The Exchange That Promised to Keep Your Coins Safe. A Post-Mortem

Kancelaria Prawna Skarbiec · Robert Nogacki, attorney at law

April 19, 2026. Fifth in a series: “Zondacrypto – How to Recover Your Money?” (April 9), “Zondacrypto – The Exchange That Lent Out Your Money” (April 13), “The Keys Are With Suszek: Anatomy of an Alibi” (April 16), “The ZND Token and the Olympic Token: Air in a Can” (April 18).

I. The Signature That Wasn’t

Let’s begin with an operation that takes about five seconds and costs nothing.

Proving that a cryptocurrency exchange controls a given wallet requires from the exchange no financial or technical effort whatsoever. The industry recognizes two equally valid methods. The first is called message signing: the holder of the private key signs an arbitrary message chosen by the auditor, an off-chain operation, instantaneous, with no network fee. The second is the Satoshi Test: a micro-transaction sent from the verified address to an address specified by the auditor – publicly visible in the blockchain explorer. Message signing is regarded by compliance platforms as the “gold standard” for wallet-ownership verification – as Cryptoworth puts it in its audit-methods review, “message signing is now standard practice in crypto audits.” The Satoshi Test is the accepted alternative, used by Kraken and – as 21 Analytics documents – permitted under the FATF Travel Rule and the EU Transfer of Funds Regulation for transactions involving self-hosted wallets. Both methods prove the same minimal thing: that whoever claims to control an address actually possesses the private key to it.

A necessary caveat, which the American Public Company Accounting Oversight Board has raised with some insistence. Neither method proves an exchange’s solvency. They establish control of the address at a given moment – nothing more. They don’t tell you whether the assets at that address cover the exchange’s liabilities to its customers, whether they’ve been borrowed for the occasion, or whether the address represents some fraction of the true reserves. It is the bare minimum, the floor from which any serious proof-of-reserves analysis begins.

And yet: zondacrypto – the Polish-rooted cryptocurrency exchange now operating as BB Trade Estonia OÜ – had four occasions to perform one or the other of these operations. Four occasions over five years to produce a signature or a micro-transaction that would have, in minutes, resolved any question about the assets on its books.

The first came when Crowe DNW OÜ, an Estonian auditing firm, examined the company’s financial statements for the year 2021 in the course of 2022. The auditor, Anton Mullo, concluded his work by disclaiming his opinion – a signal, in auditing language, considerably more grave than a qualified or adverse opinion. It means: I cannot determine what is true about the assets of this company. The second came the following year, when a new auditor, Assertum Audit OÜ, demanded proof of control over the customer cryptocurrencies and received, in exchange, the suggestion that a notarial affidavit might do the trick. The third came with the 2023 statements, when the same auditor reiterated the concern – this time with a qualification of 172 million euros. The fourth came on April 16, 2026, when the company’s chief executive, Przemysław Kral, issued a public statement identifying the address 16aEn4p6hK4FMpLtJGpoQZMZ946sDg1Z6n as the cold wallet holding 4,503 bitcoins – a moment when a single signed message, or a single micro-transaction, would have resolved the dispute with customers and the public in a matter of minutes.

Four occasions. No signature.

I want to pause here, because what follows depends on how one frames the question – and the framing I want to propose is not the one that came to me first.

The company’s defense, as articulated by Kral in his April 16 statement, rests on a single claim: that the private keys to the cold wallets were held by Sylwester Suszek, the founder of the exchange, who vanished on March 10, 2022, and who – as the current management tells it – never transferred the keys to his successors. In this narrative, zondacrypto’s insolvency is not a consequence of anything the current management did, but the aftermath of an unhappy accident: the disappearance of the one person who held control over the critical assets.

I don’t buy this story. In the chapters that follow, and particularly in Chapter V, I’ll show why the chronology of the audits and the successive auditors’ qualifications does not sustain it. But for the sake of argumentative cleanliness – and out of intellectual scruple – I want to set the question up this way instead: even if the story about the keys that disappeared with Suszek were entirely true, it would not, in any way, alter the legal situation of the current management. That observation, not the refutation of Kral’s narrative, is the spine of this article.

Suppose, for the sake of argument, that it was just so. Suppose that on March 10, 2022, in the moment Sylwester Suszek’s phone signal went dark at a gas station in Czeladź, the company lost control of the keys to its cold wallets. Suppose that, at that moment, the company could not return to its customers all the cryptocurrency those customers had entrusted to it in good faith. What should the management have done?

The answer is written, and has long been written, into the commercial law of every developed jurisdiction. The management should, first, have secured the remaining assets. Second – within a few days at most – informed customers that control of their funds had been lost. Third, notified the financial-supervision authorities in Estonia and, as regarded Polish customers, in Poland. Fourth, if the balance sheet showed that remaining assets could not cover liabilities, filed for insolvency within thirty days of identifying the grounds for it. That is the sequence any honest company follows when it encounters a sudden, external catastrophe.

Another path was chosen instead. From March, 2022 to April, 2026 – four full years – zondacrypto not only continued operating but actively drew in new customers, under marketing slogans every word of which lay in stark contradiction to what the management knew or should have known about the company’s condition. This promotional layer is not an addendum to the case. It is the case. Which is why it’s worth quoting what the exchange was telling the people whose money it was preparing to use.

On the official website, zondacrypto.com, in the section titled “Security of Funds”, the company assured its customers, throughout the entire four-year period, that “all funds in cryptocurrencies are held on what are known as cold wallets. This means they are not directly connected to the exchange’s servers. This guarantees that no third party will have access to them.” Read from April, 2026, the sentence acquires a grotesque quality. It turns out that exactly what was meant to guarantee security – the separation of the keys from the exchange’s servers – is precisely the reason, by the management’s own account, that customers cannot now retrieve their funds. The keys were indeed so thoroughly separated from the servers that, as the current management tells it, no one in the present leadership can access them. The “third party” the assurance warned against was, it seems, the current management itself.

Elsewhere on the same site, under the heading “Security”, the assurance was elaborated: “Security is our priority! We look after the security of our customers’ funds in many different ways.” And further: “Customer funds in fiat currencies are guaranteed by the bank. Through this, our customers’ money is protected against every eventuality.” At the same time, the 2024 balance sheet showed that BB Trade Estonia OÜ’s total cash holdings came to 9.7 million euros, while its liabilities to customers came to 722 million euros. The ratio is less than one and a half per cent. “Every eventuality,” it turns out, was rather narrowly defined.

In April, 2026 – literally in the weeks when customers were reporting en masse that they could not withdraw their funds – the company issued a press release: “A Revolution in Security. Meet zondacrypto calling”. One could read: “The security of your funds is our absolute priority. At zondacrypto we’re committed to two-way verification.” The new “zondacrypto calling” feature, billed as “a simple, elegant, and exceptionally effective protective shield for our community,” was meant to protect customers from – as the release explained – third parties who might be impersonating exchange employees. The company was, in short, offering an elaborately constructed defense against hypothetical phishing, in the weeks when the customers’ actual assets were imperiled by something entirely different.

The same April, 2026. The same chief executive who on April 16 says that the reserves of 4,503 bitcoins are in a wallet to which he has no key, because the keys belonged to the vanished Suszek. And who in the same weeks is pushing to the media a press release about “a revolution in security.” This sequence does not permit coincidence.

Throughout the four years, the zondacrypto brand was promoted in campaigns featuring brand ambassadors: the Polish soccer goalkeeper Wojciech Szczęsny, the actors Borys Szyc and Janusz Chabior. The 2024 campaign slogan was “Tales from Crypto.” At the Next Block Expo 2026 conference in Warsaw, where Zonda was named best exchange, the slogan displayed at the booth read “Trade tomorrow, today.” On social media the tagline was “The largest regulated cryptocurrency exchange in Europe.” Every one of these slogans served a single purpose: drawing in the next flow of customer deposits, which the company needed in order to pay out the customers who had already entrusted their crypto to it. In the classical mechanics of a Ponzi scheme, new deposits are what services older withdrawals, and the role of marketing is to keep the inflow steady. In zondacrypto’s case – where, as the management now tells us, customer cryptocurrencies had long ago ceased to be under the company’s control – that role of marketing ceased to be marketing. It became something closer to continuing participation in a criminal enterprise.

This is the point at which criminal law has a great deal to say. Every day on which the company accepted new deposits, knowing that it could not in full honor its obligations to its existing customers, was a separate act satisfying the elements of Article 286 of the Polish Penal Code – fraud, count by count, on each new customer. The defense “we were just maintaining the narrative to prevent panic” does not exist in criminal law. Criminal law says: if you know you cannot perform the contract you are proposing to a new party, and you enter into that contract anyway, taking the party’s money – you have committed fraud. Every new customer whose bitcoin was used to pay out an earlier customer is a new victim. Every advertisement for the ZND token emission, every “Tales from Crypto” campaign, every press release about “an absolute priority of security” falls within the definition of misrepresentation under Article 286, § 1.

So we return to the question I began with. Does the narrative “the keys disappeared with Suszek” matter for the assessment of the current management’s liability?

If the narrative is false – as I’ll show in Chapter V, tracing the chronology of the audits – the current management is liable for the entire shortfall, including its origin, its growth, and its concealment.

If the narrative is true – the current management is liable for something different, but no less grave: that from March, 2022, knowing it had lost control over customer assets, it continued operating for four years, drawing in further depositors under marketing slogans whose falsity was evident to it. Instead of announcing “We’ve lost control of part of your cryptocurrencies. We are required to declare bankruptcy and to safeguard what remains” – which would have been the conduct of an honest management facing this situation – the management chose the path of pulling in new customers into a scheme in which it counted on the inflow of new deposits to mask the deficit long enough that it might be concealed forever.

