For VPN Brands

Stop Paying VPN Affiliates for Customers Who Were Already Buying.

Up to 12% of commissions in unmonitored programs are paid on brand-hijacked traffic — BrandVerity, 2025. For a mid-market VPN at $80 per sale and 5,000 conversions a month, that is a $200,000 annual leak. Your first confirmed cases land in 24 hours. If we find nothing, you don’t pay.

Get a Free Brand Scan View Sample Case File

No credit card requiredBuilt for VPN affiliate programs30-day full refund · Evidence yours either way

Best fit for VPN programs with 50+ active affiliates or $10K+ in monthly commissions.

Built by an independent team in the EU. No VC funding. No sales calls. Just evidence.

Real Case File
CONFIRMED HIJACK
Singapore · 2026
Affiliate brand-bid hijack on coupon query
query████████coupon
networkAwin
publisher id#941621
violatorbarakatalan.com
Redirect chain
Google Ad↓barakatalan.com↓awin1.com↓████████·brand
Forward-ready for network compliance

Live

suspicious bidders surfaced

Field Ledger

The numbers from the floor.

Every affiliate program we've ever scanned has had unauthorized bidders on its brand name. These are the numbers, pulled live from the scanner fleet.

400Brands ScannedPre-launch & early-access programs

3,100Bidders SurfacedConfirmed + likely unauthorized

9Scan Regions LiveNorth America, Europe, Asia, Oceania

6Networks IdentifiedPublisher IDs extracted from every hop

Updated hourly · numbers rounded down

Network Coverage

The six networks we decode.

Every tracking parameter in your fraud redirect chain — parsed, labelled, and traced back to the publisher account. The number your affiliate manager needs to file a dispute.

Live

Awin

awinaffid=

Publisher ID

Live

Impact

irclickid=

Click Tracking

Live

CJ Affiliate

cjevent=

Click Tracking

Live

ShareASale

Publisher ID

Live

Webgains

siteid=

Publisher ID

Live

PaidOnResults

porc=

Click Tracking

If your brand is being bid on through any of these networks, we pull the publisher ID out of the redirect chain and hand it to you with the screenshot, the ad copy, and the timestamp. No network relationship required.

VPN Field Patterns

Four patterns running against your VPN program right now.

Every claim below is sourced from public research and active litigation — not vendor positioning. VPN brands sit at the high end of every fraud surface because the economics line up: 30–40% recurring commissions, 30–90 day cookie windows, global virtual goods, and coupon-driven buyer behavior at every renewal.

Pattern 01

Coupon-keyword intercept

"[Your VPN] coupon" — 8k–18k US searches/month

Affiliates bid on the modifier query, not the bare brand. The user lands on a thin coupon page with a fake reveal button that fires the affiliate cookie before redirecting to your real site. Up to 12% of commissions in unmonitored programs are paid on traffic the brand would have captured organically. CPCs on these queries inflate 30–50% versus an uncontested auction.

Source · BrandVerity 2025 commission-leakage benchmark; brand+coupon search volume from public keyword tooling.

Pattern 02

Typosquat lookalike domains

980+ documented; ProtonVPN 29% maliciousness rate

Domains registered in the last 60 days with privacy-protected WHOIS, running Google Ads on your branded query, dropping cookies via affiliate redirects, then forwarding to your checkout. Researchers identified 980+ lookalike domains targeting major VPN providers in 2024 — 14% maliciousness baseline, with ProtonVPN at 29% (the highest in the cohort). ExpressVPN secured at least 22 typosquat domains defensively. UDRP filings cost ~$1,500 and resolve in 45–60 days once you have the evidence.

Source · TechRadar VPN typosquat investigation, 2024.

Pattern 03

Browser-extension attribution override

$35 commission stolen, $0.89 returned to the user

Coupon-finder extensions silently fire the affiliate cookie at checkout, overwriting whatever channel actually drove the sale. The active In re PayPal Honey litigation (5:24-cv-09470, N.D. Cal., before Judge Beth Labson Freeman) cites a NordVPN sale in which Honey allegedly captured a $35 commission while returning the user $0.89 — a 97.5% theft ratio. Honey lost ~3 million Chrome users within 14 days of the December 2024 MegaLag exposure. The case remains active as of April 2026; both NordVPN and ExpressVPN run aggressive coupon-affiliate programs against the same attack surface.

Source · Cohen Milstein docket, In re PayPal Honey Browser Extension Litigation, 5:24-cv-09470 N.D. Cal., active April 2026.

