AppsFlyer SDK Hijacked to Deploy Crypto-Stealing Malware
Basically, hackers used a popular tool to steal cryptocurrency by changing wallet addresses on websites.
What Happened This week, the AppsFlyer Web SDK was hijacked in a serious supply-chain attack. Malicious code was injected into the SDK, which is widely used for marketing analytics by over 15,000 businesses globally. The compromised code was designed to intercept cryptocurrency wallet addresses entered by users on various websites. Instead of sending funds to the intended wallet, the
What Happened
This week, the AppsFlyer Web SDK was hijacked in a serious supply-chain attack. Malicious code was injected into the SDK, which is widely used for marketing analytics by over 15,000 businesses globally. The compromised code was designed to intercept cryptocurrency wallet addresses entered by users on various websites. Instead of sending funds to the intended wallet, the malicious code redirected them to the attackers' wallets.
The attack was discovered by Profero researchers, who found obfuscated JavaScript being delivered through the official AppsFlyer domain. This incident highlights the vulnerabilities that can arise when third-party SDKs are compromised, affecting countless downstream applications and their users. The attack window is believed to have occurred between March 9 and March 11, 2026.
Who's Affected
The impact of this attack is significant, considering the 100,000 mobile and web applications that utilize the AppsFlyer SDK. Users of these applications, especially those involved in cryptocurrency transactions, are at risk. The compromised SDK targeted major cryptocurrencies, including Bitcoin, Ethereum, Solana, Ripple, and TRON. This broad targeting means that a large number of users could potentially have their funds diverted.
AppsFlyer itself has stated that it detected and contained the incident on March 10. However, the full scope of the attack remains uncertain. While they confirmed that no customer data was accessed on their systems, the potential for financial loss among users is a serious concern.
What Data Was Exposed
The malicious JavaScript code was crafted to maintain normal SDK functionality while secretly monitoring for cryptocurrency wallet input. When a user entered their wallet address, the code would replace it with the attacker's address, exfiltrating the original address along with any associated metadata. This means that any cryptocurrency transactions made during the attack could have been compromised.
The incident raises alarms about the security of third-party SDKs, which are often trusted components in many applications. The fact that this attack could occur through a widely used SDK underscores the need for vigilance in monitoring third-party dependencies.
What You Should Do
Organizations using the AppsFlyer SDK should take immediate action. It's crucial to review telemetry logs for any suspicious API requests originating from websdk.appsflyer.com. Downgrading to known-good versions of the SDK may also be necessary. Additionally, companies should investigate any potential compromises and communicate with their users about the risks involved.
AppsFlyer is currently working with external forensic experts to understand the full impact of the incident and has promised to provide updates as the investigation progresses. Users should remain cautious and monitor their cryptocurrency transactions closely during this time.