Cookie stuffing has plagued affiliate marketing for over two decades, costing merchants millions in fraudulent commissions while legitimate affiliates watch their earnings vanish. For anyone working in performance marketing today, understanding this form of fraud is essential, not just to protect your program, but to recognise how enforcement has evolved from civil disputes to federal criminal prosecutions.
This guide traces cookie stuffing from its origins through the landmark eBay prosecutions to the current PayPal Honey controversy, examining what it is, how it works, and why it remains a persistent threat despite high-profile convictions.
Cookie stuffing, also known as cookie dropping, is an affiliate fraud technique where tracking cookies are placed on users' browsers without their knowledge or consent. The fraudster then claims commissions on purchases they played no role in generating.
In legitimate affiliate marketing, the process works simply: a consumer clicks an affiliate's link, a tracking cookie is placed in their browser, and if they subsequently make a purchase, the affiliate earns a commission. The cookie serves as proof that the affiliate drove the sale.
Cookie stuffing subverts this system entirely. The fraudster places cookies on browsers without any click, any referral, or any legitimate promotional activity. If those users happen to purchase something from the merchant later, the fraudster receives credit for sales they never influenced.
The fundamental principle that makes affiliate marketing work is attribution: paying partners who actually drive business. Cookie stuffing breaks this attribution, stealing revenue from merchants, legitimate affiliates, and ultimately consumers who face higher prices as fraud costs get passed along.
Fraudsters have developed increasingly sophisticated techniques over the years. Understanding these methods helps affiliate managers identify suspicious activity in their programs.
Invisible Image Pixels: The simplest and oldest method involves embedding tiny 1×1 pixel images that are invisible to users. When a browser loads the page, it requests the image from a server that responds by setting an affiliate cookie. Users never see anything, but they've been tagged.
Hidden iFrames: An inline frame embeds one HTML page within another. Fraudsters create invisible iFrames that load merchant affiliate pages in the background. The user's browser processes these hidden pages, setting cookies without any visible indication.
JavaScript Injection: Malicious JavaScript code executes automatically when a page loads, redirecting users through affiliate links in the background or directly setting cookies without any redirect at all. This method can be embedded in compromised websites, browser extensions, or third-party scripts.
Pop-Unders: Unlike traditional pop-ups that appear in front of content, pop-unders open behind the current browser window. These hidden windows load affiliate links, set cookies, and close before users notice them.
Browser Extensions: Perhaps the most concerning evolution involves browser extensions that users voluntarily install. These extensions can intercept traffic, modify requests, and inject affiliate cookies across any website the user visits. The PayPal Honey case demonstrates how this vector can operate at massive scale.
Referrer Obfuscation: Sophisticated cookie stuffers use redirect chains through multiple domains to hide the true source of the cookie. Research from 2015 found that over 84% of fraudulent affiliate cookies employed some form of referrer obfuscation to evade detection.
The defining moment for cookie stuffing enforcement came not from a contract dispute or civil lawsuit, but from the FBI's Cyber Crimes Division. What started as eBay investigating suspicious traffic patterns culminated in federal wire fraud prosecutions that established cookie stuffing as a criminal offense.
Shawn Hogan was not a shadowy fraudster operating from the dark corners of the internet. He was the founder and CEO of Digital Point Solutions, a legitimate business software company, and the owner of Digital Point Forums, one of the largest webmaster communities of its era. He was also, by 2006, eBay's single largest affiliate.
The problem was how he achieved that status.
According to court documents, Hogan's scheme operated from approximately 2003 until mid-2007. His method involved modifying his websites to load resources from eBay's servers, thereby setting affiliate cookies on visitors' browsers without any click on an eBay advertisement. When those users later made purchases on eBay, Hogan received commission credit.
The sophistication of the operation made it particularly difficult to detect. Hogan allegedly:
When Commission Junction questioned Hogan about his traffic sources in 2005, he denied any terms of service violations. This denial would later contribute to wire fraud charges, as prosecutors argued it demonstrated intent to deceive.
In August 2008, eBay filed a civil lawsuit against Hogan, Brian Dunning, and Todd Dunning, accusing them of fraud, racketeering under RICO statutes, wire fraud, and unauthorized access to eBay's servers. The civil case was paused when federal prosecutors took interest.
On June 24, 2010, a California grand jury indicted Hogan on ten counts of wire fraud. The charges alleged that between 2006 and June 2007 alone, Hogan earned approximately $15.5 million in commissions from eBay through the cookie stuffing scheme. His total earnings from eBay exceeded $28 million.
The legal theory was significant: wire fraud charges were established not because commission payments crossed state lines, but because the transmission of cookies between states and internationally constituted wire fraud. This interpretation created precedent for treating cookie stuffing as a federal offense.
