71+ hidden trackers, undisclosed proof-of-work computation, behavioral fingerprinting, session replay, and cross-device surveillance infrastructure discovered running behind a music generation website.
A forensic analysis of browser data from a personal workstation used to access Suno.com revealed an extensive, undisclosed surveillance and computational exploitation infrastructure far beyond what any music generation service requires.
A single Suno tab running for months with 25+ tracker scripts is equivalent to running 25 small background applications on a user's computer simultaneously, none of which were designed to run for more than a few hours. The computer wasn't "almost dying" — it was being strip-mined for data.
Critical Discovery: hCaptcha is self-hosted on Suno's own subdomains to evade ad blockers and privacy tools. Our deobfuscation of the captured 300KB api.js script revealed a custom bytecode virtual machine with 619 obfuscated functions, 35,000+ encoded instructions, and a full behavioral biometrics pipeline capturing mouse, touch, keyboard, and device motion data. The script uses Private State Tokens to track users across sessions — even in incognito mode.
These services literally record everything a user does on the page — every mouse movement, click, scroll, and keystroke.
Push notifications, email campaigns, user segmentation, and behavioral re-engagement.
Every major advertising platform has a pixel running on Suno — each one tracking your behavior and linking it to your identity on that platform.
The most alarming discovery. Suno self-hosts hCaptcha on its own subdomains to evade ad blockers, then runs invisible proof-of-work computations on your CPU — without disclosure or consent. Our deobfuscation of the captured 300KB script revealed a deeply obfuscated surveillance and computation framework.
VNR deobfuscated hCaptcha's captured api.js (300KB, minified) and found a custom bytecode virtual machine with 67 opcodes, 35,000+ encoded instructions, and an XOR-shifted string table designed to prevent static analysis. The script runs SHA-256 proof-of-work challenges via SubtleCrypto and WebAssembly acceleration — the same computational technique used in cryptocurrency mining. It captures full behavioral biometrics (mouse, touch, keyboard, device motion) and uses Private State Tokens issued by pst-issuer.hcaptcha.com to track users across sessions, even in incognito mode.
The script is served from Suno-owned hostnames (such as hcaptcha-endpoint-prod.suno.com) to bypass ad blockers and privacy lists that block *.hcaptcha.com. This is a deliberate evasion tactic.
chrome-extension:// URLs.
The script uses Private State Tokens issued by pst-issuer.hcaptcha.com that persist across browsing sessions and survive incognito mode. Combined with Storage Access API requests, this creates a dual-layer persistence mechanism that works even when third-party cookies are blocked.
The script wraps getElementById, querySelector, Element.click(), and even console.log with Proxy objects that intercept calls from every other script on the page — effectively surveilling all JavaScript execution.
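One defensive check follows from this: a script that wraps page APIs in Proxies cannot be caught by reading the function's source, because V8 reports a Proxy around a function as native code, but it can be caught by comparing the current values against references captured before any page script ran. The following is an added example, not code from this page, from VNR, or from hCaptcha. It runs under Node, so a constructed object stands in for the browser's `document` and `console`; in a browser the same `snapshot`/`detectHooks` pair would be run from an extension content script at `document_start` and again later, passing the real globals.

```javascript
// Added example: detect API hooking by comparing against pristine references.
// `target` is a constructed stand-in for `document` / `console`; in a browser
// you would pass the real objects with the property names below.
function snapshot(target, names) {
  const saved = Object.create(null);
  for (const name of names) saved[name] = target[name];
  return saved;
}

// Returns the names whose current value is no longer the pristine function.
function detectHooks(target, saved) {
  return Object.keys(saved).filter((name) => target[name] !== saved[name]);
}

// Source-text check. A Proxy around a function still prints as native code in
// V8, so this is not sufficient on its own; it is included to show the limitation.
function looksNative(fn) {
  return typeof fn === 'function' &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Constructed stand-in for the page globals.
function makePageGlobals() {
  return {
    getElementById: function getElementById(id) { return { id }; },
    querySelector: function querySelector(sel) { return { sel }; },
    log: function log() {},
  };
}

// Models what the page describes: APIs replaced by call-intercepting Proxies,
// so that calls made by any other script are observed before being forwarded.
function installInterceptingProxies(target, names, sink) {
  for (const name of names) {
    target[name] = new Proxy(target[name], {
      apply(fn, thisArg, args) {
        sink.push({ name, args });
        return Reflect.apply(fn, thisArg, args);
      },
    });
  }
}

// Capture references first, let the "tracker" install its hooks, then compare.
function demo() {
  const names = ['getElementById', 'querySelector', 'log'];
  const page = makePageGlobals();
  const pristine = snapshot(page, names);        // taken before other scripts run
  const observed = [];
  installInterceptingProxies(page, ['getElementById', 'log'], observed);
  page.getElementById('track-list');              // a normal call by the app
  return {
    hooked: detectHooks(page, pristine),          // ['getElementById', 'log']
    interceptedCalls: observed.length,            // 1
    proxyStillLooksNative: looksNative(page.getElementById),
  };
}

console.log(demo());
```

The comparison only works if the snapshot is taken before the page's own scripts execute, which is why a content script at `document_start` (or a fresh same-origin iframe's `contentWindow` as a pristine source) is the practical place to take it.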
These services link a user's identity across different devices, browsers, and platforms — building a comprehensive profile.
42 additional tracking domains set cookies through the ad pixels above. These aren't directly loaded by Suno's page but get synced through redirect chains, so ad networks can identify you across the entire web.
| # | Domain | Company | Function |
|---|---|---|---|
| 30 | .adnxs.com | Xandr (Microsoft) | Programmatic ad exchange |
| 31 | .adsrvr.org | The Trade Desk | Demand-side platform |
| 33 | .agkn.com | Acxiom | Links online identity to offline data |
| 38 | .criteo.com | Criteo | Retargeting — shows Suno ads after a user visits |
| 39 | .crwdcntrl.net | Lotame | Aggregates browsing into audience segments |
| 40 | .demdex.net | Adobe | Enterprise data management platform |
| 41 | .doubleclick.net | Google | Persistent ad ID across the entire web |
| 45 | .id5-sync.com | ID5 | Universal ID surviving cookie deletion |
| 49 | .liadm.com | LiveIntent | Email-based identity resolution |
| 52 | .pippio.com | LiveRamp | Connects cookies, email, phone, device IDs |
| 54 | .quantserve.com | Quantcast | Audience measurement and bidding |
| 56 | .rubiconproject.com | Magnite | Largest programmatic ad exchange |
| 61 | .taboola.com | Taboola | Clickbait "recommended content" ads |
Plus 29 additional ad exchange domains documented in the full encyclopedia.
The combined resource cost of 25+ persistent JavaScript tracker files running simultaneously in a single browser tab.
| Resource | Fresh Tab | After 24h | After 1 Week | After 1 Month |
|---|---|---|---|---|
| RAM | ~500 MB | ~800 MB | ~1.5 GB | ~3+ GB |
| CPU | ~10% | ~12% | ~15% | ~20%+ |
| Connections | ~30 | ~30-40 | ~50+ | ~60+ |
| IndexedDB | ~2 MB | ~10 MB | ~50 MB | ~200+ MB |
The mutation feedback loop, step by step:
1. Normal UI update: waveform render, track list change, generation status poll.
2. The session replay recorder serializes the DOM change and adds measurement elements.
3. Trackers add data attributes, measurement elements, or shadow nodes for recording.
4. The observer fires on its own modifications. After weeks of running, the internal mutation queue grows unbounded, processing stale mutations mixed with current ones.
5. GPU-rendered and CPU-rendered layers composite at different rates and positions. CSS transform matrices produce incorrect results. The screen warps, slants, and distorts.
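An added simulation of that loop (not code from this page or from any of the trackers named): a session-replay style observer callback inserts a measurement node and stamps an attribute on it for every mutation record it sees. Because the browser delivers MutationObserver records in batches, a callback that reacts to records caused by its own insertions doubles the queue on every batch, while the guarded variant skips records whose node it created itself and settles after one batch. The `SimNode` class and the record queue are a constructed stand-in for the DOM so the loop runs under Node; the guard is the same one you would apply to `record.target` and `record.addedNodes` in a real observer.

```javascript
// Added example: a MutationObserver-style feedback loop and its guard, on a
// constructed stand-in for the DOM. Not the code of any tracker on the page.
class SimNode {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; }
}

// Mutation records are queued as mutations happen and drained once per batch,
// mirroring how the browser hands MutationObserver records to the callback.
function makeDocument() {
  const queue = [];
  const mutate = {
    append(parent, child) {
      parent.children.push(child);
      queue.push({ type: 'childList', target: parent, added: child });
    },
    setAttr(node, name, value) {
      node.attrs[name] = value;
      queue.push({ type: 'attributes', target: node, name });
    },
  };
  return { queue, mutate };
}

// Replay-style callback: for each record it inserts a measurement <span> next
// to the mutated node and stamps a data attribute on it. With `guarded` false
// it also reacts to the records those insertions generate.
function replayObserver(mutate, own, guarded) {
  return (records) => {
    let processed = 0;
    for (const rec of records) {
      const node = rec.type === 'childList' ? rec.added : rec.target;
      if (guarded && own.has(node)) continue;     // skip our own artifacts
      processed++;
      const marker = new SimNode('span');
      own.add(marker);                            // remember what we created
      mutate.append(rec.target, marker);          // -> one childList record
      mutate.setAttr(marker, 'data-replay', 'measured'); // -> one attributes record
    }
    return processed;
  };
}

// Seeds one normal UI update, then delivers `batches` batches to the callback.
function runLoop(batches, guarded) {
  const doc = makeDocument();
  const own = new WeakSet();
  const callback = replayObserver(doc.mutate, own, guarded);
  const root = new SimNode('div');
  doc.mutate.append(root, new SimNode('ul'));     // e.g. a track list being rendered
  let totalProcessed = 0;
  let maxQueue = 0;
  for (let i = 0; i < batches; i++) {
    const records = doc.queue.splice(0);          // drain one batch
    maxQueue = Math.max(maxQueue, records.length);
    totalProcessed += callback(records);
  }
  return { totalProcessed, maxQueue, pending: doc.queue.length };
}

console.log('unguarded:', runLoop(10, false));   // queue doubles every batch
console.log('guarded:  ', runLoop(10, true));    // settles after the first batch
```

Ten batches are enough to show the shape: the unguarded callback processes 1023 records from a single UI change and still has 1024 queued, the guarded one processes exactly one. In a real page the equivalent guard is to skip records whose `target` or `addedNodes` the observer created, and to call `observer.takeRecords()` right after making its own changes so those records are discarded rather than re-processed.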
This tracker stack potentially violates multiple federal and state statutes.
Unauthorized use of computing resources via hCaptcha's undisclosed proof-of-work computation without informed consent.
Unfair and deceptive trade practices. Undisclosed session replay, hidden ad tracking via security subdomains, and system-degrading tracker stacks.
Pervasive tracking, A/B testing enrollment, and cross-device identity graphs without plain, specific consent.
South Carolina statute covering unauthorized use of computer resources — applicable to undisclosed PoW computation via hCaptcha on the investigator's workstation.
All forensic data was extracted from local browser profile databases only. No live network calls were made during evidence collection. Evidence was extracted from SQLite databases, LevelDB stores, IndexedDB, LocalStorage, and cookie stores across five browser profiles (Comet, Brave, Edge, Chrome, and an isolated Chromium instance). All raw extraction data has been preserved with original timestamps.
VNR provides free, open-source cleanup tools to purge tracker artifacts from your browser profiles.