← All guides
affiliatereality-checkcontent

Your Amazon Purchase Has an Affiliate Code. On Motorola Phones, Nobody Is Sure Who Put It There.

A 9to5Google investigation found Motorola phones inserting Amazon affiliate codes into app sessions, routing commissions through an influencer's domain using a code that matches none of their public links. The HN thread agreed on what happened. It disagreed, sharply, on who did it. What the evidence actually shows, and why it matters to anyone whose income depends on attribution being accurate.

2026-07-18 · 16 min read
Your Amazon Purchase Has an Affiliate Code. On Motorola Phones, Nobody Is Sure Who Put It There.

In late May, 9to5Google reported that Motorola phones were inserting affiliate codes into Amazon app sessions. The story landed on Hacker News, earned 406 points, and generated 232 comments. The thread agreed on what happened. It disagreed, sharply, on who did it and why.

That disagreement is worth sitting with. Affiliate marketing runs on attribution: the claim that one party introduced a buyer to a seller. When that claim is manufactured at the device level, the machinery that's supposed to pay the people who actually drive sales breaks. Whether what happened with Motorola was corporate policy, a rogue engineer, or something harder to name is a question the evidence doesn't cleanly resolve.

What 9to5Google found

The reported behavior: on Motorola phones, opening the Amazon app triggers a redirect that inserts an affiliate code into the session. The code earns a commission on purchases made during that session. In tracing where the code leads, 9to5Google found something murkier than a straightforward cash-grab.

HN commenter kayson quoted the key passage from the article. We are paraphrasing it here, and leaving out one thing the original included (more on that below).

The phone opens a URL belonging to a fashion influencer's site. That exact URL appears nowhere on the influencer's social media, and the codes don't match either: the redirect uses Amazon affiliate code sramz-kff-008-20, which is different from every code found in links that influencer actually published. 9to5Google's own conclusion: "Something funny is up; this doesn't seem deliberate."

Hold onto that last sentence. We'll come back to it.

The thing we left out is the influencer's name and domain, both of which are in the original report. They are a private person who published nothing connecting them to this, and whose codes specifically do not match the one doing the hijacking. The evidence points away from them, so putting their name next to the word "hijacking" (on a page that outranks nothing today but might tomorrow) costs them something and buys you nothing. The mechanism is the story. If you want the name, the source is one click away; we just won't be the ones repeating it.

The mechanism, as described: open the Amazon app on a Motorola phone, and the phone routes the session through an affiliate code before you see any product or price. That code earns a commission on whatever you buy. The code traces to a domain connected to a real influencer's brand, but uses a tracking code that doesn't match anything that influencer has published publicly.

Three theories, one honest hedge

The HN thread split into roughly three camps.

The first went straight to deliberate corporate behavior. Several commenters pointed to the fact that Motorola is owned by Lenovo, a Chinese company, and argued this fits a pattern. userbinator gave the longer version: around ten to fifteen years ago, Chinese OEMs shipped clean, unlocked Android with no crapware; as some scaled up, they adopted the monetization behavior of larger players. greatgib named Xiaomi as a concrete example, one that built an audience on clean hardware and then reversed course once dominance was established.

The second camp pushed back on the corporate-intent read. ezekiel68 stated it plainly: "If I'm not guilty until proven innocent, then neither is Motorola." londons_explore offered a specific alternative: a rogue employee hoping to get away with it for years, whose cousin plausibly does social media for the influencer in question. That theory would explain both the connection to the domain and the mismatch between the inserted code and anything published publicly.

The third camp made a smaller technical point that matters. jollymonATX in one line: "An affiliate can create multiple codes." In other words, the fact that sramz-kff-008-20 doesn't appear in that influencer's public posts doesn't prove it isn't theirs. Amazon affiliates can generate multiple tracking codes for different placements, campaigns, or arrangements. The mismatch is suspicious, not conclusive.

9to5Google themselves, as that quoted passage shows, landed on "this doesn't seem deliberate." That isn't a cautious editor hedging a headline. It's the reporters who investigated saying their own evidence didn't establish intent. microtonal asked whether the situation implied "a complete lack of code review." pitkali: "Code review just means you need an accomplice." The honest summary of what the thread established: something happened, someone collected the commissions, and the full chain of responsibility is unresolved.

What is clear regardless of intent

An affiliate code is a factual claim. It says: I sent you this buyer.

