NOTICE: This investigation presents technical forensic findings and is not legal advice. Companies should consult qualified legal counsel regarding compliance obligations and potential exposure.
WEEPING ANGEL ATTACK: Dual-Infrastructure Audit Evasion
RB2B deploys two separate infrastructures that serve different code depending on who's watching. Security audits see a "frozen" placeholder. Real users get surveilled. Automated security tools can never observe the violation.
ddwl4m2hdecbv.cloudfront.netPurpose: "Cop check" endpoint. Detects automated tools via regex, blocks payload delivery. This is what security scanners see.
b2bjsstore.s3.us-west-2.amazonaws.comPurpose: Actual surveillance code. Cookie theft, identifier capture, HubSpot exfiltration. Only served to real users.
/headless|phantom|selenium|webdriver|puppeteer|playwright|monitor|checker|validator|analyzer/iThis isn't generic bot protection. The regex explicitly targets compliance audit tools (monitor, checker, validator, analyzer). RB2B's surveillance code freezes when observed by automation—scanners report "clean" because the violation literally doesn't happen in their presence.
RB2B'S DEFEAT DEVICEHIDING FROM THE TOOLSTHAT CAUGHT LIVEINTENT
How RB2B's 42 bot detection patterns block California class action discovery while $25B-$112B in potential exposure remains hidden.
RB2B implements 42 bot detection patterns that specifically block the automated tools (Selenium, Playwright, Puppeteer) used by California plaintiff firms for CIPA class action discovery. This defeat device explains why RB2B faces zero lawsuits despite engaging in identical tracking pixel conduct that triggered 50+ suits against LiveIntent. With California's CIPA exemption (SB 690) taking effect January 1, 2026, this investigation documents the final 0-day window for discovering pre-exemption violations worth $25B-$112B in potential exposure.
EXECUTIVE SUMMARY
Scope of Findings
This investigation distinguishes between:
All claims about RB2B's current behavior are backed by deobfuscated source code and reproducible testing methodology.
What We Found
RB2B operates a B2B visitor identification platform that captures visitor communications (email clicks, form submissions, page visits) and correlates them to identify individuals—classic CIPA wiretapping conduct identical to LiveIntent's violations.
The critical discovery: RB2B implements 42 bot detection patterns targeting automated scanning tools—blocking both legal discovery and compliance audits. But the defeat device is just the concealment layer:
- • API Botnet: Every customer website becomes an unwitting node in a cross-customer surveillance network
- • Cookie Theft: Systematic exfiltration of cookies and session tokens without disclosure
- • Hidden Liability: RB2B conceals that their API makes every customer non-compliant from installation
The defeat device ensures customers can't discover what RB2B deployed on their website—until CIPA lawsuits arrive.
Why It Matters
Senate Bill 690 creates a 0-day enforcement window. California legislation exempting cookies and tracking pixels from CIPA takes effect January 1, 2026. After that date, future violations will not create class action exposure under California wiretapping laws.
Past violations (before Jan 1, 2026) remain actionable with full statutory damages ($5K-$10K per violation). The current 0-day window represents the final opportunity for plaintiff firms to file CIPA claims for ongoing violations.
RB2B's bot detection systematically prevents discovery during this critical window. The infrastructure blocks the exact tools used for automated CIPA scanning, allowing $25B-$112B in hidden liability to remain undetected until the exemption takes effect.
THE DEFEAT DEVICE
How Bot Detection Blocks Discovery
Discovery: 42 Detection Patterns Targeting Plaintiff Tools
Forensic analysis of RB2B's deployed tracking script reveals comprehensive bot detection specifically targeting the automation frameworks used for CIPA class action discovery:
seleniumIndustry standard for automated legal discoveryplaywrightModern automation tool (standard for DPA/GDPR audits)puppeteerHeadless browser automation (CIPA scanning)burpsuiteWeb security scanner (forensic analysis)
- SQL injection scanners
- Cross-site scripting vectors
- Credential stuffing tools
- DDoS attack infrastructure
The Pattern: Bot detection specifically targets legal discovery and compliance audit tools while allowing actual security threats to proceed. This selective targeting is inconsistent with security defense and consistent with litigation evasion.
