Executive Summary
RB2B is a B2B visitor identification platform owned by Retention.com (Austin, TX) that deanonymizes website visitors by harvesting personal emails, LinkedIn profiles, and company data. The platform deploys sophisticated defeat device infrastructure targeting 60+ compliance audit tools (Playwright, Puppeteer, Selenium) to evade regulatory oversight. Despite claims of SOC2 Type II, GDPR, and CCPA compliance, runtime analysis reveals 5.1% pre-consent tracking, HubSpot/Facebook cookie theft ("identifier laundering"), and 87% of third-party vendors on their site undisclosed in privacy documentation. Founder Adam Robinson (ex-Lehman Brothers) has publicly described the methodology as "email laundering" - applying financial CDO methodology to consumer data.
Revenue Threat Profile
4 COLLAPSE VECTORSHow this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.
CAC Subsidization
RB2B corrupts attribution by intercepting HubSpot and Facebook cookies, creating a parallel identity graph that competes with legitimate marketing attribution. The stolen hubspotutk cookie is copied to _reb2butk after a 2000ms delay to capture enriched identifiers, then used for cross-site correlation that pollutes first-party measurement.
Signal Corruption
Core business model is demand signal theft. RB2B identifies anonymous visitors on competitor websites and routes those leads to paying customers. Companies using RB2B receive competitor intent signals; companies being scraped by RB2B lose competitive intelligence to rivals. White-label network (Knock2.ai, Clay) amplifies signal leakage.
Legal Tail Risk
Defeat device infrastructure creates audit-proof attack surface. 60+ bot detection patterns disable tracking during compliance scans, meaning security assessments never see actual behavior. S3 bucket aliases (b2bjsstore) provide CDN-evasion fallback. Base64-encoded endpoints hide IP-API geolocation calls from static analysis.
GTM Attack Surface
Nine BTI-X violations create substantial regulatory exposure. SOC2/GDPR/CCPA claims combined with pre-consent tracking (X05), defeat devices (X04), and anonymous claims contradicted by PII harvesting (X09) constitute material misrepresentation. Cookie theft from HubSpot/Facebook without authorization may violate CFAA. GDPR Article 3(2) triggered via UK deployments (Cognism).