Welcome to this week’s edition of ONSEC iGaming News Weekly Digest, brought to you by the ONSEC team.
The past week underscores how iGaming continues to balance rapid growth with mounting risks. In Europe, the Netherlands is grappling with tax hikes and new licence renewal hurdles, while Sweden faces a troubling slide in channelisation and the UK tightens oversight of social media ads. On the business front, operators like Rivalry and DraftKings are showing the rewards of leaner, data-driven models, and Cyprus is rising as a hub for platform innovation. Yet the Bragg Gaming cyberattack reminds us of the systemic vulnerabilities in the B2B supply chain—an incident with implications far beyond one provider. As ever, the industry stands at the crossroads of compliance, competition, and cybersecurity.
Trends and Analytics
- Underdog Enters Sports Prediction Markets with CFTC-Registered Partner. Fantasy sports and betting platform Underdog is launching CFTC-regulated sports prediction markets in partnership with Crypto.com Derivatives North America (CDNA), becoming the first company to offer fantasy, betting, and prediction contracts in a single app. Unlike traditional sports wagers, users buy tradeable contracts that pay out if a prediction comes true—creating a new, federally regulated alternative in states where sports betting remains illegal, like California and Texas. The move positions Underdog at the forefront of the event trading trend, as major players like FanDuel and DraftKings explore similar paths. However, the model faces scrutiny: state regulators like Ohio’s Casino Control Commission have already warned that such offerings may still fall under local sports betting laws, complicating legal clarity in a rapidly evolving space. Source: IGB
- Cyprus Solidifies Its Role as a Global iGaming Tech Hub. Cyprus has become a key player in the iGaming software space, with local vendors powering major global platforms through fast, modular, and compliance-ready technology. Companies like NuxGame are helping operators launch faster across markets with built-in KYC, AML, crypto support, and scalable infrastructure.Thanks to a strong developer pipeline, close-knit collaboration across teams, and a clear regulatory environment, Cyprus is now known not just for innovation — but for building platforms that are secure, flexible, and ready for global scale. Source: Impact Wealth
- SharpSports and Pine Sports Merge to Blend B2B Data with AI-Powered Betting Tools. Startups SharpSports and Pine Sports have merged, combining SharpSports’ backend infrastructure with Pine’s consumer-facing AI betting assistant, jaXon. The deal aims to accelerate product development and feedback loops by enabling SharpSports to iterate directly with Pine’s 60,000‑subscriber audience and 10,000+ Discord users. Pine’s jaXon, an LLM-based sports betting companion, will now benefit from Sharp’s professional-grade data and athlete-led advisory team (including Marshawn Lynch and Steve Smith Sr.). Meanwhile, Sharp gains a direct B2C feedback channel to refine new tools—like upcoming NFL analytics and white-labeled AI interfaces—before rolling them out to enterprise partners. The NFL season will serve as the merged entity’s proving ground, with both teams targeting casual and professional bettors through a hybrid strategy blending AI, analytics, and athlete-backed distribution. Source: Next
- Rivalry Reports Leaner Growth and Record Player Monetization in Q2. Toronto-based esports betting firm Rivalry posted a 59% smaller net loss in Q2 2025 (C$2.2M), driven by a leaner operating model and sharper focus on player value. Operating expenses dropped 62% YoY to C$3.6M, while net revenue rose 24% from Q1 despite flat marketing spend. CEO Steven Salz credits a 2024 overhaul—including product revamp, layoffs, and rebranding—for the turnaround. The company reported record net revenue per player, 49% quarter-over-quarter growth in monetization, and a 1.5-month payback period on acquisition costs. A strategic review is still underway, with Rivalry exploring options to scale from this newly optimized base. Source: Next
- Elantil Adds Tier-One Sportsbook FIRST to Its MarketplacePlatform provider Elantil has integrated FIRST, a top-tier sportsbook solution known for maximizing operator lifetime value through proprietary tech and in-house trading expertise.The integration gives Elantil’s operator clients direct access to FIRST’s premium sportsbook stack—designed for scalability, localization, and independence from legacy providers. Elantil CTO John Debono called the move a natural fit, citing shared values around innovation and operator-first design. FIRST CEO Tom Light emphasized the collaboration as a way to help ambitious brands unlock their full competitive potential through a modular, performance-driven architecture. Sourse: Next
Law and Regulation
- Sweden’s Channelisation Rate Falls to 85%; Online Casino a Key Concern. Sweden’s gambling regulator Spelinspektionen reported a 1% drop in channelisation to licensed platforms in 2024, falling to 85%. The situation is worse in online casino, where up to 28% of activity may occur on unlicensed sites. The new study used survey and web traffic data, identifying over 2,000 illegal operators. Players cited better odds as a main reason for choosing unlicensed platforms.Trade body BOS criticized the lack of political action, warning that tight restrictions on licensed operators (like bonus bans) are pushing users underground. Legislative reforms are expected later this month. Source: IGB
- ROGA and RGC Launch Industry-Led RG Certification. On September 2, the Responsible Online Gaming Association (ROGA) and Responsible Gambling Council (RGC) unveiled a new certification program aimed at raising responsible gaming standards across the U.S. iGaming sector. The initiative introduces an independent, data-driven framework that assesses operators on self-exclusion tools, player support, marketing ethics, and staff training. It builds on RGC’s trusted RG Check model, already used globally. ROGA, which represents 90% of the U.S. sports betting market by handle (including FanDuel, DraftKings, BetMGM, and bet365), says the new program reflects a shift from regulatory minimums to industry-driven accountability. Certification will signal to players that platforms are meeting higher transparency and protection standards. Source: Next
