Cryptocurrency Stealer via AppsFlyer Web SDK
Summary
Hide ▲
Show ▼
Malicious JavaScript code delivered through the AppsFlyer Web SDK intercepted cryptocurrency wallet addresses on websites, replacing them with attacker-controlled addresses to divert funds. The payload was served from the official domain 'websdk.appsflyer.com' and targeted Bitcoin, Ethereum, Solana, Ripple, and TRON addresses. The incident impacted thousands of applications and end users, with the exposure window likely between March 9 and March 11, 2026. AppsFlyer confirmed unauthorized code delivery but stated the mobile SDK was unaffected and the issue has been resolved.
Timeline
-
14.03.2026 16:36 1 articles · 5h ago
Malicious JavaScript Delivered via AppsFlyer Web SDK
On March 9, 2026, Profero researchers discovered a malicious payload served by the AppsFlyer Web SDK from its official domain, 'websdk.appsflyer.com.' The payload intercepted cryptocurrency wallet addresses and replaced them with attacker-controlled addresses. The exposure window is suspected to be between March 9, 22:45 UTC, and March 11, 2026. AppsFlyer confirmed unauthorized code delivery but stated the mobile SDK was unaffected and the issue has been resolved.
Show sources
- AppsFlyer Web SDK used to spread crypto stealer JavaScript code — www.bleepingcomputer.com — 14.03.2026 16:36
Information Snippets
-
The malicious JavaScript code intercepted and replaced cryptocurrency wallet addresses with attacker-controlled addresses.
First reported: 14.03.2026 16:361 source, 1 articleShow sources
- AppsFlyer Web SDK used to spread crypto stealer JavaScript code — www.bleepingcomputer.com — 14.03.2026 16:36
-
The payload was served from the official AppsFlyer Web SDK domain 'websdk.appsflyer.com'.
First reported: 14.03.2026 16:361 source, 1 articleShow sources
- AppsFlyer Web SDK used to spread crypto stealer JavaScript code — www.bleepingcomputer.com — 14.03.2026 16:36
-
The targeted cryptocurrency addresses include Bitcoin, Ethereum, Solana, Ripple, and TRON.
First reported: 14.03.2026 16:361 source, 1 articleShow sources
- AppsFlyer Web SDK used to spread crypto stealer JavaScript code — www.bleepingcomputer.com — 14.03.2026 16:36
-
The exposure window is suspected to be between March 9, 22:45 UTC, and March 11, 2026.
First reported: 14.03.2026 16:361 source, 1 articleShow sources
- AppsFlyer Web SDK used to spread crypto stealer JavaScript code — www.bleepingcomputer.com — 14.03.2026 16:36
-
AppsFlyer confirmed unauthorized code delivery but stated the mobile SDK was unaffected and the issue has been resolved.
First reported: 14.03.2026 16:361 source, 1 articleShow sources
- AppsFlyer Web SDK used to spread crypto stealer JavaScript code — www.bleepingcomputer.com — 14.03.2026 16:36