Sumsub
Active competitorIDV + KYC/KYB + AML + fraud network detection. Deep crypto-industry penetration. IP-only geolocation — point-in-time onboarding, not session-level compliance.
Detection scorecard
How Sumsub handles every spoofing technique we test for. Click any cell for findings.
| Competitor | VPN | Proxy | Remote access | Fake GPS app | GPS spoofer | Emulator | Device farm | Jailbreak / Root | Resigned / tampered app | Sideload (PlayCover) | Browser extension | MITM / replay | Tor |
|---|
Strongest findings
Failed and partial test outcomes ranked for sales impact — what to lean on in a call.
No findings yet
Once tests land in updates/ with an outcome, they'll surface here.
All findings
Test results and intel tagged to Sumsub.
Battle card
Talking points for a live sales call.
Sumsub is a verification + ongoing monitoring platform combining device intelligence, IDV, fraud network detection, KYC, KYB, and AML screening. They are widely used in the crypto industry — the most active new vertical for GeoComply — as a full compliance stack for digital-asset exchanges and wallets. **Priority: P0** in the new-verticals set. The Sumsub + Chainalysis combination is becoming the de facto crypto compliance stack — and crypto exchanges may interpret Sumsub's IP-based location signal as "good enough" for geo-compliance. **The structural gap:** Sumsub's location capability is IP-only and point-in-time (at onboarding). GeoComply provides continuous, transaction-level location verification. A crypto user opening an account from behind a residential VPN passes Sumsub's location check; GeoComply flags them. This is the single clearest message for crypto prospects.
Watch out for
- Deep crypto-industry penetration — most active GeoComply new vertical. Established as 'the' IDV/KYC stack alongside Chainalysis for blockchain analytics.
- Best-in-class IDV: 200+ countries, 14,000+ document types supported. NFC chip reading, liveness/biometric matching.
- Comprehensive AML: sanction/PEP screening, adverse media monitoring, transaction monitoring — full compliance stack.
- Fraud network detection via graph analysis — identifies coordinated identity fraud (shared device networks, linked accounts, recycled document photos).
- Strong integrations: Stripe, Fireblocks, Chainalysis — embedded in the dominant crypto compliance stack.
- Webhook delivery + REST API + iOS/Android/Web SDKs.
How we win
- IP-only geolocation — not multi-signal. No GPS, Wi-Fi, or Bluetooth location signals.
- Point-in-time onboarding check, not session-level re-verification. KYC is run once; ongoing location enforcement is not.
- No GPS spoofing detection.
- No jurisdiction enforcement — produces risk score / flag only, not binary geo-fence enforcement.
- No published VPN/proxy detection accuracy metric (vs GeoGuard 99.1% / 0% FPR, Kingsmead Security Sept 2025).
- Onboarding-time address verification uses document address + IP correlation, not verified GPS — a crypto user behind a residential VPN passes the location check.
- Compliance audit log is KYC/AML-focused (PDF reports), not court-defensible location logs the way regulated gaming requires.
Capability claims
What they say they do, grouped by category. Cross-check against the detection scorecard above — claims and tests don't always match.
Geolocation
How accurately and reliably the product determines a user's real location.
- GPS / OS locationUses native device GPS or OS-level location services.○ Noverifiedstale
No GPS sensor data used for location verification.
- Wi-Fi triangulation○ Noverifiedstale
- IP geolocation● Yesverifiedstale
IP-only. Used for onboarding address correlation + transaction-monitoring signals.
- IP-change detectionContinuously monitors IP and re-runs geolocation on Wi-Fi ↔ cellular or VPN swap (GeoComply MyIP equivalent).◐ Partialinferredstale
- Boundary / state-lineHandles users moving across regulated boundaries during an active session.○ Noverifiedstale
- Near-border accuracyMulti-point aggregation + buffer-zone handling near regulated borders; measured as pass rate at 250m.○ Noverifiedstale
- Pre-login pre-check◐ Partialverifiedstale
Returns risk score / flag, not pass/fail compliance assertion.
