ACTIVE INVESTIGATION
2026-04-02 // INDEPENDENTLY VERIFIED

BROWSERGATE

LinkedIn Is Scanning Your Browser. We Verified It. Then We Kept Digging.

Every time you visit linkedin.com, JavaScript running in your browser probes for 6,153 browser extensions by name, collects 48 device characteristics to build a unique fingerprint, and transmits the results — encrypted — to LinkedIn's servers and to HUMAN Security (formerly PerimeterX), a cybersecurity firm that processes 20 trillion digital interactions per week.

None of this is disclosed in LinkedIn's privacy policy. LinkedIn's own Senior Engineering Manager confirmed the extension scanning system under oath in German court proceedings.

BLACKOUT://BROWSERGATE_VERIFICATION
LIVE VERIFIED
$ blackout scan linkedin.com --cdt-mcp
[SCAN] Navigating to linkedin.com (guest homepage, no login)
[ALERT] client.protechts.net/PXdOjV695v/main.min.js — 226KB PerimeterX sensor loaded
[ALERT] li.protechts.net hidden iframe — 0px, position: -9999px, aria-hidden="true"
[EVIDENCE] /platform-telemetry/li/apfcDf — 10,922 bytes RSA-encrypted fingerprint
[EVIDENCE] 14 POST requests to /li/track in single page load
[ALERT] crcldu.com nested iframe — DSP/SSP adtech sync layer (UNREPORTED)
[ALERT] Blob Web Workers — off-thread fingerprinting (WebGL, fonts, canvas)
→ ALL BROWSERGATE CLAIMS CONFIRMED + 3 NEW FINDINGS

"LinkedIn named the surveillance orchestrator function AbuseFeaturesCollectionCoordinator. They named it that. On purpose."

— BLACKOUT analysis of chunk.905, module 75023

TL;DR

When you visit LinkedIn — even without logging in — code running in your browser quietly checks whether you have any of 6,153 specific browser extensions installed. It also collects dozens of technical details about your device to build a fingerprint that can identify you even if you clear your cookies or use incognito mode.

All of this happens invisibly. The scanning code runs inside a hidden iframe that's literally zero pixels wide and positioned off-screen. The results are encrypted before being sent back to LinkedIn's servers and to a third-party company called HUMAN Security.

None of this is disclosed in LinkedIn's privacy policy. And because LinkedIn knows your real name, employer, and job title, the extensions you have installed can reveal things about you that are legally protected — your religious beliefs, political views, health conditions, and whether you're secretly looking for a new job.

Below is the evidence. Every claim is independently verified. You can confirm it yourself with browser DevTools (F12).

THREAT_INDICATORS

  • 6,153 extensions scanned: unique Chrome extension IDs
  • 48 fingerprint features: browser characteristics collected
  • 10,922 bytes encrypted payload: RSA-encrypted data per visit
  • 14 tracking requests: /li/track POST requests per page load
  • 3 third parties: undisclosed data recipients
  • 3 hidden iframes: layers deep

THE_ATTACK

Two Systems. One Pipeline. Zero Disclosure.

HOW EXTENSION SCANNING WORKS — PLAIN ENGLISH

Chrome extensions can declare certain internal files as "web accessible." When they do, any website can try to load those files. If the load succeeds, the extension is installed. If it fails, it isn't.

LinkedIn's code tries to load a specific file from each of 6,153 extensions — one by one. The success/failure pattern tells LinkedIn exactly which extensions you have installed. This all happens inside your browser's sandbox. LinkedIn doesn't need to access your filesystem or install anything. The browser itself provides the information.
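The extension-side mitigation, as an added example and not the manifest of LinkedIn or of any extension named on this page: under Manifest V2 the key was a flat list of paths (`"web_accessible_resources": ["assets/icon.png"]`) that every origin could load, which is exactly what the probe relies on. In Manifest V3 each entry carries a `matches` list restricting which origins may load the resource, and `use_dynamic_url` replaces the fixed extension ID in the URL with one that changes per session, so a load attempt from an unlisted origin fails whether or not the extension is installed. The extension name and the `matches` origin below are constructed.

```json
{
  "manifest_version": 3,
  "name": "Constructed example extension",
  "version": "1.0.0",
  "web_accessible_resources": [
    {
      "resources": ["assets/icon.png"],
      "matches": ["https://app.example.com/*"],
      "use_dynamic_url": true
    }
  ]
}
```

An extension that needs no page-injected assets at all should omit `web_accessible_resources` entirely; a probe then has nothing to load.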

The device fingerprinting works similarly — your browser exposes APIs for screen resolution, GPU hardware, audio processing, installed fonts, and dozens of other characteristics. Individually, each data point is harmless. Combined, they create a unique identifier that persists even if you clear cookies, use incognito mode, or switch accounts. On LinkedIn, that fingerprint is attached to your real name, employer, and job title.

LinkedIn's Code (chunk.905)

2.7MB Webpack bundle, module 75023
  • AED (Active Extension Detection) — fires fetch() to chrome-extension:// URLs for 6,153 extensions simultaneously
  • Spectroscopy — walks the entire DOM tree searching for chrome-extension:// strings in text nodes and attributes
  • Staggered scanning — configurable delay between probes to avoid detection in network monitors
  • requestIdleCallback — scan runs only when browser is idle. Zero visible performance impact.

PerimeterX Sensor (226KB)

client.protechts.net/PXdOjV695v/main.min.js
  • Canvas fingerprinting — renders hidden elements with Unicode, hashes the output
  • WebGL fingerprinting — GPU renderer, vendor, 65+ parameters
  • Behavioral biometrics — mouse movements (200ms), keystrokes, scroll, touch patterns
  • Blob Web Workers — fingerprinting runs off-thread in ephemeral Workers. Invisible to DevTools.

In plain terms: LinkedIn runs two separate surveillance systems simultaneously. Their own code inventories your browser extensions. A third-party sensor fingerprints your device hardware. Both systems are designed to be invisible — they run in hidden iframes, use encrypted payloads, and execute in background threads that don't appear in standard debugging tools. This isn't incidental data collection. This is infrastructure purpose-built to operate without detection.

DATA FLOW

linkedin.com (visible page)
  └── li.protechts.net/index.html (hidden: 0px, -9999px, aria-hidden="true", id="humanThirdPartyIframe")
        ├── client.protechts.net/PXdOjV695v/main.min.js (226KB sensor)
        │   ├── Blob Web Workers (canvas, WebGL, font fingerprinting — off-thread)
        │   ├── POST → collector-pxdojv695v.protechts.net/api/v2/msft
        │   └── GET → tzm.protechts.net/ns (timing beacon)
        │
        ├── crcldu.com/bd/sync.html (NESTED hidden iframe — adtech data sync)
        │   └── crcldu.com/bd/auditor.js (session audit, x-session-id)
        │
        └── fst-ec.perimeterx.net (fingerprint verification — PX real domain)

All results → RSA encryption (apfcDfPK) → /platform-telemetry/li/apfcDf (10,922 bytes)
                                         → /li/track (14 POST requests per page load)
                                         → collector-pxdojv695v.protechts.net
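The indicators in the data-flow tree above, turned into a detection pass over a HAR-style capture of one page load. This is an added example written for this page, not code from BLACKOUT, LinkedIn or HUMAN Security; the record layout (`requests`, `frames`, `workers`), the inventory threshold and the sample capture with its made-up extension IDs are constructed assumptions.

```javascript
// Added example, not code from BLACKOUT, LinkedIn or HUMAN Security: flag the
// indicators from the data-flow tree in a HAR-style capture of one page load.
// The record layout (requests / frames / workers) is an assumption.
const PROBE_SCHEME = 'chrome-extension://';
// Collector hosts named in the data-flow section above.
const COLLECTOR_SUFFIXES = ['protechts.net', 'perimeterx.net', 'crcldu.com'];
// Assumed cut-off: a few probes may be feature detection, dozens is an inventory.
const INVENTORY_THRESHOLD = 50;

function isCollectorHost(host) {
  return COLLECTOR_SUFFIXES.some(s => host === s || host.endsWith('.' + s));
}

// Zero-sized, pushed off-screen or aria-hidden: any one keeps a frame out of view.
function isHiddenFrame(frame) {
  const style = frame.style || '';
  const offscreen = /(?:left|top)\s*:\s*-\d{3,}px/.test(style);
  const zeroSized = /(?:width|height)\s*:\s*0(?:px)?\b/.test(style);
  return offscreen || zeroSized || frame.ariaHidden === 'true';
}

function analyzeCapture(capture) {
  const probedIds = new Set();
  const collectorHosts = new Set();
  let trackPosts = 0;
  let telemetryBytes = 0;
  for (const req of capture.requests) {
    if (req.url.startsWith(PROBE_SCHEME)) {
      // chrome-extension://<extension id>/<web-accessible path>
      probedIds.add(req.url.slice(PROBE_SCHEME.length).split('/')[0]);
      continue;
    }
    const { hostname, pathname } = new URL(req.url);
    if (isCollectorHost(hostname)) collectorHosts.add(hostname);
    if (req.method === 'POST' && pathname === '/li/track') trackPosts += 1;
    if (pathname.startsWith('/platform-telemetry/')) telemetryBytes += req.bodySize || 0;
  }
  const hiddenFrames = capture.frames.filter(isHiddenFrame).map(f => f.src);
  const blobWorkers = capture.workers.filter(w => w.src.startsWith('blob:')).length;

  const findings = [];
  if (probedIds.size) {
    const kind = probedIds.size >= INVENTORY_THRESHOLD ? 'extension inventory' : 'extension probing';
    findings.push(`${kind}: ${probedIds.size} distinct extension IDs probed`);
  }
  if (hiddenFrames.length) findings.push(`hidden iframes: ${hiddenFrames.join(', ')}`);
  if (blobWorkers) findings.push(`blob workers: ${blobWorkers} off-thread scripts`);
  if (collectorHosts.size) findings.push(`third-party collectors: ${[...collectorHosts].sort().join(', ')}`);
  if (trackPosts) findings.push(`telemetry: ${trackPosts} POSTs to /li/track, ${telemetryBytes} bytes to /platform-telemetry`);
  return { probedIds: probedIds.size, hiddenFrames, blobWorkers,
           collectorHosts: [...collectorHosts].sort(), trackPosts, telemetryBytes, findings };
}

// Constructed sample capture, not a real recording: three probes of made-up extension
// IDs, the hidden iframe chain, two blob Workers and the telemetry endpoints above.
const fakeId = n => String.fromCharCode(97 + n).repeat(32);
const SAMPLE_CAPTURE = {
  requests: [
    ...[0, 1, 2].map(n => ({ url: `${PROBE_SCHEME}${fakeId(n)}/icon.png`, method: 'GET' })),
    { url: 'https://client.protechts.net/PXdOjV695v/main.min.js', method: 'GET' },
    { url: 'https://collector-pxdojv695v.protechts.net/api/v2/msft', method: 'POST', bodySize: 2048 },
    { url: 'https://www.linkedin.com/platform-telemetry/li/apfcDf', method: 'POST', bodySize: 10922 },
    ...Array.from({ length: 14 }, () => ({ url: 'https://www.linkedin.com/li/track', method: 'POST', bodySize: 300 })),
    { url: 'https://crcldu.com/bd/auditor.js', method: 'GET' },
  ],
  frames: [
    { src: 'https://li.protechts.net/index.html', style: 'width:0;height:0;position:absolute;left:-9999px', ariaHidden: 'true' },
    { src: 'https://crcldu.com/bd/sync.html', style: 'width:0;height:0' },
    { src: 'https://www.linkedin.com/embed/feed', style: 'width:500px;height:300px' },
  ],
  workers: [{ src: 'blob:https://li.protechts.net/constructed-1' }, { src: 'blob:https://li.protechts.net/constructed-2' }],
};
```

A real HAR from DevTools covers only the network requests; the iframe attributes and blob Worker URLs have to be recorded separately (for example from the Elements panel and a `URL.createObjectURL` hook, as the methodology section describes).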

WHAT_THEY_SCAN_FOR

LinkedIn knows your name, employer, and job title. The extensions it scans for can reveal the rest.

LinkedIn's scan list includes extensions that reveal religious practice, political views, disability status, and job search activity. Because LinkedIn ties scan results to verified professional identities, the privacy implications are severe. Under EU law (GDPR Article 9), processing data that reveals these characteristics is not regulated — it is prohibited.

Religious Beliefs: PROHIBITED

PordaAI (5,000 users) — 'Blur Haram objects, Real-time AI for Islamic values'. Deen Shield — 'Blocks haram sites, Quran Home Tab'.

Political Opinions: PROHIBITED

Anti-Zionist Tag, Anti-woke, No more Musk, Vote With Your Money, Political Circus, LinkedIn Political Content Blocker, NoPolitiLinked.

Health & Disability: PROHIBITED

Simplify (79 users) — described as 'for neurodivergent users'. Reveals neurological conditions of named professionals.

Employment Status: PROHIBITED

509 job search extensions (1.4M users). Reveals who is secretly looking for work — on the platform where their current employer can see their profile.

Competitor Intelligence: COMPETITIVE INTEL

200+ competing sales tools scanned: Apollo, Lusha, ZoomInfo, HubSpot, Salesforce. Maps which companies use which competitor products.

Security Posture: SECURITY EXPOSURE

Malwarebytes (10M users), VPNs, password managers, privacy tools. Reveals which companies use security tools and which don't.

WHO_IS_HUMAN_SECURITY

The "cybersecurity firm you've never heard of" processes 20 trillion interactions per week.

HUMAN Security (formerly PerimeterX) was formed from the merger of White Ops and PerimeterX in 2022. ~500 employees, 500+ customers, ~$1.5B valuation. Leadership drawn from military and intelligence backgrounds. Sells to government and enterprise via Carahsoft.

Ido Safruti

CTO, HUMAN Security

PerimeterX co-founder. Military intelligence background. Led R&D and product strategy.

Tamer Hassan

Chairman, HUMAN Security

White Ops co-founder. Military background. Fast Company #1 Most Creative Person 2019.

Stu Solomon

CEO, HUMAN Security

Former President, Recorded Future ($2.65B Mastercard acquisition). 25yr military career.

Omri Iluz

Former President (departed)

PerimeterX co-founder. Departed to found Lumia Security.

CORPORATE STRUCTURE

HUMAN SECURITY (~$1.5B valuation, 500+ customers, 20T interactions/week)
  ├── White Ops (founded 2012) ──► acquired by Goldman Sachs/ClearSky/NightDragon (2020)
  ├── PerimeterX (founded 2014) ──► merged with HUMAN (2022)
  └── clean.io (acquired 2022) ──► anti-malvertising

LEADERSHIP
  ├── Stu Solomon (CEO) — ex-President of Recorded Future
  ├── Ido Safruti (CTO) — PerimeterX co-founder, military intelligence background
  ├── Tamer Hassan (Chairman) — White Ops co-founder, military background
  └── Omri Iluz (departed) — PerimeterX co-founder, now Lumia Security

CAPITAL: Goldman Sachs · NightDragon · ClearSky · Blackstone ($100M debt)
GOVERNMENT: Carahsoft partnership ──► federal + military sales channel

NEW_FINDING: CRCLDU.COM

Inside the hidden iframe, there's another hidden iframe. And it raises serious questions.

crcldu.com — an undocumented domain that loads as a nested iframe inside LinkedIn's PerimeterX iframe. Same WHOIS privacy service as protechts.net. Seen on 10,000+ pages via urlscan.io. It serves auditor.js — a 200KB heavily obfuscated script containing a custom bytecode interpreter, 1,230 check definitions, and 112 encrypted function payloads. That's not a cookie sync pixel. That's infrastructure.

CONFIRMED

  • Certificate Transparency logs show TLS certificates were issued for dsp.crcldu.com, ssp.crcldu.com, adv.crcldu.com, and pub.crcldu.com. Someone at HUMAN Security requested these certificates.
  • These subdomains do not currently resolve. DNS returns NXDOMAIN. The infrastructure may have been decommissioned, or it may be internal-only.
  • The base domain crcldu.com is live (Cloudflare) and serves auditor.js — 200KB of code protected by XOR encryption, base64 encoding, and a custom virtual machine interpreter. This level of obfuscation exceeds what bot detection requires.
  • The decoded payload contains 1,230 check definitions and 112 encrypted function routines. No ads.txt or sellers.json files are published on any associated domain.

Subdomain          Role                    Status
dsp.crcldu.com     Demand-Side Platform    CERT ISSUED / DNS INACTIVE
ssp.crcldu.com     Supply-Side Platform    CERT ISSUED / DNS INACTIVE
adv.crcldu.com     Advertiser              CERT ISSUED / DNS INACTIVE
pub.crcldu.com     Publisher               CERT ISSUED / DNS INACTIVE

DSP, SSP, Advertiser, Publisher — these are the four roles in a programmatic advertising exchange. That's the infrastructure that powers real-time ad bidding. It decides which ads you see and how much your attention is worth.

The question is not whether this infrastructure is currently active. The question is why a company that sells bot detection requested TLS certificates for ad exchange infrastructure in the first place, and why that domain is loading inside a hidden iframe on linkedin.com alongside a 200KB obfuscated script with 1,230 check definitions.

WHAT WE DON'T KNOW YET

We have not confirmed end-to-end data flow from crcldu.com to an active ad exchange. The subdomains don't currently resolve. It's possible the infrastructure was planned but never activated, or was active and later decommissioned. We're being transparent about the boundary between what we've confirmed and what the evidence implies.

What we can confirm: bot detection does not require demand-side and supply-side platform infrastructure. The certificates existed. The domain is active. The code is obfuscated far beyond what bot detection justifies. And nobody — not LinkedIn, not HUMAN Security, not any privacy policy — has ever disclosed that crcldu.com exists.

THE_HYPOCRISY

We scanned humansecurity.com. 36 third-party domains. Extension scanning on their own site.

The company that sells "trust" loads, on its own site, a registered California data broker (ZoomInfo) that base64-encodes your IP address, ContentSquare session recording, HockeyStack vendor-on-vendor DOM scanning, LiveRamp identity resolution, and LinkedIn tracking as the first network request. Plus its own PerimeterX product fingerprinting its own visitors.

Why this matters: HUMAN Security tells its customers that its technology protects user privacy. But on its own website — where it controls every decision — it chose to deploy a data broker, session recording, identity resolution, and its own fingerprinting. These aren't inherited defaults. These are deliberate choices by the people who built the system. If this is how they treat their own visitors, what does the technology do when it's running on someone else's site?

ZoomInfo (Data Broker)

Registered CA data broker. Base64-encodes visitor IP as _vtok. API key exposed in browser.

ContentSquare (Session Recording)

Every mouse movement, scroll, click, and form interaction recorded and replayed.

HockeyStack (Vendor Scanner)

Scans the DOM to detect other vendors, loads bridge scripts to siphon their data.

LinkedIn (Ad Tracking)

li/track — the FIRST network request fired on page load.

LiveRamp (Identity Resolution)

Cookie sync to LiveRamp's cross-device identity graph.

PerimeterX (Own Product)

Extension scanning confirmed: 4 chrome-extension:// probes in network traffic.

CLAIMS_VS_REALITY

What HUMAN Security says. What we observed.

From HUMAN Security's own Data Security & Privacy FAQ, last updated March 23, 2026.

THEIR CLAIM (Privacy FAQ, "What customer data does HUMAN store?")

"HUMAN stores the following customer data: IP Address, Connection metadata, Mouse interaction events"

WHAT WE OBSERVED

We observed: canvas fingerprinting, WebGL fingerprinting (65+ parameters), audio fingerprinting, font enumeration, battery API, WebRTC local IP extraction, CPU core count, device RAM, Do Not Track preference (collected then ignored), incognito detection, behavioral biometrics (mouse, keyboard, touch, scroll with configured sampling intervals), and installed browser extension probing — all running inside invisible blob Web Workers.

THEIR CLAIM (Privacy FAQ, "Does HUMAN resell user data?")

"HUMAN does not resell or transmit user data, other than as required to perform our services"

WHAT WE OBSERVED

crcldu.com — loaded as a nested hidden iframe inside the PerimeterX iframe — has subdomains for DSP (demand-side platform), SSP (supply-side platform), advertiser, and publisher infrastructure. That is the architecture of a programmatic advertising data pipeline.

THEIR CLAIM (Privacy FAQ, "Privacy by Design")

"Privacy is on by default at HUMAN Security — we minimize the collection of identifying information"

WHAT WE OBSERVED

48 browser fingerprint features collected. 6,153 extension probes fired. Hidden zero-pixel iframe (0px, position: absolute, left: -9999px, aria-hidden="true"). RSA-encrypted payloads unreadable in DevTools. Blob Web Workers running off-thread to avoid detection. Triple-redundant data exfiltration with automatic fallback.

THEIR CLAIM (Privacy FAQ, "Privacy by Design" principle 7)

"We are clear about our privacy commitments"

WHAT WE OBSERVED

LinkedIn's privacy policy contains zero mention of extension scanning. The hidden iframe is named "humanThirdPartyIframe" with aria-hidden="true", positioned at left: -9999px. The PerimeterX sensor uses string table obfuscation (fn(455), fn(474)) to resist static analysis. The payload is RSA-encrypted before transmission.

Every claim above is from HUMAN Security's own published FAQ. Every observation is from BLACKOUT's live analysis on April 2, 2026. The code is running right now. You can verify it yourself with F12.

This is not a disagreement about interpretation. HUMAN Security says it stores "IP Address, Connection metadata, Mouse interaction events." We observed canvas fingerprinting, WebGL hardware enumeration, audio processing fingerprints, font detection, battery status, CPU core counts, RAM capacity, incognito detection, and 6,153 extension probes — none of which are "connection metadata." Either the FAQ is incomplete, or the technology does more than the company describes to its own customers.

NETWORK_MAP

Every Domain Involved — All Confirmed Live

A single visit to linkedin.com triggers connections to all of the following domains. Most of them are invisible — they load inside hidden iframes or execute in background threads. None of them are mentioned in LinkedIn's privacy policy. Every domain below was confirmed active on April 2, 2026.

Domain                                      Owner                Purpose                                             Status
client.protechts.net                        HUMAN Security       PerimeterX sensor script (226KB)                    CONFIRMED
collector-pxdojv695v.protechts.net          HUMAN Security       Fingerprint data collection                         CONFIRMED
tzm.protechts.net                           HUMAN Security       Timing/tracking beacon                              CONFIRMED
li.protechts.net                            HUMAN Security       Hidden iframe staging (0px, -9999px, aria-hidden)   CONFIRMED
crcldu.com                                  HUMAN Security       Adtech data sync (DSP/SSP/ADV/PUB subdomains)       CONFIRMED
fst-ec.perimeterx.net                       HUMAN Security       Fingerprint verification (real PX domain)           CONFIRMED
merchantpool1.linkedin.com                  LinkedIn/Microsoft   Separate fingerprinting script                      CONFIRMED
linkedin.com/li/track                       LinkedIn/Microsoft   Telemetry endpoint (14 POSTs/pageload)              CONFIRMED
linkedin.com/platform-telemetry/li/apfcDf   LinkedIn/Microsoft   Encrypted fingerprint exfiltration                  CONFIRMED
google.com/recaptcha/enterprise.js          Google               reCAPTCHA v3 silent execution                       CONFIRMED

GROWTH_TIMELINE

From 38 to 6,153. 12 new extensions per day.

Date          Extensions   Event
2017          38           Dan Andrews first documents LinkedIn extension scanning
2024          ~461         Josef Kadlec documents growth
May 2025      ~1,000       Scan list doubles
Dec 2025      5,459        10x growth since 2024
Feb 2026      6,167        12 new extensions added per day
Apr 2, 2026   6,153        BLACKOUT independent verification

This isn't slowing down. LinkedIn is adding roughly 12 new extensions to the scan list every day. The first researcher to document this found 38 extensions in 2017. Nine years later, it's 6,153 — a 16,000% increase. No regulator has intervened. No browser vendor has blocked it. No mainstream press outlet has covered it. The surveillance infrastructure is growing unchecked because nobody with the tools to observe it has published the evidence. Until now.

LEGAL_EXPOSURE

Maximum GDPR Penalty: $11.27B

4% of Microsoft FY2025 revenue ($281.72B). Per violation. GDPR Article 83(5).

Jurisdictions: 32

Countries where Article 9 protections apply. 27 EU + 3 EEA + UK + Switzerland. ~500 million people.

VIOLATIONS

GDPR Article 9 — Processing prohibited data (religion, politics, health, employment)
GDPR Article 6 — No legal basis for extension scanning
ePrivacy Directive — Terminal equipment access without consent
German §202a StGB — Unauthorized data access
German §23 GeschGehG — Trade secret theft
UK Computer Misuse Act 1990 — Unauthorized access
California CCPA/CPRA — Unauthorized collection
Digital Markets Act — Expanded surveillance of tools the DMA was designed to protect

EVIDENCE_AND_METHODOLOGY

Independent Verification

BLACKOUT Analysis (April 2, 2026)

  • Live network capture on linkedin.com via Chrome DevTools
  • PerimeterX sensor (226KB) downloaded and analyzed
  • LinkedIn chunk.905 (2.7MB) independently verified — 6,153 extension IDs confirmed
  • Blob Web Workers intercepted via URL.createObjectURL hook
  • crcldu.com adtech infrastructure discovered and profiled
  • humansecurity.com audited — 36 third-party domains documented
  • LinkedIn Insight Tag tested on third-party site — confirmed clean of extension scanning

BrowserGate / Fairlinked (Feb-Mar 2026)

  • JavaScript bundle with 6,222 extension IDs (Dec 2025 version)
  • Video demonstration of scanning in Chrome DevTools
  • SHA-512 timestamped evidence package (RFC 3161)
  • Sworn affidavit from LinkedIn Senior Engineering Manager
  • Legal proceedings filed under the Digital Markets Act
  • Chrome extension for detecting LinkedIn scanning

Sworn Affidavit — Milinda Lakkam, LinkedIn Senior Manager

"These models do not take the use of any particular browser extension(s) into account."

Same paragraph: LinkedIn's systems "may have taken action against LinkedIn users that happen to have [XXXXXX] installed."

Filed February 6, 2026, Mountain View, California. Under penalty of perjury.

WHY_THIS_MATTERS

This isn't just a LinkedIn problem. It's a supply chain problem on your website.

If you run a LinkedIn Insight Tag, a Demandbase tag, or any vendor using HUMAN Security's bot detection, you're deploying third-party code on your website that you have not audited, that your visitors have not consented to, and that your privacy policy almost certainly does not describe. That's not a security problem. That's a revenue problem.

If You're a CISO

Every third-party script on your website is an attack surface you own but don't control. The LinkedIn Insight Tag itself is clean — we verified that. But LinkedIn's own site runs HUMAN Security's fingerprinting, and Demandbase independently embeds the same technology. How many of your vendors load hidden iframes you've never seen? How many spawn blob Web Workers that run off-thread?

You can't protect what you can't observe.

If You're a CFO or GC

GDPR Article 9 fines are 4% of global revenue. If a vendor on your site collects prohibited data — religious beliefs, political opinions, health conditions — you are the data controller. Your vendor contract won't save you. Your consent banner won't save you. The regulators fine the company whose website the visitor was on, not the third-party script that did the collecting.

Vendor risk is your liability.

If You're a CMO or RevOps Leader

Your GTM stack is supposed to drive pipeline. But every vendor you add is also leaking signal to competitors. HockeyStack scans the DOM to detect other vendors on your page. LinkedIn maps which companies use which competitor products. ZoomInfo deanonymizes your visitors and shares the data. Your stack isn't just measuring — it's broadcasting.

Your vendors are your competitors' intelligence source.

If You're a DPO or Privacy Lead

Your cookie consent banner covers the vendors you know about. But consent doesn't cover what you don't disclose. If a vendor on your site loads a hidden iframe from a domain your privacy policy doesn't list, that fires fingerprinting scripts your DPA doesn't mention, that syncs data to an adtech pipeline your DPIA hasn't assessed — your consent mechanism is theater.

You can't consent to what you don't know is happening.

How many vendors on your site are doing things your privacy policy doesn't describe?

LinkedIn's Insight Tag is clean. But the company behind it runs a 48-feature fingerprinting system with hidden iframes, blob Workers, and adtech data sync on its own domain. What are YOUR vendors doing when nobody's watching?

The only way to know is to observe them at runtime. That's what BLACKOUT does.

WHAT_BLACKOUT_DOES

We don't take vendors at their word. We scan. We observe. We report.

Observe

BLACKOUT scans your website like a visitor would — headless browser, full network capture, HAR recording, cookie inventory, consent pass analysis. We see every script, every pixel, every hidden iframe, every beacon.

Understand

Every vendor detected is matched against 600+ profiles in our Vendor Intelligence Database. Behavior is classified against the Four Horsemen of GTM collapse: signal integrity, data exposure, compliance risk, and attack surface.

Defend

Continuous monitoring, drift detection, vendor risk scoring, and evidence-grade reports your legal team can actually use. Know what's on your site, what it does, and what it costs you — before a regulator tells you.

This investigation took one session.

We verified BrowserGate, dissected the PerimeterX sensor, discovered crcldu.com, audited humansecurity.com, tested the Insight Tag, intercepted blob Workers, and mapped the full data flow — in a single afternoon. Imagine what continuous monitoring reveals.

Scan Your Site

Your GTM stack is a liability until you can prove otherwise.

BLACKOUT is GTM Security. We monitor what vendors actually do on your website — at runtime, with evidence, with consequences.