Theswarm | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Theswarm discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

27 detections across 25 sites7% pre-consent activity

MEDIUM

Pre-Consent Activity

Theswarm was observed loading and executing before user consent was obtained on 7% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

pending

UNKNOWN

They Claim

“Requires claims extraction via CDT”

Observed Behavior

Runtime evidence confirms C01/C06/C07/C08/C09/C10 activation

Customer Impact

What This Means For You

Marketing spend trains competitor deanonymization systems. Sales teams using Theswarm see which individuals visit your site, what content they engage with, and when buying intent signals appear. Legal holds 75% exposure risk from consent bypass and cross-domain tracking. Deanonymized profiles accessible to competitors.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Theswarm

→Immediate removal from deanonymization stack
→Legal review of identity data sharing agreements
→Audit CRM integrations for Theswarm data imports
→Notify DPO of consent bypass and cross-domain tracking

If You're Evaluating Theswarm

→First-party visitor identification alternatives
→Self-hosted identity resolution without data sharing
→Consent-compliant deanonymization under lawful basis

Negotiation Leverage

→Theswarm creates legal liability through consent bypass and cross-domain tracking
→100% CAC subsidization means visitor identities train competitor prospecting
→Deanonymized profiles accessible to competitors via shared platform
→Removal required before next privacy audit
→Session replay and behavioral biometrics violate privacy controls

Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

Impact: Bypasses consent controls to capture identity data regardless of user preferences

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures unique behavioral patterns for persistent identity resolution

BTI-C07Session Recording

Full session replay

Impact: Records visitor sessions including form interactions and navigation patterns

BTI-C08Cross-Domain Sync

Identity stitching

Impact: Tracks visitors across multiple domains for unified identity profiles

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Activates before consent mechanisms, defeating privacy controls

BTI-C10Fingerprinting

Device identification

Impact: Creates persistent visitor profiles for deanonymization

BTI-C14Identity Resolution

PII deanonymization

BTI-C15Tag Manager

Container/loader (neutral)

IOC Manifest

4 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

No indicators in this category

Ecosystem

Ecosystem & Supply Chain

Theswarm integrates with B2B data providers, CRM systems, and sales engagement platforms. Visitor identity data flows to deanonymization databases where competitors access identified visitor profiles. Cross-domain tracking enables visitor identification across customer properties and partner networks.

Loads (3)

Vector Linkedin Segment

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

6 detection signatures across scripts, domains, cookies, and network endpoints