Skip to main content

Sumsub

Active competitor

IDV + KYC/KYB + AML + fraud network detection. Deep crypto-industry penetration. IP-only geolocation — point-in-time onboarding, not session-level compliance.

sumsub.commaxim.mosinVerified 1mo ago
Compare
GlobalEUUSLATAMAPACCryptoFintechNeobanksiGamingMarketplace#new-verticals#p0#kyc#kyb#aml#idv#crypto-stack#ip-only-geo#compete

Detection scorecard

How Sumsub handles every spoofing technique we test for. Click any cell for findings.

Full matrix →
  • Detected
  • Partial
  • Missed
  • Not tested
CompetitorVPNProxyRemote accessFake GPS appGPS spooferEmulatorDevice farmJailbreak / RootResigned / tampered appSideload (PlayCover)Browser extensionMITM / replayTor

Strongest findings

Failed and partial test outcomes ranked for sales impact — what to lean on in a call.

No findings yet

Once tests land in updates/ with an outcome, they'll surface here.

All findings

Test results and intel tagged to Sumsub.

Operator
Threat
No findings on file for this competitor yet.

Battle card

Talking points for a live sales call.

Sumsub is a verification + ongoing monitoring platform combining device intelligence, IDV, fraud network detection, KYC, KYB, and AML screening. They are widely used in the crypto industry — the most active new vertical for GeoComply — as a full compliance stack for digital-asset exchanges and wallets. **Priority: P0** in the new-verticals set. The Sumsub + Chainalysis combination is becoming the de facto crypto compliance stack — and crypto exchanges may interpret Sumsub's IP-based location signal as "good enough" for geo-compliance. **The structural gap:** Sumsub's location capability is IP-only and point-in-time (at onboarding). GeoComply provides continuous, transaction-level location verification. A crypto user opening an account from behind a residential VPN passes Sumsub's location check; GeoComply flags them. This is the single clearest message for crypto prospects.

Watch out for

  • Deep crypto-industry penetration — most active GeoComply new vertical. Established as 'the' IDV/KYC stack alongside Chainalysis for blockchain analytics.
  • Best-in-class IDV: 200+ countries, 14,000+ document types supported. NFC chip reading, liveness/biometric matching.
  • Comprehensive AML: sanction/PEP screening, adverse media monitoring, transaction monitoring — full compliance stack.
  • Fraud network detection via graph analysis — identifies coordinated identity fraud (shared device networks, linked accounts, recycled document photos).
  • Strong integrations: Stripe, Fireblocks, Chainalysis — embedded in the dominant crypto compliance stack.
  • Webhook delivery + REST API + iOS/Android/Web SDKs.

How we win

  • IP-only geolocation — not multi-signal. No GPS, Wi-Fi, or Bluetooth location signals.
  • Point-in-time onboarding check, not session-level re-verification. KYC is run once; ongoing location enforcement is not.
  • No GPS spoofing detection.
  • No jurisdiction enforcement — produces risk score / flag only, not binary geo-fence enforcement.
  • No published VPN/proxy detection accuracy metric (vs GeoGuard 99.1% / 0% FPR, Kingsmead Security Sept 2025).
  • Onboarding-time address verification uses document address + IP correlation, not verified GPS — a crypto user behind a residential VPN passes the location check.
  • Compliance audit log is KYC/AML-focused (PDF reports), not court-defensible location logs the way regulated gaming requires.

Capability claims

What they say they do, grouped by category. Cross-check against the detection scorecard above — claims and tests don't always match.

Geolocation

How accurately and reliably the product determines a user's real location.

  • GPS / OS locationUses native device GPS or OS-level location services.
    Noverifiedstale

    No GPS sensor data used for location verification.

  • Wi-Fi triangulation
    Noverifiedstale
  • IP geolocation
    Yesverifiedstale

    IP-only. Used for onboarding address correlation + transaction-monitoring signals.

  • IP-change detectionContinuously monitors IP and re-runs geolocation on Wi-Fi ↔ cellular or VPN swap (GeoComply MyIP equivalent).
    Partialinferredstale
  • Boundary / state-lineHandles users moving across regulated boundaries during an active session.
    Noverifiedstale
  • Near-border accuracyMulti-point aggregation + buffer-zone handling near regulated borders; measured as pass rate at 250m.
    Noverifiedstale
  • Pre-login pre-check
    Partialverifiedstale

    Returns risk score / flag, not pass/fail compliance assertion.

