WordPress Plugins
GuardPress ForgeCache SiteVault SiteVault Lite SEObolt Royal Links Royal Affiliates FormForge Royal MCP Royal SMTP RoyalComply Royal Access Royal Ledger
Free Tools
SERP Preview Schema Validator Meta Tag Checker SSL Checker HTTP Headers Site Scanner Plugin Scanner Royal Links (Chrome) Royal Access (Chrome)
Pricing Blog Case Studies Switch to Royal Plugin Graveyard Support My Account Cart
Affiliate

Coupon-Code Hijacking: The Affiliate Attribution War That Just Hit Court

The Honey lawsuit, Selective StandDown, and the moment last-click attribution became case law.

By Jameson · May 1, 2026 · 8 min read
Coupon code hijacking and affiliate attribution lawsuit

On December 21, 2024, MegaLag published a 23-minute investigation into PayPal-owned Honey, alleging the browser extension swaps creator affiliate cookies for its own at checkout. Eight days later, three law firms filed a class action in the Northern District of California. By January 2025, Honey's Chrome user count fell from 20 million to 17 million. By January 12, 2026, PayPal acknowledged a hidden “Selective StandDown” mechanism in Honey's code and announced it had been disabled. The lawsuit, now consolidated as In re PayPal Honey Browser Extension Litigation (5:24-cv-09470), is alive in court with a 101-page amended complaint filed January 5, 2026. This is the moment last-click attribution stopped being theoretical and became case law.

If you run a WordPress affiliate program, this is not a story about creators. It is a story about the attribution mechanism your plugin uses to decide who gets paid.

How Coupon Extensions Hijack Last-Click Attribution

Most affiliate programs run on last-click attribution. A creator publishes a tracking link. A reader clicks it, lands on the merchant, and a cookie is set in their browser. If the reader buys within the cookie window (commonly 1 to 30 days), the merchant credits the creator.

Coupon browser extensions exploit one detail of that model. When the reader reaches checkout, the extension pops open to "find a coupon." That popup is a click. Plaintiffs in the Honey case allege that click triggers a server-side action that overwrites the creator's tracking cookie with the extension's own affiliate cookie, even when no valid coupon is found and no discount is applied. Last-click rules then award the commission to the extension, not the creator who drove the sale.

The technical term for this is cookie stuffing. The legal complaint calls it intentional interference with contractual relations, unjust enrichment, and conversion under California law.

The Honey Cookie Gate

Honey ran on Chrome with roughly 20 million active users heading into late 2024. Big-name creators including MrBeast, Marques Brownlee, and Emma Chamberlain had endorsed the extension as a money-saver. MegaLag's December 21 video reframed the relationship: the creators promoting Honey, plaintiffs allege, were the same creators whose affiliate commissions Honey was redirecting.

On December 29, 2024, Wendover Productions, Ali Spagnola, and Devin Stone (LegalEagle) filed Wendover Productions v. PayPal in the Northern District of California. The complaint alleges intentional interference with contractual and prospective economic relations, unjust enrichment, conversion, and violations of California's Unfair Competition Law.

On November 21, 2025, Judge Beth Labson Freeman dismissed the consolidated case without prejudice. The court ruled that the plaintiffs had not sufficiently shown they were entitled to the disputed commissions under the actual merchant agreements at issue. The judge gave 45 days to amend.

On January 5, 2026, plaintiffs filed a 101-page Second Amended Consolidated Class Action Complaint with ten named plaintiffs and attached real affiliate contracts, including agreements with merchants like Bergdorf Goodman that document specific commission percentages and "qualifying link" definitions Honey allegedly violated. The case is alive.

Selective StandDown: The Detail That Changed the Story

The most damning part of MegaLag's follow-up reporting is a system internally referred to as "SSD" or Selective StandDown. According to digital-forensics analysis cited in the videos and PPC.land reporting, Honey's code allegedly profiled each user before deciding whether to swap cookies.

The profile factors plaintiffs and researchers describe:

  1. Whether the user was logged into affiliate-network sites (a tester signal).
  2. Browser cookies indicating compliance-testing setups.
  3. Email addresses containing "test."
  4. Account age (new accounts flagged as likely testers).
  5. Cashback point balance in the user's Honey account.

If the profile suggested a compliance tester, Honey allegedly stood down. If the profile suggested a regular shopper, the cookie swap proceeded. The point threshold required to trigger the swap allegedly rose from around 501 points in 2022 to over 65,000 points by 2024, making the behavior nearly invisible to casual auditors. The earliest version of the SSD code is documented in archive analysis as far back as Honey 10.5.2 in October 2017.

The mechanism was reportedly stored on cloud-hosted configuration files refreshed hourly. That meant Honey could change attribution behavior across 14 million users without shipping an extension update or notifying affiliate networks.

PayPal acknowledged the SSD code on January 12, 2026, and announced it had been disabled.

It's Not Just Honey

Coupon-extension cases now name a wider field. Capital One Financial faces separate litigation over its Capital One Shopping extension, formerly Wikibuy, which plaintiffs allege simulates artificial referral clicks to inject its cookie even when users have not interacted with a coupon prompt. Microsoft quietly retired its built-in Edge coupon feature on May 31, 2025, amid the wave of legal pressure.

Other extensions named in active investigations or plaintiff filings include Rakuten, RetailMeNot, Karma, Piggy, Ibotta, Cently, Drop, SlickDeals, Avast Safe Price, Coupert, Earny, BeFrugal, PriceBlink, Invisible Hand, Swagbucks, and Coupon Cabin. The legal theory is the same across cases. The technical mechanism varies.

