Xpoint
Active competitorDirect geo-compliance challenger. RSI DE deployed; FaceTime-RDP gap reproduced; Splash Sports planning to offload in June 2026.
Detection scorecard
How Xpoint handles every spoofing technique we test for. Click any cell for findings.
| Competitor | VPN | Proxy | Remote access | Fake GPS app | GPS spoofer | Emulator | Device farm | Jailbreak / Root | Resigned / tampered app | Sideload (PlayCover) | Browser extension | MITM / replay | Tor |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Strongest findings
Failed and partial test outcomes ranked for sales impact — what to lean on in a call.
- MISSED★ Pinned
XPoint / BetRivers PA: CIV-88 retest — FaceTime RDP sustained for 1 hour; Tailscale Mac-to-Mac RDP undetected
Follow-up to last week's CIV-88 advanced spoofing review on BetRivers Pennsylvania (XPoint): FaceTime screen sharing sustained a full hour of remote wagering from New Jersey onto an in-state iPhone in PA — sportsbook and casino bets placed continuously with no block. Tailscale Mac-to-Mac RDP via Finder screen sharing also failed detection — unattended full control of the in-state host, geolocation check passes against the host's PA position.
XpointRushStreet Interactive (BetRivers)
Remote access - MISSED★ Pinned
XPoint / BetRivers PA: Tailscale macOS RDP (unattended), Magisk mock-flag suppression, and FaceTime handoff undetected
Advanced spoofing review of BetRivers Pennsylvania (XPoint): two Macs on the same Tailscale account — Mac1 (out of state) gets full unattended control of Mac2 (in PA) via Finder screen sharing. Rooted Android with Magisk + a low-level module suppresses the mock-location flag before BetRivers reads it. FaceTime RDP requires local login + 2FA, then full remote control with no further local presence.
XpointRushStreet Interactive (BetRivers)
Remote accessJailbreak / Root - MISSED★ Pinned
XPoint / BetRivers PA: iOS RDP, Tailscale macOS RDP, and rooted Android mock location undetected; standard RDP + FLA blocked
Compliance analysis of BetRivers Pennsylvania (XPoint) surfaced three undetected attack paths: native iOS remote control via FaceTime and iPhone Mirroring (bets placed from an out-of-state operator on an in-state device), Tailscale combined with macOS native screen sharing, and rooted Android with concealed mock-location telemetry. TeamViewer, AnyDesk, HopToDesk, IP-change checks, Android fake-location apps, and a resigned iOS app were all compliant.
XpointRushStreet Interactive (BetRivers)
Remote accessJailbreak / Root - MISSED★ Pinned
XPoint / Bet365 NJ: macOS↔macOS RDP via Tailscale + Screen Sharing undetected
Using Tailscale to put two Macs on the same private network and macOS's built-in Screen Sharing to drive one from the other, the tester accessed Bet365 NJ from a different physical location and placed wagers. XPoint did not detect the remote session. Follow-up testing across Radar, OpenBet, and GeoComply-integrated clients has been requested.
Xpointbet365
Remote access - MISSED★ Pinned
Bet365 MI (Radar / XPoint): full competitive validation — near-border lag, FaceTime + Windows RDP undetected, UX recovery broken
Full Bet365 MI integration validation surfaced five distinct issues in a single test cycle: unreliable behaviour at 200–1,000 m from the Canadian border, an incorrect 'NJ-residents-only' jurisdiction prompt when crossing Detroit↔Canada, iOS FaceTime RDP undetected (MA → MI), Windows RDP undetected (MA → MI), and persistent app glitches after VPN detection that force a full restart. Multiple compliance and UX gaps across mobile + web layers.
Radarbet365
Near borderBoundary crossing - MISSED★ Pinned
XPoint / RSI BetRivers TN: GPS simulator fully undetected, MI casino bets from Tennessee
Hardware GPS simulator accessory went fully undetected on RSI BetRivers Tennessee (XPoint). Tester logged into the Michigan app from Tennessee and played a casino game with no errors or restrictions triggered.
XpointRushStreet Interactive (BetRivers)
GPS spooferFake GPS app
All findings
Test results and intel tagged to Xpoint.
