Zondacrypto – The Exchange That Lent Your Money
“Client funds have been further invested.” This is not a line from an indictment. It is a sentence from the official financial statements of BB Trade Estonia OÜ — the operator of zondacrypto — filed with the Estonian commercial register and digitally signed by the exchange’s chief executive.
I. The Sentence That Changes Everything
The Estonian commercial register (ariregister.rik.ee) holds the consolidated annual reports of BB Trade Estonia OÜ, the company behind the zondacrypto cryptocurrency exchange. These are public documents, digitally signed by the members of the management board and subjected to independent audit. They are not secret. Anyone can download them.
In the 2024 annual report, in Note 12 (Võlad ja ettemaksed — Liabilities and prepayments), in the penultimate paragraph, the following sentence appears:
“Kliendi vahendid on edasi investeeritud nii lühi kui ka pikaaaliselt.”
In translation: “Client funds have been further invested both on a short-term and long-term basis.”
The document was digitally signed by Przemysław Janusz Kral, member of the management board, on July 29, 2025. The auditor’s opinion was issued by Sergei Tšistjakov (sworn auditor No. 481, Assertum Audit OÜ).
Now let us open the zondacrypto Terms and Conditions — the same document that every customer accepts upon registration — and read Section 8, paragraph 21:
“zondacrypto does not use Customer funds, whether in FIAT currencies or Cryptocurrencies, for its own account. These funds are held solely for the purpose of executing Customer orders. zondacrypto does not engage in any investment activity with respect to Customer assets, does not invest them, does not lend them, does not bet on them, and does not derive any economic benefit from them.”
Two documents from the same entity. One says: we do not invest, we do not lend. The other says: we invested. Both signed. Both publicly available.
This is not an unfair contract term. This is not an ambiguous privacy policy. This is a documented contradiction between the terms of service and the official financial statements, filed with a public register under penalty of criminal liability in Estonia.
II. Seventy-Five Million Euros of Your Cryptocurrency
The 2024 annual report, Note 9 (Laenunõuded — Loan receivables), item Laen 7:
| Item | Amount | Interest rate | Currency | Maturity |
|---|---|---|---|---|
| Loan 7 | €75,016,307 | Variable | Cryptocurrency | 2025 |
Seventy-five million euros. In cryptocurrency. At a variable interest rate. With a maturity date that has already passed.
For context: a year earlier, BB Trade Estonia OÜ’s total loan receivables stood at €12.3 million. In 2024 — €93.6 million. A 7.6-fold increase in a single year. Loan 7 alone accounts for eighty per cent of the total loan portfolio and more than ninety-two per cent of its year-on-year growth.
Who is the borrower? The report does not explicitly say. But Note 3 (Nõuded ja ettemaksed) discloses that “Muud nõuded summas 30 451 398 eurot on teostatud ettemaksed seotud osapoolele” — more than thirty million euros in prepayments to related parties. Note 24 (Seotud osapooled — Related parties) reveals that short-term receivables from related parties stand at €30.5 million, up from €8.3 million the year before. The parent company: Divisio Holding A.G., registered in Switzerland.
And the collateral securing this loan? The report states explicitly: “Osad laenud on antud tagatiseta” — some loans have been granted without collateral. The only collateral described is a €10 million mortgage (securing a smaller loan of €2.9 million) and 18 ETH (securing a loan of €334,000). Loan 7, at seventy-five million? No collateral is listed.
The exchange might argue that Loan 7 is funded through its ZND Earn product — under which customers voluntarily transfer ownership of their crypto assets for a fixed period in exchange for interest. But the numbers do not support this. Note 21 of the 2024 report shows interest income from Earn at €536,228, and Note 22 shows interest expense for the programme at €544,791. If seventy-five million euros in cryptocurrency had originated from Earn, the interest flows would be an order of magnitude larger. Earn is a fraction of Loan 7’s scale.
Step back for a moment and see this through the eyes of a customer. You deposited Bitcoin on zondacrypto. The Terms and Conditions promised your assets would be “held solely for the purpose of executing Customer orders.” Meanwhile — according to the official financial statements — your Bitcoin may have been lent to an unidentified party on variable terms, without collateral, with a repayment deadline that fell in 2025. And when, in April of 2026, you tried to withdraw, the hot wallet was empty.
