Is PayPal’s Honey Misleading Users? We Investigate


From Mr. Beast to the L.A. Clippers, a web browser extension endorsed by top influencers and organizations faces fraud accusations.

Honey, a browser extension designed to search for coupons and provide better deals for online shoppers, is used by millions and owned by PayPal. However, critics allege that Honey deliberately pockets commissions on every purchase and prioritizes its own profits over consumer savings.

Could this popular money-saving tool be secretly profiting at your expense? Let’s dig deeper.

Key Takeaways

  • Honey employs aggressive tactics, including excessive pop-ups, intrusive notifications, and forced tab openings, creating a disruptive and potentially harmful user experience.
  • The tool intercepts affiliate marketing links, deletes the original cookies, and replaces them with its own, redirecting commissions intended for influencers and businesses to itself.
  • Honey’s actions are largely hidden from users, and its code-altering behavior takes place without explicit consent or clear disclosure. This lack of transparency raises serious concerns about user privacy and data security.
  • Its practices may constitute fraud and raise significant ethical concerns, currently impacting PayPal’s reputation and potentially leading to legal challenges.

All You Need to Know About Honey Fraud Allegations

A recently released multi-year investigation by Mega Labs uncovered how the PayPal-owned browser extension, Honey, is hard-coded to claim ‘Last Click Attribution’ — an online marketing model that awards all commission credit for a purchase to the final touchpoint in the buyer’s journey.

While last-click attribution is the global standard in e-commerce, research suggests that Honey goes to great lengths to secure this final click for itself.

Techopedia spoke to Simon Wijckmans, CEO at c/side, a third-party scripts security and performance company. Wijckmans explained: “When users purchased via an affiliate link with Honey installed, commissions intended for creators were redirected to Honey. Additionally, Honey misrepresented deals as the best discounts while partnering with companies to hide better offers.”

Techopedia’s simulations revealed that Honey deletes and replaces affiliate cookies to claim last-click attribution and pocket commissions. Source: Techopedia, Screenshot

Wijckmans highlighted that Honey exemplifies the risks associated with third-party browser extensions, particularly those where updates and changes occur behind closed doors, hidden from public scrutiny.

“Chrome extensions are auto-updated and can behave entirely dynamically, which allows for a bad actor to perform very stealthy attacks. In a worst-case scenario, browser extensions like Honey could inject malware, steal sensitive data, or redirect users to other websites.”

Sharing insights from web browser security research, Wijckmans emphasized the need for user-side security technologies to actively monitor and control the behavior of extensions in real-time.

How Last Click Works & Why Honey’s Version of It Is Way Off

Influencers, e-commerce platforms, and other online businesses often use affiliate marketing links to promote products — such as a computer featured on a YouTube channel. Typically, companies pay influencers and businesses a commission for every product sold through their affiliate link.

When a user clicks on such a link, an affiliate marketing cookie is created in their browser. This cookie helps the vendor track who referred the sale and determines who earns the commission based on the last click.

However, Mega Labs’ investigation revealed that Honey is deleting and replacing these affiliate marketing cookies with its own.

The outcome? Influencers and creators promoting the products lose their commission, while Honey claims the last-click attribution and pockets the earnings.


Our Findings: Honey’s Cookie Switching & Chaotic Interruptions

Mega Labs presented convincing evidence of ‘last click’ cookies being deleted and replaced by Honey, new tabs and pop-ups redirecting users to Honey referral links, and influencers on social media losing their commissions as a result.

Techopedia conducted its own investigation to validate Mega Labs’ findings. It confirmed that cookies are indeed being altered, and referral or affiliate marketing links are being replaced. This activity was particularly evident during the checkout process as we ran simulations of random purchases.

Furthermore, we identified additional unethical practices by Honey that come alarmingly close to constituting fraud.

At several points, we attempted to apply coupon codes provided by Honey, but none of them worked. Source: Techopedia, Screenshot

Unlike the structured and clean demonstration in Mega Labs’ video, our interactions with Honey were far more chaotic.

During our tests, Honey frequently opened tabs, pushed notifications, changed its icon colors, and interrupted our screens so often that it felt more like dealing with adware or malware than a helpful extension.

Throughout our simulated purchases, Honey consistently made its presence known — relentlessly and, at times, annoyingly. It bombarded us with notifications about coupons, cash rewards, and links to supposedly better deals, even when no such offers were available.

We also discovered that Honey runs persistently in the browser’s background. Even when there’s no deal to offer, it still pops up.

The chaos escalated when we clicked “Add to Cart” or “Complete Checkout.” Then, Honey often took over the entire webpage, claiming it could secure a cash reward for us. Notifications popped up from the top of the screen, the right side, and sometimes completely dominated the webpage.

Honey behaves like adware, constantly interfering with the user experience. It switches cookies, opens tabs, and redirects users to claim last-click attribution, even if the shopping journey began elsewhere. Source: Techopedia, Screenshot

Honey Opens New Tabs with Stealth

We can also confirm that Honey uses redirect links to manipulate final click attribution by opening new tabs. For instance, while shopping on https://us-store.msi.com, it automatically opened a new tab with a redirect link designed to change cookies. The redirect lasted just one second and pointed to the following URL:

https://www[.]joinhoney[.]com/p/b9a80f1c-d544-4fe3-8fd0-7b7a589aa388?ext_screenview_id=9096287628432688087&ext_comparison_shopping_product_id=1_9505ed84be32f0c7c6670da1c431bccb_9505ed84be32f0c7c6670da1c431bccb

The long string of characters in the link (e.g., b9a80f1c-d544-4fe3-8fd0-7b7a589aa388) appears to be a unique identifier tied to a specific affiliate or referral program.

This link disappeared almost instantly, and the shopping site we were testing returned — with a different unique identifier in place.

Honey opened a new tab (secretly, on the left of our browser) and redirected away from the original affiliate marketing link. Source: Techopedia, Screenshot
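
The pattern reported above (an unrequested tab that lives about a second, followed by a different affiliate identifier on the shopping site) can be checked for in a browser event log. The following is an added example, not Techopedia's test tooling or Honey's code; the event format, the hostnames and the cookie name `aff_id` are assumptions, and the log is constructed.

```javascript
// Added example. Event shapes, hostnames and the cookie name "aff_id" are
// assumptions made for illustration; all sample data is constructed.
const ATTRIBUTION_COOKIES = new Set(["aff_id"]); // hypothetical cookie name
const MAX_TAB_LIFETIME_MS = 3000;   // the article saw a tab live ~1 second
const CORRELATION_WINDOW_MS = 5000; // cookie change soon after the tab closes

const sampleEvents = [ // constructed log, t = ms since session start
  { t: 0, type: "cookie_set", domain: "shop.example", name: "aff_id", value: "creator-123" },
  { t: 60000, type: "tab_opened", tabId: 7, userInitiated: false, url: "https://redirector.example/p/abc" },
  { t: 60400, type: "cookie_set", domain: "shop.example", name: "aff_id", value: "extension-999" },
  { t: 61000, type: "tab_closed", tabId: 7 },
  { t: 70000, type: "cookie_set", domain: "shop.example", name: "session", value: "xyz" },
  { t: 80000, type: "cookie_set", domain: "store.example", name: "aff_id", value: "blog-1" },
  { t: 95000, type: "cookie_set", domain: "store.example", name: "aff_id", value: "newsletter-2" },
];

// Tabs the user did not open that closed within MAX_TAB_LIFETIME_MS.
function shortLivedTabs(events) {
  const open = new Map(), tabs = [];
  for (const ev of events) {
    if (ev.type === "tab_opened" && !ev.userInitiated) open.set(ev.tabId, ev);
    if (ev.type !== "tab_closed" || !open.has(ev.tabId)) continue;
    const o = open.get(ev.tabId);
    open.delete(ev.tabId);
    if (ev.t - o.t <= MAX_TAB_LIFETIME_MS)
      tabs.push({ host: new URL(o.url).hostname, from: o.t, to: ev.t + CORRELATION_WINDOW_MS });
  }
  return tabs;
}

// Report every attribution cookie whose value changes; rate it "high" when the
// change coincides with a short-lived unrequested tab, otherwise "review".
function findAttributionTakeovers(events) {
  const ordered = [...events].sort((a, b) => a.t - b.t);
  const tabs = shortLivedTabs(ordered);
  const current = new Map(), findings = [];
  for (const ev of ordered) {
    if (ev.type !== "cookie_set" || !ATTRIBUTION_COOKIES.has(ev.name)) continue;
    const key = `${ev.domain}|${ev.name}`;
    const previous = current.get(key);
    current.set(key, ev.value);
    if (previous === undefined || previous === ev.value) continue; // first set or refresh
    const tab = tabs.find((s) => ev.t >= s.from && ev.t <= s.to);
    findings.push({ domain: ev.domain, from: previous, to: ev.value,
      viaHost: tab ? tab.host : null, severity: tab ? "high" : "review" });
  }
  return findings;
}

console.log(findAttributionTakeovers(sampleEvents));
```

A "review" finding is not proof of interference: a shopper who clicks a second affiliate link changes the last click legitimately, which is why the correlation with an unrequested short-lived tab carries the weight.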

Opening unrequested tabs with redirect links is a tactic commonly associated with cybercriminals.

It quickly became evident that Honey positions itself between influencers, media outlets, businesses promoting products, and the consumer. The behavior is so obvious that even a non-tech-savvy user would likely sense that something is amiss with the extension.

The lack of transparency, combined with a deceptively coded browser extension that manipulates last-click attribution cookie data, is deeply troubling.

The Impact: Where the Buck Stops?

PayPal’s acquisition of Honey for $4 billion — a staggering amount for a coupon browser extension — underscores its value in the e-commerce landscape. Honey is believed to have over 17 million users and operates across platforms like Windows, Mac, iOS, and Android.

As a web browser extension, it does not discriminate: Honey runs on Chrome, Safari, Firefox, Opera, and Edge. Its free installation process takes seconds and is accessible to a large audience.

However, the alleged practices of stealing money from users and influencers, abusing cookies, and manipulating affiliate links without the knowledge of promoters or consumers carry major implications.

The definition of fraud is “wrongful or criminal deception intended to result in financial or personal gain.” It allegedly fits Honey like a glove. This investigation raises serious questions about PayPal’s accountability and places the company in a highly uncomfortable position.

The Bottom Line

As a cybersecurity researcher, I have encountered countless examples of adware, browser stealers, and other types of malware. However, I cannot recall a time when I investigated legitimate software created by a major company like PayPal and found it to share behaviors strikingly similar to malware.

Honey is specifically coded to interfere with users’ online shopping experiences, particularly during the checkout process. It deliberately removes all traces of the original links that led users to a product and replaces them with its own affiliate ID. This behavior is not an industry standard.

Honey’s biggest issue is its lack of transparency. Individuals could have made informed decisions if the extension had been upfront about its intent to redirect users and earn commissions on their purchases. From a technical perspective, Honey’s behavior amounts to hacking users’ browser data, which can be considered an invasion of privacy. It aggressively positions itself as the “man in the middle” for all user transactions.

We strongly recommend investigating any app or browser extension before installing it and reading online reviews to understand what others have experienced.

Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.