All Vendors
deanon

Albacross

Visitor identification platform. High liability exposure from identity resolution and persistent tracking without consent. Medium revenue impact from identified visitor data sold to competitors.

23 IOCs14 detections86% pre-consent12 sites
70
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Albacross discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

14 detections across 12 sites86% pre-consent activity
CRITICAL

Pre-Consent Activity

Albacross was observed loading and executing before user consent was obtained on 86% of sites where it was detected.

GDPRePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

pending

UNKNOWN
They Claim

Requires claims extraction via CDT

Observed Behavior

Live website analysis pending

Customer Impact

What This Means For You

For security teams: IP-based identification reveals organizational infrastructure and visitor patterns exploitable for reconnaissance. For legal: Identity resolution creates GDPR data subject access request obligations for all historical IP matches requiring reverse lookup reconstruction. For marketing: Identified account lists sold to competitors enable targeted outbound to your warmest prospects. For sales: Visitor identification signals leaked to competitors before your SDRs can act on intent data.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Albacross

  • Require Albacross to execute post-consent only with explicit identity resolution disclosure
  • Implement immediate data deletion for identified visitors upon request
  • Add IP tracking and identity resolution disclosure to privacy policy with opt-out mechanism
  • Audit data sharing agreements to identify visitor list buyers

If You're Evaluating Albacross

  • Review DPA for identity resolution data controller/processor responsibilities
  • Assess first-party visitor identification vs. third-party IP matching risk
  • Calculate competitive leakage cost: (Albacross fee + identified visitor list value to competitors)

Negotiation Leverage

  • Identity resolution without consent violates GDPR Article 6 - require explicit opt-in or contract termination
  • Tag manager deployment creates liability gaps - demand technical controls preventing pre-consent execution
  • Identified visitor lists sold to competitors subsidize prospecting - require complete buyer list with pricing transparency and opt-out rights
  • IP tracking converts anonymous traffic to personal data - demand legal opinion on controller/processor responsibilities
Runtime Detections

Runtime Detections

3 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Executes IP tracking and identity resolution before consent collection. Violates ePrivacy Directive and GDPR consent requirements.

BTI-C14Identity Resolution

PII deanonymization

Impact: Links IP addresses to company accounts and individual contacts via reverse lookup databases. Converts anonymous traffic to identified prospects, triggering full GDPR personal data obligations.

BTI-C15Tag Manager

Container/loader (neutral)

Impact: Deploys via tag management system enabling dynamic updates without change control. Creates consent governance gaps and prevents technical enforcement of privacy controls.

IOC Manifest

IOC Manifest

22 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

EXFIL
*serve.albacross.com/reveal.js*
Data collection endpoint
TRACK
*serve.albacross.com/track.js*
Tracking script
TRACK
serve.albacross.com
Tracking script
TRACK
tr.albacross.com
Tracking script
EXFIL
serve.albacross.com/reveal.js
Auto-extracted from scan
TRACK
serve.albacross.com/track.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

B2B visitor identification feeding sales intelligence and ABM platforms. Common co-deployments: Salesforce (CRM sync), Demandbase (ABM), ZoomInfo (contact enrichment), intent data platforms. Identified visitor lists sold to competitive intelligence marketplaces.
Loaded By (1)
Osano
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

23 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details