  • Multi-jurisdictionSingle integration handling operators in multiple regulated states (GeoComply Multipass / Dynamic Boundaries equivalent).
    Noverifiedstale
  • Desktop plugin (PLC-class)Native desktop client / plugin required by PA, NJ, MS and most US iGaming regulators.
    Noverifiedstale
  • On-property BLE geofenceBluetooth Low Energy precision geofencing for tribal / on-property venues (PinPoint-class).
    Noverifiedstale

Anti-spoofing detection

Detection coverage for the spoof vectors tested by the Competitive Intelligence team. Cell values reflect SDK-level detection of the listed vector at the most recently tested operator.

  • VPN exit nodesDetects commercial VPN exit nodes (NordVPN, ExpressVPN, Surfshark, etc.).
    Partialinferredstale

    Device intelligence SDK includes VPN/proxy signals. No published accuracy metric.

  • Proxy / residentialDetects datacenter and residential proxies — the harder class of IP obfuscation.
    Partialinferredstale
  • Tor exits
    · Unknownrumorstale
  • Remote desktop (RDP)Detects AnyDesk, TeamViewer, FaceTime, Assistant, HopToDesk, iPhone screen mirroring, RustDesk and similar remote-control sessions.
    · Unknownrumorstale
  • Fake-location appsDetects iAnyGo / Fake GPS / mock-location apps on iOS and Android.
    Noverifiedstale
  • Hardware GPS spooferDetects HackRF / BladeRF and GPS-simulator-device signal injection.
    Noverifiedstale
  • Emulator / VMDetects Xcode iOS Simulator, BlueStacks, Genymotion and similar virtual environments.
    Yesverifiedstale

    Emulator flags in device intelligence SDK.

  • Device farm / VMOSDetects VMOS / virtualized Android device-farm environments used for multi-accounting.
    Yesverifiedstale

    Fraud network graph clusters device + identity across customer network.

  • Jailbreak / rootDetects jailbroken iOS, rooted Android (incl. Magisk hidden root), and Frida / runtime-hook tampering.
    Partialverifiedstale

    Tamper detection in SDK.

  • Resigned / tampered appDetects iOS apps that have been re-signed / Android apps that have been repackaged with injected code.
    · Unknownrumorstale
  • Sideload (PlayCover)Detects ARM-macOS iOS sideloading via PlayCover and equivalent hardware-abstraction loaders.
    · Unknownrumorstale
  • Browser extension spoofDetects Chrome / browser extensions that spoof location (Location Guard, Hola, etc.).
    · Unknownrumorstale
  • Session terminationTerminates session when location services are disabled mid-game or device leaves the jurisdiction.
    Partialinferredstale
  • MITM / replay attackResists network-level interception, request tampering, and replay attacks against the SDK ↔ backend channel.
    · Unknownrumorstale

Identity & KYC

Document verification, biometric liveness, sanctions screening.

  • Document scan / OCR
    Yesverifiedstale

    Document OCR + NFC chip reading. 14,000+ document types, 200+ countries — best-in-class.

  • Biometric liveness
    Yesverifiedstale

    Liveness + biometric matching.

  • Sanctions / PEP
    Yesverifiedstale

    PEP / SDN / sanction databases + adverse media monitoring.

  • AML / responsible gaming
    Yesverifiedstale

    Transaction monitoring + ongoing re-verification triggers.

  • Reusable identity
    Yesverifiedstale

Platform coverage

Which surfaces the SDK / product runs on.

  • iOS native
    Yesverifiedstale
  • Android native
    Yesverifiedstale
  • Web / browser
    Yesverifiedstale
  • React Native
    · Unknownrumorstale
  • Flutter
    · Unknownrumorstale
  • Unity
    · Unknowninferredstale
  • .NET / desktop
    · Unknownrumorstale
  • Server-side API
    Yesverifiedstale

    REST API.

Compliance & certification

Regulatory coverage and certifications.

  • US state-licensed (iGaming/sportsbook)
    Noverifiedstale

    Not a gaming-commission certified geo-compliance vendor.

