SHADOW ACCOUNTS & FAKE PLAY STORES
The Identity Theft Engine Behind Galaktika N.V. Exposed
A new phase in the Galaktika N.V. fraud investigation uncovers a far more dangerous mechanism than previously documented. Stolen KYC data is now being systematically reused to create so-called “Shadow Skrill” accounts, while victims are funneled through fake Google Play Store interfaces that distribute malicious APK files. These identities are subsequently recycled across a network of shell companies, most notably Cyperion Solutions and Novaforge.
Our earlier findings on Cyperion and NGPayments already indicated structural abuse of payment rails. The latest evidence confirms this is not an isolated incident but a scalable identity-laundering operation.
Analysis: The “Double-Sided” Fraud Architecture
Fresh material submitted by an affected player reveals a level of coordination that goes far beyond unlicensed gambling. The Galaktika N.V. operation now demonstrates a clear two-phase fraud lifecycle:
- Data Harvesting
- Financial Hijacking
According to publicly available disclosures, Slotoro.bet is owned and operated by Wiraon B.V. (Curaçao), while payment processing is handled by Briantie Limited. This separation forms the backbone of the scheme.
Phase One: The “Fake Play Store” Malware Trap
The investigation confirms that brands such as Boomerang-Bet and Slotoro deploy counterfeit “Get it on Google Play” buttons. Instead of redirecting users to the legitimate Google Play Store, these badges lead directly to raw APK downloads.
How the Trap Works
- Malicious APK Files: The downloaded applications bypass standard mobile security protections and are designed to extract SMS messages (including 2FA codes), device data, and personal files.
- The Verification Pretext: Users are told that identity verification is mandatory. In reality, this process is used to collect passport scans and personal documents, which are immediately reused or resold inside the network.
This phase ensures a constant supply of fresh identities for downstream financial abuse.
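A check for the counterfeit badge pattern described above: it flags any link dressed as a Google Play badge whose target is a raw APK or any host other than the Play Store. This is an added example, not code from the investigation; the function names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

PLAY_HOSTS = {"play.google.com"}  # the only host a real badge should reach
BADGE_HINTS = ("google play", "google-play", "googleplay", "play store")

def classify(href):
    """Return why a badge target is suspicious, or None if it looks legitimate."""
    u = urlparse(href)
    if u.path.lower().endswith(".apk"):
        return "direct APK download"
    if u.scheme != "https" or u.hostname not in PLAY_HOSTS:
        return "not the Play Store"
    return None

class BadgeAudit(HTMLParser):
    """Collect links dressed as Play badges (link text, img alt, img src) that lead elsewhere."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
        elif tag == "img" and self._href is not None:
            self._text += [a.get("alt") or "", a.get("src") or ""]

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join(self._text).lower()
            reason = classify(self._href)
            if reason and any(h in label for h in BADGE_HINTS):
                self.findings.append((self._href, reason))
            self._href = None

def audit(html):
    parser = BadgeAudit()
    parser.feed(html)
    return parser.findings

SAMPLE = (  # constructed markup, not taken from any real site
    '<a href="https://play.google.com/store/apps/details?id=com.example.app"><img alt="Get it on Google Play"></a>'
    '<a href="/files/casino-app.apk"><img alt="Get it on Google Play" src="/img/badge.png"></a>'
    '<a href="https://cdn.example.net/get?app=1"><img src="/img/googleplay.svg"></a>'
)
```

`audit(SAMPLE)` reports the second and third links and leaves the genuine store link alone; the host comparison is exact, so lookalike hostnames that merely begin with `play.google.com` are also reported.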
Phase Two: The “Shadow Skrill” Mechanism
The most disturbing finding emerges when comparing bank statements with official Skrill account histories.
What the Victim Sees
- Bank statements show transactions labeled with Skrill descriptors.
- Skrill confirmation emails are received from [email protected].
- The victim’s own Skrill app and web account show no record of the transactions, often displaying “Data not found.”
What This Means
This discrepancy confirms that the victim’s card details are being charged through Skrill infrastructure, but processed via a separate, third-party Skrill account — a so-called “mule” or “Shadow Skrill” account.
By avoiding the victim’s real Skrill account, the operators block chargeback options while leveraging Skrill’s trusted branding to reassure banks.
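The discrepancy described above can be documented by reconciling a bank statement against an export of the account holder's own Skrill history. The sketch below is an added example, not part of the original evidence; the row layout, dates and amounts are constructed, and amounts are in integer cents.

```python
from datetime import date, timedelta

SKRILL_MARKERS = ("skr*", "skrill")  # matches descriptors such as "SKR*Skrill.com"

def unmatched_skrill_charges(bank_rows, wallet_rows, window_days=3):
    """Return bank charges with a Skrill descriptor that no wallet entry explains.

    bank_rows:   (date, descriptor, amount_cents) from the card or bank statement
    wallet_rows: (date, amount_cents) from the account holder's own Skrill history
    Each wallet entry can explain at most one bank charge.
    """
    pool = sorted(wallet_rows)
    window = timedelta(days=window_days)
    orphans = []
    for day, descriptor, amount in sorted(bank_rows):
        if not any(m in descriptor.lower() for m in SKRILL_MARKERS):
            continue  # not a Skrill-labelled charge
        hit = next((w for w in pool
                    if w[1] == amount and abs(w[0] - day) <= window), None)
        if hit:
            pool.remove(hit)  # consume it so duplicates are not double-counted
        else:
            orphans.append((day, descriptor, amount))
    return orphans

# Constructed sample data.
BANK = [
    (date(2025, 1, 5), "SKR*Skrill.com", 5000),
    (date(2025, 1, 5), "SKR*Skrill.com", 5000),
    (date(2025, 1, 9), "SKR*Skrill.com", 12000),
    (date(2025, 1, 10), "GROCERY STORE", 2310),
]
WALLET = [(date(2025, 1, 4), 5000)]

if __name__ == "__main__":
    for row in unmatched_skrill_charges(BANK, WALLET):
        print("no matching Skrill account entry:", row)
```

An empty wallet history, the "Data not found" case, makes every Skrill-labelled charge an orphan.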
Definitive Evidence of Identity Laundering
Support records from beef.casino provide decisive proof. A single internal billing profile is shown to be linked to multiple unrelated email addresses, including:
This demonstrates the existence of a shared database of stolen identities inside the Galaktika N.V. ecosystem.
These identities are used to:
- Circumvent “one account per person” restrictions.
- Multiply bonus abuse operations.
- Obscure transaction volumes flowing to offshore entities.
Further background on the Briantie Group reinforces the pattern of rotating corporate shells.
“Shadow Skrill” Accounts: From Theory to Documented Fact
Based on the player’s documentation, the use of unauthorized Skrill accounts is no longer speculative in this case. It is directly supported by evidence.
Key Proof Points
| Evidence Type | Description |
|---|---|
| Transaction Mismatch | Skrill confirmation emails show payments to Cyperion Solutions Limited and Briantie Limited, while the victim’s Skrill account records contain no corresponding entries. |
| Identity Hijacking | Internal beef.casino records link the victim’s billing profile to multiple unauthorized email addresses. |
| Payment Rails | Transactions are routed via NGPayments and Paygate, using misleading bank descriptors such as “SKR*Skrill.com.” |
Together, these elements confirm intentional bypassing of the victim’s own Skrill account.
The Payment Rail: Mapping the Shell Network
To avoid bank scrutiny and blacklist exposure, the operation rotates payment intermediaries. Active nodes currently identified include:
- Cyperion Solutions Limited (UK / Cyprus): Primary channel associated with NGPayments.
- Novaforge Limited / Briantie Limited: Backup entities activated when primary routes are restricted.
- Paygate: The technical switching layer connecting fraudulent accounts to regulated processors such as Skrill and Paysafe.
This layered structure allows operators to control both sides of the transaction — the “player” and the “merchant.”
Conclusion & Regulatory Alert
This case exposes a critical weakness within the Paysafe ecosystem (Skrill / Rapid Transfer). The infrastructure is being exploited to process payments through unauthorized accounts using stolen identities.
Regulators including the FCA and CySEC must urgently examine how consultancy-type merchants such as Cyperion Solutions are permitted to process third-party card payments without strict identity matching and account ownership verification.
Whistleblower Call to Action
Are you affected by the Galaktika N.V. network?
Have you discovered unauthorized email addresses linked to your identity or payment profile?
Submit your evidence to the Scam-Or Project whistleblower section. We are particularly interested in internal communications involving the “V.Partners” or “Galaktika” affiliate teams.
Your information could help expose the full scale of this identity-laundering operation.