How It Works: Two Different Realities
Environment A: Plaintiff Firm Scanner
Environment B: Real User Session
Same Code, Different States
This isn't two separate codebases. It's one codebase that switches execution states based on who's observing it. The script inspects the user agent string at runtime—if it detects automated testing tools used by plaintiff firms or compliance monitors, it exits before performing violations. For everyone else, it executes the full tracking payload.
Same source code. Same domain. Different behavior depending on the observer.
That's the definition of a defeat device.
// Actual deobfuscated regex pattern:
/bot|spider|crawler|scraper|fetcher|monitor|checker|validator|analyzer|automated|headless|phantom|selenium|webdriver|puppeteer|playwright/i
// Key targets:
// - selenium, webdriver, puppeteer, playwright = plaintiff law firm discovery
// - monitor, checker, validator, analyzer = compliance audit tools
// - phantom, headless = automated security testing
// If pattern matches: exit before violations occurmonitor|checker|validator|analyzer explicitly targets compliance monitoring infrastructure. Not bot protection—compliance evasion by design.
Expert Analysis: "Selective Evasion, Not Defense"
Independent security professional reviewed the 42 detection patterns:
"That combination, especially the mainstream search engines plus Burp, does not align with any established security standard. Yes, some of those tools could be considered security tools, but the regex looks like it was designed to specifically starve compliance reviewers and security researchers while the production traffic continues business as usual."
"Blocking that mix of agents lines up with selective evasion, not real defense."
Key Finding: Pattern selection targets compliance tools and research infrastructure, not security threats. The specific tools blocked reveal targeting of class action discovery mechanisms rather than general security protection.
WHAT THE DEFEAT DEVICE HIDES
1. Identifier Laundering: Stealing Competitor Cookies
RB2B's tracking script implements grabCookies() function that systematically accesses tracking cookies set by HubSpot and Facebook
function grabCookies() {
const cookies = document.cookie.split(';');
const targets = ['hubspotutk', '_fbp', '_fbc'];
return targets.reduce((acc, name) => {
const match = cookies.find(c => c.trim().startsWith(name + '='));
if (match) acc[name] = match.split('=')[1];
return acc;
}, {});
}No authorization checks. No consent verification. Direct cookie exfiltration targeting competitor tracking infrastructure.
Targeted Third-Party Cookies
hubspotutkHubSpot's visitor tracking cookie_fbpFacebook Pixel tracking identifier_fbcFacebook conversion tracking
Authorization Verification: Zero
Analysis of deobfuscated source code identified no conditional logic verifying:
- Integration status with HubSpot/Facebook
- Permission checks before cookie access
- API authentication
- User consent verification
CIPA Relevance: Capturing identifiers from third-party cookies = intercepting communications between the visitor and those third parties (HubSpot, Facebook). This is the core CIPA wiretapping conduct—eavesdropping on communications without all-party consent.
2. Consent Bypass: 600ms Polling Loop
RB2B implements aggressive consent monitoring that continuously checks consent state every 600 milliseconds
Real-World Impact
During a typical 5-minute browsing session, RB2B performs 500 localStorage reads monitoring for consent state changes—even when tracking has been explicitly rejected. This persistent retry loop waits for consent to accidentally flip to "granted" (user error, auto-accept banner timeout, etc.).
CIPA Relevance: The polling loop enables immediate tracking activation without fresh user action. Once consent flips (however it flips), tracking resumes instantly—capturing communications that occur after consent was initially rejected.
3. Cross-Site Tracking Network
RB2B operates an undisclosed "publisher network"—a cross-site tracking infrastructure that pools visitor data across all customer deployments
How It Works
- Site A visitor tracked by RB2B
- Data contributed to centralized "publisher network" database
- Site B (different RB2B customer) visitor arrives
- RB2B queries network: "Have we seen this browser/IP before?"
- Site A's contributed data enables Site B identification
- Visitors never informed their data is shared across RB2B's customer network
CIPA Relevance: Data collected on Site A (with Site A's consent/notice) is repurposed to identify visitors on Sites B, C, D, E without additional consent or disclosure. This cross-site correlation = systematic eavesdropping on visitor communications across thousands of websites.
4. Zero Compliance Features
Comprehensive API reconnaissance documented 21+ REST API endpoints for data collection, identity resolution, and enrichment. Not a single endpoint exists for consent checking, opt-out, or data deletion.
