Our latest digital forensics review uncovers new activity linked to Ajarpay, an obscure payment interface operating through domains such as pwa.ajarpay. Although it presents as a fintech front, closer inspection reveals it may be functioning as a shell layer for rerouted transactions—often masking the true origin of illicit payments.
This investigation draws on network telemetry, domain infrastructure analysis, and transaction metadata patterns, some of which intersect with suspected laundering infrastructure and suspicious IP flows in South Asia, including Pakistan.
🕸 Ajarpay’s Role: A Front-End Shell, Not a Real PSP
Ajarpay does not function like a traditional payment processor. Instead, it appears to serve as a frontend-only layer—a skin that gives off the appearance of a functioning PSP while re-routing traffic to hidden or unauthorized processors behind the scenes.
Signs of obfuscation include:
- Absence of public company registration, licensing, or team identification
- Mobile-first UX patterns mimicking checkout experiences
- URL paths like
/wallet,/topup, or/paynowthat imitate known payment brands - Use of “PWA” (progressive web app) design elements to avoid app store scrutiny
Most notably, the domain pwa.ajarpay appears in transaction logs from redirect-based gambling platforms, grey-market service sites, and affiliate payout bots.
🌍 Pakistan-Related IP Flows: Weak Links, Strong Signals
While no confirmed ownership or operation ties Ajarpay to Pakistan, its recurrence in network records involving rerouted transactions from pk-geo IP blocks raises alarms.
Key findings include:
- Logs showing inbound transaction events from Pakistani telecom ranges, bouncing through ajarpay endpoints before completing at offshore wallet destinations.
- Ajarpay-hosted scripts embedded in Telegram bots used for betting payouts and crypto top-ups, some explicitly labeled “PK safe route”.
- DNS behavior consistent with rotating gateway structures often seen in laundering routes that mask high-risk flows from blacklisted or geofenced regions.
These indicators suggest Ajarpay may be used not directly in Pakistan, but as a midpoint in laundering pipelines that receive, reroute, and disguise transactions originating in or targeting users from the country.
🚨 Risk Profile: Lightweight, Disposable, Dangerous
Ajarpay’s infrastructure is optimized for agility and obfuscation:
- Hosted on fast-deploy CDNs
- Short-lived subdomains (e.g.
pwa.ajarpay) that change frequently - Minimal footprint — designed to disappear if blacklisted
- No user support, refund policy, or institutional traceability
These characteristics match known patterns of pseudo-gateway nodes used in digital laundering chains.
✅ Recommendations
- Flag all activity involving ajarpay-related domains in transaction monitoring systems
- Treat pwa-based payment forms with no licensing info as high risk
- Investigate any rerouted flows involving Pakistani user metadata or telco IPs
- Collaborate with CERT teams and local fintech regulators to track clone wallets and shell pay interfaces
🧨 Conclusion
Ajarpay is not a conventional PSP. It is an interface layer, strategically placed in laundering chains to absorb, redirect, and obfuscate financial flows. While its link to Pakistan remains indirect, the presence of pk-geo IP interactions and spoof routing markers should be taken seriously.
Ongoing surveillance and deeper DNS/SSL fingerprinting may expose more of its infrastructure and associates.