In the first version, the management is liable for original fraud and its continuation. In the second, it is liable for consequential fraud, perpetrated and consolidated over four years, consisting in false assurances to successive customers about the safety of their funds. For the purposes of Article 286 of the Penal Code, the distinction between these two versions is not material. They are two different chains of criminal conduct leading to identical legal classification.

The rest of this article is concerned primarily with the first version, showing why the narrative about Suszek’s keys is implausible on its own terms. But I want the reader to bear in mind: even if every word of that narrative were true, the current management’s liability would be in no way diminished. The truthfulness of the narrative decides only which category of crime the conduct will fall into – not whether it will fall into any such category.

In this light, the four occasions for signing a message that I mentioned earlier take on an additional dimension. Each time the company could have produced proof of control over customer assets and didn’t, it was sustaining the narrative that “funds are safe.” And each time it sustained that narrative, it was accepting new customers in circumstances in which those customers were owed – as a matter of contractual loyalty and of the information obligation codified in Article 71 of the EU’s Markets in Crypto-Assets Regulation – a statement of a rather different content.

A second question opens, perhaps more important than the first. What was happening, in the period 2022–2026, to the money that customers, moved by the marketing slogans of a company whose management knew of a fundamental balance-sheet gap, continued to deposit? Customer liabilities rose from 164 million euros in 2022 to 722 million in 2024 – a fourfold increase over two years. Those funds physically arrived at BB Trade Estonia OÜ. They were booked somewhere. They had a counterweight somewhere. Something was happening to them. For four years. Day by day.

The answer – to which the analysis of the balance sheet, the regulatory history, the chain of terms of service, and above all the price of bitcoin points – is that the customers were never really depositors. They were participants in something no one named to them, but whose mechanism a man from Boston worked out one hundred years ago.

II. The Architecture of the Group. Who Holds Whom, Who Pays Whom

Between the customer who transfers a bitcoin to zondacrypto.com and the ultimate beneficial owner of the exchange lies a corporate structure spanning five jurisdictions and nine entities. It’s worth pausing on this structure, because its form alone – even before we look at the accounting – suggests a logic of extraction that becomes legible only from the top down.

At the top sits Divisio Holding AG, a Swiss stock corporation, registered at Baarerstrasse 78 in Zug (c/o Dr. André Terlinden, the standard domicile address of a law office – a typical practice for Swiss holding vehicles), with a capital of 100,000 Swiss francs, registered June 24, 2021, UID CHE-161.370.248. The ZND token white paper dated June 27, 2024 – the group’s official regulatory document in connection with its token issuance – states plainly on page 11: “the sole shareholder of DIVISIO HOLDING AG is Przemysław Kral, CEO of zondacrypto.” Divisio conducts no operational business. Its role is to hold shares in the operating subsidiaries.

The timing is worth noting: the Swiss vehicle was established a month after Kral assumed control of zondacrypto. Sylwester Suszek, the founder, stepped down as CEO in May, 2021, and Divisio Holding AG was registered on June 24, 2021. The new management’s first decision was not to restructure the exchange’s operations, not to reorganize the technical team, not to audit the reserves – but to establish a private holding vehicle in a Swiss jurisdiction. This order of events will recur through this article as a pattern.

Below Divisio sits BB Trade Estonia OÜ, registered in Estonia (registry 14814864), with its seat at Harju, Tallinn. This is the operational heart of the exchange – the entity that holds the licenses, maintains customer accounts, and is subject to the regulatory regime of the European Union’s Markets in Crypto-Assets Regulation (MiCA). It is also the entity whose consolidated financial statements we’ll be reading. Its board comprises Przemysław Kral (chairman), Karolina Gwózdź, and Ilie Cernișev; the management report is signed by Kral alone.

Below BB Trade Estonia OÜ, in turn, sit five subsidiaries in a 100-per-cent-owned structure:

Orion Software sp. z o.o. – a Polish limited-liability company based in Katowice, KRS registry 0000827257. Classification PKD 62.01.Z – software development. The president of the board is Przemysław Kral. The statutory capital was raised, step by step, from 5,000 zlotys to 3,005,000 zlotys through three successive capital increases in July, 2022, March, 2024, and July, 2024. Operationally, the company invoices BB Trade Estonia OÜ for IT services.

Zonda Token AG – a Swiss stock corporation, UID CHE-221.704.071, registered on December 14, 2021, with its seat in Zug at the same domicile as Divisio Holding AG. The board includes Przemysław Kral and Karolina Gwózdź. The company was brought into the group in January, 2022, which corresponds to the date of the domicile change in the Swiss commercial register. In the balance sheet it figures as a long-term investment of low book value; its operational role remains obscure.

ZND Ventures OÜ – an Estonian limited-liability company, registry 16382854, registered on December 6, 2021. Capital 10,000 euros. Employees, per the registry: zero. In 2022, BB Trade Estonia OÜ held 50 per cent of the shares; on January 10, 2024, it bought out the remaining 50 per cent and now holds 100 per cent. Kral is authorized representative (since June 28, 2023). The company’s earlier names were “Norion OÜ” (September 19, 2022 to May 26, 2023) and before that “Stenotype OÜ” (December 6, 2021 to September 19, 2022). These were historical names disclosed by the Estonian commercial register.

ZND.CO OÜ – an Estonian limited-liability company, registry 16874675, registered on December 6, 2023. Capital 10,000 euros. Employees: zero. Revenue: zero. The ZND white paper (page 16) states: “the entity responsible for the development of the software licensed to the Issuer and used by the Issuer to operate the Platform is ZND.CO OÜ.” Its managing director is Wojciech Piotr Sroka – who also runs ICEO Group. Until May 14, 2025, the company was jointly owned, 50 per cent by ZND Ventures OÜ and 50 per cent by ICEO RED 0 OÜ (that is, ICEO/Sroka). On May 14, 2025, ZND Ventures OÜ bought out ICEO’s stake; from that date, the company belongs entirely to the BB Trade Estonia OÜ group.

BB Trade Estonia Italian Branch – an operational branch in Italy, OAM number PSV48 (registration confirmed on zondacrypto’s official page). A branch, not a separate company – which means its liabilities are liabilities of BB Trade Estonia OÜ.

BB Trade Bahamas Ltd – a Bahamian company, included in the consolidated group in 2024. The jurisdictional purpose is self-evident; operational details unknown.

Outside the formal group sits ICEO Group, a conglomerate controlled by Wojciech Sroka: ICEO LAB Ltd. (United Kingdom, Companies House no. 11384164), ICEO RED 0 OÜ (Estonia, 16536033), ICEO RED I OÜ (Estonia, 16769599). The ZND white paper itself concedes, on page 33, “there is a significant conflict of interest” arising from the fact that ICEO was “responsible for the technical, economic and legal design of the ZND Token” while simultaneously holding a stake in ZND.CO OÜ – the company that licenses the software to BB Trade Estonia OÜ. This conflict of interest was acknowledged as significant by the company itself, in a regulatory document. It’s worth noting that during this same period Wojciech Sroka served as a board member of ZND Ventures OÜ (the entity 100-per-cent owned by BB Trade Estonia), signing its 2024 financial statements. Which means the same person simultaneously: (a) led a company inside the BB Trade/Divisio group, (b) held a 50-per-cent stake in ZND.CO OÜ through ICEO RED 0 OÜ, and (c) ran the external ICEO conglomerate. The conflict of interest the ZND white paper acknowledges as “significant” turns out, in the light of the ZND Ventures statements, to be deeper still – it encompasses simultaneous leadership roles on both sides of the relationship. The buyout of ICEO from ZND.CO OÜ in May, 2025 – to which we’ll return in Chapter IX – was an attempt to resolve this conflict ex post, during preparations for the MiCA CASP authorization application.

Graphically, the structure looks like this:

         Przemysław Janusz Kral (natural person)

               │

               │ 100%

               ▼

         Divisio Holding AG (Switzerland)

               │

               │ 100%

               ▼

      BB Trade Estonia OÜ (Estonia) ← CUSTOMER DEPOSITS ARRIVE HERE

               │

  ┌────────────┬───────────┴───────────┬────────────┬──────────┐

  │ 100%    │ 100%         │ 100%    │ 100%   │

  ▼      ▼            ▼      ▼     ▼

Orion Software  Zonda Token AG   ZND Ventures BB Trade  Italian

(Poland, IT)   (Switzerland)    OÜ (Estonia) Bahamas  Branch

                      │

                      │ 100% (from 05/14/2025)

                      ▼

                   ZND.CO OÜ (Estonia)

                   [ZND Platform software]

                      │

                      │ until 05/14/2025: 50% ICEO

                      ▼

                   ICEO RED 0 OÜ ← Wojciech Sroka

                      │

                   ICEO Group (UK/Estonia)

The diagram may look tangled, but it serves one simple observation: the entire group has a single ultimate beneficiary – Przemysław Kral. There are no outside investors with voting rights. There is no supervisory board with independent members (worth noting: only in March, 2025, on the eve of the CASP application, did the company announce the appointment of a three-person supervisory board comprising Bühler, Dżaniaszwili, and Chiellini – after six years of operation). A decision to transfer funds from one entity in the group to another is, from an ownership standpoint, a decision by Kral to move funds from Kral to Kral. With this one distinction: at the point of origin, those funds don’t belong to Kral. They belong to customers of the regulated Estonian entity.

