What Madoff’s Bankers Could Teach the Customers of a Polish Crypto Exchange

What Madoff’s Bankers Could Teach the Customers of a Polish Crypto Exchange

2026-04-28

On the afternoon of April 20, 2026, a regulatory filing landed on the Warsaw Stock Exchange’s NewConnect market with the kind of dry, lawyerly cadence that tends to disguise consequence. Femion Technology, a small Polish payments company, was informing investors that its subsidiary TryPay had terminated, with immediate effect, its agreement to process payments for BB Trade Estonia OÜ, the Estonian operator of a crypto exchange known to its hundreds of thousands of Polish users as zondacrypto. The reason given was, by the standards of stock-exchange disclosures, almost gnomic: “The termination resulted from a negative outcome of a risk assessment conducted with respect to the continuation of cooperation under the Agreement.”

Several days earlier, without a press release or a stock-exchange filing — without, in fact, any document at all beyond a brief technical-support notice — a Lithuanian fintech called ZEN.COM had quietly told its users that linking a ZEN account to zondacrypto was no longer available. With that one sentence, ZEN withdrew from an integration that, since November of 2021, had served as the operational backbone of the exchange’s Polish business.

Two channels through which Polish złoty had flowed into Tallinn and back for years closed within a single week. The two institutions doing the closing — one Polish, one Lithuanian, each subject to a different national regulator — had access to information that no ordinary customer of zondacrypto could see. They saw the flows. They knew the balances. They ran the transaction-monitoring required by the European Union’s Fourth Anti-Money-Laundering Directive. And independently, in the same seven days, each of them concluded that whatever they had been seeing could no longer be tolerated.

This is the first, and perhaps the most important, fact in this story.

 

To understand why two letters in one week matter, you have to follow a Polish brand across borders. The exchange that became zondacrypto began life in 2014 as BitBay, a Polish company with Polish customers and a Polish bank. In 2018, the operation moved to a Maltese vehicle, Pinewood Holdings. In 2019, it migrated again, this time to BB Trade Estonia OÜ, in Tallinn. In November of 2021 came a rebrand to “Zonda”; in May of 2023, another, to “zondacrypto.” These were not, in the end, cosmetic moves. Each one carried the operator a step further from Polish supervision.

The Estonian VASP license that BB Trade Estonia carried (registration number FVT000209) allowed the company to serve Polish customers without falling under the supervision of Poland’s Financial Supervision Authority, the Komisja Nadzoru Finansowego, or KNF. The Polish regulator could not reach the operator in Tallinn. What the regulator could reach were Polish payment intermediaries — and that, in the years that followed, is where TryPay and ZEN found themselves, performing a function they were not formally licensed to perform: that of the last link between the Polish banking system and a foreign exchange.

The original payment processor for the Polish flow was a Gdynia-based company called Payment Technology, which by its peak was processing around two hundred and seventy-five million złoty a month for BitBay — roughly seventy million dollars. In April of 2022, Femion Technology acquired Payment Technology and assigned the BB Trade Estonia relationship to its own subsidiary, TryPay, which had previously been processing only fourteen million złoty a month. For TryPay, the move was transformative; for Femion, it was so strategic that the company restructured its entire group around payments.

There is a detail here that becomes important in retrospect. On October 3, 2024, the Gdańsk court declared Payment Technology — the original processor — bankrupt. On June 13, 2025, the KNF imposed an administrative fine of two hundred thousand złoty on the now-insolvent company, citing five separate provisions of the Polish Anti-Money-Laundering Act. Translated from the language of statutes into ordinary speech, the regulator’s decision found that Payment Technology — the institution that, for years, had processed hundreds of millions of złoty a month from Polish bank accounts toward what would become zondacrypto — had failed to identify its client, failed to identify the client’s beneficial owner, failed to monitor the business relationship, failed to document the work it claimed to have done, and failed to train its staff in any of these obligations. Five categories — which is to say, the entire architecture of what an anti-money-laundering compliance program is supposed to be. The fine is final; the company did not appeal.

This is not a coincidence requiring commentary. This is a signal requiring attention.

In November of the same year that BitBay rebranded as Zonda — that is, in 2021 — zondacrypto announced a partnership with ZEN.COM, under the joint marque “zondacrypto powered by ZEN.” A service called Pay with ZEN allowed users to link their exchange account to a ZEN wallet and to move funds in złoty, euros, dollars, lei, koruna, and forint, around the clock, in real time. From the customer’s perspective, this was a “deposit button.” From a regulatory perspective, it was a bridge between a Lithuanian electronic-money institution, or EMI, and an Estonian crypto exchange — a bridge across which Polish money was traveling.

