AppsFlyer Web SDK Compromised in Cryptocurrency Theft Attack

AppsFlyer Web SDK Compromised in Cryptocurrency Theft Attack

First seen 14 Mar 2026, 16:56 UTC BleepingcomputerRescanaScworld 82% similarity 64.5

Article Content

Browse articles
ThreatCluster

The AppsFlyer Web SDK was hijacked this week, allowing attackers to inject malicious code aimed at stealing cryptocurrency. The compromised SDK, utilized by over 15,000 businesses and 100,000 applications, intercepted wallet addresses entered by users and replaced them with attacker-controlled addresses. This supply-chain attack was identified by Profero researchers, who discovered obfuscated JavaScript being delivered through the SDK. The malicious payload monitored for cryptocurrency wallet input and exfiltrated original addresses while redirecting funds. The attack is believed to have occurred between March 9 and March 11, 2026. AppsFlyer confirmed a domain registrar incident on March 10, which temporarily exposed the SDK to unauthorized code. They stated that the issue has been resolved and that no customer data was accessed. Ongoing investigations are assessing the full impact of the incident.

Key Points: • The AppsFlyer Web SDK was hijacked to steal cryptocurrency through a supply-chain attack. • The attack affected thousands of applications, potentially compromising user funds. • AppsFlyer confirmed unauthorized code delivery but stated no customer data was accessed.

ThreatCluster AI

Timeline

2026-03-09
Malicious payload discovered in AppsFlyer SDK.
2026-03-10
AppsFlyer confirmed domain registrar incident.
2026-03-11
Attack exposure window believed to have ended.
2026-03-14
BleepingComputer published details of the incident.

Community

Browse all →