Target
chaturbate-bots.com
A full fingerprint of the hosting, frontend, backend APIs, and third-party services behind the site — reverse-engineered from HTTP headers, HTML, CSS tokens, and 1.2 MB of JavaScript bundles.
React Server Components on the App Router. Pages are statically prerendered (SSG/ISR) and served from Vercel's edge cache.
React under the hood, compiled with Turbopack — Next.js's Rust-based bundler — rather than Webpack.
Utility-first CSS. The v4 engine is given away by heavy color-mix() output and --tw-* variables.
Radix-based components keyed by semantic design tokens, paired with lucide-react icons.
Vercel's Geist typeface, self-hosted as woff2 via next/font — zero layout shift, no Google Fonts call.
Babel/core-js polyfills are bundled for older-browser support — a standard part of the Next.js build pipeline.
Served from Vercel's edge with full CDN caching — pages return cache HITs.
Google Analytics 4 loaded through Google Tag Manager.
Vercel's own web-analytics script runs alongside GA4.
Rich schema.org markup spanning 10 entity types for search visibility.
Strict-Transport-Security enforced for 2 years.
Primary sales / support runs through Telegram.
The core "traffic" service is a Fastify (Node.js) API fronted by Cloudflare. Base URLs are pulled live from Firestore, with hardcoded fallbacks in the bundle.
Firestore stores operator settings (settings/public, admin/settings): the BTC wallet & traffic-server URLs. Firebase Auth gates admin login.
| Method | Endpoint | Host | Purpose |
|---|---|---|---|
| POST | /start-traffic | apirouting.live | Begin a bot/viewer session (sends modelName) |
| POST | /stop-traffic | apirouting.live | End session — fired via navigator.sendBeacon on unload |
| POST | /heartbeat | apirouting.live | Keep-alive ping while a session runs |
| GET | /api/btc-price | Next.js route | Fetch current Bitcoin price for checkout |
Crypto-only billing. A hardcoded BTC wallet (overridable via Firestore) pairs with the live price route.
Backend URLs aren't baked in — they're read at runtime from Firestore so servers can be rotated without a redeploy. The bundle holds only fallbacks.
Google reCAPTCHA Enterprise guards forms/actions — 45 references throughout the bundle.
Client-side IP geolocation of each visitor on load.
Pulls live model thumbnails straight from Chaturbate's own media CDN (MMCDN).
| Host | Resolves To | Response | Verdict |
|---|---|---|---|
traffic-api.apirouting.live | Cloudflare | JSON 404 (app) | LIVE |
info-api.apirouting.live | Cloudflare | JSON 404 (app) | LIVE |
dvdp5qq7-3000.euw.devtunnels.ms | Azure · 20.103.221.187 | 404 · empty body | INACTIVE |
dvdp5qq7-3001.euw.devtunnels.ms | Azure · 20.103.221.187 | 404 · empty body | INACTIVE |
The frontend resolves the backend address from Firestore at runtime, then drives the traffic engine — start → heartbeat → stop — through Cloudflare to the Fastify origin.
The exact client ↔ backend message sequence for one traffic session — every call, its trigger, and its payload, decompiled from the React bundle. Animated packets show direction of flow.
/api/btc-price/start-trafficok · 400 "limit 100" (RO) · already_running/heartbeat/stop-trafficnavigator.sendBeacon() — the only call guaranteed to fire during page unload.
fetch(…, keepalive:true) — retries the teardown if the beacon was rejected.
Retrying ev() wrapper — 3 retries, 1s backoff, on HTTP 408 / 5xx.
A 404 can prove a service is alive. The signal isn't the status code — it's who generates the body. A framework-shaped JSON 404 means the origin app ran; an empty edge 404 means nothing answered behind the proxy.
Error-body fingerprinting beats version banners. "Route GET:/ not found" is uniquely Fastify, just as Cannot GET / is Express — no version string required.
Config-in-Firestore hides the real backend. Reading the API address at runtime lets the operator rotate or conceal servers without a redeploy — the shipped bundle only contains fallbacks.
Tailwind v3 vs v4 needs no version string. v4 compiles to color-mix() + @layer output; 441 color-mix calls is a reliable tell.
Cloudflare in front is deliberate. It hides the origin IP and adds WAF/DDoS protection — sensible for a traffic-generating, abuse-prone service that is itself a likely target.
AI-builder leakage is real. 72 [v0] markers and a localhost dev-tunnel fallback shipping to prod are classic artifacts of an AI-scaffolded app that wasn't fully hardened.