- XPoint / BetRivers PA: CIV-88 retest — FaceTime RDP sustained for 1 hour; Tailscale Mac-to-Mac RDP undetectedFollow-up to last week's CIV-88 advanced spoofing review on BetRivers Pennsylvania (XPoint): FaceTime screen sharing sustained a full hour of remote wagering from New Jersey onto an in-state iPhone in PA — sportsbook and casino bets placed continuously with no block. Tailscale Mac-to-Mac RDP via Finder screen sharing also failed detection — unattended full control of the in-state host, geolocation check passes against the host's PA position.
- XPoint / BetRivers PA: Tailscale macOS RDP (unattended), Magisk mock-flag suppression, and FaceTime handoff undetectedAdvanced spoofing review of BetRivers Pennsylvania (XPoint): two Macs on the same Tailscale account — Mac1 (out of state) gets full unattended control of Mac2 (in PA) via Finder screen sharing. Rooted Android with Magisk + a low-level module suppresses the mock-location flag before BetRivers reads it. FaceTime RDP requires local login + 2FA, then full remote control with no further local presence.
- XPoint / BetRivers PA: iOS RDP, Tailscale macOS RDP, and rooted Android mock location undetected; standard RDP + FLA blockedCompliance analysis of BetRivers Pennsylvania (XPoint) surfaced three undetected attack paths: native iOS remote control via FaceTime and iPhone Mirroring (bets placed from an out-of-state operator on an in-state device), Tailscale combined with macOS native screen sharing, and rooted Android with concealed mock-location telemetry. TeamViewer, AnyDesk, HopToDesk, IP-change checks, Android fake-location apps, and a resigned iOS app were all compliant.
- Bet365 MI (Radar / XPoint): full competitive validation — near-border lag, FaceTime + Windows RDP undetected, UX recovery brokenFull Bet365 MI integration validation surfaced five distinct issues in a single test cycle: unreliable behaviour at 200–1,000 m from the Canadian border, an incorrect 'NJ-residents-only' jurisdiction prompt when crossing Detroit↔Canada, iOS FaceTime RDP undetected (MA → MI), Windows RDP undetected (MA → MI), and persistent app glitches after VPN detection that force a full restart. Multiple compliance and UX gaps across mobile + web layers.
- XPoint / Bet365 NJ: macOS↔macOS RDP via Tailscale + Screen Sharing undetectedUsing Tailscale to put two Macs on the same private network and macOS's built-in Screen Sharing to drive one from the other, the tester accessed Bet365 NJ from a different physical location and placed wagers. XPoint did not detect the remote session. Follow-up testing across Radar, OpenBet, and GeoComply-integrated clients has been requested.
- XPoint / RSI BetRivers NJ: Tailscale RDP fails detection in most cases, bypass-by-logoutXPoint fails to detect Tailscale-based remote access in most cases against RSI BetRivers NJ, allowing bets from a physically separate location. When detection did trigger it was inconsistent and easily bypassed by logging out and back in. Two attack methods confirmed — one requiring brief one-time approval, one fully unattended.
- XPoint / RSI BetRivers TN: GPS simulator fully undetected, MI casino bets from TennesseeHardware GPS simulator accessory went fully undetected on RSI BetRivers Tennessee (XPoint). Tester logged into the Michigan app from Tennessee and played a casino game with no errors or restrictions triggered.
- Reddit: two users publicly offer to spoof Bet365 XPoint Verify via MagiskFlorida user asked on Reddit how to spoof XPoint Verify. Two other users confirmed it is possible and offered help via Magisk. Worth investigating Magisk + XPoint Verify vulnerability.
- Splash Sports planning to offload XPoint in June 2026 — multi-state DFS gapSplash Sports is aiming to offload XPoint in June 2026. They have DFS game modes available in different states which XPoint requires them to handle themselves — XPoint has no Multipass equivalent and no Dynamic Boundaries equivalent.
- XPoint / RSI DE: FaceTime RDP undetected — MI user wagered on DE iOS deviceMichigan-based user placed remote wagers on a Delaware-localised iOS device via FaceTime RDP — both casino and sportsbook. Same gap previously confirmed in AZ. Cross-region structural failure, not an operator-specific bug.
- Xpoint: unsigned iOS SDK + findable SDK = client-side coordinate injectionSource analysis of the raw iOS + Mac Xpoint SDKs obtained in March: the iOS SDK is unsigned and findable. An attacker can patch the app to inject coordinates before every compliance check.
