Dutch ITFY Offensive Targets HolyLuck Casino Cluster, Payment Rails, and Regulatory Oversight
Forensic Reports Expand Scrutiny Around HolyLuck-Linked Casino Infrastructure
A new Dutch legal-forensic campaign has intensified pressure on the offshore casino sector. ITFY Legal has distributed an extensive forensic cluster report, a Casino Monitor infrastructure analysis, and an additional follow-up memorandum concerning the HolyLuck-linked casino ecosystem. The documents were delivered to casino operators, payment facilitators, regulators, public authorities, infrastructure providers, and supervisory bodies.
The reports build upon earlier investigations published by Scam-Or Project, but significantly extend the analysis through deeper forensic infrastructure mapping, including shared domains, Cloudflare configurations, origin IP ranges, payment descriptors, tracking systems, and apparent staging environments.
Based on Scam-Or Project’s preliminary assessment, the ITFY findings largely confirm and substantially expand prior reporting concerning the HolyLuck / Booms.bet / Lyntec / SENDS payment-rail ecosystem.
Key Findings
Dutch Action Against Offshore Casino Infrastructure
ITFY Legal, operating from the Netherlands, prepared and circulated forensic documentation concerning the HolyLuck Casino Network and related operators.
CRUKS-Registered Player Central To The Case
The reports focus on a Dutch resident registered in the Central Register for Self-Exclusion of Players (CRUKS), who allegedly lost €18,280 across multiple offshore casino brands despite being excluded from remote gambling services targeting Dutch residents.
Alleged Operational Cluster
ITFY claims the casino brands involved should not be viewed as isolated businesses, but as components of a larger interconnected operational network sharing infrastructure, payment layers, legal entities, and mirror-domain architecture.
Earlier Scam-Or Project Findings Reinforced
The ITFY dossier references prior Scam-Or Project investigations involving RevDuck, Sapphire Summit, Lyntec, SENDS/Smartflow, and HolyLuck-linked payment systems while adding a more advanced forensic layer.
Payment Actors and Authorities Alerted
The reports were reportedly distributed to operators, payment service providers, infrastructure companies, regulators, card schemes, and public authorities, including Cloudflare and Google-related channels.
Immediate Operational Changes Observed
According to ITFY, several domains became inaccessible within 24 hours after the reports were served, while the underlying infrastructure allegedly remained active and the total domain footprint expanded.
Dutch Legal-Forensic Initiative Escalates Offshore Casino Investigation
Scam-Or Project obtained a collection of reports and related correspondence from ITFY Legal concerning what is described as the HolyLuck Casino Network and connected operators. The materials were submitted through the Scam-Or Project Complaints section and relate directly to ongoing investigations into offshore casino operations, opaque merchant structures, and payment-rail abuse.
The initial package included a comprehensive forensic cluster analysis together with a Casino Monitor infrastructure report. A one-page addendum followed the next day.
According to the ITFY findings, the matter concerns a Dutch resident listed in the CRUKS exclusion register who allegedly remained able to deposit funds with multiple unlicensed offshore casinos despite restrictions prohibiting such gambling activity for Dutch residents. The total restitution claim reportedly amounts to €18,280.
The initiative goes far beyond an ordinary player complaint. The package was structured as a coordinated escalation targeting casino operators, PSPs, supervisory authorities, infrastructure providers, and government agencies.
Allegations Surrounding The HolyLuck Cluster
The report identifies five main casino operators connected to the alleged player losses:
| Operator | Alleged Deposits |
|---|---|
| HolyLuck Casino | €10,035 |
| Spinstar Casino | €2,855 |
| Spindog Casino | €1,805 |
| Millioner2 Casino | €1,780 |
| InstantCasino | €1,805 |
| Total | €18,280 |
The report states that the calculations rely on reconciled banking records and player-account documentation.
ITFY also connects these brands to a broader network allegedly including:
- Booms.bet
- TrueLuck
- Kokobet
- IgoBet
- Winorio
- Mega.bet
- Bino
- Fano
-
Moko
- Starzino
- Rakebit
- Spinorhino
- Casho-app
- Luckygem
- Baloo
- Betory
- Dragobet
- Zazibet
- Winhero
- PlayMegaWin
According to the forensic assessment, the brands allegedly operate as part of a unified infrastructure and payment ecosystem rather than as unrelated casino projects.
This conclusion aligns with previous Scam-Or Project investigations into multi-layered payment rails supporting offshore gambling operations.
From Earlier Investigations To Advanced Infrastructure Mapping
The ITFY dossier directly references prior Scam-Or Project reporting involving HolyLuck, Booms.bet, RevDuck, Sapphire Summit, Lyntec, and SENDS-related payment structures.
However, the ITFY material goes significantly further by attempting to technically reconstruct the operational cluster through:
- shared domains,
- nameservers,
- origin IP infrastructure,
- MX configurations,
- TLS fingerprints,
- HTML-body hashes,
- payment-presentation layers,
- and staging environments.
The report states that its conclusions rely on:
- forensic infrastructure analysis,
- KSA sanction records,
- UK Companies House filings,
- operator disclosures,
- industry databases,
- and previous investigative reporting.