III. The Chain of Terms of Service. A Clause That Arrived Too Late – and Left Too Early

Before we turn to the balance sheet, we must pause at something that in the prior articles in this series has appeared only in fragments: the chronology of zondacrypto’s terms of service. It is only in the light of that chronology that the full scale of the operation I’ve been writing about becomes visible. It is only then, too, that we can see just how evidentiarily thin the company’s defense in the civil and criminal proceedings to come will turn out to be.

The exchange that today operates under the zondacrypto brand has gone through several rebrandings and jurisdictional migrations over its lifetime. It was BitBay sp. z o.o. in Katowice. It was Pinewood Holdings Limited in Malta (from May, 2018). It was Pinewood Estonia OÜ in Tallinn (from November 1, 2019). And since 2021 it has been BB Trade Estonia OÜ, under the brand Zonda, renamed in 2023 to zondacrypto. Each of these operational changes was accompanied by an updated terms of service. And each of those terms, through the end of 2024, conformed consistently to exactly the same legal model.

That model can be put in a sentence: the exchange was not entitled to dispose of customer cryptocurrencies for any purpose other than the execution of their orders.

The Katowice version (BitBay sp. z o.o., 2017). The terms’ Section 3 stated in so many words that customer fiat funds “remain at the exclusive disposition of the User (no possibility of disposition of the deposited funds by BitBay beyond instructions issued by Users).” Analogous assurances applied to cryptocurrencies. The platform declared only the functions of matching counterparties and safeguarding assets on external, independent cold wallets.

The Maltese version (Pinewood Holdings Limited, May, 2018 – October, 2019). After the company migrated to Malta in response to recommendations from the Polish Financial Supervision Authority concerning Polish cryptocurrency operators, the terms continued in substantially the same form. The company’s marketing materials emphasized: customer cryptocurrencies are “held offline, away from the platform’s servers.” No investment clause. No lending clause. Not even a suggestion that customer funds could be used in any way beyond their safekeeping.

The early Estonian version (Pinewood Estonia OÜ, October 24, 2019). Upon migration to Estonia, the company issued a statement to customers: “the funds of all our users will be secure – we hold them in independent bank accounts and on external cold wallets, to which neither the platform nor the operator has access.” The new terms – again, no investment clause. The changes concerned adaptation to Estonian law, not modification of the exchange’s powers over customer cryptocurrencies.

The Zonda version (BB Trade Estonia OÜ, 2021–2024). After the rebranding to Zonda, the terms added in Section 5, paragraph 21 (or an analogous provision, depending on the version) a stipulation that the customer consented to the exchange’s authority to “hold funds transferred by the Customer, denominated in FIAT currencies or in Cryptocurrencies, with various external operators, in its own name but on the Customer’s behalf.” Note the phrase “on the Customer’s behalf.” The construction – known in civil law as a mandatum – means that the exchange may entrust assets to external custodians but must do so in the customer’s legal interest, never on its own account. This is not an investment clause. It confers no right to lend. It confers no right to operate delta-neutral strategies. It confers no right to act as a market maker.

And now the crucial fact, the one that reframes the whole case.

The December 30, 2024 version. For the first time in the platform’s history, the terms of service contained the following provision: “By accepting these Terms, the Customer consents to the use by zondacrypto in its own name of funds transferred to the Customer’s account, denominated in FIAT Currencies or Cryptocurrencies, as well as Cryptocurrencies acquired by the Customer in transactions conducted on the Exchange, and any digital assets, without obligation to pay the Customer any interest for the time during which zondacrypto used those funds.” This clause is not a gentle extension of the prior model. It is a change in the very nature of the legal relationship – from custody to quasi-loan. From this moment, under this version of the terms, the exchange may do whatever it sees fit with customer funds, without paying the customer any compensation on that account.

The provision appeared six months after the launch of the ZND Earn service in December, 2023; two months after the emission of the ZND token; in the same financial year in which the balance sheet showed a “customer-fund-use” line of 82.7 million euros.

The July 19, 2025 version (current). The “use on its own account” clause – is gone. In its place appears language about “holding or administering Cryptocurrencies” (Section 2, paragraph 3b). And in Section 2, paragraph 7, a new addition: the exchange “does not engage in speculation on Cryptocurrency prices (…) and is not a so-called market maker.” Simultaneously, a separate Terms of Service for the ZND Earn and ZND Farming Service took effect, relocating all the investment-related provisions into a segregated opt-in service; Section 7, paragraph 4 of that document permits the use of Earn-customer funds “for a range of operations conducted by zondacrypto or its related entities, including (…) the offering of secured loans, etc.”

Now trace the sequence in order.

Through December, 2024 – the terms of service do not permit the investment of customer funds in any form. In December, 2024 – the investment clause appears. In July, 2025 – the clause is removed from the main terms and relocated to a separate Earn-service document, which the customer must opt into consciously by moving funds to a dedicated ZND Platform.

This sequence carries three implications.

First, from the perspective of customers who deposited funds before December 30, 2024 – that is, the vast majority of the exchange’s customers – no legal basis existed, at the moment of contracting, for the investment of their cryptocurrencies. The contract each customer entered in 2019, 2021, 2022, or 2023 guaranteed a pure custodial model. Under Article 385¹, § 1 of the Polish Civil Code, the unilateral insertion of a clause in December, 2024 that fundamentally alters the nature of that relationship does not bind the customer. Its insertion through tacit acceptance (continued use of the service = acceptance of the new terms) – as UOKiK, the Polish competition and consumer-protection authority, has consistently held, and as Article 8, § 2 of the Electronic Services Act provides – is, in cases of material detriment to the consumer, not effective. A customer who never received individual, express notice of the change is not bound by it.

Second, from the company’s perspective – the 2022 and 2023 balance sheets, which showed “customer-fund-use” of 26.2 million and 19 million euros, respectively, and the 2024 balance sheet of 82.7 million, document operations conducted before the investment clause appeared in the terms. In other words: the company was using customer funds long before it inserted into the contract with customers the provision that might have permitted it. The December 30, 2024 clause was not creating a legal basis for current operations. It was trying to create one retroactively for operations already performed.

Third, the maneuver of July 19, 2025 – removing the investment clause from the main terms and relocating it to a separate Earn/Farming document – occurred in direct temporal proximity to the company’s deepening withdrawal problems, to its preparations for the MiCA CASP authorization application, and to the growing attention of regulators. If the December, 2024 clause was – in the management’s intent – an attempt to legalize actions already taken, the July, 2025 change was the reverse attempt: removing the attempting-to-legalize clause in order to shore up the narrative the company needed in its conversation with the regulator and the prospective trustee (“we never invested, we only held”). In six months, the same people, at the same company, inserted a clause into the terms and then removed it, camouflaging operations they had undertaken on the basis of no effective clause at all.

The argument directed at Earn customers – those who did sign the separate terms – was the principal subject of my April 13 article, “The Exchange That Lent Out Your Money.” Let me briefly restate it, and systematize it as three parallel points.

Argument one – scale. In Note 21 of the 2024 financial statements, the company reported interest income from Earn of 536,228 euros and interest expenses of 544,791 euros. At an annual reward rate of one to two per cent net – typical for Earn programs in this risk class – the capital actually engaged in the program in 2024 came to something between 25 and 50 million euros. But the “customer-fund-use” liability on the balance sheet rose in the same year to 82.7 million euros. The difference – at least 30 million euros of funds used in 2024 that have no counterpart in customer participation in Earn. That is a sum that could not be covered by the consent provided for in Section 7, paragraph 4, because the customers from whom it came never gave that consent. And that’s before one considers that Laen 7 alone (75 million euros in cryptocurrency) exceeds the entire estimated Earn capital by itself, meaning the defense “we invested only the funds of Earn customers, who consented to it” fails as a matter of arithmetic.

Argument two – form. Note one word in Section 7, paragraph 4 of the Earn terms. It is the word “secured.” The drafter of these terms – for all their generosity to the company – saw fit to limit the category of loans that could be made from customer funds to secured loans. Laen 7, as Note 3 of the 2024 financial statements flatly acknowledges, is unsecured (“Osad laenud on antud tagatiseta”). The only collateral disclosed in the document is a ten-million-euro mortgage against a loan with a 2.88-million balance, and an 18-ETH pledge against a 334,000-euro loan. Laen 7 does not appear in the collateral schedule. Even under the most forgiving reading of the Earn terms, Laen 7 exceeds the consent provided in them.

Argument three – time. The Earn terms took effect on July 19, 2025. The Earn service was launched in December, 2023 – eighteen months earlier, under no publicly known terms. Intragroup loans were booked in the 2022 and 2023 statements. The “customer-fund-use” line was 26.2 million euros in 2022 and 19 million in 2023. The document on which the company could defend these operations as covered by consent did not exist during the period when consent was required.

Three arguments, each sufficient on its own to undo the defense of “Earn customers consented.” The scale of the fund use exceeds the scale of the program. The form of the fund use (unsecured lending) exceeds the scope of the terms. The time of the fund use precedes the effective date of the terms. Together, they form a picture in which the Earn terms of July, 2025 – as, before them, the clause of December 30, 2024 in the main terms – function as a retroactive legalization of operations that had been carried on for years on no legal basis at all.