- Social signals (June 30): XPoint desktop/WiFi geo friction on BetRivers; GGPoker freeze flagged; DE boundary complaintJune 30 weekly social brief: since the XPoint migration, a recurring pattern of desktop/WiFi geolocation failures on BetRivers that do not appear on mobile — users blocked on home WiFi while cellular works. GGPoker/WSOP (former 888, XPoint) player reports location-related game freeze. App Store and Twitter complaints reinforce inconsistent geo UX; a Delaware user flagged invalid-location while physically in-state.
- Social signals (June 23): BetRivers XPoint geo friction on Reddit; KYC and support overload spikingJune 23 weekly social brief: no Reddit volume spike, but clear XPoint disapproval on BetRivers — PC geo failures, home WiFi blocked while cellular works. KYC verification failures (~every third r/betrivers post) and overloaded support (no email replies for days, multi-hour phone waits) are spiking. Full BetRivers report in progress.
- XPoint / bet365 MI + BetRivers MI: commercial RDP blocked pre-wager; RustDesk blocked at ~290 s interval check (install alone silent)Remote desktop retest on bet365 Michigan and BetRivers Michigan (XPoint): HopToDesk, AnyDesk, and TeamViewer all detected and blocked before a bet could be placed — a measurable improvement. RustDesk was blocked at the first interval check (~290 seconds / ~4.5 minutes) on both operators; prior launch-order lag was not reproduced. RustDesk is only flagged while actively running — not when merely installed.
- Social signals (June 16): World Cup flat; Bet365 geo volume down but same friction themes; KYC complaints +63%June 16 weekly social brief: FIFA World Cup has not increased overall feedback volume. Bet365 geolocation complaints dropped from 12 (older period) to 4 (recent period) but the BrowserGuard / plugin friction themes persist — mandatory third-party download, geo check wiping the betslip, location dropout during live betting. KYC complaints rose from 0.8 to 1.3 per day (+63%); KYC share of total signals jumped from 14% to 33%.
- XPoint / bet365 MI: RustDesk evades detection when launched after the geolocation client (launch-order flaw)XPoint fails to detect RustDesk on Windows and macOS if the remote-access tool is opened after the geolocation client is already running. Launching RustDesk first triggers an immediate flag; opening it mid-session let 50+ consecutive location checks pass, and detection only resumed after a manual client reboot — evidence of a one-time startup scan rather than real-time monitoring.
- Cross-operator: iOS PlayCover sideloading blocked at Bet365 MI, Fanatics TN, Bet Saracen AR ✓Desktop-based emulation of iOS applications via PlayCover is successfully restricted across all three tested operators. Bet365 and Fanatics neutralized the vector during authentication; Bet Saracen identified the unauthorized environment at the betting stage.
- Bet365 confirmed dual-stack: XPoint web + Radar mobileConfirmed in the April 7 weekly research: Bet365 runs XPoint on the web and Radar on mobile. Even the flagship XPoint reference is split across two geo providers.
- RushStreet (XPoint) Android review: kicked off during tournaments, lost moneyRushStreet (XPoint) Android Play Store review: 'I've been playing poker and lately it's been freezing up, losing location, and I've got kicked off and lost money on tournaments.'
- Reddit on Bet365 XPoint: wrong-state detection (MD→NJ), endless Verify install loopMarch 24 weekly: Bet365 (XPoint) generating strong negative signal — wrong-state detection (MD placed in NJ), endless XPoint Verify install loop on desktop, multiple posts explicitly naming the provider switch as the root cause.
Battle card
Talking points for a live sales call.
Xpoint is a gaming-focused geolocation company (Miami, FL; founded 2019) that positions itself as the modern alternative and second-source provider to GeoComply in North American iGaming and sportsbook. It is licensed in 20+ US states and Ontario, live in Brazil and the UAE, and operates the only credible challenger-tier desktop plugin (Xpoint Verify). The sales wedge is cost reduction via the patent-pending Trust Mode (~20% fewer checks on residential/office Wi-Fi), a developer-friendly auth model (clientKey per session at runtime, no license expiry, JWT response, automatic re-geolocation), and willingness to enter as a failover alongside Radar. **As of May 2026, Splash Sports is planning to offload XPoint in June 2026** citing missing multi-state DFS support — XPoint has no Multipass equivalent and no Dynamic Boundaries equivalent.
