Your affiliate program shows impressive numbers. Clicks are rolling in, conversions look healthy, and commissions are being paid out. But here is the uncomfortable truth: a portion of those commissions might be going to fraudsters who never drove a single legitimate customer to your store.
Cookie stuffing is one of the oldest and most damaging forms of affiliate fraud, and it is making headlines again. According to Juniper Research, $84 billion was lost to ad fraud in 2023, with affiliate fraud accounting for a significant share. For eCommerce brands running CPA campaigns, cookie stuffing can silently drain 15% to 25% of your affiliate budget without delivering any real value.
Not sure if cookie stuffing is affecting your campaigns? Send us an export of your click and conversion data, and our team will provide a free audit of your affiliate traffic. No strings attached. Request your free audit here.
What Is Cookie Stuffing?
Cookie stuffing (also called cookie dropping) is an affiliate fraud technique where tracking cookies are placed on users’ browsers without their knowledge or consent. This allows fraudsters to claim commissions on purchases they did not influence, essentially stealing attribution from organic traffic or legitimate affiliates.
The fraud exploits a fundamental principle in affiliate marketing: last-click attribution. When a customer makes a purchase, the affiliate whose tracking cookie was most recently placed on that browser gets credit for the sale. Cookie stuffing abuses this system by secretly planting cookies on thousands of browsers, hoping that some of those users will eventually make a purchase.
Think of it this way: a fraudulent affiliate drops cookies on 100,000 browsers. If just 0.5% of those users happen to buy something from one of the affiliate programs within the cookie window, the fraudster earns commissions on 500 sales they had nothing to do with. The real source of those customers, whether organic search, paid ads, or legitimate affiliates, gets nothing.
The Honey Scandal: Cookie Stuffing Makes Headlines
In December 2024, YouTuber MegaLag released an investigation exposing how PayPal’s Honey browser extension was manipulating affiliate attribution. The allegations? Honey was replacing content creators’ affiliate tracking cookies with its own at checkout, effectively hijacking commissions even when it provided no discount codes.
The fallout was immediate. According to reports tracking the controversy, Honey lost over 6 million users within months, dropping from 20 million to 14 million Chrome users by July 2025. A class action lawsuit was filed on December 29, 2024, seeking over $5 million in damages. By March 2025, Google updated its Chrome Web Store policies to explicitly ban extensions from claiming affiliate commissions without providing actual discounts.
The Honey case demonstrates that cookie stuffing is not limited to shady underground affiliates. Even a browser extension acquired by PayPal for $4 billion was accused of these practices. If it can happen at that scale, it is almost certainly happening in your affiliate program.
Which Brands Are Most at Risk?
Cookie stuffing disproportionately affects large eCommerce brands and established affiliate programs. Why? Because the math works better for fraudsters when commission payouts are higher.
If you are paying $50 per acquisition for a premium product, you become a much more attractive target than a brand paying $2 per lead. Fraudsters focus their efforts where the return is highest. Industries particularly vulnerable include fashion and apparel, electronics, travel booking, financial services, and subscription boxes.
Research suggests that nearly 40% of affiliate marketing traffic may be fraudulent. For brands spending six or seven figures annually on affiliate commissions, even a 10% fraud rate represents a massive leak in the budget.
How Cookie Stuffing Works: The Technical Methods
Fraudsters use several techniques to plant cookies without user awareness:
- Hidden iFrames: Invisible 1×1 pixel frames that load affiliate URLs in the background when a user visits an unrelated website.
- JavaScript injection: Scripts embedded in websites or browser extensions that fire affiliate cookies silently during page load.
- Browser extensions: Tools like coupon finders that intercept the checkout process to inject their own tracking cookies, overwriting existing attribution.
- Image pixel stuffing: Affiliate URLs disguised as image requests, loaded invisibly when pages render.
- Pop-unders and tab-nabbing: Opening hidden browser windows that load affiliate links without the user noticing.
The common thread is that the user never intentionally clicks an affiliate link. They browse normally, unaware that cookies are being dropped. Days or weeks later, when they make a purchase, the fraudulent affiliate claims credit.
How to Detect Cookie Stuffing in Your Affiliate Program
Cookie stuffing leaves patterns in your data. Here are the red flags your team should monitor:
- Abnormally long click-to-conversion times: If clicks are registered days or weeks before the actual purchase, with no site engagement in between, that is a warning sign.
- Low conversion rates with high click volume: An affiliate generating thousands of clicks but converting at 0.1% while your average is 3% needs investigation.
- Geographic mismatches: Clicks originating from one country but conversions happening in another suggest something is wrong with the attribution chain.
- Suspicious timing patterns: Clicks clustered at specific intervals or during unusual hours often indicate automated cookie dropping.
- Session misalignment: A cookie was placed, but analytics show no corresponding site visit or page views from that user at that time.
The challenge is that manual detection requires constant monitoring across potentially thousands of affiliates. By the time you identify a bad actor, they may have already collected months of fraudulent commissions.
How to Stop Cookie Stuffing
You have two approaches: manual review or automated prevention.
Manual review involves regularly auditing your affiliate traffic, analyzing conversion paths, and investigating anomalies. This works for small programs but becomes impossible at scale. It is also reactive, meaning you catch fraud after the damage is done.
Automated prevention screens traffic in real time at both the click and conversion level. This is where specialized affiliate fraud detection becomes essential.
At 24metrics, our platform includes specific filters designed to catch cookie stuffing patterns. The Click Flooding Protection Filter identifies abnormal click volumes from single sources. The Click Spam Filter detects automated clicking patterns and timing anomalies that indicate cookie dropping activity.
Critically, any effective solution must support blocking postbacks to your affiliate network or tracking platform. When fraud is detected, you need the ability to automatically prevent commission payouts to the fraudulent affiliate. Without this capability, detection alone does not protect your budget.
Our click fraud detection and AdSecurity platform provide real-time screening with transparent rejection reasons, so you can see exactly why traffic was flagged and share that data with your partners.
Protect Your Affiliate Program Today
Cookie stuffing is theft. It steals commissions from legitimate affiliates, drains your marketing budget, and distorts your attribution data. The Honey scandal proved that this is not just a problem with underground fraudsters. It happens at every level of the industry.
If you are running an eCommerce affiliate program with meaningful spend, you are a target. The question is whether you are detecting it.
