
The AppsFlyer SDK Hijack: How a Trusted Marketing Script Became the Largest Crypto Address-Swapping Attack in 2026
On March 9, 2026, security researchers at Profero noticed something terrifying: obfuscated JavaScript was being served from websdk.appsflyer.com — the official domain of one of the world's largest marketing analytics SDKs, used by over 15,000 businesses across 100,000 applications. The injected code did one thing brilliantly: it watched for cryptocurrency wallet addresses on any page, silently replaced them with attacker-controlled addresses, and exfiltrated the originals. Bitcoin, Ethereum, Solana, Ripple, TRON — all targeted.

This wasn't a smart contract exploit. No flash loans. No oracle manipulation. Just a compromised third-party script running with full page access on thousands of websites, including DeFi frontends, exchanges, and fintech platforms.

The Kill Chain: From Domain Registrar to Wallet Drain

The attack unfolded in three stages:

Stage 1: Domain Registrar Compromise (March 9)

AppsFlyer later confirmed a "domain registrar incident" that allowed attackers to inject unautho