Watch out for
- Bet365 displacement (~2024) is a flagship reference for any Tier-1 evaluating second-source.
- RushStreet Interactive AZ migration (Jan 2026) — first confirmed live-traffic switch from GeoComply.
- RSI Delaware deployed across casino + sportsbook (April 2026).
- Only challenger with a PLC-class desktop plugin (Xpoint Verify), iOS + Android + macOS + Windows.
- Developer-friendly SDK: clientKey per session, JWT response, jurisdictionArea field returned in response (eases multi-state).
- Patent-pending Trust Mode resonates with operators counting per-check spend.
- Bet365 TN replay-attack: network-level attacks fully blocked (May 11) — MITM compliant.
- International ahead of us in Brazil and the UAE (Play971 — first regulated entity in UAE).
- Bet365 dual-stack confirmed: XPoint on web, Radar on mobile (Apr 7) — even in their flagship, geo is split.
How we win
- GPS simulator FULLY UNDETECTED at RSI BetRivers TN (May 19, CIV-48) — hardware GPS simulator went undetected, Tennessee tester logged into MI app and played a casino game with no errors or restrictions.
- Tailscale-driven RDP UNDETECTED at RSI BetRivers NJ (May 19, CIV-73) — fails detection in most cases. When detection triggers it's inconsistent and easily bypassed by logging out and back in. Two attack methods confirmed (one-time-approval + fully unattended). Third cross-region RDP failure on RSI (AZ + DE + NJ).
- FaceTime RDP NOT detected at RSI Delaware (Apr 7) — MI user wagered on DE-localised iOS device across casino + sportsbook. Same gap as previously confirmed in AZ — cross-region structural failure.
- Active session SUSPENDED at the DE-MD border before any spoofing attempt was made (Apr 7) — over-aggressive boundary enforcement.
- Near-border performance considerably lower than GeoComply: inconsistent pass/fail points + erroneous failures even when moving away from the boundary (Apr 7). Reported ~22% pass rate at 250m vs GeoComply's 90.2%.
- Static/mobile toggling requirement creates major UX friction near MD + DE borders, vs GeoComply's seamless PA experience (Apr 7).
- macOS installation requests access to documents folder — known security concern (Apr 7).
- False positive: AnyDesk installed (but not actively running) blocks betting on Xpoint Verify (Apr 7) — operationally expensive support load.
- Mac CPU 1-minute interval spikes from 0.5% → 16% during poker gameplay (Apr 7).
- Splash Sports is planning to offload XPoint in June 2026 (Apr 7, reconfirmed Apr 14) — XPoint has no Multipass / multi-state DFS equivalent, no Dynamic Boundaries equivalent.
- Unsigned iOS SDK + findable SDK (raw iOS + Mac SDKs obtained, Mar 24): an attacker can patch the app to inject coordinates, placing the user inside a permitted jurisdiction BEFORE every compliance check.
- Compliance decisions + raw coordinates returned in plaintext to the client with a public GPS injection method (May 5 monthly brief).
- Magisk bypass publicly discussed on Reddit (Bet365 Florida user, Apr 7 + Apr 14) — two users offered help.
- Bet365 (XPoint web) ongoing social signal: wrong-state (MD→NJ), endless install loop, app freeze + bet slip erasure, '1-star verification is trash', delete-and-reinstall every session.
- RushStreet (XPoint) poker users report losing money on tournaments after freezes / location loss / kick-off.
Capability claims
What they say they do, grouped by category. Cross-check against the detection scorecard above — claims and tests don't always match.
Geolocation
How accurately and reliably the product determines a user's real location.
- GPS / OS locationUses native device GPS or OS-level location services.● Yesverified
Native iOS / Android SDK; WiFi + GPS + IP + Cellular signals only.
- Wi-Fi triangulation● Yesinferredstale
- IP geolocation● Yesverifiedstale
- IP-change detectionContinuously monitors IP and re-runs geolocation on Wi-Fi ↔ cellular or VPN swap (GeoComply MyIP equivalent).· Unknownrumorstale
No built-in MyIP-equivalent service confirmed in SDK comparison.
- Boundary / state-lineHandles users moving across regulated boundaries during an active session.◐ Partialverified
RSI DE: active session suspended simply by crossing DE-MD border before any spoofing — over-aggressive enforcement. BetRivers tribal-border failures previously observed.
