iGaming Weekly Digest: 01/21- US iCasino Records, Prediction-Market Court Clashes, and Identity-Layer Attacks

This week’s iGaming landscape is being shaped by three forces moving fast at once: US iCasino demand hitting new highs, regulatory lines tightening (especially around sweepstakes and prediction markets), and a security environment where identity and access are the first battlefield. Record revenue in core states reinforces where the growth is most durable, while lawmakers and courts push (and pull) on what counts as gambling, what belongs under sports betting regulators, and what sits in a gray zone. At the same time, the pre- ICE 2026 conversation is shifting from “new tech” to “operational trust” — particularly around AI and fraud economics.

Trends & Analytics

1. Pennsylvania sets an iCasino revenue record in December (~$260M).
   Record-setting online casino performance reinforces the “iCasino-first” growth story in core US states. Source: iGaming Business — Pennsylvania sets iGaming revenue record in December
2. Alberta’s open iGaming framework signals market-entry momentum for 2026. Alberta continues laying the groundwork for an Ontario-style competitive market, driving renewed B2B/B2C attention. Source: iGaming Business — Alberta iGaming framework in place for 2026 launch
3. Paraguay posts $32.6M in 2025 gambling revenue after market liberalisation. Early post-liberalisation results underline LatAm growth potential beyond the “big two” markets. Source: iGaming Business — Paraguay gambling generated $32.6 million in 2025 amid market liberalisation
4. ICE Barcelona theme: building trust in AI as iGaming shifts from pilots to operations. Industry leaders focus on adoption blockers (transparency, training, controllability) as AI becomes “core infrastructure.” Source: iGaming Business — Building trust in AI through no-code adoption and user confidence

Law & Regulation

1. Massachusetts judge blocks Kalshi sports prediction markets in the state. A major state-level ruling escalates the legal boundary fight between prediction contracts and regulated sports wagering. Source: Reuters — Kalshi cannot operate sports-prediction market in Massachusetts, judge rules
2. US 2026 bill wave: sweepstakes bans, tax hikes, and sports betting reforms. Legislatures open with broad gambling reform agendas—microbetting limits and ad rules included alongside sweeps crackdowns. Source: iGaming Business — US gambling legislation roundup: sweeps bans, tax hikes and sports betting reforms
3. Georgia sports betting bill returns again for 2026. HB 910 is refiled under lottery oversight with a proposed tax framework—still facing steep political hurdles. Source: iGaming Business — Georgia sports betting bill returns despite dim 2026 prospects
4. ECJ ruling could reshape cross-border player-loss litigation dynamics in Europe. The decision strengthens reliance on local gambling laws—potentially impacting Malta’s contested legal shields and EU operator exposure. Source: iGaming Business — ECJ rules local gambling laws reign in Austrian player losses case
5. Dutch regulator sets 2026 agenda to intensify crackdown on illegal gambling. KSA signals tougher enforcement posture and deeper collaboration—pressure rises on black-market channels and compliance expectations. Source: iGaming Business — Dutch regulator to ‘intensify’ crackdown on illegal gambling

Hacks & Data Breaches

1. ConsentFix: new OAuth-consent phishing technique detailed. Impact on iGaming: admin/affiliate/CRM dashboards tied to Microsoft identities are prime targets for consent-based takeover flows. Source: BleepingComputer — ConsentFix debrief: Insights from the new OAuth phishing attack
2. Grubhub confirms breach and extortion pressure. Impact on iGaming: extortion playbooks and data-theft leverage are increasingly reused across consumer platforms and fintech-adjacent vendors. Source: BleepingComputer — Grubhub confirms hackers stole data in recent security breach
3. CIRO confirms breach scope affecting ~750,000 Canadian investors (post-forensics). Impact on iGaming: large identity datasets amplify phishing/ATO risk—especially for VIPs, payments, and KYC workflows. Source: BleepingComputer — CIRO breach exposed info on 750,000 Canadian investors
4. WordPress plugin bug could grant admin access across tens of thousands of sites. Impact on iGaming: affiliate sites, landing pages, and promo microsites are frequent WP targets—compromise can enable traffic hijack and malware delivery. Source: BleepingComputer — ACF plugin bug gives hackers admin on 50,000 WordPress sites
5. GitLab patches high-severity 2FA bypass. Impact on iGaming: CI/CD compromise can cascade into production tampering, data exposure, or supply-chain style incidents. Source: BleepingComputer — GitLab warns of high-severity 2FA bypass flaws

Final Words

Net-net: the winners in 2026 will be the operators who pair regulated-market scale with defensible operations—clear compliance posture, disciplined identity/access controls, and rapid response to vulnerabilities and vendor risk. If you want a practical, operator-focused view of where your exposure is highest (payments/KYC flows, affiliate tooling, admin panels, CRM/third parties, and front-end frameworks), ONSEC can help. We’re a boutique penetration testing team with 15+ years of experience and 500+ projects delivered globally—specialized in iGaming and modern web/API attack surfaces. If you’d like to sanity-check your 2026 security priorities, book a short call with us: