS, but to Finetix (see screenshot above). We assume that Finetix is part of the MEXC scheme. 2. The Standard Bank Transfer Rail (Lithuanian Axis) Standard SEPA transfers are routed via Paytend Europe UAB (Lithuania). As previously established, Finetix acts as the named payee here as well, ensuring that the “MEXC” brand remains invisible to the sending bank’s AML monitoring systems. Read our report on the MEXC – Finetix – Paytend Europe Rail here. The Corporate Dimension: Rebranding and Asian Influence The HEURO Transformation On December 16, 2025, the French institution Harmoniie SAS (formerly Easyeuro and Unirpay) officially rebranded as HEURO SAS. They are still doing business as OiuTrust. The name change has not yet been implemented on the OuiTrust website. Harmoniie SAS is still listed as the operator there. (This move appears to be a strategic pivot to adopt a more “bank-like” identity (“Heuro Bank”) to facilitate its expanding Banking-as-a-Service (BaaS) partnerships with offshore exchanges. Despite the branding, it remains an Electronic Money Institution (EMI) under ACPR supervision, currently operating at the limits of its regulatory mandate. The Chinese-Asian Connection Both the technology and the leadership of this rail originate from the mainland Chinese fintech sector. HEURO SAS Leadership: Controlled by individuals such as Chuan Chen and Haixiang Li, whose professional pedigrees include senior roles at Ant Financial (Alibaba), Huawei, and HSBC China. MEXC Ownership: Founded by Chinese blockchain veterans (e.g., Sheen Xin Hu) and currently managed by Singapore-based John Chen. Strategic Sync: This shared background allows for a unified operational logic. The “Shadow Rail” is not merely a service but a synchronized export of Chinese fintech bypass technology into European regulated shells. Summary Table: The French-Romanian SEPA Instant Rail LayerEntity / BrandJurisdictionRolePlatformMEXCOffshore (Seychelles)Mutated/Ghost ExchangeContractual GatewayFinetix Limited S.R.L.Finetix Ltd S.R.L.RomaniaUniversal Recipient / Legal ShieldEMI ProcessorHEURO SAS (ex-Harmoniie)FranceSEPA Instant Rail ProviderBrand Identity“Heuro Bank” / OuiTrustFranceDeceptive Trade BrandingCollection IBANFR761747800 0010 0016 6962 3202FranceFrench-to-Offshore Settlement Account Export to Sheets The HEURO Evolution We tracked the transformation of a single French corporate vehicle (SIREN 833 165 863) as it rebranded and repositioned itself within the European payment landscape, maintaining a consistent core of Chinese-origin leadership throughout its pivot toward high-risk crypto-shadow banking. 1. Timeline of Corporate Metamorphosis EraEntity NamePrimary BrandCore Strategic Focus2017 – 2018Unirpay SASUnirpayInitial entry into French fintech; cross-border payments.2018 – 2020Easyeuro SASEasyEuroRebranding to target “Easy” Euro-Chinese business settlements.2020 – 2025Harmoniie SASOuiTrustExpansion into EMI services and VASP-adjacent processing.Dec 2025 – PresentHEURO SASCompany dataHeuro BankOuiTrustFull pivot to high-speed crypto-rails for offshore exchanges (MEXC, Tap) Export to Sheets 2. The Shared Executive “DNA” The following individuals have served as the “Red Thread” connecting these entities, ensuring operational continuity despite the frequent name changes. Chuan CHEN (The Architect) Role: Founder and President He stepped down from the board in 2019 during the Easyeuro transition. Significance: Former senior executive at Ant Financial (Alibaba). He is the primary link between Chinese digital payment logic and the French regulatory environment. Haixiang LI (The Infrastructure Lead) Role: Director General (DG) of HEURO SAS; previously key leadership in Harmoniie. Significance: Background in Huawei and HSBC China. He manages the technical “pipes” that allow the SEPA Instant system to interface with the Finetix/MEXC infrastructure. Xue DINGSHENG & Xue LU (The Founding Board) Role: Original board members of Unirpay SAS. Significance: Instrumental in the initial licensing phase with the French ACPR. Their involvement established the original “corridor” between Paris and the Chinese tech sector. 3. The “Chinese Fintech Pedigree” Diagram The corporate structure of HEURO is not typical for a French EMI. It is built as a “Gateway for Export”—specifically designed to allow offshore entities (like MEXC) to tap into the European Banking Union. 