Xpoint

Active competitor

Direct geo-compliance challenger. RSI DE deployed; FaceTime-RDP gap reproduced; Splash Sports planning to offload in June 2026.

xpoint.tech · maxim.mosin · Verified yesterday
US · Canada · LATAM · MENA · iGaming · Sportsbook · Online lottery · DFS
#direct-competitor #us-igaming #bet365 #rsi-de #splash-sports-churn #magisk-bypass #unsigned-ios-sdk

Detection scorecard

How Xpoint handles every spoofing technique we test for.

  • Detected
  • Partial
  • Missed
  • Not tested
Competitor | VPN | Proxy | Remote access | Fake GPS app | GPS spoofer | Emulator | Device farm | Jailbreak / Root | Resigned / tampered app | Sideload (PlayCover) | Browser extension | MITM / replay | Tor
Xpoint

Strongest findings

Failed and partial test outcomes ranked for sales impact — what to lean on in a call.

All findings

Test results and intel tagged to Xpoint.

Battle card

Talking points for a live sales call.

Xpoint is a gaming-focused geolocation company (Miami, FL; founded 2019) that positions itself as the modern alternative and second-source provider to GeoComply in North American iGaming and sportsbook. It is licensed in 20+ US states and Ontario, live in Brazil and the UAE, and operates the only credible challenger-tier desktop plugin (Xpoint Verify). The sales wedge is cost reduction via the patent-pending Trust Mode (~20% fewer checks on residential/office Wi-Fi), a developer-friendly auth model (clientKey per session at runtime, no license expiry, JWT response, automatic re-geolocation), and willingness to enter as a failover alongside Radar. **As of May 2026, Splash Sports is planning to offload XPoint in June 2026** citing missing multi-state DFS support — XPoint has no Multipass equivalent and no Dynamic Boundaries equivalent.

Watch out for

  • Bet365 displacement (~2024) is a flagship reference for any Tier-1 evaluating second-source.
  • RushStreet Interactive AZ migration (Jan 2026) — first confirmed live-traffic switch from GeoComply.
  • RSI Delaware deployed across casino + sportsbook (April 2026).
  • Only challenger with a PLC-class desktop plugin (Xpoint Verify), iOS + Android + macOS + Windows.
  • Developer-friendly SDK: clientKey per session, JWT response, jurisdictionArea field returned in response (eases multi-state).
  • Patent-pending Trust Mode resonates with operators counting per-check spend.
  • Bet365 TN replay-attack: network-level attacks fully blocked (May 11) — MITM compliant.
  • International ahead of us in Brazil and the UAE (Play971 — first regulated entity in UAE).
  • Bet365 dual-stack confirmed: XPoint on web, Radar on mobile (Apr 7) — even in their flagship, geo is split.

How we win

  • FaceTime RDP NOT detected at RSI Delaware (Apr 7) — MI user wagered on DE-localised iOS device across casino + sportsbook. Same gap as previously confirmed in AZ — cross-region structural failure.
  • Active session SUSPENDED at the DE-MD border before any spoofing attempt was made (Apr 7) — over-aggressive boundary enforcement.
  • Near-border performance considerably lower than GeoComply: inconsistent pass/fail points + erroneous failures even when moving away from the boundary (Apr 7). Reported ~22% pass rate at 250m vs GeoComply's 90.2%.
  • Static/mobile toggling requirement creates major UX friction near MD + DE borders, vs GeoComply's seamless PA experience (Apr 7).
  • macOS installation requests access to documents folder — known security concern (Apr 7).
  • False positive: AnyDesk installed (but not actively running) blocks betting on Xpoint Verify (Apr 7) — operationally expensive support load.
  • Mac CPU 1-minute interval spikes from 0.5% → 16% during poker gameplay (Apr 7).
  • Splash Sports is planning to offload XPoint in June 2026 (Apr 7, reconfirmed Apr 14) — XPoint has no Multipass / multi-state DFS equivalent, no Dynamic Boundaries equivalent.
  • Unsigned iOS SDK + findable SDK (raw iOS + Mac SDKs obtained, Mar 24): an attacker can patch the app to inject coordinates, placing the user inside a permitted jurisdiction BEFORE every compliance check.
  • Compliance decisions + raw coordinates returned in plaintext to the client with a public GPS injection method (May 5 monthly brief).
  • Magisk bypass publicly discussed on Reddit (Bet365 Florida user, Apr 7 + Apr 14) — two users offered help.
  • Bet365 (XPoint web) ongoing social signal: wrong-state (MD→NJ), endless install loop, app freeze + bet slip erasure, '1-star verification is trash', delete-and-reinstall every session.
  • RushStreet (XPoint) poker users report losing money on tournaments after freezes / location loss / kick-off.