Let me sum up. As regards customers who deposited funds before December, 2024 – the terms never contemplated the right to invest those funds. As regards customers who deposited funds between December, 2024 and July, 2025 – the clause existed but was inserted unilaterally, without individual consent, most likely ineffective under Article 385¹ of the Civil Code. As regards Earn customers after July, 2025 – the clause exists, but it covers only secured loans, which are absent from the balance sheet. In all three groups, for every operation the company performed on customer funds, effective contractual basis is lacking.

A question arises, here, that cannot be avoided. If, from 2018 through the end of 2024, the terms explicitly forbade the investment of customer funds, then the “customer-fund-use” lines on the balance sheet – 26.2 million in 2022, 19 million in 2023, 82.7 million in 2024 – mean that the company, in a financial document audited by a statutory auditor, declared its use of assets over which it had no contractual right. This is not a matter of interpretation. It is an outright acknowledgment, in an accounting document, of conduct in breach of contract with the customer.

And from the acknowledgment of breach of contract to the legal assessment of that breach – the distance is short, and runs through Article 284 of the Penal Code (misappropriation), Article 286 (fraud), and Article 296 (causing damage in commercial transactions by a person charged with managing the property of an entity to which the assets were entrusted).

IV. The Balance Sheet, on the Assumption That the BTC Was Never There

Let’s turn now to the question that this article’s title poses. What remains on the balance sheet if we assume the 4,503 BTC from Kral’s statement never existed as an operational reserve of the company?

This is a technical question, because BB Trade Estonia OÜ’s consolidated balance sheet is a document with two layers: a layer of verifiable assets (cash, receivables, participations, platform) and a layer of unverifiable assets (customer cryptocurrencies in the company’s wallets). Two successive auditors – Crowe DNW OÜ in the 2021 audit and Assertum Audit OÜ in the 2022 and 2023 audits – flagged the second layer as impossible to verify. For 2021, the auditor disclaimed his opinion. For 2022, a qualified opinion, in which the auditor stated plainly that the assets “are in part held by third parties that do not issue confirmations in arrears or other documents capable of confirming the existence of those assets.” For 2023, a further qualification, this time in the amount of 172 million euros, and a note about the management’s proposal that the proof of control be replaced with a notarial affidavit.

Which warrants a technical aside – more careful this time than in the opening of this article, because what matters here is not the triviality of the proof, but its absolute availability. Message signing, in which the holder of a private key signs a message chosen by the auditor, is an off-chain operation: it requires no network fee, no waiting for block confirmation, no disclosure of the operational wallet. The signature is generated locally, in seconds, and can be verified by anyone with the public wallet address. The Satoshi Test is a more costly alternative (the Bitcoin network fee now runs around $0.48 per BitInfoCharts) and slower (block confirmation times on Bitcoin currently average 10 to 40 minutes per YCharts; Kraken in its verification process sets a three-hour window) but still technically undemanding. Either form of proof – for a company actually controlling the wallet – presents no difficulty whatsoever.

Yet: in the financial statements for 2021, 2022, 2023, and 2024, audited by successive auditors in 2022, 2023, 2024, and 2025, the company never produced a signed message or a micro-transaction. Nor did it produce them on April 16, 2026, when it publicly identified the address 16aEn… as its cold wallet – a moment when even the simplest proof of control could have resolved the entire dispute within minutes.

There are not many explanations for such a persistent refusal that are consistent with logic and the fundamentals of cryptography. The most economical is one: the company did not sign, because there was nothing to sign with. An argument, not a proof, but the argument leaves a mark on the walls of the case, because every alternative explanation requires assumptions more expensive than the hypothesis itself.

Let’s take this assumption for a working hypothesis, and see what the balance sheet looks like in its light.

Variant A – the company declares. The consolidated balance sheet as of December 31, 2024:

Item	Amount (EUR)
Assets: Cash	9,726,239
Assets: Cryptocurrencies (varud)	594,127,140
– of which customer cryptocurrencies	565,415,120
– of which own + ZND	28,712,020
Assets: Loans granted	121,256,817
Assets: Intangibles (platform)	35,517,123
Assets: Investments in subsidiaries	21,800,000
Assets: Other	23,510,000
Total assets	805,937,319
Liabilities: to customers	722,000,000
Liabilities: customer-fund-use	82,700,000
Liabilities: ZND token obligations	9,860,000
Liabilities: other	21,660,000
Total liabilities	836,220,000

In Variant A, the assets marginally fall short of the liabilities (by about 30 million euros), which the auditor regularizes in the equity line as accumulated losses. The company is presented as technically solvent, with substantial reserves in cryptocurrencies, but under pressure.

Variant B – the reserves don’t exist.

Remove the 565,415,120 euros of customer cryptocurrencies from the assets side of the ledger, on the hypothesis that the company has no verifiable control over them. Leave intact the other cryptocurrencies (28.7 million, which presumably include the ZND the company issued itself, as well as what it actually holds in operational wallets).

Total verifiable assets drop from 805 million to about 240 million. Liabilities remain as they are.

A gap of half a billion euros. 530 million euros between what was promised to customers and what the company can document as held. This gap – in Variant B – corresponds exactly to the “customer cryptocurrencies” line that the auditor did not confirm.

I am not claiming at this point that Variant B is definitively true. I am claiming that Variant B is the balance-sheet correlate of the hypothesis that the reserves never existed. And that in Variant B, all the other observations – the auditors’ qualifications, the refusal to produce on-chain proof, the declaration of the ghost wallet from 2016, the proposal of a notarial affidavit instead of a transaction, the absence of an exchange tag on BitInfoCharts – become coherent. In Variant A, they are puzzles in need of explanation. In Variant B, they require none.

Let’s proceed. What changes in Variant B?

It changes the meaning of three balance-sheet lines, which in Variant A can still be defended as “ordinary business decisions” and in Variant B become channels through which customer deposits were extracted into the Kral structure.

Loans (121 million euros). In Variant A – normal receivables, liquidity management, intragroup lending to related entities “supporting the company regulatorily.” In Variant B – the only line of verifiable assets in which customer deposits could have been concealed. Laen 7, 75 million euros in cryptocurrency, unsecured, variable interest, maturing 2025 – under Variant B, this is an operation in which the company took part of a customer deposit (in crypto) and transferred it to a related entity, booking it on the assets side as a “receivable.” From an accounting standpoint – an asset. From a customer’s standpoint – their bitcoins are no longer on the exchange’s wallet; they are in someone’s private vault.

Platform (35.5 million euros). In Variant A – an intangible, amortized over ten years, capitalized IT costs. In Variant B – an item whose fair value cannot be verified, because it is an internally produced software. The company can book any IT expense against it (5.7 million euros in 2024, of which 3.89 million capitalized) and there is no market reference price to confirm that valuation. It is a bucket into which costs paid to Orion Software sp. z o.o. in Poland can be poured, and which reduces the risk of detection that customer money is leaving.

Investments in subsidiaries (21.8 million euros). In Variant A – participations in Orion Software, Zonda Token AG, ZND Ventures. In Variant B – jurisdictionally sealed value, brought into the group out of customer funds. Raising Orion Software’s capital from 5,000 zlotys to 3 million zlotys requires the payment of 700,000 euros. Those euros physically moved from Estonia to Poland, from one entity in the group to another. In the Polish KRS they appear as Polish-company statutory capital. On the consolidated balance sheet – consolidation zeroes them out (because it is the group to itself). But from a customer’s standpoint: the money moved from the regulated entity to the unregulated one.

If the assumption that the BTC was never there is correct, then these three lines together – 121 + 35.5 + 21.8 = 178 million euros – represent the entire value the company could build out of customer deposits, over three years, without having to disclose the balance-sheet gap. The gap remains – in Variant B, it is 530 million. But of those 530 million, 178 million have crystallized, in the balance sheet, as assets linked to the Kral group.

The remainder – the difference between 530 and 178 – is the gap the company does not acknowledge. Its reflection is visible in the drop of the hot wallet’s BTC balance to 0.086 BTC (per the Recoveris analysis, published by money.pl) and in the impossibility of customer withdrawals since April, 2026. That is what’s left when one stops believing that an asset unverified for six years exists simply because someone has written its value into a financial statement.

V. The Mechanics of the Ponzi: What Happened to Successive Deposits

The structure, the balance sheet, the terms of service – all of this stays on paper. But in real economic life, something simpler and more concrete happens every day. A customer deposits a bitcoin. Another customer withdraws a bitcoin. Somewhere in a server room in Tallinn, balances are updated. The exchange reports profits. The management raises its own compensation. Everything works.

Until, one day, it doesn’t.

The reconstruction I want to offer in this chapter is provisional – it is not a final determination, and finality in these matters belongs, in any event, to the court. But it is the only reconstruction consistent with all the data I’ve been able to gather from the balance sheets, the terms of service, the commercial registers, and the on-chain record. I’ll divide it into five phases.

Phase One – through the end of 2021. The gap forms. We do not know exactly when zondacrypto’s cryptocurrency assets ceased to fully cover its liabilities to customers. We know with certainty that no later than the balance-sheet date of December 31, 2021, the gap already existed – because the auditor Crowe DNW OÜ (Anton Mullo), in examining the statements for that year during 2022, disclaimed his opinion. A disclaimer was not a signal of minor doubt. It was a communication that, in the idiom of the audit profession, reads: we are unable to determine whether the assets of this company exist in the amounts declared. The 2021 financial statements disclose customer cryptocurrencies of 485 million euros. The auditor essentially rejected that figure in its entirety.

