SHADOW ACCOUNTS & FAKE PLAY STORES: The Deadly Identity Theft Cycle of Galaktika N.V. Uncovered

A massive escalation in the Galaktika N.V. fraud case reveals that stolen KYC data is being used to create “Shadow Skrill” accounts. Victims are lured via fake Google Play Store interfaces into downloading malicious APKs, while their identities are laundered through a web of shell companies including Cyperion Solutions and Novaforge.

Read our initial report on Cyperion and NGPayments here.

Analysis: The “Double-Sided” Fraud Architecture

The latest evidence provided by a player exposes a level of sophistication that moves beyond simple unlicensed gambling into organized cybercrime. The “Galaktika Scheme” now shows a clear two-stage lifecycle: Data Harvesting and Financial Hijacking. According to the website Slotoro.bet is owned and operated by Wiraon B.V., Curaçao, while payments are managed by Briantie Limited.

1. The “Fake Play Store” Malware Trap The investigation confirms that brands like Boomerang-Bet and Slotoro are using fraudulent “Get it on Google Play” badges. Instead of the secure Play Store, users are redirected to download a raw .apk file.

• The Malware: These files are designed to bypass device security to harvest SMS codes (for 2FA) and personal files.
• The Verification Scam: The “mandatory verification” is a front for identity theft. Once the victim uploads their passport, the data is immediately sold or reused within the network.

2. The “Shadow Skrill” Phenomenon The most alarming discovery is the discrepancy between the player’s bank statements and their official Skrill history.

• The Mechanism: The victim receives “official” Skrill confirmation emails, but their app history shows “Data not found.”
• The Interpretation: This confirms that the operators are using the victim’s card details on a third-party Skrill account (a “mule” account). By using a different account, they ensure the victim cannot easily charge back the transaction through the Skrill interface, while still using Skrill’s “clean” branding to pacify the victim’s bank.

3. Definitive Proof of Identity Laundering The support logs from beef.casino provide a “smoking gun.” Seeing a personal billing account linked to suspicious addresses like [email protected] and [email protected] proves that the Galaktika N.V. ecosystem operates a shared database of stolen identities. These identities are likely used to:

• Bypass “one account per person” rules for bonus abuse.
• Layer transactions to hide the volume of money flowing to offshore entities.

The Shadow Skrill Accounts Explained

Based on the documentation provided by the player, the existence of “Shadow Skrill” accounts (unauthorized Skrill accounts created using stolen identities to process third-party cards) has moved beyond a working hypothesis and is a documented fact in this specific case.

The certainty of this claim is supported by three primary pieces of evidence found in the player’s files:

• The Transaction Discrepancy: The player provided official transaction confirmation emails from [email protected] for payments totaling hundreds of euros to entities like Cyperion Solutions Limited and Briantie Limited. However, the player’s official Skrill app and web history show “Data not found” or no record of these transactions. This confirms that while the player’s card was charged via Skrill’s infrastructure, it was not processed through their personal Skrill account.
• Direct Proof of Identity Hijacking: Evidence from the support area of beef.casino (an associated brand) shows the player’s internal billing profile linked to multiple unauthorized third-party email addresses, such as [email protected], [email protected], and [email protected]. This is definitive proof that their KYC (Know Your Customer) data and payment information are being used by the operator to manage a network of “mule” accounts.
• The “NGPayments” / “Paygate” Rail: The documentation shows that the payments were routed through technical instruments labeled NGPayments and Paygate. These gateways act as the bridge that allows the fraudulent accounts to interface with regulated processors like Skrill and Paysafe while using misleading descriptors like “SKR*Skrill.com” on bank statements to pacify the victim’s bank.

The documentation proves a deliberate bypass of the player’s own Skrill account. By using stolen identity data harvested through malicious APK files (masquerading as Google Play apps), the operators have successfully created a parallel financial structure where they control both the “player” account and the “merchant” entity, leaving the victim with no recourse through standard consumer protection channels.

The Payment Rail: Mapping the Shells

The transaction flow utilizes a rotating cast of “Payment Agents” to stay ahead of bank blacklists. The current active nodes in this network include:

• Cyperion Solutions Limited: (UK/Cyprus) The primary conduit for “NGPayments.”
• Novaforge Limited / Briantie Limited: Secondary shells used when primary accounts are throttled.
• Paygate: The technical switchboard for these transactions.

Conclusion & Regulatory Warning

This case proves that Paysafe (Skrill/Rapid Transfer) has a critical vulnerability: their infrastructure is being used to facilitate “unauthorized account” processing. Regulators like the FCA and CySEC must investigate why merchant accounts for “consultancies” like Cyperion Solutions are permitted to process third-party cards without matching the account owner’s identity.

Whistleblower Call to Action: Are you a victim of the Galaktika N.V. network? Did you find your identity used on unauthorized emails? Please send your evidence to Whistle42. We are especially looking for internal communications from the “V.Partners” or “Galaktika” affiliate teams.