Capability claims

What they say they do, grouped by category. Cross-check against the detection scorecard above — claims and tests don't always match.

Geolocation

How accurately and reliably the product determines a user's real location.

  • GPS / OS location: Uses native device GPS or OS-level location services.
    Yes (verified)

    Native iOS / Android SDK; WiFi + GPS + IP + Cellular signals only.

  • Wi-Fi triangulation
    Yes (inferred, stale)
  • IP geolocation
    Yes (verified, stale)
  • IP-change detection: Continuously monitors IP and re-runs geolocation on Wi-Fi ↔ cellular or VPN swap (GeoComply MyIP equivalent).
    Unknown (rumor, stale)

    No built-in MyIP-equivalent service confirmed in SDK comparison.

  • Boundary / state-line: Handles users moving across regulated boundaries during an active session.
    Partial (verified)

    RSI DE: active session suspended simply by crossing DE-MD border before any spoofing — over-aggressive enforcement. BetRivers tribal-border failures previously observed.

  • Near-border accuracy: Multi-point aggregation + buffer-zone handling near regulated borders; measured as pass rate at 250m.
    Partial (verified)

    Reported 22% pass rate at 250m vs GeoComply 90.2%; inconsistent pass/fail at RSI DE with erroneous failures even moving away from the boundary.

  • Pre-login pre-check
    Yes (inferred, stale)
  • Multi-jurisdiction: Single integration handling operators in multiple regulated states (GeoComply Multipass / Dynamic Boundaries equivalent).
    Partial (verified)

    jurisdictionArea field returned in response — useful for multi-state operators. BUT no Multipass / Dynamic Boundaries equivalent — Splash Sports planning to offload June 2026 over multi-state DFS gap.

  • Desktop plugin (PLC-class): Native desktop client / plugin required by PA, NJ, MS and most US iGaming regulators.
    Yes (verified)

    Xpoint Verify exists across iOS / Android / macOS / Windows — but Chrome-incompatible, manual launch every restart, ~30% CPU idle on Windows, 1-min CPU spikes to 16% on Mac during poker, macOS install requests Documents folder access.

  • On-property BLE geofence: Bluetooth Low Energy precision geofencing for tribal / on-property venues (PinPoint-class).
    No (verified, stale)

    No PinPoint-equivalent BLE geofencing product.

Anti-spoofing detection

Detection coverage for the spoof vectors tested by the Competitive Intelligence team. Cell values reflect SDK-level detection of the listed vector at the most recently tested operator.

  • VPN exit nodes: Detects commercial VPN exit nodes (NordVPN, ExpressVPN, Surfshark, etc.).
    Partial (verified)

    Detects commercial VPN; depth unverified vs GeoGuard's 310M+ IP DB.

  • Proxy / residential: Detects datacenter and residential proxies — the harder class of IP obfuscation.
    Partial (inferred, stale)
  • Tor exits
    Unknown (rumor, stale)
  • Remote desktop (RDP): Detects AnyDesk, TeamViewer, FaceTime, Assistant, HopToDesk, iPhone screen mirroring, RustDesk and similar remote-control sessions.
    No (verified)

    FaceTime RDP NOT detected at RSI DE — MI user placed remote wagers on DE iOS across casino + sportsbook. Same gap as in AZ. False positive: AnyDesk installed (not running) silently blocks betting.

  • Fake-location apps: Detects iAnyGo / Fake GPS / mock-location apps on iOS and Android.
    No (verified)

    FLA on Android undetected; previously-blocked GeoComply account no longer blocked once XPoint took over.

  • Hardware GPS spoofer: Detects HackRF / BladeRF and GPS-simulator-device signal injection.
    No (verified)

    Unsigned iOS SDK + findable SDK allows coordinate injection before every compliance check; public GPS injection method exposed.

  • Emulator / VM: Detects Xcode iOS Simulator, BlueStacks, Genymotion and similar virtual environments.
    Unknown (rumor, stale)

    Marketing claims emulator detection (BlueStacks, Genymotion). No internal test on file — research priority.

  • Device farm / VMOS: Detects VMOS / virtualized Android device-farm environments used for multi-accounting.
    Unknown (rumor, stale)

    Not yet tested.