ZEN.COM is, as it happens, the largest independent EMI in Lithuania by revenue, with consolidated 2025 group revenues exceeding one hundred and fifteen million euros and roughly seventeen percent market share in the third quarter of last year. In October of 2025, ZEN appointed Andrzej Duda — Poland’s most recent former President — to its supervisory board. In April of 2026, ZEN finalized the acquisition of a Ukrainian institution, PINbank, that had been confiscated from a Russian oligarch.

It was an impressive expansion. The question that the Lithuanian central bank had begun asking, however, was whether the expansion was matched by compliance maturity. And here Polish coverage, which only caught up with the story in December of 2025, missed a piece of context that, for Lithuanian observers, was unmistakable. The 1.8-million-euro fine that the Bank of Lithuania imposed on ZEN that month was not a first warning. It was a third.

 

What the Bank of Lithuania actually saw, when it conducted its supervisory review of ZEN.COM for the period between October 1, 2022, and February 15, 2024, makes for a portrait when read at distance.

It saw enhanced-due-diligence procedures for high-risk clients that existed on paper but were not consistently applied in practice. It saw a transaction-monitoring system that detected unusual activity but did not generate the alerts the Lithuanian regime requires — alerts that, under Lithuania’s goAML reporting framework, must reach the Financial Crime Investigation Service within three hours of a reasonable suspicion arising. (Three hours is among the shortest reporting windows in the European Union; “inadequate monitoring” in this context does not mean a delay of weeks. It means a structural inability to fire an alert at all.) It saw client funds that were not properly safeguarded — the very issue for which ZEN had received a sixty-thousand-euro fine in 2021. And it saw what the regulator described, with the kind of formulation any compliance officer recognizes immediately, as an “AML internal control” that “was not independent from business interests” — a polite way of saying that the second line of defense had been functioning as a sales-support team rather than as a control on sales.

Most damaging of all, the regulator concluded that ZEN had reported inaccurate data to it, including incorrect figures on active clients, accounts opened, and transaction volumes — three of the parameters that a regulator uses to calibrate the intensity of its supervision. False numbers in those three categories are not bookkeeping errors. They are an interference with the regulator’s capacity to do its job.

The fine — roughly 1.8 million euros — was the largest in the Bank of Lithuania’s history against an independent EMI. It was also the third in a sequence. The earlier two, of sixty thousand and thirty thousand euros respectively, dated from 2021, before ZEN’s relationship with Zonda even began — and concerned, in essence, the same problems: poor safeguarding, inaccurate reporting. The 2025 decision was less a one-time stumble than a pattern reaching its third decimal place.

ZEN appealed the decision in February of 2026 to the Lithuanian administrative court. A representative for the company offered a measured public statement: ZEN, he said, was “not contesting the supervisory process itself” but was exercising its right, “as a regulated entity, to seek clarity on certain legal interpretations.” A trained reader will hear two notes in that formulation. The first: the company is conceding that the underlying state of affairs required correction. The second: the dispute is over interpretation, not facts.

There is a separate detail that the Lithuanian trade press recorded plainly and the Polish coverage did not. After the decision, ZEN agreed with the Bank of Lithuania on a remediation plan and submitted a voluntary audit report to confirm implementation. The compliance deadline was set for March 31, 2026. The Bank of Lithuania noted, however, that the voluntary audit had not assessed practical implementation — it had assessed document compliance. The auditors had verified that the company had policies. They had not verified that the policies meant anything in practice. The distinction is the entire question.

There is also the matter of ZEN’s processing of payments for online gambling platforms that are illegal in Poland. In April of 2026, the Polish news network TVN24 reported that ZEN had been handling payments for several gaming and “skin-betting” sites — Key-Drop, Skin.Club, CSGOroll — that appeared on a register of forbidden domains maintained by the Polish Ministry of Finance. The technical scheme was straightforward enough: payments were routed first through Cypriot intermediaries, which allowed ZEN to maintain that it was processing for E.U.-registered entities and not for gambling operators. The geo-blocking that ZEN had announced for Polish users, the journalists found, did not actually work. ZEN’s defense was jurisdictional: as a Lithuanian company, it was not bound by Polish gambling law. This was formally correct, and entirely beside the point. Lithuanian anti-money-laundering rules apply territorially according to the location of the service provider — that is, according to where ZEN is sitting — not according to where the end customer happens to be placing his bet.

