Competitive Intelligence โ Weekly Sync
๐ Week 8 โ May 19, 2026 ยท โฑ 30 minutes ยท ๐ฅ Weekly cadence
Agendaโ
| # | Topic |
|---|---|
| 1 | Competitive and Client Testing โ Key Findings |
| 2 | Competitive Research โ Key Findings |
| 3 | Win/Loss โ Competitive Win-Backs (Salesforce) |
| 4 | Social Media โ Key Findings |
| 5 | What's Next โ Open Planning |
1 ยท Competitive and Client Testing (Julia) โ Key Findingsโ
Confirmed compliance vulnerabilities โ GPS Simulator bypassโ
- โ Bet365 MI (Radar) โ GPS simulator bypass, re-entry restriction not re-applied
Hardware GPS simulator accessory spoofed the tester's physical location. After an initial login error, a second login attempt succeeded with no further location checks enforced. Real-money bets placed from Tennessee on the MI casino. Restriction not re-applied on re-entry โ repeatable compliance gap.
๐ซ CIV-48 โ Test Fake Location using GPS Simulator Accessory on Competitor Apps - โ RSI BetRivers TN (XPoint) โ GPS simulator fully undetected
Hardware GPS simulator went fully undetected. Tester logged into the Michigan app from Tennessee and played a casino game with no errors or restrictions triggered.
๐ซ CIV-48
Confirmed compliance vulnerabilities โ Remote Desktop undetectedโ
- โ Bet365 NJ (Radar) โ Tailscale + RealVNC undetected for 25+ minutes
Mac remotely controlled an Android device on a separate network via Tailscale + RealVNC. Tester placed bets continuously for over 25 minutes with no interruptions, timeouts, or restrictions. Radar's geolocation checks did not detect the remote session at any point.
๐ซ CIV-69 โ Bet365 NJ โ RDP Testing on Android - โ RSI BetRivers NJ (XPoint) โ Tailscale RDP fails detection, inconsistent when it triggers
XPoint fails to detect Tailscale-based remote access in most cases, allowing bets from a physically separate location. When detection did occur it was inconsistent and easily bypassed by logging out and back in. Two attack methods confirmed โ one requiring brief one-time approval, one fully unattended.
๐ซ CIV-73 โ BetRivers NJ โ RDP via macOS
Confirmed compliance vulnerability โ Resigned iOS appโ
- โ Bet Saracen AR (Radar) โ modified ("resigned") iOS app placed bets from Michigan
A modified version of the Bet Saracen iOS app โ altered to remove Apple's integrity protections โ was used to place bets remotely from Michigan with no issues. The same account on the unmodified app was correctly blocked. Direct fraud and compliance risk: bad actors can use modified apps to bet from any location.
๐ซ CIV-44 โ Saracen Arkansas โ Radar: verify the wagering experience for static connection closer to the border
Confirmed compliance vulnerabilities โ Fanatics TN (OpenBet Locator)โ
- โ Fanatics TN (OpenBet) โ border accuracy gap, WV session maintained 10m inside Virginia (iOS)
Close-to-border testing on iOS: active West Virginia casino game session was maintained consistently while standing 10m inside the Virginia border. Not reproduced on Android. Meaningful risk where homes or businesses sit directly on the state line.
๐ซ CIV-59 โ Fanatics โ OpenBet Locator | adv spoofing - โ Fanatics TN (OpenBet) โ TeamViewer screen mirroring undetected (NY โ TN bets placed)
A tester in New York placed bets on the Tennessee platform via TeamViewer screen mirroring. FaceTime RDP was detected and blocked correctly โ TeamViewer was not.
๐ซ CIV-59
DraftKings DFS NJ (Radar) โ full integration validation resultsโ
- โ DraftKings DFS NJ (Radar) โ RDP inconsistent, cross-border lag, generic UX
Full validation of the post-migration integration:- RDP detection: inconsistent. Zoom and AnyDesk NOT detected during active remote sessions. TeamViewer blocked in initial testing (May 8) but went undetected in two retests on May 13โ14 โ unreliable detection behaviour.
- Cross-border session lag: ~100โ150m past the PAโNJ state border (vs GeoComply's 2โ5m range). Users entering NJ without a prior PA session were unaffected โ points to a session-state issue on the provider side.
- Generic error messaging. Both RDP detection and cross-border blocking surface a generic "Account Locked" message with no user guidance.