Pattern 04

AI-spun review/coupon rings

1,000+ subdomains, 1 affiliate ID, 0 public response

QuoIntelligence's March 2025 investigation traced a single fraud network operating 7 primary domains, 1,000+ subdomains, and 500+ fake LinkedIn / Medium / Tumblr / WordPress accounts — all funneling traffic into NordVPN affiliate ID 103411 (and Casinia/iGaming via ID 82813 in parallel). Templated account names (NextGenix832, BrightForge637) suggest LLM-generated infrastructure; activity peaked Oct–Dec 2024. NordVPN never publicly addressed the report or termination. The cost of standing up this kind of infrastructure has dropped 100× since 2020.

Source · QuoIntelligence, “Affiliate Fraud at Scale: AI, Black-Hat SEO, Social Media, and Brand Abuse in iGaming and VPNs,” March 2025.

Brand-bidding fraud sources: BrandVerity 2025 (commission leakage rate), QuoIntelligence March 2025 (AI-driven affiliate-fraud investigation), TechRadar 2024 (VPN typosquat survey), Cohen Milstein / N.D. Cal. docket 5:24-cv-09470 (active Honey/PayPal class action).

Anchor Cases

The receipts. Not vendor marketing.

The two most consequential public records of organized affiliate fraud in the VPN space. We didn't produce these. Independent researchers and federal court filings did.

Case QI-2025-03Reported March 2025Documented

NordVPN affiliate ID 103411 — AI-driven fraud network

One affiliate ID. 1,000+ subdomains. Zero public response.

subdomains in network: 1,000+
fake LinkedIn / Medium / Tumblr accounts: 500+
single NordVPN affiliate account: ID 103411
active operating window: Apr–Dec 2024

QuoIntelligence's investigators traced 7 primary domains and over 1,000 subdomains — all funneling into NordVPN affiliate ID 103411 (and Casinia/iGaming via ID 82813 in parallel). LLM-generated content, templated LinkedIn naming (NextGenix832, BrightForge637), aligned with NordVPN's seasonal promotional windows. Activity intensified Oct–Dec 2024. NordVPN never publicly addressed the report, the affiliate ID, or any termination. This is the single most thoroughly-documented case of organized VPN affiliate fraud on the public record.

Source · QuoIntelligence, “Affiliate Fraud at Scale: AI, Black-Hat SEO, Social Media, and Brand Abuse in iGaming and VPNs,” March 2025.

Case 5:24-cv-09470Filed Dec 2024 — active Apr 2026Active

In re PayPal Honey Browser Extension Litigation (N.D. Cal.)

$35 commission stolen on a NordVPN sale. $0.89 returned to the user.

PayPal acquisition price for Honey (2020): $4B
alleged NordVPN commission / user reward: $35 / $0.89
Chrome users lost in 14 days post-MegaLag: ~3M
before Judge Beth Labson Freeman: Active

Consolidated class action in the Northern District of California. Plaintiffs allege Honey systematically replaced creator affiliate cookies at checkout with its own — including on high-payout VPN flows. The cited NordVPN example: a $35 commission diverted while the user received $0.89 in coupon value. Lead plaintiffs include Wendover Productions and LegalEagle. A 101-page second amended complaint was filed January 2026 with merchant contracts attached. Both NordVPN and ExpressVPN run the exact coupon-affiliate programs this attack vector exploits.

Source · Cohen Milstein docket; In re PayPal Honey Browser Extension Litigation, 5:24-cv-09470, N.D. Cal. (active April 2026).

Not ready to hand us your domain?

Read the 15,000-word Affiliate Brand-Bidding Fraud Playbook.

Twelve sections on detection, recovery, and prevention. Free. Ungated. No email required. Take it and run your own audit if you'd rather not hand us your domain yet.

Open the playbook

Exhibit A · Real Case

One Case File. One Hundred Percent Confirmed.

Pulled directly from our live detection database. Brand name shown exactly as the violator displayed it publicly — that's the violation. Violator domain, network, publisher ID, coupon codes, and redirect chain preserved as captured. This is what lands in a customer's inbox within 24 hours.

Classification

CONFIRMED FRAUD

Confidence

100%

Region scanned

🇸🇬 Singapore

Detected

2026-04-23 · 12:08 UTC

The search

query: [brand name] coupon

Target: a mid-market VPN brand. Free scan requested by the brand.