 

To see what is at stake here, it helps to leave Tallinn and Vilnius for a moment and travel to Manhattan, in the spring of 2007.

The setting was a midtown lunch. John Hogan, the chief risk officer of JPMorgan Chase’s investment bank, was eating with a colleague named Matt Zames. Zames, in the course of conversation, mentioned to Hogan that there was, in his words, “a well-known cloud over the head” of a man named Bernard Madoff, and that Madoff’s investment returns were “speculated to be part of a Ponzi scheme.” Hogan returned to his office and instructed a junior analyst to perform a Google search. The search did not, the analyst reported, produce hard evidence. The matter was closed.

I bring this anecdote up at the head of the section because, when an American prosecutor obtained a copy of the e-mail Hogan sent during that lunch — I am sitting at lunch with [the JPMC executive] who just told me that there is a well-known cloud over the head of Madoff and his returns are speculated to be part of a ponzi scheme — and put it into the public record, he did so as paragraph 45 of a document titled “Statement of Facts,” which JPMorgan Chase Bank, N.A., signed and “admitted and stipulated” to be true and accurate. This was January 6, 2014: the day the bank entered into a Deferred Prosecution Agreement with the United States Attorney for the Southern District of New York, paid 1.7 billion dollars in forfeiture, and accepted a two-count criminal information charging it with failing to maintain an effective anti-money-laundering program and failing to file a suspicious-activity report.

There is a particular kind of clarity that arrives when a global bank concedes that what its prosecutor says about it is, in fact, what happened. The Statement of Facts that JPMorgan signed describes mechanisms whose later iterations one can recognize, with a certain shock of recognition, in the records of a Polish payment processor handling a Polish crypto exchange.

For more than two decades, Madoff’s Ponzi scheme — which at its collapse held what was thought to be sixty-five billion dollars and was actually held together by some three hundred million in real assets — ran almost entirely through a single demand-deposit account at JPMorgan and its predecessors, an account that became known in the bankruptcy proceedings as the “703 Account.” Between 1986 and December of 2008, that account received and disbursed roughly a hundred and fifty billion dollars, almost all of it from Madoff investors. In August of 2008, the balance peaked at 5.6 billion. By the day of Madoff’s arrest, on December 11, 2008, it was 234 million. A Court of Appeals for the Second Circuit later described the obvious anomaly: an account through which billions were flowing, allegedly to purchase securities, showed a “glaring absence of securities activity.” Nobody at the bank, on the surface, was buying anything.

There were red flags before the Hogan lunch, and red flags afterward. In the mid-1990s, employees of JPMorgan’s Private Bank predecessor identified a series of “round-trip” transactions, of tens of millions of dollars a day for years, between Madoff and a Private Bank client. In November of 1994, a Private Bank employee called the abuses “outrageous” and informed both Madoff and the client that the bank was aware that Madoff was using the float. (The client’s response, recorded in an internal memo, was that “if Bernie is using the float, it is fine with me, he makes a lot of money for my account.”) Two years later, a competitor bank — in the Statement of Facts it appears, in a flourish that Don DeLillo might admire, simply as “Madoff Bank 2” — investigated the same transactions, concluded they had no legitimate business purpose, terminated its relationship with Madoff Securities, and filed a suspicious-activity report. JPMorgan was informed of the closure. The bank did not file its own SAR. It did not terminate the relationship. It asked the Private Bank client to repay the interest, and went on with the business.

In January of 2007, JPMorgan’s automated AML system flagged the 703 Account: in a single day, the account had received seven hundred and fifty-seven million dollars in third-party wires, twenty-seven times its average daily inflow, almost all of it from Madoff “feeder” funds. The investigators closed the alert with a note that the activity was “not unusual compared to the account’s prior activity.” When they tried to consult the know-your-customer file for Madoff Securities, they received an error message indicating that no file was available. They did not pursue the matter further than a glance at the company’s website.