4. Compliance Risk: The Persistence of Control The fact that the same individuals have remained in control through four different rebrandings is a major compliance signal. In AML/KYC terminology, this is known as “Permanent Entity Control” used to mask a shifting business model. Risk Pattern: While the name on the license changes to avoid historical scrutiny, the beneficial ownership and executive intent remain static. The Finetix Tie-In: By the time the company became HEURO, it had fully integrated with Compliance Verdict: High-Velocity Risk Status: CRITICAL VIOLATION (RED SIGNAL) The payment architecture orchestrated by MEXC, Finetix Limited S.R.L., and HEURO SAS (dba Heuro Bank / OuiTrust) represents a deliberate attempt to circumvent the Markets in Crypto-Assets (MiCA) framework and Anti-Money Laundering (AML) directives. This infrastructure is not merely high-risk; it is a textbook case of Transaction Laundering and Regulatory Arbitrage. Key Compliance Violations: Unlicensed Crypto Service Provision (MiCA Violation): MEXC operates within the EU without the mandatory MiCA authorization. Simultaneously, Finetix Limited S.R.L. (Romania) markets itself at www.finetix.net as a crypto service provider despite being unregistered as a VASP in Romania. The fact that the Finetix website is currently non-functional (“ghosting”) further indicates a lack of operational substance (Shell Company risk). Facilitation of Unlicensed Entities (HEURO SAS): As a French-regulated EMI, HEURO SAS is legally obligated under 5AMLD/6AMLD to perform rigorous Know Your Business (KYB). Processing SEPA Instant transfers for an unlicensed, offshore exchange (MEXC) via an unregistered Romanian shell (Finetix) constitutes a massive failure in institutional oversight and potential complicity in unlicensed financial intermediation. Deceptive Payment Labeling & “Shadow Banking”: The use of the “Heuro Bank” trade name by an EMI to process funds for a blacklisted entity is a deceptive practice designed to bypass the automated AML filters of the users’ sending banks. This obscures the high-risk nature of the destination (Crypto) behind an institutional “Banking” facade. Jurisdictional Layering: By inserting a Romanian “Terms Holder” between a French processor and a Seychelles exchange, the participants have created a fragmented legal trail. This prevents a single national regulator from having a clear view of the end-to-end transaction, a common tactic in laundering criminal proceeds or bypassing sanctions. Summary of Institutional Risk EntityPrimary ViolationRegulatory ExposureMEXC GlobalUnlicensed operation in EUMiCA Enforcement / Asset FreezingFinetix LtdUnregistered VASP activitiesRomanian Police / AML InvestigationHEURO SASKYB Failure / Processing for Unlicensed EntitiesACPR License Revocation / Fines Export to Sheets Call to Whistleblowers Are you an employee of HEURO SAS in Paris or Finetix in Bucharest? Do you have internal documentation regarding the profit-sharing agreements between these entities and MEXC? We are specifically seeking: KYB files submitted by Finetix to HEURO SAS. Transaction logs showing the daily settlement volumes from the French FR76 IBAN to MEXC-controlled wallets. Communication between HEURO executives and MEXC’s John Chen. Share your information securely and anonymously via our platform. Share Information via Whistle42

Investigative forensics have unmasked the sophisticated “shadow rail” powering the Euro-denominated on-ramps for the globally blacklisted exchange MEXC. By deploying a complex layering strategy across Romania and Lithuania, MEXC avoids regulatory scrutiny and banking blocks, utilizing a “ghost” payment gateway that effectively launders the identity of the merchant from the financial system. The Anatomy of Deception While regulators across Europe issue warnings against MEXC Global, the exchange continues to process millions in Euro deposits via its “mutated” mirror domain, MEXC.co and its main domain MEXC.com. One rail behind this bypass is the Romanian Finetix Ltd S.R.L. via the Lithuanian Paytend Europe UAB. By using a Romanian shell company as the payee and a Lithuanian EMI for the banking pipes, MEXC ensures that bank compliance