LuckyOrange

LuckyOrange delivers session replay and heatmapping achieving 100/100 CAC subsidization through CRO intelligence monetization. Four BTI codes including identity resolution create 95/100 legal exposure while feeding competitor optimization insights.

52 IOCs · 4 detections · 50% pre-consent · 3 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what LuckyOrange discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

4 detections across 3 sites · 50% pre-consent activity · CRITICAL

Pre-Consent Activity

LuckyOrange was observed loading and executing before user consent was obtained on 50% of sites where it was detected.

Tags: GDPR · ePrivacy

Claims vs. Observed Behavior

1 gap (pending)

Status: UNKNOWN
They Claim: Unknown
Observed Behavior: Requires claims extraction via CDT

What This Means For You

CRO teams discover optimization insights in competitor landing pages within 30 days. Product teams see A/B test winners replicated in competitor experiences. Legal inherits GDPR exposure from session recording without explicit surveillance consent. RevOps loses competitive advantage as conversion intelligence feeds competitor funnel optimization.

What To Do About It

Role-specific actions based on observed behavior

If You Use LuckyOrange

  • Audit session replay consent language—"analytics" consent insufficient for surveillance
  • Extract identity resolution evidence showing cross-session tracking
  • Map CRO insights to competitor landing page optimization timing

If You're Evaluating LuckyOrange

  • Quantify A/B test intelligence leakage through anonymized data syndication
  • Calculate CRO intelligence monetization (your tests, their consulting revenue)
  • Document GDPR Article 6 violations—session replay requires explicit surveillance consent

Negotiation Leverage

  • LuckyOrange session replays capture form inputs and cart contents—PII exposure documented
  • 100/100 CAC subsidization through CRO intelligence syndication to consulting networks
  • Consent bypass (C09) initiates recording pre-authorization—GDPR Article 6 violations timestamped
  • Identity resolution (C14) creates persistent profiles from anonymous sessions without user awareness
  • Heatmap data reveals UX weaknesses competitors exploit in their designs
  • 95/100 legal exposure—session recording requires explicit surveillance consent under GDPR
  • Evidence pack includes pre-consent session captures and cross-session identity proof

Runtime Detections

4 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06: Behavioral Biometrics

Keystroke/mouse tracking

Impact: Mouse movement and scroll patterns captured to generate heatmaps revealing user intent

BTI-C08: Cross-Domain Sync

Identity stitching

Impact: Identity persistence across sessions enables long-term conversion funnel analysis

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: Session recording initiates on page load before consent resolution

BTI-C14: Identity Resolution

PII deanonymization

Impact: Anonymous session stitching creates persistent identity across visits and devices

IOC Manifest

50 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Category  Indicator  Note
TRACK  *tools.luckyorange.com/core/lo.js*  Tracking script
TRACK  *tools.luckyorange.com/core/web-vitals.js*  Tracking script
TRACK  *tools.luckyorange.com/core/core.js*  Tracking script
TRACK  *tools.luckyorange.com/messenger/bootstrap.js*  Tracking script
TRACK  *tools.luckyorange.com/integrations/integration-optimizely/core/main.js*  Tracking script
TRACK  *tools.luckyorange.com/integrations/integration-google-analytics/core/main.js*  Tracking script
TRACK  *tools.luckyorange.com/core/frame.js*  Tracking script
TRACK  *tools.luckyorange.com/messenger/js/app.*.js*  Tracking script
TRACK  *tools.luckyorange.com/messenger/js/chunk-vendors.*.js*  Tracking script
TRACK  d10lpsik1i8c69.cloudfront.net  Tracking script
TRACK  tools.luckyorange.com  Tracking script
TRACK  tools.luckyorange.com/core/lo.js  Auto-extracted from scan
TRACK  tools.luckyorange.com/core/web-vitals.js  Auto-extracted from scan
TRACK  tools.luckyorange.com/core/core.js  Auto-extracted from scan
TRACK  tools.luckyorange.com/messenger/bootstrap.js  Auto-extracted from scan
TRACK  tools.luckyorange.com/integrations/integration-optimizely/core/main.js  Auto-extracted from scan
TRACK  tools.luckyorange.com/integrations/integration-google-analytics/core/main.js  Auto-extracted from scan
TRACK  tools.luckyorange.com/core/frame.js  Auto-extracted from scan
TRACK  tools.luckyorange.com/messenger/js/app.ffe3e7e4.js  Auto-extracted from scan
TRACK  tools.luckyorange.com/messenger/js/chunk-vendors.5e9052ad.js  Auto-extracted from scan
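The manifest says its indicators are meant for detection rules and Pi-hole blocklists. The Python below is an added example, not BLACKOUT's or LuckyOrange's code: it turns a subset of the manifest's wildcard patterns into anchored regular expressions, runs them over a constructed list of timestamped requests standing in for HAR entries, flags the requests issued before a constructed consent timestamp (the check behind a "pre-consent" finding), and collapses the patterns to bare hostnames in the form a Pi-hole exact-domain list takes. The indicator strings are copied from the manifest; the request list, its timestamps, the consent time and the cloudfront path are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicator strings copied from the manifest above. '*' is a wildcard;
# entries without '*' or '/' are bare hostnames.
IOC_PATTERNS = [
    "*tools.luckyorange.com/core/lo.js*",
    "*tools.luckyorange.com/core/core.js*",
    "*tools.luckyorange.com/messenger/js/app.*.js*",
    "*tools.luckyorange.com/messenger/js/chunk-vendors.*.js*",
    "d10lpsik1i8c69.cloudfront.net",
    "tools.luckyorange.com",
]

# Constructed sample: (seconds after navigation start, request URL). Stands in
# for the entries of a HAR capture; the cloudfront path is made up.
SAMPLE_REQUESTS = [
    (0.41, "https://tools.luckyorange.com/core/lo.js"),
    (0.62, "https://tools.luckyorange.com/core/core.js?v=3"),
    (0.75, "https://www.example-shop.test/assets/app.js"),
    (1.10, "https://tools.luckyorange.com/messenger/js/app.ffe3e7e4.js"),
    (2.30, "https://d10lpsik1i8c69.cloudfront.net/w/example.js"),
]
CONSENT_AT = 1.50  # constructed: when the CMP recorded the visitor's consent


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a manifest wildcard pattern into an anchored regex ('*' -> '.*')."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matches_ioc(url: str, patterns=IOC_PATTERNS):
    """Return the first indicator matching the URL, or None.

    Path patterns are matched against host+path (query string ignored);
    bare hostnames match the host itself and any subdomain of it.
    """
    parts = urlsplit(url)
    host_and_path = parts.netloc + parts.path
    for pat in patterns:
        if "*" in pat or "/" in pat:
            if pattern_to_regex(pat).match(host_and_path):
                return pat
        elif parts.netloc == pat or parts.netloc.endswith("." + pat):
            return pat
    return None


def scan(requests):
    """Return (time, url, indicator) for every request that hits an indicator."""
    hits = []
    for t, url in requests:
        ioc = matches_ioc(url)
        if ioc is not None:
            hits.append((t, url, ioc))
    return hits


def pre_consent_hits(requests, consent_at):
    """Indicator hits issued before the consent event: the 'pre-consent' finding."""
    return [h for h in scan(requests) if h[0] < consent_at]


def pihole_blocklist(patterns=IOC_PATTERNS):
    """Collapse indicators to bare hostnames (Pi-hole exact-domain list format).

    Pi-hole blocks by DNS name, so a script path reduces to its host; a host
    that still contains a wildcard cannot be expressed and is skipped.
    """
    hosts = set()
    for pat in patterns:
        host = pat.lstrip("*").split("/")[0]
        if host and "*" not in host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for t, url, ioc in scan(SAMPLE_REQUESTS):
        flag = "PRE-CONSENT" if t < CONSENT_AT else "post-consent"
        print(f"{t:5.2f}s  {flag:12s}  {url}  <- {ioc}")
    print("Pi-hole blocklist:", *pihole_blocklist(), sep="\n  ")
```

Pattern order matters: the path-level indicators are listed before the bare hostnames so the most specific indicator is the one reported for a hit. In a real run the timestamps come from each HAR entry's start time relative to the moment the consent management platform records consent, and any hit with an earlier time is evidence for a pre-consent finding.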

Ecosystem & Supply Chain

LuckyOrange commonly deploys alongside Hotjar and Crazy Egg, triplicating heatmap and session replay infrastructure. Integration with Google Optimize creates redundant A/B testing that compounds behavioral data exposure.

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

52 detection signatures across scripts, domains, cookies, and network endpoints
