Apify

Apify claims "maximum security and privacy" while running 26 third-party vendors on its site — disclosing only 7 in its cookie policy — with B2B identification tools Leadfeeder and TrenDemon actively tracking visitors.

328 IOCs · 1 detection · 100% pre-consent · 1 site
Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Apify discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

1 detection across 1 site · 100% pre-consent activity · 1 critical disclosure gap
CRITICAL

Transparency

26+ vendors detected at runtime

GDPR Art 13 · GDPR Art 14 · ePrivacy Directive
CRITICAL

Pre-Consent Activity

Apify was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPR · ePrivacy
HIGH

Data Processing

Leadfeeder, TrenDemon, G2 perform visitor identification

GDPR Art 5(1)(a)
HIGH

Consent

100% pre-consent tracking rate

GDPR Art 6 · GDPR Art 7 · ePrivacy Art 5(3)
HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps
1 CRIT · 2 HIGH · 1 MED
Classified: BTI-X01 · BTI-X02 · BTI-X05 · BTI-X09 · BTI-X12

Transparency

GDPR Art 13 · GDPR Art 14 · ePrivacy Directive
CRITICAL
They Claim

Cookie policy discloses 7 vendors

Observed Behavior

26+ vendors detected at runtime

Runtime scan of apify.com

Data Processing

GDPR Art 5(1)(a)
HIGH
They Claim

Aggregate data does not contain any personal data

Observed Behavior

Leadfeeder, TrenDemon, G2 perform visitor identification

Detection of B2B identification scripts pre-consent

Documentation

GDPR Art 28
MEDIUM
They Claim

Subprocessors available at trust portal

Observed Behavior

Full list requires NDA

GDPR info page states NDA required for sub-processor list

Customer Impact

What This Means For You

YOUR web scraping and automation workflows through Apify route through a platform with 19 undisclosed vendor dependencies. YOUR scraping targets and automation patterns — competitive intelligence about your data strategy — flow through a vendor that runs Leadfeeder and TrenDemon on its own site. If YOUR development team visits apify.com for documentation, YOUR corporate identity is captured by B2B identification vendors before consent. YOUR compliance posture is affected: claiming "maximum security and privacy" while underdisclosing vendors by nearly 4x calls into question Apify's data handling for your scraping payloads.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Apify

  • Audit your own privacy policy for completeness — Apify's vendor sprawl may be inherited if you embed their tracking
  • Request their full subprocessor list to understand actual data flows beyond the 7 disclosed
  • Implement server-side integration to minimize client-side script exposure from Apify
  • Review data processing agreements to ensure your scraping data is not used for Apify's own intelligence

If You're Evaluating Apify

  • Request complete subprocessor list and compare against 26 detected vendors before signing
  • Test Apify in staging and audit all network requests to understand the full vendor ecosystem
  • Negotiate data isolation guarantees for your scraping targets and automation patterns
  • Require contractual representations on data confidentiality matching their maximum security claim

Negotiation Leverage

  • Vendor disclosure gap: 26 vendors detected vs. 7 disclosed — nearly 4x undercount; require complete vendor disclosure as a contract condition
  • B2B identification on site: Leadfeeder and TrenDemon actively identify corporate visitors — use this to negotiate removal of identification vendors or require consent-first architecture
  • Maximum security claim: Marketing claims maximum security and privacy while underdisclosing vendors — leverage for enhanced security audit rights and data protection guarantees
  • Scraping data sensitivity: Your scraping targets and patterns reveal competitive intelligence — negotiate data usage restrictions and payload confidentiality guarantees
Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 Session Recording

Full session replay

BTI-C08 Cross-Domain Sync

Identity stitching

BTI-C09 Consent Bypass

Ignoring CMP signals

BTI-C10 Fingerprinting

Device identification

BTI-C13 Persistence Mechanisms

Long-lived identifiers

BTI-C15 Tag Manager

Container/loader (neutral)

IOC Manifest

307 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Apify operates as a web scraping infrastructure provider. Their GTM footprint shows: (1) UPSTREAM - Loaded via direct script integration on customer sites for scraping orchestration; (2) DOWNSTREAM - Loads extensive marketing/analytics stack including Google ecosystem (GA4, Ads, DoubleClick), Microsoft (Clarity, BingAds), social pixels (LinkedIn, Twitter, TikTok, Reddit), B2B identification (Leadfeeder, TrenDemon, G2), and customer engagement (HubSpot, Intercom, Segment). OneTrust CMP present but not preventing pre-consent execution. The vendor sprawl (26+ vendors) is unusually high for a B2B infrastructure company, suggesting aggressive growth marketing prioritized over privacy engineering.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

328 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details