They'll buy the md5-email-to-cookies from one provider (e.g. Lotame, Liveramp, etc) then use that to onboard email+contact data they've purchased from companies that have email address-to-personal data (e.g. MVF, ZoomInfo, etc).
IF that was done as purely a lead qualification step, it's a good way to take legitimate content syndication done by a third party into direct marketing, but there's no technical reason they need to be leads or have any level of qualification -- and only a weak market force (poor conversion rate) that prevents it from being more widespread.
I've been approached by a company that trades e-commerce transaction data, for personal data tied to IPs.
As in, you give me your customer data, and I'll tell you who visited your site based solely on the IP address.
We declined, but it's tempting.