The ad we caught

Sponsored · www.barakatalan.com/fastestvpn/coupons
www.barakatalan.com/fastestvpn/coupons — FastestVPN Coupon Code | Upto 93% Discount & Offers

The redirect chain

Google Ad — sponsored slot
barakatalan.com (coupon site)
awin1.com/cread.php — tracking redirect
[brand].com — landing

The publisher (smoking gun)

networkAwin
publisher id#941621
merchant id#90211

A static publisher ID — not a click hash. The exact account number the brand forwards to Awin compliance to get the affiliate terminated.

Unauthorized coupon codes

AR26CM24

Exploiting codes never issued to this publisher. Commissions on these conversions are recoverable.

Detection signals

Landing page contains known affiliate network links
Strong affiliate params: awinaffid present
Known affiliate network: Awin
Coupon codes found: AR26, CM24
Multi-domain redirect chain (3 domains)
Coupon/deal site detected: barakatalan.com
Coupon site bidding on coupon/discount keyword
COMBO: Coupon site + affiliate params + coupon codes
FLOOR: Coupon site + coupon keyword + coupon codes visible
Publisher accounts detected: Awin #941621

This is one report from one scan. In unmonitored programs, this is rarely the only case — first scans often surface multiple violators across coupon, promo, and review queries.

Scan Your Brand for Free →

Evidence to Action

Detection is step one. Here's the rest of the workflow.

A case file is only useful if it converts to terminated affiliates and recovered commissions. We hand off ready-to-forward evidence; your team and the affiliate networks do the enforcement. Here's the actual sequence after the PDF lands in your inbox.

Forward the dossier to network compliance.

Each case file is forwarding-ready: screenshot, redirect chain, publisher ID, ad copy, timestamp, region. You attach it to a one-line email to Awin, Impact, CJ, or whichever network the violator is registered with. The static publisher ID is the unique key compliance teams need to act.

You — about 5 minutes per case.

Dispute the commissions paid on hijacked traffic.

Many networks and programs have locking or reversal windows, often around 30–90 days depending on the platform and contract. The publisher ID and timestamped evidence are exactly what their commission-dispute process needs. We include the Pro-tier C&D template language for the cases that escalate.

Network compliance — same day to several business days once evidence is accepted.

Affiliate gets actioned.

Networks vary, but the dossier gives them what they need to review, reverse, remove, or escalate the publisher account. In repeat-offender cases (cross-brand violations, typosquats, cloaking), the network can block the publisher network-wide. The operational outcome: you stop paying that affiliate, and so does every other brand on the network.

Network — outcome and timing vary by platform and severity.

AdCrime produces the dossier. Your affiliate manager forwards it. The network does the termination and the clawback. We don't replace your network compliance team — we hand them the one thing they can't produce on their own: the static publisher ID, with evidence, in 24 hours.

The Perimeter

You Don't Have A Fraud Problem. You Have A Perimeter Problem.

Affiliate fraud isn't a leak you plug once. It's a probe. Fraudsters test your brand keywords every week — new domains, new networks, new cloaks. The moment they see you've stopped watching, they're back inside two weeks.

We've watched it happen.

Month 1 — with AdCrime

We surface 20–100 violators.

You send the dossiers to Awin, Impact, CJ. Commissions killed. Offenders booted. Your first real look at the damage.

Month 2–3 — with AdCrime

The smart ones stop trying.

Your scans come back cleaner. Your CAC drops. Your commission line stops bleeding. The perimeter is doing its job.

Month 4 — without AdCrime

Old offenders test new domains.

New geos, new networks, new cloaks. Affiliate fraud is a probe, not a one-off — once the watch ends, the cheap attempts come back.

Month 4 — with AdCrime

The cheap attempts drop off.

Because the brand is visibly watched. Sophisticated fraudsters still try sometimes, but the volume falls when the perimeter is obvious.

That's not a product failing because it found nothing. That's a product working because it found nothing. You don't rip the cameras out of your warehouse the month no one robbed it.

Fraudsters usually test the brands that look unwatched.

The Math

One Caught Coupon Affiliate Pays for a Year of AdCrime.

NordVPN pays affiliates 100% on monthly plans, 40% on multi-year, plus 30% recurring on renewals. ExpressVPN pays $36 flat per annual plan with a 90-day cookie. Surfshark pays 40% revenue share. These are the most aggressive affiliate economics in any consumer category — and 12% of commissions in unmonitored programs are paid on brand-hijacked traffic (BrandVerity, 2025). Here's what that costs three typical VPN programs, per month.

