- DraftKings DFS NJ migrated from GeoComply to Radar (web only)
  Confirmed provider transition: DraftKings has moved its New Jersey DFS web product from GeoComply to Radar. Sportsbook and mobile apps stay on GeoComply. Dual-vendor compliance testing underway.
- Radar / FanDuel WV: three exploitation methods bypass restrictions from Tennessee
  Confirmed compliance vulnerabilities at FanDuel WV: users can bypass geographical restrictions from Tennessee via iOS app resigning, virtualised environment emulation via VMOS, and sideloading via PlayCover on ARM-based macOS. Each technique successfully facilitated out-of-state betting.
- OpenBet / Fanatics TN: HopToDesk + iPhone screen mirroring bypassed detection
  Fanatics TN flagship deployment: HopToDesk + iPhone screen mirroring both bypassed OpenBet Locator's RDP protocols. Out-of-Tennessee wagering succeeded on both iOS and Android.
- Radar / Saracen AR: 100m from border — Mac 44% pass rate, Windows persistent lockout
  Saracen AR proximity testing: success rates remained high beyond 350m from the state line, but at 100m Mac devices only cleared 44% of verifications. Windows users experienced a persistent lockout after a single failure, complicated by an atypical 'fraud_jumped_single_device' flag during betting attempts.
- Monthly social brief: location verification failures = 38% of all complaints
  May 5 monthly brief: location verification failures dominate end-user complaints (38% of all findings), with DraftKings (11) and FanDuel (9) generating the highest complaint volumes across March 30 – April 27.
- Radar / Underdog DFS: Chrome extension (Location Guard) undetected
  Underdog DFS browser-based Radar deployment: location-spoofing via the free Location Guard Chrome extension was not detected. Free, no technical skill required.
- Radar: jailbroken root-hidden iOS not detected at Sleeper, PrizePicks, Fliff
  Three operators, one structural gap: jailbroken root-hidden iOS devices bypass geolocation controls on Sleeper Sports, PrizePicks, and Fliff. Users can wager from prohibited locations without detection.
- Reddit: two users publicly offer to spoof Bet365 XPoint Verify via Magisk
  Florida user asked on Reddit how to spoof XPoint Verify. Two other users confirmed it is possible and offered help via Magisk. Worth investigating Magisk + XPoint Verify vulnerability.
- Splash Sports planning to offload XPoint in June 2026 — multi-state DFS gap
  Splash Sports is aiming to offload XPoint in June 2026. They have DFS game modes available in different states which XPoint requires them to handle themselves — XPoint has no Multipass equivalent and no Dynamic Boundaries equivalent.
- TQJ 'Todos Querem Jogar' switched OpenBet off — now running IP-only
  Brazil operator Todos Querem Jogar (Bet do Milhão) switched OpenBet off — described as 'worked poorly and caused UX issues'. Now using IP only as primary geolocation, with no proper geo-enforcement.
- XPoint / RSI DE: FaceTime RDP undetected — MI user wagered on DE iOS device
  Michigan-based user placed remote wagers on a Delaware-localised iOS device via FaceTime RDP — both casino and sportsbook. Same gap previously confirmed in AZ. Cross-region structural failure, not an operator-specific bug.
- Radar / FanDuel WV: tampered iOS app placed bets from Tennessee
  Resigned iOS FanDuel app — modified to bypass security controls — successfully placed bets from TN on the WV platform. Radar failed to detect the modification.
- Xpoint: unsigned iOS SDK + findable SDK = client-side coordinate injection
  Source analysis of the raw iOS + Mac Xpoint SDKs obtained in March: the iOS SDK is unsigned and findable. An attacker can patch the app to inject coordinates before every compliance check.
- Radar / FanDuel WV bypassed by GPS simulator device from Vietnam
  FD WV testing: location verification was bypassed using a GPS simulator device, with the tester apparently located in Vietnam. Radar accepted the spoofed coordinates.
- Cross-operator: iOS PlayCover sideloading blocked at Bet365 MI, Fanatics TN, Bet Saracen AR ✓
  Desktop-based emulation of iOS applications via PlayCover is successfully restricted across all three tested operators. Bet365 and Fanatics neutralized the vector during authentication; Bet Saracen identified the unauthorized environment at the betting stage.
- Radar / Bet Saracen AR: VMOS not detected — but PlayCover + resigned iOS blocked ✓
  Radar was unable to identify virtualized device simulation through VMOS, which permitted a successful out-of-state bet from Tennessee. However, Radar correctly detected and restricted sideloading via PlayCover and the use of resigned iOS apps during the betting process.
- RobinHood (TN, prediction markets): no device-level geolocation — IP-only, trivially bypassed
  Replay-attack testing on RobinHood TN: no device-level geolocation in place. RobinHood relies solely on IP to verify player location. Basic spoofing tools went undetected — bypass requires zero technical skill.
- Radar / Saracen AR: AnyDesk + TeamViewer correctly restricted
  Saracen AR Radar deployment: active sessions via AnyDesk and TeamViewer were effectively restricted. A rare positive Radar result — worth recording for parity.
