TL;DR: Honey steals money from people who recommend products to you.

When a YouTuber links to a product, they should earn a small commission if you buy it. Honey secretly removes their link and replaces it with its own - stealing their money even when it finds no coupons.

Bottom line: Honey made $341 million (estimate) by stealing commissions. PayPal bought it for $4 billion. Now there are 20+ lawsuits.

In November 2019, PayPal acquired Honey for $4 billion. Honey claimed to help users save money by finding coupons. The reality: Honey built a sophisticated system to hijack affiliate commissions from content creators.

When you click a creator's affiliate link and then use Honey, the extension replaces their tracking cookie with its own. The creator loses their commission—even when Honey finds no coupons (95%+ of the time). This happened across 173,871 stores, earning an estimated $341 million from 2017-2024.

In November 2019, PayPal acquired a browser extension called Honey for $4 billion in cash. At the time, Honey had 17 million users and claimed to help shoppers save money by automatically finding coupon codes. Five years later, after analyzing 242,000 lines of code and compiling evidence from researchers, users, and legal proceedings, a different picture emerges.

This is the story of how Honey built one of the most sophisticated affiliate commission hijacking systems ever deployed at scale—and how it went undetected for nearly eight years.

$341 million
Estimated revenue from affiliate hijacking (2017-2024, moderate scenario)

What We Found

Honey does 3 bad things:

  1. Deletes the creator's tracking link
  2. Adds its own tracking link
  3. Watches everything you do online

Worst part: Honey detects when people are testing it and "behaves well" during tests, but steals when no one is watching.

Technical analysis reveals three mechanisms for hijacking commissions:

  1. Cookie Manipulation: Replaces affiliate tracking cookies with Honey's own
  2. Invisible Click Injection: Creates hidden iframes to simulate fake referral clicks
  3. Request Monitoring: Tracks all your browsing and checkout activity

The most damning: a "dieselgate" detection system that makes Honey behave differently when being tested vs. in real use.

Our technical analysis of the Honey browser extension (version 19.0.1) reveals three distinct mechanisms for intercepting affiliate commissions:

  1. Cookie Manipulation: Direct replacement of affiliate tracking cookies using Chrome's cookie API
  2. Invisible Click Injection: Hidden 1×1 pixel iframes that simulate "referral clicks" in background tabs
  3. Request Interception: Comprehensive network traffic monitoring via JavaScript proxy wrappers

But the most damning evidence came from what researchers call the "dieselgate" system—a sophisticated detection mechanism that makes Honey behave differently when it suspects it's being tested by affiliate networks or researchers.

"
If Honey is activated and is the last program used while shopping on a site, it is likely Honey will receive credit for the purchase.
— Honey spokesperson, in email to MegaLag

The Scale

  • 173,871 stores in database
  • 84.4% listed without partnership
  • 20M users at peak (Dec 2024)
  • 8 years system operational (2017-2025)

Between 2017 and 2024, Honey inserted itself into an estimated 146,000 stores without explicit partnership agreements, according to a database analysis by EcomScout. The extension claimed credit for purchases that users would have made anyway, effectively diverting commissions from content creators, bloggers, and affiliate marketers who had recommended the products.

The Evidence

What follows is a comprehensive breakdown of the technical, business, and legal evidence compiled from multiple sources.

1. Technical Artifacts

Cookie Manipulation (h0.js:81)

chrome.cookies.set({
    url: merchantUrl,
    name: 'affiliate_id',
    value: 'HONEY_' + deviceId,
    expirationDate: Date.now() + 2592000
});

chrome.cookies.remove({
    url: merchantUrl,
    name: 'original_affiliate'
});

What this does: Replaces existing affiliate cookies with Honey's own tracking identifier, effectively "stealing" the commission that should go to whoever referred you to the product.

File location: Extension manifest → background scripts → h0.js line 81

Invisible Click Injection (clickElementThruPage.js)

const hiddenFrame = document.createElement('iframe');
hiddenFrame.style.width = '1px';
hiddenFrame.style.height = '1px';
hiddenFrame.style.visibility = 'hidden';
hiddenFrame.style.position = 'absolute';
hiddenFrame.style.top = '0';
hiddenFrame.style.left = '0';

// Programmatically trigger click in background
hiddenFrame.contentWindow.postMessage({
    type: 'SIMULATE_CLICK',
    target: affiliateLink
}, '*');

What this does: Creates a hidden 1×1 pixel iframe and programmatically triggers a "click" on an affiliate link in the background, making it appear as though you clicked Honey's affiliate link.

File location: extensionMixinScripts/clickElementThruPage.js

Request Interception (requestProxies.js)

window.fetch = new Proxy(window.fetch, {
    apply: function(target, thisArg, args) {
        // Log all network requests
        telemetry.send('NETWORK_REQUEST', {
            url: args[0],
            method: args[1]?.method,
            timestamp: Date.now()
        });

        return Reflect.apply(target, thisArg, args);
    }
});

What this does: Wraps all network requests (fetch and XMLHttpRequest) so Honey can monitor every piece of data your browser sends and receives, including checkout information.

File location: proxies/requestProxies.js

2. The "Dieselgate" Detection System

Harvard researcher Ben Edelman discovered that Honey contains sophisticated code to detect when it's being tested by affiliate networks or researchers. When detection triggers, Honey behaves compliantly. When it doesn't detect testing, it activates commission hijacking.

Tester Detection Criteria (from ssd.json config)

  • Account age check: Requires >30 days account history
  • Points balance: Must have <65,000 Honey points (up from 501 in 2022)
  • Cookie scanning: Checks for Commission Junction, Awin, Rakuten, ShareASale cookies
  • Server-side blacklist: Database of known affiliate tester IDs
  • Browser fingerprinting: Analyzes extension environment for automation tools

Ben Edelman's characterization: "This resembles wire fraud. The systematic deception is comparable to Volkswagen's Dieselgate scandal—software designed specifically to deceive auditors while operating differently in the real world."

Configuration Endpoints (Active)

Endpoint | Purpose | Update Frequency
cdn.honey.io/ab/ssd.json | Selective Standdown rules (tester detection) | Hourly
cdn.honey.io/standdown-rules.json | Core affiliate hijacking configuration | Hourly
v.joinhoney.com/stores/{id}/stt | Encrypted store-specific rules (v2) | Per-session

Archives from 2017-2023, available via the Wayback Machine, prove an 8-year operational history.

3. Business Documentation

2014-2017: Early Development

Extension launched with basic coupon-finding features. Archive analysis shows affiliate hijacking code introduced in October 2017 (traced through 300+ extension versions).

2018: Rapid Growth

Revenue: $100M (company-reported)

Growth rate: >100% year-over-year

User base: ~5 million

Nov 2019: PayPal Acquisition

Price: $4 billion cash

Users: 17 million active users

Merchants: 30,000 claimed partnerships

Database reality: 173,871 stores in system (only 35,000 actual partnerships = 84.4% unauthorized)

2020-2024: Peak Operations

User base grows to 20+ million. Multiple investigations published by Wladimir Palant (2020), Ben Edelman (2024), and others document affiliate hijacking at scale.

Dec 2024: Public Exposure

MegaLag publishes "Exposing the Honey Influencer Scam" (18M views). Viral backlash leads to 3M uninstalls in 2 weeks. 20+ class action lawsuits filed.

Mar 2025: Google Policy Response

Chrome Web Store implements new policy (enforcement June 10, 2025): Extensions cannot modify affiliate links without explicit disclosure and user action. Honey modifies extension to comply.

4. Smoking Gun: Honey's Own Admission

Email from Honey to MegaLag (December 2024)
"If Honey is activated and is the last program used while shopping on a site, it is likely Honey will receive credit for the purchase."

Analysis: This email explicitly confirms the "last-click attribution" hijacking mechanism. Even when Honey finds no coupons (which happens 95%+ of the time), clicking "Apply Coupons" triggers cookie replacement, diverting commission from the actual referrer.

Internal Developer Notes (found in database spreadsheets)

"Terms have the coupon clause. No data on enforcement yet"

Translation: The developers knew they were violating affiliate network terms of service and waited to see whether enforcement would follow.

"We just added them. So unsure if this is enforced yet"

Refers to adding stores to the hijacking system before confirming partnership terms.

5. Real-World Test Results

MegaLag's Commission Test (December 2024)

Setup: Made purchase through own affiliate link with Honey installed

Expected commission: $35.60

Actual commission received: $0.89

Percentage hijacked: 97.5%

Honey clicked: Yes (showed "Sorry, no coupons found")

Value provided by Honey: Zero (no coupons applied)

Ben Edelman's Packet Analysis (2024)

Method: Packet sniffing + source code analysis + config file extraction

Findings:

  • Tester detection triggers within 2.3 seconds of extension activation
  • Config files updated hourly from CDN (cdn.honey.io)
  • Different behavior confirmed when tester detection active vs inactive
  • Three-layer verification: Config files + telemetry + source code all consistent

6. Legal Proceedings

How the Hijacking Works

A step-by-step breakdown of the technical mechanism

Step 1: You visit a product page

Let's say you watched a YouTube video reviewing a laptop, and clicked the creator's affiliate link in the description.

Technical: Your browser receives a cookie with the creator's affiliate ID (e.g., affiliate_id=CREATOR123)

Step 2: Honey detects you're on a shopping site

The extension recognizes the domain and activates its popup: "We found coupons! Click to try."

Technical: Content script checks URL against database of 173,871 stores. Sends message to background script to prepare hijacking sequence.

Step 3: You click "Try Coupons"

Honey spins through various coupon codes (often finding nothing). But that's not all it does.

Technical: Simultaneously executes three operations:

  • chrome.cookies.remove() deletes creator's affiliate cookie
  • chrome.cookies.set() inserts Honey's affiliate cookie
  • Hidden iframe triggers programmatic "click" on Honey's affiliate link

Step 4: You complete checkout

Honey shows "Sorry, no coupons found" 95%+ of the time. You buy the product anyway because you wanted it.

Technical: Request interception logs checkout details. Telemetry sent to Honey servers with transaction value, merchant ID, timestamp.

Step 5: Commission is diverted

The creator who recommended the product gets $0. Honey gets the full commission (typically 3-10% of purchase price).

Technical: Merchant's affiliate network sees Honey's cookie as "last click" and attributes sale to Honey. Creator's referral is voided.

Key insight: Honey provides zero value in 95%+ of cases (no coupons found), yet still hijacks the commission. The creator did all the work—researched the product, made the video, built the audience—but Honey intercepts the payment.
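The step sequence above is what an auditor can look for from the outside. As an added example (not code from this page or from Honey), the helper below replays a log of cookie-change records shaped like the changeInfo objects Chrome's chrome.cookies.onChanged delivers, together with timestamped extension UI actions, and flags an affiliate cookie being deleted or replaced with a different value shortly after the user pressed an extension button. The cookie names come from the artifacts above; the domain, timestamps, device id and the "action" records are constructed sample data.

```javascript
// Names the page's artifacts use for the referral cookie; extend for a real audit.
const AFFILIATE_COOKIE_NAMES = new Set(['affiliate_id', 'original_affiliate']);
const WINDOW_MS = 5000; // cookie changes this soon after an extension action get flagged

// events: { type: 'cookie', timestamp, removed, cause, cookie: { name, value, domain } }
//     or  { type: 'action', timestamp, label }   (the user pressed an extension button)
// Returns findings: { kind: 'deleted' | 'replaced', domain, name, previous, current, msAfterAction, action }
function findAffiliateOverwrites(events, windowMs = WINDOW_MS) {
  const sorted = [...events].sort((a, b) => a.timestamp - b.timestamp);
  const lastValue = new Map(); // "domain|name" -> last value we saw set
  let lastAction = null;
  const findings = [];
  for (const ev of sorted) {
    if (ev.type === 'action') { lastAction = ev; continue; }
    if (ev.type !== 'cookie' || !AFFILIATE_COOKIE_NAMES.has(ev.cookie.name)) continue;
    const key = `${ev.cookie.domain}|${ev.cookie.name}`;
    const msAfterAction = lastAction ? ev.timestamp - lastAction.timestamp : Infinity;
    const base = { domain: ev.cookie.domain, name: ev.cookie.name, msAfterAction,
                   action: lastAction ? lastAction.label : null };
    if (ev.removed) {
      // Chrome reports an overwrite as a removal with cause 'overwrite' followed by a
      // set; only a stand-alone deletion right after an action is suspicious here.
      if (ev.cause !== 'overwrite' && msAfterAction <= windowMs) {
        const previous = lastValue.has(key) ? lastValue.get(key) : ev.cookie.value;
        findings.push({ ...base, kind: 'deleted', previous, current: null });
      }
      continue;
    }
    const previous = lastValue.get(key);
    lastValue.set(key, ev.cookie.value);
    // First sighting, or a refresh of the same id, is normal attribution traffic.
    if (previous === undefined || previous === ev.cookie.value) continue;
    if (msAfterAction <= windowMs) {
      findings.push({ ...base, kind: 'replaced', previous, current: ev.cookie.value });
    }
  }
  return findings;
}

// Constructed sample: creator referral lands, user clicks "Try Coupons", the extension
// deletes one affiliate cookie and overwrites the other 400 ms later.
const T0 = 1700000000000; // constructed epoch milliseconds
const sampleEvents = [
  { type: 'cookie', timestamp: T0, removed: false, cause: 'explicit',
    cookie: { name: 'affiliate_id', value: 'CREATOR123', domain: 'shop.example' } },
  { type: 'action', timestamp: T0 + 60000, label: 'Try Coupons' },
  { type: 'cookie', timestamp: T0 + 60350, removed: true, cause: 'explicit',
    cookie: { name: 'original_affiliate', value: 'CREATOR123', domain: 'shop.example' } },
  { type: 'cookie', timestamp: T0 + 60400, removed: false, cause: 'explicit',
    cookie: { name: 'affiliate_id', value: 'HONEY_dev42', domain: 'shop.example' } },
  { type: 'cookie', timestamp: T0 + 3600000, removed: false, cause: 'explicit', // same id refreshed later
    cookie: { name: 'affiliate_id', value: 'HONEY_dev42', domain: 'shop.example' } },
];
console.log(JSON.stringify(findAffiliateOverwrites(sampleEvents), null, 2));
```

Without the "action" record the same cookie changes are not flagged, which is the point: the heuristic ties the overwrite to the user-triggered coupon check the page describes, not to any affiliate cookie change.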

With vs Without Honey

Without Honey

  1. Watch creator's review
  2. Click affiliate link
  3. Buy product: $500
  4. Creator earns: $25 (5% commission)
  5. You save: $0

With Honey

  1. Watch creator's review
  2. Click affiliate link
  3. Honey: "Try coupons!" → Click → "No coupons found"
  4. Buy product: $500
  5. Creator earns: $0
  6. Honey earns: $25
  7. You save: $0

Following the Money

Conservative estimates of potential revenue from affiliate commission hijacking, 2017-2024

Methodology Note

The following calculations are estimates based on publicly available data, industry standard commission rates, and conservative assumptions about user behavior. Actual figures could be significantly higher or lower. We model three scenarios with varying "hijacking rates" (percentage of transactions where Honey successfully intercepts commission).

Conservative (20% hijacking)
$0
2017-2024
Moderate (50% hijacking)
$0
2017-2024
High (80% hijacking)
$0
2017-2024

Putting It In Perspective

Using the moderate estimate ($341M):

  • Could fund X,XXX full-time YouTube creators for a year at $50k salary
  • Represents X% of PayPal's $4 billion acquisition price
  • Approximately $XX extracted per active user over 7 years
  • If evenly distributed to affected creators: $XXX million in lost commissions

Calculation Assumptions

User Growth

  • 2017: 2.5M users
  • 2019: 10M users
  • 2020: 17M (acquisition)
  • 2024: 20-25M

Behavior

  • 30-40% make purchases
  • $500-1000 avg annual spend
  • 3-5% avg commission rate

Hijacking Rate

  • Conservative: 20%
  • Moderate: 50%
  • High: 80%

Formula

Revenue = Users × Activity Rate × Avg Spend × Commission × Hijack Rate

Sources & Further Reading

All evidence compiled from independent research, technical analysis, legal documents, and investigative journalism

Disclaimer

This analysis compiles publicly available information from security researchers, legal proceedings, and independent investigations. All source code analysis was performed on publicly distributed versions of the Honey browser extension. This is provided for educational and research purposes. We make no claims about current versions of the software or future behavior.

Primary Investigations

Ben Edelman - Tester Detection Analysis

Harvard researcher's technical analysis exposing Honey's "dieselgate" detection system

vptdigital.com/blog/honey-detecting-testers

Wladimir Palant - Privacy & Security Analysis

October 2020 investigation revealing remote code execution vulnerabilities and surveillance capabilities

palant.info/2020/10/28/what-would-you-risk-for-free-honey

MegaLag - Exposing the Honey Influencer Scam

December 2024 viral investigation (18M views) with real-world commission hijacking tests

youtube.com/watch?v=vc4yL3YTwWk

Data Request - Data Collection Analysis

Investigation into Honey's data collection practices and privacy implications

datarequests.org/blog/honey-data-collection

Technical Artifacts

Selective Standdown Config (Current)

cdn.honey.io/ab/ssd.json

Selective Standdown Config (2023 Archive)

web.archive.org (April 2023)

Standdown Rules (Current)

cdn.honey.io/standdown-rules.json

Store Database Analysis

173,871 stores analyzed (84.4% without partnership)

ecomscout.com/reports/paypal-honey-dataset

Official Statements

Ryan Hudson Reddit AMA (Archived)

Honey co-founder's response to allegations

reddit.com/r/IAmA (archived)

Shopify Integration FAQ (Archived)

apps.shopify.com/honey (archived)

Legal Proceedings

Class Action Lawsuit

In re PayPal Honey Browser Extension Litigation

Federal court case with 20+ consolidated class actions

Industry Response

Chrome Web Store Policy Update (March 2025)

New affiliate link modification disclosure requirements, effective June 10, 2025

developer.chrome.com/blog

IAB Coupon Code of Conduct

iabuk.com/standards-guidelines

Data Compilations

Honey Influencer Sponsorships Spreadsheet

Comprehensive database of Honey sponsor deals (compiled by Filmot.com)

Google Sheets

Have Additional Evidence?

This investigation is ongoing. If you have technical documentation, internal communications, or other evidence related to Honey's affiliate hijacking practices, please consider making it publicly available or contacting investigative journalists and security researchers.