Zentoria / Spinsopotamia and the NALMI Casino Network – New Compliance Intelligence Report Released

Public‑source OSINT model links a Zentoria‑facing billing descriptor into a tightly concentrated casino infrastructure – without yet proving ownership or a single UBO.

For months, FinTelegram has been tracking how Irish‑licensed bookmaker Zentoria Limited and its billing descriptor “Spinsopotamia.com Dublin” appear in connection with offshore casino brands within the NovaForge network. Earlier reporting showed how deposits into brands such as Robycasino and Spinsy surfaced Zentoria and Spinsopotamia on player card statements, positioning the combo as an EU‑facing payment façade rather than a conventional operator brand.

A newly completed FinTelegram Compliance Intelligence Report now adds a dense technical OSINT layer to this story. Based on four isolated collection runs and 496 casino‑related domains, the report maps how the Zentoria‑facing anchor SPINSOPOTAMIA.COM currently resolves into the same NALMI / AS213846 – 185.207.196.0/22 infrastructure envelope as 495 of 496 investigated domains, with 120 byte‑identical application‑asset groups connecting 98 of them into 16 deployment components across 29 brand families.

Key findings – Zentoria / Spinsopotamia / NALMI report

• SPINSOPOTAMIA.COM, used as billing descriptor and casino entry point for Zentoria Limited, currently resolves to 185.207.197.216, inside the same 185.207.196.0/22, AS213846 (NALMI) infrastructure envelope as 495 of 496 investigated casino‑related domains.
• The dominant casino endpoints sit in 185.207.196.0/24 (491 domains), with only a handful of domains in 197/24, 198/24 and 199/24 – indicating a highly concentrated casino infrastructure routed through a single provider and prefix.
• After removing generic Cloudflare and third‑party assets, 120 meaningful SHA‑256 hash groups were identified, forming 16 technical components that connect 98 domains across 29 observed brand families via byte‑identical first‑party application bundles.
• The largest application component links 36 domains from ten brands (including BoaBoa, Boomerang Casino, BuranCasino, Cadoola, CasinoInfinity, CasinoUnlimited, Castyr, Fezbet, Librabet, Rabona) through dozens of identical JavaScript bundles, consistent with a shared multi‑skin casino platform.
• Fifty‑one domains across fourteen brand families expose identical Sentry Replay sampling values (for both session and error replay), providing a telemetry‑layer correlation that overlaps with the application‑layer components and reinforces the shared‑platform pattern.
• Platform and service‑layer artefacts (including an explicit SPTPub host and recurring integrations such as analytics, Hotjar‑style behavioural tools, SEON, MiFinity, PaymentIQ, Anjouan components, Sportradar, Zendesk and mail providers) point to a templated, centralised casino‑platform environment used across many brands.
• Spinsopotamia.com itself did not produce meaningful shared‑asset hashes in the analysed snapshot due to incomplete public asset collection; its correlation with the wider network is therefore established through DNS, prefix and ASN rather than application‑layer matches, and this absence is treated as incomplete data, not as disproof.
• The report uses a tiered evidence weighting system (PRIMARY/SECONDARY/LEAD/BACKGROUND) and explicitly warns against silently converting a match on one layer (e.g. prefix, application bundle, telemetry configuration) into presumed matches on every other layer.
• Legally, the report does not claim common ownership of all 496 domains, does not identify a single UBO, and does not assert that Zentoria Limited controls all NALMI customer accounts or that any criminal or regulatory breach has been proven; it instead defines a high‑correlation infrastructure environment and a set of high‑value disclosure targets.
• Primary disclosure targets identified include NALMI (185.207.196.0/22 customer and abuse records), Cloudflare (zone and origin history), SPTPub and other platform/telemetry/support providers (tenant ownership and authorised users), and payment/cashier providers (MIDs, routing parameters, acquirers, and settlement beneficiaries), which together hold the records needed to move from technical correlation to any legal attribution.

