RB2B

RB2B deploys defeat device infrastructure targeting 60+ compliance audit tools while claiming SOC 2 and GDPR compliance. Runtime analysis reveals pre-consent tracking, systematic cookie theft from HubSpot and Facebook, and 87% of third-party vendors on their own site undisclosed in privacy documentation.

49 IOCs · 160 detections · 5% pre-consent · 128 sites
Vendor Risk Score: 85

How This Briefing Works

This report opens with key findings, then maps the gaps between what RB2B discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

160 detections across 128 sites · 5% pre-consent activity · 3 critical disclosure gaps

CRITICAL

Defeat Device

60+ bot detection patterns disable tracking during compliance audits

FTC Section 5 (Deceptive Practices) · GDPR Article 5 (Transparency) · CCPA Section 1798.100

CRITICAL

Cookie Theft

Steals cookies without authorization via grabCookies() function

CFAA (Unauthorized Access) · GDPR Article 6 (Lawful Basis) · ePrivacy Directive

CRITICAL

Anonymous Claim Contradiction

API returns personal emails, LinkedIn profiles, phone numbers, job titles per visitor

GDPR Article 4 (Personal Data Definition) · CCPA Section 1798.140

MEDIUM

Pre-Consent Activity

RB2B was observed loading and executing before user consent was obtained on 5% of sites where it was detected.

GDPR · ePrivacy

HIGH

Subprocessor Gap

62 third-party vendors detected on rb2b.com

GDPR Article 28 (Sub-processor Disclosure) · CCPA Section 1798.110

Disclosure Gaps

Claims vs. Observed Behavior

6 gaps: 3 CRIT · 2 HIGH · 1 MED
Classified: BTI-X01, BTI-X02, BTI-X04, BTI-X05, BTI-X06, BTI-X08, BTI-X09, BTI-X10, BTI-X12

Defeat Device

FTC Section 5 (Deceptive Practices) · GDPR Article 5 (Transparency) · CCPA Section 1798.100
CRITICAL

They Claim

SOC2 Type II, GDPR, CCPA Compliant

Observed Behavior

60+ bot detection patterns disable tracking during compliance audits

Deobfuscated reb2b.js contains user-agent filtering for Playwright, Puppeteer, Selenium, ChromeDriver, Postman, and 55+ other audit tools

Anonymous Claim Contradiction

GDPR Article 4 (Personal Data Definition) · CCPA Section 1798.140
CRITICAL

They Claim

Data is aggregated, anonymized or de-identified

Observed Behavior

API returns personal emails, LinkedIn profiles, phone numbers, job titles per visitor

Postman collection at rb2b-api shows full PII response including 5+ business emails per person

Subprocessor Gap

GDPR Article 28 (Sub-processor Disclosure) · CCPA Section 1798.110
HIGH

They Claim

8 data partners disclosed in privacy policy

Observed Behavior

62 third-party vendors detected on rb2b.com

Runtime scan of rb2b.com detected 62 vendors; 54 undisclosed (87% gap)

API Contradiction

FTC Section 5 (Material Misrepresentation)
MEDIUM

They Claim

Support documentation states "We do not currently offer an API"

Observed Behavior

Public API page at rb2b.com/apis and complete Postman collection

Three contradictory sources: support docs, website API page, Postman collection

Customer Impact

What This Means For You

If RB2B is deployed on your site, your privacy policy is almost certainly inaccurate. You have inherited 54+ undisclosed sub-processors through their script, creating direct GDPR Article 28 liability. Their 5.1% pre-consent tracking rate means data is being collected from your visitors before consent is granted — that is your regulatory exposure, not theirs. Their defeat device infrastructure means any compliance audit you run will see different behavior than what your actual visitors experience, making your audit results unreliable. HubSpot and Facebook cookie values are being copied to RB2B-controlled keys without authorization from either platform, which may violate your integration agreements. If you are subject to GDPR, CCPA, or ePrivacy Directive, RB2B creates material compliance gaps that your existing consent mechanism does not cover.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use RB2B

  • Audit your privacy policy for 54+ undisclosed sub-processors inherited from RB2B
  • Review consent mechanisms — 5.1% pre-consent rate creates direct GDPR liability
  • Verify HubSpot/Facebook integrations are aware of RB2B cookie theft
  • Request SOC2 report directly — trust portal access is not public verification
  • Consider that compliance audits see different behavior than production due to defeat devices

If You're Evaluating RB2B

  • Run compliance audit with non-standard user agent to observe actual behavior
  • Review deobfuscated script for bot detection targeting your audit tools
  • Verify all 8 disclosed data partners vs your requirements
  • Understand white-label network exposure (Knock2.ai, Clay)
  • Assess GDPR Article 3(2) exposure if any EU/UK visitors

Negotiation Leverage

  • The subprocessor gap: they disclose 8 data partners but their own site loads 62 third-party vendors. Request a complete, current subprocessor list and contractually require 30-day advance notice of changes — they cannot comply because they do not control their own supply chain.
  • The defeat device: their code detects and disables tracking for 60+ compliance audit tools including Playwright, Puppeteer, and Selenium. Ask them to explain why their SOC 2 certification should be considered valid when their code is specifically designed to behave differently during audits. Request their SOC 2 report directly — it is behind a gated trust portal, not publicly verifiable.
  • The consent contradiction: they claim GDPR and CCPA compliance but have a documented 5.1% pre-consent tracking rate across 128 sites. Request evidence of their lawful basis for processing under GDPR Article 6, specifically for the pre-consent data collection window.

These are not theoretical risks — each point is backed by observed runtime behavior across multiple sites and scan dates.

Runtime Detections

7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

39 INDICATORS

Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK: ddwl4m2hdecbv.cloudfront.net/b/ (Tracking script)
  • TRACK: b2bjsstore.s3 (Tracking script)
  • TRACK: s3-us-west-2.amazonaws.com/b2bjsstore (Tracking script)
  • TRACK: s3.us-west-2.amazonaws.com/b2bjsstore (Tracking script)
  • TRACK: reb2b.js (Tracking script)
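
An added example (not BLACKOUT's or RB2B's code): it matches the five tracking-script indicators listed above against request URLs in HAR captures, then compares a capture taken under an automation user agent with one taken under an ordinary browser user agent to surface audit-versus-production divergence. The sample captures, site name, GTM id and script path are constructed placeholders.

```python
import json

# The five tracking-script indicators listed in the manifest above.
IOCS = [
    "ddwl4m2hdecbv.cloudfront.net/b/",
    "b2bjsstore.s3",
    "s3-us-west-2.amazonaws.com/b2bjsstore",
    "s3.us-west-2.amazonaws.com/b2bjsstore",
    "reb2b.js",
]

def har_hits(har):
    """Map each matched indicator to the request URLs in a HAR dict that contain it."""
    hits = {}
    for entry in har.get("log", {}).get("entries", []):
        url = entry.get("request", {}).get("url", "")
        for ioc in IOCS:
            if ioc in url.lower():
                hits.setdefault(ioc, []).append(url)
    return hits

def audit_divergence(har_automation, har_ordinary):
    """Indicators seen with an ordinary browser UA but absent under an automation UA."""
    return sorted(set(har_hits(har_ordinary)) - set(har_hits(har_automation)))

def _har(urls):
    # Constructed minimal HAR structure; only the fields read above are present.
    return {"log": {"entries": [{"request": {"url": u}} for u in urls]}}

# Constructed captures of the same page (hypothetical site, GTM id and script path).
SAMPLE_AUTOMATION = _har([
    "https://www.example.com/",
    "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE",
])
SAMPLE_ORDINARY = _har([
    "https://www.example.com/",
    "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE",
    "https://s3-us-west-2.amazonaws.com/b2bjsstore/b/EXAMPLEKEY/reb2b.js.gz",
])

if __name__ == "__main__":
    print(json.dumps(har_hits(SAMPLE_ORDINARY), indent=2))
    print("only seen with ordinary UA:",
          audit_divergence(SAMPLE_AUTOMATION, SAMPLE_ORDINARY))
```

A non-empty result from `audit_divergence` means the automated scan did not see what real visitors load, so consent and sub-processor findings from that scan should not be relied on.
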
Ecosystem

Ecosystem & Supply Chain

RB2B operates as core infrastructure in a visitor deanonymization supply chain. Parent company Retention.com ($22M ARR, 6 employees) provides the technology platform. RB2B is loaded via Google Tag Manager on customer sites, often bundled by intermediaries including Warmly, Koala, and Knock2.ai (white-label using RB2B backend). The platform steals cookies from HubSpot and Facebook to build cross-site identity graphs. On RB2B's own site, 62 third-party vendors were detected including LeadRocket, Scoreplex, Aviato, LiveIntent, Peer39, and Sojern - creating a dense surveillance mesh. Data flows to IP-API for geolocation, then to customer CRMs (HubSpot, Salesforce) via integrations.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

49 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details