How This Briefing Works
This report opens with key findings, then maps the gaps between what Lead Forensics discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Analysis pending. Findings will appear here once intelligence collection is complete.
Disclosure Gaps
Claims vs. Observed Behavior
4 gaps
collection
HIGH
They Claim
“Does not identify personal IP addresses or mobile devices”
Observed Behavior
All visitor IPs are collected and transmitted to Lead Forensics servers; business/personal classification occurs after collection, not before
sharing
MEDIUM
They Claim
“Does not share, rent, or sell data to third parties”
Observed Behavior
The 1.4B IP database is enriched by aggregate traffic from all customer websites, which benefits all platform users including potential competitors
compliance
HIGH
They Claim
“GDPR compliant via Legitimate Interest Assessment”
Observed Behavior
Legitimate interest for deanonymization faces increasing regulatory challenge, particularly when combined with contact enrichment that appends PII without data subject consent
pending
UNKNOWN
They Claim
“Awaiting scanner verification”
Observed Behavior
Pre-consent loading behavior, cookie deployment patterns, and actual third-party network requests not yet verified by BLACKOUT scanner
Customer Impact
What This Means For You
For customers deploying Lead Forensics, the primary revenue risk is compliance exposure. Deanonymization vendors operating under legitimate interest face increasing regulatory scrutiny, particularly in the EU. A regulatory enforcement action against Lead Forensics' data practices could invalidate the legal basis for all customer data obtained through the platform, potentially requiring deletion of leads and contacts derived from the service.
Competitive intelligence leakage is a structural risk. Because Lead Forensics aggregates traffic data across its entire customer base to maintain and grow its IP database, your website visitor patterns become part of a shared intelligence asset. Competitors using the same platform benefit from the same database enriched by your traffic. Additionally, the contact data appended to visitor records may be stale, inaccurate, or associated with individuals who have objected to processing, creating deliverability and reputation risk for outbound campaigns built on this data.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for Lead Forensics
- →- Audit whether the Lead Forensics JavaScript loads before or after consent is obtained, and verify that no data is transmitted pre-consent - Request a complete Data Processing Agreement (DPA) and review the specific third-party data suppliers involved in contact enrichment - Verify that your privacy policy explicitly discloses the use of IP-based visitor identification and contact data enrichment - Assess whether legitimate interest is a defensible legal basis for deanonymization in your operating jurisdictions - Monitor the data flowing into your CRM from Lead Forensics to ensure contact records have valid opt-out mechanisms
Negotiation Leverage
- →Customers have meaningful leverage in negotiations with Lead Forensics because the platform depends on widespread JavaScript deployment across customer websites to maintain and grow its IP database. Key questions to ask: What specific third-party data suppliers provide the contact enrichment data? How is your IP database maintained and what role does aggregate customer traffic play in enrichment? What happens to data collected from our website visitors if we terminate the contract? What is the data retention period for visitor IP addresses that do not match a business record?
- →Contractual protections to demand include: explicit data deletion upon contract termination with certification, indemnification for regulatory actions arising from Lead Forensics' data practices, a prohibition on using your website traffic data to enrich the broader database or benefit other customers, and right-to-audit clauses covering both Lead Forensics and their third-party data suppliers.
Runtime Detections
Runtime Detections
8 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
BTI-C07Session Recording
Full session replay
BTI-C08Cross-Domain Sync
Identity stitching
BTI-C09Consent Bypass
Ignoring CMP signals
Impact: The tracking snippet must load before consent to capture the IP address during the HTTP handshake, creating a structural tension with consent-first requirements under ePrivacy and GDPR.
