Skip to main content

5 posts tagged with "ciV-48"

View All Tags
DetectedGPS spoofer

OpenBet / Fanatics MI: GPS spoofing hardware detected — new market confirms the TN result ✓

OpenBetFanatics Sportsbook
openbetfanatics-migps-simulatorpositiveciV-48

Source. May 26, 2026 weekly sync.
Ticket. CIV-48: Test Fake Location using GPS Simulator Accessory on Competitor Apps.

What we tested

A hardware GPS-spoofing accessory was used against Fanatics Michigan (OpenBet Locator) — a market not previously exercised on this vector. The TN result from the prior cycle was the benchmark to compare against.

What happened

  • Real-time location-anomaly warning surfaced as soon as the spoofed position diverged from the device's plausible motion model.
  • Session prevented from continuing — wagering blocked.

Why it matters

Two-market confirmation of OpenBet's GPS-simulator handling. The prior Tennessee result is no longer a single-data-point; Fanatics MI now provides an independent replication of the same defensive behaviour against the same hardware vector. This raises confidence that the detection is integration-level rather than a quirk of one operator deployment.

Cross-reference

OpenBet profile → · May 26 weekly sync →

DetectedSideload (PlayCover)

Cross-operator: iOS PlayCover sideloading blocked at Bet365 MI (Radar) and Fanatics TN (OpenBet) ✓

RadarOpenBetbet365Fanatics Sportsbook
radaropenbetplaycoversideloadpositive

Source. May 19, 2026 weekly sync.
Tickets. CIV-48 · CIV-61: iOS — spoofing testing with PlayCover tool.

What we tested

Desktop-based emulation of iOS apps via PlayCover on ARM-based macOS, attempted against two operators in two jurisdictions:

OperatorGeo providerResult
Bet365 MIRadar (mobile) / XPoint (web)✓ Blocked at login stage
Fanatics TNOpenBet Locator✓ Blocked at login stage

What happened

No geolocation bypass possible. Both platforms neutralised the PlayCover environment before any compliance check ran — the apps refused to authenticate at all when running under PlayCover.

Why it matters

PlayCover is the most credible iOS-on-Mac sideloading tool. Two different geo vendors blocking it on two different operators in the same test cycle is a clean "compliant tier" signal — and consistent with the cross-operator PlayCover block we recorded on May 11.

The standing outlier remains FanDuel WV (Radar), where PlayCover bypassed the platform on May 11. PlayCover is therefore a vendor-handled vector when the operator integration is fully wired up, and an operator-integration gap when it isn't.

Cross-reference

Radar profile → · OpenBet profile → · May 19 weekly sync →

DetectedGPS spooferFake GPS appUX / messaging

OpenBet / Fanatics TN: GPS simulator detected with a specific, informative error message ✓

OpenBetFanatics Sportsbook
openbetfanatics-tngps-simulatorpositiveciV-48

Source. May 19, 2026 weekly sync.
Ticket. CIV-48.

What we tested

The same hardware GPS simulator accessory used against Bet365 MI (Radar) and RSI BetRivers TN (XPoint) this week — applied to the Fanatics Tennessee (OpenBet Locator) deployment.

What happened

Detected and named. The GPS simulator triggered a clear, specific error message:

"Your location has abruptly changed. Please disable apps that alter your device's location and retry."

This is notably more informative than the generic messaging seen at the other operators in the same test cycle — it tells the player exactly what kind of tampering was detected and what to do.

Why it matters

Two things are worth recording here:

  1. OpenBet handles GPS-simulator hardware. This is the third spoofing vector this week where OpenBet's detection held while Radar / XPoint's did not (alongside droidVNC-NG RDP blocked at Fanatics NJ and PlayCover blocked at Fanatics TN).
  2. The UX is materially better. Compare with Radar's generic "Account Locked" messaging on DraftKings DFS NJ this week — same kind of compliance event, two very different player experiences. Specific, actionable error messaging reduces support load and shortens the recovery path for legitimate users.

Cross-reference (GPS simulator across providers this week)

OperatorProviderResult
Bet365 MIRadarBypassed via re-entry
RSI BetRivers TNXPointFully undetected
Fanatics TNOpenBet Locator✓ Detected with specific error (this finding)

OpenBet was the only provider to handle this vector cleanly this cycle.

OpenBet profile → · May 19 weekly sync →

MissedGPS spooferFake GPS app★ Pinned

Radar / Bet365 MI: GPS simulator accessory bypass, restriction not re-applied on re-entry

Radarbet365
radarbet365-migps-simulatorciV-48

Source. May 19, 2026 weekly sync.
Ticket. CIV-48: Test Fake Location using GPS Simulator Accessory on Competitor Apps.

What we tested

A hardware GPS simulator accessory was used to spoof the tester's physical location while connecting to Bet365 Michigan (Radar deployment) from Tennessee.

What happened

  • First login attempt — an error was returned (location restriction triggered).
  • Second login attempt — succeeded with no further location checks enforced. The tester opened a casino game and placed real-money bets from Tennessee.
  • The restriction that appeared on the first login was not re-applied on re-entry — the bypass is repeatable.

Why it matters

This is a structural detection failure, not a one-off bug: the GPS simulator was identified once, then the operator's session state effectively whitelisted the device. Anyone who has triggered a restriction once can simply log out and back in to bypass it.

Combined with the Bet365 NJ Tailscale RDP gap confirmed in the same week, Bet365's Radar integration is producing two distinct, easily-reproducible spoof methods across two different states.

Cross-reference

  • GPS simulator at FanDuel WV (Radar) — previously bypassed from Vietnam (March 24, 2026). The GPS-simulator gap is not new and not WV-specific.
  • PlayCover at Bet365 MIblocked the same week. Bet365 catches the iOS-on-Mac vector but misses the hardware-GPS vector.
  • GPS simulator at Fanatics TN (OpenBet)detected with a clear, specific error message. OpenBet handles this vector; Radar does not.

Radar profile → · May 19 weekly sync →

MissedGPS spooferFake GPS app★ Pinned

XPoint / RSI BetRivers TN: GPS simulator fully undetected, MI casino bets from Tennessee

XpointRushStreet Interactive (BetRivers)
xpointrsi-betriversgps-simulatorciV-48

Source. May 19, 2026 weekly sync.
Ticket. CIV-48: Test Fake Location using GPS Simulator Accessory on Competitor Apps.

What we tested

A hardware GPS simulator accessory was used against the RSI BetRivers Tennessee (XPoint) deployment.

What happened

The GPS simulator went fully undetected — no first-login error, no session-mid restriction. The tester logged into the Michigan app from Tennessee and played a casino game with no errors or restrictions triggered at any point.

Why it matters

This is the cleaner-cut version of the Bet365 MI Radar gap on the same vector this week. Where Bet365 (Radar) flagged the simulator on first login and then forgot about it, RSI BetRivers (XPoint) never flagged it at all.

This is also consistent with our standing position on XPoint's unsigned iOS SDK (March 24): the SDK ships with a public GPS injection method and can be patched to inject coordinates before every compliance check. A hardware GPS-simulator accessory is a more expensive way to achieve the same outcome — and it still works.

Cross-reference

XPoint profile → · May 19 weekly sync →