In October of 2008, an analyst on JPMorgan’s London-based Equity Exotics Desk drafted what came to be known as the October 16 Memo. The Memo questioned the bank’s ability to verify Madoff’s trading activity or even the existence of his assets. It noted Madoff’s “odd choice” of a small, unknown accounting firm. It observed that some of the feeder-fund managers themselves “appear[ed] very defensive and almost scared of Madoff,” to the point where “no one dares to ask any serious questions as long as the performance is good.” On October 29, 2008, on the strength of the Memo, JPMorgan filed a suspicious-activity report — but it filed it in the United Kingdom, with the Serious Organised Crime Agency. It did not file one in the United States, the country where Madoff was operating, where the 703 Account was located, and where the bank was headquartered.

In the weeks that followed, JPMorgan also began withdrawing its own money from the Madoff feeder funds. By the time of Madoff’s arrest in December, the bank had pulled approximately two hundred and seventy-six million dollars of its proprietary capital out of those funds. It did not inform American regulators. It did not inform other investors. It did not file an American SAR. The 703 Account, meanwhile, continued to drain: 5.6 billion in August of 2008; 3.7 billion on October 16, the day of the Memo; 3 billion on October 29, the day JPMorgan reported Madoff to the British; 550 million five days after that. About ninety per cent of the balance went out the door, in those few weeks, to investors being paid fictitious “redemptions” with the money of other investors who would not be paid at all.

When the Statement of Facts that JPMorgan signed in 2014 calculated the bank’s forfeiture amount — the 1.7 billion dollars — it calibrated the figure to the funds that had moved through Madoff’s accounts at the bank between October 29, 2008, and Madoff’s arrest. The number, the prosecutor wrote, was “substantially greater than the value of all the funds redeemed by JPMC from the Madoff-linked feeder funds.” Which is to say: the criminal penalty was set, deliberately, to the amount the bank had let flow onward to other victims after the bank itself had decided that the money was probably going into a pyramid.

The 1.7 billion dollars went, by the federal “remission process” administered under 28 C.F.R. Part 9, to Madoff’s victims. This is a detail worth holding onto.

 

There is a public commentary, of the kind that tends to surface in the comment sections beneath articles about cases like zondacrypto’s, that runs as follows: anti-money-laundering law is not, strictly speaking, a tool for consumer protection. Its primary function is to detect money laundering, not to compensate the customer at the end of the chain.

That is true. It is also incomplete in a way worth being precise about.

Polish AML law imposes obligations on what it calls an “obligated institution” — TryPay, in the case at hand — toward its own client. The client of TryPay, in the AML sense, was not the individual Pole depositing five thousand złoty. The client of TryPay was BB Trade Estonia OÜ, the operator of zondacrypto. It was BB Trade Estonia whose risk TryPay was supposed to be assessing. It was BB Trade Estonia whose source of funds TryPay was supposed to be verifying. It was BB Trade Estonia whose business model TryPay was supposed to be classifying as high or low risk. The KNF’s June 2025 decision against Payment Technology — TryPay’s predecessor in this very relationship — found, very precisely, that none of this had been done. The breach was not abstract. It concerned the specific client whose later collapse stranded the Polish customers.

The DPA of January 6, 2014 — the JPMorgan settlement — answered the rest of the comment-section objection in a way that no academic exposition could. The mechanics of how the United States compensated Madoff’s victims were these: the prosecutor identified a violation of the Bank Secrecy Act; the bank entered a Deferred Prosecution Agreement; the forfeiture sum was calibrated to the money that had flowed onward after the bank should have intervened; the funds were distributed to the victims through the federal remission process. The argument that AML is not a consumer-protection tool collapses, in such a moment, into observation: the consumer is being paid out of the AML enforcement.

In Polish law, the same mechanic exists, in a different idiom. Article 46 § 1 of the Penal Code allows a court, in a criminal proceeding, to order an obligation to repair damage to the injured party. Article 45 permits the forfeiture of pecuniary benefits, with subsequent distribution. The instruments are not identical to the American remission process, but the logic is the same.

There is, in any event, a deeper argument in the zondacrypto case — one that does not require the AML analogy at all.

For at least four consecutive years, BB Trade Estonia OÜ filed with the Estonian commercial register, e-äriregister, an audited annual report. The reports are public. They cost a few euros to download (or nothing at all, for a regulated entity with an obligation to read them). And, read in sequence, they tell a story that any compliance officer at any payment intermediary servicing this client should have been able to read in an afternoon.

