By Affiverse

MegaLag & Honey Saga Update: Detection, Evasion, Testing Manipulation Claims Spotlight in Latest Video

January 6, 2026 Featured Story, Industry News

YouTuber MegaLag released a third investigative video on 30 December expanding on previous allegations against PayPal Honey with technical evidence suggesting the browser extension was engineered to detect compliance testing. Working alongside security researcher Ben Edelman, the investigation documented what Edelman termed a “selective standdown” system: software allegedly designed to behave differently when it suspected an industry insider was monitoring or testing for rule violations.


The technical findings centre on user profiling mechanisms that assessed whether someone represented a legitimate shopper or an affiliate industry tester. According to the research, when Honey determined a user might be conducting compliance checks, the system honoured standdown rules protecting earlier affiliate referrers. When the extension assessed the user as a regular shopper, it allegedly disregarded those same protections. Edelman compared the approach to Volkswagen's “Dieselgate” scandal, where vehicles detected emissions testing and temporarily reduced pollution output.


How the Alleged Detection System Operated


Edelman extracted source code from Honey's browser plugin and collected configuration files through packet sniffing, comparing findings against historical versions archived from October 2017. The research documented that Honey maintained configuration files setting thresholds for when the extension would respect standdown protocols. Following MegaLag's initial December 2024 investigation, these thresholds allegedly increased to 65,000 cashback points under base rules. However, researchers identified that Rakuten-specific rules requiring only 5,000 points remained in the system, an oversight enabling demonstration of the architecture's continued operation.


The investigation claims the system incorporated server-side controls allowing instant global deactivation without users or networks detecting changes through normal extension monitoring. This raises questions similar to those explored in our previous coverage of how browser extensions could be enabling widespread affiliate commission theft, where tracking manipulation occurs beyond the visibility of standard compliance monitoring.


Industry Standdown Standards Could Come Under More Scrutiny


Standdown protocols represent industry standards protecting affiliates who introduce customers earlier in the conversion journey. When browser extensions or cashback tools ultimately convert sales, standdown rules ensure original referring affiliates receive appropriate attribution credit rather than having cookies overwritten by last-click partners who provided no genuine influence.


UK cashback and loyalty publishers recently gained clarity on cookie classification following ICO guidance confirming that cookies used to reward customers qualify as strictly necessary, exempting them from consent requirements. This development, detailed in the APMA's industry response, provides legitimate cashback providers with clearer operational frameworks while highlighting the importance of distinguishing between compliant reward mechanisms and extensions that manipulate attribution without providing genuine value.


The Affiliate and Partner Marketing Association conducted an independent audit examining ten UK affiliate networks and platforms. Attribution rules prioritising earlier affiliate contributions activated for 80 percent of test scenarios, demonstrating industry implementation of protective measures. However, the findings noted variation in how technology functioned across different browsers and advertiser configurations. As detailed in the analysis of navigating the future of affiliate tracking, these inconsistencies create vulnerabilities sophisticated actors could potentially exploit.


APMA research produced seven recommendations including mandatory standdown for cashback and loyalty extensions, stronger prevention of manual reactivation undermining attribution logic, and industry-wide standardisation of tagging conventions. The association emphasised that subnetworks allowing affiliates to operate outside attribution safeguards represented risks requiring greater visibility.


What This Means for Program Verification


Affiliate program managers face immediate verification priorities. Networks implementing standdown and soft-click protocols require confirmation that protections function consistently across all browser types and affiliate categories. Managers cannot assume network rules operate uniformly without direct testing across multiple scenarios, a reality underscored by these latest allegations.


Examining conversion paths for patterns indicating checkout-level intervention helps identify where extensions override legitimate affiliate attribution. As we explored in our guide to attribution hijacking, tools providing visibility into complete pre-conversion and post-conversion click sequences reveal instances where tracking manipulations occur. Regular audits comparing expected attribution patterns against actual commission distributions highlight discrepancies requiring investigation.
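One way to run the conversion-path audit described above, as an added example that is not from MegaLag, Edelman or any network's tooling. The record layout, partner names, 10-minute checkout window and 30-day lookback are assumptions for illustration, and the sample conversions are constructed.

```python
from datetime import datetime, timedelta

# Assumed thresholds for this sketch; tune them to the programme's own rules.
CHECKOUT_WINDOW = timedelta(minutes=10)  # a click this close to the sale is checkout-level
LOOKBACK = timedelta(days=30)            # attribution window for the earlier referrer

# Constructed sample data: one record per conversion with its click path.
CONVERSIONS = [
    {"order": "A100", "converted": "2026-01-02T10:30:00", "credited": "cashback_ext",
     "clicks": [("2026-01-01T09:00:00", "review_blog", "content"),
                ("2026-01-02T10:27:00", "cashback_ext", "extension")]},
    {"order": "A101", "converted": "2026-01-02T11:00:00", "credited": "cashback_ext",
     "clicks": [("2026-01-02T10:58:00", "cashback_ext", "extension")]},
    {"order": "A102", "converted": "2026-01-03T15:00:00", "credited": "review_blog",
     "clicks": [("2026-01-03T14:00:00", "review_blog", "content"),
                ("2026-01-03T14:58:00", "cashback_ext", "extension")]},
    {"order": "A103", "converted": "2026-01-04T12:00:00", "credited": "cashback_ext",
     "clicks": [("2025-11-01T08:00:00", "deal_site", "content"),
                ("2026-01-04T11:55:00", "cashback_ext", "extension")]},
]

def audit(conversions):
    """Return (order, credited partner, displaced partner) for suspect conversions."""
    flagged = []
    for conv in conversions:
        sold = datetime.fromisoformat(conv["converted"])
        clicks = sorted((datetime.fromisoformat(ts), pid, kind) for ts, pid, kind in conv["clicks"])
        # The click that earned the commission: last click by the credited partner before the sale.
        winner = next((c for c in reversed(clicks) if c[1] == conv["credited"] and c[0] <= sold), None)
        if winner is None or winner[2] != "extension" or sold - winner[0] > CHECKOUT_WINDOW:
            continue
        # An earlier, still-valid click from another non-extension partner should have triggered standdown.
        earlier = [c for c in clicks
                   if c[0] < winner[0] and c[1] != winner[1]
                   and c[2] != "extension" and sold - c[0] <= LOOKBACK]
        if earlier:
            flagged.append((conv["order"], winner[1], earlier[-1][1]))
    return flagged

def displacement_rate(conversions, partner):
    """Share of a partner's credited conversions that displaced an earlier referrer."""
    credited = [c for c in conversions if c["credited"] == partner]
    hits = [f for f in audit(conversions) if f[1] == partner]
    return len(hits) / len(credited) if credited else 0.0

if __name__ == "__main__":
    for order, ext, displaced in audit(CONVERSIONS):
        print(f"{order}: {ext} credited at checkout, earlier referrer {displaced} displaced")
```

A flagged order is a lead for manual review, not proof of a violation; the displacement rate per partner shows whether the pattern is isolated or routine.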


Programs operating through subnetworks need explicit verification that attribution safeguards apply uniformly. Subnetwork transparency regarding soft-click implementation enables informed decisions about partnership continuation. Understanding the full path to conversion becomes critical for identifying fraudulent activity before it drains program budgets.


Server-to-server tracking provides the strongest protection against browser-based attribution manipulation. Networks have been actively encouraging brands to migrate to S2S tracking for enhanced fraud prevention and cleaner attribution data. For programs unable to implement S2S immediately, first-party cookie strategies offer interim protection while migration plans develop. Affiliate link tracking software now incorporates these privacy-first approaches as standard functionality.


Broader Investigation Continues


MegaLag indicated that additional content addressing broader industry implications remains forthcoming. The current investigation focuses specifically on technical mechanisms allegedly enabling detection evasion, with the creator promising further analysis of systematic practices affecting affiliate marketing attribution.


The research collaboration between MegaLag and Edelman represents independent verification through multiple methodologies. Edelman confirmed findings from first principles, adding his own analysis and cross-checking with historical observation records. This technical documentation provides reference material for legal proceedings and regulatory reviews evaluating the allegations, building on earlier developments covered in our analysis of Honey investigation deepening to reveal new browser extension risks.


As we reported in our recent coverage of the earlier video referencing cookie hijacking, the broader legal and regulatory response will determine whether technical documentation substantiates claims of systematic rule circumvention.


The Takeaways for Program Managers


It’s important to check and verify that standdown and soft-click implementations function consistently across all scenarios in your program rather than assuming network protections operate uniformly. Read the documentation from the browser extension you’re working with and the platform you’re integrated with. Testing protocols should include scenarios mimicking both regular users and industry testers to confirm consistent behaviour regardless of perceived user type.


Server-to-server tracking migration provides the strongest protection against browser-based attribution manipulation. Programs unable to implement S2S immediately should prioritise first-party cookie strategies while developing migration plans.


Regular audits examining conversion paths, attribution patterns and partner behaviour identify potential manipulation before it impacts program economics. Enhanced tracking visualisation revealing complete customer journeys enables managers to distinguish between legitimate affiliate contribution and checkout-level attribution hijacking providing no genuine value.