
AppsFlyer Web SDK Breach Used to Divert Cryptocurrency in Supply Chain Attack

The Web SDK of AppsFlyer was briefly compromised earlier this week, allowing attackers to inject malicious code as part of a supply chain attack aimed at stealing cryptocurrency.

The malicious payload was capable of intercepting cryptocurrency wallet addresses entered by users on affected websites. It would then swap these addresses with ones controlled by the attackers, redirecting funds without the user’s knowledge.

AppsFlyer’s SDK is widely integrated across thousands of platforms for marketing analytics, including tracking user engagement and retention. The company reports that over 15,000 businesses rely on its SDK across more than 100,000 mobile and web applications, making it a prominent “mobile measurement partner” (MMP) solution for campaign attribution and in-app activity tracking.

The issue was initially identified by researchers at Profero, who "confirmed the presence of obfuscated attacker-controlled JavaScript being delivered to users visiting websites and applications that loaded the AppsFlyer SDK." However, AppsFlyer has only acknowledged a domain availability issue that appeared on its status page on March 10, 2026.

Profero detected the malicious activity on March 9, when the compromised SDK, hosted on its official domain ‘websdk.appsflyer.com,’ began distributing harmful code. Multiple users also flagged the suspicious behavior.

“While the full scope, duration, and root cause of the incident remain unverified, the activity highlights how threat actors can abuse trust in widely deployed third-party SDKs to impact downstream websites, applications, and end users,” Profero explains.

The injected JavaScript was engineered to keep the SDK functioning normally while secretly executing malicious actions. It dynamically decoded hidden instructions and intercepted browser network requests.

Once active, the malware monitored web pages for cryptocurrency wallet inputs. Upon detecting a wallet address, it replaced it with an attacker-controlled one and simultaneously transmitted the original address along with related data to external servers.

The attack targeted several major cryptocurrencies, including Bitcoin, Ethereum, Solana, Ripple, and TRON, potentially affecting a broad range of digital transactions.

Researchers estimate the exposure window lasted from March 9 at 22:45 UTC to March 11, although it remains unclear whether the compromise extended beyond this timeframe.

In response to inquiries, AppsFlyer confirmed that unauthorized code had been delivered through its SDK.

"AppsFlyer detected and contained a domain registrar incident on March 10 that temporarily exposed the AppsFlyer Web SDK running on a segment of customer websites to unauthorized code.

"The mobile SDK was not affected, and our investigation to date has not identified evidence that customer data on AppsFlyer systems was accessed. We take this incident very seriously and have been actively communicating with customers," AppsFlyer told BleepingComputer.

The company added that the issue has now been resolved and that affected customers were directly notified with updates.

"The mobile SDK has remained safe to use throughout the process, and the web SDK is safe to use."

AppsFlyer stated that the investigation is still ongoing in collaboration with external forensic specialists, with further details expected once the analysis is complete.

Due to uncertainties surrounding the extent and root cause of the breach, security experts recommend that organizations using the SDK examine telemetry logs for unusual API activity linked to websdk.appsflyer.com, revert to verified safe SDK versions, and assess any potential compromise.

This incident follows another cybersecurity concern earlier in the year, when the hacking group ShinyHunters claimed to have exploited the SDK in a supply chain attack targeting Match Group, reportedly exposing over 10 million user records from platforms such as Hinge, Match.com, and OkCupid.