Radar / Wind Creek Casino Online PA: iOS RDP, DroidVNC + Tailscale, and Android VPN undetected (results June 19)
Source. June 23, 2026 weekly sync.
Ticket. CIV-91: Wind Creek Bethlehem PA — environment compliance updates.
What we tested
Full integration testing of Wind Creek Casino Online PA (Radar) across iOS, Android, and browser. Results delivered June 19.
What happened
| Test | Result | Detail |
|---|---|---|
| RDP — iOS FaceTime & iPhone Mirroring | ✗ Non-compliant | Not detected. User outside PA (TN) remotely controls an in-state iPhone and places bets. In-state user must log in first; remote user controls the screen from there. |
| RDP — Android DroidVNC + Tailscale | ✗ Non-compliant | Not detected. Remote user in an excluded state places bets on a PA Android device using DroidVNC and Tailscale together. |
| VPN — Android (Turbo VPN) | ✗ Non-compliant | Not detected on Android. User logged in, placed bets, and played casino with VPN active. |
| VPN — iOS | ✓ Compliant | VPN detected at login and mid-session. |
| RDP — Android (TeamViewer, AnyDesk, HopToDesk) | ✓ Compliant | Detected at login or interval check. |
| Fake location — Android (FLA) | ✓ Compliant | Detected before and during a gaming session. |
| Cross-border into exclusion state | ✓ Compliant | User fails geolocation at or just past the border (~90 m buffer). |
| Rooted Android + mocked location | ⚠️ Compliant* | User fails for mock location / jurisdiction errors. Root itself not detected, but mocked location is caught. With GPS JoyStick the failure took longer — suggesting IP mismatch or low confidence score rather than direct root detection. |
UX issues — new user flow & deposit
Operator-side friction observed during the same test cycle (not Radar detection failures, but worth tracking):
- Android Galaxy S16 deposit loop: debit card deposit failed and sent the user into a loop — account flagged for Wind Creek approval with no timeline and no clear prompt. User attempted 3 times before abandoning.
- ID verification false positive: notification asked user to close any app using the camera (triggered by screen recording). User bypassed by restarting the app — screen recording continued undetected.
- No autofill for address, phone, or email on either platform.
- Deposit methods limited to PayPal, Venmo, and debit card only.
Why it matters
Three undetected vectors on the same Radar deployment while the "standard toolkit" checks pass — native iOS screen sharing, Android DroidVNC + Tailscale, and Android VPN. The compliant iOS VPN handling directly contrasts with the undetected iOS RDP gap.
Cross-reference
- BetRivers PA (XPoint) — advanced spoofing review (June 23, CIV-88) — parallel Pennsylvania operator testing.
- Underdog DFS (Radar) — Tailscale undetected (June 2, CIV-81).