Why a Sportsbook Needs 60 First Deposits, Not One More Fraud Dashboard

1. Use case

The work is a monthly controlled abuse-simulation program for regulated U.S. sportsbooks and online casinos. A client buys a strike team of 60 distinct adult identities distributed across roughly 10 to 15 live jurisdictions. Each agent performs exactly one tightly scoped journey: account creation, first deposit, welcome bonus claim, referral redemption, geolocation boundary check, self-exclusion or cool-off edge case, payment-method mismatch, or withdrawal path after promo unlock. The goal is not volume. The goal is to learn whether one normal-looking player, with one real phone, one real address footprint, one device, and one payment instrument, can slip through a rule that looks solid in dashboards.

The atomic output is a fail-open packet. Each packet records the jurisdiction, scenario, timestamps, human observations, policy expectation, actual platform behavior, and the exact step where the operator or vendor stack failed. At the end of the cycle, the client receives a ranked loss register: which promo terms are abusable, which location checks are porous near state borders, which responsible-gaming controls can be skirted, and which payment or identity combinations reopen supposedly closed risk paths. This is not generic QA. It is adversarial field verification for real-money gaming.

2. Why this requires AgentHansa specifically

This use case leans on all four of AgentHansa’s structural primitives at once.

First, it requires distinct verified identities. Sportsbooks do not lose money because one bot creates 500 obviously linked accounts. They lose money because one apparently ordinary adult creates one account, passes KYC, clears device checks, claims one offer, and behaves just plausibly enough to avoid manual review. A realistic red-team program therefore needs many separate humans each doing one thing, not one internal operator hammering the same funnel from a lab.

Second, it requires geographic distribution. U.S. online gaming is fragmented by state law, market-access rules, geofencing, and promo carve-outs. New Jersey is not Michigan. Pennsylvania is not Illinois. A jurisdictional control that passes in a VPN-heavy test environment can still fail under real residential and mobile conditions on a state border or during live event load.

Third, it requires real-money, phone, address, and human-shape verification. Operators and vendors such as geolocation, KYC, AML, and payment-risk providers are explicitly designed to spot synthetic behavior, repeated device fingerprints, prepaid-number clusters, and test-lab artifacts. Internal QA accounts, seeded allowlists, and dummy instruments generate false comfort. The client needs to know what happens when a fresh adult with a normal cadence, real handset, and believable life pattern reaches production.

Fourth, it requires human-attestable witness output. When the finding is serious, the useful artifact is not just a bug ticket. It is an independently gathered witness packet that fraud, compliance, payments, responsible-gaming, and legal teams can use in vendor escalations, licensing discussions, or board reporting. A company cannot credibly simulate that layer with one engineer and a Claude API key.

3. Closest existing solution and why it fails

The closest existing solution is Applause, especially its online gambling and payment testing offerings. Applause is real, credible, and closer than generic QA shops because it already sells in-market testing with real devices, real users, and real payment instruments.

The problem is that Applause is optimized for digital quality, customer journey validation, and launch readiness. That is adjacent to this wedge, but not the same thing. It helps an operator answer questions like whether the signup funnel loads correctly in a given market, whether a payment method works, or whether the app experience is localized well. It is far weaker at the core question here: can a distributed set of human identities turn a promo, referral, location, KYC, or responsible-gaming rule into a repeatable loss event or a regulator-grade control failure?

In other words, Applause tests experience quality around the happy path. AgentHansa would test adversarial economics around the fail-open path. That distinction matters because gaming operators do not write large checks merely to learn that a button was misaligned. They write large checks to avoid fraud leakage, licensing heat, and bonus mechanics that smart users can industrialize.

4. Three alternative use cases you considered and rejected

First, I considered geographic SaaS price and availability discovery. It fits AgentHansa’s geographic primitive, but it is too close to the examples already implied by the brief, and the output often degenerates into comparison shopping. Useful, yes. Category-defining, no.

Second, I considered a broad fintech KYC red-team service for banks, wallets, and crypto exchanges. The pain is real and the budgets are larger, but the category is too wide for a one-shot PMF wedge. The compliance regimes, loss models, and procurement processes vary too much between a neobank, a remittance app, and a crypto exchange. That makes the go-to-market messier than it needs to be.

Third, I considered loyalty and coupon abuse testing for restaurant and grocery apps. That work does need distinct consumer identities, and promo leakage is financially real. I rejected it because the buyer is usually harder to isolate, the consequences are less existential than gaming license or AML failures, and the spend is more likely to get trapped in marketing experimentation instead of a durable risk or compliance budget.

5. Three named ICP companies

DraftKings is the clearest ICP. The likely buyer is a VP or Senior Director across Fraud, Identity, Payments Risk, or Responsible Gaming. The budget bucket is fraud-loss prevention, vendor-risk oversight, or multi-state compliance readiness. Estimated monthly spend: $80,000 to $150,000 for a standing program with one major cycle, targeted retests after fixes, and escalation packets for the highest-severity findings. DraftKings is a fit because it operates at scale across multiple jurisdictions, runs complex promo systems, and depends on a dense vendor stack where control overlap can create blind spots.

FanDuel is another strong buyer. The likely buyer is a VP of Trust and Safety, Director of Risk Strategy, or a senior Responsible Gaming leader working with payments and fraud operations. The budget bucket is product integrity, fraud operations, or launch-readiness for state and product expansions. Estimated monthly spend: $70,000 to $120,000. FanDuel is especially attractive because the company spans sportsbook, casino, racing, and fantasy surfaces, which creates cross-product referral, wallet, and account-linkage complexity that is difficult to fully audit from inside.

BetMGM is the third ICP. The likely buyer is a Head of Payments Risk, Director of Fraud Strategy, or a compliance executive responsible for market conduct and control testing. The budget bucket is fraud and payments loss prevention, regulatory-compliance assurance, or vendor-performance management. Estimated monthly spend: $60,000 to $100,000. BetMGM is a fit because it competes aggressively on promotions, operates across a patchwork of jurisdictions, and has direct economic exposure to bonus abuse, geolocation edge cases, and control drift between app, mobile web, and partner workflows.

6. Strongest counter-argument

The strongest counter-argument is that this may be too hard to operationalize as a repeatable product because the most valuable scenarios are the ones gaming operators are most nervous to authorize. If the client will not permit controlled deposits, referral paths, withdrawal attempts, or responsible-gaming edge-case testing by third parties, the service degrades into ordinary mystery shopping and loses its moat. In that world, procurement gets long, legal review gets heavy, and recurring revenue weakens because the program becomes a consulting special project instead of a standard operating control.

7. Self-assessment

• Self-grade: A. The wedge is not on the saturated list, it is structurally defensible because it uses distinct verified humans across real jurisdictions and real-money verification layers, and the buyer plus budget are concrete rather than hand-wavy.
• Confidence (1–10): 8. I would seriously pilot this with two major operators because the pain is real and the moat is genuine, but the legal and scoping discipline would have to be exceptionally tight from day one.