Offshore Casino Vavada: The “Cosmetics” Merchant Behind a Transaction Laundering Network
Introduction
Scam-Or Project’s latest investigation uncovers a complex network connecting the offshore casino Vavada, a Czech “cosmetics” merchant Floxydy, and the payment gateways PayWRX and NetworxPay.
The analysis builds on data initially surfaced by SpinangaCase, which alleged that gambling deposits were disguised as “beauty product” purchases and routed through Canadian and European payment processors. Scam-Or Project independently verified several of these technical traces, identifying overlapping corporate infrastructure and multilingual back-offices that expose regulatory vulnerabilities.
Key Findings
- Offshore Casino — Vavada (vavada.com), a Curacao-licensed operator with a payment agent in Cyprus.
- Front Merchant (Floxydy) — A Czech “cosmetics” store (MCC 5977) allegedly used to disguise casino deposits.
- Processor Network — Payments flowed through PayWRX’s front end and were ultimately handled by NetworxPay, whose back-office appears branded as “Paywrx Connect Ltd.”
- Technical Evidence — Publicly accessible API documentation and merchant dashboards confirm matching URLs, gateway patterns, and corporate footprints.
- Regulatory Exposure — Indicators include MCC misclassification, transaction laundering, and AMLD6 non-compliance across EU jurisdictions.
The Transaction Flow: From “Beauty” to Bets
Between October 11–16, 2025, SpinangaCase documented that Floxydy (floxydy.com) processed live transactions appearing on user bank statements as “FLOXYBEATY / MCC 5977”, while the funds topped up casino balances on Vavada.com.
Scam-Or Project verified that the payment flow aligns with this path:
- Player initiates a “cosmetics” purchase via Floxydy’s checkout page.
- Transaction routes through PayWRX, a FINTRAC-registered Canadian payment front.
- The backend processing occurs in NetworxPay, whose portal (backoffice.networxpay.com) displays the footer: “© 2023–2025 Paywrx Connect Ltd” with EN/RU language options.
- API endpoints (gateway.networxpay.com, docs.networxpay.com) mirror the same structure, suggesting a unified technical stack.
These findings support the theory that PayWRX served as the marketing façade while NetworxPay provided the underlying infrastructure.
Vavada and Magefin: The Curacao–Cyprus Payment Bridge
Corporate Identity
| Entity | Role | Jurisdiction | Registration No. | Address | Licensing |
|---|---|---|---|---|---|
| Vavada B.V. | Casino Operator | Curaçao | 143168 | Hanchi Snoa 19, Trias Building | 8048/JAZ (Antillephone N.V.) |
| Magefin Ltd | EU Payment Agent | Cyprus | HE 404179 | 23 Kennedy Avenue, Office 201, 1075 Nicosia | Not licensed by CySEC or CBC |
Magefin Ltd acts as Vavada’s official EU payment agent, handling card and SEPA transactions for European players. However, it lacks authorization as a payment institution under PSD2, raising compliance and AMLD6 concerns.
A Familiar Offshore Playbook
Vavada follows a pattern often seen in unlicensed gambling operations:
- The Curacao entity holds the e-gaming license and customer terms.
- The Cyprus agent manages European inflows through “neutral” merchant descriptors.
- Settlement is routed offshore to shield the operator from EU enforcement.
When paired with the alleged MCC 5977 cosmetics cover, the model fits established transaction-laundering typologies, where gambling deposits are misrepresented to avoid card-scheme restrictions.
Unlicensed EU Access and Player Onboarding
Scam-Or Project’s test registrations across Austria, Germany, and Italy confirmed that vavada.com accepts EU users without geoblocking or localized compliance notices.
Despite operating under a Curacao license, Vavada presents itself as a legitimate European-facing platform — what SpinangaCase called “a Russian casino in Western disguise.”
The absence of EU licensing (MGA, ADM, or Kansspelautoriteit) underscores deliberate circumvention of regulatory frameworks.
Deposit Channels and Payment Diversity
Vavada offers a wide array of deposit options — a strategy to disperse risk and obscure merchant identities:
- Credit & Debit Cards — via standard and “alternative” acquirers; no 3-D Secure observed.
- E-Wallets — including Piastrix, a Russian-linked provider prominent among high-risk casinos.
- Mobile Payments — Google Pay and Apple Pay, often redirected through shadow domains.
- Cryptocurrencies — Bitcoin, Ethereum, and USDT, routed via Bybit Pay and Binance Pay through concealed proxies.
Two notable third-party processors appeared repeatedly:
- Repayfor.com — operated by Firelaketech LLC (Marshall Islands)
- Pay-Masters.com — another Marshall Islands-based processor
Both have prior listings on AML risk databases and previous connections to unlicensed casinos.
Anonymous Payment Domains
Scam-Or Project identified non-public domains used in payment redirection — a hallmark of transaction-laundering ecosystems.
Example:
Selecting Google Pay triggers a redirect to checkout.transactes.com, a domain lacking any legal imprint or SSL ownership traceable to Vavada or Magefin. On the resulting page, the payee appears as “fastpayway”, effectively concealing the true gambling transaction.
Similar infrastructure was previously seen in investigations into Donbet, Rolletto, and Stake.com, confirming an industry-wide pattern of hidden payment gateways.
Crypto Infrastructure: An Extra Layer of Obfuscation
For cryptocurrency deposits, Vavada employs an additional proxy: zicrosync.com, an anonymous domain relaying API calls to Bybit Pay and Binance Pay.
This setup obscures both the receiving wallet and the merchant beneficiary — a clear AML vulnerability that undermines blockchain traceability.
Compliance & Regulatory Exposure
Transaction Laundering via MCC
Classifying gambling transactions as MCC 5977 (Cosmetics Stores) violates card-scheme rules and may trigger acquirer sanctions or fines. Historic U.S. prosecutions of gambling processors show that regulators treat such MCC mislabeling as intentional deception. A relevant case is detailed in this Money Laundering Compliance News report, which described how U.S. banks were misused through a fake payment processor in a similar online-gambling sting.
AMLD6 Implications
Mixing gambling and crypto flows within one processor stack introduces source-of-funds (SoF) and ownership-transparency issues. The evidence suggests limited KYC depth and insufficient disclosure of merchant hierarchies — contrary to EU AMLD6 standards.
Jurisdictional Risk
Russian-language back-office elements and potential ruble corridors (as noted by SpinangaCase) further expose processors to sanctions and KYC red flags, especially if post-2022 payment routes touched Russian entities.
Entity Overview
| Entity / Domain | Jurisdiction | Registration | Function | Connections | Notes |
|---|---|---|---|---|---|
| Vavada B.V. | Curaçao | 143168 | Casino operator (8048/JAZ license) | Linked with Magefin Ltd; serviced by PayWRX/NetworxPay | Verified via public registry |
| Magefin Ltd | Cyprus | HE 404179 | EU payment agent | Handles card/SEPA flows | Cyprus Registrar filings |
| Floxydy / FLOXYBEATY | Czech Rep. | — | Front merchant (MCC 5977) | Routed via PayWRX → NetworxPay | SpinangaCase evidence |
| PayWRX Connect Ltd | Canada | — | Processor front | Connected to NetworxPay backend | Back-office footer and API |
| NetworxPay | — | — | Payment gateway | Processes PayWRX traffic | EN/RU merchant panel |
| checkout.transactes.com | — | — | Google Pay redirect domain | Anonymous | No public imprint |
| zicrosync.com | — | — | Crypto relay | Bybit / Binance proxy | Conceals receiving wallets |
| Repayfor | Marshall Islands | — | Alt card processor | Firelaketech LLC | High-risk merchant service |
| Pay-Masters | Marshall Islands | — | Alt card processor | — | Recurrent gambling facilitator |
| Piastrix | Russia-linked | — | E-wallet | — | Used by Vavada |
| Jetonbank | Belize | — | E-wallet / transfer | — | Offshore settlement route |
What Insiders Can Provide
Scam-Or Project invites information to corroborate the chain of transactions and internal control lapses. Evidence sought includes:
- Merchant onboarding packs (MIDs, MCC codes, acquirer identities)
- Gateway logs or receipts linking Vavada deposits to FLOXY* descriptors
- Settlement or chargeback statements showing descriptor rotations
- Communication records between [email protected], PayWRX, and NetworxPay (headers only; PII can be redacted)
Whistleblowers may submit encrypted materials via the Scam-Or Project website — confidentiality guaranteed.
Actionable Takeaways for Banks and Processors
Financial institutions should implement enhanced monitoring for:
- Descriptors beginning with “FLOXY” under MCC 5977
- Transaction velocities or chargeback anomalies tied to EU/EEA cardholders
- Referral URLs containing “networxpay.com”
These indicators, when combined, form a clear transaction-laundering typology aligning with current FATF and FIU advisories.
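The three monitoring indicators above, combined into one screening pass, as an added example (not code from Scam-Or Project or from any bank or processor). The record field names, the EEA country subset, the 24-hour window and the threshold of three are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

EEA = {"AT", "DE", "IT", "CZ", "CY"}    # assumed subset of EU/EEA issuer countries
VELOCITY_LIMIT = 3                       # assumed threshold, tune per portfolio
VELOCITY_WINDOW = timedelta(hours=24)    # assumed window

def referrer_hit(url):
    """Referrer host is networxpay.com or a subdomain (lookalike hosts do not match)."""
    host = (urlsplit(url or "").hostname or "").lower().rstrip(".")
    return host == "networxpay.com" or host.endswith(".networxpay.com")

def descriptor_hit(txn):
    """Descriptor starts with FLOXY and the merchant is coded MCC 5977."""
    return txn["descriptor"].strip().upper().startswith("FLOXY") and txn["mcc"] == "5977"

def evaluate(txns):
    """Map transaction id -> sorted indicator names, for transactions with any hit."""
    hits, by_card = defaultdict(set), defaultdict(list)
    for t in sorted(txns, key=lambda t: t["ts"]):
        if descriptor_hit(t):
            hits[t["id"]].add("descriptor_mcc")
        if referrer_hit(t.get("referrer")):
            hits[t["id"]].add("referrer")
        if t["mcc"] == "5977" and t["issuer_country"] in EEA:  # velocity scope (assumed)
            by_card[t["card"]].append(t)
    for seq in by_card.values():             # sliding window per EEA card
        for i, first in enumerate(seq):
            burst = [u for u in seq[i:] if u["ts"] - first["ts"] <= VELOCITY_WINDOW]
            if len(burst) >= VELOCITY_LIMIT:
                for u in burst:
                    hits[u["id"]].add("velocity")
    return {k: sorted(v) for k, v in hits.items()}

def escalate(txns):
    """Ids where at least two indicators combine, which is what warrants review."""
    return sorted(k for k, v in evaluate(txns).items() if len(v) >= 2)

def _txn(i, card, hour, desc, country, ref=None):   # builds constructed sample rows
    return {"id": i, "card": card, "ts": datetime(2025, 10, 11) + timedelta(hours=hour),
            "descriptor": desc, "mcc": "5977", "issuer_country": country, "referrer": ref}
SAMPLE = [
    _txn("t1", "c1", 0, "FLOXYBEATY", "DE", "https://gateway.networxpay.com/"),
    _txn("t2", "c1", 2, "FLOXYBEATY", "DE"),
    _txn("t3", "c1", 5, "floxybeaty ", "DE"),
    _txn("t4", "c2", 1, "BEAUTY SHOP", "AT", "https://networxpay.com.example/"),
    _txn("t5", "c3", 1, "FLOXYBEATY", "US"),
]
```

A single indicator (row t5) is recorded but not escalated, and the lookalike referrer host in t4 does not match because the comparison is on the parsed hostname rather than a substring.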
Editorial Note
This report draws on materials from SpinangaCase (Parts I–III) and independent verification by Scam-Or Project.
While SpinangaCase provided initial artifacts, Scam-Or analysts validated technical details of the NetworxPay back-office and API endpoints.
Further documentation from acquirers, processors, or insiders remains welcome.
Conclusion
The Vavada–Floxydy–PayWRX–NetworxPay chain exemplifies how offshore casinos bypass EU and card-scheme rules through layered merchant identities and misleading descriptors.
Behind the appearance of a simple “cosmetics” store lies a sophisticated payment laundering system — one that regulators, banks, and compliance officers can no longer afford to ignore.
