On December 21, 2024, a YouTuber who goes by MegaLag published a 23-minute video called "Exposing the Honey Influencer Scam." Within two weeks the PayPal-owned coupon extension had shed roughly 3 million of its 20 million users, lawsuits were stacking up in a California federal court, and a phrase that almost no shopper had ever heard, last-click attribution, was suddenly the center of the argument.
Here is the part most of the coverage missed. Honey did not invent a new way to cheat. It found a rule that the affiliate industry had been using for twenty years, understood exactly what that rule rewarded, and built a browser extension that collected the reward. The scandal is real. It is also a near-perfect case study in how a payout rule, left unexamined, quietly shapes the behavior of everyone downstream of it.
How a sale gets paid for
Affiliate marketing has one job: figure out who sent a buyer to a store, and pay that person. The plumbing for this has barely changed since the late 1990s. A creator posts a link. You click it. A small file called a cookie lands in your browser, stamped with the creator's affiliate ID and a clock. If you buy something from that store before the clock runs out, usually within 7 to 30 days, the store reads the cookie, sees the ID, and pays a commission.
The question that rule has to answer is what happens when more than one affiliate is involved. You might see a product in a YouTube review, then a week later read a comparison article, then click a deal-site link before you finally check out. Three affiliates, three cookies, one sale. Who gets paid?
The industry's answer, for almost its entire history, has been last click. Whichever affiliate cookie was written most recently before the purchase wins the entire commission. Not a split. Not a weighted share. The last cookie takes everything, and the other two get nothing.
Last click won because it is cheap and unambiguous. A merchant does not have to model a customer journey or argue about credit. It reads one cookie at checkout and pays one party. For a long time that simplicity looked like a feature.
The incentive nobody priced in
Read the rule again and the problem becomes obvious. If the last cookie before checkout takes the whole payout, then the most valuable real estate in the entire funnel is the checkout page itself. Not the review that convinced the buyer. Not the article that compared the options. The final moment, after the decision is already made, when one more cookie can be quietly written.
A rule that pays the last toucher creates a powerful reason to be the last toucher, regardless of whether you did anything to earn the sale. Economists call this a perverse incentive: the rule rewards a behavior that has nothing to do with the outcome the rule was meant to encourage. Last-click attribution was meant to pay the affiliate who drove the sale. What it actually pays is the affiliate who showed up last.
For most of affiliate history this stayed theoretical, because being last was hard. You would have to intercept millions of shoppers at the exact instant before they paid. Then browser extensions arrived, and being last got easy. An extension that sits in the browser is, by design, present on every page including the checkout page. It does not need to compete for the last click. It is already there.
What Honey allegedly did
Honey's pitch to shoppers was simple and genuinely useful: install the extension, and at checkout it scans for working discount codes so you do not have to. PayPal bought it for roughly 4 billion dollars in 2020. By late 2024 it had around 20 million users.
MegaLag's investigation, later corroborated in independent testing by Snopes, alleged a second thing happening at that same checkout moment. When a shopper clicked Honey's "find coupons" button, the extension allegedly injected its own affiliate link into the page. That injection wrote a fresh Honey cookie over whatever affiliate cookie was already there. The creator who actually sent the buyer was overwritten. Honey, now the last cookie, collected the commission.
This works only because of last-click attribution. The merchant's checkout reads the most recent cookie and pays it, exactly as designed. The merchant is not tricked in any technical sense. It follows its own rule and pays Honey. The creator never sees the sale they generated, often never learns it happened, and cannot tell the difference between a fan who did not buy and a fan whose credit was rerouted at the register. Snopes confirmed in repeated tests that using Honey changed the affiliate cookie so the commission flowed to PayPal. In one widely cited test, Honey claimed a 35 dollar commission on a sale while returning the shopper 89 cents in cash back.
Honey did this even when it found no working coupon at all. The "find coupons" click was enough to trigger the cookie swap, which is why critics described it as a form of cookie stuffing, the old affiliate fraud of dropping tracking cookies on people who never clicked a real link.
One further detail mattered. Security researcher Ben Edelman documented what he called a selective stand-down: Honey appeared to behave differently when it suspected an affiliate-industry insider was testing it. Edelman found the extension would honor stand-down rules in full when it detected a new account, a low-earning account, or cookies from network dashboards like Rakuten, CJ, or Awin, and dishonor those same rules for an ordinary shopper. After MegaLag's first video, the extension's stand-down behavior was reportedly reconfigured again, with the points threshold that governs the contested behavior raised to roughly 65,000. A stand-down rule is a voluntary pause. The industry had been relying on extensions to apply it honestly.
The industry reacted to the rule, not just the company
The fallout came fast, and the most telling part is what the affiliate networks said. Rakuten Advertising removed Honey from its network on January 12, 2026, the first major network to do so. Impact.com followed on January 17, stating that Honey had violated its universal stand-down requirements, the policies meant to stop exactly this kind of attribution interference. Awin confirmed Honey had breached its publisher policies and suspended payments.
