How This Briefing Works
This report opens with key findings, then maps the gaps between what Blackwoodseven discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Key Findings
24 detections across 24 sites4% pre-consent activity
MEDIUM
Pre-Consent Activity
Blackwoodseven was observed loading and executing before user consent was obtained on 4% of sites where it was detected.
GDPRePrivacy
HIGH
Consent Bypass
8 vendors fire pre-consent including Bytemine, Leadfeeder, Scoreplex, HubSpot, YouTube
GDPR Art. 6GDPR Art. 7CCPA 1798.100
HIGH
Vendor Disclosure Gap
Cookie policy lists ~9 vendors but 37 distinct vendors detected
GDPR Art. 13GDPR Art. 14CCPA 1798.110
HIGH
Undisclosed Party
Not in privacy policy
HIGH
Undisclosed Sharing
Hidden data recipients
Disclosure Gaps
Claims vs. Observed Behavior
3 gaps
2 HIGH1 MED
Classified:BTI-X01BTI-X02BTI-X05BTI-X10
Consent Bypass
GDPR Art. 6 · GDPR Art. 7 · CCPA 1798.100HIGH
They Claim
“GDPR/CCPA compliant with cookie consent mechanism”
Observed Behavior
8 vendors fire pre-consent including Bytemine, Leadfeeder, Scoreplex, HubSpot, YouTube
intel_detections shows pre_consent=true for 8 distinct vendors on blackwoodseven.com scans
Vendor Disclosure Gap
GDPR Art. 13 · GDPR Art. 14 · CCPA 1798.110HIGH
They Claim
“Cookie policy lists third-party vendors”
Observed Behavior
Cookie policy lists ~9 vendors but 37 distinct vendors detected
Comparison of cookie policy vendors vs intel_detections vendor_slug count
Customer Impact
What This Means For You
YOUR marketing attribution data processed through Blackwood Seven's HamiltonAI platform flows through a vendor ecosystem 4x larger than disclosed. YOUR budget optimization recommendations may be influenced by undisclosed data flows to vendors like Leadfeeder, which fires pre-consent and identifies YOUR corporate visitors. As a Kantar subsidiary owned by Bain Capital, YOUR data is processed within a conglomerate with extensive data aggregation capabilities — YOUR marketing performance data could inform Kantar's broader intelligence products. Under GDPR, YOUR records of processing must account for Blackwood Seven's actual 37-vendor chain, not their disclosed 9.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
If You Use Blackwoodseven
- →Audit what data Blackwood Seven's HamiltonAI platform collects from your properties and where it flows within Kantar
- →Review your DPA to ensure it covers the actual 37-vendor ecosystem, not just the 9 disclosed in their cookie policy
- →Implement consent gating for any Blackwood Seven scripts to prevent pre-consent data collection
- →Request documentation on data flows between Blackwood Seven, Kantar, and Bain Capital portfolio companies
If You're Evaluating Blackwoodseven
- →Request Blackwood Seven's complete vendor and subprocessor list before any engagement
- →Verify whether HamiltonAI platform data stays within Blackwood Seven or flows to parent company Kantar
- →Compare marketing mix modeling alternatives that do not carry conglomerate data aggregation risk
- →Require contractual restrictions on data usage beyond your specific attribution use case
Negotiation Leverage
- →Cookie policy undercount: 37 vendors detected vs. 9 disclosed — a 4x gap demonstrating systematic disclosure failures; use this to negotiate complete vendor transparency as a contract condition
- →Pre-consent vendor firing: 8 vendors including Leadfeeder, HubSpot, and YouTube fire before consent — leverage this to require consent architecture improvements in any implementation
- →Kantar subsidiary risk: As a Kantar/Bain Capital entity, data flows may extend beyond Blackwood Seven — negotiate explicit restrictions on data sharing within the Kantar corporate family
- →Leadfeeder pre-consent: B2B visitor identification fires before consent, exposing corporate visitor data — use this to negotiate removal of identity resolution vendors from your deployment
Runtime Detections
Runtime Detections
5 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
BTI-C07Session Recording
Full session replay
BTI-C09Consent Bypass
Ignoring CMP signals
BTI-C10Fingerprinting
Device identification
IOC Manifest
IOC Manifest
157 INDICATORS
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*blackwoodseven.com/wp-content/themes/astra/assets/js/minified/flexibility.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/lib/font-awesome/js/v4-shims.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/sticky-header-effects-for-elementor/assets/js/she-header.js*
Tracking script
TRACK
*blackwoodseven.com/wp-includes/js/jquery/jquery-migrate.js*
Tracking script
TRACK
*blackwoodseven.com/wp-includes/js/jquery/jquery.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/essential-blocks/assets/js/eb-blocks-localize.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/themes/astra/assets/js/minified/style.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/uploads/astra-addon/astra-addon-*-*.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/astra-addon/assets/js/minified/purify.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/js/webpack.runtime.js*
