Honey, the free browser extension once hailed as the saviour of online shoppers, has been exposed as a scam, and the extent of its deception has sent shockwaves throughout the digital landscape. Promising to find the best coupon codes and save users money, Honey managed to become a household name, endorsed by influencers like MrBeast, Marques Brownlee, and Linus Tech Tips. But behind the sleek marketing and glowing testimonials lies a web of fraud, unethical practices, and deception – all meticulously unraveled in a multi-year investigation by a vigilant YouTuber by the name of Megalag.
What is Honey, and how does it work?
Honey is a browser extension that claims to automatically find and apply the best coupon codes at checkout, helping users save money without any effort. The extension activates on e-commerce sites, scanning for available discounts and applying them if they’re valid. It also introduces features like “Honey Gold” (now rebranded as PayPal Rewards), a cashback scheme that promises users additional savings.
From a user perspective, Honey’s appeal lies in its simplicity. By clicking a button at checkout, users can allegedly ensure they’re getting the best possible deal. Behind the scenes, however, Honey is not just profiting – it’s exploiting the very systems that underpin affiliate marketing and e-commerce, leaving creators and consumers worse off.
The extension gained enormous credibility after PayPal purchased it in 2020 for $4 billion. This acquisition seemed to validate its business model, leading millions more to trust and use the tool. But as this investigation uncovered, Honey’s practices reveal a far more sinister story.
Understanding affiliate marketing: The foundation of Honey’s exploitation
To fully grasp Honey’s deceptive practices, it’s crucial to understand how affiliate marketing works. Affiliate marketing is a system where businesses reward individuals or entities (affiliates) for driving traffic or sales to their website. Affiliates achieve this by sharing unique tracking links, often referred to as affiliate links.
When someone clicks an affiliate link, it stores a small piece of data known as a “cookie” in their browser. This cookie identifies the affiliate as the source of the referral and allows the merchant to track their contribution. For instance, if you watch a YouTuber review a product and click their affiliate link to make a purchase, the cookie ensures the YouTuber earns a commission from that sale. This system incentivizes affiliates to promote products and services authentically and is a major source of income for influencers, bloggers, and other content creators. It’s also a great way for their viewers and fans to support them financially.
Affiliate marketing typically operates on a “last click” attribution model. This means the last entity to drive the user to the website (via a click) earns the commission. While this system is straightforward, it also opens the door for abuse, as Honey’s practices demonstrate.
The deceptive practices of Honey
Affiliate link hijacking
At the heart of Honey’s deception is its ability to hijack affiliate links. Influencers and content creators often use affiliate marketing to earn commissions from sales generated through their referral links. Honey intercepts this process in a way that is both unethical and damaging.
Here’s how it works: When a user activates Honey at checkout, the extension replaces the original affiliate cookie with its own. This means the commission, which should rightfully go to the influencer or creator who drove the sale, is instead pocketed by Honey. The user remains unaware of this switch, believing they’ve simply saved money.
Imagine this scenario: A viewer clicks on a YouTuber’s affiliate link to purchase a tech gadget, say a new pair of headphones. The YouTuber’s link directs the viewer to the merchant’s website and the affiliate cookie is stored. The viewer adds the headphones to their cart and wants to see if any discount codes would get them a better deal, so they use the Honey extension to search for codes. However, when the viewer activates Honey at checkout, the extension replaces the YouTuber’s cookie with its own, effectively stealing the commission. This practice not only deprives creators of their rightful earnings but also undermines the trust between creators and their audiences.
Manipulating last click attribution
Affiliate marketing’s reliance on last click attribution is a double-edged sword. While it simplifies commission tracking, it also creates opportunities for exploitation. Honey exploits this system by simulating referral clicks when users engage with the extension at checkout. This ensures Honey’s affiliate link is always the last one registered, effectively overriding any legitimate links previously clicked by the user.
Honey achieves this by discreetly opening a new browser tab when users activate the extension. This tab performs a simulated click on the merchant’s affiliate program, replacing any existing cookies with Honey’s. The tab then closes automatically, leaving users unaware of the switch. This underhanded tactic guarantees Honey receives the commission, regardless of the true source of the referral.
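To make the last-click problem concrete from the merchant’s side, here is an added example (not code from Honey, PayPal or the Megalag investigation) that models each affiliate click as a cookie write and contrasts naive last-click payout with a journey-aware policy that refuses to credit a click arriving only at checkout. The session data, affiliate names and the add-to-cart cut-off are all constructed for illustration.

```javascript
// Added example: merchant-side attribution model. Constructed data only; the
// affiliate names and timings are illustrative, not taken from any real system.

// Constructed journey: a creator's link lands the shopper on the product page;
// a coupon tool fires its own affiliate click at checkout, five minutes later.
const SESSION_HIJACKED = [
  { t: 0,   type: 'click',       affiliate: 'creator_youtube',  page: 'product' },
  { t: 120, type: 'add_to_cart' },
  { t: 300, type: 'click',       affiliate: 'coupon_extension', page: 'checkout' },
  { t: 305, type: 'purchase',    amount: 200 },
];

// Constructed journey with two genuine pre-cart referrers and no override.
const SESSION_TWO_CREATORS = [
  { t: 0,  type: 'click',       affiliate: 'blog_review',     page: 'product' },
  { t: 60, type: 'click',       affiliate: 'creator_youtube', page: 'product' },
  { t: 90, type: 'add_to_cart' },
  { t: 95, type: 'purchase',    amount: 200 },
];

// Naive last-click: each click overwrites the attribution cookie, so whoever
// wrote it last receives 100% of the commission.
function lastClickAttribution(events) {
  let cookie = null;
  for (const e of events) if (e.type === 'click') cookie = e.affiliate;
  return cookie === null ? {} : { [cookie]: 1 };
}

// Journey-aware policy: a click that arrives after add_to_cart cannot have
// introduced the shopper to the product. If an earlier referrer exists, such
// clicks are flagged as post-cart overrides and excluded; pre-cart referrers
// share the commission equally (one simple form of "dynamic" attribution).
function journeyAttribution(events) {
  const cart = events.find(e => e.type === 'add_to_cart');
  const cartTime = cart ? cart.t : Infinity;
  const clicks = events.filter(e => e.type === 'click');
  const preCart = clicks.filter(c => c.t < cartTime);
  const postCart = clicks.filter(c => c.t >= cartTime);
  const shares = {};
  if (preCart.length > 0) {
    for (const c of preCart) shares[c.affiliate] = (shares[c.affiliate] || 0) + 1 / preCart.length;
    return { shares, flagged: postCart.map(c => c.affiliate) };
  }
  // No earlier referral exists: a checkout-stage click really is the source.
  if (postCart.length > 0) shares[postCart[postCart.length - 1].affiliate] = 1;
  return { shares, flagged: [] };
}
```

Running both policies over `SESSION_HIJACKED` shows the gap: last-click pays the coupon extension everything, while the journey-aware policy pays the creator and flags the checkout-stage click for review.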
False promises of savings
While Honey promises users the best deals, the reality is far less rosy. The investigation revealed that Honey frequently fails to find competitive discounts. Moreover, merchants who partner with Honey can control which coupons are displayed. This means users might see suboptimal discounts designed to maximize merchant profits rather than genuine savings.
For example, a partnering merchant could suppress higher-value coupons in favour of lower-value ones, ensuring the user believes they’ve received a discount while the merchant’s margins remain intact. This betrayal of consumer trust is a cornerstone of Honey’s business model.
Worse still, Honey’s claims of “scouring the Internet” for the best deals are often unfounded. Independent tests have shown users can frequently find better discounts through manual searches or alternative tools. The discrepancy between promise and reality further erodes Honey’s credibility.
The cost to content creators
The impact of Honey’s practices on influencers and content creators cannot be overstated. Many creators rely on affiliate marketing to sustain their channels and content. By poaching affiliate commissions, Honey has deprived countless creators of significant revenue. A notable example is Linus Tech Tips (LTT), a prominent tech-focused YouTube channel that once promoted Honey extensively. It wasn’t until 2022 that LTT discovered Honey was cannibalizing their affiliate commissions. They promptly ended their partnership but remained relatively quiet about the matter. This silence likely left other creators unaware of the threat Honey posed to their earnings.
The question remains: How many creators have suffered financial losses due to Honey’s fraud? Given the scale of its operations, the total impact could amount to millions of dollars.
The broader implications for consumers
Honey’s deceit doesn’t end with creators. Users themselves are victims of the extension’s practices. Despite marketing itself as a consumer-first tool, Honey prioritizes merchant partnerships and profit over genuine savings for its users.
Manipulated discounts
One of the most egregious examples of Honey’s betrayal is its selective display of discounts. Merchants partnered with Honey can dictate which coupons are shown, meaning users might never see the best deals available. This manipulation directly contradicts Honey’s claim of finding every working coupon code on the Internet.
Misleading marketing
Honey’s advertising has long promised users effortless savings. Phrases like “Honey searches the known Internet for every promo code ever used” create the illusion of a comprehensive, impartial tool. In reality, Honey’s primary goal is to maximize its own revenue, even if it means misleading its users.
Connecting Honey’s practices to cybersecurity
The Honey scandal is a warning sign for the cybersecurity industry. It shows that there are virtually countless ways in which bad actors can exploit the vulnerabilities present in the digital ecosystem.
Honey’s methods thrived in the shadows of opaque systems. The hidden replacement of affiliate links, discreet opening of new browser tabs, and manipulation of cookies were all enabled by a lack of transparency. This case shows an urgent need to prioritize transparency in all aspects of digital interaction. Users must be informed about what happens when they interact with extensions, tools, and platforms. Transparency should be a non-negotiable standard, not just an industry ideal.
For too long, companies like Honey have exploited loopholes in the digital economy, profiting at the expense of both consumers and creators. It’s time for regulators and industry leaders to establish clear accountability measures. This includes audits of browser extensions, as well as legal consequences for companies that engage in deceptive behaviour. Accountability is what restores trust in the tools we rely on.
Honey’s business model exemplifies the old adage: “If a product is free, you are the product.” It’s a reminder that “free” often comes with hidden costs. In Honey’s case, users unknowingly became participants in unethical practices, sacrificing both their money and their trust in the process. This is a call to action for all of us: to demand greater honesty from the platforms we use and to critically evaluate the real price of convenience.
As for us, the cybersecurity community must respond with innovation. Affiliate marketing systems must evolve to include mechanisms that resist tampering. Cookie stuffing is a relatively novel attack method, and it has been exploited in the past with little to no recourse for victims. Back in 2014, Shawn Hogan, a prominent figure in eBay’s affiliate program, was convicted of wire fraud for engaging in cookie stuffing and received a five-month federal prison sentence along with a $25,000 fine. Honey, so far, has faced no legal consequences despite being investigated by the Better Business Bureau. Potential solutions to this problem already exist, such as dynamic click attribution, which shares commissions among all contributing sources. Blockchain-based (or other immutable) tracking systems can also enhance transparency and fairness.
And for what I believe to be most important: There should be a renewed, global effort to educate users about the risks of unregulated tools such as this.
Lessons learned
The Honey case is a microcosm of broader challenges in our society. When discussing situations like this, we need to think about the kind of world we want to build. Do we want a future where trust is an illusion, where convenience trumps ethics, and where corporations can exploit without consequence? Or do we desire a future that values transparency, accountability, and fairness?
It is always time to act. Regulators, technologists, creators, and consumers must come together to see the warning signs and to demand better. Our future depends on it.
For consumers, the lesson is clear: Be cautious of tools that promise too much and demand too little. For creators, the takeaway is to diversify revenue streams and carefully vet potential partnerships. And for the tech industry, the Honey case should push us all to create stronger safeguards to protect everyone from harm.
This was a profound betrayal of trust that is already leaving lasting scars on the digital ecosystem. While PayPal and Honey may have profited from their deceptive practices, the fallout has eroded trust in browser extensions, affiliate marketing, and even some of the influencers who promoted the tool, not knowing what was going on.