Notice the framing. Networks did not say Honey hacked anything. They said Honey violated stand-down rules, the patches the industry had bolted on precisely because it knew last click was exploitable. The defenses already existed. They were just trust-based, and they assumed a large publisher would not push them.
Honey's user base kept falling through 2025, down to roughly 12 million Chrome users by year's end, an eight million drop from the 20 million it had before the video. The legal story is messier. A consolidated class action, filed in the Northern District of California starting December 29, 2024 by creators including Sam Denby of Wendover Productions and the channel GamersNexus, argued conversion, unjust enrichment, and unfair competition.
On November 21, 2025, US District Judge Beth Labson Freeman dismissed it, and her reasoning is the sharpest comment on attribution in the whole episode. She found the creators had not shown a concrete injury traceable to PayPal, because their complaint never spelled out what their contracts with the merchants actually promised them. PayPal had argued that last-click attribution is a standard industry practice it does not control, and that any commission decision is the merchant's. The judge gave the plaintiffs 45 days to amend. They refiled in early January 2026 with a longer complaint citing specific merchant affiliate agreements.
Strip out the legal language and the court said something uncomfortable: if a creator's deal pays on last click, and Honey was last, then the system worked as written. You cannot easily sue your way out of a rule you agreed to. The fix is the rule.
What replaces last click
The honest lesson of the Honey scandal is that last-click attribution was never neutral. It is a design choice, and like any design choice it rewards some behavior and punishes other behavior. For two decades it rewarded showing up last. The industry is now, slowly, choosing differently.
Three shifts are underway, and the Honey case accelerated all of them.
The first is multi-touch attribution: instead of paying one cookie, the merchant records every affiliate touch in the journey and splits the commission across them. A YouTube review that started the journey can keep a share even if a deal site closed it. This is harder to compute and harder to explain, and a checkout-only player like Honey earns far less under it because it contributed no early touch to be credited for.
The second is the move off cookies entirely, toward server-side tracking. When the merchant's own server records the referral through a conversion API rather than trusting a file in the browser, a browser extension has nothing to overwrite. The point of attribution control was always to take it out of the browser, where extensions live.
The third, and the most consequential, is incrementality. The question stops being who touched the sale last and becomes which affiliates produced sales that would not have happened otherwise. By that test, an extension that activates only at checkout, after the buyer has already chosen the product and the store, looks much weaker. The buyer was going to convert. Honey was just standing at the door. Incrementality testing is built to expose that, and a growing share of marketers now run these experiments rather than reading a last-click dashboard.
There is a reason this gets urgent now. Shoppers increasingly start inside an AI assistant, asking it to compare options and find deals. The click, the single event that last-click attribution is built on, happens later in the journey or sometimes not at all. A model that depends on cleanly ordering clicks struggles when the influence happened in a chat window that never set a cookie. Last click was already brittle. AI-mediated shopping makes its brittleness impossible to ignore.
What to take from it
It is tempting to file the Honey story under fraud and move on. That misses the more useful point. Honey did not beat the affiliate system. It read the affiliate system accurately and acted on what the rule rewarded. Any incentive structure left in place long enough will be found and used by whoever benefits most, and they will not feel like they are cheating, because technically they are following the rule.
For anyone running or relying on an affiliate program, the practical questions are concrete. Do you know which attribution model your program uses, and what behavior it quietly pays for? Do your contracts say what happens when several affiliates touch one sale? Are you measuring incrementality, or just reading whichever cookie survived to checkout? The Honey scandal handed the industry a free, very public stress test of last-click attribution. The rule failed it. The work now is deciding what to write in its place.
Council summary
This post argues that the Honey scandal is best read as a failure of last-click attribution, not a one-off fraud: a rule that pays whichever affiliate cookie is written last gave a checkout-stage browser extension an obvious reason to write the last cookie, and Honey took it. The council verified the load-bearing facts against primary and trade sources: the December 21, 2024 MegaLag video and its 23-minute length, PayPal's roughly 4 billion dollar acquisition, the 35 dollar versus 89 cents test, Ben Edelman's selective stand-down finding, the Rakuten, Impact.com, and Awin removals, and Judge Beth Labson Freeman's November 21, 2025 dismissal with a 45-day window to amend. Two numbers were corrected: the year-end Chrome user count was overstated and is now set to roughly 12 million, and an unverifiable claim about a stand-down timer changing from 6 minutes to 1 hour was replaced with the documented points-threshold change. Allegations are now consistently framed as allegations. The takeaway for anyone running an affiliate program is concrete: know which attribution model you pay on, write down what happens when several affiliates touch one sale, and measure incrementality instead of trusting whichever cookie survived to checkout.
Comments