Tracking script
TRACK
*blackwoodseven.com/wp-includes/js/jquery/ui/core.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/js/frontend-modules.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/js/frontend.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/essential-addons-for-elementor-lite/assets/front-end/js/view/general.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.js*
Tracking script
TRACK
*blackwoodseven.com/wp-includes/js/dist/i18n.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/lib/swiper/v8/swiper.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.js*
Tracking script
TRACK
*blackwoodseven.com/wp-includes/js/dist/hooks.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor-pro/assets/js/frontend.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/js/lightbox.*.bundle.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/lib/dialog/dialog.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/lib/share-link/share-link.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/js/section-frontend-handlers.*.bundle.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/js/shared-frontend-handlers.*.bundle.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/js/video.*.bundle.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/js/text-editor.*.bundle.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor-pro/assets/js/nav-menu.*.bundle.js*
Tracking script
TRACK
*blackwoodseven.com/wp-content/plugins/elementor/assets/js/image-carousel.*.bundle.js*
Tracking script
TRACK
*blackwoodseven.com/wp-includes/js/wp-emoji-release.js*
Tracking script
TRACK
blackwoodseven.com/wp-content/themes/astra/assets/js/minified/flexibility.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-includes/js/jquery/jquery.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-includes/js/jquery/jquery-migrate.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/lib/font-awesome/js/v4-shims.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/sticky-header-effects-for-elementor/assets/js/she-header.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/essential-blocks/assets/js/eb-blocks-localize.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/themes/astra/assets/js/minified/style.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/uploads/astra-addon/astra-addon-69735d104a4893-77448999.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/astra-addon/assets/js/minified/purify.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-includes/js/jquery/ui/core.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/js/frontend.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/lib/swiper/v8/swiper.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/essential-addons-for-elementor-lite/assets/front-end/js/view/general.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-includes/js/dist/hooks.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-includes/js/dist/i18n.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/js/lightbox.d1799e507b570f6b0496.bundle.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/lib/dialog/dialog.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/lib/share-link/share-link.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/js/section-frontend-handlers.d85ab872da118940910d.bundle.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/js/shared-frontend-handlers.03caa53373b56d3bab67.bundle.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor-pro/assets/js/nav-menu.8521a0597c50611efdc6.bundle.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/js/video.86d44e46e43d0807e708.bundle.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/js/text-editor.45609661e409413f1cef.bundle.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-content/plugins/elementor/assets/js/image-carousel.6167d20b95b33386757b.bundle.min.js
Auto-extracted from scan
TRACK
blackwoodseven.com/wp-includes/js/wp-emoji-release.min.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Blackwood Seven operates as a subsidiary of Kantar (owned by Bain Capital since 2019). The HamiltonAI platform is loaded on client marketing sites for attribution measurement. On their own site, they deploy a complex stack: HubSpot for marketing automation, Google Analytics/Ads for measurement, LinkedIn and Twitter for social/B2B, and notably Leadfeeder for B2B visitor identification. The presence of data enrichment vendors (Firmable, HG Insights, Versium) suggests they themselves use intent data services similar to what they help clients measure. The irony of an attribution vendor having poor attribution hygiene on their own properties is notable.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
159 detection signatures across scripts, domains, cookies, and network endpoints