Correlation is not causation. But the question is obvious: did the exchange fail to pay out client cryptocurrency because it had lent it?
III. How Much Did the Exchange Take from Its Customers?
The annual reports disclose a line item that is difficult to overlook: “kohustused seoses kliendi vahendite kasutamisega” — liabilities related to the use of client funds. This is the amount that the company itself reports as client funds it has used and owes back, above and beyond standard deposit obligations.
The 2022 report (Note 2) states: “kasutatud klientide raha summa on kokku 26 220 117 eurot.” The 2023 report (Note 12) puts the figure at €19,034,508. The 2024 report (Note 12) — €82,745,189.
| Year | Client funds used by the exchange (EUR) | Source |
|---|---|---|
| 2022 | 26,220,117 | Note 2, 2022 report |
| 2023 | 19,034,508 | Note 12, 2023 report |
| 2024 | 82,745,189 | Note 12, 2024 report |
A note on consistency: the 2023 report, presenting comparative data for 2022, shows the same line item at just €1,835,679 — more than fourteen times lower than the 2022 report’s own figure. Neither document explains the discrepancy. Two explanations are possible: a reclassification of balance-sheet items between reporting years, or a silent correction. Both are concerning — the first means that comparing data across reports is unreliable; the second means the company quietly altered the presentation of its obligations to clients.
Regardless of how one interprets the 2022 figure, the trend over the most recent two years — for which comparative data is internally consistent — is unambiguous: a rise from nineteen million to €82.7 million in a single year. More than fourfold.
The reports for 2022 and 2023 did not conceal the underlying practice. Note 2 of the 2023 report — and identically in the 2022 report — states explicitly: “Vastavalt kehtivatele kliendilepingu tingimustele on ettevõttel õigus kasutada klientide kontodel olevaid vahendeid. Ettevõte on antud võimalust kasutanud” — “In accordance with the applicable terms of the client agreement, the company has the right to use funds in client accounts. The company has exercised this right.”
Hold that sentence: “the company has the right to use funds in client accounts.” This is a statement from the financial report. Now return to the Terms and Conditions (Section 8, paragraph 21): “does not invest them, does not lend them.“
One nuance deserves notice. The financial statements invoke “kliendilepingu tingimused” — the terms of the client agreement — as the legal basis for using client funds. The Terms and Conditions (Section 8, paragraph 21) expressly prohibit it. If these documents are the same instrument, we have a contradiction within a single contract. If “kliendilepingu tingimused” refers to a separate document, we have a system in which one document publicly promises the client protection while another, perhaps less visible one, takes it away. Neither interpretation is favourable to the exchange.
IV. Three Years in Which the Auditor Could Not Confirm the Money Existed
This is the thread that no one analysing this matter can afford to skip.
2021 — the auditor declines to issue an opinion. Crowe DNW OÜ (sworn auditor Anton Mullo, No. 714) disclaimed its opinion (loobus arvamuse avaldamisest) due to scope limitations. This is the most serious signal an auditor can send — more serious than an adverse opinion, because it means: I cannot determine what is true.
2022 — qualified opinion (new auditor). Assertum Audit OÜ (Sergei Tšistjakov, No. 481) issued a qualified opinion (märkusega arvamus). The qualification had two bases. The first was formal: given the disclaimer on the 2021 statements, the auditor could not confirm the comparative data for the prior year. The second was substantive — and far more significant: cryptocurrency assets worth €155 million “are partly held by third parties (service providers) who do not issue retrospective confirmations or other relevant documentary evidence that could confirm the existence of these assets at a given point in time.” Blockchain systems in some cases “did not allow the retrieval of historical data or the determination of the exact amount held in a wallet at a given moment.”
2023 — qualified opinion again. This time, the auditor identified €172 million in cryptocurrency that had been “identified, but could not be tested to determine whether the group has substantive control over these assets.” Management proposed a notarial confirmation as a substitute for actual proof of control. The auditor did not accept this. Additionally, the auditor could not test €1.8 million in revenue due to limitations of the exchange’s information system.
