Full Report
The AppsFlyer Web SDK was temporarily hijacked this week with malicious code used to steal cryptocurrency in a supply-chain attack. [...]
Analysis Summary
# Incident Report: AppsFlyer Web SDK Supply-Chain Hijack
## Executive Summary
In March 2026, the AppsFlyer Web SDK was compromised in a supply-chain attack via a domain registrar incident. Attackers injected malicious JavaScript into the SDK to intercept and replace cryptocurrency wallet addresses on downstream websites. The incident affected a segment of AppsFlyer’s 15,000 customers for approximately 48 hours before being contained.
## Incident Details
- **Discovery Date:** March 9, 2026
- **Incident Date:** March 9 – March 11, 2026
- **Affected Organization:** AppsFlyer
- **Sector:** Marketing Analytics / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 9, 2026, 22:45 UTC
- **Vector:** Domain Registrar Compromise
- **Details:** Attackers gained control over the AppsFlyer domain registration, allowing them to serve unauthorized code from the official SDK endpoint.
### Lateral Movement
- **Movement:** Not applicable in the traditional sense; this was a supply-chain "leap" where malicious code was automatically pulled from `websdk[.]appsflyer[.]com` by end-user browsers visiting client websites.
### Data Exfiltration/Impact
- **Impact:** The malicious script monitored for cryptocurrency wallet addresses (BTC, ETH, SOL, XRP, TRX). It replaced legitimate recipient addresses with attacker-controlled addresses to divert funds and exfiltrated the original wallet metadata.
### Detection & Response
- **Detection:** Discovered by researchers at Profero and reported by users on community platforms like Reddit.
- **Response:** AppsFlyer identified the domain registrar issue on March 10 and contained the incident by March 11.
## Attack Methodology
- **Initial Access:** Domain Registrar Hijacking.
- **Persistence:** Injection into a trusted, widely deployed third-party library.
- **Defense Evasion:** Use of obfuscated JavaScript; the script preserved original SDK functionality to avoid breaking website features that would alert developers.
- **Credential Access:** N/A.
- **Discovery:** Webpage hooking to identify input fields and wallet address patterns.
- **Collection:** Interception of wallet addresses and associated transaction metadata.
- **Exfiltration:** HTTPS requests to attacker-controlled infrastructure.
- **Impact:** Financial theft via "clipper" malware functionality (address replacement).
## Impact Assessment
- **Financial:** Potentially high for end-users whose crypto transactions were diverted; total stolen amount is unverified.
- **Data Breach:** Exfiltration of wallet addresses and metadata; however, AppsFlyer stated no evidence of breaches to their internal customer database.
- **Operational:** Temporary disruption to the Web SDK service and requirement for customers to audit logs.
- **Reputational:** Significant; this follows a prior claim by threat actors (ShinyHunters) involving the same SDK earlier in the year.
## Indicators of Compromise
- **Network Indicators:**
  - `websdk[.]appsflyer[.]com` (Source of malicious payload during the window)
  - Suspicious API calls to unknown external endpoints from the SDK context.
- **File Indicators:**
  - Obfuscated JavaScript injected into the standard AppsFlyer Web SDK library.
- **Behavioral Indicators:**
  - Automated replacement of alphanumeric strings matching crypto wallet regex patterns in web forms.
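The behavioral indicator above (and the monitoring recommendation later in this report) can be turned into a concrete page-side check. The following is an added example, not code from the report, AppsFlyer or Profero: it remembers what the user actually typed into each monitored field and flags a form whose address value silently changed before submission. The coin patterns, the field name `recipient`, the `attachToForm` wiring and the sample addresses are all assumptions constructed for the example.

```javascript
// Added example (not code from the report, AppsFlyer or Profero): a defender-side
// check for the behavioural indicator above. A clipper swaps the recipient
// address between the moment the user enters it and the moment the form is
// submitted. We keep the last value the user actually entered in each monitored
// field and compare it with the field's value at submit time; a silent change to
// a string that still looks like a wallet address is flagged.

// Rough shape patterns for the five coin types named in the report. These are
// detection heuristics (prefix, alphabet, length), not full validators: they do
// not verify checksums, and the base58 formats overlap, so the order matters.
const WALLET_PATTERNS = [
  ['BTC', /^(bc1[ac-hj-np-z02-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$/],
  ['ETH', /^0x[0-9a-fA-F]{40}$/],
  ['XRP', /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/],
  ['TRX', /^T[1-9A-HJ-NP-Za-km-z]{33}$/],
  ['SOL', /^[1-9A-HJ-NP-Za-km-z]{32,44}$/], // broadest pattern, so checked last
];

// Returns the coin whose pattern matches, or null if the string is not address-like.
function walletType(value) {
  for (const [coin, re] of WALLET_PATTERNS) {
    if (re.test(value)) return coin;
  }
  return null;
}

class AddressFieldMonitor {
  constructor() {
    this.typed = new Map(); // field name -> last user-entered value
  }

  // Call from the field's "input" event (a keystroke or paste by the user).
  recordInput(fieldName, value) {
    this.typed.set(fieldName, value.trim());
  }

  // Call at submit time with the value the form is about to send. Returns null
  // when the field is untracked, unchanged or not address-like; otherwise an
  // alert object describing the substitution.
  checkSubmit(fieldName, submittedValue) {
    const typed = this.typed.get(fieldName);
    if (typed === undefined) return null;
    const submitted = submittedValue.trim();
    if (typed === submitted) return null;
    const typedCoin = walletType(typed);
    if (typedCoin === null) return null; // the user did not enter a wallet address
    const submittedCoin = walletType(submitted);
    return {
      field: fieldName,
      typed,
      submitted,
      typedCoin,
      submittedCoin,
      reason: submittedCoin === typedCoin
        ? `recipient silently replaced with another ${typedCoin} address`
        : 'recipient silently changed after user input',
    };
  }
}

// Browser wiring (assumed page structure: a <form> whose address inputs carry a
// `name`). Nothing here runs under Node; the functions above are used directly.
function attachToForm(form, monitor, onAlert) {
  form.addEventListener('input', (ev) => {
    if (ev.target && ev.target.name) monitor.recordInput(ev.target.name, ev.target.value);
  });
  form.addEventListener('submit', (ev) => {
    for (const el of Array.from(form.elements)) {
      if (!el.name) continue;
      const alert = monitor.checkSubmit(el.name, el.value);
      if (alert) {
        ev.preventDefault(); // hold the transaction and surface the alert
        onAlert(alert);
      }
    }
  });
}

// Constructed sample: the user pastes one ETH address, but by submit time the
// field holds a different ETH address, which is what address replacement looks like.
const USER_TYPED = '0x' + '1'.repeat(40); // constructed, not a real wallet
const SWAPPED_IN = '0x' + '2'.repeat(40); // constructed, not a real wallet

function demo() {
  const monitor = new AddressFieldMonitor();
  monitor.recordInput('recipient', USER_TYPED);
  return monitor.checkSubmit('recipient', SWAPPED_IN);
}

console.log(demo());
```

Two limits worth keeping in mind: the check only sees changes made after the user's last `input` event, and a script already running in the page can tamper with the monitor itself. It is a detection aid that feeds an alert or a confirmation screen showing the final address, not a security boundary; keeping the modified SDK out of the page in the first place is the job of SRI and CSP.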
## Response Actions
- **Containment:** Regained control of the domain registrar account to stop the delivery of malicious code.
- **Eradication:** Replaced the malicious JavaScript with the legitimate, clean version of the SDK.
- **Recovery:** Notified affected customers directly and engaged external forensic experts for a full investigation.
## Lessons Learned
- **Registrar Security:** Domain registrars are a critical point of failure in supply chains; lack of MFA or registrar locks can lead to global compromises.
- **Subresource Integrity:** Organizations relying on third-party SDKs often fail to implement integrity checks (e.g., SRI hashes on script tags), allowing modified scripts to run without alert.
- **Third-Party Risk:** Even marketing and analytics tools can be weaponized for high-value financial theft.
## Recommendations
- **Implement Subresource Integrity (SRI):** Use SRI hashes for all third-party scripts to ensure the browser only executes the intended, unmodified code.
- **Content Security Policy (CSP):** Tighten CSP headers to restrict the domains to which scripts can exfiltrate data.
- **Monitoring:** Monitor for unusual changes in web application behavior, specifically regarding financial input fields.
- **Registrar Hardening:** Use registrars that support hardware-based MFA and "Registry Lock" services to prevent unauthorized DNS or ownership changes.