How This Briefing Works
This report opens with key findings, then maps the gaps between what Adcash discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Tracking
100% of observed deployments fire before user consent
Pre-Consent Activity
Adcash was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Undisclosed Vendors
17 third-party vendors observed on adcash.com including Brightdata, Firmable, TrenDemon
Undisclosed Party
Not in privacy policy
Undisclosed Sharing
Hidden data recipients
Claims vs. Observed Behavior
Pre-Consent Tracking
“Privacy policy references GDPR compliance”
100% of observed deployments fire before user consent
4 detections across 3 sites, all pre_consent=true
Undisclosed Vendors
“Privacy policy lists Google Analytics and Google DoubleClick as third parties”
17 third-party vendors observed on adcash.com including Brightdata, Firmable, TrenDemon
Runtime scan of adcash.com shows 15 undisclosed vendors
Anonymous Data Claim
“Collects anonymous usage statistics”
Offers targeting based on demographics, interests, or online behavior
Advertiser page describes behavioral targeting capabilities
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Adcash
- →Audit consent implementation immediately — 100% pre-consent rate means your users are tracked before consenting
- →Add Adcash to your CMP vendor list with explicit consent requirements for all ad formats
- →Document GDPR lawful basis for behavioral tracking enabled by Adcash on your properties
- →Review and update privacy policy to disclose all 17 detected vendors, not just the 2 Adcash admits to
If You're Evaluating Adcash
- →Verify consent architecture documentation before any trial — 100% pre-consent rate is the worst possible score
- →Assess whether invasive ad formats align with your brand and compliance requirements
- →Compare with ad networks that have documented consent compliance and transparent vendor disclosures
- →Require contractual consent compliance guarantees with financial penalties for violations
Negotiation Leverage
- →100% pre-consent rate: Every observed Adcash deployment fires before consent — use this to require contractual consent compliance guarantees with automatic termination rights
- →15 undisclosed vendors: Only Google Analytics and DoubleClick disclosed of 17 detected — require complete vendor disclosure as a contract condition
- →Invasive ad formats: Pop-unders, push notifications, and interstitials face increasing regulatory scrutiny — negotiate format restrictions and consent requirements for your inventory
- →195-country exposure: Global operations without demonstrated consent compliance create multi-jurisdictional regulatory risk — leverage for enhanced indemnification clauses
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Identity stitching
Ignoring CMP signals
Device identification
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
98 detection signatures across scripts, domains, cookies, and network endpoints