Skip to main content

Radar

Active competitor

Retail-origin location platform pushing into iGaming via IC360 + DraftKings DFS NJ migration. Nine weeks of repeated spoofing failures across four operators. Also competing for ticketing — GC lost the Proof Serve POC to Radar.

radar.commaxim.mosinVerified 1mo ago
Compare
USCanadaEUGlobalDFSSweepstakesSportsbook (NJ DFS)RetailMobility#dev-first#ic360-geo360#mau-pricing#retail-origin#draftkings-dfs-nj#client-side-decisioning

Detection scorecard

How Radar handles every spoofing technique we test for. Click any cell for findings.

Full matrix →
  • Detected
  • Partial
  • Missed
  • Not tested
CompetitorVPNProxyRemote accessFake GPS appGPS spooferEmulatorDevice farmJailbreak / RootResigned / tampered appSideload (PlayCover)Browser extensionMITM / replayTor
Radar

Strongest findings

Failed and partial test outcomes ranked for sales impact — what to lean on in a call.

All findings

Test results and intel tagged to Radar.

Operator
Threat

Battle card

Talking points for a live sales call.

Radar is a retail-origin location platform (founded 2016) that entered iGaming geo-compliance in 2024. The wedge is MAU-based pricing (claimed 50–75% savings vs GeoComply), open-source SDKs on GitHub, aggressive comparison-page marketing ('best Xpoint / OpenBet / GeoComply alternative?'), and a white-label distribution channel through IC360's Geo360. The SDK release cadence (every 3 weeks–couple of months) is shifting from "where is the user" to "can we continuously trust this location" — IP-triggered re-validation, multi-signal decisioning, indoor / floor-level accuracy, BLE beacons, and a modular fraud architecture (v3.31.0, April 2026, even adds offline, server-disconnected geofence-event generation). **As of May 2026, DraftKings has moved its New Jersey DFS web product from GeoComply to Radar** — the Sportsbook and mobile apps stay on GeoComply, and testing is underway on whether dual-vendor introduces compliance gaps.

Watch out for

  • DraftKings DFS NJ (web) migrated to Radar (May 2026) — first major US live-traffic win.
  • Bet365 mobile uses Radar (confirmed April 2026) — XPoint web + Radar mobile dual stack.
  • MAU pricing — restructures the buyer's compliance-cost math at high volume.
  • Open-source SDKs (GitHub) and aggressive search-page marketing ('best <competitor> alternative').
  • Self-serve onboarding: signup → API key in <2 min, sandbox auto-provisioned.
  • Broadest SDK coverage among challengers: iOS, Android, Web, React Native, Flutter, Capacitor, MAUI, Cordova.
  • IC360 / Geo360 white-label gives indirect access to operators we don't see directly.
  • Released v3.31.0 (Apr 24, 2026): offline geolocation event generation, mid-outage geofence tracking, modular fraud architecture.
  • Oxylabs residential proxy + Location Guard extension combo blocked at Bet Saracen AR (May 19) — STATE_NOT_ALLOWED returned even with both layers pointing to in-state AR. Network-level check holds when stacked with state mismatch.
  • Cross-vertical reach: Radar is competing in ticketing fraud. GeoComply LOST the Proof Serve POC to Radar — note for the new-verticals competitive set as well. LexisNexis partnership (2025) also brings them into banking + fintech via ThreatMetrix.
  • AnyDesk + TeamViewer detection confirmed at Saracen AR (May 5) — but TeamViewer flipped to undetected on DraftKings DFS NJ retests (May 13–14).
  • iOS PlayCover sideloading detected at Bet365 MI, Fanatics TN, Bet Saracen AR (May 11) — reconfirmed at Bet365 MI on May 19.