At that moment, the world price of bitcoin was at its all-time high – about $68,800 in November, 2021. It would have taken some 7,200 bitcoins to cover the entire declared stock of customer cryptocurrencies. Seven thousand bitcoins is a quantity a company operating billions in annual transactions should be able to evidence in the course of a single afternoon – by signing messages with the private keys to its operational wallets. That did not happen. The auditor did not receive such evidence. He disclaimed his opinion, and by that the company gained at least an additional twelve months to resolve the situation – or to camouflage it further.

The chronological precision of this moment is critical. On the balance-sheet date – December 31, 2021 – Sylwester Suszek had not been CEO for more than seven months. He stepped down in May, 2021. Which means that the state of the cryptocurrencies the auditor, in 2022, could not verify was a state inherited by the new management team in May, 2021, and sustained by them for seven months, until the books closed. The new management had seven months to, if there really were access problems with the predecessor’s keys, undertake corrective measures – to gather all the necessary information from the outgoing CEO, to reorganize the reserves, and to present them in the statements in a verifiable form. That did not happen. The 2021 financial statements, audited in 2022 – that is, already after Suszek’s disappearance in March, 2022 – were presented in such a way that the auditor had to disclaim his opinion.

In the light of the opening of this article, this observation carries two layers. In the first variant – where we accept Kral’s narrative as true (Suszek held the keys; he vanished with them) – Kral’s management had, from Suszek’s May, 2021 resignation to the balance-sheet date of December 31, 2021, a full seven months to take stock of the situation and its scale. It had another two to three months until Suszek’s disappearance on March 10, 2022 – a window during which Suszek was alive and could, in principle, have cooperated. It had further months until the auditor arrived to examine the 2021 statements. In all those windows, the management took actions aimed at a single end: presenting the statements in such a way that the gap would not be visible. It took no action aimed at the opposite end – transparently disclosing the problem. In the second variant – where Kral’s narrative is untrue – the situation is simpler: the gap already existed before Suszek’s departure, and it was being consistently camouflaged from that point forward by the present management.

In both variants – as I emphasized in the opening – the liability of the current management is unchanged. What differs is the initiating fact that begins that liability. But both variants share a common observation: from May, 2021 to this day, every decision about reporting, public communication, and the acceptance of new customers was a decision of Kral and his management, not of Suszek. Suszek did not adopt the December, 2024 terms of service. Suszek did not issue the “revolution in security” communiqué of April, 2026. Suszek did not explain the 76-million-zloty transfer to Kraken as market-making. Each of these decisions – regardless of what, exactly, the Kral management inherited – was an autonomous choice by the current leadership, made in full knowledge of the true state of the reserves.

The auditor for the 2021 statements (Anton Mullo, Crowe DNW OÜ) was replaced the following year by Assertum Audit OÜ (Sergei Tšistjakov). The replacement of an auditor in the year following a disclaimer is, within the audit profession, a practice whose meaning is unambiguous: the company is looking for a reviewer who will be less inquisitive. In zondacrypto’s case, the subsequent auditor proved to be not less, but comparably inquisitive – because he, too, issued qualifications for 2022 and 2023. Only the opinion for 2024 came back clean, in circumstances in which nothing about the substance of the case had changed.

Suszek’s disappearance on March 10, 2022 – a separate thread to which I refer here only for chronology. Suszek meets, at a gas station in Czeladź, a man known as Marian W., whom the Polish prosecutor’s office has since charged with unlawful deprivation of liberty (Article 189, § 1 of the Penal Code) in connection with Suszek’s disappearance, and who in a separate investigation faces charges related to what the press calls the “fuel mafia.” Around 3:08 p.m., Suszek’s phone signal goes dark. From that moment, he remains a missing person. Regardless of the circumstances of his disappearance – which is the subject of a separate criminal proceeding and not the topic of this article – it was the obligation of zondacrypto’s management, from that day onward, to safeguard the interests of the exchange’s customers, not to continue drawing them into a scheme that the disappeared founder could no longer either confirm or deny.

Phase Two – 2022–2024. The gap grows. Beginning in 2022, the financial statements begin to show lines that earlier statements did not contain. Intragroup loans grow – from 6.4 million in 2022 to 12.3 million in 2023 to 93.6 million in 2024. Management compensation explodes, from 42,000 euros to 169,000 to 815,000. Orion Software sp. z o.o.’s capital is raised – first in July, 2022, then in March, 2024, and again in July, 2024. The “customer-fund-use” liability rises from roughly 2 million in 2022 to 19 million in 2023 to 82.7 million in 2024.

The critical dynamic of this phase: liabilities to customers grow faster than verifiable reserves. Customers continue to deposit (the exchange has a million users, trading volume in the billions). New deposits flow in. Old deposits remain unwithdrawn – because the exchange continues to operate, withdrawals do happen, customers have no reason to panic. The net inflow remains positive.

A positive net inflow permits one thing: new deposits cover old withdrawals. Customer A comes for his bitcoin – the company pays him out from a wallet containing customers B, C, and D’s bitcoins. B, C, and D are not withdrawing at that moment, so the gap is invisible. A doesn’t know that he’s received someone else’s bitcoin. B, C, and D don’t know that their bitcoins are gone. The balance sheet is summarily in order, because the exchange’s accounting system operates on balances, not on individual units of crypto. Day in, day out, from month to month, the system runs.

There is a term for this mechanic, one that has appeared in American prosecutorial indictments hundreds of times. It comes from the name of Charles Ponzi, an Italian immigrant in Boston who, in 1920, promised investors a fifty-per-cent return in ninety days and who was, in fact, paying dividends to early participants out of the deposits of the next. The modern legal definition adds one word: a Ponzi scheme is a structure in which obligations to earlier participants are paid from deposits of later participants, rather than from real operational income. It functions as long as the inflow exceeds the outflow. The moment it ceases to – it ends.

From the classical Ponzi model, the mechanism I’m describing differs in one respect. Ponzi promised his participants fifty per cent. His participants were investors, who came seeking something more than what they put in. zondacrypto’s customers were not investors. They were using an exchange that, under its own terms, was only to hold their assets – promising nothing, investing nothing, delivering nothing. A zondacrypto customer was not seeking more than he put in. He was seeking the same as he left. That minimal expected invariance – known in the whole of Western financial civilization as a deposit – the company treated as operational capital.

Which brings us to the mechanism that distinguishes a Ponzi scheme based on fiat currency from a Ponzi scheme based on bitcoin. And this difference turned out, for zondacrypto, to be catastrophic.

An interlude – the price of bitcoin, 2021–2026. In November, 2021, the height of that year’s bull run, bitcoin cost about $68,800. In November, 2022, at the bottom of the bear market following the FTX collapse, it cost about $15,500 – a decline of 77 per cent. In December, 2024, during the next rally, it passed $93,000. In October, 2025, it reached an all-time high near $126,000. In April, 2026, at the moment of writing, it stands at about $75,000.

What do these numbers have to do with the Ponzi scheme at zondacrypto?

Everything. Because for a Ponzi based on fiat currency, the dynamic is linear. A dollar deposited yesterday is a dollar owed today. The only risk of the scheme is that of nominal flow – keeping new deposits above old withdrawals. For a Ponzi based on bitcoin, the dynamic is nonlinear and hostile to the perpetrator. A bitcoin deposited at $40,000 and subsequently demanded for withdrawal when bitcoin costs $80,000 is a bitcoin whose obligation, expressed in fiat, has doubled. If the company used that customer’s bitcoin to pay out an earlier customer, and now cannot buy a bitcoin on the market to replace it, the company’s fiat liability to that customer is, in effect, being funded out of zero. Every price increase of bitcoin after an obligation was incurred – is a deepening of the gap. Every withdrawal in a bull market – is a strike against reserves that the company cannot even replenish nominally, because it lacks sufficient cash.

The years 2022 to 2025 presented zondacrypto with exactly this dynamic. Bitcoin rose from $15,500 (November, 2022) to $126,000 (October, 2025) – an eightfold increase in three years. Every customer who deposited at $20,000 and wanted to withdraw at $100,000, to take a stylized example, was bleeding the company. Every withdrawal bled. Every bleed widened the wound. And at the end of that process – spread over five years – there remained a company with a hot wallet of 0.086 BTC, liabilities to customers of 722 million euros, and a statement about a cold wallet whose wallet, for nine years, nobody has controlled.

Phase Three – 2024. The ZND Token as Drip. In 2024, the existing dynamic begins to run out of room. Operating costs rise (IT 5.7 million, advertising 5.7 million, management compensation 815,000). Intragroup loans grow (Laen 7 – 75 million). The net inflow is probably diminishing (we lack precise data, but the fact that the company had to reach for a token emission suggests that ordinary financing was no longer enough). Above all – as we’ve just seen – the fiat gap in the liabilities grows with bitcoin’s price, which in November of that year passes $100,000.

In October, 2024, the company issued the ZND token. The emission raised 11.7 million euros in new cash. The 2024 statements reveal that income related to the token (19.5 million euros in the “muud äritulud” category) accounted for ninety-five per cent of other operating income of the group. Without the token, 2024’s balance sheet would have closed at a loss.

The ZND white paper, on page 28, requires that participation in the emission occur by the transfer of funds from zondacrypto to the ZND Platform. That is: customers who bought ZND were required to move their funds from one segment of the group to another. From a customer’s perspective – they remained in the same structure. From a balance-sheet perspective – their liability changed from “deposit” (cryptocurrency, owed 1:1) to “issuance” (token, owed according to a vesting schedule). The 2024 statements show a new line: “ZND tokeniga seotud kohustised” – 9.86 million euros. This is an obligation to deliver tokens that are today worth a fraction of that amount.

