Skip to main content

4 posts tagged with "mkodo"

View All Tags
MissedComplianceMITM / replayUX / messaging

GeoLocs / mkodo — Casumo Casino (QC/ON border): KYC bypass with fake Quebec address; Ontario licence suspended May 14

GeoLocsCasumo Casino
geolocsmkodocasumoontarioquebec

Source. June 23, 2026 weekly sync.
Ticket. CIV-55: mkodo / GeoLocs — full validation.

What we tested

Full validation of mkodo's GeoLocs product via Casumo Casino, tested from the Quebec side of the Ontario–Quebec border. Casumo's Ontario licence was suspended May 14 — relevant context for the operating posture during testing.

What happened

Compliance gaps

  • KYC bypassed with fake Quebec addressOntario ID and Ontario billing address both accepted; $10 deposit completed despite contradictory jurisdiction documentation.

Blocks / working detections

  • Ontario users correctly blocked from registering in-province.
  • ⚠️ DevTools intermittently detected on Mac.
  • Hardware locale evaluation — Canadian-purchased iPhone shown a maintenance page (US iPhone worked — likely device locale detection).

UX issues

  • Games failed to load across all platforms and scenarios under normal conditions — app largely non-functional in QC.

Why it matters

The KYC bypass is a direct regulatory exposure independent of geolocation accuracy: fabricated Quebec credentials plus contradictory Ontario documentation still produced a funded account. The Quebec gaming failures mean the platform is effectively unusable in that territory today — but the KYC gap would matter on any functional deployment path.

Cross-reference

GeoLocs profile → · June 23 weekly sync →

DetectedCompliance

GeoLocs / mkodo at OLG iOS: session terminated immediately when device location services are disabled ✓

GeoLocsOLG (Ontario Lottery & Gaming)
geolocsmkodoolgioslocation-services

Source. May 26, 2026 weekly sync.
Ticket. CIV-52: Ontario — mkodo / GeoLocs — Compliance Failures & Retest.

What we tested

Whether the OLG iOS app (GeoLocs / mkodo geolocation) would correctly refuse to operate when device location services were turned off — i.e. the most basic compliance pre-condition (no location signal → no wager).

What happened

  • Session was terminated immediately on detection of disabled location services.

Why it matters

The baseline check works. A platform that allows wagering with no location data is unambiguously non-compliant; this vendor correctly refuses, on iOS, at session start.

That said — pair this with the OLG / GeoLocs VPN gap recorded the same week: the vendor does enforce when the device claims to be unable to locate, but falls down when the device claims to be located somewhere it isn't. The two findings together describe the shape of the gap: GeoLocs trusts the device's location signal too uncritically when that signal is present.

Cross-reference

GeoLocs profile → · May 26 weekly sync →

MissedVPNComplianceUX / messaging

GeoLocs / mkodo at OLG (Ontario): VPN-from-Ontario allowed when location services are on; Netherlands VPN only blocked on re-entry, no user-facing error

GeoLocsOLG (Ontario Lottery & Gaming)
geolocsmkodoolgvpnontario

Source. May 26, 2026 weekly sync.
Ticket. CIV-52: Ontario — mkodo / GeoLocs — Compliance Failures & Retest (Casumo, High Flyer, OLG).

What we tested

Two VPN scenarios against the OLG (Ontario Lottery and Gaming) web app, geolocated by GeoLocs / mkodo:

  1. Ontario-based VPN — exit-node inside the licensed jurisdiction.
  2. Netherlands-based VPN — out-of-jurisdiction exit node.

In both cases device location services were left active so the system had a real GPS signal alongside the VPN IP.

What happened

  • Ontario-based VPN was authorised when location services remained active. Unrestricted gameplay and wagering were permitted — the VPN itself was not flagged.
  • Netherlands-based VPN did not trigger any immediate session termination. The user was able to keep playing.
  • Detection only fired on re-entry — when the user exited a game and tried to come back in, the system finally prohibited access.
  • No explanatory error notification was shown to the user at the point of block. Silent failure on a compliance event.

Why it matters

Two distinct failure modes in one test:

  1. VPN-tolerance when device GPS agrees. A VPN with an in-state exit-node is fine, even though VPN-detection is a normal column of any modern compliance stack. Anyone wanting to obscure their network identity inside Ontario faces no friction.
  2. Late, silent block on out-of-state VPN. The system does eventually detect the Netherlands VPN, but only at a session boundary — and tells the user nothing. From the user's perspective the platform "just stopped working."

This combines into a UX-and-compliance double failure: the wrong thing is allowed, the right thing is detected too late, and the user is never told what happened.

Cross-reference

GeoLocs profile → · May 26 weekly sync →

MissedVPNFake GPS appEmulator

High Flyer Casino TN: location spoofing succeeds on iOS + Android — bets placed from outside Tennessee, blocks only enforced at game level

GeoLocsHigh Flyer Casino
geolocsmkodohighflyer-tniosandroid

Source. May 26, 2026 weekly sync.
Ticket. CIV-52: Ontario — mkodo / GeoLocs — Compliance Failures & Retest (Casumo, High Flyer, OLG).

What we tested

Whether High Flyer Casino (Tennessee) could be accessed and wagered on from outside the licensed state using common consumer-grade spoofing combinations:

  • iOS — Safari + iAnyGo location-spoofing tool + VPN.
  • Android — equivalent setup.
  • iOS Emulator — for comparison against the native iOS path.

What happened

  • iOS path succeeded. Bets placed from outside Tennessee with no website-level block.
  • Android path succeeded. Same outcome.
  • iOS Emulator test produced identical results to native Android — the platform does not differentiate the emulated environment.
  • Some individual games returned location errors — but this enforcement comes from the game providers themselves, not from the sportsbook integration. Coverage is therefore inconsistent and per-title rather than per-jurisdiction.

Why it matters

The geolocation controls at the platform level are effectively absent for this operator on the most common consumer spoofing toolchain (VPN + commodity iOS spoofer). When detection does fire, it fires from game providers rather than from the operator's compliance layer — meaning enforcement depends on which game the user happens to open, not on a coherent jurisdictional decision.

Cross-reference

GeoLocs profile → · May 26 weekly sync →