After years of legal proceedings, Hogan pleaded guilty to a single count of wire fraud in December 2012. In May 2014, he was sentenced to five months in federal prison and fined $25,000. Given the alleged $28 million in fraudulent commissions, the sentence struck many in the industry as remarkably light.
Brian Dunning ran Kessler's Flying Circus and was eBay's second most prolific affiliate. Court documents alleged he employed similar techniques to Hogan, earning approximately $5.3 million in commissions between 2006 and June 2007.
During legal proceedings, Dunning admitted to collaborating with Hogan in executing the fraud, claiming he offered to teach Hogan key techniques. Hogan denied this, alleging Dunning copied his methods. Dunning also alleged he paid an account manager at Commission Junction for insider knowledge of how the affiliate network operated, though this claim was never officially confirmed.
Dunning was indicted on five counts of wire fraud. Like Hogan, he eventually pleaded guilty to a single count and was sentenced to 15 months in prison followed by three years of supervised release.
The eBay prosecutions extended beyond the primary perpetrators to those who enabled cookie stuffing at scale. Christopher Kennedy created SauceKit, a cookie stuffing program he sold through his website and promoted on black hat marketing forums.
For $450 per month, SauceKit provided turnkey cookie stuffing capabilities. The service generated and served image links that performed cookie stuffing on behalf of clients. Kennedy allegedly posted that one client made almost $10,000 in a single month using the software.
Despite receiving a cease and desist letter from eBay in March 2009, Kennedy continued selling SauceKit. An FBI informant purchased the software in August 2009, establishing evidence for criminal charges.
In February 2010, Kennedy was charged with conspiracy to commit wire fraud. When federal authorities confiscated his servers, they allegedly seized his customer list, creating concern among buyers that they could face investigation themselves.
Kennedy pleaded guilty and in June 2012 was sentenced to six months in prison, three years of supervised release with significant restrictions on computer use, and ordered to pay $407,934.39 in restitution to eBay.
The eBay prosecutions established several critical precedents that continue to shape affiliate fraud enforcement:
Cookie stuffing constitutes wire fraud. The transmission of cookies across state lines satisfies the “wire” element of the offense, regardless of whether commission payments themselves crossed state lines.
Denying TOS violations can strengthen fraud charges. When Hogan and Dunning denied cookie stuffing to Commission Junction, prosecutors used these denials as evidence of intent to deceive.
Creating and selling fraud tools carries criminal liability. Kennedy's prosecution demonstrated that enabling fraud, not just committing it directly, can result in federal charges.
Prison sentences are possible. While the sentences were relatively light given the amounts involved, they established that cookie stuffing can result in incarceration, not just financial penalties.
Nearly a decade after the eBay prosecutions concluded, cookie stuffing returned to headlines through an unlikely source: a browser extension owned by PayPal that 20 million people had voluntarily installed.
In December 2024, YouTuber MegaLag released an investigative video that would reshape how the affiliate industry viewed browser extensions. After analysing hundreds of documents and communications between Honey and merchants, the investigation alleged that PayPal's Honey browser extension systematically replaced content creators' affiliate tracking cookies with its own.
The mechanism was sophisticated. When a user with Honey installed approached checkout on a merchant's website, the extension would allegedly:
Critically, this allegedly occurred regardless of whether Honey actually provided any coupon code or discount. The extension marketed itself as a coupon finder, but the cookie replacement allegedly happened even when no coupons were available or when users dismissed the Honey popup without using it.
The effect on content creators was significant. If an influencer promoted a product through their affiliate link, and their viewer had Honey installed, the commission from that sale could be redirected to PayPal even though Honey played no role in driving the purchase.
The market response was swift and dramatic. Within two weeks of the MegaLag video publication, Honey lost approximately 3 million of its 20 million Chrome users. By July 2025, user numbers had dropped to 14 million, representing a 30% decline from pre-controversy levels.
Major content creator partnerships collapsed. Linus Media Group, which had featured approximately 160 sponsored Honey segments garnering 194 million views, terminated their relationship with the extension. Matt Mullenweg, founder of WordPress, publicly characterised Honey's behavior as “particularly egregious.”
On December 29, 2024, less than a week after the MegaLag investigation, a class action lawsuit was filed against PayPal in federal court. The complaint, brought by content creators including Wendover Productions and represented by multiple law firms including one operated by YouTuber LegalEagle, alleged intentional interference with contractual relations, unjust enrichment, and violation of California's Unfair Competition Law.
A second lawsuit followed on January 3, 2025, filed by GamersNexus through Cotchett, Pitre & McCarthy.