How we win

  • GPS simulator: REPEATABLE bypass at Bet365 MI (May 19) — first login error, second login succeeded with no further checks. Restriction not re-applied on re-entry. Also bypassed FanDuel WV from Vietnam (Mar 24).
  • Bet365 NJ: Tailscale + RealVNC RDP undetected for 25+ minutes of continuous real-money betting (May 19, CIV-69).
  • DraftKings DFS NJ: full integration validation surfaced three independent failures (May 19, CIV-65) — RDP inconsistent (Zoom + AnyDesk undetected; TeamViewer flipped from blocked to undetected across consecutive retests); cross-border session lag of 100–150m past the PA→NJ line vs GeoComply 2–5m; generic 'Account Locked' messaging with no user guidance.
  • Resigned iOS app NOT detected at Bet Saracen AR (May 19, CIV-44) — modified iOS app placed bets from Michigan, unmodified app correctly blocked. Same gap previously confirmed at FanDuel WV (Mar 31). Detection earlier reported at Saracen on May 11 did not hold.
  • Rooted Android with hidden root (Magisk) NOT detected — confirmed at FanDuel WV (Mar 24, Mar 31, Apr 7) and Saracen AR (Apr 7). Allowed illegal cross-state bets from Tennessee.
  • VMOS device-farm detection is flaky — undetected at FanDuel WV on second attempt (Apr 7), then failed at Bet Saracen AR (May 11), but successfully detected at FD WV pending Android release (Mar 31).
  • Jailbroken root-hidden iOS NOT detected at Sleeper Sports, PrizePicks, Fliff (Apr 7) — three operators, one structural gap.
  • PlayCover on ARM macOS bypassed FanDuel WV (May 11) even though it was blocked at Bet365 MI, Fanatics TN, and Saracen AR — operator-integration-dependent.
  • Chrome browser extension (Location Guard) NOT detected at Underdog DFS (Apr 28) — undetected spoofing via a free browser plugin.
  • Border crossing: 1-minute grace period after entering a restricted zone at Underdog DFS (Apr 28); 100–150m post-border session lag at DraftKings DFS NJ (May 19).
  • Reactive state-selector logic at FanDuel WV — TN user initially verified on WV platform; misleading 'account sharing' error instead of regulatory message (Mar 31).
  • Proxy betting allowed at Radar — just asks the user to 'wait additional time' (Mar 31).
  • OK-border proximity: validation fails until 100m (iOS) / 220m (Android) from the line (Apr 14).
  • Static desktop verification failed at 1,750m from the OK border via public Wi-Fi (Apr 14). Threshold undetermined.
  • Mobile-hotspot incompatibility on Mac/Windows desktop (Apr 14).
  • Auto-launch on system startup without consent (Mac + Windows, Apr 14).
  • Mac 44% pass rate at 100m from the AR border; Windows users hit persistent lockout after a single failure with an atypical 'fraud_jumped_single_device' flag (May 5).
  • Pre-loaded Windows 'Remote Screen Sharing' triggers silent account restriction — false-positive RDP flag (May 5).
  • Radar Verify desktop app is Chrome-incompatible on Mac + Windows (Mar 24). Inconsistent across macOS 26.0.1 vs 26.3.1 and Chrome 146 vs 147 (Apr 14).
  • Generic 'Account Locked' / 'account security' messaging across BetSaracen + DraftKings DFS NJ — no diagnostic data for end users (Apr 14, Apr 28, May 19).
  • Device-counting logic flaw at Underdog DFS: every login recorded as a new device; breaks multi-account detection (Apr 28).
  • Open-source unobfuscated SDK with client-side compliance decisioning and GPS injection methods in the public API (May 5 monthly brief).
  • Publishable API key baked into app at build time — potential replay-attack surface (Mar 31).

Capability claims

What they say they do, grouped by category. Cross-check against the detection scorecard above — claims and tests don't always match.

Geolocation

How accurately and reliably the product determines a user's real location.

  • GPS / OS locationUses native device GPS or OS-level location services.
    Yesverified
  • Wi-Fi triangulation
    Yesinferredstale
  • IP geolocation
    Yesverifiedstale
  • IP-change detectionContinuously monitors IP and re-runs geolocation on Wi-Fi ↔ cellular or VPN swap (GeoComply MyIP equivalent).
    Partialverified

    v3.x adds IP-triggered re-validation per Radar SDK release analysis; depth in regulated contexts unverified.

