The investigative platform SpinangaCase recently published the Vavada Files, a series on the offshore casino Vavada and its front merchant Floxydy. These reports allege a transaction-laundering flow that disguised Vavada casino deposits as “cosmetics” purchases and routed them through PayWRX into NetworxPay infrastructure. Our spot checks confirm a Russian-language NetworxPay backoffice branded “Paywrx Connect Ltd” and public API docs matching the described gateways. This note maps the flow and flags regulatory exposures.
Key Points
- Offshore casino: Vavada (vavada.com) is a Curacao-based offshore casino with a Cyprus-based payment agent.
- Front merchant (Floxydy): Charges surfaced as FLOXYBEATY, MCC 5977 (Cosmetics Stores) while funding alleged casino balances—classic transaction laundering via MCC misclassification. Source series: SpinangaCase, Parts I–III (Source: spinangacase.com).
- Processor layer: SpinangaCase links the flow to the Canadian MSB PayWRX marketing front, with processing handled in NetworxPay. NetworxPay’s merchant backoffice explicitly shows “Paywrx Connect Ltd” with EN/RU locales—consistent with the claim of a unified stack (Source: spinangacase.com)
- Tech evidence: Public NetworxPay API docs expose endpoints (
gateway.networxpay.com,backoffice.networxpay.com) and receipt patterns aligned with processor behavior described in the Spinanga posts (Source: docs.networxpay.com). - Risk lens: Potential breaches include MCC misuse, transaction laundering, and weak SoF checks—contrary to Visa rules and EU AMLD6 expectations referenced by SpinangaCase.
Short Narrative / What we validated
SpinangaCase (Oct 11–16, 2025) documents that the working Czech “cosmetics” shop Floxydy (floxydy.com) carried live checkout but also surfaced on bank statements when players funded casino accounts—timing and descriptors matched “FLOXYBEATY / MCC 5977.” Their Part III moves beyond the storefront to PayWRX and its NetworxPay backbone. Our own look confirms:
- backoffice.networxpay.com presents a Merchant Login footered “© 2023–2025 Paywrx Connect Ltd” with EN/RU toggle—strong indicator of shared corporate/technical control and the RU-language operational footprint Spinanga highlighted (Source: backoffice.networxpay.com).
- docs.networxpay.com shows standard card/APM integrations and receipt URLs that resolve under backoffice.networxpay.com—consistent with the dual brand (public marketing + private gateway) (Source: docs.networxpay.com).
- paywrx.com publicly positions as a FINTRAC-registered payment gateway operated by the FINTRAC registered PayWRX Connect Ltd (site blocks bot scraping), which aligns with Spinanga’s portrayal of a glossy front end (Source: paywrx.com).
Operator Profile: Vavada and Magefin – the Curaçao-Cyprus payment bridge
Corporate Identity
- Operator: Vavada B.V.
- Company Number: 143168
- Registered Address: Hanchi Snoa 19, Trias Building, Curaçao
- Jurisdiction: Curaçao
- License Reference: 8048/JAZ (Antillephone N.V. master license family)
EU Payment Agent
- Entity: Magefin Ltd
- Company Number: HE 404179
- Registered Address: 23 Kennedy Avenue, Office 201, 1075 Nicosia, Cyprus
- Function: Acts as official payment agent of Vavada B.V., facilitating fiat and card transactions for EU/EEA players.
- Regulatory Status: Cyprus-registered company, not licensed as a payment institution or EMI under CySEC or the CBC public registers.
- Compliance Risk: The agent model potentially breaches PSD2 perimeter rules and AMLD6 due-diligence obligations when it intermediates funds for unlicensed gambling.
Operational Pattern
The Vavada setup reflects the typical Curaçao + EU-agent construct used across offshore gambling operations:
- The Curaçao entity (Vavada B.V.) holds the nominal e-gaming license and customer terms.
- The EU agent (Magefin Ltd) receives card or SEPA payments under benign descriptors, often through third-party processors.
- Settlement then routes offshore, insulating the operator from direct EU enforcement.
Analyst Assessment
This corporate layering enables EU payment reach without EU licensing, a recurring hallmark of high-risk gambling operators. When coupled with the alleged MCC 5977 cosmetics-store routing (Floxydy), it suggests a coordinated transaction-laundering scheme designed to obscure gambling merchant codes from banks and card networks.