Indie / niche VPN

Affiliates: ~30 active
Monthly sales: 800 / mo
Commission rate: 30%
Average order: $50
Commission spend: $12,000 / mo

Leaking at 12%

$1,440per month

~$17K / yr

Mid-market VPN

Affiliates: ~150 active
Monthly sales: 5,000 / mo
Commission rate: 35%
Average order: $80
Commission spend: $140,000 / mo

Leaking at 12%

$16,800per month

~$202K / yr

Top-tier VPN

Affiliates: ~400 active
Monthly sales: 20,000 / mo
Commission rate: 40%
Average order: $100
Commission spend: $800,000 / mo

Leaking at 12%

$96,000per month

~$1.15M / yr

AdCrime Pro is $449 / month. The smallest scenario above recovers it in under a week.

Sources: Impact Affiliate Benchmark 2025 (AOV $123), BrandVerity (12% commission leak rate), Search Engine Land 2025 (brand-bidding economics).

The Deal

Free First Scan. 30-Day Full Refund. Evidence Is Yours Either Way.

In our pre-launch and early-access scans of active affiliate programs, every qualifying program surfaced unauthorized or likely-unauthorized bidders. The first scan is free — if we find nothing, you walk away with nothing lost.

If the evidence is worth paying for, you keep the monitoring on. And if in the next 30 days you want out — didn't find enough, don't like the reports, changed your mind, whatever — reply with the word refund. Every dollar back. No call. No form. No “let's hop on a quick sync.”

You keep every piece of evidence we surfaced. Forever. Even if you refund.

All I'm Asking Is That You Look.

Look — I'm not going to ask you to decide if this is worth it from a landing page. That would be insane. The whole point of AdCrime is that the fraud is invisible until somebody looks. So all I'm asking is that you let me look. Sign up, let us scan your program, and read the evidence we send you. If it's worth what we're charging, you keep it. If it isn't, you walk away — no questions, no card charge, no hard feelings.

“Day one or day thirty — if you're not happy, I'm not happy.”

That's the whole deal.

I Guarantee It.

— Mario Vaher
  Founder, AdCrime
  Rural Estonia

Pricing

One Confirmed Violator Can Cover the Plan.

The first scan is always free. If we find fraud and you subscribe, you have 30 days to walk for any reason. Keep the evidence either way.

Entry

Your First Look at the Damage

$149/mo

100 credits / month

Best for: Your first branded-search audit.

What you get

Affiliate IDs, networks, coupon codes
Screenshots + redirect chains
AI-assisted fraud classification
100 scan credits / month
9-region scout network coverage
Unlimited domains
Daily / weekly email reports

One confirmed violator, with the evidence to act on it, can pay for the plan.

≈ Monitor 1 brand, 3 keywords, 1 region, daily.

Free first scan + 30-day full refund

Start Monitoring →

Pro

The Commission Recovery System

$449/mo

500 credits / month

Best for: Ongoing multi-region enforcement.

What you get

Everything in Entry
C&D letter templates (lawyer-reviewed)
500 scan credits / month (5×)
Priority scanning queue
CSV exports
Slack real-time alerts

Built to catch repeat offenders across regions — where most leaked commissions hide.

≈ Monitor 2 brands, 5 keywords, 3 regions, daily.

Free first scan + 30-day full refund

Start Monitoring →

Enterprise

The Full Perimeter

$999/mo

1,500 credits / month

Best for: Always-on coverage at scale.

What you get

Everything in Pro
Auto-generated dispute packs per network
API access (FastAPI)
1,500 scan credits / month (3×)
Dedicated AI fraud classifierBETA
Telegram priority support
Personalized scan regions on demand

At portfolio scale, leaked commissions compound — continuous coverage is the cheaper line item.

≈ Monitor 5+ brands across all regions, daily.

Free first scan + 30-day full refund

Start Monitoring →

Comparable tools often start around $500+/mo, add crawling fees, require trials or demos, or bundle affiliate compliance into broader enterprise suites.

Agency

Running Multiple Brands? White-Label the Whole Thing.

Starts at

$2,499/mo

Built for agencies, holding companies, and ecommerce groups monitoring several brands at once. Custom quote, custom workflows, white-label everything.

Talk to us

Everything in Enterprise
Multi-brand dashboard (manage unlimited client brands)
White-label PDF reports (your logo on every dossier)
Unlimited team seats + role-based access
Dedicated account rep
Custom integrations and workflows
Quarterly executive reviews

How Credits Work

1 credit = 1 keyword in 1 region before any automatic volume discount.

Larger configurations get cheaper per-unit pricing, but cost always increases when you add more keywords or regions.

Unused subscription credits roll forward for one billing cycle.

Example workload

3 keywords × 3 regions × daily cadence fits comfortably inside Entry.

