A new investigation by YouTuber MegaLag alleges that Honey, the popular coupon extension acquired by PayPal for $4 billion, engineered a sophisticated system to hijack affiliate commissions from content creators while hiding the practice from industry regulators.
MegaLag released the second part of his series on the company this week, presenting code analysis that suggests the software selectively overrides influencer tracking links.
The video features Ben Edelman, a Harvard-educated security researcher and former professor, who characterised the alleged behaviour as resembling wire fraud.
The controversy centres on a mechanism called Selective Stand Down, or SSD. In the affiliate marketing industry, a “stand down” policy requires coupon extensions to disable themselves if a user has already clicked a creator’s affiliate link. This ensures the creator, not the coupon tool, gets paid for the sale.
MegaLag claims Honey complies with this rule only when it detects that a user is likely a compliance tester.
The investigation suggests the extension analyses browser cookies, email addresses, and account age to profile the user. If the user appears to be a regulator, indicated by a new account or specific tracking cookies, Honey stands down and behaves correctly.
However, if the user appears to be a regular shopper with a history of activity, the investigation alleges that Honey ignores the creator’s link and injects its own tracking code. This action effectively claims the commission for the sale, diverting revenue from the influencer to Honey.
Edelman, who reviewed the findings, said the system is not random but designed to maximise revenue while minimising the risk of getting caught. He noted that while criminal charges for corporate misconduct are rare, the intentional falsification of results for professional testers could constitute wire fraud.
The investigation also challenges recent statements by Honey co-founder Ryan Hudson. Following previous accusations, Hudson denied that the company poached commissions. MegaLag’s new video argues that the SSD code dates back to 2017, years before PayPal acquired the company in 2020.
The report also highlights a quiet update to Honey’s internal rules following the initial public outcry. The extension reportedly increased the threshold for users to be considered “safe” to exploit, a move the investigator suggests was an attempt by PayPal to limit the scope of the alleged theft without removing the system entirely.
Honey, founded in 2012 by Ryan Hudson and George Ruan, was acquired by PayPal in 2020 for a record-breaking $4 billion. While Hudson has previously denied that Honey is a “scam” and insisted the company follows standard “last-click” attribution rules, he has yet to address the specific allegations regarding the unauthorised store database or the targeting of minors raised in this latest report.
