5 Ways Cookie Hijacking Is Destroying Your ROI

February 2026 | Croupier Blog

Cookie-based attribution has a structural problem: the tracking cookie is a mutable value that any script on the page can overwrite. Browser extensions figured this out. So did fraudsters. So did the platforms that report their own performance to you. The result is that a meaningful portion of attribution data in any cookie-dependent campaign is wrong — silently, without any error state on the dashboard.

These are the five concrete failure modes.

1. Extension Overwrite at Checkout

In December 2024, MegaLag published an investigation showing that PayPal's Honey extension was replacing affiliate tracking cookies at the moment of checkout — the highest-intent point in the funnel, where attribution credit is finally locked in. Honey had reached that moment at scale: it had sponsored roughly 5,000 videos across 1,000 YouTube channels, accumulating 7.8 billion views. Creators who promoted Honey were, in many cases, promoting a tool that then diverted their own commissions. In one documented instance, Honey redirected a $35 affiliate commission and returned 89 cents of "Honey Gold" to the user.

The mechanism is simple: last-write-wins on the tracking cookie. Any extension that executes at checkout can write its own attribution value and claim the conversion.

2. Industry-Wide Last-Click Theft

Honey was the most visible case, but not the only one. Capital One Shopping faced identical allegations and settled in December 2025. Rakuten faced four separate complaints alleging its extension used hidden browser tabs to insert itself into affiliate attribution chains — a different method, the same outcome. By January 2026, Rakuten had removed Honey from its network, cutting off approximately 2,000 retail partners. Impact.com followed.

The pattern is structural, not incidental. Any shopping extension with a large install base has an economic incentive to insert itself at checkout. The affiliate attribution model creates that incentive by making cookie possession at conversion the only thing that determines who gets paid.

3. Platform Self-Reporting Inflates Your Numbers

When a conversion happens, who counts it? Usually the platform that ran the ad — which has a direct interest in showing strong performance. Independent audits have found that platform self-reported conversion numbers inflate actual performance by 30 to 50 percent. The advertiser's dashboard shows a healthy return on ad spend; the platform's pixel fires on a conversion and reports it; neither event involves an independent verification of whether the sale was actually caused by the ad.

Cookie-based attribution can't distinguish between a click that caused a purchase and a click that happened to precede a purchase the user would have made anyway. Platforms count both. The advertiser pays for both.

4. Ad Verification Vendors Miss Most Bot Traffic

Advertisers typically address fraud concerns by routing spend through ad verification vendors — DoubleVerify, Integral Ad Science, and similar services. These vendors are supposed to filter invalid traffic. Adalytics analysis found they missed between 21 and 77 percent of bot traffic, depending on the campaign and measurement context.

This matters for attribution specifically because bots generate cookies. A bot click creates a tracking cookie just like a human click. If the bot triggers a conversion event — or if a real conversion happens on a device that also received bot traffic — the cookie can carry the wrong attribution. Verification vendors operating at the impression level don't have visibility into the conversion-level attribution that happens later.

5. Cross-Device Gaps and Conversion Dead Zones

A user sees an ad on their phone, clicks through, browses, and closes the tab. Three days later they buy on their desktop. The affiliate cookie from the phone never made it to the desktop session. A different cookie — or no cookie — gets credit.

Cookie-based attribution is single-device by design. Probabilistic cross-device matching exists, but it relies on statistical inference rather than deterministic linkage. In practice, a meaningful share of conversions that were causally influenced by a click go unattributed, while conversions that were incidentally preceded by a click get fully attributed. The advertiser is paying for the wrong signal.

The Common Thread

All five failure modes share the same root cause: the tracking cookie is an unsigned, mutable value. Any script can overwrite it. Any platform can self-report against it. Any verification vendor can miss the fraud that corrupts it. Any device boundary can break it.

Cryptographic attribution replaces the cookie with a signed token issued by the advertiser. The advertiser holds the private key and signs coupons using Ed25519 blind signatures, so no extension can overwrite the attribution without invalidating the signature, and no platform can self-report against a coupon book the advertiser controls. At conversion, the advertiser checks the signature — not a cookie value written by someone else. If the signature is valid, the conversion counts. If not, it doesn't. There's no ambiguity, and no third party in a position to inflate the number.


Croupier is a blind relay for cryptographic coupon books. Learn more or request early access.

← Back to all posts