Phantom Browser

A Rust and Tauri desktop control plane wrapped around the Camoufox stealth runtime. Phantom Browser orchestrates a fleet of identity-isolated profiles — each with a deterministic BrowserForge fingerprint, a Decodo residential or mobile-carrier proxy, a CreepJS-aligned coherence model, and a dedicated Playwright CDP socket — behind a single REST API on port 7890. Built for OSINT collection, durable scraping, account warming, and any automation workload that has to survive a competent detection stack without leaking the operator.

  • 24 identity-isolated profiles in the live fleet
  • :7890 REST control plane port
  • 3-tier IP reputation gate (IPQS → ProxyCheck → AbuseIPDB)

Architecture Overview

Detection is no longer one signal. Modern fingerprinting stacks — CreepJS, FingerprintJS Pro, Cloudflare Bot Management, PerimeterX, Akamai — correlate dozens of independent surfaces and reject sessions where any pair disagrees. Phantom Browser is the orchestration layer that keeps every surface coherent for every profile, every launch.

The desktop application is a Rust and Tauri shell that owns profile state, proxy credentials, cookie jars, and the REST control plane on port 7890. Each profile is a JSON document — fingerprint, proxy block, identity persona, deterministic noise seeds, and a unique CDP port — persisted under ~/Library/Application Support/com.phantombrowser.app/. When a profile launches, the Rust backend spawns a Python child process (launcher.py) that drives Camoufox, the Firefox-based stealth fork.

Camoufox is patched at the C++ layer to neutralize the leakiest detection surfaces — canvas, audio, WebGL, navigator, screen, timezone, fonts, mediaDevices, battery, clientRects — and Phantom Browser supplies the per-profile parameters that make those neutralizations look real. BrowserForge generates statistically realistic Firefox fingerprints scoped to a target operating system. Decodo provides the proxy egress: a residential pool when the profile demands fixed-line geolocation, or a mobile pool routing through true cellular ASNs (T-Mobile 21928, AT&T Mobility 20057, Verizon Wireless 22394, Sprint 10507, Cricket 16814) when the profile demands carrier IP. Every IP is scored before launch through a three-tier reputation gate, and every launch ends with cookies persisted back to the profile so the next session resumes warm.

Each profile gets a unique CDP port (the live fleet uses 9222–9230 and 6001–7005). That means a single Phantom Browser host can run dozens of fully isolated Camoufox instances in parallel, each automatable through Playwright over the exposed CDP socket, without any browser-level state crossing identity boundaries.

Technical Capabilities

  • Camoufox stealth runtime (Firefox fork with C++-level fingerprint patches) driven by per-profile JSON config
  • BrowserForge fingerprint generation across Windows, macOS, and Linux with realistic CPU–memory–screen pairing
  • Deterministic SHA-256 noise seeds per profile UUID for canvas, audio, WebGL, cursor, font, mediaDevices, battery, clientRects
  • Decodo residential and mobile proxy integration with session rotation, country and city targeting, and configurable session duration
  • Three-tier IP reputation gate — IPQS, then ProxyCheck.io, then AbuseIPDB — with quota-exhaustion fallback and an unscored-launch lockout
  • Client-side mobile-carrier classifier with ASN allowlist, ISP-substring veto, and datacenter-ASN hard reject (AWS, GCP, OVH, Hetzner, Cloudflare, etc.)
  • Per-profile Playwright CDP socket on a unique remote-debugging port for parallel automation without state collision
  • Per-profile cookie persistence (load on launch, save on SIGTERM) for warm-session continuity across restarts
  • Built-in CreepJS-aligned detection dashboard loaded as the first tab on every launch — eleven panels, live status
  • REST control plane on port 7890 for programmatic profile launch, status, and shutdown from the broader iSN.BiZ automation stack

Deep Dive: Stealth and Fingerprint Resistance

Modern detection is correlation. A bot is not caught by a single signal — it is caught by two signals that disagree. Phantom Browser is engineered around that fact.

Triangle Coherence: Timezone, Country, Locale

CreepJS and similar correlators reject sessions where the JavaScript-reported timezone disagrees with the IP geolocation, or where either disagrees with navigator.language. Phantom Browser enforces a triangle invariant at profile-build time: if the proxy egresses through Los Angeles, the timezone is locked to America/Los_Angeles and the locale is locked to a US English variant. The hermes profile, for example, ships with timezone=America/Los_Angeles, city=Los Angeles, ZIP=90014, and a Decodo mobile session targeting user-...-country-us-city-los_angeles-sessionduration-60. The three corners of the triangle are derived from one source, not three.
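The same invariant seen from the detection side, as an added example (not Phantom Browser's or CreepJS's code): a server-side check that lists which pairs among IP country, reported timezone, and navigator.language disagree. The Session field names and both lookup tables are constructed for illustration.

```python
"""Added example: server-side triangle-coherence check (detector's view).
Field names and lookup tables are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: IANA timezone -> ISO country code. A production check
# would load the full mapping from the tz database's zone1970.tab.
TZ_COUNTRY = {
    "America/Los_Angeles": "US",
    "America/New_York": "US",
    "Europe/London": "GB",
    "Europe/Berlin": "DE",
    "Asia/Tokyo": "JP",
}

# Constructed sample: locale region subtags considered plausible per country.
COUNTRY_REGIONS = {"US": {"US"}, "GB": {"GB"}, "DE": {"DE", "AT", "CH"}, "JP": {"JP"}}


@dataclass(frozen=True)
class Session:
    ip_country: str  # ISO code from geolocating the connecting IP
    timezone: str    # Intl.DateTimeFormat().resolvedOptions().timeZone
    language: str    # navigator.language, e.g. "en-US"


def locale_region(language: str) -> Optional[str]:
    """Return the upper-cased region subtag of a BCP 47 tag, if present."""
    parts = language.replace("_", "-").split("-")
    for part in parts[1:]:
        if len(part) == 2 and part.isalpha():
            return part.upper()
    return None


def coherence_findings(s: Session) -> List[str]:
    """Return the pairwise disagreements; an empty list means coherent."""
    findings = []
    ip_country = s.ip_country.upper()
    tz_country = TZ_COUNTRY.get(s.timezone)
    region = locale_region(s.language)
    if tz_country is None:
        findings.append("timezone:unknown")
    elif tz_country != ip_country:
        findings.append("timezone!=ip_country")
    if region is None:
        findings.append("locale:no_region")
    elif region not in COUNTRY_REGIONS.get(ip_country, set()):
        findings.append("locale!=ip_country")
    if tz_country and region and region not in COUNTRY_REGIONS.get(tz_country, set()):
        findings.append("locale!=timezone")
    return findings
```

Travellers and expatriates produce the same disagreements, so a defender would feed these findings into a risk score alongside other signals rather than block on any one of them.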

Deterministic Noise Seeds

Every profile carries deterministic SHA-256-derived seeds for canvas, audio, WebGL, cursor, font, mediaDevices, battery, and clientRects noise. The seeds are computed as u32(profile_uuid + label) with no separator, matching the seed derivation used elsewhere in the iSN.BiZ automation pipeline so the desktop app and downstream tooling generate the same bits for a given identity. The reason matters: CreepJS 2025 explicitly flags inconsistent per-call noise as bot behaviour. Real browsers produce stable canvas hashes session over session; only naive randomized spoofers re-roll on every render. Phantom Browser produces stable, identity-locked noise that survives re-launch.

Font Spoofing by Device Category

Font enumeration is one of the cheapest and most-trusted fingerprint surfaces. A real Apple M1 MacBook ships a specific set of seventy-odd system fonts; a real Windows 11 desktop ships a different set; a fresh Linux install ships a third. Phantom Browser injects font lists scoped by deviceCategory (macbook_m1, windows_desktop, linux_workstation), so a profile claiming to be an Apple M1 with macOS reports the seventy fonts that machine actually ships, not the host operating system's font list.

Multi-Tier IP Reputation Gate

Before any profile launches, the chosen Decodo session has to clear a reputation threshold. The launcher's --scan-ip mode rotates Decodo session IDs in parallel, queries each candidate through ip.decodo.com/json for first-hop ISP and ASN data, and then runs the IP through a three-tier reputation chain: IPQualityScore first, then ProxyCheck.io, then AbuseIPDB. Default threshold is fraud_score ≤ 30. When IPQS quota is exhausted the gate falls through to ProxyCheck; when ProxyCheck is exhausted, AbuseIPDB takes over. If every provider is simultaneously down the launcher refuses to launch on an unscored session unless IPQS_ALLOW_UNSCORED=1 is set explicitly in the environment.

Aggregated ISP labels are kept across providers because providers disagree: Decodo's first-hop label may say Verizon 5G Home while ProxyCheck says Cellco Partnership. The classifier checks every label against a substring blocklist (5g home, fios, fixed wireless, hotspot) so a single bad label vetoes the IP even when the others look clean.
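The fallback order and fail-closed lockout described above, as an added example (not the project's launcher code). Provider callables are stand-ins that return a score assumed to be normalised to 0–100; the names score_ip, gate, QuotaExhausted, UnscoredSession and exhausted_providers are hypothetical, and no real provider API is called.

```python
"""Added example: fail-closed reputation chain with quota fallthrough.
Provider callables are stand-ins; scores are assumed normalised to 0-100."""
import os
from typing import Callable, List, Mapping, Optional, Set, Tuple

FRAUD_THRESHOLD = 30  # the page's default: fraud_score <= 30


class QuotaExhausted(Exception):
    """Raised by a provider stand-in when the service answers HTTP 429."""


class UnscoredSession(Exception):
    """No provider could score the IP and the override is not set."""


# Per-process exhaustion flags: one 429 disables a provider until exit.
exhausted_providers: Set[str] = set()

Provider = Tuple[str, Callable[[str], int]]


def score_ip(ip: str, chain: List[Provider]) -> Optional[Tuple[str, int]]:
    """Return (provider_name, score) from the first provider that answers."""
    for name, query in chain:
        if name in exhausted_providers:
            continue                       # skip without spending a call
        try:
            return name, query(ip)
        except QuotaExhausted:
            exhausted_providers.add(name)  # remembered for process lifetime
        except OSError:
            continue                       # unreachable: try the next tier
    return None


def gate(ip: str, chain: List[Provider],
         env: Mapping[str, str] = os.environ) -> bool:
    """True if the IP clears the threshold; raises when failing closed."""
    result = score_ip(ip, chain)
    if result is None:
        # Fail closed: an unscored IP passes only on explicit override.
        if env.get("IPQS_ALLOW_UNSCORED") == "1":
            return True
        raise UnscoredSession(f"no reputation score available for {ip}")
    return result[1] <= FRAUD_THRESHOLD
```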

Mobile-Carrier Gate — Why Server-Side ASN Targeting Fails

Decodo exposes server-side asn-N targeting parameters, but live testing in 2026 confirmed two failure modes: server-side targeting silently falls back to whatever pool is available (three sequential carrier requests came back as the same T-Mobile session), and the mobile pool itself contains misclassified Verizon 5G Home and FiOS residential IPs the carrier filter is supposed to exclude. Phantom Browser therefore classifies every candidate IP client-side after the proxy egresses.

The classifier runs in two modes. "any" mode (default) accepts mobile and residential IPs and rejects only datacenter and hosting (AWS 16509, Google 15169, Cloudflare 13335, OVH 16276, Hetzner 24940, DigitalOcean 14061, Vultr 20473, M247 9009, and a dozen more), with hard-reject ISP substring markers hosting, datacenter, cloud, vps, colocation. "mobile" mode (set via IPQS_CARRIER_MODE=mobile) restricts to true cellular allowlist ASNs and additionally rejects residential ISP ASNs Comcast 7922, Charter Spectrum 20115, AT&T residential 7018, and Verizon Business 701 / 702.

CreepJS-Aligned Detection Dashboard

Every Camoufox launch opens with a built-in detection dashboard as the first tab. Operators see eleven coherence panels — IP & Proxy, WebRTC Leak Test, Navigator, Screen & Display, WebGL Fingerprint, Canvas Fingerprint, Timezone & Locale, Geolocation, Audio Fingerprint, Bot Detection, and Fonts — each with a live pass / fail / warn indicator. Before sending a profile against a real target, the operator confirms every panel says PASS. The dashboard surfaces the actual fields a real fingerprinter sees, not a generic "you are anonymous" claim.

Session Warming and Cookie Persistence

A fresh profile with no cookies and no browsing history is itself a signal. Phantom Browser's --warm mode walks the profile through a configurable list of warming URLs (Wikipedia, weather, BBC, Reuters, Stack Overflow, Reddit, Hacker News, Amazon, eBay, IMDb, ESPN, NYT, GitHub trending, and twelve more) before idling for interactive use. Every cookie picked up during warming — Cloudflare bot-management cookies, ad-network identifiers, regional preference cookies — is persisted to the profile's cookie jar on SIGTERM and reloaded on the next launch, so the second session starts with the trust signal of a returning visitor.

Component Architecture

Tauri Desktop Shell

Rust Control Plane & Profile Manager

The Rust and Tauri desktop application owns profile JSON state, cookie jars, and credential resolution. The UI lists the active fleet, surfaces per-profile launch status, and dispatches launch commands as Python child processes. State lives under ~/Library/Application Support/com.phantombrowser.app/ with profile-scoped subdirectories for cookies and IP-reputation cache.

Camoufox Launcher

Python Driver & Fingerprint Injector

The launcher.py driver accepts a profile JSON document and executes the Camoufox stealth runtime with the right command-line flags. Responsibilities: fingerprint injection, font spoofing per device category, IP scan and reputation gate, cookie load and save, optional warming, and CDP socket exposure on the profile-assigned port.

REST Control Plane

Programmatic Fleet Orchestration on :7890

The desktop app exposes a REST API on port 7890 that other iSN.BiZ automation systems use to launch profiles, query status, and shut sessions down. The same control plane lets the broader stack — PAI, OpenClaw, EDGAR Intel collectors — treat Phantom Browser as a stealth browser-as-a-service rather than a desktop app a human has to click.

Decodo Proxy Stack

Residential & Mobile Egress with Reputation Gating

Decodo provides residential and true-cellular mobile proxies (T-Mobile, AT&T Mobility, Verizon Wireless, Sprint, Cricket) routed through gate.decodo.com:10000 for mobile and :7000 for residential. Session-rotation usernames embed country, city, and session-duration targeting. Credentials resolve through a typed env-loader, never hardcoded.

Detection Dashboard

CreepJS-Aligned Coherence Audit

An eleven-panel HTML dashboard loaded as the first tab on every Camoufox launch. Live pass / fail / warn indicators for IP & Proxy, WebRTC Leak Test, Navigator, Screen & Display, WebGL, Canvas, Timezone & Locale, Geolocation, Audio, Bot Detection, and Fonts. Every panel must read PASS before the operator points the profile at a real target.

Automation Scripts

Per-Profile Launch Wrappers

Profile-specific launch wrappers (for example launch-hermes.py) generate a fresh Decodo session, IPQS-check the egress IP, inject the resolved credentials in-memory (never written to disk), then execv into launcher.py --warm --cdp-port N --cookie-dir <path>. Per-profile wrappers let identity-specific business logic live alongside the identity itself.

Implementation Details

The launcher CLI surface, profile schema, and credential-resolution model that hold the system together.

Launcher CLI Surface

The launcher accepts a profile JSON as its single positional argument and a small set of orthogonal flags. --headless and --headed select display mode. --humanize and --no-humanize toggle Camoufox's input humanization (cursor jitter, scroll easing, dwell-time variance). --cookie-dir <path> sets the per-profile cookie directory. --cdp-port <port> exposes the Playwright CDP websocket on a unique port. --warm runs the warming-URL walk before idling. --scan-ip rotates Decodo session IDs in parallel until one passes the reputation gate at fraud_score ≤ 30. --preflight runs the detection dashboard checks and exits without idling, useful for CI and headless validation.

Profile JSON Schema

Every profile is a single JSON document containing a fingerprint block (os, screen WxH, cores, memory in GB, webglVendor, webglRenderer, userAgent, timezone, locale), a noiseSeeds block (the eight u32 SHA-256-derived seeds), a proxy block (subscription, host, port, username, password placeholder), an identity block (persona name, ZIP, city, state, email), and a cdpPort. Ports are unique across the fleet — the live deployment uses 9222–9230 for one band and 6001–7005 for a second — so a single host can multiplex dozens of independent CDP-driven Camoufox processes without collision.

Credential Resolution & Env Loader

Profile JSON stores proxy passwords as the literal placeholder SET_IN_ENV_OR_1PASSWORD. The launcher resolves the placeholder at runtime via env_loader.read_env_var(), which reads from a .env alongside the scripts directory. DECODO_PASS resolves the mobile credential, DECODO_RESIDENTIAL_PASS the residential one. Selection is driven by profile.proxy.subscription (mobile or residential). Reputation-provider keys (IPQS_API_KEY, PROXYCHECK_API_KEY, ABUSEIPDB_API_KEY) resolve through the same loader.

IP Cache & Reputation Memoization

Reputation calls are cached in ~/Library/Application Support/com.phantombrowser.app/ip_cache.json keyed by Decodo session ID with a default TTL of ten minutes. The cache holds at most forty entries (FIFO eviction) and lets --scan-ip rotations skip re-querying recently-seen sessions. Quota-exhaustion flags for IPQS, ProxyCheck, and AbuseIPDB are tracked per-process so a single 429 stops further calls for the rest of the launcher's lifetime, dropping straight to the next provider in the chain.

  • launcher.py: Camoufox driver, fingerprint injection, IP scan, reputation gate, cookie load and save
  • fingerprint_gen.py: BrowserForge generator with deterministic SHA-256 noise-seed derivation per profile UUID
  • env_loader.py: Typed credential resolution from .env for Decodo, IPQS, ProxyCheck, AbuseIPDB
  • launch-hermes.py: Per-profile launch wrapper — mobile session, in-memory cred injection, exec into launcher
  • dashboard.html: CreepJS-aligned eleven-panel coherence dashboard, first tab on every launch
  • warming_sites.json: 25-site warming list for cookie acquisition before idle and interactive use

Technology Stack

Rust, Tauri, Python 3.11, Camoufox, Firefox, BrowserForge, Playwright CDP, Decodo Residential, Decodo Mobile, IPQualityScore, ProxyCheck.io, AbuseIPDB, CreepJS-aligned dashboard, SHA-256 seeded noise, REST :7890

Differentiation and Moat

Coherence-First, Not Stealth-Theater

Most "anti-detect" browsers ship a fingerprint randomizer and call it done. Phantom Browser enforces triangle coherence across timezone, country, and locale; deterministic noise per profile UUID; and per-device-category font lists. The detection dashboard exists so the operator can verify coherence before sending the profile at a target, instead of trusting a vendor checkbox.

Client-Side Carrier Classification

Decodo's server-side ASN targeting was broken in our 2026 testing — mobile pools include misclassified Verizon 5G Home and FiOS IPs, and three sequential carrier-targeted requests came back identical. Phantom Browser classifies every IP client-side after egress, with multi-source ISP-label aggregation that catches what a single provider would miss.

Three-Tier Reputation with Hard Lockout

IPQualityScore, ProxyCheck.io, and AbuseIPDB chained in fallback order with quota-exhaustion tracking. The launcher refuses to launch on an unscored session unless an explicit emergency env var is set — the default behavior is to fail closed, which is the only safe default for stealth automation.

REST-First Fleet Orchestration

Phantom Browser is not a desktop app a human clicks. The control plane on port 7890 lets the broader iSN.BiZ automation stack — PAI, OpenClaw, EDGAR Intel collectors, and downstream agents — treat a 24-profile stealth-browser fleet as a programmable resource. Identity, proxy, fingerprint, and CDP socket are all addressable over HTTP.

Why It Matters

A 24-profile stealth fleet wired into the iSN.BiZ automation stack as a programmable, REST-addressable resource, with verifiable coherence on every surface a competent fingerprinter inspects.

OSINT & Investigative Research

Open-source intelligence collection — people search, public-records research, social-media reconnaissance — routinely runs into geofencing, rate limiting, and bot-detection walls. Phantom Browser gives the analyst an identity-isolated profile per investigation: a Los Angeles mobile-carrier persona for one case, a New York residential persona for the next. Every profile boots with verified IP coherence and a real cookie history, so collection completes without the platform learning the operator.

Durable Scraping & Data Collection

Public data behind Cloudflare Bot Management, PerimeterX, or Akamai bot-detection layers. The Playwright CDP socket on each profile lets a scraper drive Camoufox the same way it would drive headless Chrome — but every request egresses through a reputation-scored residential or mobile IP, every fingerprint surface is coherent, and every session resumes with the cookies it earned last time. Collection that breaks weekly on a generic headless setup runs for months on a Phantom Browser profile.

Account Warming & Adversarial-Resistant Automation

Long-lived account work — trust building, content publishing, controlled testing of detection stacks — demands the same identity returning from the same coherent fingerprint over weeks, not a fresh randomized profile every session. Phantom Browser treats identity as the durable unit. The hermes profile in the live fleet is the canonical example: ARM macOS fingerprint, LA timezone, T-Mobile mobile egress, persistent cookies, dedicated mailbox — the same coherent presence on every launch.

Operator & Compliance Notice

Phantom Browser is operator infrastructure, not a hosted service. The platform enforces credential hygiene by design: no hardcoded passwords, env-loaded reputation API keys, in-memory proxy-credential injection that never writes resolved secrets to disk, and a fail-closed launch gate when reputation providers are unreachable. Phantom Browser is used by iSN.BiZ Inc for OSINT, public-data collection, and adversarial-resistance research; it is not licensed for traffic that violates a target site's terms of service or applicable law. Full architecture and operational documentation are available to qualified investors and security researchers under NDA.
