It was the perfect pitch: “Stop searching for coupon codes. Let us do it for you.” For years, the Honey browser extension has been the darling of the internet, a tool installed on millions of browsers, endorsed by the world’s biggest creators like MrBeast, and ultimately acquired by PayPal for a staggering $4 billion.
But according to a bombshell investigation by independent journalist MegaLag, the “free money” machine might actually be one of the most sophisticated digital surveillance and fraud operations in history.
From allegations of “economic extortion” against small businesses to a technical scandal rivaling the Volkswagen Dieselgate fraud, the “Honey Files” have exposed a dark underbelly of the affiliate marketing world. This isn’t just about saving $5 on pizza; it’s about wiretapping, data harvesting, and a system designed to steal millions from the very creators who helped build it.
Here is the full story of the Honey scandal that PayPal doesn’t want you to read.
The “Glitch” That Revealed Everything
The unraveling of Honey’s clean image began with a mistake. An anonymous source discovered that Honey had accidentally left their source code exposed within their iOS app. This wasn’t just a minor bug; it was a window into the company’s soul.
For years, users believed Honey was simply scouring the web for public coupon codes. The reality, according to the investigation, is far more invasive. The leaked code revealed that Honey wasn’t just finding codes—it was harvesting them from your private checkout sessions without meaningful consent.
The Privacy Illusion
When you type a private coupon code into a checkout box—say, a unique code given to you by a company for a customer service issue, or a “friends and family” employee discount—Honey’s extension reportedly scrapes that code immediately.
“Honey immediately sends that code directly to their servers,” MegaLag reveals in the investigation. “And then they ask for your consent.”
By the time the extension politely asks if you’d like to share the code, the data has allegedly already left your browser. This mechanism has flooded Honey’s database not just with public promos, but with private, internal, and one-time-use codes that were never meant for the public eye.
Economic Extortion and the Small Business Nightmare
While users rejoiced at finding a 50% off “employee” code for their favorite clothing brand, small business owners were watching their profit margins vanish.
The investigation uncovered that Honey’s database contains over 180,000 online stores. Yet, on their website, they claimed to partner with only 30,000. This discrepancy of nearly 150,000 stores suggests that Honey dragged tens of thousands of businesses onto their platform without consent.
The “Pay to Play” Shakedown
For small businesses, coupon codes are strategic. They are used to track marketing channels, reward loyal VIPs, or help employees. When Honey leaks these codes to 17 million users, the strategy collapses.
When business owners reached out to Honey demanding to be removed from the platform, they were met with what can only be described as a digital protection racket.
- The Plea: “Please remove us. You are leaking private codes and hurting our business.”
- The Response: Honey reportedly refused to remove stores unless they joined Honey’s official affiliate program.
“It’s economic extortion,” MegaLag asserts. “The stores don’t pay for inclusion; they pay for exclusion. They pay for damage control.”
Emails revealed in the investigation show Honey employees ignoring removal requests for months, only offering “control” over coupons if the business agreed to pay commissions. It is a classic shakedown: We created a problem for you, and now we will sell you the solution.
The Data Harvest and the “Unfair Advantage”
Why did PayPal spend $4 billion—more than Google spent to buy YouTube—on a coupon extension? The answer, as is often the case in tech, is data.
Honey isn’t just a coupon tool; it is a massive data vacuum.
The “God View” of Shopping
Internal documents and pitch decks from 2015, long before the PayPal acquisition, show Honey boasting to investors about their “Unfair Advantage.” They explicitly claimed their data allowed them to:
- Predict what a user is about to buy.
- Know exactly how much a user is willing to pay.
- Track cross-site comparison shopping behavior.
An investigation by the German non-profit Data Request found that Honey collected timestamps, unique user IDs, device IDs, and the full URLs of every page visited. From this “metadata,” they could infer incredibly private details—from medical issues to travel plans.
PayPal executives have been caught on tape bragging about this “shopper data” and how it helps them “unlock” value. With PayPal announcing a new ad network based on user spending history, the $4 billion price tag starts to make terrifying sense. They didn’t buy a product; they bought a window into your financial life.
The MrBeast Connection and Targeting Minors
Perhaps the most culturally damaging aspect of the investigation is the alleged targeting of children. Honey has been a massive sponsor of YouTube’s biggest stars, including MrBeast (Jimmy Donaldson).
In one infamous ad read, MrBeast issues a challenge:
“Go to every computer in your house—your mom’s, your dad’s, your sister’s, your brother’s computer—and install Honey.”
This call to action encouraged children to install data-tracking software on devices they did not own, without parental consent.