  • Boundary / state-lineHandles users moving across regulated boundaries during an active session.
    Noverified

    DraftKings DFS NJ: ~100–150m post-border session lag crossing PA→NJ (vs GeoComply 2–5m); session-state issue carries prior-state restriction across the line. Underdog DFS: ~1 minute grace period after entering a restricted zone (Apr 28).

  • Near-border accuracyMulti-point aggregation + buffer-zone handling near regulated borders; measured as pass rate at 250m.
    Noverified

    DraftKings DFS NJ 100–150m lag (May 19). Saracen AR: Mac 44% at 100m; Windows persistent lockout after single failure with 'fraud_jumped_single_device' flag. No successful bet within 1km of AR border on Win+hotspot (Mar 24). OK border: validation fails until 100m iOS / 220m Android (Apr 14).

  • Pre-login pre-check
    Partialinferredstale

    trackVerified() returns signed JWT with passed boolean and failureReasons[].

  • Multi-jurisdictionSingle integration handling operators in multiple regulated states (GeoComply Multipass / Dynamic Boundaries equivalent).
    Noverified

    DraftKings DFS NJ session-state issue carrying prior-state restriction across the line (May 19). FanDuel WV: reactive state selector — TN user initially verified on WV platform (Mar 31). No Multipass / Dynamic Boundaries equivalent.

  • Desktop plugin (PLC-class)Native desktop client / plugin required by PA, NJ, MS and most US iGaming regulators.
    Partialverified

    Radar Verify exists but is Chrome-incompatible (Mac+Win), auto-launches without consent on startup, and breaks across macOS / Chrome point releases.

  • On-property BLE geofenceBluetooth Low Energy precision geofencing for tribal / on-property venues (PinPoint-class).
    Partialverifiedstale

    Roadmap signal: floor-level accuracy + BLE beacons added in v3.x — not yet a regulated-iGaming product.

Anti-spoofing detection

Detection coverage for the spoof vectors tested by the Competitive Intelligence team. Cell values reflect SDK-level detection of the listed vector at the most recently tested operator.

  • VPN exit nodesDetects commercial VPN exit nodes (NordVPN, ExpressVPN, Surfshark, etc.).
    Partialverified

    Enterprise Fraud module only; not on standard plan. Bet365 TN replay-attack passed (May 11).

  • Proxy / residentialDetects datacenter and residential proxies — the harder class of IP obfuscation.
    Partialverified

    Bet Saracen AR: Oxylabs residential proxy + Location Guard extension combo BLOCKED with STATE_NOT_ALLOWED (May 19) — network-level check held when stacked with state mismatch. But Radar historically allows proxy betting with a 'wait additional time' message (Mar 31).

  • Tor exits
    · Unknownrumorstale
  • Remote desktop (RDP)Detects AnyDesk, TeamViewer, FaceTime, Assistant, HopToDesk, iPhone screen mirroring, RustDesk and similar remote-control sessions.
    Noverified

    Bet365 NJ: Tailscale + RealVNC UNDETECTED for 25+ min of continuous bets (May 19, CIV-69). DraftKings DFS NJ: Zoom + AnyDesk UNDETECTED; TeamViewer blocked May 8 then UNDETECTED on retests May 13–14 (CIV-65). Bet Saracen AR positives (AnyDesk + TeamViewer blocked May 5) did not generalise. Pre-loaded Windows 'Remote Screen Sharing' fires false-positive silent account block (May 5).

  • Fake-location appsDetects iAnyGo / Fake GPS / mock-location apps on iOS and Android.
    Partialverified
  • Hardware GPS spooferDetects HackRF / BladeRF and GPS-simulator-device signal injection.
    Noverified

    Bet365 MI: hardware GPS simulator triggered an error on first login then was IGNORED on the second login attempt — repeatable bypass with real-money bets placed from TN (May 19, CIV-48). FanDuel WV: GPS simulator bypassed from Vietnam (Mar 24).

