Live HAR capture during authenticated Suno session. 1,326 outbound POST requests transmitting user identifiers, clip IDs, creative process events, and full DOM session recordings to 15+ third-party tracker networks. This is not analytics — this is exfiltration.
User reported window distortion (weird shapes) at 20:00 EST. Chrome PID 32772 consumed 2,303.7 CPU seconds (38+ minutes of solid processing) with 183 MB RAM and 1,072 handles — consistent with the Microsoft Clarity session replay loop documented in the Suno Tracker Report. The compositor loop forces repeated GPU repaints that cause window geometry corruption across the desktop.
| PID | RAM | CPU (sec) | Handles | Assessment |
|---|---|---|---|---|
| 6148 | 31 MB | 48.1 | 442 | Normal |
| 11744 | 25 MB | 128.6 | 370 | Elevated |
| 16548 | 31 MB | 43.9 | 426 | Normal |
| 25676 | 12 MB | 82.7 | 303 | Normal |
| 26152 | 28 MB | 75.8 | 373 | Normal |
| 26892 | 135 MB | 523.8 | 491 | 🔴 TRACKER RENDERER |
| 28992 | 133 MB | 838.0 | 2,047 | 🔴 HEAVY ABUSE — 2K HANDLES |
| 32772 | 183 MB | 2,303.7 | 1,072 | 🔴 COMPOSITOR LOOP — WARPING SOURCE |
| File Path | Size | Tracker Hits | Status |
|---|---|---|---|
| \ActorSafetyLists\8.6294.2057\listdata.json | 718.5 KB | ⚡ FOUND | |
| \component_crx_cache\...\model.tflite | 2,673 KB | ⚡ FOUND | |
| \Default\Extensions\aeblfdkh...\background.js (HP AI for Print extension — previously flagged) | 2,954 KB | 🔴 CRITICAL | |
| \optimization_guide_model_store\...\ruleset1 | 11.7 KB | ⚡ FOUND | |
Incidents logged after cleanup. Despite destroying cached tracker artifacts, damage recurs every time Chrome reconnects to tracker domains — persistent, self-regenerating exploitation chains that burn CPU and corrupt GPU compositor state until DNS-blocked.
Desktop-wide window warping during Suno session. Two Chrome renderers consuming extreme CPU — Clarity MutationObserver loop.
Analysis: PID 600: 1,733 handles (4x normal) — Clarity replay signature. Combined CPU burn: 791s (13.2 min).
Incident logged by VNR SCAN Protocol v1.0 | Automated process kill executed
Warping persisted after Chrome kill. GPU abuse migrated to Brave despite Shields. Same MutationObserver loop in Brave renderers.
Critical: Shields block network requests but not inline scripts. Clarity runs locally — shield-based blocking is fundamentally insufficient. Requires DOM-layer stripping (Project Fortress).
Incident logged by VNR SCAN Protocol v1.0 | User activity: AI chat (Grok/x.ai) — NOT Suno
System memory exhaustion: 13.7 GB total, only 0.9 GB free. DWM cannot allocate GPU surfaces → frame geometry corruption → desktop-wide warping.
Compounding: Tracker CPU burn inflates renderer memory → pushes past 13.7 GB ceiling → desktop-wide geometry corruption until trackers killed or memory freed.
Root cause analysis by VNR SCAN Protocol v1.0 | Full process inventory preserved
Each cleanup round gets harder. Across three documented cleanup cycles, Suno's tracker infrastructure exhibited progressive persistence — artifacts re-seed into deeper browser directories, new self-hosted domains evade existing blocklists, and the OS increasingly resists programmatic remediation.
Conclusion: Suno's tracker stack is not static. Every visit plants deeper artifacts that survive standard cleanup. Round 1 needed 5 targets. Round 3 needed 32. This validates the "Step Zero" doctrine — the only effective countermeasure is to never go back.
Finding documented by VNR SCAN Protocol v1.0 | 3-round longitudinal observation | Operator: Voss Neural Research
VNR performed a live network capture on March 9, 2026 during an authenticated Suno session. The capture revealed that hCaptcha has NOT been replaced by Cloudflare Turnstile — both systems run simultaneously. More critically, Suno hosts hCaptcha infrastructure on their own subdomains to evade ad blockers and privacy extensions.
Instead of loading from hcaptcha.com (which can be blocked), Suno serves the hCaptcha PoW engine from their own infrastructure:
Why this matters: Existing hosts-file blocklists that target hcaptcha.com, js.hcaptcha.com, assets.hcaptcha.com will NOT catch the self-hosted variant. You must also block hcaptcha-assets-prod.suno.com and hcaptcha-endpoint-prod.suno.com.
14 domains on initial page load expanded to 22 domains during song generation — 8 new tracker domains activated by the Create action:
| Domain | Provider | Triggered By |
|---|---|---|
| hcaptcha-assets-prod.suno.com | hCaptcha (Suno-hosted) | 🔴 Song Generation |
| hcaptcha-endpoint-prod.suno.com | hCaptcha (Suno-hosted) | 🔴 Song Generation |
| analytics.google.com | | Song Generation |
| googleads.g.doubleclick.net | Google Ads / DoubleClick | Song Generation |
| bat.bing.com | Microsoft Bing UET | Song Generation |
| b.applovin.com | AppLovin | Song Generation |
| collector.agentio.com | Agentio | Song Generation |
| sdk-api-v1.singular.net | Singular | Song Generation |
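One way to derive per-host POST counts and the page-load versus song-generation host diff from a HAR export, as an added example (not VNR's tooling or code from this page). The HAR entries, URL paths and cutoff timestamp are constructed, and `FIRST_PARTY` and all function names are assumptions; the last function shows why the Suno-hosted hCaptcha names slip past a plain third-party filter.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

FIRST_PARTY = "suno.com"  # assumption: the site under test

def _entry(ts, method, url):
    # Minimal HAR 1.2 entry; constructed sample data, paths are placeholders.
    return {"startedDateTime": f"2026-03-09T{ts}Z",
            "request": {"method": method, "url": url}}

SAMPLE_HAR = {"log": {"entries": [
    _entry("03:24:05", "GET", "https://suno.com/p"),
    _entry("03:24:06", "POST", "https://clarity.ms/p"),
    _entry("03:24:09", "POST", "https://clarity.ms/p"),
    _entry("03:26:40", "GET", "https://hcaptcha-assets-prod.suno.com/p"),
    _entry("03:26:41", "POST", "https://hcaptcha-endpoint-prod.suno.com/p"),
    _entry("03:26:42", "POST", "https://bat.bing.com/p"),
    _entry("03:26:43", "POST", "https://clarity.ms/p"),
]}}

def _host(entry):
    return urlsplit(entry["request"]["url"]).hostname

def is_first_party(host):
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)

def third_party_posts(har):
    """Count outbound POSTs per host outside the first-party domain."""
    return Counter(_host(e) for e in har["log"]["entries"]
                   if e["request"]["method"] == "POST"
                   and not is_first_party(_host(e)))

def hosts_first_seen_after(har, cutoff_iso):
    """Hosts whose earliest request starts at or after the cutoff."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    first = {}
    for e in har["log"]["entries"]:
        ts = datetime.fromisoformat(e["startedDateTime"].replace("Z", "+00:00"))
        first[_host(e)] = min(ts, first.get(_host(e), ts))
    return sorted(h for h, ts in first.items() if ts >= cutoff)

def vendor_on_first_party(hosts, vendor_labels=("hcaptcha",)):
    """First-party subdomains named after a vendor; a plain
    'not under suno.com' filter counts these as first-party."""
    return [h for h in hosts
            if is_first_party(h) and any(v in h for v in vendor_labels)]

if __name__ == "__main__":
    new = hosts_first_seen_after(SAMPLE_HAR, "2026-03-09T03:26:00+00:00")
    print(third_party_posts(SAMPLE_HAR), new, vendor_on_first_party(new))
```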
Deep binary scan of Comet browser's Local Storage LevelDB files found hCaptcha configuration and trust cache data actively stored across dozens of origins — not just suno.com:
Live capture executed: 2026-03-09 03:24–03:30 EST | 206 resources loaded | Authenticated session
The extension aeblfdkhhhdcdjpifhhbdiojplfjncoa has been fully eliminated. Its background.js (2.9 MB) contained references to 58 tracker domains including Suno, Criteo, Tapad, Maze, and 45 DoubleClick references. The following actions were taken:
Extension ID: aeblfdkhhhdcdjpifhhbdiojplfjncoa | Status: ELIMINATED
After documenting the attack chain across two browsers (Chrome and Brave), identifying the root cause (memory exhaustion via tracker-induced CPU loops), and confirming that network-level shields are insufficient (Brave Shields cannot block inline Clarity scripts), VNR deployed the only permanent solution available without a custom browser: a DNS-level domain blocklist injected right into the Windows hosts file.
This blocks tracker domains at the operating system layer — before any browser, extension, or shield has a chance to process the request. When a tracker script attempts to phone home to clarity.ms, hcaptcha.com, or pixel.tapad.com, the DNS resolution returns 0.0.0.0 — a dead route. The script loads but cannot transmit, breaking the feedback loop.
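A coverage check for the hosts-file approach described above, which also applies to the earlier note about the Suno-hosted hCaptcha subdomains. This is an added example, not VNR's LOCKER script: the sample blocklist is constructed, the function names are assumptions, and the hostnames are the ones named on this page.

```python
SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed sample blocklist in hosts-file syntax.
SAMPLE_HOSTS = """\
# tracker sinkhole (sample)
0.0.0.0 hcaptcha.com js.hcaptcha.com
0.0.0.0 clarity.ms        # session replay
0.0.0.0 pixel.tapad.com
"""

# Hostnames taken from this page; stand-in for the hosts seen in a capture.
OBSERVED = [
    "hcaptcha.com", "js.hcaptcha.com", "assets.hcaptcha.com",
    "hcaptcha-assets-prod.suno.com", "hcaptcha-endpoint-prod.suno.com",
    "clarity.ms", "pixel.tapad.com",
]

def parse_hosts(text):
    """Map each hostname in hosts-file text to its address."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()            # one address, 1..n names
        for name in names:
            # keep the first mapping seen for a name
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping

def uncovered(observed, hosts_text):
    """Observed hosts with no sinkhole entry. Lookup is exact because a hosts
    file has no wildcard or suffix matching: an entry for hcaptcha.com does
    not cover assets.hcaptcha.com or the suno.com-hosted names."""
    mapping = parse_hosts(hosts_text)
    return sorted(h for h in observed
                  if mapping.get(h.lower().rstrip(".")) not in SINKS)

def lines_to_add(observed, hosts_text):
    """Hosts-file lines that would close the gap."""
    return [f"0.0.0.0 {h}" for h in uncovered(observed, hosts_text)]

if __name__ == "__main__":
    print("\n".join(lines_to_add(OBSERVED, SAMPLE_HOSTS)))
```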
Browser shields intercept network requests to known tracker domains. But the Clarity session replay script is embedded inline in the page source. It performs DOM serialization, mutation recording, and GPU-thrashing repaints entirely in the local renderer process.
DNS-level blocking doesn't stop execution, but breaks the feedback loop. When transmission to clarity.ms fails (0.0.0.0), the script's retry/buffer logic exhausts and stops the abusive observation cycle.
The real solution requires a custom browser (Project Fortress) that strips these scripts at the DOM parsing layer.
GPU compositor warping is compounded by memory pressure (system at >90% utilization). Recommendations:
--renderer-process-limit=4
Before a single note plays, the page fires 71+ tracker scripts in parallel. These aren't loaded one at a time — they're injected simultaneously via <script async> tags, each from a different third-party domain. The browser's network thread fans out to 30+ external servers before the UI has finished rendering.
hCaptcha doesn't just verify you're human — it runs a Proof-of-Work (PoW) computation that uses your CPU to solve cryptographic hash puzzles. The script contains references to blockchain terminology: hashNonce, prevHash. Your machine is literally mining while you think about what song to generate. It runs silently in a Web Worker, avoiding the browser's "unresponsive" warning.
This is the one that warps your windows.
Microsoft Clarity records every mouse movement, scroll, click, and DOM mutation by hooking MutationObserver. On a complex page like Suno, this creates a feedback loop:
The saturated GPU compositor starves every other window of compositor time — causing desktop-wide geometry corruption.
Incognito mode provides zero meaningful protection. Tracker stacks persist identification by using the SharedWorker and BroadcastChannel APIs to communicate across tabs. Combined with canvas and WebGL fingerprinting, identification continues without cookies.
Keeping a Suno tab open for hours accumulates massive tracker state. Clarity writes hundreds of megabytes of session replay data to IndexedDB. Combined with hCaptcha PoW caches and retargeting pixels, a single Chrome profile can bloat to 9.6 GB. This persists in SQLite databases, ignoring basic "clear history" commands.
HP silently installs this extension via Windows Group Policy. It intercepts every HTTP request with full data privileges. Its 2.9 MB background.js contacts 45 DoubleClick tracking domains. It amplifies the tracker stack by injecting this payload into every page, tracking even on clean sites. It requires a registry nuke to permanently clear.
Extension directory, CRX cache, and registry policies destroyed. 58 tracker domain references permanently removed from Chrome.
ActorSafetyLists, component_crx_cache, optimization_guide_model_store, Cache_Data, and Code Cache all destroyed. Clean regeneration on next launch.
Tracker domains blackholed to 0.0.0.0 via Windows hosts file. hCaptcha, Clarity, Braze, Criteo, Tapad, and others permanently unreachable.
No cleanup tool can protect you while the source remains installed. Delete your Suno account. Don't go back to it. This is the only way to ensure your CPU's safety and guarantee that VNR SCAN is effective.
DNS LOCKER blocklist + tracker removal scripts + browser profile cleaner.
Everything documented on this page, packaged for your machine.
Pay what you want. Free is fine. We're not here to sell — we're here to stop this.
Step 1: Delete Suno | Step 2: Run LOCKER | Step 3: Verify Clean