- Near-border accuracyMulti-point aggregation + buffer-zone handling near regulated borders; measured as pass rate at 250m.◐ Partialverified
Reported 22% pass rate at 250m vs GeoComply 90.2%; inconsistent pass/fail at RSI DE with erroneous failures even moving away from the boundary.
- Pre-login pre-check● Yesinferredstale
- Multi-jurisdictionSingle integration handling operators in multiple regulated states (GeoComply Multipass / Dynamic Boundaries equivalent).◐ Partialverified
jurisdictionArea field returned in response — useful for multi-state operators. BUT no Multipass / Dynamic Boundaries equivalent — Splash Sports planning to offload June 2026 over multi-state DFS gap.
- Desktop plugin (PLC-class)Native desktop client / plugin required by PA, NJ, MS and most US iGaming regulators.● Yesverified
Xpoint Verify exists across iOS / Android / macOS / Windows — but Chrome-incompatible, manual launch every restart, ~30% CPU idle on Windows, 1-min CPU spikes to 16% on Mac during poker, macOS install requests Documents folder access.
- On-property BLE geofenceBluetooth Low Energy precision geofencing for tribal / on-property venues (PinPoint-class).○ Noverifiedstale
No PinPoint-equivalent BLE geofencing product.
Anti-spoofing detection
Detection coverage for the spoof vectors tested by the Competitive Intelligence team. Cell values reflect SDK-level detection of the listed vector at the most recently tested operator.
- VPN exit nodesDetects commercial VPN exit nodes (NordVPN, ExpressVPN, Surfshark, etc.).◐ Partialverified
Detects commercial VPN; depth unverified vs GeoGuard's 310M+ IP DB.
- Proxy / residentialDetects datacenter and residential proxies — the harder class of IP obfuscation.◐ Partialinferredstale
- Tor exits· Unknownrumorstale
- Remote desktop (RDP)Detects AnyDesk, TeamViewer, FaceTime, Assistant, HopToDesk, iPhone screen mirroring, RustDesk and similar remote-control sessions.○ Noverified
RSI BetRivers NJ: Tailscale RDP fails detection in most cases; when triggered, easily bypassed by logout/login. Two attack methods confirmed (May 19, CIV-73). RSI DE: FaceTime RDP NOT detected (Apr 7). RSI AZ: same gap previously. Third cross-region failure. False positive: AnyDesk installed (not running) silently blocks betting.
- Fake-location appsDetects iAnyGo / Fake GPS / mock-location apps on iOS and Android.○ Noverified
FLA on Android undetected; previously-blocked GeoComply account no longer blocked once XPoint took over.
- Hardware GPS spooferDetects HackRF / BladeRF and GPS-simulator-device signal injection.○ Noverified
RSI BetRivers TN: hardware GPS simulator FULLY UNDETECTED — MI casino bets played from TN with no errors or restrictions (May 19, CIV-48). Unsigned iOS SDK + findable SDK allows coordinate injection before every compliance check; public GPS injection method exposed (Mar 24).
- Emulator / VMDetects Xcode iOS Simulator, BlueStacks, Genymotion and similar virtual environments.· Unknownrumorstale
Marketing claims emulator detection (BlueStacks, Genymotion). No internal test on file — research priority.
- Device farm / VMOSDetects VMOS / virtualized Android device-farm environments used for multi-accounting.· Unknownrumorstale
Not yet tested.
- Jailbreak / rootDetects jailbroken iOS, rooted Android (incl. Magisk hidden root), and Frida / runtime-hook tampering.○ Noverified
Rooted Android (hidden root) allowed through to bet placement at BetRivers — account previously blocked by GeoComply was no longer blocked once Xpoint took over.
- Resigned / tampered appDetects iOS apps that have been re-signed / Android apps that have been repackaged with injected code.○ Noverified
Unsigned iOS SDK can be patched to inject coordinates — major SDK vulnerability.
- Sideload (PlayCover)Detects ARM-macOS iOS sideloading via PlayCover and equivalent hardware-abstraction loaders.● Yesverified
Bet365 MI PlayCover sideloading neutralised during authentication.