  • Emulator / VMDetects Xcode iOS Simulator, BlueStacks, Genymotion and similar virtual environments.
    · Unknownrumorstale
  • Device farm / VMOSDetects VMOS / virtualized Android device-farm environments used for multi-accounting.
    Partialverified

    VMOS detected once at FD WV (Mar 31) then UNDETECTED on second attempt (Apr 7) and UNDETECTED at Bet Saracen AR (May 11). Inconsistent.

  • Jailbreak / rootDetects jailbroken iOS, rooted Android (incl. Magisk hidden root), and Frida / runtime-hook tampering.
    Noverified

    Rooted Android (hidden root / Magisk) NOT detected at FD WV + Saracen AR. Jailbroken root-hidden iOS NOT detected at Sleeper, PrizePicks, Fliff.

  • Resigned / tampered appDetects iOS apps that have been re-signed / Android apps that have been repackaged with injected code.
    Noverified

    Bet Saracen AR: resigned iOS app placed bets from MI; unmodified app correctly blocked on the same account (May 19, CIV-44). FanDuel WV: same gap (Mar 31). The May 11 Saracen + Fanatics 'detected' result did not hold under the May 19 retest — gap evolved or detection was build-specific.

  • Sideload (PlayCover)Detects ARM-macOS iOS sideloading via PlayCover and equivalent hardware-abstraction loaders.
    Partialverified

    PlayCover ARM-macOS BLOCKED at Bet365 MI (May 11 + reconfirmed May 19), Fanatics TN (May 11 + May 19), Saracen AR (May 11); BYPASSED at FD WV (May 11).

  • Browser extension spoofDetects Chrome / browser extensions that spoof location (Location Guard, Hola, etc.).
    Partialverified

    Underdog DFS: Chrome extension (Location Guard) NOT detected — undetected spoofing via a free extension (Apr 28). BUT Bet Saracen AR: Oxylabs proxy + Location Guard combo pointing to in-state AR was BLOCKED with STATE_NOT_ALLOWED (May 19, CIV-44) — Saracen-specific positive on top of a Chrome-extension network signal.

  • Session terminationTerminates session when location services are disabled mid-game or device leaves the jurisdiction.
    Noverified

    Bet365 MI: GPS-simulator restriction triggered on first login was NOT re-applied on re-entry — session state effectively whitelisted the device (May 19). RSI BetRivers NJ analogue at XPoint: detection can be cleared by logout/login.

  • MITM / replay attackResists network-level interception, request tampering, and replay attacks against the SDK ↔ backend channel.
    Yesverified

    Bet365 TN replay-attack test: network-level attacks fully blocked. Minor visibility gap in verification flow but not exploitable in practice.

Identity & KYC

Document verification, biometric liveness, sanctions screening.

  • Document scan / OCR
    Noverifiedstale
  • Biometric liveness
    Noverifiedstale
  • Sanctions / PEP
    Noverifiedstale
  • AML / responsible gaming
    · Unknowninferredstale
  • Reusable identity
    · Unknowninferredstale

Platform coverage

Which surfaces the SDK / product runs on.

  • iOS native
    Yesverified
  • Android native
    Yesverified
  • Web / browser
    Yesverified
  • React Native
    Yesverifiedstale
  • Flutter
    Yesverifiedstale
  • Unity
    · Unknowninferredstale
  • .NET / desktop
    Partialverifiedstale

    Verify app exists; MAUI bindings unclear; macOS / Chrome version compat fragile.

  • Server-side API
    Yesverifiedstale

Compliance & certification

Regulatory coverage and certifications.

  • US state-licensed (iGaming/sportsbook)
    Partialverified

    BetSaracen AR + DraftKings DFS NJ (web, May 2026) + FanDuel WV + Bet365 mobile (multi-state) are the confirmed regulated US sportsbook/DFS deployments.