What Affiliate Networks Did About It

Two of the largest affiliate networks moved without waiting for court rulings. Awin publicly confirmed Honey had violated affiliate policies and suspended payments. Impact.com kicked Honey off its network entirely, citing the SSD evidence.

Removing an extension with 17 million users from a major network is unusual. Networks profit from gross merchandise volume, including Honey's. The decision suggests the documented behavior was severe enough that the long-term cost of association exceeded short-term commission revenue.

What This Means for WordPress Affiliate Programs

If you run an affiliate program on WordPress, three things change.

Last-click is no longer a defensible default. Programs running cookie-only, last-click attribution accept whatever the reader's browser environment decides. A coupon extension installed in that browser can rewrite the answer at checkout. No plugin setting prevents this if the entire stack is cookie-and-last-click.

Coupon-code attribution becomes a primary signal, not a backup. A unique coupon code published by a creator survives any browser extension. The extension cannot rewrite a discount code already entered into the cart. Programs that resolve attribution by code first, cookie second, behave correctly even when extensions intervene.

Priority-resolution rules matter more than tracking layers. When two attribution signals disagree (creator's URL parameter says "Sam," Honey's cookie says "Honey"), the program needs an explicit rule. Most plugins default to the last cookie wins. That rule is exactly what the lawsuits target.

Royal Affiliate Pro ships a 7-level priority resolution system that lets program operators define which signal beats which when conflicts occur. Coupon attribution, URL parameter capture, and HTTP Referer are first-class tracking layers, not fallbacks. Self-referral blocking, IP-based fraud detection, and proxy detection are bundled in the fraud suite. The architecture treats cookies as one signal among several, not the only signal.

The case for that architecture used to be theoretical. After January 12, 2026, it is not.

What To Do This Week

If you operate an affiliate program:

  1. Audit your attribution stack. Does your plugin resolve coupon code first, cookie second? If not, that is the rule to change.
  2. Issue unique coupon codes to your top creators. Even a 5% promo code is a parallel attribution signal that survives extensions.
  3. Review your priority resolution rules. The phrase "last cookie wins" is the line in the sand the Honey case is testing.
  4. Track conversions by attribution source. If "direct browser extension" suddenly dominates a creator's segment, you have a hijack signal worth investigating.

If you are an affiliate:

  1. Ask programs you work with how they handle coupon-extension conflicts. The answers reveal who is paying attention.
  2. Use unique codes in addition to tracking links wherever the program supports it.
  3. Test your attribution. Buy through your own link with Honey, Karma, and Capital One Shopping installed. Watch which credit lands.

Sources

  • MegaLag, "Exposing the Honey Influencer Scam" (December 21, 2024)
  • In re PayPal Honey Browser Extension Litigation, 5:24-cv-09470 (N.D. Cal.)
  • Second Amended Consolidated Class Action Complaint (January 5, 2026)
  • Cohen Milstein case file: PayPal Honey Browser Extension Litigation
  • Ben Edelman, "Honey's Dieselgate: Detecting and Tricking Testers"
  • Awin policy statement on Honey
  • Impact.com network removal announcement
  • PPC.land reporting on SSD mechanism
FAQ

Frequently Asked Questions

Is the Honey lawsuit settled?

No. The case was dismissed without prejudice on November 21, 2025, then refiled with a Second Amended Complaint on January 5, 2026. It remains active in the Northern District of California as of May 2026.

Did PayPal admit to the SSD mechanism?

PayPal acknowledged the code existed and announced on January 12, 2026, that it had been disabled. PayPal disputes the legal characterization of the mechanism.

Are coupon extensions illegal in the US?

The mechanism is the subject of active civil litigation. Courts have not ruled on the underlying conduct. Conduct that violates a specific affiliate-network agreement can result in network removal regardless of legal status, which is what Awin and Impact.com cited.

Does Royal Affiliate Pro stop coupon-extension hijacking?

Royal Affiliate Pro's 7-level priority resolution lets operators rank coupon-code attribution above last-cookie, which is the configuration that defeats the documented Honey mechanism. No plugin can prevent an extension from setting a cookie in the user's browser; what plugins can do is decide which signal counts.

Will affiliate marketing collapse if coupon extensions keep doing this?

No. The likely outcomes are a shift toward coupon-code attribution as the primary signal, network-level enforcement against extensions that cookie-stuff, and platform changes from Chrome and Edge that gate extension cookie behavior. Programs that adapt early will absorb the share that hijacked extensions lose.

Keep Reading

Related Articles

Affiliate

AI Agents Are About to Break Affiliate Links. Here's What's Coming.

Cookies, pixels, and Referer headers all fail when an agent buys for you. Two attribution methods survive.

By Jameson
 Affiliate

GA4 Quietly Broke Your Affiliate Tracking. Here's the 7-Point Audit.

Why GA4 underreports affiliate revenue by 50% and the seven settings that fix it.

By Jameson
 SEO

llms.txt: Control How AI Crawlers See Your Site

The new standard for telling AI crawlers what to index and what to skip.

By Jameson

Run an Affiliate Program That Survives Extensions

Royal Affiliate Pro's 7-level priority resolution lets you rank coupon-code attribution above last-cookie. Self-referral blocking, IP rate limiting, and proxy detection ship with the fraud suite.

GET ROYAL AFFILIATE PRO