THE CLOAKED CASINO CLAN
Slotoro and Boomerang-Bet: Fake Mobile Apps, Ghost APKs, and the Shadow Skrill Network
An in-depth investigation into the Galaktika N.V. ecosystem reveals a coordinated scheme in which its casino brands Slotoro and Boomerang-Bet exploit deceptive mobile applications and hidden distribution channels to access user devices, extract sensitive KYC data, and reroute deposits through concealed payment rails.
At the center of this operation is a dual-track strategy targeting both Apple and Android users. On iOS, Slotoro operates behind a disguised puzzle app, while on Android both brands push users toward unofficial APK downloads masquerading as legitimate Google Play applications.
Core Objective
Identity Capture and Payment Obfuscation
The technical purpose of this mobile infrastructure is twofold:
- to covertly collect identity documents and banking data;
- to redirect player deposits into off-ledger payment structures commonly referred to as “Shadow Skrill” accounts.
These mechanisms form the initial entry point into a broader transaction-laundering framework connected to NGPayments, Paygate, and offshore shell entities.
Slotoro: Operational Background
Open-source records confirm that Slotoro (https://slotoro.bet) is operated by Wiraon B.V., holding a Curaçao gambling license, and promoted via the V.Partners affiliate program. The same affiliate network advertises multiple casinos linked to Galaktika N.V.
Multiple technical indicators and insider disclosures show that Slotoro does not operate independently. Instead, it shares backend systems, payment routes, and distribution logic with other Galaktika-branded casinos.
Apple App Store Manipulation
The “Puzzle App” Cover
Public Listing
On Apple’s App Store, Slotoro appears under the name “Lines and Knots: Puzzle World” (App ID 6738087359). The listed developer is KATO Oy, an entity not publicly associated with gambling operations.
Hidden Functionality
While the App Store description advertises a casual puzzle game, the installed application dynamically converts into a full Slotoro casino interface once it establishes a server connection. This transformation is controlled remotely and triggered based on factors such as IP address or server-side instructions.
Compliance Implications
Such behavior constitutes a direct breach of Apple App Store Guideline 5.3 (Gambling), which explicitly forbids deceptive application behavior and requires transparent licensing disclosures for gambling-related software.
Android Distribution
The “Ghost APK” Model
Unlike its iOS deployment, Slotoro avoids the Google Play Store entirely on Android devices.
Download Endpoint
Users are redirected to https://fisodao2.com/, where they are instructed to download a raw APK file outside of Google’s official ecosystem.
Security Consequences
By forcing direct APK installation, the operator bypasses Google Play Protect and other automated security checks. Victim reports confirm that these APKs contained malicious components responsible for the compromise of passport data and online banking credentials.
Boomerang-Bet
Fake Google Play Signals
Boomerang-Bet employs a nearly identical tactic, but with an additional layer of deception.
Visual Deception
Within the Boomerang-Bet interface, users are shown a prominent “GET IT ON Google Play” badge, designed solely to convey legitimacy.
Redirected Downloads
Instead of linking to Google Play, the badge routes users to domains such as https://boomerang-bet-android.com/, where APK files like Boomerang-Bet.apk are hosted for manual installation.
Malware Vector
This method deliberately disables Google’s security controls, allowing the deployment of the same KYC-harvesting malware previously identified in Slotoro-linked installations.
Shared Infrastructure and Control
Technical records show that both brands rely on the same distribution nodes:
- Slotoro APK source: slotoro36.bet
- Boomerang-Bet APK sources: boomerang-bet-android.com, boomerang-bet0101.com
The reuse of these assets demonstrates centralized management rather than independent brand operations.
Findings Summary
One Network, One Strategy
The domain boomerang-bet-android.com functions as a malicious distribution hub. Its existence confirms that fraudulent mobile app deployment is a deliberate and permanent operational pillar of the Galaktika N.V. / Wiraon B.V. structure.
Slotoro and Boomerang-Bet serve as entry mechanisms—offering a mobile gaming experience while funneling users into identity theft and payment diversion workflows.
Technology and Payment Backbone
SoftSwiss, Cyperion, and NGPayments
Despite operating under offshore Curaçao licenses, both brands utilize Affilka, the affiliate tracking system provided by SoftSwiss. This creates a significant regulatory contradiction: an MGA-regulated technology provider supplying critical infrastructure to brands involved in identity theft and unlicensed payment processing.
This mobile distribution layer feeds directly into a financial routing system involving Cyperion Solutions Limited and NGPayments.
Transaction Lifecycle
- Installation – User installs a disguised puzzle app or an unofficial APK.
- Deposit Prompt – The app instructs the user to fund their account via NGPayments.
- Fund Diversion – Deposits are routed into unauthorized “Shadow Skrill” accounts.
- Game Simulation – The user interacts with manipulated casino software while funds are extracted.
The appearance of KATO Oy as the App Store developer suggests the deliberate use of proxy developers to protect core brands from enforcement actions. Apple should immediately audit App ID 6738087359 and its associated developer account.
Paygate’s Role in the Scheme
A review of Skrill confirmation emails and corresponding bank statements confirms Paygate as a central technical routing component.
Although entities such as Cyperion Solutions Limited and Briantie Limited appear as nominal beneficiaries, Paygate operates alongside NGPayments as the underlying transaction handler.
Structure of the “Shadow SKR*Skrill.com” Flow
Key Mechanisms
- Technical Routing: Paygate appears in Skrill notifications as the payment instrument, often alternating with NGPayments.
- Layered Settlement: Deposits (e.g., €20.00) are initiated via fraudulent apps, routed through Paygate, and settled to entities like Novaforge Limited or Briantie Limited, while bank statements display only “SKR*Skrill.com.”
- Account Illusion: Victims receive official Skrill emails, yet their personal Skrill balances remain unchanged because funds never reach their accounts.
The use of consulting-company shells instead of licensed payment or gambling operators, combined with disguised merchant descriptors and links to Slotoro, Boomerang-Bet, and beef.casino, aligns with classic transaction-laundering patterns.
Overview: Entities and Functions
| Entity | Evidence Source | Functional Role |
|---|---|---|
| Paygate | Skrill confirmation emails | Technical routing gateway |
| NGPayments | Bank records, Skrill emails | Masked payment rail |
| Briantie Limited | Bank statements | Primary merchant shell (Cyprus) |
| Cyperion Solutions Limited | Transaction logs | PayFac shell (SIC 70229) |
| Novaforge Limited | Skrill confirmations | Secondary beneficiary |
Advisory for Affected Users
If a Skrill confirmation email exists but the transaction does not appear in your account history, your personal data may have been used to generate a shadow account. Avoid contacting casino support. Immediately notify your bank and relevant authorities.
In the reported case, the affected individual was required to replace his national ID and reset all financial credentials.
Whistleblower Outreach
Have you encountered KATO Oy, Slotoro app shells, or similar cloaking techniques during app reviews?
Do you possess internal knowledge of Galaktika-linked mobile distribution schemes?
Submit information through the Scam-Or Project whistleblower section.