The 2021 report, filed in November of 2022, carried what is known in the auditing profession as a disclaimer of opinion. This is the most extreme reservation an auditor can issue: a public statement that he cannot tell you whether the financial statements before him reflect financial reality. The auditor in question, Anton Mullo of the Estonian firm Crowe DNW, listed his reasons. The balance sheet contained Bitcoin holdings worth a hundred and forty-five million euros, kept in a wallet to which the management of the company, “citing internal security procedures,” had refused him access. There were further crypto holdings worth nine million more, for which management had produced neither statements nor wallet addresses. There was a Litecoin position of two million euros for which management had produced an address “in an old format,” which could not be verified on any public blockchain explorer. There were tokens — QARK, BCP, XBX — that were being valued, the auditor noted, at “the company’s internal exchange rates,” because no external market for them existed.

But the most revealing entry was a line of customer liabilities of thirty-four million euros which, the auditor reported, “could not be allocated to specific customers due to the architecture of the company’s accounting system.” The company holding these funds, in other words, was reporting that it could not tell you which of its customers the funds belonged to.

This is not a “watch this space” signal. It is a signal that — under Article 41 § 1 of the Polish AML statute, which speaks in plain terms about the suspension of business relationships pending clarification — would warrant an immediate intervention by any obligated institution holding a relationship with the company. Such an institution had a legal obligation to read the report; the auditor’s disclaimer of opinion was not a private letter to the management. It was filed in a public registry on November 30, 2022.

Nothing was suspended. The processing continued.

The pattern thereafter does not soften. The 2022 report, filed in January of 2024, carried an opinion with reservations: the new auditor, Sergei Tšistjakov, of Assertum Audit, could not verify a hundred and fifty-five million euros of crypto holdings, because the third parties holding the wallets did not provide confirmations. The 2023 report, filed in June of 2024, carried another reservation: a hundred and seventy-two million euros of crypto holdings whose existence could not be tested against any external evidence of the company’s “meaningful control.” The 2024 report, filed at the end of July of last year, finally carried a clean opinion — but the bilance, when read carefully, made clear that the structural problems had not vanished. They had only migrated.

In a single year, BB Trade Estonia issued loans to related parties in the amount of about ninety million euros. One of those loans — for seventy-five million euros, denominated in cryptocurrency, at a variable rate — was a single instrument. The “other receivables” line on the balance sheet contained an additional thirty million euros in “advance payments to a related party,” with no contract title, no described counter-performance. And in the same year, the company’s liabilities to its customers had grown from three hundred and eight million euros to six hundred and forty-eight million — of which a category newly labeled “liabilities arising from the use of customer funds” had grown from nineteen million to eighty-three million.

Liabilities arising from the use of customer funds. The phrase deserves its own line.

 

It is here that one needs to lay the company’s customer agreements next to its audited reports.

Between 2018 and 2022, the operator of the exchange — under its various brands — issued at least six successive versions of its customer terms and conditions: October 5, 2018; May 9, 2019; October 1, 2019, the day after BB Trade Estonia OÜ was incorporated; June 15, 2020; October 26, 2021, the day of the rebrand to Zonda and the launch of “Pay with ZEN”; and April 1, 2022, the day on which BB Trade Estonia OÜ became the legal counterparty to the customer relationship. Each of these versions required active acceptance by the customer. Each of them stated, in essence, the same thing: that customer funds were segregated from the funds of the company, that the company was acting in a fiduciary capacity, and that the customer’s virtual assets were secured in a manner that prevented the company from disposing of them without the customer’s instruction. These are the foundational representations on which any licensed exchange, any EMI, any bank, makes its relationship with a customer legible at all.

The audited reports, meanwhile, were saying something else.

The 2020 report noted that the company had “exercised its right to use customer funds” in the amount of nine hundred and six thousand euros. The 2021 report, the one with the disclaimer of opinion, contained an explicit citation, in Annex 12, of the operative customer terms: “according to the current customer agreement terms, the company has the right to use the funds held in customer accounts.” (That sentence was filed in a public register on November 30, 2022.) The 2022 report renamed the line item; it now read “liabilities arising from the use of customer funds,” and it stood at 1.8 million euros. The 2023 report: nineteen million. The 2024 report: 82.7 million.

Read in succession — 906,000; 1.8 million; 19 million; 82.7 million euros — that is not a sequence of exceptional events. It is a straight line of exponential growth across four consecutive fiscal years, three successive boards of management, two successive auditors, and six successive versions of customer-facing terms. Every one of those variables could have been the moment of correction. None of them was.