In other words – the ZND emission was not an additional line of business. It was a conversion of obligations. A customer who had a bitcoin worth 50,000 euros with the company, after the emission had ZND tokens of a book value of 50,000 euros, but a present market value of 125 euros (at a 99.75-per-cent price collapse). The company converted a real crypto obligation into a fictitious token obligation – and reduced its financial exposure by 99.75 per cent without having to pay the customer anything.

Two months after the token emission – on December 30, 2024 – the main terms of service acquired, for the first time in the platform’s history, the clause permitting “use by zondacrypto in its own name” of customer funds, described in Chapter III. The temporal coincidence is not accidental. A company that in October performed an emission converting part of its crypto liabilities into token liabilities, in December supplements its documents retroactively with a clause intended to legalize the use of the remainder. First the missing piece – a new money line. Second missing piece – a new documentary line. Both introduced in the same quarter, in the same logic.

Phase Four – 2025. Farming as Deepening. In July, 2025, the ZND Earn and Farming Terms take effect – I’ve discussed them above. Farming (Section 11 of the terms) is a mechanical extension of Earn, with this difference: the customer voluntarily consents to receive rewards in the ZND token, rather than in the original currency of his deposit. The terms (Section 13) promise, in exchange, a bonus – ten per cent for 50 per cent ZND payouts, twenty per cent for full.

From the customer’s standpoint, it looks like an option: you can, but you don’t have to. From the company’s standpoint, it is a mechanism of systematic obligation conversion. Every customer who accepts 100 per cent payouts in ZND reduces to zero the company’s obligation in real crypto. In exchange, he receives a promise of payout in a token the company issues out of thin air. From a balance-sheet standpoint – an ideal operation. From a customer’s standpoint – a loss of value.

Phase Five – spring, 2026. The End. From March, 2026, the hot wallet’s BTC balance drops to 0.086 BTC (analysis by Recoveris published by money.pl). Withdrawals are frozen. Support sends customers messages about a “malfunction in the automatic hot-wallet replenishment system” – which, in Ponzi mechanics, means the net inflow has turned negative and that old withdrawals can no longer be funded with new deposits. On April 6, Kral sets the restoration of withdrawals for April 12. On April 12 – withdrawals are not restored. On April 16 – the statement about the cold wallet of 4,503 BTC and the “Suszek-had-the-keys” narrative. Public on-chain verification takes one day. The address turns out to be a publicly known dormant wallet from March, 2016.

In this reconstruction, each phase follows from the one before it. Every step has its justification in growing liabilities and shrinking reserves. And every step leaves a mark on the balance sheet – not a direct mark (“we defrauded the customers,” which is nowhere in any chart of accounts), but an indirect one (“Laen 7,” “Orion Software capital,” “liabilities from customer-fund-use”). Those marks, read in sequence, compose a narrative whose only coherent explanation is the hypothesis of a Ponzi mechanism.

VI. Where, Exactly, the Money Went

The mechanism of the previous chapter is architecture. This chapter is accounting. Every Ponzi scheme leaves a trace in the books – not as the line item “we defrauded our customers,” which is in no chart of accounts, but as a combination of items that look innocent one by one, and that together compose an image one cannot give any reading but one.

The data – from the publicly available financial statements of BB Trade Estonia OÜ for the years 2022–2024.

Intragroup loans. Receivables on loans rose from 6.4 million (2022) to 93.6 million (2024) = 87 million euros of new loans in two years. Among them: Laen 7 (75 million, cryptocurrency, maturing 2025, unsecured) and Laen 6 (14.4 million, three currencies, maturing 2025). The borrowers – undisclosed in the statements, but the profile (variable interest, unsecured, currencies matching the group’s operations) points to related entities.

Prepayments (ettemaksed) to related entities. Grew from 39,000 (2022) to 8.3 million (2023) to 30.5 million (2024) = 30 million euros of cumulative prepayments made to the class “Olulise osalusega juriidilisest isikust omanikud” – legal entities holding significant ownership interest. Plainly: companies connected to the ultimate beneficial owner.

ZND Ventures OÜ – a case study of a single path. To illustrate what a specific transfer from BB Trade Estonia OÜ to a related entity looks like, let’s trace one in detail. ZND Ventures OÜ’s 2024 financial statements – prepared by a company wholly owned by BB Trade Estonia OÜ – reveal the following facts. The loan granted by BB Trade Estonia to ZND Ventures rose from 4,914,500 euros at year-end 2023 to 8,852,000 euros at year-end 2024 – 3,937,500 euros of fresh capital transferred in a single year. All loans are interest-free (“Perioodi arvestatud intress” is zero). This is not financing on market terms. It is a capital transfer between group companies, labeled as a loan.

And not only that. In December, 2024, per Note 6 of the financial statements, the sole shareholder of ZND Ventures – that is, BB Trade Estonia OÜ – decided to convert 2,500,000 euros of its receivable into capital reserve in the subsidiary (“2024. detsembris konverteeriti osa omanikult saadud laenu omakapitaliks – vabatahtlikuks reserviks”). The significance of this operation, from the standpoint of BB Trade Estonia’s own creditors – that is, zondacrypto’s customers – is unambiguous. It converted a liquid asset – a receivable that BB Trade could recover – into an illiquid one: a stake in a company whose total equity is 1,385 thousand euros against liabilities exceeding 8.9 million, with an annual loss of 885,000. Money that in principle could have returned to BB Trade and funded customer withdrawals was, in December, 2024, sealed inside a company without cash flow.

The substance of that company – ZND Ventures – is a separate thread worth briefly showing. Intangibles on the balance sheet at 10,263,774 euros, of which 7.49 million is a “tokenization platform” in operation, and 2.77 million is projects in progress. Revenue generated by that platform in 2024: 28,000 euros – entirely from related parties, zero from external customers. Employees: zero. All services are purchased from related parties – in 2023, 4,072,891 euros. The classic pattern: an intangible asset valued in millions on the basis of invoices from related parties, generating revenue exclusively from those parties, without any operational substance vis-à-vis the outside market.

And finally – the ZND Ventures OÜ auditor’s opinion contains an explicit going-concern qualification (“Tegevuse jätkuvusega seotud oluline ebakindlus”): short-term liabilities exceed current assets by about 8.8 million euros. The auditor noted additionally that the company did not provide a note on its loan obligations and did not cross-reference Note 8 in the balance sheet – that is, did not disclose the key information about intragroup financing terms. Another auditor in another group company signals that something cannot be verified. The BB Trade Estonia pattern repeats itself at ZND Ventures.

What this case illustrates in the broader picture. The prepayments and intragroup loans that I mentioned above as aggregates (30 million in ettemaksed, 93.6 million in loans) are not abstract numbers on a balance sheet. They are concrete streams that flow to specific companies, where they land as interest-free loans, are converted into capital, booked as investments in intangibles, and cease to be liquid. Customers’ money, by the time it reaches the destination of the path that leads through BB Trade Estonia’s balance sheet, becomes “tokenization platforms” with 28,000 euros of revenue, companies with zero employees and going-concern qualifications. When the customer asks “where is my money,” the answer is in Note 4 of ZND Ventures’ financial statements: it is in an intangible asset valued at 10.3 million euros, which in 2024 served customers for 28,000 euros of business. It is there. Just: recovering it requires realizing value from an asset that the statutory auditor cannot fully verify.

Orion Software sp. z o.o. capitalization. Statutory capital raised from 5,000 zlotys to 3,005,000 zlotys = 3,000,000 zlotys ≈ 700,000 euros paid in by BB Trade Estonia OÜ to the Polish company. Plus the “muud muutused” (other changes) item in the 2024 statements in the ownership-title-of-Orion-Software line, 6.3 million euros, from capital increase and supplementary reserve. Together – around 7 million euros of flow to the Polish operating company.

Management compensation. Three-year cumulative: 42,000 + 169,000 + 815,000 = 1,026,000 euros. For a group serving a million customers, this is, in balance-sheet scale, a modest figure. But on the scale of the cash that remained with the company (9.7 million euros at year-end 2024) – already 10.6 per cent. Ten per cent of available liquidity went to three people’s compensation.

IT costs shifted to subsidiaries. In 2024, BB Trade Estonia OÜ incurred IT costs totaling 5.7 million euros. Of that, 3.89 million capitalized as outlays on the platform – a balance-sheet item that allows cost spread over time, but does not reduce the real outflow of cash. Who provided these services? The statements don’t say explicitly, but the group structure points to two candidates: Orion Software sp. z o.o. (Poland, classification PKD 62.01.Z) and ZND.CO OÜ (Estonia, software company). The former has its seat in Katowice, Kral as its president, capital raised precisely during this period. The latter – zero employees, 10,000 euros of capital, but “designated” in the white paper as the software licensor for BB Trade Estonia OÜ. In practice – with a high degree of probability – Orion Software invoices BB Trade Estonia OÜ (or ZND.CO OÜ), and the payments accumulate in Poland as margin, which can then be paid out in the form of compensation or dividends.

Marketing paid in tokens. The “reklaam” item of 5.7 million euros in 2024 – of which, as Note 18 of the statements openly acknowledges, 2.36 million euros were paid in ZND tokens. Plus commissions 1.45 million euros (of which 1.30 million in ZND). Plus platform registration fees 153,000 euros in ZND. Together – 3.8 million euros of operating expenses “paid” with an asset issued by the company itself, without any actual cash outflow. Cash remained in the till, but the counterparty received a token that was quickly losing value – which generated additional selling pressure.

