OpenBet / Fanatics TN: HopToDesk remote session connects, but the Place Bet button is hidden from the remote operator
Source. June 8, 2026 weekly sync.
Ticket. CIV-89: Fanatics / OpenBet Locator — spoofing testing updates.
What we tested
The Tennessee half of the Fanatics remote-access retest: HopToDesk remote control on Android against the Fanatics TN app (OpenBet Locator), with the remote operator driving the in-state device.
What happened
- ⚠️ Remote-control session established. HopToDesk connected and the remote operator had full control of the Android device — the session itself was not blocked.
- ✓ Place Bet button hidden from the remote operator. Bets could not be placed remotely without local (in-person) interaction on the device.
Why it matters
A partial outcome. The remote-access tool was not detected or blocked outright, but the wagering action was withheld from the remote session, so the fraud could not be completed remotely. The protection is not consistent across states and tools, though: on Fanatics MI this week, TeamViewer screen mirroring allowed full remote betting from Tennessee. An attacker who can supply even brief local interaction — or who finds a tool/state combination without the hidden-button behaviour — may still get through.
Cross-reference
- Fanatics MI (OpenBet) — GPS simulator + TeamViewer screen mirroring undetected, bets placed from Tennessee (CIV-89) — the Michigan half of the same retest, where remote betting did succeed.
- Fanatics MI (OpenBet) — HopToDesk undetected on Android; TeamViewer + AnyDesk blocked (June 2, CIV-64) — HopToDesk on Android in Michigan a cycle earlier, where it slipped through at install and during an active session.