How This Briefing Works
This report opens with key findings, then maps the gaps between what Hunter discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Hunter was observed loading and executing before user consent was obtained on 3% of sites where it was detected.
Claims vs. Observed Behavior
consent
“Unknown - requires claims extraction via CDT”
Deploys session replay + behavioral biometrics + cross-domain syncing + consent bypass + tag manager (VRS 90 extreme surveillance)
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Hunter
- →Remove Hunter from tag manager immediately - tag deployment makes compliance impossible
- →Demand deletion of all session replay, behavioral biometric, and cross-domain sync data
- →Request list of all data-sharing partners to assess total liability exposure
- →Terminate contract - VRS 90 represents unacceptable risk for email enrichment tool
If You're Evaluating Hunter
- →REJECT Hunter - VRS 90 surveillance for email finding is indefensible
- →Migrate to API-only enrichment: Clearbit API (no website tracking), ZoomInfo API (backend only)
- →Use manual email verification instead of automated surveillance infrastructure
Negotiation Leverage
- →Hunter VRS 90 represents extreme surveillance: session replay + behavioral biometrics + cross-domain syncing + tag manager persistence for email enrichment tool
- →Five simultaneous GDPR violations create indefensible regulatory position - no legitimate interest or business necessity defense for this architecture
- →Tag manager deployment prevents customer control - Hunter can modify tracking server-side without visibility or consent
- →Email enrichment DOES NOT require session recording or behavioral fingerprinting - architecture is vendor choice that transfers maximum liability to customer
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Captures mouse movements, scroll patterns, interaction timing to create behavioral fingerprints. GDPR Article 9 special category data violation - requires explicit consent, pre-consent capture creates maximum penalty exposure.
Full session replay
Impact: Records full user sessions including email verification attempts (reveals marketing targets), form inputs, navigation patterns. May capture sensitive personal data without consent - creates privacy violation with severe reputational risk.
Identity stitching
Impact: Syncs visitor identities with data broker/ad network partners before consent. Creates per-visitor violation multiplied by number of sync recipients - exponential penalty exposure through unauthorized data transfers.
Ignoring CMP signals
Impact: All tracking loads before consent opportunity - creates per-visitor GDPR Article 7 violation. Combined with session replay, biometrics, and cross-domain syncing, elevates to Article 9 special category + Article 44 data transfer violations.
Container/loader (neutral)
Impact: Deployment via tag manager enables Hunter to modify surveillance behavior server-side without customer visibility. Customer cannot verify compliance even after configuration - creates uncontrollable ongoing liability.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
127 detection signatures across scripts, domains, cookies, and network endpoints