Summing up the identified flows of customer money in 2024:

• Loans to related parties (Laen 7 + growth in ettemaksed): 75 + 22 = 97 million euros
• Orion Software capital and related transfers: 7 million euros
• Platform costs that can be directed to subsidiaries: 89 million euros
• Management compensation: 8 million euros

This is about 108 million euros of outflow from the regulated entity to the Kral structure. In one year. Against total customer deposits of 722 million at year-end 2024.

That is the answer to the question at the center of this article.

VII. The Role of the ZND Token and ZND Farming in Obligation Conversion

In Chapters III and V, we’ve already identified the role of the ZND token in the group’s structure. Here let me sharpen it, because the Earn terms of July, 2025 allow a precise description of the mechanism.

A customer who participates in ZND Earn entrusts his cryptocurrencies to the company under a subscription plan of between 30 and 180 days, for which the company pays him a specified reward rate. The difference between Earn and Farming is not the structure of the service – it’s the form of reward. In Earn, the reward is in the original currency of the deposit (deposited bitcoin means reward in bitcoin). In Farming, the reward can be partially or fully converted into ZND. The terms provide as follows:

Section 11, paragraph 3: “Under the ZND Farming Service, the ZND User instructs zondacrypto to exchange part or all of the Rewards due him into Tokens.”

Section 13, paragraph 2: “The Bonus is paid to Users in Token, at an amount of: a) 10% of the value of all Rewards granted to the User during the entire Subscription Plan, in case of choosing the 50%-in-Token option; b) 20% of the value of all Rewards granted to the User (…) in case of choosing the 100%-in-Token option.”

Let’s now construct numerically what the customer intuits at the outset of this chapter. He deposits 1 BTC into the program for 90 days, at an annual rate of five per cent. The expected reward: 1 × 0.05 × (90/365) = 0.01233 BTC, which at the moment of contracting (BTC price ~60,000 euros) comes to about 740 euros.

Earn scenario (0% in Token): the customer receives 0.01233 BTC. The company is required to deliver a real bitcoin. Its balance-sheet obligation: 0.01233 BTC = 740 euros. After 90 days – satisfied.

Farming scenario (100% in Token, 20% bonus): the customer receives 740 euros of value in ZND (converted at the Current Rate from the date of exchange, per Section 11, paragraph 3), plus a bonus of 148 euros in ZND. Total: 888 euros of value at the moment of conversion. But value at the moment of delivery to the customer – uncertain, because the token loses value. The company’s balance-sheet obligation: not 740 euros in BTC, but an obligation to deliver tokens of 888 euros of value from the day of conversion. The company doesn’t have to deliver BTC. It has to deliver ZND.

From the balance-sheet standpoint of the company, the difference is fundamental. Under Earn, the company reduces its BTC reserves by 0.01233. Under Farming – it doesn’t. Instead, it issues from its “Ecosystem Incentives” pool (15 per cent of the token supply, managed by the company per the white paper, p. 30) the corresponding amount of ZND. This quantity of tokens, from the moment of issuance, enters active market circulation, where it is subject to valuation.

Key mechanism: the more customers choose Farming over Earn, the less real crypto the company has to hold in reserve. The 20-per-cent bonus is the incentive to choose Farming. The incentive is attractive to the customer at the moment of choice (because 888 euros looks better than 740 euros), but catastrophic at settlement (because 888 euros in a token that has lost 99 per cent of its value is really 8.88 euros).

The scale of this conversion is hard to estimate without access to the company’s internal data. But there are hints. Note 12 of the 2024 statements shows “ZND tokeniga seotud kohustised” at 9.86 million euros – these are obligations to customers for tokens not yet delivered (prepayments from emission) and tokens allocated but awaiting delivery per the vesting schedule. This item grew from 200,000 euros in 2023 to 9.86 million in 2024 – a fiftyfold increase in one year.

We have, then, a mechanism of dual function. Function one – the token emission draws in from customers 11.7 million euros of cash in 2024 (cash that reaches the company at the moment of purchase). Function two – Farming converts crypto obligations into token obligations, reducing exposure to real cryptocurrency and shifting the price risk to the customer. Both functions together compose what in Chapter V we called the “drip” – the mechanism of prolonging the Ponzi’s life, which without an inflow of new cash and conversion of obligations could not have covered customer withdrawals.

VIII. Kraken. The Physical Transfer

Up to this point I’ve been describing intragroup flows – money that moved from BB Trade Estonia OÜ to companies controlled by the same ultimate beneficial owner. Orion Software in Poland. ZND.CO OÜ in Tallinn. Laen 7 to an undisclosed borrower. Management compensation. Prepayments to related entities. All these streams shared a common feature: value was shifting within the Kral structure, from one pocket to another.

There is, however, one thread that does not fit the pattern, and that customers filing criminal complaints have raised. According to information documented in the complaints filed with the Polish National Prosecutor’s Office in Katowice, and in press coverage of zondacrypto’s problems, in the period immediately preceding the outbreak of the withdrawal crisis the company transferred cryptocurrency assets to the Kraken platform – one of the largest foreign cryptocurrency exchanges, operator Payward Ltd., based in the United Kingdom – in an amount exceeding 76 million zlotys. The transfer occurred at a time when zondacrypto customers were reporting en masse their inability to withdraw their own funds, and the company was simultaneously assuring the public of full solvency.

The company – in accounts fragments of which reached customer correspondence and the press – explained the transfer as “market-making activity.” The explanation, even on the most charitable reading, raises more questions than it answers.

First, the management’s defense is self-contradictory. In a statement on April 14, 2026, posted on X, Chief Executive Kral said: “Investing customer funds is not to be confused with liquidity management (market making).” The same company earlier, in correspondence with customers about the Kraken transfer, explained the operation as precisely “market-making activity.” Two successive defensive formulations of the company are mutually exclusive: if the transfer was market-making, then it was what Section 2, paragraph 7 of the terms of service effective July 19, 2025, prohibits (the exchange “does not engage in speculation on Cryptocurrency prices (…) and is not a so-called market maker”); if, on the other hand, it was not market-making but liquidity management, then the company contradicts itself, because the earlier communication was untrue. A defense that oscillates between two mutually exclusive propositions depending on its audience is not a defense. It is a stalling tactic.

Second – and this is an argument not so much contractual as structural – market-making on a cryptocurrency exchange is, by definition, not an activity conducted with customer assets. The industry standard, as analyses by MHC Digital Group and Hyrotrader describe the structure of the market-maker market, distinguishes two models: designated market maker (the project provides the animator with tokens in exchange for liquidity provision) and principal market maker (the animator operates on its own capital, assuming the full position risk). The first model has no application to an exchange operator that is not itself the issuer of the customers’ tokens; the second requires that the capital on which the animator operates be assigned to its own balance sheet, not to the custodial assets of customers. Using customer assets to carry on market-making is not an “aggressive interpretation” of that activity. It is its opposite – it is what, in the history of the cryptocurrency market, produced the collapse of FTX (the Alameda/FTX commingling that came to light in November, 2022) and the penalties imposed on Binance (commingling confirmed by the CFTC in July, 2023). If zondacrypto transferred customer assets to Kraken for purposes of “liquidity management,” it was conducting an activity that industry law classifies unambiguously as pathology.

Third – and this is the strongest argument in law, because it does not rest on a private document or an industry standard but on a directly applicable European Union regulation – this prohibition is codified in MiCAR. Regulation 2023/1114 (MiCAR), fully in force since December 30, 2024, in Article 70 prohibits crypto-asset service providers (CASPs) from conducting on-own-account activities in a manner conflicting with customer interests. Article 75, paragraph 7 further imposes a legal-segregation requirement of customer assets from the provider’s own assets: “The retained crypto-assets are legally separated from the crypto-asset service provider’s assets.” Customer assets, in the sense of this provision, are not part of the company’s balance sheet from which the company may conduct market-making – they are fiduciarily held property, which in the event of the CASP’s insolvency is not subject to execution on behalf of the company’s creditors. Article 76 of MiCAR adds an express ban on dealing on own account for trading-platform operators.

Reuse of customer assets under MiCAR is permitted only on a very narrow basis – with prior express consent of the customer and ex ante disclosures regarding risk. Tacit acceptance of terms under the “continued use = consent” regime, as I wrote in Chapter III, does not satisfy the criterion of express consent within the meaning of MiCAR. No interpretation of the December 30, 2024 terms meets the criterion of ex ante disclosures regarding risk connected with the specific Kraken operation.

Fourth – and this is a fact that independently fills in the picture – on July 16, 2025, the Estonian Financial Intelligence Unit (Rahapesu Andmebüroo, FIU) entered BB Trade Estonia OÜ on the list of entities that had not fulfilled regulatory obligations. The specific charge: failure to submit a statutory auditor’s report on own funds. The significance of this entry becomes fully visible only in the context of a defense based on market-making. A company that claims to be conducting market-making should have no difficulty producing a document confirming that it holds own capital sufficient to conduct such activity. That document was not produced. The Estonian regulator formally reprimanded the company for it. If the management maintains that the 76-million-zloty transfer came from own capital (because that is the only permissible narrative), it has no way to prove it – because it did not submit the report. And if the transfer did not come from own capital, it came from customer assets, which would make it a breach of MiCAR.

