Cookie StuffingHow This Affiliate Fraud Tactic Has Changed & Evolved

Cookie Stuffing: What Will Advertisers Face Next in a Post-Cookie World?

Cookie stuffing. The term may sound like it describes chocolate chips or marshmallows. In the world of affiliate advertising, though, it’s a devious way for fraudsters to siphon away unearned money behind an advertiser’s back.

Affiliate marketing is a marketing channel where publishers earn a commission by promoting another brand’s product or service. Affiliate marketing fraud, or affiliate fraud, is a process where criminals circumvent the system in order to claim unearned sales commissions.

Done correctly, affiliate marketing can be a robust tool for driving traffic to your website. However, fraud from illegitimate schemes means you could be paying commissions on bogus sales. If you work with affiliates, you need to get the scoop on cookie stuffing… before you get burned.

What is Cookie Stuffing?

Cookie Stuffing

[noun]/kʊ ● kē ● stu ● fiNG/

Cookie stuffing is a practice by which a fraudster uses web cookies to collect affiliate commissions on goods they did not sell.

Affiliate marketers use cookies to promote brands by embedding a unique tracking code in a marketing link. Cookies let brands measure an affiliate's performance, while affiliates can earn commissions based on the traffic or conversions they bring to the brand's website. The advertiser only pays out when they make a sale, while the affiliate can earn passive income through their online presence.

At least, that’s how it’s supposed to work.

In contrast to the legitimate use of cookies by affiliate marketers, cookie stuffing is considered a black-hat marketing technique. It’s a practice by which fraudsters use cookies to collect commissions on goods they didn’t really sell. So, the scammer is basically tricking their advertiser into paying for customer traffic that the affiliate never actually produced.

How Does Cookie Stuffing Work?

The fraudster begins by joining an online affiliate community or developing independent relationships with advertisers. Then, every time someone lands on the fraudster’s site, they attach a number of third-party cookies to the user’s web browser, mostly tied to major retailers like eBay, Amazon, Walmart, etc. Later, if that user happens to visit one of these sites and make a purchase, the cookie would make it appear to the advertiser that the lead was driven by the affiliate.

Common methods fraudsters use to sneak cookies onto a site include:

Consumers have to click through from the affiliate’s site to the advertiser’s site and make a purchase to legitimize a commission. With cookie stuffing, though, the advertiser pays a commission, even though the fraudster didn’t earn it. The fraudulent cookie might even override another cookie placed by a legitimate affiliate, meaning they don’t get the commission they earned.

Cookie Stuffing Case Study: The Honey Browser Extension

Honey was founded in 2012 as a deal-finding browser extension. The value proposition for shoppers was extremely straightforward: install the free extension, and it would find and automatically apply the best coupon codes for buyers at checkout.

In 2020, PayPal acquired Honey for roughly $4 billion in cash. At the time, it was PayPal’s biggest acquisition ever. The only problem was that Honey’s business model was essentially cookie stuffing.

In December 2024, YouTuber MegaLag conducted a technical deep-dive into Honey, showing that the browser extension replaced affiliate-tracking cookies from honest referrers with its own at checkout — fraudulently stealing commissions in a classic cookie stuffing scheme. MegaLag’s investigation also showed that Honey scammed consumers too. Instead of providing the best coupon at checkout, Honey would intentionally hide better offers in order to display coupon codes from its own partnering stores.

Following these allegations, YouTubers LegalEagle, Wendover Productions, and others filed a class action against Honey. In March 2025, Google also updated its Chrome Web Store policies to prohibit extensions from claiming affiliate commissions without providing discounts to users.

This double whammy was devastating for Honey. Within two weeks of MegaLag’s investigation, Honey had lost about 3 million users. The browser extension lost another million users following Google’s policy changes. By the end of 2025, Honey had lost 8 of its 20 million users, and in January 2026, Rakuten Advertising, one of the world’s largest affiliate networks, ditched the Honey browser extension.

In the same month, PayPal acknowledged that Honey had been stealing commissions and disabled the code. However, the company took a defensive stance, stating that “The code causing this behavior has been identified and no longer has an impact. The code was implemented prior to PayPal’s acquisition, and appears to affect less than 0.1% of Honey’s traffic.” Nonetheless, the scandal did serious damage to Honey’s brand reputation.