- Browser extension spoofDetects Chrome / browser extensions that spoof location (Location Guard, Hola, etc.).· Unknownrumorstale
- Session terminationTerminates session when location services are disabled mid-game or device leaves the jurisdiction.◐ Partialinferredstale
- MITM / replay attackResists network-level interception, request tampering, and replay attacks against the SDK ↔ backend channel.● Yesverified
MITM tests partially completed — Xpoint blocks the requested vectors. Bet365 TN replay-attack: network-level fully blocked. Some test cases pending re-run.
Identity & KYC
Document verification, biometric liveness, sanctions screening.
- Document scan / OCR○ Noverifiedstale
- Biometric liveness○ Noverifiedstale
- Sanctions / PEP○ Noverifiedstale
- AML / responsible gaming○ Noverifiedstale
- Reusable identity· Unknowninferredstale
Platform coverage
Which surfaces the SDK / product runs on.
- iOS native● Yesverifiedstale
- Android native● Yesverifiedstale
- Web / browser● Yesverifiedstale
Browser-based check via Xpoint Verify app; does not work on Chrome.
- React Native· Unknownrumorstale
- Flutter· Unknownrumorstale
- Unity· Unknowninferredstale
- .NET / desktop● Yesverifiedstale
Xpoint Verify PC/Mac SDK.
- Server-side API● Yesverifiedstale
Compliance & certification
Regulatory coverage and certifications.
- US state-licensed (iGaming/sportsbook)● Yesverified
Licensed in 20 states + DC; flagships are bet365 multi-state (web), RSI AZ (Jan 2026 migration), RSI DE (Apr 2026), RSI BetRivers NJ + TN (active deployments, both producing compliance failures May 19).
- US tribal / on-property◐ Partialverifiedstale
BetRivers tribal-border failures observed in testing.
- Canadian provincial● Yesverifiedstale
Ontario via SkillOnNet (2022) and Playtech integration.
- European (MGA/UKGC)○ Noinferredstale
- LatAm (Brazil SPA)● Yesverifiedstale
Live with undisclosed Brazil operators.
- SOC 2 Type II· Unknowninferredstale
- ISO 27001· Unknowninferredstale
- GLI-certified◐ Partialrumorstale
Fraud & device intelligence
Device fingerprinting, IP intelligence, behavioral signals, account-takeover detection.
- Device fingerprint● Yesinferredstale
- IP intelligence DBMaintained DB of VPN / TOR / proxy / hijacked-residential IPs with documented refresh cadence (GeoGuard equivalent).◐ Partialinferredstale
Built-in VPN/proxy detection but no GeoGuard-class published IP database.
- Behavioral signals◐ Partialrumorstale
- Velocity / impossible travel◐ Partialinferredstale
- Bot detection◐ Partialinferredstale
- Account takeover· Unknowninferredstale
- Chargeback mgmt○ Noverifiedstale
Ops & integration
How easy the product is to integrate, observe, and operate.
- Self-serve onboarding· Unknowninferredstale
- Case management UI◐ Partialinferredstale
- Webhook delivery● Yesinferredstale
- Real-time API● Yesverifiedstale
- Analytics dashboard● Yesinferredstale
- Audit log export◐ Partialinferredstale
- Encrypted responseDetection flag names hidden from the end user (GeoComply uses encrypted XML; most challengers expose JSON flag names).○ Noverified
Returns compliance decisions + raw coordinates in plaintext; status / errors / nextCheckInterval / JWT all visible.
- SDK hardeningSDK is signed, obfuscated, and license-bound — not findable / patchable to inject coordinates client-side.○ Noverified
Raw iOS + Mac SDKs obtainable; unsigned iOS SDK; clientKey never expires per session; coordinate-injection patch is single point of total compromise.
Commercial
Pricing model and go-to-market shape.
- Usage-based pricing● Yesverifiedstale
Per-check pricing; Trust Mode markets ~20% per-check reduction.
- Flat license / enterprise◐ Partialinferredstale
- Free tier / trial· Unknowninferredstale
- Publicly listed pricing○ Noverifiedstale
- Bundled with platformGeo is bundled inside a broader platform deal (OpenBet, GeoLocs/Mkodo, Playtech).◐ Partialverifiedstale
Bundled via Playtech for SkillOnNet/High Roller in Ontario. Co-deployed alongside OpenBet Locator at Fanatics.
Resources
Briefings, source docs, and external links.
Case study (1)
- Xpoint Competitive Intelligence Brief — March 2026docs.google.com
Primary briefing — Trust Mode, Bet365, RushStreet migration, near-border, RSI DE.