๐ซ CIV-65 โ DraftKings DFS โ validate the competitor's integration
Unsuccessful spoofing methods (positive results)โ
- โ iOS PlayCover sideloading blocked at Bet365 MI (Radar) and Fanatics TN (OpenBet)
Desktop-based emulation of iOS via PlayCover successfully blocked at the login stage on both platforms. No geolocation bypass possible.
๐ซ CIV-48 ยท CIV-61 โ iOS โ spoofing testing with PlayCover tool - โ Fanatics TN (OpenBet) โ GPS simulator detected with specific error message
GPS simulator triggered a clear, specific error: "Your location has abruptly changed. Please disable apps that alter your device's location and retry." Notably more informative than the generic messaging seen at other operators.
๐ซ CIV-48 - โ Fanatics NJ (OpenBet) โ droidVNC-NG RDP immediately blocked and named in the error message
RDP via droidVNC-NG on Android, controlled by RealVNC Viewer over Tailscale, was immediately blocked. The error message explicitly named the remote-control application in use.
๐ซ CIV-70 โ BetFanatics โ RDP Testing on Android via DroidVNC - โ Bet Saracen AR (Radar) โ Oxylabs residential proxy + Location Guard extension combo blocked
Residential proxy (Oxylabs) combined with Location Guard browser extension, both pointing to an in-state Arkansas address, was still detected as out-of-state.STATE_NOT_ALLOWEDerror returned. Browser-level spoofing tools are insufficient to bypass the network-level check at this operator.
๐ซ CIV-44
Man-in-the-Middle attack testingโ
- โ RobinHood TN โ SSL certificate pinning blocks network interception on iOS + Android
Charles Proxy was unable to capture any geolocation-related traffic on iOS. On Android, mitmproxy produced a TLS handshake failure, rendering the app unusable for interception. Note: RobinHood does not use a device-level geolocation SDK โ location verification is IP-based only. While MITM protection is in place, the overall compliance posture remains significantly weaker than SDK-based solutions.
๐ซ CIV-60 โ RobinHood โ RAT
2 ยท Competitive Research (Valeria) โ Key Findingsโ
Placeholder โ Valeria to add.
3 ยท End-user Feedback (Valeria) โ Key Findingsโ
๐ Full dataset: Social Media Competitive Signals ยท Reddit + X/Twitter public posts. Monitoring initiated March 2026.
Placeholder โ Valeria to add.
4 ยท What's Next โ Plan for Next Weekโ
Field Testingโ
- Bet365 NJ (Radar) โ full validation following the confirmed RDP gap
- Fanatics TN (OpenBet Locator) โ Rooted Android / Hidden Root, Jailbroken iOS โ all test accounts blocked (verify scope)
- Alberta launch โ test competitors on the market (GeoLocs / Mkodo)
- Saracen AR (Radar) โ RAT (?), RDP
Betting Heroโ
- Bet365 MI โ full Radar / XPoint integration research
- Fanatics MI (OpenBet Locator) โ RDP retest, VMOS (needs training of the BH team)
- P0 โ Saracen AR (Radar Verify app, retest) โ conduct full competitor validation
Integrations teamโ
- TBD
All findings this weekโ
- Bet365 MI (Radar): GPS simulator bypass (FAIL)
- RSI BetRivers TN (XPoint): GPS simulator undetected (FAIL)
- Bet365 NJ (Radar): Tailscale + RealVNC RDP undetected (FAIL)
- RSI BetRivers NJ (XPoint): Tailscale RDP inconsistent (FAIL)
- Bet Saracen AR (Radar): resigned iOS app placed bets from MI (FAIL)
- Fanatics TN (OpenBet): border accuracy gap, WV session 10m into Virginia (FAIL)
- Fanatics TN (OpenBet): TeamViewer screen mirroring undetected (FAIL)
- DraftKings DFS NJ (Radar): RDP inconsistent + cross-border lag + generic UX (FAIL)
- Cross-operator: PlayCover blocked at Bet365 MI + Fanatics TN (PASS)
- Fanatics TN (OpenBet): GPS simulator detected with specific UX (PASS)
- Fanatics NJ (OpenBet): droidVNC-NG RDP blocked and named (PASS)
- Bet Saracen AR (Radar): Oxylabs + Location Guard combination blocked (PASS)
- RobinHood TN: SSL cert pinning blocks MITM on iOS + Android (PASS)
Competitor profilesโ
Radar โ ยท Xpoint โ ยท OpenBet โ ยท GeoLocs โ ยท Locance โ