- Multi-jurisdictionSingle integration handling operators in multiple regulated states (GeoComply Multipass / Dynamic Boundaries equivalent).○ Noverifiedstale
- Desktop plugin (PLC-class)Native desktop client / plugin required by PA, NJ, MS and most US iGaming regulators.○ Noverifiedstale
- On-property BLE geofenceBluetooth Low Energy precision geofencing for tribal / on-property venues (PinPoint-class).○ Noverifiedstale
Anti-spoofing detection
Detection coverage for the spoof vectors tested by the Competitive Intelligence team. Cell values reflect SDK-level detection of the listed vector at the most recently tested operator.
- VPN exit nodesDetects commercial VPN exit nodes (NordVPN, ExpressVPN, Surfshark, etc.).◐ Partialinferredstale
Device intelligence SDK includes VPN/proxy signals. No published accuracy metric.
- Proxy / residentialDetects datacenter and residential proxies — the harder class of IP obfuscation.◐ Partialinferredstale
- Tor exits· Unknownrumorstale
- Remote desktop (RDP)Detects AnyDesk, TeamViewer, FaceTime, Assistant, HopToDesk, iPhone screen mirroring, RustDesk and similar remote-control sessions.· Unknownrumorstale
- Fake-location appsDetects iAnyGo / Fake GPS / mock-location apps on iOS and Android.○ Noverifiedstale
- Hardware GPS spooferDetects HackRF / BladeRF and GPS-simulator-device signal injection.○ Noverifiedstale
- Emulator / VMDetects Xcode iOS Simulator, BlueStacks, Genymotion and similar virtual environments.● Yesverifiedstale
Emulator flags in device intelligence SDK.
- Device farm / VMOSDetects VMOS / virtualized Android device-farm environments used for multi-accounting.● Yesverifiedstale
Fraud network graph clusters device + identity across customer network.
- Jailbreak / rootDetects jailbroken iOS, rooted Android (incl. Magisk hidden root), and Frida / runtime-hook tampering.◐ Partialverifiedstale
Tamper detection in SDK.
- Resigned / tampered appDetects iOS apps that have been re-signed / Android apps that have been repackaged with injected code.· Unknownrumorstale
- Sideload (PlayCover)Detects ARM-macOS iOS sideloading via PlayCover and equivalent hardware-abstraction loaders.· Unknownrumorstale
- Browser extension spoofDetects Chrome / browser extensions that spoof location (Location Guard, Hola, etc.).· Unknownrumorstale
- Session terminationTerminates session when location services are disabled mid-game or device leaves the jurisdiction.◐ Partialinferredstale
- MITM / replay attackResists network-level interception, request tampering, and replay attacks against the SDK ↔ backend channel.· Unknownrumorstale
Identity & KYC
Document verification, biometric liveness, sanctions screening.
- Document scan / OCR● Yesverifiedstale
Document OCR + NFC chip reading. 14,000+ document types, 200+ countries — best-in-class.
- Biometric liveness● Yesverifiedstale
Liveness + biometric matching.
- Sanctions / PEP● Yesverifiedstale
PEP / SDN / sanction databases + adverse media monitoring.
- AML / responsible gaming● Yesverifiedstale
Transaction monitoring + ongoing re-verification triggers.
- Reusable identity● Yesverifiedstale
Platform coverage
Which surfaces the SDK / product runs on.
- iOS native● Yesverifiedstale
- Android native● Yesverifiedstale
- Web / browser● Yesverifiedstale
- React Native· Unknownrumorstale
- Flutter· Unknownrumorstale
- Unity· Unknowninferredstale
- .NET / desktop· Unknownrumorstale
- Server-side API● Yesverifiedstale
REST API.
Compliance & certification
Regulatory coverage and certifications.
- US state-licensed (iGaming/sportsbook)○ Noverifiedstale
Not a gaming-commission certified geo-compliance vendor.
- US tribal / on-property○ Noverifiedstale
- Canadian provincial○ Noinferredstale
- European (MGA/UKGC)● Yesverifiedstale
- LatAm (Brazil SPA)● Yesverifiedstale
- SOC 2 Type II● Yesinferredstale
- ISO 27001● Yesinferredstale
- GLI-certified· Unknowninferredstale
Fraud & device intelligence
Device fingerprinting, IP intelligence, behavioral signals, account-takeover detection.
