
AppsFlyer Web SDK Supply Chain Attack: Global Crypto-Stealing JavaScript Injection and Mitigation Analysis

  • 5 days ago
  • 4 min read

Executive Summary

Between March 9 and March 11, 2026, the AppsFlyer Web SDK was compromised in a sophisticated supply-chain attack, resulting in the injection of crypto-stealing JavaScript code into thousands of websites and web applications globally. The malicious code, delivered via the trusted AppsFlyer content delivery network, was engineered to intercept and replace cryptocurrency wallet addresses entered by end users, redirecting funds to attacker-controlled wallets. This incident underscores the critical risks inherent in third-party JavaScript dependencies and highlights the need for robust supply-chain security controls. The attack was discovered by independent security researchers and rapidly confirmed by AppsFlyer, which has since remediated the issue and is conducting an ongoing forensic investigation. Organizations leveraging the AppsFlyer Web SDK during the exposure window are strongly advised to review their environments for indicators of compromise and to implement enhanced monitoring and integrity controls for third-party scripts.

Threat Actor Profile

Attribution for this incident remains unconfirmed as of this report. The attack methodology aligns with tactics previously observed in financially motivated cybercriminal groups specializing in supply-chain compromise and JavaScript-based web skimming. While no advanced persistent threat (APT) group has claimed responsibility, the ShinyHunters group has been linked to prior supply-chain attacks involving AppsFlyer and other analytics providers, including the Match Group breach in early 2026. The threat actor demonstrated a high degree of technical sophistication, leveraging a domain registrar compromise to inject malicious code into a widely trusted SDK, and employing advanced obfuscation techniques to evade detection. The operational goal was clearly financial gain through the theft of cryptocurrency, with a secondary objective of maintaining stealth and persistence within the compromised supply chain.

Technical Analysis of Malware/TTPs

The attack vector was a compromise of the AppsFlyer Web SDK distribution at websdk.appsflyer.com. The attacker gained unauthorized access to the domain registrar, enabling the injection of a malicious JavaScript payload into the SDK served to all downstream clients during the exposure window. The injected code was highly obfuscated, utilizing runtime string decoding and anti-analysis techniques to hinder reverse engineering.

Upon execution in the browser context, the malicious script preserved all legitimate AppsFlyer analytics functionality to avoid raising suspicion. It established hooks into DOM events and network requests, specifically monitoring for user input fields associated with cryptocurrency wallet addresses. When a user entered a wallet address for Bitcoin, Ethereum, Solana, Ripple, or TRON, the script dynamically replaced the address with one controlled by the attacker. Simultaneously, the original address and associated metadata (such as page URL, timestamp, and user agent) were exfiltrated to attacker-controlled infrastructure via covert HTTP POST requests.

The payload was designed to be modular and adaptive, allowing for rapid updates or the targeting of additional cryptocurrencies if desired. The use of obfuscated code and the preservation of normal SDK operations significantly delayed detection, increasing the potential impact of the attack.

Exploitation in the Wild

The exploitation phase was rapid and widespread, affecting any website or web application that loaded the AppsFlyer Web SDK from the compromised CDN between March 9, 2026, 22:45 UTC and March 11, 2026. Given the SDK’s integration in over 100,000 web and mobile applications, the potential victim pool was extensive, spanning sectors such as finance, e-commerce, technology, and online services. End users who entered cryptocurrency wallet addresses on affected sites during the exposure window were at direct risk of financial loss.

Reports of anomalous cryptocurrency transactions and wallet address substitutions began surfacing on social media and security forums within hours of the attack’s onset. Security researchers at Profero independently confirmed the presence of the malicious payload and coordinated disclosure with AppsFlyer. The vendor responded by revoking the compromised SDK, notifying customers, and initiating a forensic investigation with external experts. No evidence has emerged to suggest that the AppsFlyer Mobile SDK or backend customer data was affected.

Victimology and Targeting

The attack was indiscriminate in its targeting, impacting any organization or individual utilizing the AppsFlyer Web SDK during the exposure window. The primary victims were end users conducting cryptocurrency transactions on affected platforms, particularly those entering wallet addresses for Bitcoin, Ethereum, Solana, Ripple, or TRON. The attack did not discriminate by sector or geography, with confirmed impacts reported across North America, Europe, Asia-Pacific, and Latin America. High-traffic e-commerce and fintech platforms were disproportionately affected due to their reliance on AppsFlyer for analytics and attribution. The lack of targeting specificity suggests a financially motivated campaign designed for maximum reach and profit.

Mitigation and Countermeasures

Organizations that utilized the AppsFlyer Web SDK between March 9 and March 11, 2026, should immediately review web server and application logs for evidence of unauthorized JavaScript loads from websdk.appsflyer.com during the exposure window. Special attention should be paid to any anomalous cryptocurrency transactions, particularly those involving wallet address substitutions or unexplained fund transfers.
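The window check described above, as an added example that is not part of the Rescana report or of any AppsFlyer tooling. It scans a constructed log of third-party script loads for requests to websdk.appsflyer.com that fall inside the exposure window. The line format ("<ISO-8601 timestamp> <client> <url>") is an assumption, and so is the end of the window (end of March 11 UTC, since the report gives only the day). One caveat a practitioner should keep in mind: a site's own origin logs do not record a browser fetching a cross-origin script, so the data to scan normally comes from browser-side telemetry such as CSP violation reports, RUM beacons, or a corporate proxy log.

```javascript
// Added example (not part of the Rescana report or AppsFlyer's tooling).
// Scans a log of third-party script loads for requests to websdk.appsflyer.com
// that fall inside the exposure window given in the report.

// Window start is taken from the report (March 9, 2026, 22:45 UTC).
const WINDOW_START = Date.parse('2026-03-09T22:45:00Z');
// The report gives only the day for the end of the window; end of March 11 UTC is an assumption.
const WINDOW_END = Date.parse('2026-03-11T23:59:59Z');
const SUSPECT_HOST = 'websdk.appsflyer.com';

// Constructed sample lines in an assumed "<ISO-8601 timestamp> <client> <url>" format.
// Real sources with this information are browser-side (CSP reports, RUM beacons, proxy logs);
// the site's own origin logs do not record cross-origin script loads.
const SAMPLE_LOG = `
2026-03-09T21:10:02Z 10.0.0.5 https://websdk.appsflyer.com/websdk.js
2026-03-10T03:22:41Z 10.0.0.9 https://websdk.appsflyer.com/websdk.js
2026-03-10T03:22:45Z 10.0.0.9 https://cdn.example.com/app.js
2026-03-11T18:00:00Z 10.0.0.12 https://websdk.appsflyer.com/websdk.js
2026-03-12T09:00:00Z 10.0.0.12 https://websdk.appsflyer.com/websdk.js
this line is malformed and must be skipped rather than crash the scan
`;

// Parse one line; returns null for anything that does not match the assumed format.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 3) return null;
  const ts = Date.parse(parts[0]);
  if (Number.isNaN(ts)) return null;
  let url;
  try {
    url = new URL(parts[2]);
  } catch {
    return null;
  }
  return { ts, client: parts[1], url };
}

// Return every load of the suspect host whose timestamp lies inside [start, end].
function findExposedLoads(logText, start = WINDOW_START, end = WINDOW_END) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (rec.url.hostname.toLowerCase() !== SUSPECT_HOST) continue;
    if (rec.ts < start || rec.ts > end) continue;
    hits.push({ time: new Date(rec.ts).toISOString(), client: rec.client, url: rec.url.href });
  }
  return hits;
}

const exposed = findExposedLoads(SAMPLE_LOG);
console.log(`${exposed.length} load(s) of ${SUSPECT_HOST} inside the exposure window:`);
for (const h of exposed) console.log(`  ${h.time}  ${h.client}  ${h.url}`);
```

Against the sample, two of the four loads of websdk.appsflyer.com fall inside the window; the one from the evening of March 9 predates the compromise and the one on March 12 follows the remediation. Each hit identifies a client (or user session, depending on the log source) whose cryptocurrency transactions in that period deserve the review the report recommends.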

Affected organizations are advised to notify users who may have conducted cryptocurrency transactions during the exposure window, recommending that they verify the integrity of their transactions and monitor for unauthorized activity. Where feasible, revert to a known-good version of the AppsFlyer Web SDK or implement self-hosted SDK deployments to reduce third-party risk.

Long-term, organizations should implement Subresource Integrity (SRI) for all third-party JavaScript dependencies, enabling browsers to verify the cryptographic hash of loaded scripts. Integrity monitoring solutions should be deployed to detect unauthorized changes to critical web assets. Regular supply-chain risk assessments and vendor security reviews are essential to mitigate the risk of similar attacks in the future.

References

Profero Security (researchers who discovered the incident): LinkedIn Post

AppsFlyer Status Page: https://status.appsflyer.com/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chains. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure the resilience of critical business operations. For more information or to discuss how Rescana can help secure your organization’s digital ecosystem, please contact us at ops@rescana.com.