FinTelegram Review: Vavada Casino
Unlicensed EU Access
During FinTelegram’s ongoing compliance reviews across multiple EU jurisdictions (Austria, Germany, Italy, and others), test users were able to register and deposit on vavada.com without restriction. No geo-blocking, IP redirection, or license disclosures for the EU or UK were detected. SpinangaCase calls Vavanda “a Russion casino in Western disguise.” Our traffic intelligence analysis confirmed the Russian connection.
Evidently, Vavada operates without authorization under national gambling laws and the EU’s regulatory frameworks (notably the MGA, ADM, or Kansspelautoriteit), yet continues to target European consumers.
Deposit Channels Observed
Vavada accepts an unusually broad mix of fiat and crypto payment methods, indicative of an attempt to maximize accessibility while fragmenting regulatory responsibility:
- Credit/Debit Cards — processed through both traditional and “alternative” channels; no 3-D Secure enforcement observed.
- E-wallets — including Piastrix, a Russian-linked payment system commonly used by high-risk gambling brands.
- Mobile Payments — Google Pay and Apple Pay are integrated, often routed via indirect merchant domains (see below).
- Cryptocurrencies — Bitcoin, USDT, and Ethereum via Bybit Pay and Binance Pay, both accessed through anonymized subdomains.
- Alternative Card Processors — notably:
- Repayfor (repayfor.com), operated by Firelaketech LLC, registered in the Marshall Islands.
- Pay-Masters (pay-masters.com), likewise Marshall Islands-registered.
Both entities appear on multiple AML risk lists and have been observed servicing unlicensed casinos in prior FinTelegram reports.
- Jetonbank (Belize) — another recurring facilitator in the offshore gambling scene, enabling cross-border e-wallet transfers.
Anonymous Payment Domains
FinTelegram’s payment-flow tests confirmed that Vavada uses non-public, operator-concealed domains for payment redirection — a hallmark of “anonymous payment environments.”
Example: Selecting Google Pay redirects users to https://checkout.transactes.com, a domain with no public website, legal imprint, or SSL ownership record traceable to Vavada or its payment agent Magefin Ltd. On the G Pay payment page, “fastpayway” is then listed as the recipient. No trace of a deposit to an offline casino. Perfectly hidden from Google.
Similar shadow domains have been associated with transaction-laundering schemes previously documented in FinTelegram’s investigations into Donbet, Rolletto, and Stake.com.
Crypto Payment Layer
For crypto deposits, the platform integrates Bybit Pay and Binance Pay through an anonymously operated subdomain of zicrosync.com, likely serving as an API proxy to conceal the receiving wallet. This structure obscures both the merchant beneficiary and the on-chain audit trail, increasing AML risk.
Compliance Assessment
The cumulative evidence indicates that Vavada B.V.—through Magefin Ltd and various offshore processors—runs a multi-layered payment infrastructure deliberately designed to:
- Circumvent EU gambling restrictions,
- Mask true merchant identities and MCC codes, and
- Enable frictionless cross-border crypto-fiat conversion via opaque intermediaries.
Such practices fall squarely within transaction-laundering typologies defined by card schemes and AMLD6 regulators.
Banks or payment facilitators servicing these flows could face serious AML and PSD2 perimeter-breach exposure.
Regulatory / Compliance Analysis
- Transaction laundering via MCC: Routing gambling deposits under MCC 5977 conceals true merchant category—historically treated harshly by card schemes and prosecutors (see prior U.S. cases against gambling processors). This creates brand-risk triggers and potential scheme fines up the acquiring chain (Sources: moneylaundering.com, moneylaundering.com).
- AMLD6 obligations: If the same operator stack mingles high-risk gambling with crypto on-ramping, SoF/SOW controls and license perimeter assessments become pivotal for EU exposure. Spinanga’s evidence points to insufficient transparency on merchant ownership and flows (Source: spinangacase.com).