  • Jailbreak / root: Detects jailbroken iOS, rooted Android (incl. Magisk hidden root), and Frida / runtime-hook tampering.
    No (verified)

    Rooted Android (hidden root) allowed through to bet placement at BetRivers — account previously blocked by GeoComply was no longer blocked once Xpoint took over.

  • Resigned / tampered app: Detects iOS apps that have been re-signed / Android apps that have been repackaged with injected code.
    No (verified)

    Unsigned iOS SDK can be patched to inject coordinates — major SDK vulnerability.

  • Sideload (PlayCover): Detects ARM-macOS iOS sideloading via PlayCover and equivalent hardware-abstraction loaders.
    Yes (verified)

    Bet365 MI PlayCover sideloading neutralised during authentication.

  • Browser extension spoof: Detects Chrome / browser extensions that spoof location (Location Guard, Hola, etc.).
    Unknown (rumor, stale)
  • Session termination: Terminates session when location services are disabled mid-game or device leaves the jurisdiction.
    Partial (inferred, stale)
  • MITM / replay attack: Resists network-level interception, request tampering, and replay attacks against the SDK ↔ backend channel.
    Yes (verified)

    MITM tests partially completed — Xpoint blocks the requested vectors. Bet365 TN replay-attack: network-level fully blocked. Some test cases pending re-run.

Identity & KYC

Document verification, biometric liveness, sanctions screening.

  • Document scan / OCR
    No (verified, stale)
  • Biometric liveness
    No (verified, stale)
  • Sanctions / PEP
    No (verified, stale)
  • AML / responsible gaming
    No (verified, stale)
  • Reusable identity
    Unknown (inferred, stale)

Platform coverage

Which surfaces the SDK / product runs on.

  • iOS native
    Yes (verified, stale)
  • Android native
    Yes (verified, stale)
  • Web / browser
    Yes (verified, stale)

    Browser-based check via Xpoint Verify app; does not work on Chrome.

  • React Native
    Unknown (rumor, stale)
  • Flutter
    Unknown (rumor, stale)
  • Unity
    Unknown (inferred, stale)
  • .NET / desktop
    Yes (verified, stale)

    Xpoint Verify PC/Mac SDK.

  • Server-side API
    Yes (verified, stale)

Compliance & certification

Regulatory coverage and certifications.

  • US state-licensed (iGaming/sportsbook)
    Yes (verified)

    Licensed in 20 states + DC; flagships are bet365 multi-state, RSI AZ (Jan 2026 migration), RSI DE (Apr 2026).

  • US tribal / on-property
    Partial (verified, stale)

    BetRivers tribal-border failures observed in testing.

  • Canadian provincial
    Yes (verified, stale)

    Ontario via SkillOnNet (2022) and Playtech integration.

  • European (MGA/UKGC)
    No (inferred, stale)
  • LatAm (Brazil SPA)
    Yes (verified, stale)

    Live with undisclosed Brazil operators.

  • SOC 2 Type II
    Unknown (inferred, stale)
  • ISO 27001
    Unknown (inferred, stale)
  • GLI-certified
    Partial (rumor, stale)

Fraud & device intelligence

Device fingerprinting, IP intelligence, behavioral signals, account-takeover detection.

  • Device fingerprint
    Yes (inferred, stale)
  • IP intelligence DB: Maintained DB of VPN / TOR / proxy / hijacked-residential IPs with documented refresh cadence (GeoGuard equivalent).
    Partial (inferred, stale)

    Built-in VPN/proxy detection but no GeoGuard-class published IP database.

  • Behavioral signals
    Partial (rumor, stale)
  • Velocity / impossible travel
    Partial (inferred, stale)
  • Bot detection
    Partial (inferred, stale)
  • Account takeover
    Unknown (inferred, stale)
  • Chargeback mgmt
    No (verified, stale)

Ops & integration

How easy the product is to integrate, observe, and operate.

  • Self-serve onboarding
    Unknown (inferred, stale)
  • Case management UI
    Partial (inferred, stale)
  • Webhook delivery
    Yes (inferred, stale)
  • Real-time API
    Yes (verified, stale)
  • Analytics dashboard
    Yes (inferred, stale)
  • Audit log export
    Partial (inferred, stale)
  • Encrypted response: Detection flag names hidden from the end user (GeoComply uses encrypted XML; most challengers expose JSON flag names).
    No (verified)

    Returns compliance decisions + raw coordinates in plaintext; status / errors / nextCheckInterval / JWT all visible.