Based on the initial review, the forensic analysis appears broadly consistent with previously published findings while adding considerable technical depth.
Infrastructure Methodology And Technical Signals
The Casino Monitor report outlines a clustering methodology based on publicly accessible forensic sources, including:
- Certificate Transparency logs,
- urlscan.io,
- Wayback Machine archives,
- and manual forensic correlation.
For each accessible domain, ITFY reportedly collected and compared:
- nameservers,
- IP addresses,
- hosting /24 blocks,
- MX records,
- SSL certificate fingerprints,
- and HTML-body hashes.
Domains sharing matching technical fingerprints were grouped into operational clusters.
The report highlights several infrastructure indicators, including:
- multiple Cloudflare nameserver pairs suggesting separate Cloudflare account compartments;
- convergence toward the same origin infrastructure, particularly the 82.139.216.0/24 block;
- shared MX configurations;
- highly similar payment-page templates;
- exposed development and staging environments;
- analytics and tracking domains connected to casino operations.
One of the most notable findings involves allegedly separate Cloudflare account structures ultimately converging on the same backend infrastructure. ITFY interprets this as deliberate compartmentalisation designed to isolate public-facing exposure while maintaining shared operational infrastructure underneath.
According to the report, HolyLuck, TrueLuck, Booms.bet, Spinstar, Moko, and several additional domains allegedly resolve into the same 82.139.216.0/24 infrastructure environment.
Payment Rails And Merchant Presentation Layers
The investigation also focuses heavily on payment infrastructure and merchant presentation mechanisms.
According to ITFY, the disputed transactions allegedly involved or intersected with multiple payment actors and routing systems, including:
- Visa
- Klarna
- Skrill/Paysafe
- Mangopay
- SaferSepa / AB Mano Bankas
- MiFinity
- Trustly/Brite
- Worldpay
- Mollie
The report further states that several payment disputes and investigative procedures were initiated, with some early outcomes reportedly favorable to the claimant.
Particular attention is given to Lyntec Limited and the descriptor:
“GEMCEBR LONDON GBR”
The report alleges that Lyntec Limited operated as a UK-linked card-processing front while transactions were reportedly coded under MCC 5816 (Digital Goods) rather than MCC 7995 (Gambling).
If verified, such practices could potentially indicate transaction laundering structures where gambling-related payments are disguised as digital-goods purchases.
Addendum Suggests Operational Reaction Inside The Cluster
A follow-up addendum circulated by ITFY on 9 May 2026 claimed that substantial changes had already occurred inside the cluster shortly after service of the original reports.
According to the addendum:
- the shared 82.139.216.0/24 infrastructure allegedly expanded from 67 domains to 79 domains;
- several domains became unreachable, including:
- instantcasino.com
- millioner.com
- millioner2.com
- clickholyluck.com
- clickwinorio.com
- boomstrackers.com
- trackingbino.bet
ITFY interprets these developments as evidence of active operational rotation rather than dissolution of the infrastructure.
In practical terms, this suggests that front-end domains, trackers, or payment pages may disappear or rotate while the underlying backend systems remain operational.
The addendum also describes a newly identified development pipeline allegedly involving:
- lottopark.work
- whitelotto.work
The report further references exposed subdomains such as:
- admin
- aff
- api
- casino
- manager
- mailhog
- phpmyadmin
ITFY additionally notes the appearance of Polish DevOps terminology within path structures, which it considers operationally relevant for Dutch and Polish authorities.
Initial Position Of Scam-Or Project
Scam-Or Project has not adopted every legal conclusion presented in the ITFY reports. Nevertheless, based on the initial review, the forensic materials appear detailed, structured, and highly relevant to ongoing investigations into offshore casino ecosystems and associated payment rails.
The findings substantially align with previous reporting concerning:
- HolyLuck
- Booms.bet
- Sapphire Summit
- Lyntec
- SENDS/Smartflow
- RevDuck
- related payment infrastructure
The addendum may prove particularly significant because it suggests that the reports may already be generating operational responses inside the affected network.
If casino domains, tracking systems, or staging environments begin changing immediately after formal legal notifications, regulators, PSPs, and infrastructure providers may face increasing pressure to examine these ecosystems more closely.
Scam-Or Project will continue reviewing the ITFY materials and plans additional reporting concerning:
- payment facilitators,
- merchant descriptors,
- Cloudflare and Google-linked infrastructure,
- CRUKS-related implications,
- Polish-linked operational domains,
- and the broader offshore casino ecosystem.
Call For Information
Scam-Or Project invites insiders, former employees, payment processors, acquiring banks, compliance professionals, affected players, and technical investigators to provide additional information concerning:
- HolyLuck Casino Network
- Booms.bet
- Spinstar
- Spindog
- Millioner2
- InstantCasino
- Lyntec Limited
- SENDS/Smartflow
- Mangopay
- Skrill/Paysafe
- Klarna
- SaferSepa
- Brite
- Trustly
- Cloudflare-hosted casino infrastructure
- related merchant descriptors
Information may be submitted securely through the Scam-Or Project whistleblower section.