2024 — clean opinion. The qualifications that had accompanied the reports for three consecutive years disappeared. The same auditor — Sergei Tšistjakov, of the same firm, Assertum Audit OÜ — issued an unqualified opinion. We do not know what changed — but the question is warranted: did the company resolve the problems the auditor had identified, or did it simply furnish documentation that the auditor had previously declined to accept?
A note: We do not claim that any of these audit opinions are improper. We describe a publicly available sequence: three years in which independent auditors were unable to confirm the exchange’s control over client cryptocurrency worth hundreds of millions of euros, followed by a year of clean opinion — issued by the same sworn auditor — followed by a liquidity crisis and a withdrawal freeze.
V. The Token Keeping the Exchange Alive
In October of 2024, zondacrypto issued its own token, ZND, on the Ethereum blockchain (ERC-20). Total supply: seven hundred million tokens. The pre-sale raised €11.7 million.
But the significance of ZND to the exchange’s financial statements extends far beyond the pre-sale. Note 16 of the 2024 report (Muud äritulud — Other operating income) reveals that ZND-related revenue totalled approximately €19.5 million — against total operating income of €26.6 million. The share: seventy-three per cent.
Put differently: three-quarters of zondacrypto’s operating revenue in 2024 came from a token that the company itself had created. Without ZND, the operating result would have been deeply negative. The business model of an exchange serving a million customers is sustained by an asset that — like any utility token without fundamental external demand — is structurally exposed to a collapse in value.
The exchange itself acknowledges in Note 18 that it used ZND tokens to settle a portion of its expenses: advertising paid in ZND — €2.36 million; commissions — €1.30 million; platform registration fees — €0.15 million. The token has become the exchange’s internal operating currency — which raises questions about the reliability of its market valuation.
VI. What the Board Earns While Customers Cannot Withdraw
Note 24 of the annual reports discloses board compensation:
| Year | Board compensation (EUR) | Year-on-year change |
|---|---|---|
| 2021 | 0 | — |
| 2022 | 41,825 | — |
| 2023 | 181,671 | 4.3× |
| 2024 | 824,847 | 4.5× |
From 2022 to 2024, board compensation increased twentyfold. During the same period, the company extended a €75 million unsecured loan in client cryptocurrency, auditors were unable for three consecutive years to confirm control over client assets, and in April of 2026 — months after the report was signed — the exchange stopped paying out.
VII. The Petrol Station in Czeladź
Every story has its beginning. This one starts on March 10, 2022, when Sylwester Suszek — the founder of BitBay, Poland’s first and largest cryptocurrency exchange — drove to a petrol station in Czeladź to meet a man whom prosecutors would describe as the suspected head of a criminal organization. Suszek’s phone pinged the station at 3:08 P.M. After that — nothing.
Suszek was no longer the C.E.O. by then. He had stepped down in May of 2021. The new chief executive was Przemysław Kral — the former head of legal, who had earlier been granted power of attorney over the founder’s personal assets. Suszek’s sister has said publicly that she believes he is dead. Poland’s National Prosecutor’s Office is investigating.
The circumstances under which Kral assumed control — holding a power of attorney over the assets of a person who vanished in circumstances linked to organized crime — raise questions that do not yet have public answers. We do not claim that these circumstances prove anything. We observe that, in ordinary commercial life, such a configuration would prompt questions from any compliance officer.
VIII. Twelve Years of Evasion
The history of BitBay and zondacrypto is the history of regulatory evasion in every jurisdiction the exchange has operated. Not through lawbreaking — through the exploitation of gaps.
Poland, 2014–2018
BitBay was founded in Katowice in 2014, served a million users, and processed roughly twenty billion dollars in annual volume — without any license. On February 5, 2018, the K.N.F. placed BitBay on its public warning list and filed a criminal notification with the prosecutor. The proceedings were discontinued — not because the activity was lawful, but because the elements of a criminal offense could not be established under the law as it then existed.