  • SDK hardening: SDK is signed, obfuscated, and license-bound — not findable / patchable to inject coordinates client-side.
    No (verified)

    Raw iOS + Mac SDKs obtainable; unsigned iOS SDK; clientKey never expires per session; coordinate-injection patch is single point of total compromise.

Commercial

Pricing model and go-to-market shape.

  • Usage-based pricing
    Yes (verified, stale)

    Per-check pricing; Trust Mode markets ~20% per-check reduction.

  • Flat license / enterprise
    Partial (inferred, stale)
  • Free tier / trial
    Unknown (inferred, stale)
  • Publicly listed pricing
    No (verified, stale)
  • Bundled with platform: Geo is bundled inside a broader platform deal (OpenBet, GeoLocs/Mkodo, Playtech).
    Partial (verified, stale)

    Bundled via Playtech for SkillOnNet/High Roller in Ontario. Co-deployed alongside OpenBet Locator at Fanatics.

Structural SDK exposure

Raw iOS + Mac SDKs were obtained in March 2026. The iOS SDK is unsigned and findable, and the response payload returns raw coordinates + compliance decision in plaintext. An attacker can patch the app to inject coordinates before every compliance check, making the user appear inside a permitted jurisdiction. This is a category gap, not a fixable bug — the architecture exposes the trust boundary to the client.

Confirmed gaming clients (May 2026)

| Operator | Segment | Market | Notes |
|---|---|---|---|
| bet365 | Sportsbook / iGaming | US multi-state | Web-side only (mobile is on Radar). Flagship reference. |
| RushStreet Interactive (BetRivers) | Sportsbook / iGaming | AZ + DE | AZ migrated from GeoComply Jan 2026; DE deployed April 2026. |
| Fanatics Sportsbook | Sportsbook | US 22 states + DC | Co-deployed with OpenBet Locator; XPoint selected per region. |
| PrizePicks | DFS | US multi-state | Via Xpoint Lite. |
| Sporttrade | Sports-betting exchange | US — NJ (initial) | First US live deployment (2022). |
| PlayStar | iGaming | US — NJ | NJ iGaming compliance. |
| Crab Sports | Sportsbook | US — Maryland | Maryland state compliance. |
| SkillOnNet (PlayOJO, SpinGenie, SlotsMagic) | iGaming | Ontario | First-ever Xpoint Verify deployment (2022). |
| High Roller Technologies | iGaming | Ontario | Via Playtech (2025). |
| High 5 Casino | Social casino | US multi-state | Xpoint Lite (2025). |
| UAE Lottery / Play971 | Lottery / Betting | UAE | First regulated entity in the UAE. |
| Splash Sports | DFS | US multi-state | ⚠️ Planning to offload XPoint June 2026 — multi-state DFS handling missed. |
| Undisclosed Brazil operators | Various | Brazil | Live; counterparts not publicly named. |

Talking points for displacement deals

  1. The Splash Sports offload narrative is the new headline. A client publicly planning to leave XPoint in June 2026 over missing multi-state DFS support proves what we always say: no Multipass equivalent, no Dynamic Boundaries equivalent. Lead with this in DFS conversations.
  2. The RSI DE deployment is producing complaints from week 1. Account suspension on DE-MD crossing before any spoofing. Static/mobile toggling friction. AnyDesk-installed false positives. Documents-folder access on macOS install. The "modern challenger UX" pitch is contradicted by the actual install + session experience.
  3. The FaceTime RDP gap is now cross-region (AZ + DE) — structural, not operator-specific.
  4. Trust Mode is a cost story; near-border pass rate (22% vs 90.2%) is a revenue story. Show booked-bet curves as a function of distance to the state line.
  5. Bet365 dual-stack (XPoint web + Radar mobile) is now publicly confirmed — even the flagship needed a co-provider.
  6. Magisk bypass on Bet365 XPoint Verify is publicly discussed on Reddit. Two users offered help. This is a regulated-market vulnerability being openly shared.

Open testing scope (carry-forward from weekly syncs)

  • MITM test cases — retest some cases (some passed, some pending)
  • Replay-attack on Bet365 — Network-level blocked (May 11), document the visibility gap for posterity
  • GitHub monitoring — Xpoint repo subscribed (April 14)
  • GPS Simulator — Radar + XPoint with GPS-simulator device (May)
  • DroidVNC — test across competitors (May)
  • bet365 MI — full validation (May)