  • US tribal / on-property
    Noinferredstale
  • Canadian provincial
    Noinferredstale
  • European (MGA/UKGC)
    Noinferredstale
  • LatAm (Brazil SPA)
    · Unknowninferredstale
  • SOC 2 Type II
    Yesinferredstale

    Referenced in trust pages — verify before quoting.

  • ISO 27001
    · Unknowninferredstale
  • GLI-certified
    · Unknowninferredstale

Fraud & device intelligence

Device fingerprinting, IP intelligence, behavioral signals, account-takeover detection.

  • Device fingerprint
    Noverified

    Logic flaw: every login at Underdog DFS recorded as a new device — defeats multi-account detection.

  • IP intelligence DBMaintained DB of VPN / TOR / proxy / hijacked-residential IPs with documented refresh cadence (GeoGuard equivalent).
    Partialverifiedstale

    Enterprise plan only; no published DB size or refresh cadence.

  • Behavioral signals
    Noinferredstale
  • Velocity / impossible travel
    Partialverifiedstale

    Impossible-travel check listed as a trackVerified() signal.

  • Bot detection
    · Unknowninferredstale
  • Account takeover
    · Unknowninferredstale
  • Chargeback mgmt
    · Unknowninferredstale

Ops & integration

How easy the product is to integrate, observe, and operate.

  • Self-serve onboarding
    Yesverifiedstale

    Signup → key in <2 min, sandbox keys auto-provisioned.

  • Case management UI
    Noverifiedstale
  • Webhook delivery
    Yesverifiedstale
  • Real-time API
    Yesverifiedstale

    p50 50ms / p90 150ms; lightweight checks only.

  • Analytics dashboard
    Yesverifiedstale
  • Audit log export
    Partialinferredstale
  • Encrypted responseDetection flag names hidden from the end user (GeoComply uses encrypted XML; most challengers expose JSON flag names).
    Noverifiedstale

    trackVerified() returns signed JWT with passed boolean + visible failureReasons[]; client-side compliance decisioning surfaced in May 5 monthly brief.

  • SDK hardeningSDK is signed, obfuscated, and license-bound — not findable / patchable to inject coordinates client-side.
    Noverified

    Open-source unobfuscated SDK; publishable API key baked into app at build time; GPS injection methods exposed in public API.

Commercial

Pricing model and go-to-market shape.

  • Usage-based pricing
    Yesverifiedstale

    MAU-based pricing (vs per-transaction).

  • Flat license / enterprise
    · Unknowninferredstale
  • Free tier / trial
    Yesverifiedstale
  • Publicly listed pricing
    Yesverifiedstale
  • Bundled with platformGeo is bundled inside a broader platform deal (OpenBet, GeoLocs/Mkodo, Playtech).
    Partialverifiedstale

    White-labelled into IC360's Geo360 product suite.

Resources

Briefings, source docs, and external links.

Case study (1)

Drive doc (2)

Website (1)

Pricing (1)

News (1)

Drive folder (1)

Radar's failures are repeated, not one-offs

Across eight weekly syncs (Mar 24 → May 19, 2026), Radar produced compliance gaps at five different operators (FanDuel WV, Bet Saracen AR, Sleeper / PrizePicks / Fliff, Underdog DFS, Bet365 NJ + MI, DraftKings DFS NJ) for at least ten distinct spoof vectors (rooted hidden Android, resigned iOS, GPS- simulator with re-entry bypass, Tailscale-driven RDP, multi-tool RDP inconsistency, VMOS, PlayCover ARM-macOS, browser extension, jailbroken iOS, proxy betting, near-border lag). Treat the Radar matrix row as the operative competitive document — every cell is verified-by-test as of the listed date.