What this means, for the customer who at registration accepted a clause guaranteeing the segregation of his funds, is that the same company was, in the same period, publicly attesting to its auditor that it was using the funds, that it could not say which customer’s funds were which, and that it had been deploying them — one notes the destination — in loans to related parties. The constructive elements of Articles 84 and 86 of the Polish Civil Code, governing actions taken under a mistake induced by the other party to a contract, do not, in such a configuration, require lengthy proof. One simply lays the two documents alongside each other.

For an intermediary — a TryPay, a ZEN — the same fact has a different weight. The intermediary’s obligation, under the AML statute, was not to read the customer’s mind; it was to read the customer’s filings. Each year, those filings reaffirmed and deepened the gap between what BB Trade Estonia was telling its customers and what BB Trade Estonia was telling its auditor. Permanence is the word for what this was. A first-year compliance officer, encountering it in 2022, might have called the problem an isolated accounting irregularity. A third-year officer, encountering the same item in successive reports through 2024, would have had no honest way of doing so. He would have been looking at a structural feature of the business model — a feature that, under the AML statute’s risk-based approach, requires either enhanced due diligence or termination. What TryPay finally did on April 20, 2026, was the textbook response. It came roughly three and a half years late.

 

There is a useful obverse to all of this. In the United States, the trustee in the Madoff bankruptcy, Irving Picard, spent years — and tens of billions of dollars in litigation — attempting to reconstruct what JPMorgan had seen on the 703 Account. The Statement of Facts that the Department of Justice ultimately produced, in January of 2014, drew on internal e-mails, lunch-table memoranda, and confidential due-diligence files that no one outside the bank had been able to see for the entire duration of the scheme. The October 16 Memo had to be subpoenaed. The Hogan e-mail had to be subpoenaed. The Madoff Banker 1 certifications, recurring annually since the mid-1990s, had to be subpoenaed. It was only in the document that JPMorgan signed — admits and stipulates — that the documentary trail became, finally, public.

The audited reports of BB Trade Estonia, by contrast, are not anyone’s secret. They were filed in a state register in Tallinn at the moment of their making. The 2021 disclaimer of opinion has been openly available since November 30, 2022. The “liabilities arising from the use of customer funds,” in their growing trajectory, have been openly available since the dates on which each report was filed. There was, for the Polish AML compliance officer at TryPay, or the Lithuanian AML compliance officer at ZEN, no requirement to wait for a federal prosecutor in Manhattan. There was no requirement to wait for anything, in fact, except for the company’s own annual filing.

That is the difference, and it is the difference that defines the legal terrain Polish customers are now standing on.

 

Picard, as it happened, lost his appellate challenges. In June of 2013, the United States Court of Appeals for the Second Circuit upheld the dismissal of his claims against JPMorgan, HSBC, UniCredit, and UBS — claims that totaled approximately thirty billion dollars — on a doctrinal point known as in pari delicto. The court held that Picard, suing in the shoes of Madoff’s company, could not pursue third parties for participation in the fraud that the company itself had committed. Trustees, the court explained, may exercise the rights of the corporation in bankruptcy. They may not exercise the rights of the corporation’s creditors, who in such cases must sue on their own behalf, for their own injuries.

But the same court, in footnote 29 of the same opinion, was careful to record that its dismissal did not immunize the banks from anything. “It is not apparent,” the panel wrote, “why customers cannot bring their own actions against defendants. In fact, defendants make plain that customers have already filed such actions.” Three of those actions — MLSMK Investment Co. v. JPMorgan Chase, Shapiro v. JPMorgan Chase, Hill v. JPMorgan Chase — were named in the same paragraph.

This distinction matters more, perhaps, than the doctrinal headline. The trustee’s case for thirty billion ended on a procedural rock. The customers’ cases continued. So did the criminal track, six months later, with the DPA. So, indeed, are the customers’ cases continuing today: as recently as October of 2025, HSBC announced that it was setting aside 1.1 billion dollars to cover potential payouts in a Madoff-related action still pending in Luxembourg. Seventeen years after the fraud collapsed. The financial term is tail risk. The civilian term is that some bills come due late.

 

For the Polish customer of zondacrypto, then — the one who, in the spring of 2026, is wondering what just happened to his money — the lesson of the Madoff bankers, set against the open Estonian filings, is something more practical than the brand of doctrinal melancholy in which much commentary has been wading.

