
Commission Attribution Theft via Browser Extensions

TrafficWatchdog team

30.07.2025

source: own elaboration

In affiliate marketing, every partner link contains a unique tracking identifier (a cookie or URL parameter) that allows commission to be attributed to the correct publisher. Fraud consists of hijacking this attribution—claiming credit for the work of another publisher or partner, usually without the advertiser’s or original partner’s knowledge. One such method is known as cookie stuffing, which involves “injecting” affiliate cookies into a user’s browser without their awareness. These artificial cookies increase the chances that the fraudster—not the legitimate traffic source—will receive commission for a purchase.

How plugin-based fraud works

Most often, browser extensions with broad permissions are used to manipulate the purchasing process. These activities generally fall into two categories:

Malicious extensions (malware): Fraudsters publish malicious extensions or take over otherwise legitimate ones (e.g., via supply chain attacks) and insert code that automatically injects affiliate links or partner cookies into every visited store page. One example is the “Dormant Colors” campaign—Guardio Labs discovered several extensions that automatically redirected users to the same shopping sites with added affiliate parameters, so every subsequent purchase generated commission for the plugin authors. Similarly, AdGuard researchers found that hijacked plugins (e.g., fake ad blockers) could silently inject affiliate cookies into the user’s browser. Traffic driven by such plugins is considered invalid: TrafficWatchdog defines Invalid Clicks as those generated by automated programs or malware, with no real intention to purchase.

Seemingly helpful extensions (cashback, charitable, coupon-based): Many plugins promote themselves as money-saving tools or those supporting social causes (e.g., auto-finding discount codes, cashback features, or donating a share of commission to charities). For instance, the popular plugin Honey (now PayPal Honey) promises users the best discount codes, but investigators accused it of "dropping" original affiliate links from content creators and injecting its own tracking links at the final stage of purchase. Other extensions such as Rakuten, Ibotta, Cently, Coupert, Swagbucks, and Karma (CashBack & Donations) operate similarly. The user sees a notification about a found discount or cashback offer and clicks through—meanwhile, the plugin quietly replaces the influencer’s cookie with its own. As a result, the plugin—not the original content creator—gets the “last click” credit and earns the commission. Google responded to the Honey scandal by updating its Chrome policy: extensions are now banned from injecting affiliate links unless they provide clear value to the user. In other words, affiliate links can no longer be "snuck in" unless they offer a real discount, rebate, or other evident benefit to the buyer.

Commission hijacking workflow

A typical scenario looks like this:

Initial setup: A content creator or store provides the user with a valid affiliate link (e.g., in an article, newsletter, or video). If the user makes a purchase, the creator should earn a commission.

Plugin interference: As the user browses products and nears checkout, the plugin detects this behavior—perhaps showing a pop-up offering to search for discounts or promising cashback.

Injecting its own attribution: Even if no additional discount is applied, the plugin replaces the original affiliate cookie (or link) with its own tracking ID. This causes the affiliate system to credit the extension with the “last click.”

Payout: The plugin’s partners (usually the affiliate platform operator) receive the commission from the sale—at the expense of the creator who actually drove the customer to the site.

This “theft machine” is remarkably efficient: even if the creator’s original promotion worked perfectly, one swapped parameter can reroute the money to a fraudster. As a result, affiliate platforms and advertisers end up paying commission for sales that were effectively “hijacked” by browser plugins. As affiliate expert Lee-Ann Johnstone points out, after reviewing the data, total sales usually remain the same, but commission spending drops—because fraudsters don’t share part of the margin via legitimate discounts or codes.

Real-world cases

In recent years, major corporate cases have revealed the scale of the problem. The Capital One Shopping extension (formerly Wikibuy) was sued for generating “fake clicks” and hijacking commission through artificial interaction just before purchase. Similarly, the PayPal Honey case erupted after bloggers exposed how Honey’s code-switching system “stole” influencer revenue. Google then updated Chrome Web Store policies, banning extensions from automatically replacing affiliate links.

Fraudsters rely on many popular plugins. Investigations have named tools such as Honey (PayPal), Rakuten, Piggy, SlickDeals, CamelCamelCamel (Camelizer), Avast SafePrice, Coupert, Earny, BeFrugal, RetailMeNot, Drop, Ibotta, Cently, Swagbucks, CouponCabin, Karma, and others. They typically follow the same pattern: the plugin offers the user a cashback percentage or donation to charity—and in exchange, hijacks the commission. For example, the Karma plugin advertises itself as a tool that shares its earnings with selected charities. But even in such cases, one must carefully verify whether the original traffic creator’s affiliate code is being replaced by another.

How to detect and prevent fraud

Although these abuses are hard to detect with the naked eye, analytical tools and procedures are available that significantly complicate fraudsters’ operations. For instance, TrafficWatchdog offers a ClickScanner module that monitors ad campaign clicks for irregularities. This technology identifies “invalid clicks” based on IAB standards—i.e., traffic generated by bots or programs without genuine purchase intent. This enables the detection of mass clicking from malware or suspicious actions performed through extensions.

A proper affiliate audit should also include an analysis of conversion patterns: for example, a sharp drop in affiliate revenue despite steady sales may indicate commission hijacking. Manual checks are also important—comparing cookie and tracking logs, and contacting the affiliate platform if doubts arise. Tools like ClickScanner don’t block extensions themselves, but they do facilitate fraud detection by flagging unusual traffic and issuing alerts.

Finally, it’s wise to follow Google’s recommendations: install only trusted extensions and periodically review the permissions of those already installed. On the e-commerce side, it’s helpful to monitor commission payout data for unfamiliar “secondary affiliates”: a partner that suddenly reports a high volume of last clicks while organic traffic is unchanged is a red flag.
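As an added illustration (not TrafficWatchdog’s or ClickScanner’s code), the log comparison recommended above and the last-click swap from the hijacking workflow in one script: it parses a constructed attribution log, flags sessions where the credited partner’s cookie replaced another partner’s cookie shortly before the order with no landing through that partner’s link, and reports what share of each partner’s credited orders came from such swaps. The log format, event names, partner ids and the 10-minute window are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample tracking log (not real data): "timestamp session event
# partner". landing = arrival via that partner's link (sets its cookie);
# cookie_set = cookie overwritten without a landing; order = conversion
# credited to the last-click partner.
SAMPLE_LOG = """\
2025-07-30T10:00:00 s1 landing creator_42
2025-07-30T10:14:50 s1 cookie_set ext_coupon
2025-07-30T10:15:10 s1 order ext_coupon
2025-07-30T11:00:00 s2 landing creator_42
2025-07-30T11:09:00 s2 order creator_42
2025-07-30T12:00:00 s3 landing ext_coupon
2025-07-30T12:05:00 s3 order ext_coupon
"""

def parse_log(text):
    # Group events by session id, each list sorted by timestamp.
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, sid, event, partner = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), event, partner))
    return {sid: sorted(ev) for sid, ev in sessions.items()}

def find_suspicious_swaps(sessions, window_s=600):
    """Flag sessions where the credited partner's cookie replaced another partner's
    cookie shortly before the order although the user never landed via its link."""
    findings = []
    for sid, events in sessions.items():
        orders = [e for e in events if e[1] == "order"]
        if not orders:
            continue
        order_ts, _, credited = orders[-1]
        landed = {p for _, ev, p in events if ev == "landing"}
        cookies = [(ts, p) for ts, ev, p in events
                   if ev in ("landing", "cookie_set") and ts <= order_ts]
        for (_, prev), (ts, new) in zip(cookies, cookies[1:]):
            lead = int((order_ts - ts).total_seconds())
            if new != prev and new == credited and new not in landed and lead <= window_s:
                findings.append({"session": sid, "original": prev,
                                 "credited": new, "seconds_before_order": lead})
    return findings

def swap_share_by_partner(sessions, findings):
    """Share of each partner's credited orders that came from flagged swaps."""
    credited = Counter(p for ev in sessions.values() for _, e, p in ev if e == "order")
    swapped = Counter(f["credited"] for f in findings)
    return {p: swapped[p] / n for p, n in credited.items()}
```

A partner whose share stays near zero earned its last clicks through real visits; a partner that gains most of its credit from swaps is the “secondary affiliate” worth querying with the affiliate platform.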

In short: the key is combining campaign monitoring with trustworthy traffic analysis tools. This makes it possible to identify that a legitimate traffic creator lost commission due to plugin activity—before serious losses occur.

Sources: Industry articles and research (Times of India, Affiverse, Guardio/Bleeping Computer, AdGuard)
