XPoint / Bet365 NJ: macOS↔macOS RDP via Tailscale + Screen Sharing undetected
Source. May 26, 2026 weekly sync.
Ticket. CIV-73: Bet365 NJ — Remote Desktop via macOS Screen Sharing (XPoint).
What we tested
A common fraud pattern: one computer remotely controls another computer in a different location to place bets. We tested whether Bet365's geolocation provider could detect this when the operator runs on XPoint (Bet365 NJ).
Stack used:
- Tailscale — a networking tool that connects two computers over the internet as if they were on the same local network.
- macOS Screen Sharing — Apple's built-in remote-desktop feature, driven through the Tailscale link.
What happened
- ✗ Tester accessed Bet365 NJ from a different physical location through the macOS↔macOS remote session.
- ✗ XPoint failed to detect this remote-access method. Bets were placed without interruption.
Why it matters
This is a clean compliance gap on a vector specifically targeted by remote-betting fraud. The bypass uses entirely off-the-shelf, legal tools — Tailscale and a feature already built into macOS — with no exotic configuration.
Follow-up testing across Radar, OpenBet, and GeoComply-integrated clients has been requested to scope whether this is XPoint-specific or a broader macOS RDP detection gap across providers.
Cross-reference
- Bet365 NJ (Radar) — Tailscale + RealVNC RDP undetected for 25+ minutes — same operator, different geo provider, same Tailscale-based attack pattern.
- RSI BetRivers NJ (XPoint) — Tailscale RDP inconsistent (May 19) — second XPoint integration where Tailscale-based RDP is unreliably detected.