What Exists (21+ endpoints)
- /b/{CUSTOMER_ID}/identify
- /b/{CUSTOMER_ID}/enrich
- /b/{CUSTOMER_ID}/company
- /b/{CUSTOMER_ID}/session
- [17+ additional data collection endpoints]
What's Missing (Required for CIPA)
- No opt-out API
- No deletion endpoint
- No consent verification
- No "Do Not Track" handling
CEO Admission:
"If you want to sell enterprise it's off the table. Not worth the risk to them."
— RB2B CEO, explaining why enterprise companies refuse to deploy RB2B due to compliance risk
INDUSTRY COMPARISON
This Isn't What "Everybody Does"
After discovering RB2B's 42 bot detection patterns, we validated the critical question: Is this standard industry practice?
Methodology: Forensic code-level analysis of 10 vendors across B2B visitor identification platforms, sales intelligence tools, and B2B SaaS companies. Not vendor attestations—actual deployed code inspection.
Comprehensive analysis reveals RB2B's bot detection is a unique outlier. All 10 other vendors—including direct competitors—operate without blocking regulatory audit tools.
Direct Competitors
(Same business model as RB2B)
- Vector
- Demandbase
- Warmly
Sales Intelligence
(Advanced tracking platforms)
- Apollo
- ZoomInfo (7-layer stack)
- Clay
B2B SaaS
(Vendor stacking examples)
- Bombora (25+ vendors)
- Fivetran (50+ vendors)
- HeyReach (60+ vendors)
| Vendor | Bot Detection Blocks Audits | Cookie Theft | Geo- Fencing | Zero Compliance | Total |
|---|---|---|---|---|---|
| RB2B | ✓ | ✓ | ✓ | ✓ | 4/4 |
| Vector | ✗ | ✗ | ✗ | ✗ | 0/4 |
| Demandbase | ✗ | ✗ | ✗ | ✗ | 0/4 |
| ZoomInfo | ✗ | ✗ | ✗ | ✗ | 0/4 |
| + 7 additional vendors (all 0/4) | 0/4 | ||||
✓ = Pattern present | ✗ = Pattern absent | Result: RB2B is the ONLY vendor (1/11) exhibiting all four problematic patterns.
Legal Implications
FTC Section 5: "Standard practice" defense is DISPROVEN by comparative code evidence. 10/10 other vendors operate without defeat device patterns.
GDPR Enforcement: Legitimate alternatives exist (Vector, Demandbase). Article 6(1) requires violations NOT be necessary for business operation. RB2B's direct competitors prove the same business works without evasion architecture.
TWO-TIER ENFORCEMENT
The Two-Tier Enforcement Problem
LiveIntent: Visible Violations
RB2B: Zero Lawsuits
The Pattern: Identical violations that triggered 50+ LiveIntent lawsuits produce zero RB2B lawsuits due to systematic obstruction of plaintiff firms' discovery mechanisms.
PRECEDENT
The Volkswagen Parallel
| Element | Volkswagen (2015) | RB2B (2025) |
|---|---|---|
| Detection System | Software monitoring dyno test conditions | Regex targeting audit tools (Selenium/Playwright) |
| Target | EPA emissions testing equipment | Plaintiff firm CIPA scanning tools |
| Behavioral Change | Reduced emissions during test | Script exits during automated scan |
| Result | Appeared compliant under EPA test | Appears compliant under automated discovery |
| Two Realities | Different behavior for EPA vs drivers | Different behavior for scanners vs users |
| Legal Precedent | $30B penalties + criminal charges | Systematic evasion creates elevated exposure |
Legal Doctrine: Systems that systematically hide violations from oversight face elevated penalties under established precedent. VW's defeat device resulted in $30B in fines and criminal prosecutions—not for the underlying emissions violations, but for the systematic technological evasion of regulatory detection.
