A SINGLE PAGE LOAD on 6sense.com triggers an extraordinary surveillance cascade: 13 hosts syncing cookies, 17 hash exfiltrations, PII deanonymization (name + phone), a CMP defeat device harvesting pre-consent data, and TrenDemon SDK with eval()-based arbitrary code execution loading from the compromised polyfill.io domain.

## SUPPLY CHAIN COMPROMISE: polyfill.io on Privacy Policy Page

TrenDemon SDK (loaded on 6sense.com) includes a dependency on polyfill.io/v3/polyfill.min.js. This domain was acquired by Chinese company Funnull in February 2024 and subsequently used to inject malicious code into websites. **This script loads while users read 6sense's privacy policy** - the page that should inform them of data practices instead exposes them to a known compromised CDN.

6sense deploys Ketch CMP (documented in BTI-2025-0022 as a consent defeat device) which harvests Marketo tracking cookies from visitors and transmits them to ketchcdn.com. This creates undisclosed cross-vendor identity aggregation where visiting 6sense's Trust Center ironically results in marketing cookie exfiltration.

The researcher was identified by name ("Ronin") and geolocated to state level (Alabama) while researching 6sense's privacy practices.

This is not a collection of separate issues - it's a coordinated surveillance architecture deployed by a company that sells "privacy-compliant intent data."
This advisory exists to warn companies running 6sense on their sites. We do not notify vendors. We do not provide remediation windows. If you're using this vendor, this is your evidence.
- 6sense.com (vendor's own site)
If You're Running 6sense

- Block Ketch on 6sense domains (Effort: trivial)
- Block 6sense epsilon tracking (Effort: trivial)
- Request accurate subprocessor disclosure (Effort: moderate)
- Block TrenDemon SDK (eval() supply chain risk) (Effort: trivial)

What It Costs You
CAC Subsidization
Visitor data captured on a site can flow into data broker networks and identity graphs, eventually surfacing in competitor prospecting tools. The original company paid to acquire the traffic; competitors pay pennies to intercept the lead.
Signal Corruption
Overlapping tracking mechanisms corrupt attribution data. Multiple sources claim credit for single conversions. Pipeline metrics diverge from reality. Marketing decisions get made on numbers that can’t be trusted.
Legal Tail Risk
Pre-consent data collection, undisclosed data sharing, and consent signal violations create regulatory exposure. Class actions and regulatory fines can exceed entire annual marketing budgets. Liability sits with the site owner, not the vendor.
GTM Attack Surface
Third-party scripts execute with full privileges on every page load. Dangerous code patterns, external dependencies, and data interception turn marketing infrastructure into attack vectors. One compromised dependency compromises the entire site.
BTI-C: Behavioral Codes
“They take your ability to see what they're taking.”
“They take your visitor identity and connect it everywhere.”
“They take device signatures to track users who block cookies.”
“They take control of your consent UI to get the answer they want.”
“They take permanent residence in your users' browsers.”
“They take your anonymous visitors and sell them as leads to your competitors.”
“They don't take anything directly. They're the gun, not the bullet.”
BTSS Score Breakdown
Technical Evidence
Code Evidence
Ketch harvesting Marketo cookie

```http
POST /web/v3/consent/6_sense/get HTTP/2
Host: global.ketchcdn.com
Content-Type: application/json

{
  "identities": {
    "_mkto_trk": "id:958-TTM-744&token:_mch-6sense.com-33fe35d4df8d6e33441925452a7b0e80",
    "swb_default_property": "670110ef-a747-4a9a-b62c-f8513dbb6c10"
  },
  "purposes": {...}
}
```
Pre-consent identity log with region

```http
POST /web/v2/log HTTP/2
Host: global.ketchcdn.com

hasConsent=false
&event_type=once_identities
&region=US-AL
&ids=eyJfbWt0b190cmsioiJpZDo5NTgtVFRNLTc0NCZ0b2tlbj1fbWNoLTZzZW5zZS...
```
Network Evidence
- `https://global.ketchcdn.com/web/v3/consent/6_sense/get` - Ketch consent endpoint with Marketo cookie
- `https://global.ketchcdn.com/web/v2/log` - Pre-consent identity logging
- `https://analytics.google.com/g/collect?uid=Ronin` - Google Analytics with named user ID
- `https://epsilon.6sense.com/v3/company/details` - 6sense deanonymization payload #1 - returns identified company/contact data
- `https://eps.6sc.co/v3/company/details` - 6sense deanonymization payload #2 - redundant/failover endpoint
Evidence Package
Reproduction Steps

1. **Visit 6sense.com** with DevTools open
2. **Filter Network by** `ketchcdn.com`
3. **Find POST to** `/web/v3/consent/6_sense/get`
4. **Examine request payload** for `identities` object
5. **Decode any Base64 `ids=` parameters** to reveal Marketo cookie
6. **Check Response headers** for AWSALB without security flags
7. **Visit Trust page** and observe full tracking continues
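Steps 3 to 5 above can be automated against a saved request body. The following Python audit helper is an added example, not code from the advisory or from Ketch or 6sense: it parses the form-encoded `/web/v2/log` body, decodes the base64 `ids` blob, and flags identity keys transmitted while `hasConsent=false`; it also lists identity keys in a `/web/v3/consent/.../get` JSON body. The sample capture is constructed inside the block and the Marketo token is a placeholder.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Identity keys whose transmission to a third party before consent is the
# cross-vendor aggregation pattern the advisory describes (Marketo -> Ketch).
IDENTITY_KEYS = {"_mkto_trk", "swb_default_property"}


def decode_ids(b64: str) -> dict:
    """Decode the base64-encoded JSON object carried in the `ids` form field.
    Missing '=' padding (common in copied captures) is restored first."""
    padded = b64 + "=" * (-len(b64) % 4)
    return json.loads(base64.b64decode(padded))


def audit_log_body(body: str) -> dict:
    """Audit a /web/v2/log form body: consent flag, region, and whether any
    tracked identity key was sent while hasConsent=false."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    ids = decode_ids(params["ids"]) if "ids" in params else {}
    leaked = sorted(set(ids) & IDENTITY_KEYS)
    return {
        "has_consent": params.get("hasConsent") == "true",
        "region": params.get("region"),
        "identities": leaked,
        "pre_consent_leak": params.get("hasConsent") == "false" and bool(leaked),
    }


def audit_consent_body(body: str) -> list:
    """List tracked identity keys present in a /web/v3/consent/<org>/get JSON body."""
    return sorted(set(json.loads(body).get("identities", {})) & IDENTITY_KEYS)


# Constructed sample capture (not the page's truncated blob): the ids value is
# built from JSON here, and the Marketo token is a placeholder.
SAMPLE_IDS = base64.b64encode(json.dumps(
    {"_mkto_trk": "id:958-TTM-744&token:_mch-6sense.com-TOKEN_PLACEHOLDER"}
).encode()).decode()
SAMPLE_LOG_BODY = urlencode({
    "hasConsent": "false",
    "event_type": "once_identities",
    "region": "US-AL",
    "ids": SAMPLE_IDS,
})

if __name__ == "__main__":
    print(audit_log_body(SAMPLE_LOG_BODY))
```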
Legal Touchpoints
Failure to disclose specific processing purposes. Ketch is not disclosed as aggregating Marketo cookies. FingerprintJS framed as "fraud prevention" obscures its fingerprinting function.
Cross-vendor data sharing without adequate disclosure. Marketo cookies transmitted to Ketch constitute "sale" or "sharing" under CCPA.
Deceptive practices through subprocessor misrepresentation. Calling FingerprintJS "Account Fraud Prevention" when it's device fingerprinting for advertising is materially misleading.
Citation Templates
“Vendor shall not engage in behaviors classified under BTI-2025-0023 (6sense), including BTI-C12 (BTI-C12).”

“BTI Advisory BTI-2025-0023 documents 6sense engaging in BTI-C12 (BTSS 9.2, CRITICAL).”

“We have identified 6sense as exhibiting BTI-C12 behavior per BTI Advisory BTI-2025-0023. Full details: deployblackout.com/bti/BTI-2025-0023”