How Anonymous Gateways Are Powering Mass Illegal Casino Payments in Europe
An in-depth review of Stellar-related casinos — including WinBay, AllySpin, LuckyMax, Spinbara, alongside multiple rotating “mirror” and “mutation” domains — uncovers a recurring operational scheme. The model combines unauthorized gambling access with deliberate payment-layer camouflage.
Instead of direct gambling transactions, players are funneled through anonymous open-banking checkout pages and multi-step gateway chains. What is advertised as a standard “bank deposit” is frequently executed as a crypto purchase, routed via ChainValley and comparable fiat-to-crypto on/off-ramp services.
Traffic data points to a pronounced geographic bias: Germany dominates transaction flows, with major retail banks repeatedly appearing across the payment journey.
I. When Payment Infrastructure Becomes a Crime Multiplier
Open Banking was introduced to enhance trust, transparency, and efficiency across the European payments landscape. Secure account-to-account transfers, biometric authentication, instant settlement, and data-sharing mechanisms for KYC were meant to reduce fraud and empower consumers.
Evidence collected by the Scam-Or Project shows that this very infrastructure is being systematically repurposed.
Our analysis identified three payment gateways operating through constantly changing domains, with no clear disclosure of ownership, licensing status, or accountable corporate structure. These entities appear to have repurposed open-banking rails to process — based on traffic intelligence — well in excess of one million casino deposit attempts per month, largely originating from Germany and directed toward operators lacking local gambling authorization.
Functional Breakdown of the Scheme
- From the player’s perspective: Trusted payment labels such as “Instant Bank Transfer,” “Online Banking,” or “Sofortüberweisung” appear in casino cashier menus.
- From the bank’s perspective: The transaction is logged as a standard account-to-account transfer to a payment or fintech entity — not a gambling operator.
- From a regulatory standpoint: The payment flow is categorized as a generic financial or technical service, bypassing gambling-specific MCCs and blocking directives.
- For casino operators: Funds settle almost instantly, without exposure to chargebacks, card-scheme monitoring, or robust AML controls.
This architecture effectively neutralizes enforcement mechanisms under Germany’s Glücksspielstaatsvertrag 2021, Dutch KSA payment interdictions, and Italy’s ADM licensing framework — while exploiting the credibility of Europe’s banking system to sustain illegal gambling at scale.
II. The Obfuscated Gateway Stack
TransactGrid, PayByBank, and BankLayer
Traffic and referral analysis points to a highly centralized gateway ecosystem optimized for concealment.
- TransactGrid (checkout.transactgrid.com): Acts as the primary settlement hub. With more than 760,000 monthly visits, it functions as the final destination for transactions originating from multiple offshore casino brands.
- PayByBank (openbanking.paybybank.net): Operates as an upstream intake layer. Data shows that virtually all outbound traffic is redirected straight into TransactGrid, suggesting a white-label wrapper designed to add superficial legitimacy.
- BankLayer (checkout.banklayer.org): Serves almost exclusively the Stellar Group (including Frumzi, AllySpin, and Supabet). It supports rapidly changing “throwaway” domains — for example, frumzi756723.com — used to bypass ISP-level blocking.
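A defender-side sketch of the referral analysis described above, for a bank or ISP team working from its own web logs (an added example, not Scam-Or Project tooling). It collapses rotating mirror domains to a brand stem so that a fresh throwaway domain still matches, then counts per gateway how many landings came from a casino brand or from another gateway. The gateway hosts and brand names are those listed in this article; the function names, the record format, the sample rows and the mirror `frumzi100001.example` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts and brand names as listed in the article; everything else is assumed.
GATEWAY_HOSTS = {"checkout.transactgrid.com", "openbanking.paybybank.net",
                 "checkout.banklayer.org", "app.chainvalley.pro"}
BRAND_STEMS = {"winbay", "allyspin", "luckymax", "spinbara", "frumzi", "supabet"}

def host_of(url):
    """Lower-cased hostname of a URL, or '' when absent or unparsable."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def brand_stem(host):
    """Collapse a rotating mirror (frumzi756723.com) to its brand stem, else None."""
    labels = host.split(".")
    if len(labels) < 2:
        return None
    # Second-to-last label; assumes a single-label TLD (simplification).
    stem = re.sub(r"-?\d+$", "", labels[-2])
    return stem if stem in BRAND_STEMS else None

def summarize(records):
    """records: (referrer_url, landing_url) pairs -> per-gateway referral stats."""
    out = {}
    for referrer, landing in records:
        gateway = host_of(landing)
        if gateway not in GATEWAY_HOSTS:
            continue
        s = out.setdefault(gateway, {"hits": 0, "casino": 0, "upstream": 0, "mirrors": {}})
        s["hits"] += 1
        ref_host = host_of(referrer)
        stem = brand_stem(ref_host)
        if stem:                            # casino brand, whichever mirror
            s["casino"] += 1
            s["mirrors"].setdefault(stem, set()).add(ref_host)
        elif ref_host in GATEWAY_HOSTS:     # wrapper feeding another gateway
            s["upstream"] += 1
    return out

# Constructed sample rows; frumzi100001.example is an invented mirror name.
SAMPLE = [
    ("https://frumzi756723.com/cashier", "https://checkout.banklayer.org/pay"),
    ("https://frumzi100001.example/cashier", "https://checkout.banklayer.org/pay"),
    ("https://openbanking.paybybank.net/start", "https://checkout.transactgrid.com/s"),
    ("https://Spinbara1.com/deposit", "https://app.chainvalley.pro/buy"),
    ("", "https://checkout.transactgrid.com/s"),   # no referrer: counted, unattributed
    ("https://frumzi756723.com/cashier", "https://bank.example/login"),  # not a gateway
]

if __name__ == "__main__":
    for gw, stats in summarize(SAMPLE).items():
        print(gw, stats)
```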
III. Germany as the Primary Target Market
Despite holding only an Anjouan gambling license — which does not permit services to players in Germany, the Netherlands, or Italy — Stellar-linked casinos derive more than 92% of their open-banking traffic from Germany.
This concentration is reinforced by:
- German-language interfaces
- Euro-denominated cashier systems
- Payment flows visually aligned with German banking brands, including Postbank and Sparkasse
Taken together, these elements demonstrate intentional and systematic targeting of German consumers, in direct violation of the Glücksspielstaatsvertrag 2021.
IV. Quantifying the Payment Volume
December 2025 Gateway Traffic Overview
| Gateway | Visits | Avg. Session | German Traffic | Usage Profile |
|---|---|---|---|---|
| checkout.transactgrid.com | 760,000 | 4–8 min | 97%+ | Multi-casino |
| openbanking.paybybank.net | 78,000 | 4–8 min | 87% | Multi-casino |
| checkout.banklayer.org | 400,000 | 4–8 min | 92%+ | Stellar-only |
| Total | 1,238,000 | ~6 min | ~95% | Offshore gambling |
Why Session Duration Matters
A complete open-banking transaction typically involves:
- Gateway landing and bank selection
- Redirect to the bank’s authentication environment
- Credential input and 2FA or biometric approval
- Payment confirmation
- Redirect back to the merchant with deposit confirmation
The expected completion time ranges between 4 and 7 minutes.
Observed averages of 4–8 minutes strongly indicate that most sessions represent completed or near-completed transactions rather than accidental visits. When combined with exclusive casino referrals and a 95%+ German traffic share, the data supports the conclusion that approximately 1.2 million illegal deposit attempts occurred in December 2025 alone.
Extrapolated annually: more than 14 million transactions processed through anonymous open-banking gateways for unlicensed offshore casinos.
V. The “Fake Fiat” Mechanism
ChainValley and the VASP Workaround
Certain platforms, including Spinbara (Spinbara1.com), deploy an additional deception layer often described as crypto on-ramp laundering. This process is facilitated by the Polish-registered VASP ChainValley (app.chainvalley.pro).
- User illusion: The player believes they are making a traditional bank deposit.
- Actual process: Funds are used to purchase USDT or BTC, which is then immediately transferred to the casino wallet.
- Regulatory vulnerability: Operating under a virtual asset license allows ChainValley to process fiat-to-crypto flows while avoiding the scrutiny applied to gambling payment processors — a weakness linked to the low entry threshold of the Polish VASP registry.
- Traffic signal: Over 217,000 visits in December 2025, with an average duration near five minutes — consistent with a 3D-Secure bank transfer followed by a crypto purchase.
VI. utPay and the Impact of MiCA
Until recently, utPay (app.utpay.io) was a central component of this ecosystem, recording approximately 610,000 visits in December 2025. In January 2026, utPay suspended its crypto services, citing MiCA (Regulation (EU) 2023/1114).
Regulatory Interpretation
The suspension strongly suggests intervention by the Bank of Lithuania after identifying utPay’s exposure to high-risk gambling traffic. Under MiCA, crypto service providers face heightened scrutiny regarding the nature of their merchant base. A platform with a traffic profile dominated by gambling activity would likely fail the “fit and proper” assessment required for MiCA-compliant CASP authorization.
VII. Compliance Red Flags and Systemic Risk
This payment architecture is explicitly engineered to bypass Gambling MCC 7995:
- Masked merchant identity: Banks record transfers to entities such as TransactGrid or ChainValley rather than identifiable casino brands.
- No consumer safeguards: Open-banking transfers offer no chargeback rights, making them attractive to offshore operators targeting vulnerable players.
Call for Evidence: Players and Insiders
Scam-Or Project continues to trace the bank accounts and payment endpoints associated with TransactGrid, BankLayer, and ChainValley.
- Players who deposited via these systems are encouraged to review their bank statements and identify the listed recipients.
- Industry insiders with information on the beneficial ownership behind TransactGrid or PayByBank are urged to come forward.
Submissions can be made anonymously via the Scam-Or Project whistleblower section, helping expose shadow payment networks that undermine the integrity of Europe’s financial system.