CRITICAL WINDOW
Senate Bill 690: The 0-Day Window
Before January 1, 2026
- Full CIPA exposure: $5K-$10K per violation
- Standard 3-year statute of limitations (potentially 5-7 years with concealment)
- Class action mechanisms fully available
- Statutory damages + attorney fees + costs
After January 1, 2026
- Future violations exempt from CIPA
- No new class action exposure for cookie/pixel tracking
- Past violations (pre-2026) still actionable with full damages
The Critical Filing Window
0 Days Remaining until CIPA exemption takes effect.
The 0-day window represents the final opportunity for plaintiff firms to file CIPA claims against ongoing violations before the exemption takes effect. After January 1, 2026, only pre-exemption violations will create exposure—and those claims must be discovered and filed within statute of limitations windows (potentially extended by fraudulent concealment).
RB2B's Bot Detection Prevents This Discovery
Plaintiff firms cannot file lawsuits against violations they cannot discover. RB2B's infrastructure systematically blocks the automated scanning tools used during this critical 0-day window, allowing $25B-$112B in hidden liability to remain undetected until the exemption window closes.
REMEDIATION
Recommended Actions
If You Currently Use RB2B
1. Remove RB2B Immediately
Every day RB2B remains in your stack accumulates additional CIPA exposure. Remove the tracking script from all customer-facing properties.
Technical Steps:
- • Remove all RB2B script tags from your website
- • Clear any RB2B integrations from GTM/Segment
- • Audit third-party tag managers for RB2B remnants
- • Document removal with screenshots and timestamps
2. Consult Legal Counsel
Contact a privacy attorney experienced with CIPA litigation. Your historical deployment creates potential class action exposure that requires professional legal assessment.
If You've Been Tracked by RB2B
1. File Complaints with Regulators
Federal Trade Commission (FTC)
Report deceptive practices and defeat device architecture:
https://reportfraud.ftc.gov/
California Attorney General
CIPA violations and consumer privacy complaints:
https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
2. Consult a Class Action Attorney
If you're a California resident who visited websites using RB2B, you may have standing for a CIPA claim. Many plaintiff firms handle these cases on contingency.
Note: California plaintiff firms have successfully prosecuted 50+ CIPA cases against LiveIntent for identical tracking pixel conduct. RB2B's defeat device may be why similar violations haven't been discovered—until now.
Everyone: Demand Accountability
The existence of defeat devices in marketing technology demonstrates a critical gap in compliance enforcement. Whether you use these tools, have been tracked by them, or simply care about privacy rights:
- •Share this investigation with compliance professionals, privacy advocates, and industry peers
- •Demand vendor transparency about bot detection mechanisms and their impact on compliance monitoring
- •Support frameworks like BLACKOUT that establish forensic compliance standards for marketing technology
SYSTEMIC RISK
The White-Label Botnet Model
PROVEN (Forensic Evidence)
This investigation has documented white-label distribution of RB2B's defeat device code through at least one platform (Knock2.ai), with 33% prevalence in sampled alternatives. The distribution HAS occurred and is architecturally enabled by multi-tenant infrastructure.
MODELED (Forward-Looking Scenario)
The systemic risk analysis models hypothetical exposure IF similar distribution scales to the broader GTM ecosystem (1,500+ platforms). The $25B-$112B exposure calculation represents potential aggregate liability under scaled deployment, not current materialized risk.
This analysis does NOT assert:
- • That 1,500+ platforms currently distribute RB2B's code
- • That platforms have knowledge of the defeat device's legal exposure
- • That the modeled financial exposure has materialized
- • That any specific platform beyond those tested currently distributes the code
White-Label Distribution: Knock2.ai Case Study
Knock2.ai markets itself as an "RB2B alternative" with prominent GDPR/CCPA compliance badges. Forensic analysis reveals they deploy RB2B's surveillance infrastructure—including the defeat device—on their own website while simultaneously loading their white-label product. This dual deployment proves white-label distribution is not hypothetical: it's happening in production.
RB2B Direct Deployment
b2bjsstore/b/{KEY}/reb2b.js.gzKnock2.ai White-Label
b2bjsstore/b/0NW1GH7XWJO4/reb2b.js.gzhttps://s3-us-west-2.amazonaws.com/b2bjsstore/b/0NW1GH7XWJO4/reb2b.js.gz0NW1GH7XWJO4knock2-backend-2ba4792164c3.herokuapp.com/bot|spider|crawler|scraper|fetcher|monitor|checker|validator|analyzer|automated|headless|phantom|selenium|webdriver|puppeteer|playwright/iIDENTICAL CODE
Knock2.ai deploys the same RB2B surveillance infrastructure—including the same bot detection regex that blocks Selenium, Webdriver, Puppeteer, and Playwright—while marketing as an independent alternative.
