PROBABLYPWNED
Malware | March 14, 2026 | 4 min read

AppsFlyer SDK Hijacked to Steal Crypto via Supply Chain Attack

Attackers compromised AppsFlyer's domain registrar to inject crypto-stealing JavaScript into their Web SDK. The malware swaps wallet addresses for Bitcoin, Ethereum, Solana, and more.

James Rivera

A supply chain attack on AppsFlyer's Web SDK exposed thousands of websites to cryptocurrency-stealing malware this week. Attackers compromised the marketing analytics provider's domain registrar and injected malicious JavaScript that silently swaps cryptocurrency wallet addresses with attacker-controlled alternatives.

Security firm Profero discovered the compromise on March 9, 2026, after detecting anomalous behavior in scripts served from websdk.appsflyer.com. AppsFlyer confirmed the incident the following day and expanded the exposure window to March 9 20:40 UTC through March 10 10:30 UTC.

How the Attack Worked

The attackers gained access through AppsFlyer's domain registrar, allowing them to redirect SDK requests to infrastructure serving the malicious payload. Any website loading the AppsFlyer Web SDK during the exposure window automatically served the compromised JavaScript to visitors—no changes to the target sites required.

The payload is a sophisticated "clipper" designed to intercept cryptocurrency transactions. When a user copies or enters a wallet address on an affected site, the malware swaps it with an attacker-controlled address. Victims who don't notice the switch send funds directly to the attackers.

Targeted cryptocurrencies include Bitcoin, Ethereum, Solana, Ripple, TRON, and Monero. The malware dynamically fetches wallet addresses from command-and-control infrastructure, rotating them regularly to complicate blocking efforts.

Technical Sophistication

Security researchers analyzing the payload describe it as a professional-grade interception framework. The ~170 KB minified JavaScript file employs multi-layered base91 string encoding with 17 distinct shuffled alphabets, making static analysis difficult.

The malware operates through several components:

  • Network Hooking: Replaces globalThis.fetch and patches XMLHttpRequest.prototype to intercept all HTTP requests and responses
  • DOM Monitoring: Uses MutationObserver to watch input fields in real time
  • Shadow DOM Bypass: Patches attachShadow to penetrate secure form components designed for input isolation
  • C2 Communication: Fetches wallet addresses dynamically and exfiltrates original addresses via XOR-encrypted POST requests

Every fetch and XMLHttpRequest passes through attacker-controlled proxies, potentially exposing authentication tokens, session data, and API calls beyond just cryptocurrency addresses.
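A defender-side check for the hook points listed above, written as an added example (it is not code from the article, Profero or AppsFlyer): native browser APIs stringify to "[native code]", so a JavaScript wrapper installed over fetch, XMLHttpRequest.prototype or attachShadow can be flagged from a page's own monitoring script. The demo globals and the Math.max stand-in are constructed for the example.

```javascript
// Added example: heuristic detection of patched browser APIs.
// Native implementations stringify to "function name() { [native code] }";
// a wrapper written in JavaScript does not. Caveats: a bound function also
// stringifies as native, and a hook that replaces Function.prototype.toString
// itself can hide, so treat a clean result as a weak signal, not proof.
const NATIVE_RE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// targets: [{ name, owner, prop }]; returns one finding per non-native hook point.
function checkHooks(targets) {
  const findings = [];
  for (const { name, owner, prop } of targets) {
    if (!owner) continue;                     // API absent in this runtime (Node has no XMLHttpRequest)
    const fn = owner[prop];
    if (typeof fn !== "function") continue;   // nothing to hook
    if (!isNativeFunction(fn)) {
      findings.push({ name, preview: Function.prototype.toString.call(fn).slice(0, 80) });
    }
  }
  return findings;
}

// The hook points named in the article, resolved against a global object
// (pass window in a browser; entries the runtime lacks are skipped).
function browserTargets(g = globalThis) {
  const xhr = g.XMLHttpRequest && g.XMLHttpRequest.prototype;
  const el = g.Element && g.Element.prototype;
  return [
    { name: "fetch", owner: g, prop: "fetch" },
    { name: "XMLHttpRequest.prototype.open", owner: xhr, prop: "open" },
    { name: "XMLHttpRequest.prototype.send", owner: xhr, prop: "send" },
    { name: "Element.prototype.attachShadow", owner: el, prop: "attachShadow" },
  ];
}

// Constructed demo globals. Math.max stands in for a genuinely native fetch,
// because Node's own fetch is implemented in JavaScript and would look hooked.
function demoClean() { return { fetch: Math.max }; }
function demoHooked() {
  const real = Math.max;
  // Stand-in for a wrapper an injected script installs over the original.
  return { fetch: function fetch(...args) { return real.apply(this, args); } };
}
```

In a browser, run checkHooks(browserTargets(window)) early in page load and report any findings to your own telemetry endpoint.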

Scale of Exposure

AppsFlyer provides a marketing analytics SDK used by over 15,000 businesses worldwide across more than 100,000 mobile and web applications. E-commerce platforms, fintech services, healthcare portals, and SaaS providers commonly embed the SDK across checkout flows and user forms.

The mobile SDK was not affected, limiting the blast radius to web properties. However, websites that cached the compromised script locally may have continued serving it beyond the official exposure window.

This incident mirrors the December Trust Wallet Chrome extension compromise that drained $7 million from users through a similar supply chain attack vector. Cryptocurrency infrastructure has become a prime target for supply chain attacks as attackers recognize the direct path to financial theft.

PCI DSS Compliance Implications

Feroot Security noted that PCI DSS 4.0.1 Requirements 6.4.3 and 11.6.1 mandate continuous inventory and integrity monitoring of scripts on payment pages. Organizations running AppsFlyer's SDK on payment flows may face compliance questions about their monitoring and incident response capabilities.

Third-party JavaScript dependencies create persistent blind spots in web application security. Scripts execute directly in browsers with access to form fields, keystrokes, authentication tokens, and user-submitted data before it reaches server-side protections.

Response and Remediation

AppsFlyer stated the issue has been resolved and customers received direct communication about the incident. The company's investigation found no evidence that customer data on AppsFlyer systems was accessed—the attack targeted end users of websites embedding the SDK, not AppsFlyer's own infrastructure.

Organizations that used the AppsFlyer Web SDK should:

  1. Verify which version of the SDK was loaded during the exposure window
  2. Review network logs for suspicious outbound connections during March 9-10
  3. Consider implementing Subresource Integrity (SRI) hashes for third-party scripts
  4. Alert users who may have initiated cryptocurrency transactions during the window
  5. Monitor for unauthorized transactions in corporate or user wallets

Lithuanian authorities recently arrested a suspect connected to clipper malware operations that stole cryptocurrency through address swapping—the same technique used in this attack. The AppsFlyer incident demonstrates how supply chain compromise amplifies the reach of such schemes.

Why This Matters

Third-party SDK compromises represent an escalating threat that existing security controls often miss. Web application firewalls, endpoint detection, and network monitoring typically don't inspect JavaScript executing in user browsers. Attackers who compromise widely-deployed SDKs gain instant access to thousands of targets with a single point of intrusion.

The Lazarus Group's recent npm and PyPI supply chain attacks targeting blockchain developers show state-sponsored actors are actively exploiting this attack surface. Private criminal groups are following the same playbook.

Organizations should audit their third-party JavaScript dependencies, implement script integrity verification where possible, and establish incident response procedures for supply chain compromises. The days of blindly trusting CDN-hosted scripts are over.