Read our Zentoria Reports here.

High correlation – without overstepping into ownership claims

At the infrastructure layer, the strongest finding is concentration, not exact‑IP identity. The majority of observed casino endpoints sit in 185.207.196.0/24, while Spinsopotamia.com currently resolves to 185.207.197.216 – a different host, but within the same 185.207.196.0/22 prefix and the same NALMI provider envelope. This creates a narrow, clearly defined target area for regulators and payment institutions: an entire casino ecosystem routed through one infrastructure provider, with the Zentoria‑facing descriptor sitting inside that same block.

Above that, the new report documents 120 meaningful cross‑domain SHA‑256 hash groups that bind 98 domains into 16 application‑layer components, including large clusters spanning brands such as BoaBoa, Boomerang Casino, BuranCasino, Cadoola, CasinoInfinity, Casinoly, Joker8, Frumzi, BetRiot, GreatWin, PowerUpCasino, ExciteWin, Playzilla, PolestarCasino, FunID, LegendPlay, PowBet and others. Fifty‑one domains across fourteen brand families also expose identical Sentry Replay sampling values, while recurring platform and service‑layer components (for example SPTPub, MiFinity, SEON, analytics and support tooling) point to a templated, centralised casino‑platform environment.

Crucially, the report is explicit about what it does not do. It does not establish that Zentoria Limited legally owns or operates every domain in the NALMI /22 cluster; it does not identify a single ultimate beneficial owner; and it does not assert criminal or regulatory liability as a matter of law. Instead, it converts a very large body of public‑source technical evidence into a compact correlation model and a set of primary disclosure targets – notably NALMI as infrastructure provider, Cloudflare at the edge, SPTPub as platform host, Sentry and Zendesk as telemetry/support tenants, and the payment and wallet providers underpinning the cashier layer.

Why this matters for regulators and payment institutions

For gambling and financial regulators, acquiring banks, wallet providers, and card schemes, the significance is twofold. First, the infrastructure and application‑layer correlation narrows down where to ask questions: who controls the customer accounts behind 185.207.196.0/22, who owns the platform tenants, and who benefits from the settlement flows behind these rotating casino domains. Second, the presence of a licensed EU bookmaker at the visible payment layer – Zentoria Limited – raises classic questions about shadow processing, descriptor‑laundering and mixed‑risk merchant portfolios, similar to patterns previously observed in other FinTelegram cases.

The new report is therefore not a verdict but a map: it highlights the rails, entities, and ecosystems that regulators and PSP compliance teams should now interrogate with their own legal powers and customer‑information records.

Download the full report

FinTelegram has decided to make the full “Zentoria / Spinsopotamia and the NALMI Casino Network” Compliance Intelligence Report available as a downloadable document for regulators, payment institutions, banks, crypto exchanges, legal counsel, and investigative media partners.

Download the full Zentoria / NALMI Compliance Report here.

The report sets out the methodology, data scope, infrastructure and application‑layer findings, telemetry and platform‑layer markers, a detailed correlation matrix, and a dedicated limitations and legal‑boundary section.

Call for whistleblowers: help close the gaps

As always, public‑source OSINT can only go so far. The decisive pieces – merchant IDs, gateway and routing IDs, settlement beneficiaries, internal platform tenants, and contract structures – sit with providers, insiders, and affected customers.

FinTelegram therefore calls on whistleblowers, former employees, payment insiders, and affected players:

• Have you seen “Spinsopotamia.com Dublin”, Zentoria Limited, or NALMI‑hosted casino brands on your card or bank statements?
• Do you have onboarding emails, checkout screenshots, merchant receipts, or internal documents referencing Zentoria, Spinsopotamia.com, NovaForge, NALMI, or their payment providers?
• Do you know which acquirers, PSPs, wallet providers, or EMI/PI entities are actually processing and settling these flows?

Please submit your information securely and anonymously via our whistleblower platform Whistle42.