Shadow Banking at LuckyWins: Exposing the Open Banking and “Fake FIAT” Payment Rails Behind Novatrix SRL
A recent Thursday test of LuckyWins’ “Playback Thursday” promotion once again revealed a familiar compliance pattern typical of offshore casino ecosystems: weak or misleading gambling licensing claims, rotating mirror domains designed to bypass restrictions, and payment channels that interact with regulated EU and UK financial infrastructure.
LuckyWins, operated by Costa Rica–registered Novatrix SRL, advertises a license issued by the Tobique Gaming Commission. However, this credential does not represent a legally recognized authorization to provide gambling services across Europe, Great Britain, or most North American jurisdictions.
Key Findings
1. Unlicensed Operations and Domain Rotation
LuckyWins is run by Novatrix SRL, a company registered in Costa Rica. The platform relies on rotating mirror domains such as www.luckywins2.com to remain accessible after blocks or enforcement actions.
The operator also references the Tobique Gaming Commission (TGC) as its licensing authority. This entity functions as a self-regulatory registry and holds no recognized regulatory authority within the EU, the United Kingdom, or North America.
2. Open Banking Exploitation
LuckyWins appears to leverage open banking payment rails through:
- Contiant, an unlicensed Bulgarian fintech gateway
- Yapily Connect UAB, a licensed Lithuanian Electronic Money Institution (EMI)
Through this structure, payments are initiated directly from European banking platforms such as Revolut and routed toward the offshore merchant.
3. The “Fake FIAT” Crypto Conversion Pipeline
A separate payment mechanism disguises cryptocurrency purchases as standard bank transfers. This process involves ChainValley, a Polish Virtual Asset Service Provider (VASP) widely considered the operational successor to the suspended Lithuanian processor utPay.
Players believe they are transferring fiat funds to a casino account. In reality, the transaction is converted into USDC stablecoins, which are then forwarded to wallets controlled by the casino operator.
4. Direct E-Wallet Processing
The e-wallet provider MiFinity, regulated by both the UK Financial Conduct Authority (FCA) and the Malta Financial Services Authority (MFSA), appears to facilitate direct deposits to Novatrix SRL despite the merchant’s lack of regional licensing.
Compliance Analysis: Anatomy of the Payment Rail Structure
1. The Merchant Layer — Novatrix SRL and the “Tobique” Licensing Facade
Understanding the merchant structure is critical to evaluating the compliance risks. Novatrix SRL, incorporated in Costa Rica, operates LuckyWins despite the jurisdiction not issuing internationally recognized interactive gaming licenses.
To create the appearance of legitimacy, LuckyWins prominently displays a license badge from the Tobique Gaming Commission.
However:
- The TGC functions primarily as a registry rather than a regulator
- It has no supervisory authority in European or North American gambling markets
- It cannot grant legal access to players in the EU or the UK
As a result, LuckyWins continues to market its services in regulated markets without the required local authorizations.
The casino also deploys mirror domains, including luckywins2.com, which allow the operator to circumvent ISP blocks and regulatory blacklists.
2. Open Banking Exploitation: Contiant and Yapily
Open banking infrastructure was designed to increase financial transparency and consumer choice. However, the LuckyWins setup demonstrates how the system can be exploited for transaction laundering.
When a player selects Revolut at the casino cashier, the payment is routed through a multi-layer infrastructure:
-
Gateway Layer
Traffic first reaches paywith.contiant.com, an infrastructure operated by the Bulgarian fintech Contiant, which currently appears to operate without clear licensing. -
Payment Initiation Layer
The transaction request is forwarded through Yapily Connect UAB, a licensed Lithuanian EMI providing Payment Initiation Service Provider (PISP) functionality. -
Settlement Layer
Yapily triggers the transfer via oba.revolut.com, with Novatrix SRL listed as the ultimate beneficiary.
By leveraging a licensed PISP such as Yapily, the transaction may circumvent the typical risk-scoring and fraud detection systems applied by consumer banks.
3. The “Fake FIAT” Mechanism: ChainValley and PPRO
To avoid restrictions associated with gambling Merchant Category Codes (MCC 7995), offshore operators increasingly rely on crypto conversion layers disguised as bank transfers.
At LuckyWins, users selecting standard bank transfers are redirected to app.chainvalley.pro.
The ChainValley Structure
ChainValley Sp. z o.o., registered in Poland, operates as a licensed Virtual Asset Service Provider (VASP).
Following the shutdown of utPay, ChainValley appears to have captured a significant share of the same transaction flows.
Transaction Mechanism
The payment flow operates as follows:
- The user initiates a bank transfer.
- The funds are routed through ChainValley’s infrastructure.
- ChainValley executes an immediate cryptocurrency purchase, typically USDC.
- The digital assets are automatically forwarded to wallets controlled by Novatrix SRL.
The PPRO Infrastructure Link
ChainValley requires fiat settlement partners to operate. Web traffic analysis conducted in January suggests that 88.5% of outbound traffic from ChainValley payment links routes toward PPRO (ppro.com).
PPRO, a global B2B payments infrastructure provider regulated as:
- a Payment Institution in Luxembourg, and
- an Electronic Money Institution in the United Kingdom
appears to act as the fiat settlement layer behind these transactions.
4. The MiFinity Processing Channel
While the open banking and crypto rails rely on technical layering, MiFinity represents a more direct payment route.
Operating under regulatory oversight from:
- the MFSA (Malta) and
- the FCA (United Kingdom)
MiFinity enables users to deposit funds directly into merchant accounts linked to Novatrix SRL.
Processing payments for a merchant actively targeting UK and EU players without regional licenses raises questions regarding standard EMI compliance requirements and merchant due-diligence procedures.
Ecosystem Overview
| Entity / Domain | Jurisdiction | Regulatory Status | Role in the LuckyWins Infrastructure |
|---|---|---|---|
| Novatrix SRL (luckywins.com, luckywins2.com) | Costa Rica | Unlicensed (Tobique GC pseudo-license) | Casino operator |
| Contiant (paywith.contiant.com) | Bulgaria | Unlicensed | Open banking gateway |
| Yapily Connect UAB | Lithuania | Licensed EMI (Bank of Lithuania) | Payment initiation provider |
| ChainValley Sp. z o.o. / app.chainvalley.pro | Poland | Registered VASP | Crypto on-ramp / “Fake FIAT” processor |
| PPRO (ppro.com) | Luxembourg / UK | Licensed PI / EMI | Fiat settlement infrastructure |
| MiFinity (mifinity.com, mifinity.mt) | Malta / UK | Licensed EMI (MFSA / FCA) | Direct e-wallet payments |
| Siti (checkout.siti.ws) | Unknown | Unknown | Secondary SEPA gateway |
Call for Information: Help Expose the Payment Network
The movement of funds through offshore gambling networks often depends on intermediaries within regulated European financial infrastructure.
Scam-Or Project is calling on industry insiders who may have knowledge of the payment flows connected to LuckyWins and Novatrix SRL.
We are particularly interested in information from:
-
Employees at PPRO
Are internal risk committees aware that ChainValley infrastructure may be processing “fake FIAT” casino payments? -
Compliance teams at Yapily or MiFinity
Who approved merchant relationships connected to the Costa Rican entity Novatrix SRL? -
Payment gateway developers or infrastructure operators
Who controls the payment gateways checkout.siti.ws and Contiant?
If you possess processing agreements, internal compliance documentation, or bank settlement records related to LuckyWins, ChainValley, or Novatrix SRL, your information could help clarify the network.
Sensitive submissions can be provided confidentially through the Scam-Or Project whistleblower section, where the identity and security of sources are protected.
