Devin Stone, an attorney and creator behind the LegalEagle YouTube channel, has filed a lawsuit against PayPal. The lawyer alleges that the browser extension ‘Honey’ that the fintech company owns is usurping affiliate commissions from content creators. This it does by automatically substituting its own links during user transactions.

Stone claims in his lawsuit that PayPal, through Honey, is systematically diverting commissions from rightful earners, thus undermining the affiliate marketing system. The browser extension automatically applies coupon codes during online shopping, which PayPal acquired for $4 billion in 2019 

According to the lawsuit, when viewers with the Honey extension installed click on a creator’s affiliate link, the extension replaces it with its own affiliate link at the point of purchase—even in cases where the extension doesn’t provide any discount to the consumer. This results in the commission being paid to Honey instead of the original content creator.

The lawsuit highlights what Stone describes as an “ironic” practice: PayPal recruits content creators to promote the Honey extension to their audiences, which then allegedly enables the technology to redirect future commission earnings from those same creators.

Stone characterizes the extension as a “sleeping leech” that remains dormant in users’ browsers until a transaction occurs, at which point it “infects” the creator’s ability to earn from future sponsorships and affiliate relationships.

PayPal disputed these allegations. In a statement to The Verge, the company said it would “vigorously” defend itself, maintaining that “Honey follows industry rules and practices, including last-click attribution.”

The lawsuit seeks class-action status, with Stone actively recruiting other creators to join the legal action. This legal challenge follows recent criticism from other content creators, including YouTuber MegaLag, who previously characterized Honey as a “scam stealing money from influencers.”

Content creators have been the targets of cyber fraud lately. In December, CloudSEK researchers uncovered a large-scale phishing operation targeting YouTubers through fake promotional offers, with over 200,000 creators affected by the campaign.

The operation relies on malicious files hosted on trusted platforms like OneDrive, typically disguised as partnership agreements or promotional materials. These password-protected archives contain executables that, when opened, deploy malware designed to steal login credentials and session cookies or enable remote system access.