In June of 2020, TVN’s Superwizjer — Poland’s equivalent of “60 Minutes” — aired a documentary documenting the presence of individuals convicted of serious crimes in the ownership structure. The journalists reported being offered a million złoty to abandon the investigation; when they declined, the offers gave way to threats. BitBay disputed the findings and threatened legal action.
A note on sourcing: We report the findings of investigative journalists and the exchange’s response. Many of these claims have not been confirmed by a final court judgment.
Malta, 2018–2020
When the K.N.F. warning made Polish banking relationships untenable, the exchange relocated to Malta — “Blockchain Island.” The interest was enormous: eighty-three companies entered the transitory period, with industry giants including Binance publicly associating themselves with Malta’s regulatory brand.
The results: by April of 2020, fifty-seven of the eighty-three companies had neither submitted a letter of intent nor filed a cessation notice. Roughly seventy per cent evaporated. By August of 2021, the M.F.S.A. had issued just eleven V.F.A. licenses. Out of an estimated pipeline of over three hundred and forty firms — fewer than five per cent ultimately received a license. In July of 2021, the M.F.S.A. warned that Binance “is not licensed nor authorised by the MFSA.”
BitBay did not obtain a V.F.A. license. It left Malta before completing the process.
On June 23, 2021, the F.A.T.F. placed Malta on its list of jurisdictions under increased monitoring — the grey list. Malta became the first E.U. Member State ever to be grey-listed. The principal deficiencies: inaccurate beneficial-ownership data, “virtually no successful cases involving politically exposed persons.” The systemic A.M.L. failures existed in full during BitBay’s Malta tenure.
Estonia, 2020–present
BB Trade Estonia OÜ obtained one of fourteen hundred and forty-seven Estonian VASP licenses — issued in one to two weeks, to firms two-thirds of which shared the same registered address and seventy-five per cent of which had nominee board members. The fifteen largest VASP entities collectively employed twenty-seven people in Estonia. The F.I.U. Director described what he found during license-renewal reviews as “situations that would surprise every supervisor.”
When Estonia tightened requirements in March of 2022, roughly four hundred entities left the market within weeks. MONEYVAL confirmed that the VASP sector was “exposed to high ML and TF risks.” By May of 2025, only thirty-nine licenses remained valid. As of MONEYVAL’s December, 2025, report — no CASP licenses had been issued by the Finantsinspektsioon. Estonia remains on enhanced follow-up with twelve “partially compliant” ratings out of forty F.A.T.F. Recommendations.
IX. Tallinn — The City That Missed Two Hundred Billion Euros
Under the same Estonian licensing regime that governs zondacrypto, entities operated whose histories should serve as a warning to any regulator.
Danske Bank: The European Record
Between 2007 and 2015, approximately two hundred billion euros in suspicious transactions flowed through Danske Bank’s Tallinn branch. The Finantsinspektsioon conducted an A.M.L. inspection as early as 2007, finding deficiencies. In 2014, it identified “long-lasting, systemic violations.” The branch continued operating for another four years. The S.E.C. complaint confirms: “internal AML controls had failed” as early as 2007. The institutional picture: early detection, followed by prolonged supervisory passivity.
The aftermath: two billion dollars in U.S. forfeitures, four hundred and thirteen million to the S.E.C., five hundred million in Danish penalties, forced branch closure.
Garantex: A Room in a Law Firm
Garantex Europe OÜ held an Estonian VASP license. When the F.I.U. investigated, it found that in ninety per cent of cases the exchange had not verified its clients’ identities. When officers raided its “offices,” they found a single room provided by a law firm. The F.I.U. revoked the license on February 24, 2022 — yet Garantex continued operating. The U.S. Treasury sanctioned Garantex for facilitating more than a hundred million dollars in transactions linked to darknet markets and the ransomware group Conti. In March of 2025, the D.O.J. dismantled Garantex’s online infrastructure in coördination with Germany and Finland.
