
Crunchbase

Crunchbase fires before consent on 100% of observed deployments — every single page load triggers behavioral biometrics, session recording, cross-domain sync, and identity resolution before visitors have any opportunity to express consent preferences.

88 IOCs | 14 detections | 100% pre-consent | 13 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Crunchbase discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

14 detections across 13 sites | 100% pre-consent activity
CRITICAL

Pre-Consent Activity

Crunchbase was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

GDPR, ePrivacy
HIGH

Pending Analysis

8 BTI behavioral codes detected with 100% pre-consent firing rate. Full claims extraction required for gap analysis.

Disclosure Gaps

Claims vs. Observed Behavior

1 gap (1 HIGH)

Pending Analysis

HIGH
They Claim

Claims analysis pending

Observed Behavior

8 BTI behavioral codes detected with 100% pre-consent firing rate. Full claims extraction required for gap analysis.

Customer Impact

What This Means For You

If Crunchbase is deployed on your site, every visitor is being subjected to behavioral biometrics, session recording, and identity resolution on every single page load — before they ever see a consent prompt. Your high-value business visitors are being deanonymized and their identity data feeds into Crunchbase's enrichment platform, effectively making your site a free data collection point for Crunchbase's commercial products. The 100% pre-consent rate means there is no CMP configuration that currently prevents this — Crunchbase fires regardless of consent state. You face unavoidable per-pageview regulatory violations in every jurisdiction with consent requirements.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Crunchbase

  • Verify immediately whether Crunchbase is firing before your CMP — 100% pre-consent rate means your consent implementation is not gating their collection
  • Audit your DPA with Crunchbase for coverage of behavioral biometrics, session recording, and cross-domain sync — capabilities that likely exceed your agreement scope
  • Request from Crunchbase a complete accounting of how visitor data from your site is used in their enrichment products
  • Assess joint controller liability exposure under GDPR Art. 26 given cross-domain identity sync

If You're Evaluating Crunchbase

  • Require Crunchbase to implement consent-gating as a precondition before any deployment on your properties
  • Demand contractual prohibition on using visitor data collected from your site in Crunchbase's commercial enrichment products
  • Evaluate server-side Crunchbase data integration as an alternative that eliminates client-side behavioral collection entirely
  • Consider whether business data display value justifies the regulatory and intelligence leakage exposure

Negotiation Leverage

  • 100% pre-consent firing rate is the most aggressive in this analysis group — document as evidence of systematic consent violation and demand immediate technical remediation
  • 8 BTI behavioral codes is the highest count in this group — use to justify comprehensive DPA renegotiation with enhanced audit rights
  • Cross-domain sync + identity resolution means your visitor data enriches Crunchbase's commercial products — demand either data use restrictions or revenue sharing for the intelligence you provide
  • Crunchbase's brand recognition creates leverage — they cannot afford public disclosure of 100% pre-consent behavioral surveillance on embedded widgets
  • Server-side API alternative exists — use as negotiation baseline: either fix client-side consent compliance or you migrate to server-side integration

Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01: Defeat Device

Evasion infrastructure, auditor bypass

Impact: Evasion infrastructure on a platform with 100% pre-consent firing means Crunchbase may present differently during audits than in production — particularly concerning given the gap between expected functionality (business data) and actual behavior (full behavioral surveillance).

BTI-C06: Behavioral Biometrics

Keystroke/mouse tracking

Impact: Keystroke and mouse tracking from a business data enrichment platform is fundamentally outside user expectations. Visitors interacting with Crunchbase company data do not expect their behavioral patterns to be captured and profiled.

BTI-C07: Session Recording

Full session replay

Impact: Full session replay from a data enrichment widget means Crunchbase captures complete user sessions — including interactions with other parts of your site beyond Crunchbase content. This data feeds into their enrichment platform.

BTI-C08: Cross-Domain Sync

Identity stitching

Impact: Identity stitching across domains means business professionals visiting your site are correlated with their activity across Crunchbase's 13-site deployment network. This effectively turns your site into a data collection point for Crunchbase's business intelligence products.

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: 100% pre-consent rate means there is no consent coverage whatsoever. Every page load on every observed deployment fires Crunchbase's full collection stack before consent — creating unavoidable per-pageview regulatory violations.

BTI-C10: Fingerprinting

Device identification

Impact: Device fingerprinting enables persistent identification of business visitors across sessions and devices, feeding Crunchbase's enrichment capabilities while circumventing privacy controls your visitors rely on.

BTI-C14: Identity Resolution

PII deanonymization

Impact: PII deanonymization means your site visitors — particularly high-value business professionals — are being identified and that identity data flows into Crunchbase's enrichment platform. You are effectively providing free visitor intelligence to Crunchbase.

BTI-C15: Tag Manager

Container/loader (neutral)

Impact: Tag management infrastructure serves as the delivery mechanism for Crunchbase's behavioral collection and cross-domain sync capabilities, often loading additional resources beyond the core business data widget.

IOC Manifest

73 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Crunchbase is a widely recognized business data platform owned by Crunchbase Inc., often embedded on B2B sites to display company information, funding data, and industry intelligence. However, their client-side deployment extends far beyond data display. With cross-domain sync (C08) and identity resolution (C14), Crunchbase operates as a bidirectional data flow — your site provides visitor behavioral data and identity signals that feed back into Crunchbase's enrichment products. The 4-cookie footprint combined with 11 scripts and 2 domains indicates a mature tracking infrastructure. Sites deploying Crunchbase typically also run other B2B enrichment tools, creating compound identity resolution exposure.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

88 detection signatures across scripts, domains, cookies, and network endpoints
