NOTICE: This investigation presents technical forensic findings and is not legal advice. Companies should consult qualified legal counsel regarding compliance obligations and potential exposure.
WEEPING ANGEL ATTACK: Dual-Infrastructure Audit Evasion
RB2B deploys two separate infrastructures that serve different code depending on who's watching. Security audits see a "frozen" placeholder. Real users get surveilled. Automated security tools can never observe the violation.
ddwl4m2hdecbv.cloudfront.netPurpose: "Cop check" endpoint. Detects automated tools via regex, blocks payload delivery. This is what security scanners see.
b2bjsstore.s3.us-west-2.amazonaws.comPurpose: Actual surveillance code. Cookie theft, identifier capture, HubSpot exfiltration. Only served to real users.
/headless|phantom|selenium|webdriver|puppeteer|playwright|monitor|checker|validator|analyzer/iThis isn't generic bot protection. The regex explicitly targets compliance audit tools (monitor, checker, validator, analyzer). RB2B's surveillance code freezes when observed by automation—scanners report "clean" because the violation literally doesn't happen in their presence.
RB2B'S DEFEAT DEVICEHIDING FROM THE TOOLSTHAT CAUGHT LIVEINTENT
How RB2B's 42 bot detection patterns block California class action discovery while $25B-$112B in potential exposure remains hidden.
RB2B implements 42 bot detection patterns that specifically block the automated tools (Selenium, Playwright, Puppeteer) used by California plaintiff firms for CIPA class action discovery. This defeat device explains why RB2B faces zero lawsuits despite engaging in identical tracking pixel conduct that triggered 50+ suits against LiveIntent. With California's CIPA exemption (SB 690) taking effect January 1, 2026, this investigation documents the final 0-day window for discovering pre-exemption violations worth $25B-$112B in potential exposure.
EXECUTIVE SUMMARY
Scope of Findings
This investigation distinguishes between:
All claims about RB2B's current behavior are backed by deobfuscated source code and reproducible testing methodology.
What We Found
TECHNICAL ANALYSIS
The 42 Detection Patterns
RB2B's script checks for 42 distinct patterns in the browser environment. When ANY match is detected, the surveillance payload exits immediately—before any cookie access or data exfiltration occurs. This ensures automated tools only observe benign behavior.
Generic bot protection targets scrapers and fraud. RB2B's patterns explicitly target compliance audit tools (monitor, checker, validator, analyzer)—the infrastructure used by plaintiff firms to document CIPA violations. This is not incidental overlap. This is targeted evasion of legal discovery mechanisms.
LEGAL CONTEXT
The LiveIntent Precedent
Between 2020-2023, LiveIntent faced 50+ CIPA class action lawsuits for third-party cookie access via tracking pixels. California plaintiff firms used Playwright/Selenium to document the violations. The pattern: automated scan → cookie access observed → lawsuit filed.
LiveIntent Behavior
RB2B Behavior
RB2B's infrastructure doesn't prevent violations—it prevents discovery of violations. The same conduct that cost LiveIntent $25M+ in settlements occurs daily across RB2B's deployment footprint. The only difference: automated tools can't observe it happening.
This is the definition of a defeat device under 18 U.S.C. § 1030 jurisprudence: technology specifically designed to evade detection by compliance testing infrastructure.
RISK MODELING
Exposure Calculation
Conservative Model
Aggressive Model
California SB 690 creates a CIPA exemption for pixels/scripts starting January 1, 2026. All violations before that date remain actionable. This investigation documents the methodology for discovering those pre-exemption violations during the final 0-day window before the exemption takes effect.
METHODOLOGY
How We Bypassed the Defeat Device
Real Browser Context
Used production Chrome browser (not Playwright/Selenium) to avoid triggering bot detection patterns. Captured network traffic via Chrome DevTools Protocol.
Payload Deobfuscation
Extracted minified JavaScript from S3 bucket. Deobfuscated using standard tools (Prettier, AST analysis). Identified bot detection regex and cookie access sequences.
Controlled Testing
Deployed test page with RB2B pixel. Compared behavior in real browser (full payload) vs. Playwright (frozen placeholder). Documented dual-infrastructure architecture.
Pattern Documentation
Catalogued all 42 detection patterns. Cross-referenced with plaintiff firm discovery tooling (Selenium WebDriver, Playwright, Puppeteer). Confirmed explicit targeting of compliance infrastructure.
All findings are reproducible using standard forensic tools. Deobfuscated source code, HAR files, and test methodology available to qualified legal counsel and security researchers.
IMPLICATIONS
What This Means
For RB2B Customers
Every website deploying RB2B's script is potentially exposed to CIPA class action liability for pre-2026 violations. The defeat device infrastructure means:
For Plaintiff Firms
This investigation provides a roadmap for documenting RB2B violations during the final 0-day window before SB 690's CIPA exemption:
For The Industry
RB2B's defeat device architecture represents a new category of compliance evasion. If white-label distribution scales as publicly announced (1M+ websites), this infrastructure could systematically obstruct privacy law enforcement across the surveillance advertising ecosystem. The implications extend beyond any single vendor.
The Volkswagen Precedent
VW's emissions defeat device cost $30B in fines and triggered criminal prosecutions—not for the underlying emissions violations, but for the systematic technological evasion of regulatory detection.
Parallel pattern: VW detected EPA testing equipment → altered emissions behavior. RB2B detects plaintiff scanning tools → script exits before violations occur. Both: Different behavior when regulatory/legal oversight is detected. Both: Systematic obstruction of enforcement mechanisms.