PayPal's defense centered on several arguments: that last-click attribution is simply how affiliate marketing works, that users authorised Honey's data access when installing the extension, and that merchants control commission allocation through their own agreements.
In November 2025, PayPal successfully moved to dismiss the complaint, though the judge granted plaintiffs 45 days to amend their filing. The court found that plaintiffs failed to adequately demonstrate they were entitled to the disputed commissions under their merchant contracts.
In January 2026, plaintiffs filed a Second Amended Consolidated Class Action Complaint with significantly more detail, including specific merchant contract language and documented test purchases showing commission diversion. The case continues in federal court.
The controversy prompted regulatory and industry action beyond the courtroom:
Google Policy Changes: In March 2025, Google updated Chrome Web Store policies to explicitly prohibit extensions from claiming affiliate commissions without providing discounts. This policy change directly addressed the practices alleged in the Honey investigation.
Network Action: In January 2026, Rakuten Advertising removed Honey from its affiliate network, becoming the first major network to take such action.
PayPal Acknowledgment: On January 12, 2026, PayPal acknowledged the existence of the controversial code and announced it had been disabled.
Extension Modifications: Honey modified its extension to stop claiming affiliate revenue in cases where no discount was provided, aligning with Google's updated policies.
The Honey case differs from the eBay prosecutions in important ways. Rather than individual bad actors exploiting a merchant's affiliate program, this involves a corporate subsidiary of a public company allegedly building commission diversion into its core product. The outcome will likely shape how the industry treats browser extensions and similar technologies for years to come.
Despite federal prosecutions and millions in settlements, cookie stuffing remains an active threat. Research suggests cookie stuffing schemes affect between 5% and 10% of all affiliate marketing transactions. Several factors explain its persistence:
Low Barrier to Entry: The technical skills required for basic cookie stuffing are minimal. Embedding a hidden image or iframe requires only basic HTML knowledge.
Detection Challenges: Sophisticated cookie stuffers use referrer obfuscation, geographic filtering, and frequency capping to make their traffic appear legitimate. Attribution hijacking often goes undetected until significant damage has occurred.
Last-Click Attribution Vulnerability: The industry's widespread reliance on last-click attribution creates systematic vulnerability. Whoever sets the final cookie before purchase receives credit, regardless of who actually influenced the sale.
Enforcement Inconsistency: While the eBay cases resulted in criminal convictions, most cookie stuffing incidents result only in affiliate termination or civil disputes. The expected cost of getting caught often remains lower than the potential profit.
Browser Extension Vector: Users voluntarily installing extensions that engage in cookie stuffing complicates enforcement. The extensions can claim users consented to their behavior through terms of service, even if users didn't understand what they were agreeing to.
For affiliate program managers, protection requires layered defenses. Here are practical measures drawn from industry best practices:
Monitor for Anomalies: Watch for affiliates with unusually high conversion rates combined with low click volumes. Cookie stuffing generates sales without proportional traffic.
Shorten Cookie Windows: While cookie duration involves legitimate business tradeoffs, shorter windows reduce the opportunity for stuffed cookies to generate fraudulent commissions.
Implement Click Validation: Require demonstrable user interaction before setting affiliate cookies. If there's no click, there should be no cookie.
Use Server-to-Server Tracking: Processing attribution data server-side makes manipulation more difficult than client-side cookie tracking.
Audit Traffic Sources: Require affiliates to disclose their traffic sources and promotional methods. Investigate affiliates who cannot or will not explain how they generate conversions.
Vet Browser Extensions: If your program includes browser extension affiliates, understand exactly how they interact with your checkout process. Request technical documentation and test their behavior yourself.
Build Direct Relationships: Affiliates with whom you have direct relationships and clear communication are less likely to engage in fraud than anonymous network participants. Strong partnerships create mutual accountability.
Cookie stuffing has evolved significantly since the early days of hidden pixels on forum posts. Today's threats involve sophisticated browser extensions, malware distribution, and corporate-scale operations. But the fundamental fraud remains unchanged: claiming credit for sales you didn't generate.
The eBay prosecutions established that cookie stuffing can be a federal crime. The PayPal Honey controversy demonstrates that even mainstream, widely-used products can allegedly engage in these practices. For affiliate marketers, the lesson is clear: understanding cookie stuffing isn't optional. It's essential for protecting your commissions, your program, and your merchants' trust.
As the industry moves toward more sophisticated fraud detection and tracking methodologies, cookie stuffing will likely continue adapting. The affiliates and program managers who stay informed about these techniques will be best positioned to identify fraud, protect legitimate earnings, and maintain the integrity that makes performance marketing valuable.