Cookie Stuffing

In the world of affiliate marketing fraud, cookie stuffing is a method used by fraudulent affiliates to trick websites into thinking they have sent them traffic when they have not done so. 

The practice is also called cookie dropping and is one of the most common and widespread types of this fraud, in use for decades.

A cookie stuffer is purposefully trying to gain commission for referring a user to a website without doing so. 

The cookie contains false information that says the user was convinced by the affiliate and clicked through from the latter’s site. 

As a result:

  • the affiliate receives money
  • the visitor is being taken advantage of
  • the deceived website pays up for a service it has not received, losing money
  • other affiliates lose out, as the wrong affiliate is credited
  • marketing metrics are skewed as they become inaccurate

According to research by TrackAd, cookie stuffing accounted for 62% of all affiliate fraud that took place in 2018. 

cookie stuffing in browsers

Cookie stuffing is used by black hat affiliate marketers to trick websites into thinking they have sent them traffic and/or customers. The ultimate goal is profit.

Affiliate networks and marketers make money from referring visitors to other sites, who pay for this service. 

Unfortunately, this sector of the digital economy is rife with affiliate fraud and certain industries rely more on affiliates than others, as we’ll see in more detail later. 

With cookie stuffing, the fraudster affiliate’s goal is to make the website believe that said user has completed an action (such as a purchase or sign-up) because they were convinced to do so by the affiliate. 

However, the affiliate has simply stuffed numerous cookies into the user’s browser, without informing or convincing the user about the products and websites the third-party cookies mention.

The user might eventually visit one or more of the websites in question and purchase some products. When this happens, the affiliate will receive a kickback – which is not deserved nor based on legitimate affiliate activities. 

From the above, it is obvious that cookie stuffing is a numbers game. The cookies are numerous – hence the “stuffing” – and websites do this to every single visitor. 

Although the vast majority of these cookies do not amount to anything, they are injected into visitors’ browsers automatically, using scripts, and their sheer number ensures some will eventually work. 

What’s more, cookies are usually stuffed from pages that generally relate to the visitor’s search intentions. For example, someone who has googled Ultra HD televisions or advice on choosing the Ultra HD TV that suits their needs is more likely to eventually buy one online. 

Some websites with TV selection advice might use cookie stuffing to ensure that when this person does buy one of the most widely available, the affiliate will receive money – although they have not directly sent that user to the shop nor convinced them about that TV set in particular. 

It should be made clear that the actual purchase could take place weeks or even months after the user first visited that website, and they do not need to have seen or read anything to do with the product on the fraudulent affiliate website.

In other words, cookie stuffing is false, planted evidence that the affiliate has helped sell the product, though they did no such thing.

cookie stuffing facts

Cookie stuffing typically goes like this:

  1. Someone visits an affiliate website.
  2. The website generates dozens, if not hundreds, of cookies for various popular and related products, and sometimes for various different shops.
  3. These cookies are covertly dropped onto the visitor’s browser. The user is not aware of this. These cookies remain in the browser unless they are deleted.
  4. (Much) later, the user visits one of those online shops and buys one of the products.

You can also stuff cookies via browser injection. This is a bit trickier to pull off but essentially consists of the fraudsters building or buying browser extensions and using them to drop affiliate cookies on organic traffic that is on the vendor’s website.

Cookie stuffing casts a wide net. It follows the principle that this user will probably want to buy one of dozens of different products on one of several different sites, rather than only the one they were looking for or read about.

The above is disingenuous because:

  • The cookies aren’t truthful – i.e. the affiliate did not speak to the user about said product or website.
  • It goes against most affiliaton programs’ terms and conditions.
  • This is illegal in some locales – for instance, it has been charged as wire fraud in the USA (all fraud that involves telecommunications, including the internet).
  • Privacy and data security legislation such as the GDPR expressly forbids the collection of data without explicit consent.

Interestingly, around the first decade of the century, it was believed that affiliate marketing was very safe and could not involve fraud, because merchants only pay when legitimate purchases are made. Unfortunately, fraudsters had already found ways around this, as they are wont to do.

As Ben Edelman from Harvard Business School put it back in 2013, in an email published on Ecommerce Bytes:

“Affiliate fraud is a real problem. For more than a decade, advertisers mistakenly thought affiliate marketing was ‘fraud proof’ because affiliates only get paid when users make purchases. But it turns out the system can still be gamed – including via affiliates using all manner of schemes to claim commissions on purchases that would have happened anyway.”

Some of the most common cookie stuffing methods include:

  • WordPress plugins 
  • images
  • JavaScript 
  • PHP scripts 
  • browser extensions
  • frames and iframes 
  • popups 
  • stylesheets 

All cookie stuffing happens without the user’s knowledge. 

In 2013, two of eBay’s top affiliates were charged with wire fraud and eventually convicted for making at least $28 million in fees through cookie stuffing widgets. 

One of the two men, Shawn Hogan, ran a widget stuffing at least 650,000 eBay cookies while the other, Brian Dunning, stuffed about 20,000 using a similar method. With $8.257 million in revenue in 2013, eBay was already a popular website that was attracting several types of auction fraud – and had been for years.

As a writeup on puts it, 

“The obvious problem was that neither widget did anything overt to encourage people to buy stuff on eBay. Hogan and Dunning got paid by coincidence.”

Although the news of their arrest and subsequent conviction shook the affiliate industry to the core and dissuaded some from trying such methods, others simply found better ways to cover their tracks. 

  • Affiliates end up paying the fraudster/stuffer for misattributed services.
  • Legitimate marketing partners can lose out, as their results look comparatively worse.
  • Merchant marketing and sales teams are fed false information about what works and what does not for their customer base.
  • Consumers are taken advantage of.

Cookie stuffing affects all industries where affiliates are used. These include:

  • iGaming and gambling
  • CFD, forex and other types of online trading
  • online shopping, including fitness and beauty 
  • the travel and hospitality industry
  • cryptocurrency exchanges and investment platforms
  • loan providers 
  • online dating apps and websites

These are usually very competitive industries with a strong online presence. 

In terms of ecommerce, the nature of cookie stuffing makes it more likely that big online retailers – or those that are well known in their sector – will be targeted, as we saw above with eBay, for example.

Techniques that help put an end to cookie stuffing on your platform include traffic monitoring, device fingerprinting and behavior analysis. 

For instance, looking at when the affiliate cookie was generated as well as how quick the user was to pick and choose their product on an eshop can help point to whether the cookie is truly related to the purchase in question or not.

Fraud experts explain that the dead giveaway is your affiliate’s conversion rates: clicks vs purchases. Cookie stuffing is so broad that their conversion rates will be miserable compared to other channels.

Comprehensive anti-fraud platforms can also help identify which affiliates use such black hat methods, saving merchants significant amounts of money and ultimately achieving better quality partnerships with reputable affiliates. 

Fighting Back Against Fraudsters

From elaborate new schemes to fraud-as-a-service, fraud is growing more complex by the day – but there are ways to fight back.

Learn more


  • Business Insider: eBay’s Top Affiliate Marketer Was Just Sentenced To Federal Prison
  • Ecommerce Bytes: eBay Affiliate Pleads Guilty in Cookie-Stuffing Scam
  • Statista: Annual net revenue of eBay from 2013 to 2020
  • TrackAd: Cookie Stuffing: What you need to know about fraud in CPA platforms
  • Martech: Cookie-Stuffing Could Land eBay’s Top Two Affiliates In Jail

Related Terms

Related Articles

Contact Us for a Demo

Feel free to reach out to us for a demo!