- Netherlands to Require ‘Exit Plans’ for Online Gambling Licences. The Dutch gambling regulator KSA will require all online gambling licence applicants—new and renewing—to submit an “exit plan” starting January 1, 2026. This must detail how the operator will responsibly withdraw from the market if they choose not to renew their licence after the initial five-year term. The change coincides with the upcoming October 2026 expiry of the first Dutch iGaming licences, issued when the market opened in 2021. Operators must also submit updated AML/CTF risk analyses and prove they’ve addressed any past compliance issues. KSA warns that failures to comply could result in rejections—even for current licence holders. Source: IGB
- Dutch Gambling Tax Hike Leaves Holland Casino “Vulnerable” Despite H1 Gains. Holland Casino CFO Ruud Bergervoet warned that the upcoming January 2026 tax hike to 37.8% GGR will place the operator under severe financial strain, despite a profitable first half of 2025. The current rate of 34.2% (up from 30.5%) already added €13.5M in costs, and further increases could erase profits altogether. The operator’s H1 profit of €14.2M was largely boosted by €11.4M in one-time real estate sales and €30M in cost cuts. Without these, profits would have dipped sharply. Meanwhile, online revenue declined due to new deposit limits introduced in October 2024 (€700/month max, or €300 for ages 18–25). Trade groups also report that the tax hike hasn’t yielded expected revenue gains for the government, creating a €200M shortfall from projections. Source: IGB
- UK Closes Loophole on Overseas Gambling Ads Targeting Social Media. The UK’s Committee of Advertising Practice (CAP) has updated its rules to explicitly cover non-paid social media posts by gambling companies licensed in the UK—even if those operators are based overseas. The Advertising Standards Authority (ASA) now has jurisdiction over all UK-targeted marketing, regardless of company location or domain name. This shift closes a major regulatory gap, previously allowing brands like Bet365, Ladbrokes, and Paddy Power to bypass UK ad rules by posting organic content from offshore accounts. Studies show such posts—often sports-themed or humorous—are especially appealing to underage audiences. Industry stakeholders have until December 1 to submit comments. ASA and CAP say the move will ensure consistency in enforcement and better protect UK consumers, especially children. Source: Next
Hacks and Data Breaches
- Bragg Gaming Group Hit by Cyberattack — Internal Systems Breached; No Player Data Compromised. Bragg Gaming—a B2B provider supplying platforms, casino content, and backend solutions—confirmed it suffered a cybersecurity incident on August 16, discovered early Sunday morning. The breach was confined to its internal systems; no personal or customer data appears to have been accessed, and business operations remained unaffected. The company immediately retained third-party cybersecurity experts to contain the incident and is committed to updating stakeholders as more information becomes available. Impact on iGaming: This incident highlights the systemic risk to the iGaming supply chain, as a successful attack on a B2B provider could disrupt operations for numerous iGaming brands that rely on its services, including major casino companies.
- TransUnion Data Breach Exposes Personal Information of 4.4 Million People. On August 28, 2025, the credit reporting agency TransUnion revealed a data breach stemming from a third-party application compromise. The incident exposed highly sensitive personal records, including full names, Personally Identifiable Information (PII), and Social Security Numbers, impacting 4.4 million individuals. The company is offering credit monitoring and identity theft protection to those affected. Impact on iGaming: The exposure of this sensitive data is a foundational risk to iGaming operators, as it provides the raw material for synthetic identity fraud and account takeovers, which can be used to bypass Know Your Customer (KYC) checks. Source: Security Boulevard
- Widespread Salesforce Supply Chain Attack Affects Cloudflare, Google, and Others. A large-scale supply chain attack orchestrated by the hacking group ShinyHunters successfully compromised corporate Salesforce instances at hundreds of companies, including Cloudflare, Google, and Workday. The intrusion was not a software flaw but a social engineering campaign using voice phishing (vishing) to trick employees into authorizing a malicious application. The stolen data was limited to business contact information and support case data, but security experts warn it can be used for further targeted attacks. Impact on iGaming: This type of supply chain attack and the social engineering methods used pose a direct threat to iGaming, as the stolen business contact data can be used to launch targeted spear-phishing campaigns against an operator’s employees to gain a foothold in the company’s network. Source: Cyber Security Dive
From B2B cyberattacks to shifting tax regimes and stricter advertising rules, the past week shows that iGaming’s future will be shaped as much by resilience and regulation as by innovation. Operators are proving that leaner models and smarter platforms can unlock growth, but every gain is tempered by policy uncertainty and systemic risk. For stakeholders across the value chain, the challenge is clear: build trust, secure infrastructure, and adapt quickly. The markets that succeed will be those that see compliance and security not as costs, but as competitive advantages in a rapidly evolving industry.
Leave a comment