How This Briefing Works
This report opens with key findings, then maps the gaps between what Cookiebot discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Analysis pending. Findings will appear here once intelligence collection is complete.
Disclosure Gaps
Claims vs. Observed Behavior
1 gaps
pending
UNKNOWN
They Claim
“Awaiting scanner verification”
Observed Behavior
Runtime analysis needed to confirm exact pre-consent cookie behavior and timing, server endpoints contacted before consent, TCF string propagation to downstream vendors, data payloads in network requests, and behavior differences between TCF-enabled and standalone configurations.
Customer Impact
What This Means For You
Organizations using Cookiebot face a compliance paradox: the tool deployed to prove consent management may itself be the consent violation. The Wiesbaden court precedent means any EU regulator can challenge Cookiebot deployments on data transfer grounds. TCF integration means consent choices are shared with ad tech vendors who may not honor them, creating liability that flows back to the website operator — not Cookiebot. For organizations in regulated industries (finance, healthcare, government), Cookiebot's pre-consent JavaScript execution and third-country data transfers represent audit findings that cannot be explained away by having a consent tool. The cost of remediation includes not just replacing the CMP but re-evaluating every vendor that received TCF consent signals through it.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for Cookiebot
- →- Audit Cookiebot's pre-consent network requests using HAR capture to identify exactly what data is transmitted before any consent choice is made. - Evaluate whether TCF integration is enabled and, if so, inventory every vendor receiving consent strings through the framework. - Request Cookiebot's current Data Processing Agreement and verify the legal basis for any data transfers to US-based infrastructure. - Consider whether a self-hosted or server-side consent solution would eliminate the pre-consent JavaScript execution risk. - Document Cookiebot's own cookie footprint (CookieConsent, CookiebotConsent, etc.) and include it in your organization's cookie disclosure.
Negotiation Leverage
- →Cookiebot's primary leverage point is the Wiesbaden court ruling — any organization deploying Cookiebot should understand that a German court found the platform's data transfer practices violate GDPR. Ask Cookiebot for written guarantees about server location and data residency. Demand documentation of exactly which cloud providers process visitor data and under which jurisdictions. If TCF is enabled, require a list of all vendors receiving consent strings and evidence that those vendors actually check consent before processing. The Belgian DPA's finding that TCF itself violates GDPR is a strong negotiation tool — Cookiebot cannot guarantee compliance through a framework regulators have already deemed noncompliant. Use this to negotiate data processing terms, request contractual indemnification for consent failures, or justify switching to a CMP that does not depend on the TCF framework.
Runtime Detections
Runtime Detections
7 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
Impact: IAB TCF integration generates TC Strings encoding visitor consent choices and shares them with every TCF-registered vendor on the page. Adalytics research showed many vendors do not check these signals before processing data.
BTI-C07Session Recording
Full session replay
BTI-C08Cross-Domain Sync
Identity stitching
BTI-C09Consent Bypass
Ignoring CMP signals
Impact: Cookiebot JavaScript executes before any consent is collected. Sets identification cookies (CookieConsent, CookiebotConsent) and communicates with external servers pre-consent. The consent tool itself operates without consent.
BTI-C10Fingerprinting
Device identification
BTI-C15Tag Manager
Container/loader (neutral)
IOC Manifest
IOC Manifest
273 INDICATORS
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-tracking.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/chunks/hooks-BG5B1TyJ.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/chunks/lz-string-UNqkxtPb.js*
Tracking script
TRACK
*www.cookiebot.com/cdn-cgi/scripts/*/cloudflare-static/email-decode.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/chunks/geolocation-Cj0U0pz0.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-main.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-main-pricing.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-user-language.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-wp-plugin-link.js*
Tracking script
TRACK
*www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/templates/cb-search-form/js/cb-search-form.js*
Tracking script
TRACK
*www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/templates/field/js/field.js*
Tracking script
TRACK
*www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/blocks/cb-hero-product/js/cb-hero-product.js*
Tracking script
TRACK
*www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/blocks/cb-floating-form/js/cb-floating-form.js*
Tracking script
TRACK
*www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/blocks/cb-testimonials/js/cb-testimonials.js*
Tracking script
TRACK
*www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/templates/cb-footer/js/cb-footer.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-home-page-sticky-cta.js*
Tracking script
TRACK
*www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/templates/cb-header/js/cb-header.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-params-loader.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/themes/cookiebot/dist/plugins/wpcf7/js/cb-wpcf7-client.js*
Tracking script
TRACK
*www.cookiebot.com/wp-includes/js/dist/i18n.js*
Tracking script
TRACK
*www.cookiebot.com/wp-includes/js/dist/hooks.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/plugins/contact-form-7/includes/js/index.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/plugins/uc-leadgen-bubble/assets/js/uc_lg_cb.js*
Tracking script
TRACK
*www.cookiebot.com/wp-content/plugins/uc-leadgen-bubble/assets/js/uc_lg.js*
Tracking script
TRACK
*www.cookiebot.com/en/wp-content/themes/cookiebot/dist/chunks/hooks-BG5B1TyJ.js*
Tracking script
TRACK
*www.cookiebot.com/en/wp-content/themes/cookiebot/dist/chunks/swipe-detector-Bu6PCowm.js*
Tracking script
TRACK
*consent.cookiebot.com/uc.js*
Tracking script
TRACK
*consentcdn.cookiebot.com/consentconfig/*-*-4b1a-85d7-*/settings.json*
Tracking script
TRACK
