Skip to main content

Competitive Intelligence โ€” Weekly Sync

๐Ÿ“… Week 8 โ€” May 19, 2026 ยท โฑ 30 minutes ยท ๐Ÿ‘ฅ Weekly cadence

Agendaโ€‹

#Topic
1Competitive and Client Testing โ€” Key Findings
2Competitive Research โ€” Key Findings
3Win/Loss โ€” Competitive Win-Backs (Salesforce)
4Social Media โ€” Key Findings
5What's Next โ€” Open Planning

1 ยท Competitive and Client Testing (Julia) โ€” Key Findingsโ€‹

Confirmed compliance vulnerabilities โ€” GPS Simulator bypassโ€‹

  • โœ— Bet365 MI (Radar) โ€” GPS simulator bypass, re-entry restriction not re-applied
    Hardware GPS simulator accessory spoofed the tester's physical location. After an initial login error, a second login attempt succeeded with no further location checks enforced. Real-money bets placed from Tennessee on the MI casino. Restriction not re-applied on re-entry โ€” repeatable compliance gap.
    ๐ŸŽซ CIV-48 โ€” Test Fake Location using GPS Simulator Accessory on Competitor Apps
  • โœ— RSI BetRivers TN (XPoint) โ€” GPS simulator fully undetected
    Hardware GPS simulator went fully undetected. Tester logged into the Michigan app from Tennessee and played a casino game with no errors or restrictions triggered.
    ๐ŸŽซ CIV-48

Confirmed compliance vulnerabilities โ€” Remote Desktop undetectedโ€‹

  • โœ— Bet365 NJ (Radar) โ€” Tailscale + RealVNC undetected for 25+ minutes
    Mac remotely controlled an Android device on a separate network via Tailscale + RealVNC. Tester placed bets continuously for over 25 minutes with no interruptions, timeouts, or restrictions. Radar's geolocation checks did not detect the remote session at any point.
    ๐ŸŽซ CIV-69 โ€” Bet365 NJ โ€” RDP Testing on Android
  • โœ— RSI BetRivers NJ (XPoint) โ€” Tailscale RDP fails detection, inconsistent when it triggers
    XPoint fails to detect Tailscale-based remote access in most cases, allowing bets from a physically separate location. When detection did occur it was inconsistent and easily bypassed by logging out and back in. Two attack methods confirmed โ€” one requiring brief one-time approval, one fully unattended.
    ๐ŸŽซ CIV-73 โ€” BetRivers NJ โ€” RDP via macOS

Confirmed compliance vulnerability โ€” Resigned iOS appโ€‹

  • โœ— Bet Saracen AR (Radar) โ€” modified ("resigned") iOS app placed bets from Michigan
    A modified version of the Bet Saracen iOS app โ€” altered to remove Apple's integrity protections โ€” was used to place bets remotely from Michigan with no issues. The same account on the unmodified app was correctly blocked. Direct fraud and compliance risk: bad actors can use modified apps to bet from any location.
    ๐ŸŽซ CIV-44 โ€” Saracen Arkansas โ€” Radar: verify the wagering experience for static connection closer to the border

Confirmed compliance vulnerabilities โ€” Fanatics TN (OpenBet Locator)โ€‹

DraftKings DFS NJ (Radar) โ€” full integration validation resultsโ€‹

  • โœ— DraftKings DFS NJ (Radar) โ€” RDP inconsistent, cross-border lag, generic UX
    Full validation of the post-migration integration:
    • RDP detection: inconsistent. Zoom and AnyDesk NOT detected during active remote sessions. TeamViewer blocked in initial testing (May 8) but went undetected in two retests on May 13โ€“14 โ€” unreliable detection behaviour.
    • Cross-border session lag: ~100โ€“150m past the PAโ†’NJ state border (vs GeoComply's 2โ€“5m range). Users entering NJ without a prior PA session were unaffected โ€” points to a session-state issue on the provider side.
    • Generic error messaging. Both RDP detection and cross-border blocking surface a generic "Account Locked" message with no user guidance.
      ๐ŸŽซ CIV-65 โ€” DraftKings DFS โ€” validate the competitor's integration

Unsuccessful spoofing methods (positive results)โ€‹

Man-in-the-Middle attack testingโ€‹

  • โœ“ RobinHood TN โ€” SSL certificate pinning blocks network interception on iOS + Android
    Charles Proxy was unable to capture any geolocation-related traffic on iOS. On Android, mitmproxy produced a TLS handshake failure, rendering the app unusable for interception. Note: RobinHood does not use a device-level geolocation SDK โ€” location verification is IP-based only. While MITM protection is in place, the overall compliance posture remains significantly weaker than SDK-based solutions.
    ๐ŸŽซ CIV-60 โ€” RobinHood โ€” RAT

2 ยท Competitive Research (Valeria) โ€” Key Findingsโ€‹

Placeholder โ€” Valeria to add.


3 ยท End-user Feedback (Valeria) โ€” Key Findingsโ€‹

๐Ÿ“Š Full dataset: Social Media Competitive Signals ยท Reddit + X/Twitter public posts. Monitoring initiated March 2026.

Placeholder โ€” Valeria to add.


4 ยท What's Next โ€” Plan for Next Weekโ€‹

Field Testingโ€‹

  • Bet365 NJ (Radar) โ€” full validation following the confirmed RDP gap
  • Fanatics TN (OpenBet Locator) โ€” Rooted Android / Hidden Root, Jailbroken iOS โ€” all test accounts blocked (verify scope)
  • Alberta launch โ€” test competitors on the market (GeoLocs / Mkodo)
  • Saracen AR (Radar) โ€” RAT (?), RDP

Betting Heroโ€‹

  • Bet365 MI โ€” full Radar / XPoint integration research
  • Fanatics MI (OpenBet Locator) โ€” RDP retest, VMOS (needs training of the BH team)
  • P0 โ€” Saracen AR (Radar Verify app, retest) โ€” conduct full competitor validation

Integrations teamโ€‹

  • TBD

All findings this weekโ€‹

Competitor profilesโ€‹

Radar โ†’ ยท Xpoint โ†’ ยท OpenBet โ†’ ยท GeoLocs โ†’ ยท Locance โ†’