The investigation highlights that Honey’s privacy policy claims the service is for adults 18+. Yet, they aggressively sponsored Minecraft, Roblox, and cartoon channels. Honey executives were even recorded admitting, “Every kid in America knows what Honey is… My 5-year-old brother installed Honey.”
This wasn’t accidental viral growth; it was a calculated strategy to bypass parental consent laws by weaponizing the trust children place in their favorite YouTubers.
“Cookie Gate” — The Dieselgate of the Internet
If the ethical violations aren’t enough, the “Honey Files” investigation uncovered technical evidence of what appears to be massive, systemic fraud against the affiliate marketing industry. This is the “Volkswagen Dieselgate” moment for the creator economy.
The “Stand Down” Rule
In affiliate marketing, there is a golden rule called “Stand Down.” If a user clicks a link from a Creator A (e.g., a tech reviewer), and then goes to checkout, Honey is supposed to disable itself. It should not pop up and overwrite the creator’s cookie to steal the commission.
Honey claimed to follow this rule. The investigation proves otherwise.
The SSD (Selective Stand Down) System
Honey engineered a secret system called SSD. Its purpose was to determine if the user was a “civilian” (a regular shopper) or a “cop” (a compliance tester from an affiliate network).
The code checks for:
- Account Age: Is the account new? (Likely a tester).
- Points Balance: Does the user have 0 points? (Likely a tester).
- Network Cookies: Does the browser have cookies from affiliate networks like CJ or Awin? (Likely a network employee).
The Fraud: If Honey detects you are a tester or an industry insider, it follows the rules and stands down. If Honey detects you are a regular user (logged in, high points, no industry cookies), it breaks the rules, ignores the creator’s affiliate link, injects its own cookie, and steals the commission.
“It’s a kill switch,” MegaLag explains. “They are attempting to stand down as little as possible while avoiding getting caught.”
Security researcher Ben Edelman, a Harvard-educated expert on ad fraud, reviewed the findings and stated, “It certainly is intended to conceal… This kind of misconduct… looks like a violation of wire fraud.”
The PayPal Cover-Up?
Perhaps the most damning evidence is what happened after the allegations surfaced.
Following the initial scrutiny and the filing of class-action lawsuits, the rules governing this “Selective Stand Down” system quietly changed. The requirement to trigger the “safe” mode was raised to a staggering 65,000 Honey Gold points—an amount almost impossible for a normal user to accrue.
This effectively turned off the fraud mechanism for the masses, likely in an attempt to sanitize the operation before regulators could look too closely. However, the investigation found they accidentally left a “backdoor” open for specific retailers, allowing the fraud to be replicated and proven on video.
The End of an Era?
The “Honey Files” investigation paints a picture of a company that grew too fast, cut too many corners, and institutionalized theft as a business model.
- For Consumers: You are the product. Your data is being harvested, and the “best deal” promise is often a mirage of expired coupons used to keep you engaged.
- For Creators: You have potentially lost millions in commissions to a tool that overwrote your hard-earned traffic.
- For Businesses: You were strong-armed into a platform that degraded your brand and leaked your internal data.
As of this writing, PayPal faces over 20 class-action lawsuits accusing them of wiretapping, computer hacking, unfair competition, and unjust enrichment.
The advice from the experts? Uninstall.
If you value your privacy, your favorite creators, and the health of the online marketplace, the free coupons might just be too expensive.
Frequently Asked Questions (FAQ)
Is the Honey app safe to use?
Recent investigations have raised serious concerns. While the app functions as a coupon finder, it has been accused of aggressive data harvesting, collecting full browsing history, and scraping private checkout information. Security experts have labeled some of its behaviors as similar to spyware.
Does Honey really steal commissions from YouTubers?
Evidence suggests it does. The “Selective Stand Down” system was allegedly designed to overwrite affiliate cookies from other creators. If you click a creator’s link and then use Honey, Honey often claims the commission for itself, depriving the creator of their earnings.
Does Honey sell my data?
Honey is owned by PayPal, and their business model relies heavily on data. They track shopping habits, purchase history, and cross-site behavior to build a “God View” of your financial life, which is then used for targeted advertising and market prediction.
What is the lawsuit against PayPal and Honey about?
There are multiple class-action lawsuits filed against PayPal and Honey. The allegations range from wiretapping (illegal interception of electronic communications) and computer hacking to unjust enrichment and violations of consumer privacy laws.
How do I uninstall Honey?
You can remove Honey by right-clicking the extension icon in your browser toolbar (Chrome, Firefox, Edge, or Safari) and selecting “Remove from [Browser Name].” You should also verify it is removed from your browser’s “Manage Extensions” menu.
Did you use Honey? Have you noticed strange behavior at checkout? Let us know in the comments below. Share this article to spread the truth about the $4 billion extension spying on your browser.