*consent.cookiebot.com/*-*-4b1a-85d7-*/cc.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-tracking.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-us-redirect-cancel.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/chunks/hooks-BG5B1TyJ.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-params-loader.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-user-language.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-includes/js/dist/i18n.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-home-page-sticky-cta.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-includes/js/dist/hooks.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/templates/field/js/field.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/templates/cb-search-form/js/cb-search-form.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/blocks/cb-testimonials/js/cb-testimonials.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/plugins/contact-form-7/includes/swv/js/index.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/plugins/contact-form-7/includes/js/index.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-main-pricing.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-main.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/templates/cb-header/js/cb-header.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/blocks/cb-hero-product/js/cb-hero-product.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/templates/cb-footer/js/cb-footer.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-wp-plugin-link.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/plugins/uc-leadgen-bubble/assets/js/uc_lg.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/plugins/uc-leadgen-bubble/assets/js/uc_lg_cb.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/plugins/wpcf7/js/cb-wpcf7-client.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/chunks/lz-string-UNqkxtPb.js*
Tracking script
TRACK
*www.cookiebot.com/us/wp-content/themes/cookiebot/dist/chunks/swipe-detector-Bu6PCowm.js*
Tracking script
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-tracking.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/chunks/hooks-BG5B1TyJ.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/chunks/lz-string-UNqkxtPb.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/chunks/geolocation-Cj0U0pz0.js
Auto-extracted from scan
TRACK
www.cookiebot.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js
Auto-extracted from scan
TRACK
www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/templates/cb-header/js/cb-header.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-main.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-main-pricing.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-user-language.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-params-loader.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-wp-plugin-link.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/js/cb-home-page-sticky-cta.js
Auto-extracted from scan
TRACK
www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/templates/cb-search-form/js/cb-search-form.js
Auto-extracted from scan
TRACK
www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/templates/field/js/field.js
Auto-extracted from scan
TRACK
www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/blocks/cb-hero-product/js/cb-hero-product.js
Auto-extracted from scan
TRACK
www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/blocks/cb-floating-form/js/cb-floating-form.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/themes/cookiebot/dist/plugins/wpcf7/js/cb-wpcf7-client.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-includes/js/dist/hooks.min.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-includes/js/dist/i18n.min.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/plugins/contact-form-7/includes/js/index.js
Auto-extracted from scan
TRACK
www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/blocks/cb-testimonials/js/cb-testimonials.js
Auto-extracted from scan
TRACK
www.cookiebot.com/en/wp-content/themes/cookiebot/dist/components/templates/cb-footer/js/cb-footer.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/plugins/uc-leadgen-bubble/assets/js/uc_lg.min.js
Auto-extracted from scan
TRACK
www.cookiebot.com/wp-content/plugins/uc-leadgen-bubble/assets/js/uc_lg_cb.min.js
Auto-extracted from scan
TRACK
consent.cookiebot.com/uc.js
Auto-extracted from scan
TRACK
www.cookiebot.com/en/wp-content/themes/cookiebot/dist/chunks/hooks-BG5B1TyJ.js
Auto-extracted from scan
TRACK
www.cookiebot.com/en/wp-content/themes/cookiebot/dist/chunks/swipe-detector-Bu6PCowm.js
Auto-extracted from scan
TRACK
consent.cookiebot.com/c99c74a8-8388-4b1a-85d7-bea3bbed4aca/cc.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-tracking.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-us-redirect-cancel.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/chunks/hooks-BG5B1TyJ.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/templates/cb-header/js/cb-header.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-main.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-main-pricing.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-user-language.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-params-loader.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-wp-plugin-link.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/js/cb-home-page-sticky-cta.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/templates/cb-search-form/js/cb-search-form.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/templates/field/js/field.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/blocks/cb-hero-product/js/cb-hero-product.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/plugins/wpcf7/js/cb-wpcf7-client.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-includes/js/dist/hooks.min.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-includes/js/dist/i18n.min.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/plugins/contact-form-7/includes/swv/js/index.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/plugins/contact-form-7/includes/js/index.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/blocks/cb-testimonials/js/cb-testimonials.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/components/templates/cb-footer/js/cb-footer.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/plugins/uc-leadgen-bubble/assets/js/uc_lg.min.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/plugins/uc-leadgen-bubble/assets/js/uc_lg_cb.min.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/chunks/lz-string-UNqkxtPb.js
Auto-extracted from scan
TRACK
www.cookiebot.com/us/wp-content/themes/cookiebot/dist/chunks/swipe-detector-Bu6PCowm.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Cookiebot is owned by Usercentrics (acquired 2022) and operates as the SMB-focused product in the Usercentrics portfolio. It integrates deeply with the IAB Transparency and Consent Framework (TCF 2.3), Google Consent Mode v2, and Google Tag Manager. The platform is commonly deployed alongside Google Analytics, Google Ads, Meta Pixel, and programmatic advertising stacks. Cookiebot is available as a WordPress plugin (500,000+ installs), Shopify app, and standalone JavaScript embed. Its cloud infrastructure runs on Akamai CDN with backend services historically hosted on US-based cloud providers. The platform lists 13,000+ pre-categorized cookies in its database, positioning itself as the consent layer between visitors and the broader ad tech ecosystem.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
273 detection signatures across scripts, domains, cookies, and network endpoints