Drive doc (1)
- Xpoint ↔ GeoComply SDK comparisondocs.google.com
Side-by-side SDK comparison + Xpoint document with security breach analysis added Mar 31.
Website (1)
News (1)
- Bettor Capital growth round (Dec 2025)xpoint.tech
Funding accelerates R&D + team expansion at a critical competitive moment.
Drive folder (1)
Raw iOS + Mac SDKs were obtained in March 2026. The iOS SDK is unsigned and findable, and the response payload returns raw coordinates + compliance decision in plaintext. An attacker can patch the app to inject coordinates before every compliance check, making the user appear inside a permitted jurisdiction. This is a category gap, not a fixable bug — the architecture exposes the trust boundary to the client.
Confirmed gaming clients (May 2026)
| Operator | Segment | Market | Notes |
|---|---|---|---|
| bet365 | Sportsbook / iGaming | US multi-state | Web-side only (mobile is on Radar). Flagship reference. |
| RushStreet Interactive (BetRivers) | Sportsbook / iGaming | AZ, DE, NJ, TN | AZ migrated from GeoComply Jan 2026; DE deployed April 2026; NJ + TN active deployments. NJ Tailscale RDP undetected May 19; TN hardware GPS simulator undetected May 19. |
| Fanatics Sportsbook | Sportsbook | US 22 states + DC | Co-deployed with OpenBet Locator; XPoint selected per region. |
| PrizePicks | DFS | US multi-state | Via Xpoint Lite. |
| Sporttrade | Sports-betting exchange | US — NJ (initial) | First US live deployment (2022). |
| PlayStar | iGaming | US — NJ | NJ iGaming compliance. |
| Crab Sports | Sportsbook | US — Maryland | Maryland state compliance. |
| SkillOnNet (PlayOJO, SpinGenie, SlotsMagic) | iGaming | Ontario | First-ever Xpoint Verify deployment (2022). |
| High Roller Technologies | iGaming | Ontario | Via Playtech (2025). |
| High 5 Casino | Social casino | US multi-state | Xpoint Lite (2025). |
| UAE Lottery / Play971 | Lottery / Betting | UAE | First regulated entity in the UAE. |
| Splash Sports | DFS | US multi-state | ⚠️ Planning to offload XPoint June 2026 — multi-state DFS handling missed. |
| Undisclosed Brazil operators | Various | Brazil | Live; counterparts not publicly named. |
Talking points for displacement deals
- The Splash Sports offload narrative is the new headline. A client publicly planning to leave XPoint in June 2026 over missing multi-state DFS support proves what we always say: no Multipass equivalent, no Dynamic Boundaries equivalent. Lead with this in DFS conversations.
- The RDP gap is now confirmed in three RSI states (AZ + DE + NJ). FaceTime in AZ + DE (Apr 7) and Tailscale in NJ (May 19, CIV-73) — structural, not operator-specific.
- GPS-simulator hardware sails through XPoint at RSI BetRivers TN (May 19, CIV-48). MI casino bets placed from Tennessee with no detection. Same week, OpenBet caught the same hardware at Fanatics TN with a specific error message — the gap is real and competitor-visible.
- The RSI DE deployment is producing complaints from week 1. Account suspension on DE-MD crossing before any spoofing. Static/mobile toggling friction. AnyDesk-installed false positives. Documents-folder access on macOS install. The "modern challenger UX" pitch is contradicted by the actual install + session experience.
- Trust Mode is a cost story; near-border pass rate (22% vs 90.2%) is a revenue story. Show booked-bet curves as a function of distance to the state line.
- Bet365 dual-stack (XPoint web + Radar mobile) is now publicly confirmed — even the flagship needed a co-provider.
- Magisk bypass on Bet365 XPoint Verify is publicly discussed on Reddit. Two users offered help. This is a regulated-market vulnerability being openly shared.
Open testing scope (carry-forward from weekly syncs)
- MITM test cases — retest some cases (some passed, some pending)
- Replay-attack on Bet365 — Network-level blocked (May 11), document the visibility gap for posterity
- GitHub monitoring — Xpoint repo subscribed (April 14)
- GPS Simulator — Radar + XPoint with GPS-simulator device (May)
- DroidVNC — test across competitors (May)
- bet365 MI — full validation (May)