Cyprus’s top financial regulator has moved to suspend the investment license of Conotoxia Ltd, widening a regulatory crackdown that first erupted in Poland last year and has since snowballed into a multinational compliance crisis.

The Cyprus Securities and Exchange Commission (CySEC) on Wednesday cited serious governance and shareholder suitability lapses at Conotoxia Ltd — a subsidiary of the troubled Polish fintech group behind currency exchange platform Cinkciarz.pl — suspending the company’s authorization to offer investment services, onboard new clients, or advertise.

The regulator pointed to breaches in board structure, shareholder vetting, and client asset protection, warning that Conotoxia’s current operations pose “risks to investor protection and market integrity.” The firm now has 30 days to patch up its governance framework or risk permanent revocation.

In an official announcement, CySEC said it was suspending the company’s authorization in full, under section 10(1) of Directive DI87-05, due to “suspicions of an alleged violation” of the country’s Investment Services Law of 2017. Conotoxia, registered under license number 336/17 and legal entity identifier (LEI) 213800HDYRDQAUPVMM26, was found to have potentially failed to meet key licensing conditions, particularly those tied to management structure, shareholder suitability, and organizational safeguards.”

This is the latest chapter in a saga that began last October, when Poland’s Financial Supervision Authority (KNF) revoked the payment license of Conotoxia Sp. z o.o., the Warsaw-based parent entity, citing serious failures in safeguarding customer funds. Since then, the fintech’s reputation has unraveled across Europe.

Polish prosecutors quickly followed the KNF decision with fraud charges, alleging that the company’s top brass misled investors and misused client funds. More than 2,000 consumer complaints were filed, and in early 2025, authorities froze hundreds of accounts linked to the firm. In July, the group’s chief accountant was detained in connection with a suspected 100 million złoty (~$25 million) fraud.

Conotoxia denied wrongdoing and responded by shuttering its Polish branch in February, redirecting business to its Cyprus hub — the very arm now under suspension. At the same time, the group launched a sweeping legal counteroffensive, accusing Polish regulators and domestic banks of orchestrating a “coordinated attack” to force the firm out of the market. The fintech claims over €350 million in damages and hinted at a U.S. class-action lawsuit.

Meanwhile, its consumer-facing websites — conotoxia.com and cinkciarz.pl — have gone offline, fueling speculation that the fintech’s European footprint is rapidly contracting.

CySEC’s intervention reflects growing scrutiny of so-called “passported” investment firms operating across EU borders. Regulators appear increasingly unwilling to tolerate governance breakdowns even in subsidiaries located far from the original misconduct.