
In January 2025, Brazil implemented a sweeping overhaul of its online gambling regulations in an effort to reduce fraud, tax evasion, money laundering, and harmful advertising practices in the market.
These are not cosmetic changes — betting companies must implement a host of strict anti-fraud measures, including provisions that require companies to frequently verify the physical location of active user devices and block users attempting to place bets through VPNs or proxy servers. What’s behind these changes, and how can businesses meet these compliance challenges?
Making online gambling safer in Brazil
The rules come in response to rising public concern over the lack of regulation governing online gambling since Brazil legalized it in 2018. Government estimates show that 52 million Brazilians have started wagering online since then, making it the third-largest sports betting market in the world. The Macao News described the market prior to the new rules as a “Wild West” rife with illegal activity and exploitative practices, including fraud and money laundering.
To show how serious it is about the new measures, in October 2024, the government shut down more than 2,000 gambling websites owned by companies that had not yet started an application for a license. As of January 1, 2025, when the new law entered into force, only 14 companies had fully met the new requirements. It’s not hard to see why — the new compliance regime is a tall order.
Broadly speaking, the new Know Your Customer (KYC) rules require companies to:
- Verify users’ identities with facial recognition and ID documents, and perform checks against Brazil’s taxpayer registry and lists of politically exposed persons (PEPs).
- Verify that players are physically in Brazil and where they say they are, both to guarantee that taxes are paid on winnings and to help prevent unauthorized access to accounts.
The rest of this article covers the second part, which deals with verifying location and detecting the kinds of compromised devices that facilitate unauthorized account access.
Block visitors who spoof their location
These KYC processes will be familiar to those who understand banking regulations, but there’s another that is novel to many: verifying physical location.
Under these new rules, betting companies must implement a verification system that checks a user’s location not only prior to making a first bet after login, but again every 30 minutes. They need a robust system that can detect VPNs and location-obscuring tactics such as remote desktop software, rootkits, or proxies. Verification systems must be able to identify when a user makes an impossible location change given the time span between checks and then block attempts to place bets when a suspicious location change is detected.
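The impossible-location-change rule above can be enforced as a gate in front of bet placement. The following is an added example, not code from Fingerprint or from the regulation; the record fields, the speed threshold, and the geolocation tolerance are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

RECHECK_SECONDS = 30 * 60   # re-verification interval stated in the rules
MAX_SPEED_KMH = 900.0       # assumption: about airliner cruise speed
GEO_TOLERANCE_KM = 50.0     # assumption: slack for city-level IP geolocation error
ALLOWED_COUNTRY = "BR"

@dataclass
class LocationCheck:
    ts: float      # Unix time of the check, in seconds
    lat: float
    lon: float
    country: str   # ISO 3166-1 alpha-2 code from geolocation
    vpn: bool      # verdict from whatever VPN/proxy detection is in use

def haversine_km(a: LocationCheck, b: LocationCheck) -> float:
    """Great-circle distance between two checks, in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def bet_decision(prev: Optional[LocationCheck], cur: LocationCheck, now: float) -> Tuple[bool, str]:
    """Decide whether a bet placed at `now` may proceed; returns (allowed, reason)."""
    if now - cur.ts > RECHECK_SECONDS:
        return False, "stale_location"      # force a fresh check before betting
    if cur.vpn:
        return False, "vpn_or_proxy"
    if cur.country != ALLOWED_COUNTRY:
        return False, "outside_brazil"
    if prev is not None:
        dist = haversine_km(prev, cur)
        hours = max(cur.ts - prev.ts, 1.0) / 3600.0   # avoid division by zero
        if dist > GEO_TOLERANCE_KM and dist / hours > MAX_SPEED_KMH:
            return False, "impossible_travel"
    return True, "ok"

# Constructed sample checks (coordinates are approximate city centres).
sao_paulo = LocationCheck(0, -23.55, -46.63, "BR", False)
campinas = LocationCheck(1800, -22.91, -47.06, "BR", False)
manaus = LocationCheck(1800, -3.12, -60.02, "BR", False)

if __name__ == "__main__":
    print(bet_decision(sao_paulo, campinas, 1900))   # plausible move
    print(bet_decision(sao_paulo, manaus, 1900))     # ~2,700 km in 30 minutes
```

The tolerance keeps small jumps in city-level IP geolocation from triggering blocks; tune both thresholds against your own false-positive data.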
Block jailbroken and rooted devices
Companies must also gather information that indicates whether a user’s mobile device has been tampered with on a fundamental level through rooting or jailbreaking. Fraudsters use these types of devices to spoof location, conduct man-in-the-middle (MitM) attacks, and spread malware, so the rules require you to detect and block these devices. Jailbroken devices pose many cybersecurity risks, so it’s a good idea to keep them away from your users and systems regardless.
So, how do you go about doing all this tracking?
Many security signals, one platform
Device intelligence is a method that identifies users by utilizing device fingerprinting as the foundational technique alongside other methods like VPN detection and IP geolocation. Together, they provide the location-based visitor information required to comply with the gambling law. Specifically, Fingerprint’s IP Geolocation Smart Signal provides geolocation data for each user.
Fingerprint generates a unique identifier, regardless of browser, location, or device type. This visitor identifier remains consistent over months and even years, ensuring a highly accurate visitor location history.
Spot location spoofing in real time
Fingerprint’s Smart Signals help you determine the location of a user in real time with tools for detecting the actual location of an IP address. These signals include:
- IP Geolocation (browser and mobile): The law requires you to log user IP addresses every time a device connects to your site and every 30 minutes thereafter. It also requires you to provide details about the user’s location. Fingerprint offers multiple techniques to determine a visitor’s true IP address, even when they try to spoof with anonymizing tools. The IP Geolocation Smart Signal includes information about a user’s estimated physical location, including city, country, time zone, and their ISP.
- VPN Detection (browser and mobile): To block any attempts to connect to the betting network with a VPN or proxy service, this Smart Signal evaluates information such as mismatched time zones, operating system settings, and connections from known VPN providers to provide a simple Boolean (i.e., a yes or no response) as to whether a VPN is in use, along with a confidence score.
- Remote Tools Detection (browser only): Your system is required to detect these types of attempts and block them before a bet is placed, again to ensure that bettors are where they say they are. This tool allows you to detect when a user tries to access the network via apps such as AnyDesk, TeamViewer, and RDP.
Fingerprint also tells you whether a mobile device has been rooted or jailbroken, which may be an indicator that the device is being used for fraudulent activity.
Fingerprint provides all these real-time signals with industry-leading accuracy, and you can use the data we provide to configure your systems to automatically block these potentially suspicious devices when they’re detected or flag them for review.
Additionally, Fingerprint is compliant with global privacy and data regulations such as CCPA and GDPR, and it works well alongside digital identity verification platforms to provide an additional layer of security without compromising user experience.
Build a trusted, compliant platform
Despite the complicated rules, Brazil’s market growth in online betting makes it an attractive prospect. A report from the International Betting Integrity Association predicts sports betting turnover in Brazil will reach $34 billion by 2028, and other countries, including Argentina, are implementing similar regulations. Companies that do the work to build robust anti-fraud tech stacks for online betting operations will have a compliance (and competitive) advantage when entering new markets. Fingerprint can help satisfy regulators and bolster trust in your platform by making sure your users are who they say they are.
FAQ
Nope! Fingerprint can be integrated into your tech stack within hours.
Fingerprint's device intelligence platform collects 100+ browser and device signals, including IP address, to create a unique and stable visitor ID for your website and mobile app visitors. We do not collect information on the person using the browser or device, such as their name or email address.