- Jurisdictional exposure: EN/RU localization in the processor backoffice plus alleged ruble-adjacent traces (as Spinanga claims) heighten sanctions and KYC risk if any Russia-touching corridors persisted post-2022. (We are seeking direct bank/SWIFT corroboration for this element.) (Source: spinangacase.com).
| Entity / Domain | Jurisdiction | Registration No. | Role in Scheme | Primary Connections | Notes / Evidence |
|---|---|---|---|---|---|
| Vavada B.V. / vavada.com (incl. mirrors) | Curaçao | RN 143168 | Offshore casino operator (license under 8048/JAZ family) | Uses Magefin Ltd as payment agent; serviced by PayWRX / NetworxPay per investigations | Public site T&Cs; Curaçao registry; SpinangaCase & FinTelegram tests |
| Magefin Ltd | Cyprus | HE 404179 | EU-facing payment agent for Vavada B.V. | Receives/mediates fiat card/SEPA flows for Vavada | Declared in Vavada T&Cs; Cyprus Registrar filings |
| Connect Online S.R.O. d/b/a Floxydy / Descriptor: FLOXYBEATY floxydy.com | Czech | — | Front merchant (alleged transaction laundering via MCC 5977 – Cosmetics) | Checkout used to fund Vavada balances; routed via PayWRX → NetworxPay | SpinangaCase series; FinTelegram statement reconstructions |
| PayWRX Connect Ltd d/b/a PayWRX / paywrx.com | Canada | — | Processor front/brand; merchant onboarding & routing | Linked to NetworxPay gateway; footer shows “Paywrx Connect Ltd” | Public site; NetworxPay backoffice footer; SpinangaCase references |
| NetworxPay / networxpay.com; backoffice.networxpay.com; docs.networxpay.com | — | — | Payment gateway/backoffice & settlement tooling | Processes PayWRX merchant traffic; EN/RU backoffice; receipt URLs align with API docs | Public API docs; backoffice login; SpinangaCase series; FinTelegram validation |
| checkout.transactes.com | — | — | Anonymous payment domain used for Google Pay redirection | Presented during Vavada GPay checkout flows | FinTelegram test flows; no legal imprint on domain |
| zicrosync.com (anonymous subdomain) | — | — | Proxy/relay for Bybit Pay & Binance Pay crypto deposits | Masks receiving merchant/wallet; on-ramp to Vavada balances | FinTelegram crypto deposit tests |
| Repayfor / repayfor.com | Marshall Islands | — | Alternative card processor for high-risk merchants | Integrated on Vavada deposit page | FinTelegram tests; on-site integrations |
| Pay-Masters Ltd d/b/a Pay-Masters / pay-masters.com | Marshall Islands | — | Alternative card processor for high-risk merchants | Integrated on Vavada deposit page | FinTelegram tests; on-site integrations |
| Piastrix / piastrix.com | — (RU-linked) | — | E-wallet for fiat-in/fiat-out servicing high-risk gambling | Available as e-wallet option on Vavada | FinTelegram tests; prior industry reports |
| Jetonbank | Belize | — | E-wallet / transfer service used in offshore gambling | Offered on Vavada deposit page | FinTelegram tests; prior FinTelegram coverage |
| Bybit Pay / bybit.com | — | — | Crypto payment channel | Accessed via zicrosync.com proxy to credit Vavada | FinTelegram tests |
| Binance Pay / binance.com | — | — | Crypto payment channel | Accessed via zicrosync.com proxy to credit Vavada | FinTelegram tests |
What we’re asking insiders to provide (evidence pack wishlist)
- Merchant onboarding files (Floxydy / PayWRX / NetworxPay): MIDs, MCC assignments, acquirer names, risk questionnaires.
- Gateway logs / receipt URLs linking Vavada deposits to FLOXY* descriptors (screenshots + full URLs).
- Settlement statements or chargeback reports showing descriptor rotations and routing IDs.
- Email headers between [email protected] and processors (“we will contact our payment provider”) to establish chain-of-command. (Hash your files, redact PII—we can handle safely.)
Editorial Note & Credit
This note cross-references SpinangaCase reporting on Floxydy/PayWRX/NetworxPay (Parts I–III). We thank them for surfacing artifacts; FinTelegram independently verified the NetworxPay backoffice branding and public API documentation. Further confirmations welcome.
Actionable Insight (for banks/processors)
Run a descriptor + BIN-range sweep for FLOXY* under MCC 5977 with abnormal chargeback/velocity into EU/EEA—escalate for enhanced due diligence when downstream merchant names suggest gambling or Curaçao-licensed entities. Combine with networxpay.com referral URLs in transaction metadata to flag laundering patterns. (Use typologies in recent FIU/industry write-ups as control references.)
Call for Information
Were you onboarded by PayWRX/NetworxPay or processed deposits where FLOXY* appeared on statements? Are you a former employee, acquirer, or integrator with access to MIDs, routing tables, or scheme correspondence? Contact FinTelegram (or submit via Whistle42). Confidentiality guaranteed;
