One post tagged with "replay-attack"

Missed · Compliance · MITM / replay

RobinHood (TN, prediction markets): no device-level geolocation — IP-only, trivially bypassed

Robinhood (Prediction Markets)
robinhood · replay-attack · ip-only · prediction-markets

What we tested. RobinHood Tennessee prediction-markets product. Internal ticket CIV-60: RobinHood - RAT. Replay-attack test cycle (May 11 weekly).

What happened. No device-level geolocation in place. RobinHood relies solely on IP address to verify player location. Basic location-spoofing tools went undetected. A player can bypass all location restrictions without any sophisticated technical knowledge.

Why it matters. This is not a geo vendor finding — RobinHood is not using a geolocation product. It falls significantly short of regulated gaming standards and represents a meaningful compliance exposure. Worth tracking as a competitive opportunity (RobinHood prediction markets is a greenfield for a real geo product) and as context when evaluating competitor footprints in prediction markets (Kalshi, Polymarket are also in Locance's expansion list).

Cross-reference, same test cycle. Bet365 TN (Radar) replay-attack: network-level attacks fully blocked. Minor visibility gap in the verification flow but not exploitable in practice — no compliance risk.
