The Yapily Leaks: Internal Email Exposes Blacklisting of Whistleblowers instead of Illegal Casinos

A recent data leak via an accidental email has exposed questionable compliance practices at the Open Banking platform Yapily. Instead of investigating a reported illegal casino, Yapily’s compliance team instructed their partner, Klyme, to blacklist the complaining user. This case highlights the role of Open Banking facilitators in the illegal gambling industry.

Key Findings:

• Accidental Leak: Yapily’s compliance team accidentally forwarded an internal instruction to a complaining customer instead of their partner, Klyme (www.klyme.io).
• Retaliation vs. Remediation: The internal email explicitly requests that the user (PSU) be blacklisted from using Yapily’s services, rather than suspending the illegal merchant.
• Regulatory Arbitrage: Despite the user being Dutch and the casino violating Dutch law, Yapily only inquired about access restrictions for Lithuania—likely to appease their home regulator (Bank of Lithuania) while ignoring cross-border illegality.
• Delayed Response: The compliance team took nearly two months (Dec 2025 to Feb 2026) to address a serious AML and regulatory complaint.
• The Klyme Connection: The emails confirm that Klyme (klyme.io) acts as the merchant/intermediary using Yapily’s license to process payments for the unlicensed casino Winhero.

The Whistleblower Report

FinTelegram has received a new submission via our Whistle42 platform involving Yapily, a UK and Lithuania-based Open Banking infrastructure provider. A Dutch player deposited funds into the unlicensed online casino Winhero (www.winhero.com) using Yapily’s payment rails.

The leaked Yapily email to Klyme

When the player realized the casino was operating illegally in the Netherlands—without authorization from the Kansspelautoriteit—they filed a formal complaint with Yapily in December 2025, requesting a refund and clarification on Yapily’s KYC checks.

The “Oops” Moment

For nearly two months, the player received only silence. Then, in February 2026, they received a reply. However, the email from [email protected] was not meant for the player. It was an internal directive addressed to the “Klyme Team,” which was CC’d to the player by mistake.

This accidental disclosure provides a rare, unvarnished look into how High-Risk payment processors handle consumer complaints regarding illegal activities.

Analysis: Protect the Volume, Block the Complainer

The leaked email (see screenshots below) reveals a shocking approach to compliance.

1. Shooting the Messenger In the email, Yapily’s Compliance officer writes: “We are also requesting that the Payment Service User identified would be blacklisted from using Yapily’s services to send funds to any of your clients.” Rather than investigating why their infrastructure is servicing an unlicensed casino, Yapily’s immediate reaction was to ban the whistleblower to prevent further complaints. This suggests a “kill the messenger” culture intended to protect transaction volumes.
2. The Lithuanian Loophole The player explicitly stated they were Dutch and that the casino was violating Dutch law. However, Yapily’s internal questions to Klyme were: “Description of the measures the merchant implements to restrict access for players from Lithuania.” Yapily Connect UAB (website) is licensed by the Bank of Lithuania (No. LB002045). By focusing solely on Lithuanian players, Yapily appears to be engaging in “compliance theater”—ensuring they look clean to their direct regulator while knowingly facilitating illegal transactions in other EU jurisdictions like the Netherlands and Germany.
3. The Klyme & Winhero Stack The email confirms that Klyme is the entity integrating Yapily’s Open Banking API. Klyme appears to be acting as the payment aggregator for Winhero. This structure is similar to the “payment stacks” FinTelegram has previously uncovered, such as the cooperation between Yapily and the Bulgarian Contiant, which also facilitated high-risk gambling traffic.

Download the Yapily Compliance Report 2026 here.

Conclusion

The evidence suggests that Yapily and its partner Klyme are failing in their duty of care. When alerted to money laundering risks and illegal gambling (unlicensed solicitation in the Netherlands), the response was to shield the merchant and ban the consumer.

This incident raises serious questions about Yapily’s monitoring capabilities. If they cannot identify that a merchant is an unlicensed casino until a user complains, and their response to the complaint is to blacklist the user, their AML/CTF frameworks are fundamentally flawed.

We have made the full compliance report, including the raw screenshots and email headers, available for download here.

Call to Action: Help Us Expose the Stacks

This case proves that user reports frighten these operators. The accidental email shows that Yapily is terrified of “urgent legal matters” but reacts by trying to silence the user.

We need your help to uncover more.

Are you a player who has deposited at an illegal casino (e.g., Winhero, NineCasino, various Curacao brands) using Yapily, Klyme, Contiant, or Volt?

• Did you use “Instant Bank Transfer” or Open Banking?
• Have you been refused a refund?
• Do you have bank statements showing the receiver of funds?

Report it to Whistle42! FinTelegram and Whistle42 will use this data to assist lawyers and regulators in holding these facilitators accountable. Your information could be the key to recovering losses for thousands of players.