HashFlare: Five Hundred and Seventy-Seven Million from Tallinn
HashFlare raised more than five hundred and seventy-seven million dollars from four hundred and forty thousand investors. The platform operated at one per cent of its advertised mining capacity. In February of 2025, its founders pleaded guilty in the United States to fraud. Prosecutors appealed what they characterized as an “unusually lenient” sentence.
The Common Thread
In each of these cases, Estonian-registered entities exploited the gap between the country’s digital reputation and its supervisory capacity. The pattern: simplified registration creates the appearance of compliance; actual supervision proves insufficient; the crisis becomes visible only when foreign prosecutors intervene.
X. April, 2026 — The Day the Future Caught Up with the Past
On April 5th and 6th, 2026, money.pl and Wirtualna Polska published a Recoveris analysis: zondacrypto’s BTC reserves had fallen by 99.7 per cent — from 55.7 BTC in August of 2024 to 0.086 BTC. Transfers of approximately seventy-six million złoty to an unspecified exchange.
C.E.O. Kral declared forty-five hundred BTC in cold storage and set a deadline for restoring withdrawals: April 12th. As of this article’s publication — April 13th — no Proof of Reserves has been released, withdrawals remain frozen, and the National Prosecutor’s Office has expanded its investigation to encompass the reserve irregularities.
In the light of the annual reports, the question of where client cryptocurrency has gone acquires a concrete — and troubling — working hypothesis: the exchange may have lent it. This is not speculation. It is a logical inference drawn from three official documents: the Terms and Conditions (we do not lend), the annual report (we invested; Loan 7: €75 million in cryptocurrency), and the on-chain data (hot wallet nearly empty).
XI. The Question That Now Sounds Different
In recent weeks, we asked: who did a million people trust? An exchange with a missing founder, an unfinished license in Malta, an Estonian regulator that missed two hundred billion euros, and a history in which very little is certain.
The annual reports change the character of that question. We are no longer asking about trust. We are asking something more concrete: what did the exchange do with the money it promised only to hold?
The answer — in the exchange’s own words — is: it invested it. It lent seventy-five million euros in cryptocurrency. Without collateral. On variable terms. With a repayment deadline that has already passed.
Many of the facts presented in this article are the subject of pending proceedings. We do not prejudge anyone’s guilt or liability. But we note that the official financial statements of BB Trade Estonia OÜ — signed by the board, audited by a sworn auditor, filed with the Estonian commercial register — document practices that the Terms and Conditions of the same company expressly prohibit.
On July 1, 2026, every Estonian VASP license expires. Zondacrypto must secure a MiCA-compliant CASP authorization — or cease operations in the European Union. The window for effective legal action will not remain open indefinitely.
Robert Nogacki – licensed legal counsel (radca prawny, WA-9026), Founder of Kancelaria Prawna Skarbiec.
There are lawyers who practice law. And there are those who deal with problems for which the law has no ready answer. For over twenty years, Kancelaria Skarbiec has worked at the intersection of tax law, corporate structures, and the deeply human reluctance to give the state more than the state is owed. We advise entrepreneurs from over a dozen countries – from those on the Forbes list to those whose bank account was just seized by the tax authority and who do not know what to do tomorrow morning.
One of the most frequently cited experts on tax law in Polish media – he writes for Rzeczpospolita, Dziennik Gazeta Prawna, and Parkiet not because it looks good on a résumé, but because certain things cannot be explained in a court filing and someone needs to say them out loud. Author of AI Decoding Satoshi Nakamoto: Artificial Intelligence on the Trail of Bitcoin’s Creator. Co-author of the award-winning book Bezpieczeństwo współczesnej firmy (Security of a Modern Company).
Kancelaria Skarbiec holds top positions in the tax law firm rankings of Dziennik Gazeta Prawna. Four-time winner of the European Medal, recipient of the title International Tax Planning Law Firm of the Year in Poland.
He specializes in tax disputes with fiscal authorities, international tax planning, crypto-asset regulation, and asset protection. Since 2006, he has led the WGI case – one of the longest-running criminal proceedings in the history of the Polish financial market – because there are things you do not leave half-done, even if they take two decades. He believes the law is too serious to be treated only seriously – and that the best legal advice is the kind that ensures the client never has to stand before a court.