- Device fingerprint● Yesverifiedstale
Device fingerprint + tamper detection in SDK.
- IP intelligence DBMaintained DB of VPN / TOR / proxy / hijacked-residential IPs with documented refresh cadence (GeoGuard equivalent).◐ Partialinferredstale
IP signals used; no published database size.
- Behavioral signals◐ Partialinferredstale
- Velocity / impossible travel● Yesverifiedstale
Transaction velocity monitoring.
- Bot detection· Unknowninferredstale
- Account takeover◐ Partialinferredstale
- Chargeback mgmt○ Noverifiedstale
Ops & integration
How easy the product is to integrate, observe, and operate.
- Self-serve onboarding· Unknowninferredstale
- Case management UI● Yesverifiedstale
Case management + compliance workflow exports (CSV, PDF audit reports).
- Webhook delivery● Yesverifiedstale
Webhook delivery for real-time event triggers.
- Real-time API● Yesverifiedstale
- Analytics dashboard● Yesverifiedstale
- Audit log export◐ Partialverifiedstale
KYC/AML audit PDFs. Not court-defensible location logs.
- Encrypted responseDetection flag names hidden from the end user (GeoComply uses encrypted XML; most challengers expose JSON flag names).· Unknownrumorstale
- SDK hardeningSDK is signed, obfuscated, and license-bound — not findable / patchable to inject coordinates client-side.· Unknowninferredstale
Commercial
Pricing model and go-to-market shape.
- Usage-based pricing● Yesinferredstale
Per-verification pricing typical for IDV.
- Flat license / enterprise◐ Partialinferredstale
- Free tier / trial· Unknowninferredstale
- Publicly listed pricing○ Noverifiedstale
- Bundled with platformGeo is bundled inside a broader platform deal (OpenBet, GeoLocs/Mkodo, Playtech).● Yesverifiedstale
IDV + KYC + AML + fraud bundled under one platform — primary commercial pitch.
Resources
Briefings, source docs, and external links.
Website (1)
Sumsub is the dominant KYC/AML stack in crypto — the most active new vertical for GeoComply. The risk in crypto deals is that prospects see Sumsub's IP-based location flag as "good enough" for geo-compliance, conflating KYC with jurisdictional compliance. They are not the same regulatory requirement.
Talking points for displacement / co-sell deals
- KYC is point-in-time; GeoComply is session-level. Sumsub verifies who you are at onboarding. GeoComply verifies where you are at every transaction. These are different compliance questions.
- Onboarding-time address verification uses document address + IP correlation, not verified GPS. A crypto user opening an account from behind a residential VPN passes Sumsub's location check while GeoComply would flag them. This is the clearest, most concise message for crypto prospects.
- Sumsub + Chainalysis is becoming the de facto crypto compliance stack. Build a clear integration story to embed GeoComply as the location layer in this ecosystem.
- The co-sell story is exceptionally strong: Sumsub verifies who you are (IDV + KYC) and monitors your transactions (AML). GeoComply verifies where you are at every transaction. Together they answer both regulatory questions: Is this person who they claim to be? Are they where they're allowed to transact?
- Crypto is the active battleground. Anticipate Sumsub appearing in every crypto/digital-asset evaluation. Default position: complement, not compete.
Where they overlap with GeoComply
- Crypto exchanges + digital asset platforms — Sumsub is incumbent for KYC/AML, GeoComply is the location-compliance layer.
- iGaming: Sumsub appears in iGaming operator KYC stacks; geo-compliance is a separate procurement.
- Fintech / neobanks: shared evaluation funnel; Sumsub is the consolidated identity stack.
Open testing scope
- Independent VPN/proxy detection benchmark — Sumsub has no published accuracy.
- GPS spoofing detection — not applicable; Sumsub doesn't claim it.
- Chainalysis integration map — understand where the location layer fits in the Sumsub + Chainalysis crypto stack.