  • US tribal / on-property
    Noverifiedstale
  • Canadian provincial
    Noinferredstale
  • European (MGA/UKGC)
    Yesverifiedstale
  • LatAm (Brazil SPA)
    Yesverifiedstale
  • SOC 2 Type II
    Yesinferredstale
  • ISO 27001
    Yesinferredstale
  • GLI-certified
    · Unknowninferredstale

Fraud & device intelligence

Device fingerprinting, IP intelligence, behavioral signals, account-takeover detection.

  • Device fingerprint
    Yesverifiedstale

    Device fingerprint + tamper detection in SDK.

  • IP intelligence DBMaintained DB of VPN / TOR / proxy / hijacked-residential IPs with documented refresh cadence (GeoGuard equivalent).
    Partialinferredstale

    IP signals used; no published database size.

  • Behavioral signals
    Partialinferredstale
  • Velocity / impossible travel
    Yesverifiedstale

    Transaction velocity monitoring.

  • Bot detection
    · Unknowninferredstale
  • Account takeover
    Partialinferredstale
  • Chargeback mgmt
    Noverifiedstale

Ops & integration

How easy the product is to integrate, observe, and operate.

  • Self-serve onboarding
    · Unknowninferredstale
  • Case management UI
    Yesverifiedstale

    Case management + compliance workflow exports (CSV, PDF audit reports).

  • Webhook delivery
    Yesverifiedstale

    Webhook delivery for real-time event triggers.

  • Real-time API
    Yesverifiedstale
  • Analytics dashboard
    Yesverifiedstale
  • Audit log export
    Partialverifiedstale

    KYC/AML audit PDFs. Not court-defensible location logs.

  • Encrypted responseDetection flag names hidden from the end user (GeoComply uses encrypted XML; most challengers expose JSON flag names).
    · Unknownrumorstale
  • SDK hardeningSDK is signed, obfuscated, and license-bound — not findable / patchable to inject coordinates client-side.
    · Unknowninferredstale

Commercial

Pricing model and go-to-market shape.

  • Usage-based pricing
    Yesinferredstale

    Per-verification pricing typical for IDV.

  • Flat license / enterprise
    Partialinferredstale
  • Free tier / trial
    · Unknowninferredstale
  • Publicly listed pricing
    Noverifiedstale
  • Bundled with platformGeo is bundled inside a broader platform deal (OpenBet, GeoLocs/Mkodo, Playtech).
    Yesverifiedstale

    IDV + KYC + AML + fraud bundled under one platform — primary commercial pitch.

P0 in the new-verticals set

Sumsub is the dominant KYC/AML stack in crypto — the most active new vertical for GeoComply. The risk in crypto deals is that prospects see Sumsub's IP-based location flag as "good enough" for geo-compliance, conflating KYC with jurisdictional compliance. They are not the same regulatory requirement.

Talking points for displacement / co-sell deals

  1. KYC is point-in-time; GeoComply is session-level. Sumsub verifies who you are at onboarding. GeoComply verifies where you are at every transaction. These are different compliance questions.
  2. Onboarding-time address verification uses document address + IP correlation, not verified GPS. A crypto user opening an account from behind a residential VPN passes Sumsub's location check while GeoComply would flag them. This is the clearest, most concise message for crypto prospects.
  3. Sumsub + Chainalysis is becoming the de facto crypto compliance stack. Build a clear integration story to embed GeoComply as the location layer in this ecosystem.
  4. The co-sell story is exceptionally strong: Sumsub verifies who you are (IDV + KYC) and monitors your transactions (AML). GeoComply verifies where you are at every transaction. Together they answer both regulatory questions: Is this person who they claim to be? Are they where they're allowed to transact?
  5. Crypto is the active battleground. Anticipate Sumsub appearing in every crypto/digital-asset evaluation. Default position: complement, not compete.

Where they overlap with GeoComply

  • Crypto exchanges + digital asset platforms — Sumsub is incumbent for KYC/AML, GeoComply is the location-compliance layer.
  • iGaming: Sumsub appears in iGaming operator KYC stacks; geo-compliance is a separate procurement.
  • Fintech / neobanks: shared evaluation funnel; Sumsub is the consolidated identity stack.

Open testing scope

  • Independent VPN/proxy detection benchmark — Sumsub has no published accuracy.
  • GPS spoofing detection — not applicable; Sumsub doesn't claim it.
  • Chainalysis integration map — understand where the location layer fits in the Sumsub + Chainalysis crypto stack.