Close Menu
    Subscribe
    Your shield against financial fraud
    Your shield against financial fraud
    Trending Now:
    Back
    Illegal gambling

    The Yapily Internal Leak: Blacklisting the Whistleblower Instead of the Illegal Casino

    Avatar photo By Tom Morris - February 17, 2026 No comments 5 mins read
    The Yapily Internal Leak: Blacklisting the Whistleblower Instead of the Illegal Casino

    A mistakenly forwarded internal email has exposed troubling compliance behavior at the Open Banking provider Yapily. Rather than examining allegations concerning an unlicensed online casino, Yapily’s compliance department instructed its intermediary partner, Klyme, to block the complaining user from future transactions.

    The incident raises serious questions about how Open Banking infrastructure providers handle high-risk gambling merchants and cross-border regulatory violations within the European Union.

    Executive Summary of Findings

    • Internal Email Misfire: Yapily’s compliance team accidentally sent an internal instruction to a customer instead of to Klyme (www.klyme.io).
    • User Sanction Instead of Merchant Review: The directive focused on blacklisting the Payment Service User (PSU), not suspending the casino.
    • Selective Regulatory Focus: Despite the casino breaching Dutch law, Yapily’s inquiry centered only on Lithuanian access restrictions—its primary regulatory jurisdiction.
    • Extended Silence: Nearly two months passed between the December 2025 complaint and the February 2026 response.
    • Intermediary Confirmation: The communication confirms that Klyme (klyme.io) operates as the integrating merchant layer using Yapily’s regulated Open Banking framework to process payments for Winhero.

    Whistleblower Disclosure to Scam-Or Project

    Scam-Or Project received documentation through the Scam-Or Project whistleblower section involving Yapily, which operates from the UK and Lithuania as an Open Banking infrastructure provider.

    According to the submission, a Dutch customer deposited funds into Winhero (www.winhero.com), an online casino operating without authorization from the Kansspelautoriteit in the Netherlands. The deposit was processed through Yapily’s Open Banking rails.

    Upon discovering the casino’s unlicensed status, the player filed a formal complaint with Yapily in December 2025. The complaint requested:

    • A refund of deposited funds
    • Clarification regarding merchant onboarding and KYC controls
    • Information about Yapily’s AML compliance procedures

    The Accidental Exposure

    For almost two months, Yapily did not provide a substantive answer. In February 2026, the complainant finally received an email from [email protected].

    However, the message was clearly not intended for the customer. It was addressed to the “Klyme Team” and included the customer in CC by mistake.

    The content of that internal communication provides rare insight into how certain Open Banking operators respond to allegations of illegal gambling activity flowing through their systems.

    Internal Directive: Block the User

    The leaked instruction contained the following request:

    “We are also requesting that the Payment Service User identified would be blacklisted from using Yapily’s services to send funds to any of your clients.”

    Instead of initiating a merchant investigation into Winhero’s licensing status, Yapily’s compliance team sought to prevent the whistleblower from making further transactions.

    This approach suggests a defensive strategy designed to protect transaction throughput and reduce complaint exposure, rather than remediate potential compliance breaches.

    Jurisdictional Narrowing: The Lithuania Question

    The complainant clearly stated that:

    • They were Dutch
    • Winhero was illegally offering gambling services in the Netherlands

    Nevertheless, Yapily’s internal follow-up question to Klyme asked only for:

    “Description of the measures the merchant implements to restrict access for players from Lithuania.”

    Yapily Connect UAB (https://www.yapily.com/) operates under a license issued by the Bank of Lithuania (License No. LB002045). By restricting its compliance inquiry to Lithuania, Yapily appears to have concentrated on satisfying its domestic supervisory authority while overlooking potential violations in other EU jurisdictions such as the Netherlands and Germany.

    This pattern may indicate regulatory compartmentalization—maintaining formal compliance visibility in one country while facilitating cross-border high-risk traffic elsewhere.

    The Payment Stack: Yapily, Klyme, Winhero

    The exposed email confirms the layered structure of the payment flow.

    Layer Entity Function
    Infrastructure Provider Yapily Connect UAB Regulated Open Banking payment access
    Integration / Aggregation Klyme (klyme.io) Merchant-facing API integration
    Merchant Winhero (winhero.com) Unlicensed online casino

    Such layered “payment stacks” are not new. Scam-Or Project has previously documented similar arrangements, including cooperation between Yapily and the Bulgarian entity Contiant, where regulated infrastructure was used to process high-risk gambling transactions.

    This architecture creates operational distance between the licensed provider and the merchant, complicating accountability.

    Compliance Implications

    The case raises multiple concerns:

    1. Merchant Due Diligence
      How did Winhero gain access to regulated Open Banking rails?
    2. Transaction Monitoring
      Were gambling-related payment patterns detected through AML controls?
    3. Cross-Border Risk Assessment
      Why was Dutch illegality not treated as a material compliance issue?
    4. Consumer Protection
      Why was the reporting user penalized instead of triggering a risk review?

    If illegal merchant activity is identified only after a consumer complaint—and the response is to block the consumer rather than investigate the merchant—then the effectiveness of AML/CTF safeguards must be questioned.

    Conclusion

    The leaked internal email suggests that Yapily and Klyme prioritized limiting reputational or regulatory exposure over investigating alleged unlawful gambling activity.

    Rather than suspending or reviewing Winhero’s access to payment rails, the compliance response targeted the whistleblower.

    The episode highlights broader structural risks in Open Banking ecosystems where intermediaries and layered integrations may obscure merchant accountability.

    Call for Further Evidence

    This incident demonstrates the impact of documented user complaints. The accidental disclosure shows that internal communications shift when regulatory pressure is anticipated.

    If you have used:

    • Yapily
    • Klyme
    • Contiant
    • Volt

    to deposit funds at unlicensed casinos such as:

    • Winhero
    • NineCasino
    • Various Curacao-licensed operators

    and have experienced refund denials or suspicious payment routing, relevant documentation may assist further investigation.

    If you possess:

    • Bank statements identifying the receiving entity
    • Communication records
    • Evidence of denied refunds

    Submit the material via the Scam-Or Project whistleblower section.

    Documented cases may contribute to regulatory scrutiny and potential recovery actions for affected users.

    tags: Contiant, Klyme, Winhero, yapily, Yapily Connect
    share:
    F X L T P T R W
    add a comment
    Article Categories:
    AllOffshore BrokerFintechHigh-risk Payment ProcessorsGambling SchemesIllegal GamblingCrypto CompliancePopular Investigations

    Have questions? We can help!

    Fill out the form for a consultation on disclosures and fraud issues.

    Add A Comment
    Leave A Reply

    Related Posts