AppsFlyer Web SDK Breach Sparks Alarm After Hackers Inject Crypto-Stealing Code Across Thousands of Websites
Hackers hijacked the AppsFlyer Web SDK to inject crypto-stealing code, exposing a major supply chain risk across thousands of apps.
A brief but alarming cybersecurity incident involving a widely used marketing analytics tool has exposed a new pathway for cryptocurrency theft, highlighting once again how software supply chains can become powerful attack vectors in the digital economy.
Earlier this week, malicious code was injected into the web version of AppsFlyer’s software development kit (SDK), a tool embedded in thousands of websites and applications to track marketing performance and user engagement. The compromised code was designed to quietly manipulate cryptocurrency transactions by intercepting wallet addresses and replacing them with those controlled by attackers.
The technique is particularly dangerous because it operates invisibly to the user. When someone prepares to send cryptocurrency, the malicious script scans the page for wallet address fields. Once it finds one, it swaps the original address for the attacker's before the transaction is completed, so the payment goes to the wrong recipient while everything the user sees looks normal. Because the substitution happens before the funds leave the sender's wallet, the resulting on-chain transaction is valid and irreversible, and the sender has no indication that anything changed.
The SDK affected by the incident belongs to AppsFlyer, a company whose analytics platform is integrated into more than 100,000 mobile and web applications used by roughly 15,000 businesses worldwide. Its technology is commonly deployed to measure advertising campaign performance, attribute user acquisition and monitor in-app engagement.
The scale of that ecosystem means even a short-lived compromise can ripple across a large digital footprint.
The breach was first identified by researchers at cybersecurity firm Profero, who reported detecting obfuscated JavaScript code delivered through the official AppsFlyer Web SDK domain. According to their analysis, the malicious payload was engineered to remain discreet by preserving the normal functions of the analytics toolkit while executing hidden instructions in the background.
Those instructions included decoding encrypted strings at runtime, so that the indicators do not appear in the script file as served, and hooking browser network request APIs. The script then watched pages for cryptocurrency wallet activity and silently rewrote any addresses it found.
Investigators found that the malware specifically targeted several major blockchain ecosystems, including Bitcoin, Ethereum, Solana, Ripple and TRON. By covering the most widely used networks, the attackers maximized the potential reach of the payload across mainstream cryptocurrency users.
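The scanning step described above is the same whether an injected script is looking for addresses to replace or a site owner is looking for addresses that were replaced. The JavaScript below is an added example, not code from AppsFlyer, Profero or the malware: it recognises address shapes for the five chains named in this article, scans free text for them, and compares the addresses the server rendered against what the live page shows. The page contents and the addresses in it are constructed samples or public test vectors, not anything taken from the incident.

```javascript
// Added example (not AppsFlyer's, Profero's or the malware's code): how a
// page-scanning address swapper and a defender's tamper check see the same
// text. Chain patterns are the public address formats; sample addresses are
// constructed or public test vectors, not attacker infrastructure.

// Ordered from most to least specific. A 34-character base58 string that
// starts with "T" is reported as TRON even though it also fits the Solana
// shape; shape matching alone cannot settle that, only a checksum check can
// (base58check for Bitcoin/TRON/Ripple, EIP-55 for Ethereum), omitted here.
const CHAIN_PATTERNS = [
  ["Ethereum", /^0x[0-9a-fA-F]{40}$/],                             // 20-byte hex, checksum not verified
  ["Bitcoin",  /^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$/], // bech32 / bech32m, lowercase form
  ["TRON",     /^T[1-9A-HJ-NP-Za-km-z]{33}$/],                     // base58check, always 34 chars
  ["Ripple",   /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/],                  // XRP base58 (same char set, other order)
  ["Bitcoin",  /^[13][1-9A-HJ-NP-Za-km-z]{25,34}$/],               // legacy P2PKH / P2SH
  ["Solana",   /^[1-9A-HJ-NP-Za-km-z]{32,44}$/],                   // raw base58 ed25519 public key
];

function classifyAddress(token) {
  for (const [chain, re] of CHAIN_PATTERNS) {
    if (re.test(token)) return chain;
  }
  return null;
}

// Pull every address-shaped token out of a page's text. A swapper runs this
// over the DOM (input values, text nodes, QR payloads); a defender can run it
// over the HTML the server rendered and over the live DOM and diff the two.
function findAddresses(text) {
  const found = [];
  const tokenRe = /\b[0-9A-Za-z]{25,64}\b/g;
  let m;
  while ((m = tokenRe.exec(text)) !== null) {
    const chain = classifyAddress(m[0]);
    if (chain) found.push({ address: m[0], chain, offset: m.index });
  }
  return found;
}

// Tamper check: any address visible in the rendered page that the server
// never emitted is a candidate swap. Returns those unexpected addresses.
function findReplacedAddresses(serverRenderedText, liveDomText) {
  const expected = new Set(findAddresses(serverRenderedText).map((a) => a.address));
  return findAddresses(liveDomText).filter((a) => !expected.has(a.address));
}

// Constructed sample: a checkout page as the server sent it, and the same
// page after an injected script swapped the Ethereum deposit address.
const SERVER_PAGE = `Send exactly 0.5 ETH to 0x742d35Cc6634C0532925a3b844Bc454e4438f44e
or pay in BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq within 15 minutes.`;
const TAMPERED_PAGE = SERVER_PAGE.replace(
  "0x742d35Cc6634C0532925a3b844Bc454e4438f44e",
  "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
);

console.log(findAddresses(SERVER_PAGE));
console.log(findReplacedAddresses(SERVER_PAGE, TAMPERED_PAGE));
```

Run against a real site this would be wired to a MutationObserver on the deposit or send form and compare against the address list the server embedded at render time; the point of the diff is that a swapper has to put its own address somewhere visible, and that address is one the site never published.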
The window of exposure appears to have been short. Researchers believe the malicious payload was active from late on March 9 until March 11, a day beyond the containment date AppsFlyer later gave, and the full scope of the compromise has not yet been confirmed.
AppsFlyer later acknowledged that unauthorized code had been delivered through the Web SDK during what it described as a “domain registrar incident.” The company stated that the issue was detected and contained on March 10 and emphasized that its mobile SDK was not affected by the breach. A registrar-level compromise typically gives an attacker control of a domain's DNS records, so the SDK hostname can be pointed at a server the attacker controls and a script served under the legitimate domain name without AppsFlyer's own infrastructure being breached; that would be consistent with the researchers' observation that the payload arrived through the official SDK domain, though the company has not yet described the mechanism.
According to the company’s initial investigation, there is currently no evidence that customer data stored within AppsFlyer systems was accessed. Nevertheless, the firm has launched a broader forensic review and is working with external security specialists to understand the root cause of the intrusion.
Security experts say the episode underscores a recurring weakness in modern software architecture. Many digital platforms rely heavily on third-party libraries and analytics tools, creating complex chains of trust in which a single compromised component can expose thousands of downstream applications.
Organizations that integrated the affected SDK have been advised to review their telemetry logs for unusual API requests tied to the AppsFlyer domain, particularly during the March 9 to March 11 window, and to verify that the Web SDK they serve to users is a known-safe version.
The incident also follows another controversy earlier this year when the hacking group ShinyHunters claimed to have exploited the same SDK in a separate supply-chain breach targeting the dating platform conglomerate Match Group. That attack allegedly exposed more than 10 million user records across several popular services.
While investigations continue, the latest breach serves as a reminder that in the rapidly expanding digital ecosystem, security risks often emerge not from the core platforms themselves but from the interconnected tools that power them.