Is Cookie Stuffing Still a Threat?

While better browser detection has made it more difficult for affiliate fraudsters to engage in cookie stuffing, this threat is far from neutralized. An estimated 17% of affiliate traffic remains fraudulent, a threat that costs businesses an estimated $3.4 billion a year.

One reason for this is because browsers have delayed deprecation of third-party cookies. For example, Google originally announced that third-party cookies would be going away on Chrome, the world’s most popular browser by market share, by the end of 2024. But, in April 2025, Google reversed course, saying instead that third-party cookies would remain in chrome by default. Users, meanwhile, could decide whether to allow or block third-party cookies themselves.

For this reason, cookie stuffing remains an active threat for merchants. Here’s an overview of the situation:

In 2020, Google announced its intention to phase out third-party cookies in its Chrome browser by the end of 2023. This decision was made in response to growing privacy concerns and regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). While other browsers like Safari and Firefox had already taken steps to block third-party cookies, Chrome's dominance in the browser market made this a significant development.

Except... that didn’t happen. In mid-2025, Google axed their initial decision to deprecate third-party cookies. To ease privacy concerns, users could instead configure their own cookie and privacy settings.

To give users more control over their cookie settings, Google launched the Privacy Sandbox, a privacy-preserving initiative for the web. One of the key technologies under this initiative was the Federated Learning of Cohorts (FLoC). Instead of tracking individual browsing behavior, FLoC groups users with similar browsing patterns into “cohorts.” Advertisers can then target these cohorts without directly accessing individual user data. This provided a level of user privacy while still enabling targeted advertising.

However, after six years of opposition from the ad industry, regulatory pressure surrounding anti-competitive practices, and a lack of interest from users, Google officially retired the Privacy Sandbox Initiative in October 2025.

We’re essentially back to square one: third-party cookies aren’t going away, after all. This means that affiliates can continue to conduct cross-site tracking and deliver personalized ads to users.

It also means that cookie stuffing remains an ever-present threat, even though it’s become more targeted and arguably less of a concern than before. However, as the Honey incident illustrates, it would be remiss for merchants to dismiss cookie stuffing as a threat from a bygone era. In many cases, this scam is alive and well.

Legal Consequences of Cookie Stuffing

Many affiliate marketing networks explicitly prohibit cookie stuffing. But this fraudulent practice isn’t just a private matter between affiliates. In certain cases, it can become a criminal matter, too.

Specifically, cookie stuffing has been successfully prosecuted as a form of federal wire fraud under 18 USC § 1343, which carries a maximum penalty of up to 20 years in prison.

Two notable criminal cookie stuffing incidents unraveled when eBay collaborated with the FBI to launch a sting investigation beginning in June 2006. The operation, codenamed “Trip Wire,” targeted two affiliate marketers, Shawn Hogan and Brian Dunning. During the investigation, eBay and the FBI uncovered that Hogan and Dunning had earned a combined $35 million in affiliate commissions they were not entitled to via cookie stuffing.

Both defendants were subsequently convicted of wire fraud. Hogan was sentenced to five months in federal prison, fined $25,000, and ordered to serve three years of probation. Dunning, meanwhile, received a 15-month prison sentence.

How Can I Identify Cookie Stuffing?

Concerned that some of your affiliates may be engaged in cookie stuffing? Here are a few signs to look for that might suggest your partners are up to no good:

Know Your Affiliates

Implementing manual approval is one of the best methods to ensure that your affiliates are honest. Each applicant to your affiliate program should be screened and reviewed to ensure that it is a reputable and trusted lead source. You can also look into each applicant’s customer service skills to know that they will represent your brand well.

Of course, affiliate cookie stuffing is only one of many potential threats to your next ad campaign. Other malicious forms of affiliate fraud are out there waiting to drain your campaign and flood your business with costly chargebacks.

Chargebacks911® offers products specifically designed to detect, identify, and prevent fraud and chargebacks. Regardless of the size of your affiliate marketing campaign, we can help optimize your advertising, reduce risk, and turn potential liabilities into profit opportunities. Contact us today to learn more.