The money lost in a financial pyramid, the cases of the past two decades have suggested, rarely sits with the perpetrator. It sits with those who handled his operations. There are, in the Polish case, at least three avenues through which the customer can pursue that fact. The first — submitting a claim to the Estonian bankruptcy trustee of BB Trade Estonia — is necessary as a matter of form, and probably of limited material value: recovery rates in crypto-exchange insolvencies tend to land in the single digits. The second — the criminal investigation already underway at the Regional Prosecutor’s Office in Katowice, which is treating the customers’ losses as exceeding three billion złoty — is more promising, particularly if the procurator-led case is eventually expanded to include charges of fraud (Article 286 § 1) against the operator and abetting (Article 18 § 3) against the intermediaries who continued processing in the face of the public filings. Article 46 § 1 of the Polish Penal Code, in such a case, would create a mechanism functionally analogous to what Section 853(i)(1) and 28 C.F.R. Part 9 created in the JPMorgan settlement: a route by which money flows from a regulated institution back to the people whose money it was.

The third avenue — and here the Madoff comparison closes — is direct civil action against the intermediaries themselves. TryPay is a Polish licensed payment institution, supervised by the KNF, and an obligated institution under the Polish AML statute. It said, in its public stock-exchange filing of April 20, 2026, that its risk assessment of the continuation of the BB Trade Estonia relationship had produced a negative result. That sentence — issued under Article 17(1) of the Market Abuse Regulation as inside information — is not, in procedural terms, an allegation by a plaintiff. It is an admission by what may yet become a defendant. ZEN.COM has no equivalent disclosure obligation, but the operational fact is parallel: an institution that on April 14 was running an integrated “Pay with ZEN” service for zondacrypto was, on April 17, no longer doing so. The reason, under European AML rules, can be only one thing.

It bears noting that the banks that handled Madoff never made any such public statement. There was no JPMorgan filing in the autumn of 2008 saying that the continuation of cooperation with Bernard L. Madoff Investment Securities was unacceptable on risk grounds. The reason their litigation took five years from the collapse to the DPA, and seventeen years from the collapse to HSBC’s recent reserve, is that the trustee and the customers had to construct, by inference and subpoena, what the banks had concluded internally and never said.

The Polish customer of zondacrypto begins from a different place. He has the disclosures. He has the public filings. He has, in BB Trade Estonia’s annual reports, the constructive knowledge of every intermediary who had a regulatory duty to read them. He has the KNF decision. He has the Bank of Lithuania decision. He has, in TryPay’s own ESPI report, a sentence whose evidentiary character is rare in the history of cases like this one.

It is a starting point, not a conclusion. Whether the Polish doctrine of liability under Articles 415 and 422 of the Civil Code, married to the AML obligations and to the specific facts of misrepresentation between the customer terms and the audited filings, will prove robust enough to compensate the people whose money is in Tallinn, is a matter for the Polish courts, and for the years that will follow. The Lithuanian route, where investor litigation against financial intermediaries is more developed, may prove parallel.

What is certain is the direction of the gaze. Customers who, in April of 2026, are looking only at Tallinn are looking the wrong way. Money does not leave its mark with the recipient at the end of the chain. It leaves the mark at the points of control through which it moved. Madoff demonstrated this. The banks that handled him are still paying — in civil settlements, in criminal forfeiture, in reserves announced seventeen years after the fact.

The customer of zondacrypto has one further advantage that the customer of Madoff did not. The red flags were never hidden in the internal systems of the intermediary. They were not extracted by a federal prosecutor over five years. They were filed, every November or every January, in a public register in Tallinn, in the language of the country’s commercial code, and bound at the end with a name and a license number. Anyone with an obligation to read them could read them. The question of why they were not read — or were read and ignored — is the question that the litigation, when it comes, will be about.

Topical publications

A Wallet, a Decade, a Question
2026-04-25

A Wallet, a Decade, a Question

The address that the C.E.O. of zondacrypto pointed to as proof of 4,503 BTC in reserves has not made a…

read more
Swiss Investment of Zonda
2026-04-22

Swiss Investment of Zonda

How four annual reports from a European crypto exchange tell us—and then stop telling us— about a Swiss bank, about…

read more
Sylwester Suszek – The Exit, in Five Acts
2026-04-21

Sylwester Suszek – The Exit, in...

By Robert Nogacki · Skarbiec Law Firm · April 21, 2026 On April 16, 2026, the president of zondacrypto, a…

read more
See more publications