- Radar / Saracen AR: pre-loaded Windows 'Remote Screen Sharing' silently blocks accounts
  The pre-loaded Windows Remote Desktop Connection app ('Remote Screen Sharing') triggers account restrictions without notifying the user. Significant risk for support teams — high ticket volumes and player dissatisfaction with no clear resolution path.
- Radar v3.31.0 (Apr 24, 2026): SDK generates geofence events offline, without server
  Notable Radar SDK release: when the backend is unreachable, the SDK generates geofence entry/exit events directly on the device from cached data, tagged as offline. Backend-toggled. Watch point: does this satisfy regulatory requirements?
- Fanatics (OpenBet) account suspension immediately after a winning streak
  April 28 weekly: Two new KYC entries for Fanatics. Users report selfie/ID scans failing repeatedly on sign-up, and a separate account suspension immediately following a winning streak — funds held, bank statements submitted, no resolution.
- Radar desktop UX issues: auto-launch, hotspot incompatibility, 4% CPU pulses, macOS/Chrome compat gaps
  April 14 testing surfaced five distinct desktop UX problems on Radar Verify: persistent install download prompts, auto-launch on system startup without consent, 4% CPU spikes every 10s at 600m from the border, mobile-hotspot incompatibility, and inconsistent behaviour across macOS 26.0.1 vs 26.3.1 and Chrome 146 vs 147.
- Radar near-border: validation fails until 100m (iOS) and 220m (Android) from OK line
  Proximity Constraints — validation unsuccessful until reaching 100m (iOS) / 220m (Android) from the OK state line. Static desktop verification failed at 1,750m from the border via public Wi-Fi (Mac/Windows). Success threshold remains undetermined.
- Radar SDK release analysis: shifting from 'where is the user?' to 'can we continuously trust this location?'
  Radar release cadence: every 3 weeks to a couple of months. Strategic direction: continuous-trust location decisioning via IP-triggered re-validation, multi-signal decisioning (motion/device/network alongside GPS), indoor/floor-level accuracy with BLE beacons, and a modular plugin-based fraud architecture.
- FanDuel: $12,000 payout denied due to 'suspicious location' flag
  April 14 weekly: FanDuel dominated complaints — one high-impact case: user denied a $12,000 payout due to a 'suspicious location' flag. DraftKings simultaneously hit with 10+ minute location-check delays.
- Bet365 confirmed dual-stack: XPoint web + Radar mobile
  Confirmed in the April 7 weekly research: Bet365 runs XPoint on the web and Radar on mobile. Even the flagship XPoint reference is split across two geo providers.
- Radar / Saracen AR: resigned iOS app detected with clear error messaging ✓
  Saracen AR testing confirmed Radar flagged a resigned iOS app with appropriate error messaging, preventing betting activity while ensuring the account was not blocked. This contradicts our FD WV result. Follow-up validation scheduled pending the next iOS app release.
- Radar / FanDuel WV: VMOS not detected on second attempt — regression vs Mar 31
  VMOS emulator usage not detected on the second attempt. Allowed bets from TN on the WV app. Contradicts the March 31 success — the detector is either regressed or flaky.
- RushStreet (XPoint) Android review: kicked off during tournaments, lost money
  RushStreet (XPoint) Android Play Store review: 'I've been playing poker and lately it's been freezing up, losing location, and I've got kicked off and lost money on tournaments.'
- Radar / FanDuel WV: proxy betting allowed — system just asks user to 'wait additional time'
  Radar is allowing proxy betting and just asks the user to wait some additional time if someone else used the account in another location. Reactive enforcement with misleading 'account sharing' messaging.
- Radar / FanDuel WV: VMOS Android device-farm successfully detected ✓
  Device Farm / VMOS (Android) — Radar successfully identified the virtual OS environment used to manipulate device integrity. Follow-up validation scheduled pending the next Android app release.
- Radar / Saracen AR desktop: Chrome-incompatible Verify app + no bet within 1km of AR border
  Radar Verify desktop app does not work on Chrome (confirmed Windows + Mac). No successful bet within 1km of the AR border on a Windows laptop with mobile hotspot — Radar kept switching between 'State not Allowed' and 'Buffer Zone' errors.
- Reddit on Bet365 XPoint: wrong-state detection (MD→NJ), endless Verify install loop
  March 24 weekly: Bet365 (XPoint) generating strong negative signal — wrong-state detection (MD placed in NJ), endless XPoint Verify install loop on desktop, multiple posts explicitly naming the provider switch as the root cause.
- Reddit on Fanatics: 'Why they didn't go with GeoComply like everyone else is beyond me'
  March 24 weekly sync: Fanatics / OpenBet sentiment is highly negative and openly pro-GeoComply across Reddit. Players report multi-week geolocation failures, CS dead ends, inability to withdraw funds without passing geo.
- Xpoint / BetRivers: rooted Android device allowed through to bet placement
  Rooted Android device with hidden root cleared Xpoint geolocation at BetRivers (RSI). An account that had previously been blocked by GeoComply was no longer blocked once Xpoint took over the integration.