systems remain blind to the destination of the funds. Forensic Compliance & Risk Analysis 1. The “Ghost” Payee: Finetix Limited S.R.L. When a registered MEXC user initiates a bank transfer, they are directed to send funds not to MEXC, but to Finetix Ltd S.R.L. aka Finetix Limited S.R.L. This entity, registered in Bucharest, Romania (Strada BUZESTI, Nr. 75-77), is a not registered or regulated Romanian crypto service provider and serves as a contractual shield. It is a standard limited liability company with no financial or crypto license. Its primary purpose is to act as the “Merchant of Record,” ensuring the name “MEXC” never appears on a user’s bank statement. Based on the wording on the MEXC website, the processes as well as look and feel of both websites, we assume that Finetix is closely affiliated with or controlled by MEXC. We also found that the Finetix website (www.finetix.net) does not work. Officially, the website offers the purchase of crypto. However, in our review, it was not possible to register or complete a transaction. It is very obvious that the website is just a front for MEXC. 2. The Financial Pipe: Paytend Europe UAB The actual funds land in a Lithuanian IBAN (LT48 3120 0108 5320 6016) held at Paytend Europe UAB. Paytend, a licensed Electronic Money Institution (EMI) in Lithuania, provides the virtual IBAN (vIBAN) infrastructure. Curiously, the payment instructions list the “bank address” as the Romanian office of the payee, a highly irregular practice designed to confuse automated AML triggers that look for jurisdictional consistency. 3. The Anatomy of the Shadow Flow Our forensic investigation into the specific payment instructions (IBAN LT483120010853206016) reveals a deliberate “Triple-Masking” strategy: The Address Deception: In a highly irregular move, the payment instructions list the Romanian address (Strada BUZESTI, Nr. 75-77) as the “Bank Address” for a Lithuanian IBAN. This is a classic tactic to confuse automated AML filters that would otherwise flag a cross-border mismatch between a Romanian payee and a Lithuanian bank (Note: This address is a high-density “virtual office” hub often used by fintech and IT services firms.) The Romanian Shell: The payee is Finetix Limited S.R.L., registered in Bucharest. This is a standard commercial entity with zero financial or crypto-asset licenses. It acts as a “Merchant of Record” to hide the name “MEXC” from bank audits. The Lithuanian Pipe: The funds land at Paytend Europe UAB, a Lithuanian Electronic Money Institution (EMI). Paytend provides the IBAN, but importantly, Paytend is not a crypto exchange. It is a bank-like entity being used as a blind passthrough. Compliance & Risk Analysis Verdict: CRITICAL RISK (BLACK) There is no registered VASP (Virtual Currency Exchange Operator) in this transaction chain. Users are sending money to a Romanian IT shell which then presumably funnels the liquidity to MEXC’s offshore accounts. ComponentEntityRoleStatusBrandMEXC The public interface. High RiskContractual PayeeFinetix Limited S.R.L.Romanian Shell (Bucharest)Payee for Deposits UnlicensedFinancial RailPaytend Europe UAB(www.finetix.net)Lithuanian EMI (Vilnius)IBAN provider IntermediaryCrypto LicenseNONEMissing VASP Anchor CRITICAL FAILURE Export to Sheets The Trap: Registered MEXC users believe they are utilizing a “secure” EU bank transfer. In reality, they are participating in an unregulated “shadow settlement” that has no consumer protection, no insurance, and no MiCA compliance. Risk Verdict: CRITICAL (RED) The Finetix-MEXC partnership is a textbook example of Transaction Masking. By decoupling the brand (MEXC) from the payee (Finetix) and the bank (Paytend), the group facilitates unlicensed financial services to EU residents. Under the MiCA 2026 framework, such “shadow rails” are illegal and subject to severe penalties for both the exchange and the facilitators. Whistle42 Call to Action Insiders at Finetix Limited S.R.L. or MEXC are encouraged to come forward. We are seeking internal documentation from Paytend Europe compliance officers or Finetix Limited S.R.L. employees. What is the volume of “Digital Asset Purchase” traffic moving through IBAN LT483120010853206016? Who is the ultimate beneficial owner (UBO) of the Romanian shell? Share Information via Whistle42