BTI-C10Fingerprinting
Device identification
BTI-C14Identity Resolution
PII deanonymization
BTI-C15Tag Manager
Container/loader (neutral)
IOC Manifest
IOC Manifest
137 INDICATORS
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*secure.leadforensics.com/js/*.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/plugins/webtoffee-cookie-consent/lite/frontend/js/script.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/plugins/webtoffee-cookie-consent/lite/frontend/js/gcm.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/themes/Lead-Forensics/js/wistia-videos.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/themes/Divi/includes/builder/feature/dynamic-assets/assets/js/jquery.fitvids.js*
Tracking script
TRACK
*www.leadforensics.com/wp-includes/js/jquery/jquery.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/themes/Divi/core/admin/js/common.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/plugins/dflip/assets/js/dflip.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/themes/Lead-Forensics/splide-slider/dist/js/splide-extension-auto-scroll.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/plugins/gravityforms/js/jquery.json.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/themes/Lead-Forensics/js/all-pages.js*
Tracking script
TRACK
*www.leadforensics.com/wp-includes/js/dist/dom-ready.js*
Tracking script
TRACK
*www.leadforensics.com/wp-includes/js/jquery/jquery-migrate.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/plugins/gravityforms/assets/js/dist/vendor-theme.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/themes/Divi/js/scripts.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/themes/Lead-Forensics/splide-slider/dist/js/splide.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/plugins/gravityforms/assets/js/dist/utils.js*
Tracking script
TRACK
*www.leadforensics.com/wp-includes/js/dist/i18n.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/plugins/gravityforms/js/gravityforms.js*
Tracking script
TRACK
*www.leadforensics.com/wp-includes/js/dist/hooks.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/themes/Lead-Forensics/splide-slider/splide-options.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/plugins/gravityforms/js/placeholders.jquery.js*
Tracking script
TRACK
*www.leadforensics.com/wp-content/plugins/gravityforms/assets/js/dist/scripts-theme.js*
Tracking script
TRACK
*www.leadforensics.com/wp-includes/js/dist/a11y.js*
Tracking script
TRACK
www.leadforensics.com/wp-content/plugins/webtoffee-cookie-consent/lite/frontend/js/script.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/plugins/webtoffee-cookie-consent/lite/frontend/js/gcm.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/themes/Lead-Forensics/js/wistia-videos.js
Auto-extracted from scan
TRACK
secure.leadforensics.com/js/156541.js
Auto-extracted from scan
TRACK
secure.leadforensics.com/js/1392.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/themes/Lead-Forensics/splide-slider/dist/js/splide.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/themes/Lead-Forensics/splide-slider/dist/js/splide-extension-auto-scroll.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/themes/Lead-Forensics/splide-slider/splide-options.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-includes/js/jquery/jquery.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-includes/js/jquery/jquery-migrate.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/themes/Lead-Forensics/js/all-pages.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/themes/Divi/js/scripts.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/plugins/dflip/assets/js/dflip.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/themes/Divi/includes/builder/feature/dynamic-assets/assets/js/jquery.fitvids.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/themes/Divi/core/admin/js/common.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-includes/js/dist/dom-ready.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-includes/js/dist/hooks.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-includes/js/dist/i18n.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-includes/js/dist/a11y.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/plugins/gravityforms/js/jquery.json.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/plugins/gravityforms/js/gravityforms.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/plugins/gravityforms/js/placeholders.jquery.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/plugins/gravityforms/assets/js/dist/utils.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/plugins/gravityforms/assets/js/dist/vendor-theme.min.js
Auto-extracted from scan
TRACK
www.leadforensics.com/wp-content/plugins/gravityforms/assets/js/dist/scripts-theme.min.js
Auto-extracted from scan
TRACK
secure.leadforensics.com/Track/Capture.aspx
Auto-extracted from scan
TRACK
secure.leadforensics.com/apollo/capture
Auto-extracted from scan
TRACK
secure.leadforensics.com/js/209457.js
Auto-extracted from scan
TRACK
secure.leadforensics.com/js/13832.js
Auto-extracted from scan
TRACK
secure.leadforensics.com/js/805535.js
Auto-extracted from scan
TRACK
secure.leadforensics.com/apollo/callback/demandbase
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Lead Forensics maintains native CRM integrations with Salesforce, HubSpot, Pipedrive, Microsoft Dynamics, and Zoho CRM, enabling automatic push of identified visitor data into sales pipelines. The platform transfers company name, address, industry, page visit data, and enriched contact details directly into CRM records and timeline events.
The data supply chain involves unnamed third-party data suppliers who provide the contact enrichment layer (names, emails, phone numbers, LinkedIn profiles). Lead Forensics acknowledges these are "well known companies" with contractual agreements but does not publicly identify them. Data may be transferred to the USA, with Lead Forensics citing lawful mechanisms for cross-border transfers. The platform's 1.4 billion IP address database is proprietary and continuously growing, fed in part by the aggregate traffic patterns observed across all customer deployments.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
137 detection signatures across scripts, domains, cookies, and network endpoints