Multi-brand daily monitoring across multiple regions usually pushes teams into Pro.

Enterprise exists for programs that want broad, always-on coverage without rationing usage.

Honest Filter

Who AdCrime Isn't For.

If any of these describe you, don't sign up. We'll save you a refund email and we'll save us a disappointed customer.

You don't run an affiliate program.

AdCrime only detects affiliates bidding on your brand. No affiliates, no fraud to detect. We're the wrong tool.

You have fewer than 20 active affiliates.

At that size you can audit your program manually in an afternoon. We become worth it around 20–30 active publishers.

Your monthly affiliate commissions are under $10K.

The exposure is real even at this scale, but the operational overhead of paid monitoring rarely justifies itself yet. Run manual spot checks until the program grows, then come back.

You want a demo call, a discovery session, and a 6-week procurement cycle.

Every tool on this page except ours offers that. We optimize for the affiliate manager who wants evidence in 24 hours, not a pipeline meeting.

Everyone else: run your free scan →

FAQ

VPN Brand FAQ

We scan real Google Ads search results from 9 regions — just like a customer searching "[your VPN] coupon" would. When we find sponsored ads leading to affiliate tracking URLs, we capture the full evidence: ad screenshot, redirect chain, the static publisher ID extracted from awinaffid / irclickid / cjevent / siteid params, the affiliate network, the coupon codes used, and the destination URL. Every detection is classified with a confidence score and ready to forward to Awin, Impact, CJ, or whichever network the violator is registered with.

Yes. Our redirect-chain capture follows every hop from the Google Ad click through to your real checkout, so a typosquat domain inserted as a middle hop shows up in the chain. TechRadar researchers identified 980+ lookalike domains targeting VPN brands in their 2024 survey — ProtonVPN saw a 29% maliciousness rate, the highest in the cohort. ExpressVPN has secured at least 22 typosquatted domains defensively. UDRP filings cost ~$1,500 and resolve in 45–60 days once you have evidence.

Browser-extension cookie injection at checkout is harder to catch from SERP scanning alone because there is no Google Ad on the search results page — the extension is doing the work client-side. The signal shows up in your attribution data: one or two affiliate publishers with impossibly high conversion rates, very short click-to-conversion windows, and a disproportionate share of commissions from users who also touched your brand through non-affiliate channels in the same session. We help you cross-reference. The active In re PayPal Honey class action (5:24-cv-09470, N.D. Cal.) cites a NordVPN sale where Honey allegedly captured a $35 commission while returning the user $0.89.

No — and this is the most expensive misunderstanding in the VPN affiliate channel. Awin, Impact, CJ, ShareASale and the rest are paid as a percentage of commission volume. Every fraudulent commission that flows through their platform is also a commission they take a cut on. Their compliance teams are reactive: they act on complaints. They don’t go looking for violations on your behalf. AdCrime is the system that finds the complaints you’d otherwise miss — with the static publisher ID, the screenshot, the redirect chain, and the timestamp the network needs to terminate the affiliate. You forward our dossier to Awin or Impact, they enforce it the same day. QuoIntelligence’s March 2025 NordVPN report is the cleanest illustration: 1,000+ subdomains, 500+ fake social-media accounts, single affiliate ID 103411 — and no public NordVPN response, no termination, no acknowledgment. The detection has to come from outside the network.

Three things: 1. We show you full evidence upfront — your free scan includes affiliate IDs, redirect chains, screenshots, and network details. No sales call required to see what we find. 2. Our classification engine uses multi-pass detection with AI-assisted scoring that distinguishes real affiliate abuse from competitors and legitimate ads, which means fewer false positives. Enterprise accounts get access to our AI fraud analyst that can evaluate edge cases and explain its reasoning. 3. Pricing: most brand bidding tools start at $500–1,200/month. AdCrime starts at $149/month with credit-based pricing and full API access on Enterprise.

Every plan includes all 9 regions out of the box: United States, Canada, Mexico, United Kingdom, Germany, Romania, Singapore, Hong Kong, and Australia. That covers North America, Europe, Asia, and Oceania. Need coverage in a specific market? Enterprise plans include custom scan regions — if a meaningful share of your VPN revenue comes from Brazil, India, or Japan, we’ll spin up a scanner there. Talk to us at mario@adcrime.com.

Final Check

Ready to find out if affiliates are bidding on your brand?

Free scan. No credit card. Results in 24 hours. If the problem is real, you'll have proof worth acting on.

Get a Free Brand Scan

Questions? mario@adcrime.com