Papaya Ltd.

Payment Solution Provider

DAREX Tier: Not applicable (digital assets service providers only)

Papaya Ltd is a Malta-authorized Electronic Money Institution (EMI) powering the Blackcatcard ecosystem. While providing legitimate SEPA and card services, the firm has been flagged for systemic AML failures, leading to a major €279,756 FIAU fine in 2023. Links to sanctioned individuals (historic) and a focus on high-risk jurisdictions necessitate heightened merchant and counterparty scrutiny.

R42 Risk Signal

🔴 Risk Signal: RED (High Risk) Confidence Grade: A (95%) * Reasoning: The assignment of a Red signal is driven by the 2023 FIAU administrative penalty which cited “systemic” failures in identifying Source of Wealth and monitoring high-risk clients. Furthermore, the company’s former director, Frederic Villa, was sanctioned by OFAC in 2023 for ties to Russian sanctions-evasion networks. While Papaya dissociated from Villa, the residual compliance “taint” and its business model (B2B correspondent banking for other fintechs) present high structural risk.

Key Data Table

Feature Data Details
Primary Brand Blackcatcard
Main Domain papaya.eu / blackcatcard.com / blackcat.app
Legal Entity Papaya Ltd
Jurisdiction Malta
Reg. Number C 55146
Registered Address 31, Sliema Road, Gzira, GZR 1637, Malta
Regulatory Status Authorized EMI (Financial Institutions Act, Cap. 376)
Regulator Malta Financial Services Authority (MFSA)
Ultimate Beneficial Owner (UBO) Igor Badanov (Significant Control) / Igor Tsybolyuk (CEO)
Auditor KSi Malta (Current/Recent filings)

5) Operational Overview

Papaya operates as a dual-facing fintech:

  1. B2C: Direct consumer banking through the Blackcatcard app, offering IBANs, Mastercards, and crypto-asset integration.

  2. B2B: Acting as a “Banking-as-a-Service” (BaaS) provider, enabling other (often unlicensed) fintech startups to issue cards and process SEPA payments under Papaya’s license.

Regulatory Framework

  • EMI License: Authorized to issue e-money and provide payment services.

  • Passporting: Licensed to operate across the EEA via MiFID/PSD2 passporting.

  • AML/CFT: Subject to Malta’s PMLA (Prevention of Money Laundering Act).

Ownership & Executives

  • Igor Tsybolyuk: Current CEO and public face of the company.

  • Igor Badanov: Frequently cited in regulatory filings as a key controller/BO.

  • Historical Note: Frederic Villa (former Director) was designated by the US Treasury (OFAC) on Feb 24, 2023, as part of a Swiss-Italian network aiding the Russian military. Papaya terminated his position immediately following the news.

Corporate Structure

  • Parent: Historically linked to various holding companies in Cyprus and Malta.

  • Partnerships: Crypto services are technically outsourced to Manerio Sp. z o.o. (Poland) to bypass direct EMI crypto restrictions in certain jurisdictions.

Technical Footprint

  • IP Space: Cloudflare-protected infrastructure.

  • App Ecosystem: Available on Google Play and Apple App Store (Blackcatcard).

  • Associated Domains: fintech.papaya.eu, blackcatcard.online, m.blackcatcard.com.

Merchant/Customer Footprint

  • Heavy presence in Eastern Europe and the CIS region.

  • Popular among “digital nomads” and users requiring non-resident EU IBANs.

  • B2B clients include white-label card programs for crypto exchanges and affiliate marketing platforms.

Enforcement/Litigation History

  • June 2023: FIAU Fine of €279,756. Failures included:

    • Failure to establish Source of Wealth (SoW).

    • Inadequate monitoring of multi-million Euro transactions.

    • Failure to classify high-risk customers correctly (specifically those with “personal connections” to the UBO).

  • Litigation: Active appeals against regulatory fines are common for Maltese EMIs, though the fine remains a public record of failing.

Red Flags

  • 🚩 Sanctions Proximity: Historic ties to OFAC-sanctioned leadership.

  • 🚩 AML Failures: Direct evidence of “systemic” due diligence shortcomings.

  • 🚩 High-Risk Client Base: Focus on non-resident accounts and high-velocity crypto-related transfers.

  • 🚩 Complex UBO Relations: FIAU noted “personal connections” between Papaya’s BO and high-risk customers, suggesting potential conflict of interest or “friendly” oversight.

Merchant Due-Diligence (MDD) Checklist

  • [ ] Verify current SEPA participation status (via EPC register).

  • [ ] Request updated AML/KYC Policy regarding “Source of Wealth” (given FIAU findings).

  • [ ] Screening: Check for any ongoing “Follow-up Directives” from the FIAU.

  • [ ] Confirm crypto-segregation: Ensure crypto funds are legally held by Manerio Sp. z o.o. and not the EMI entity.

Evidence Box (Sources)

Update Log

  • April 2026: Profile updated to reflect continued EMI status despite historical penalties.

  • June 2023: Major update following FIAU fine publication.

  • Feb 2023: Emergency update following OFAC designation of former director.

Whistle42 Call to Action

Do you have inside information regarding Papaya Ltd’s high-risk merchant onboarding or potential AML bypasses? Report anonymously via Whistle42 to help maintain financial integrity.

Rate and write a review

Your email address will not be published. Required fields are marked *

Regulatory &
Risk Snapshot

DAREX Tier:
Not applicable (digital assets service providers only)
DAREX reflects structural regulatory exposure and operational continuity sensitivity. It is not a credit rating or solvency assessment.
Learn more about the DAREX methodology →

Risk Signals:

Rails & Exposures:

Main Jurisdiction(s):

Malta
Write a review Review
Report listing
Svg Vector Icons : http://www.onlinewebfonts.com/icon