Confirmed gaming clients (May 2026)

OperatorSegmentMarketUse case
DraftKings DFSDFS (web only)NJ (May 2026)First US live-traffic migration off GeoComply. Full validation (May 19, CIV-65) surfaced RDP inconsistency, 100–150m cross-border lag, and generic 'Account Locked' UX.
Bet365 mobileSportsbook / iGamingUS multi-stateBet365 web → XPoint; mobile → Radar (confirmed April 2026). MI: GPS-simulator bypass on re-entry (May 19, CIV-48). NJ: Tailscale RDP undetected for 25+ minutes (May 19, CIV-69).
FanDuel WVSportsbookUS — WVEight weeks of repeated spoof failures.
Bet SaracenSportsbookUS — ArkansasRegulated sportsbook reference; PlayCover + resigned iOS detected, VMOS not detected.
Underdog FantasyDFSUS multi-stateChrome-extension spoof + device-counting flaw + 1-min border-crossing grace.
SleeperDFSUS multi-stateJailbroken root-hidden iOS not detected.
PrizePicksDFSUS multi-stateJailbroken root-hidden iOS not detected. Note: also Xpoint Lite client.
FliffSocial / sweepstakesUS multi-stateJailbroken root-hidden iOS not detected.
Ballers SportsbookSportsbookUS — licensed statesJurisdiction enforcement.
1/ST BETHorse racing / wageringUS multi-stateJurisdiction enforcement.
EveriGaming tech vendorUS multi-stateSDK embedded in vendor platform.
IC360 / Geo360Compliance vendor white-labelUS multi-stateRadar powers Geo360.
Estrella BetSportsbookBrazilConfirmed in Betting Hero's May 5 next-week scope.

Strategic direction — Radar SDK release analysis (April 2026)

Strategic direction is clear: shifting from "where is the user?" to "can we continuously trust this location?" Releases every 3 weeks to a couple of months. Notable: v3.31.0 (Apr 24, 2026) added on-device offline geolocation-event generation — when their backend is unreachable, the SDK generates geofence entry/exit events from cached data, tagged as offline. This is a watch point — we don't know yet whether offline-generated events satisfy regulatory requirements in gaming markets. GitHub monitoring is active.

Other axes of movement:

  • IP-triggered re-validation — location re-checked on network/IP change
  • Multi-signal decisioning — motion, device context, network alongside GPS
  • Indoor / vertical accuracy — floor-level detection on mobile + BLE beacons
  • Modular fraud architecture — plugin-based, allows rapid new detection logic

Talking points for displacement deals

  1. DraftKings DFS NJ moved (May 2026), but only the DFS web product. Sportsbook + mobile stayed on GeoComply. This is a partial-displacement template, not a wholesale loss — sales narrative is "we keep the high-stakes stuff."
  2. MAU vs per-transaction is not apples-to-apples. Operators with high-engagement players blow past MAU thresholds and lose the price advantage fast.
  3. Eight verified spoof failures across four operators is not a tier-down — it's a non-starter. Lead the conversation with the Radar matrix row.
  4. Near-border accuracy is missing. No successful bet within 1km of the AR border in testing (Mar 24); Mac 44% pass rate at 100m (May 5).
  5. Client-side compliance decisioning and an open-source unobfuscated SDK is the structural problem — even if specific gaps get patched, the architecture exposes detection logic to the player.
  6. IC360's Geo360 is the harder threat. Operators evaluating IC360 may not realise Radar is the engine — surface this in any account where IC360 is a vendor.

Open testing scope (carry-forward from weekly syncs)

  • Bet365 NJ full validation — follow up on the May 19 RDP gap (CIV-69)
  • Saracen AR (Radar Verify app) full revalidation — P0 for Betting Hero this week
  • Saracen AR — RAT (?), RDP follow-ups — Field Testing
  • Bet365 MI — full Radar / XPoint integration research — Betting Hero
  • GPS Simulator — Radar + XPoint (continuing)
  • PlayCover — FD WV (outlier follow-up)
  • Device farm VMOS — FD WV, Fanatics, BetRivers
  • Saracen AR: Remote Screen Sharing across Windows laptops, Residential VPN out-of-state, additional RDPs (VNC, MS Teams, RustDesk)