AppsFlyer Web SDK Compromised in Sophisticated Supply-Chain Attack Targeting Cryptocurrency Transactions
Between March 9 and March 11, 2026, a supply-chain attack compromised the AppsFlyer Web SDK, injecting malicious JavaScript into more than 100,000 websites and applications worldwide. The attack, discovered by independent security researchers and confirmed by AppsFlyer, abused the SDK's trusted content delivery network (CDN) to deliver crypto-stealing code that intercepted cryptocurrency wallet addresses entered by users and replaced them with attacker-controlled addresses, redirecting funds to the attacker's wallets.
The malicious payload was served from the websdk.appsflyer.com distribution host. A compromise at the domain registrar gave the attacker control of the domain, allowing an obfuscated, modified copy of the SDK to be served in place of the legitimate one. Because the modified script kept the SDK's analytics functionality intact, sites loading it saw no visible breakage. In the background the code monitored user input for Bitcoin, Ethereum, Solana, Ripple, and TRON wallet addresses; when it recognised one, it replaced the destination address the user had entered with a matching attacker-controlled address and exfiltrated the transaction details over covert HTTP requests.
The attack affected over 100,000 web and mobile applications across the finance, e-commerce, and technology sectors, with confirmed impact in North America, Europe, Asia-Pacific, and Latin America. Because every page loading the hijacked script received the payload, high-traffic platforms relying on AppsFlyer for analytics were disproportionately exposed. Attribution remains unconfirmed; the tactics are consistent with financially motivated cybercriminal groups, and potential links to ShinyHunters, a group tied to prior supply-chain attacks, have been raised.
AppsFlyer responded by revoking the compromised SDK build, notifying customers, and opening a forensic investigation. No evidence suggests the AppsFlyer Mobile SDK or backend data was affected. Organizations that loaded the Web SDK during the exposure window were advised to review logs for indicators of compromise and to add Subresource Integrity (SRI) and enhanced monitoring for future loads. SRI pins a script tag to the hash of a known-good file, so a hijacked host serving different bytes fails the browser's integrity check and the script never executes; it only works, however, when the site references a fixed SDK version and updates the hash deliberately with each upgrade, since a "latest" URL whose contents change will simply stop loading.
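The substitution described above happens after the user has entered a destination address but before the transaction is submitted, which is the window a page can defend. The following is an added example, not code from AppsFlyer, the attacker, or this report: a small client-side guard that remembers what the user actually typed or pasted into an address field and refuses to submit if the field's value has since been changed by anything other than the user. The per-chain address patterns, the `data-guarded` form selector and the `destination` field id are assumptions made for the example.

```javascript
// Added example, not AppsFlyer's or the attacker's code: a client-side guard
// against the address-swapping behaviour described in the report. It remembers
// what the user actually typed or pasted into a destination-address field and
// refuses to submit when the value was changed by something other than the user.

// Approximate address shapes for the chains the report names. These are
// assumptions good enough to classify input; they do not replace checksum
// validation. Order matters: the base58 chains with a fixed prefix are tested
// before the generic Solana shape, which would otherwise swallow them.
const CHAIN_PATTERNS = {
  bitcoin: /^(bc1[a-z0-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$/,
  ethereum: /^0x[0-9a-fA-F]{40}$/,
  ripple: /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/,
  tron: /^T[1-9A-HJ-NP-Za-km-z]{33}$/,
  solana: /^[1-9A-HJ-NP-Za-km-z]{32,44}$/,
};

// Return the name of the first chain whose pattern matches, or null.
function classifyAddress(value) {
  for (const [chain, pattern] of Object.entries(CHAIN_PATTERNS)) {
    if (pattern.test(value)) return chain;
  }
  return null;
}

class AddressGuard {
  constructor() {
    this.userValues = new Map(); // field id -> last value entered by the user
  }

  // Called only from trusted (user-generated) input events.
  recordUserInput(fieldId, value) {
    this.userValues.set(fieldId, String(value).trim());
  }

  // Decide whether the value about to be submitted is the one the user entered.
  check(fieldId, submittedValue) {
    const typed = this.userValues.get(fieldId);
    const submitted = String(submittedValue).trim();
    const chain = classifyAddress(submitted);
    if (typed === undefined) return { ok: false, reason: "no user input recorded", chain };
    if (typed !== submitted) return { ok: false, reason: "address changed after user input", chain };
    if (chain === null) return { ok: false, reason: "unrecognised address format", chain };
    return { ok: true, reason: null, chain };
  }
}

// Browser wiring (skipped under Node). Script-driven writes to field.value do
// not fire input events, and synthetic events carry isTrusted === false, so
// only genuine keyboard or paste input updates the recorded value.
function attachGuard(form, fieldId, guard) {
  const field = form.querySelector("#" + fieldId);
  field.addEventListener("input", (event) => {
    if (event.isTrusted) guard.recordUserInput(fieldId, field.value);
  });
  form.addEventListener("submit", (event) => {
    const result = guard.check(fieldId, field.value);
    if (!result.ok) {
      event.preventDefault();
      console.warn(`Refusing to submit: ${result.reason}`);
    }
  });
}

if (typeof document !== "undefined") {
  const form = document.querySelector("form[data-guarded]"); // hypothetical selector
  if (form) attachGuard(form, "destination", new AddressGuard()); // hypothetical field id
}
```

This is defence in depth for the user, not a security boundary: a malicious script running in the same page can overwrite the guard itself. The control that actually removes the attacker from the page is pinning the third-party script with SRI and restricting script sources with CSP; the guard only catches the specific symptom of a field being rewritten between input and submit.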
AppsFlyer cybersecurity rating report: https://www.rankiteo.com/company/appsflyer
{
  "id": "APP1773995645",
  "linkid": "appsflyer",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "Over 100,000 web and mobile applications",
      "industry": "Technology, Marketing Analytics",
      "location": "Global (North America, Europe, Asia-Pacific, Latin America)",
      "name": "AppsFlyer",
      "size": "Large",
      "type": "Technology (Analytics SDK Provider)"
    }
  ],
  "attack_vector": "Compromised CDN (domain registrar compromise)",
  "customer_advisories": "Yes (advised to review logs for IOCs and implement SRI)",
  "data_breach": {
    "data_exfiltration": "Yes (via covert HTTP requests)",
    "personally_identifiable_information": "Cryptocurrency wallet addresses",
    "sensitivity_of_data": "High (financial, personally identifiable transaction data)",
    "type_of_data_compromised": "Cryptocurrency wallet addresses, transaction details"
  },
  "date_detected": "2026-03-11",
  "description": "Between March 9 and March 11, 2026, a supply-chain attack compromised the AppsFlyer Web SDK, injecting malicious JavaScript into thousands of websites and applications worldwide. The attack exploited a trusted content delivery network (CDN) to deliver crypto-stealing code that intercepted and replaced cryptocurrency wallet addresses entered by users, redirecting funds to attacker-controlled wallets.",
  "impact": {
    "brand_reputation_impact": "Yes",
    "data_compromised": "Cryptocurrency wallet addresses, transaction details",
    "financial_loss": "Funds redirected to attacker-controlled wallets",
    "operational_impact": "Potential loss of user trust, disrupted cryptocurrency transactions",
    "payment_information_risk": "Cryptocurrency wallet addresses and transaction details",
    "systems_affected": "Over 100,000 web and mobile applications using AppsFlyer Web SDK"
  },
  "initial_access_broker": {
    "entry_point": "Domain registrar compromise (websdk.appsflyer.com)",
    "high_value_targets": "Cryptocurrency wallet addresses"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Need for stricter third-party SDK security, implementation of Subresource Integrity (SRI), and enhanced monitoring of trusted CDNs.",
  "motivation": "Financial gain",
  "post_incident_analysis": {
    "corrective_actions": "Revoked compromised SDK, forensic investigation, customer advisories, recommended SRI and enhanced monitoring",
    "root_causes": "Compromised domain registrar leading to malicious JavaScript injection into trusted CDN"
  },
  "recommendations": "Implement Subresource Integrity (SRI), enhance monitoring of third-party dependencies, conduct regular security audits of CDNs, and educate users on verifying wallet addresses.",
  "references": [
    {
      "source": "Independent security researchers, AppsFlyer"
    }
  ],
  "response": {
    "communication_strategy": "Customer advisories issued",
    "containment_measures": "Revoked compromised SDK, notified customers",
    "enhanced_monitoring": "Recommended",
    "incident_response_plan_activated": "Yes",
    "recovery_measures": "Implementation of Subresource Integrity (SRI) and enhanced monitoring recommended",
    "remediation_measures": "Forensic investigation, advised customers to review logs for IOCs"
  },
  "stakeholder_advisories": "Yes (customers notified)",
  "threat_actor": "Financially motivated cybercriminal group (potential links to ShinyHunters)",
  "title": "AppsFlyer Web SDK Compromised in Sophisticated Supply-Chain Attack Targeting Cryptocurrency Transactions",
  "type": "Supply-Chain Attack",
  "vulnerability_exploited": "Trusted third-party SDK distribution (websdk.appsflyer.com)"
}