Fifth – the transfer of funds abroad in conditions of imminent insolvency, carried out at a time when creditors cannot obtain what is due to them, fulfills – depending on the mental state of those making the transfer – the elements of several crimes at once. Article 300, §§ 1 and 2 of the Polish Penal Code (frustration or reduction of creditor satisfaction in the face of imminent insolvency). Article 301, § 1 of the Penal Code (prejudice to creditors through the transfer of assets). In a situation in which the management knew – and must have known, because it had access to the financial statements and to customer-withdrawal data – that the company was approaching liquidity insolvency, the transfer of 76 million zlotys outside the group before the disclosure of problems is not an operational idea. It is a decision whose criminal-law assessment depends only on the establishment of intent.

We thus have a situation in which a single act – a 76-million-zloty transfer to Kraken – simultaneously: (a) breaches the company’s own terms of service (Section 2, paragraph 7 of July 19, 2025), (b) violates directly applicable Articles 70, 75, paragraph 7, and 76 of MiCAR, (c) fits within the elements of Articles 300–301 of the Polish Penal Code, (d) correlates in time with the company’s failure of a statutory reporting obligation to the Estonian FIU regarding own funds, (e) rests on a narrative internally inconsistent (“it was market-making” against “it was not market-making”). Each of these five arguments, independently, justifies a request for explanations. Together they constitute material that cannot be overlooked either in a supervisory proceeding before the Estonian Financial Supervision Authority or in a criminal proceeding before the Polish National Prosecutor’s Office.

IX. The Moment of Detaching ICEO. Why May, 2025 Matters

In every case in which a structure was designed in advance, there appears a date whose significance the perpetrators do not register at the moment of action – because at that moment it seems to them they are acting preventively, not evidentially. In the Kral group’s case, that date is May 14, 2025.

Until May 14, 2025, ZND.CO OÜ – the company that, per the white paper, was developing the ZND Platform software – had two shareholders: ZND Ventures OÜ (that is, BB Trade Estonia OÜ indirectly, after the January, 2024 buyout) at 50 per cent, and ICEO RED 0 OÜ at 50 per cent. The second shareholder is Wojciech Sroka’s company, the head of ICEO Group. The ZND white paper acknowledged this arrangement as a significant conflict of interest (p. 33): “the parties designing the Token and providing the technological layer of the Platform are interconnected.”

On May 14, 2025 – ZND Ventures OÜ bought out the entire ICEO stake. It now holds 100 per cent of the shares in ZND.CO OÜ. The transaction price is not disclosed in the register.

Why does this date matter?

For three reasons.

First, as evidence of prior knowledge. The buyout of ICEO from ZND.CO immediately preceded the submission of the MiCA CASP application. A CASP applicant has to show the supervisory authority a clean corporate structure, free of evident conflicts of interest. The management evidently knew that the pre-May, 2025 configuration was problematic for the application. It “cleaned it up” before filing. Cleaning up what one knew was a problem is knowledge of the problem.

Second, as a shift in the burden of evidence. Until May, 2025, ICEO RED 0 OÜ had access to internal documents of ZND.CO, including to the financial data underlying the software license agreements. After May, 2025 – it doesn’t. An investigation into past operations must include that pre-May, 2025 period, during which Sroka had visibility into ZND.CO’s conduct – documentation that today, after the buyout, may be harder to obtain, but which within ICEO Group should be present in corporate records.

Third, as a price signal. Per the rules of EU accounting, the purchase price of 50-per-cent shares in a related-party transaction should be determined on an arm’s-length basis and supported by an independent valuation. The ZND.CO balance sheet as of the end of 2024 showed assets of a modest scale – a small-capital company with no employees, licensing software. And yet the buyout was significant enough to warrant a separate operation and recorded in the register. Which means the transaction price must have been worth the trouble. An independent assessment – outside this article, which is the prosecutor’s task – would permit an estimate of the value of the software license the group had been paying at inflated prices to an external party in which the same person held a stake as also led a company within the group.

X. Synthesis. What Follows from the Whole

Let me now gather the observations from Chapters II through IX into a unified reconstruction of the path of customer money – admitting the possibility that the 4,503 BTC reserve never existed as an operational asset of the group.

Step 1. A customer deposits funds – fiat or crypto – to an account at zondacrypto.com. An obligation to the customer appears on BB Trade Estonia OÜ’s balance sheet. Under the main terms of service – those funds should be preserved in full for the customer.

Step 2. The funds are booked as “varud – krüptovääringud” on the balance sheet, without physical verification by the auditor (qualifications to the 2021, 2022, 2023 statements – issued successively by Crowe DNW OÜ and Assertum Audit OÜ in 2022, 2023, and 2024). Management proposes to the auditor a notarial affidavit in place of on-chain proof. The auditor declines. Management persists with the figure.

Step 3. Throughout the period 2018–2024, the exchange’s terms – in their successive BitBay, Pinewood, Zonda, and ZondaCrypto versions – contain no clause permitting the investment of customer funds. The model is consistently custodial: safekeeping on the customer’s behalf, nothing more. Only on December 30, 2024, does the main terms of service acquire, for the first time, a clause about “use by zondacrypto in its own name” of customer funds. That clause is inserted through tacit acceptance, with no individual notice – likely ineffective under Article 385¹, § 1 of the Polish Civil Code and Article 8, § 2 of the Electronic Services Act. On July 19, 2025, the clause is removed from the main terms and relocated to a separate Earn/Farming terms document.

Step 4. The company transfers part of the customer funds to a related party in the form of an unsecured loan – Laen 7, 75 million euros in cryptocurrency, maturing 2025. On the balance sheet it appears as an asset (a receivable). In reality – the cryptocurrency that originally belonged to customers is now at the disposition of an entity related to the ultimate beneficial owner. The transaction occurs in a period in which none of the then-applicable terms of service permitted such use of customer funds.

Step 5. Part of the customer funds – on a smaller scale but systematically – leaves in the form of ettemaksed to related parties (30 million euros in 2024), as capitalization of the subsidiary Orion Software (7 million in 2024), as management compensation (815,000 euros in 2024), as IT costs (5.7 million euros in 2024, of which a large portion to intragroup entities).

Step 6. The company launches the ZND token emission in October, 2024. 11.7 million euros of cash flow into the company from new customer deposits. These customers, to acquire the token, have to move their funds from zondacrypto to the ZND Platform – within the same group. From the standpoint of the terms – a voluntary transfer. From the standpoint of substance – a change in the nature of the obligation, from deposit to issuance.

Step 7. With the launch of Farming, customers are incentivized (a 10–20 per cent bonus) to convert their rewards from real cryptocurrencies into ZND tokens. Every conversion reduces the company’s exposure in real assets and increases its exposure in assets issued ex nihilo. At December 31, 2024, “ZND tokeniga seotud kohustised” reaches 9.86 million euros – a fiftyfold increase in the year.

Step 8. In the period immediately preceding the spring, 2026 withdrawal crisis, the company transfers assets exceeding 76 million zlotys to the Kraken foreign exchange, characterizing this as “market-making activity.” This transfer – in light of Section 2, paragraph 7 of the terms of July 19, 2025, which expressly prohibits the company from market-making activity – is either a breach of the company’s own terms or a concealed removal of assets outside the group structure in conditions of imminent insolvency (Articles 300–301 of the Polish Penal Code).

Step 9. The system functions as long as the net inflow of deposits is positive. Customers deposit more than they withdraw. Old withdrawals are covered from new deposits. The exchange reports profits. Management raises its own compensation. The capital of Orion Software in Poland grows. Everything is in place.

Step 10. Spring, 2026. The net inflow of deposits turns negative. External causes (a 40-per-cent correction in BTC price from the October peak of $126,000, a slowdown in the crypto market, MiCA regulatory pressure) and internal (growing rumors about the company’s problems) mean customers are withdrawing more than depositing. What is especially significant – even with a downward price correction, the fiat gap remains much larger than in 2022, because customers who deposited at $20,000 or $40,000 per BTC are now demanding to withdraw at $75,000 per BTC. The hot wallet’s BTC balance drops to 0.086 BTC. The company cannot cover the withdrawals, because its assets – apart from the unverifiable “customer cryptocurrencies” line – consist of uncollectible intragroup receivables, intangibles hard to realize, and shares in subsidiaries controlled by the same beneficial owner.

Step 11. The company issues the statement about the 4,503 BTC cold wallet, identifying the address 16aEn4p6hK4FMpLtJGpoQZMZ946sDg1Z6n. The address turns out to be a publicly known dormant wallet from March, 2016, without any trace of outgoing activity since. The company adds a narrative about keys held by Sylwester Suszek, missing since 2022. No part of the narrative is verifiable, and none explains why, over nine years, the wallet made not a single outgoing transaction in conditions in which the exchange was processing millions of operations.

At the end of that path the picture is the following. Liabilities to customers: 722 million euros. Verifiable cash: 9.7 million. Verifiable assets total: about 200 million. Unverified assets: 565 million (the “customer cryptocurrencies” line). Gap between liabilities and verifiable assets: 530 million euros.

If the 4,503 BTC from the cold wallet turn out to be a fiction – as, we’ve shown in Chapter IV, is the hypothesis most consistent with the totality of the evidence – customers are left with something like twenty-seven per cent coverage. And of those twenty-seven per cent, most is hidden in unsecured loans to related parties, in intangibles internal to the group, and in shares of subsidiaries whose execution will take years.

If the 4,503 BTC turn out to be true, the company is nonetheless unable to prove it, because the entire narrative rests on the keys of a missing person. Even the optimistic assumption gives customers no practical access to those funds.