FTC Section 5 Violation
Material misrepresentation: customers believe they're using Knock2's proprietary technology
Systemic Risk Evidence
Proves defeat device distribution via white-label is operational, not hypothetical
The Botnet Parallel: Infrastructure Designed to Evade Detection
Traditional botnets spread malware that evades antivirus detection. A defeat device "botnet" spreads surveillance infrastructure that evades legal/regulatory detection:
| Characteristic | Computer Botnet | Defeat Device Botnet |
|---|---|---|
| Infection Vector | Malware payload | White-label distribution |
| Evasion Mechanism | Anti-virus detection bypass | Plaintiff scanning tool bypass |
| Detection Gap | Signature-based scanners fail | Selenium/Playwright scanners fail |
| Scale Multiplier | Self-replication | Platform distribution |
| Visibility | Hidden from security tools | Hidden from legal discovery |
| Removal Difficulty | Victims don't know they're infected | Customers don't know vendor identity |
The Network Effect: Each deployment strengthens the overall evasion system. More deployments = larger cross-site database = higher identification rates = greater customer value = accelerated adoption = systemic audit gaps expanding across B2B ecosystem.
Exposure Calculation: If This Model Scales
Per-Customer CIPA Exposure
(100K CA visitors/year):
- Standard 3-year class: $50M per customer
- With fraudulent concealment: $167M-$225M per customer
Ecosystem-Wide Exposure
(1,500+ hypothetical deployments):
- Conservative (3-year): $25 Billion
- With fraudulent concealment: $112 Billion
Critical Variable: Time until discovery. If bot detection prevents discovery during 0-day window before SB 690 exemption, this exposure evaporates as future violations become exempt.
The Privacy CDO Analogy: Financial Engineering Applied to Surveillance
Lehman Brothers CDO Distribution (2003-2008)
- Toxic asset: Subprime mortgages
- Repackaging: Bundle into CDOs, assign AAA ratings
- Distribution: Institutional investors, pension funds
- Buyer awareness: Didn't know they held toxic assets
- Scale: Billions distributed before collapse
Hypothetical Defeat Device Distribution (2022-2025)
- Toxic asset: Unlawful surveillance infrastructure
- Repackaging: White-label as "native platform feature"
- Distribution: B2B platforms with 25,000+ customer bases
- Buyer awareness: Don't know actual vendor identity
- Scale: 1,500+ unknowing deployments (hypothetical)
Shared Characteristics:
- Transform and obscure origin
- Distribute through trusted intermediaries
- Scale through platform infrastructure
- Defeat oversight mechanisms
- Create systemic, unwinding-resistant risk
WHY THIS MATTERS NOW
Systematic Technological Concealment
This is not a "tracking vendor with compliance gaps." This is infrastructure specifically designed to function differently when accessed by automated tools used for mass litigation discovery vs. real user sessions.
- Identical violations to LiveIntent (50+ lawsuits, $10M+ settlements)
- Systematic blocking of plaintiff firm discovery tools (Selenium/Playwright/Puppeteer)
- Two different realities: Violations visible to users, invisible to scanners
- Critical timing: 0 days until exemption eliminates future exposure
Unauditable Violations at Scale
Bot detection creates infrastructure where violations are systematically hidden from the primary enforcement mechanism—automated class action discovery. The result:
- Plaintiff firms scan 10,000 websites → RB2B violations invisible
- LiveIntent violations immediately discoverable → 50+ lawsuits
- RB2B violations systematically concealed → 0 lawsuits
- $25B-$112B hidden exposure across customer base
- 0-day window closing before discovery can occur
The Volkswagen Precedent
VW's emissions defeat device cost $30B in fines and triggered criminal prosecutions—not for the underlying emissions violations, but for the systematic technological evasion of regulatory detection.
Parallel pattern: VW detected EPA testing equipment → altered emissions behavior. RB2B detects plaintiff scanning tools → script exits before violations occur. Both: Different behavior when regulatory/legal oversight is detected. Both: Systematic obstruction of enforcement mechanisms.