Honey Extension Is a Giant Scam

 

Everyone enjoys saving money while shopping, especially with free apps that find the best online deals. However, no one likes discovering that a money-saving tool is secretly taking more than it saves. A popular YouTube creator claims PayPal's browser extension, Honey, has been doing just that.

Honey gained millions of users by offering free coupon codes and cashback rewards across 30,000 retailers, making it a favorite among influencers like Mr. Beast and MKBHD, who have promoted it under sponsorships. But New Zealand-based tech investigator MegaLag alleges that "Honey is a scam" and possibly the biggest influencer scam ever.



How Last-Click Attribution Works and Honey’s Problematic Approach

Affiliate marketing allows influencers and businesses to earn commissions when users purchase products through their affiliate links. When a user clicks such a link, a cookie tracks the referral and ensures the commission goes to the rightful source based on the last-click rule.

MegaLag discovered that Honey interferes by deleting these affiliate cookies and replacing them with its own. As a result, influencers promoting the products lose their commissions, while Honey takes credit for the sale and keeps the earnings.

Simulations revealed that Honey deletes and replaces affiliate cookies to claim last-click attribution and pocket commissions.

My Findings: Honey’s Cookie Manipulation & Disruptive Practices

MegaLag provided strong evidence that Honey deletes and replaces ‘last click’ cookies, opens new tabs or pop-ups redirecting to its referral links, and disrupts influencer commissions.

In my independent investigation, I confirmed these findings: Honey alters cookies and overrides referral or affiliate links, especially during checkout simulations. Additionally, I uncovered other unethical practices by Honey that verge on fraudulent behavior.

[Screenshot: Honey offers invalid codes on Amazon pages.]

Chaotic Interactions with Honey
Unlike the structured demonstration in MegaLag’s video, my experience with Honey was disorganized and intrusive.

During testing, Honey frequently opened tabs, changed its icon colors, and sent constant notifications—behaving more like adware than a helpful extension. It repeatedly bombarded me with alerts about coupons, cash rewards, and "better deals," even when no such offers existed.

Honey also runs persistently in the background and often takes over during checkout. Clicking “Add to Cart” or “Complete Checkout” triggered an onslaught of pop-ups and full-page takeovers, claiming to secure rewards while dominating the entire browsing experience.


Cookies

Honey’s Stealthy Tab Redirects
I confirmed that Honey manipulates last-click attribution by opening new tabs with redirect links.

For example, while shopping on https://us-store.msi.com, Honey automatically opened a new tab containing a redirect link. The redirect lasted only a second and pointed to:

The link includes a unique identifier tied to an affiliate program. After the redirect, the shopping site reappeared, now with a new unique identifier in place. This process alters cookies and ensures Honey claims the referral.
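
The last-click rule and the tab-redirect overwrite described above can be checked against a browser event log. The following is an added example, not code from the original post or from Honey; the event format, the cookie name `aff_id`, the domains and all values are constructed for illustration.

```javascript
// Constructed event log (not captured traffic): a creator link is clicked,
// then an unrequested tab rewrites the affiliate cookie before purchase.
const events = [
  { t: 1000, type: "navigation", tabId: 1, userInitiated: true, url: "https://shop.example/?aff_id=creator-123" },
  { t: 1010, type: "cookie_set", tabId: 1, domain: "shop.example", name: "aff_id", value: "creator-123" },
  { t: 5000, type: "navigation", tabId: 1, userInitiated: true, url: "https://shop.example/checkout" },
  { t: 5200, type: "tab_opened", tabId: 2, userInitiated: false, url: "https://redirect.example/r?aff_id=extension-999" },
  { t: 5900, type: "cookie_set", tabId: 2, domain: "shop.example", name: "aff_id", value: "extension-999" },
  { t: 6100, type: "tab_closed", tabId: 2 },
  { t: 9000, type: "purchase", domain: "shop.example" },
];

// Replays the log under the last-click rule and reports (a) affiliate-cookie
// overwrites made from tabs the user did not navigate and (b) who gets credit.
function auditAttribution(log, cookieName) {
  const userTabs = new Set();   // tabs whose latest navigation was user-initiated
  const current = new Map();    // domain -> affiliate value the shop will credit
  const lastUser = new Map();   // domain -> value set by the user's own last click
  const overwrites = [];
  const purchases = [];
  for (const e of [...log].sort((a, b) => a.t - b.t)) {
    if (e.type === "navigation" || e.type === "tab_opened") {
      if (e.userInitiated) userTabs.add(e.tabId);
      else userTabs.delete(e.tabId);
    } else if (e.type === "cookie_set" && e.name === cookieName) {
      const prev = current.get(e.domain);
      const byUser = userTabs.has(e.tabId);
      // A user clicking a second affiliate link is a legitimate last click;
      // only a change coming from a non-user tab is reported.
      if (prev !== undefined && prev !== e.value && !byUser) {
        overwrites.push({ t: e.t, domain: e.domain, from: prev, to: e.value, tabId: e.tabId });
      }
      current.set(e.domain, e.value);
      if (byUser) lastUser.set(e.domain, e.value);
    } else if (e.type === "purchase") {
      const credited = current.get(e.domain) ?? null;
      const lastUserClick = lastUser.get(e.domain) ?? null;
      purchases.push({ t: e.t, domain: e.domain, credited, lastUserClick, diverted: credited !== lastUserClick });
    }
  }
  return { overwrites, purchases };
}

console.log(JSON.stringify(auditAttribution(events, "aff_id"), null, 2));
```

A purchase marked `diverted` is one where the affiliate credited at checkout differs from the link the user last clicked themselves.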


[Screenshot: Honey opens a new tab and pushes another notification.]

Honey’s Questionable Tactics
Opening unrequested tabs with redirect links is a tactic often linked to cybercriminal activity.

Honey clearly positions itself between influencers, businesses, and consumers, exploiting its role to manipulate last-click attribution. This behavior is so blatant that even non-tech-savvy users might sense something is wrong.

The extension’s lack of transparency and its deceptive manipulation of cookie data raise serious concerns about its ethical practices.

The Impact: Accountability and Ethics
PayPal’s $4 billion acquisition of Honey highlights the extension’s significant role in e-commerce. Honey boasts over 17 million users across platforms like Windows, Mac, iOS, and Android, and operates seamlessly on browsers including Chrome, Safari, Firefox, Opera, and Edge, with a quick and accessible installation process.

However, allegations of cookie abuse, affiliate link manipulation, and stealing commissions from users and influencers pose serious concerns. These practices align with the definition of fraud as “wrongful or criminal deception for financial gain,” placing Honey and PayPal under scrutiny. This investigation raises critical questions about PayPal’s accountability in enabling such behavior.

My Take on This Research
As a cybersecurity researcher, I’ve encountered numerous instances of adware and browser-based malware. However, this is the first time I’ve found software from a major company like PayPal exhibiting behaviors eerily similar to malware.

Honey is intentionally coded to disrupt online shopping, particularly at checkout, by replacing original referral links with its own affiliate ID—behavior far from industry standards.

The core problem lies in its lack of transparency. If users were informed of its intent to redirect and earn commissions, they could make informed choices. From a technical standpoint, Honey’s actions—manipulating browser data and positioning itself as an intermediary—can be seen as a privacy invasion akin to hacking.