When Amazon pays a commission on a purchase made under code "sramz-kff-008-20," it's paying on the assertion that whoever holds that code introduced the buyer to the product. If the buyer arrived because they remembered Amazon, typed the URL from habit, opened the app because their partner mentioned a sale, or clicked from a completely unrelated creator's recommendation, the inserted code places a middleman into a transaction that had no middleman. The merchant pays; the buyer pays the same price either way, since the commission comes out of the merchant's affiliate budget.

The person who loses in this transaction is whoever legitimately influenced that buyer and whose code didn't make it into the session: a creator who linked the product, a review site that drove the click, a content business built specifically around Amazon recommendations. Their commission exists on the assumption that when they send someone to Amazon, that referral gets credited. When a device substitutes a different code before the session begins, that assumption is broken at a layer the creator has no control over and often no visibility into.

Two ways attribution breaks

We wrote about attribution decay in an earlier piece. The mechanism there is passive: a commission is paid once. The customer is kept forever by the brand. On purchase one, the creator gets paid. On purchase two or ten, the customer returns to the store directly, and the creator earns nothing. It compounds quietly, by design. The commenter in that thread put it in one sentence: "if they get repeat customers be sure you're pricing that as well since the next time they may go directly to the store instead of your unique tracking link."

This is the other side of the same structural problem. There, attribution decays over time. Here, it gets replaced at the moment of the first sale. Either way, the link between who drove the sale and who gets paid is weaker than it looks from the outside.

Both failures share a root: the affiliate system trusts that the code reaching the merchant accurately represents who deserves credit, and every affiliate program is built on that assumption. Neither Amazon's TOS nor most program agreements have much language about what happens when a device (rather than a competitor's link or a careless browser) substitutes a different code.

How code gets into production without a boardroom vote

Commenter mschuster91 offered the most useful technical observation in the thread. Asked whether the behavior would imply "a complete lack of code review," they replied:

"You'd be surprised how many websites use Google Tag Manager to allow their marketing department to roll out trackers and other JS snippet directly into the site's root context. GTM et al's sole reason of existence is to provide marketing people with a way to bypass corporate IT."

The point extends beyond websites. In a device context, marketing partnerships, pre-installed SDKs, and third-party monetization layers can inject behavior without necessarily going through the same review chain as core OS code. macintux added: "Bury it in a sufficiently-large PR and there's a very good chance it'll be rubber-stamped because no one wants to take the time to carefully review the entire set of changes."

GuestFAUniverse put the bottom line clearly: "No matter how you turn it, that doesn't build trust in the Motorola brand, if a single employee can push that (hypothetical) code." That's accurate whether it was an individual acting alone, a team that didn't examine what they were deploying, or a commercial arrangement that didn't survive scrutiny. The effect on attribution is the same.

Is there a stealth ad in this thread?

We run the stealth-ad-detector over every thread we cover. The check is whether the post or top comments contain product placements dressed as authentic experience. This thread is different in character from the subreddits we usually analyze: it's a news discussion, not a "my honest numbers" success story, and the comments run skeptical to hostile rather than promotional.

The closest framing device is sourcegrift's comment ("If an anti-worker company is getting fleeced, nothing wrong with that"), which isn't a product pitch but does distribute sympathy in a way that redirects attention from the original question. We flag it the same way we'd flag any framing that positions you before you've had time to read.

The thread doesn't have the four sales funnels in forty-five comments that we catalogued in the affiliate revenue piece. It has something less common: a contested story where the most important question (who benefits and how much) is exactly what the evidence can't fully answer.

Our own receipts, since we are in this business

We run affiliate links. One, currently. It's in the payments article, labeled in the text as a referral link, with a clean non-referral alternative sitting directly next to it. That link has earned $32.56 all time. Those are the receipts.

We're in the same business as the people whose code may or may not have ended up on Motorola phones. Several orders of magnitude smaller, with a ledger that fits in one sentence. We write this piece because we found the story worth analyzing, and because we spend most of our time thinking about this exact question: who claims credit for a purchase, how attribution works, and who loses when it breaks. It would be odd to analyze it without saying that plainly.

The difference between what we do and what the 9to5Google story describes isn't a moral category. It's one practical fact: when our referral link earns something, the person clicking it knows the arrangement before they click. They can use the clean link instead. The Motorola code, whoever installed it and for whatever reason, was never disclosed to the buyer. The buyer had no way to see the arrangement or route around it.

What this means if attribution is your income

The Motorola story, unresolved as it is, describes a category of risk that most affiliate program terms don't address: someone else claiming your attribution upstream.

The standard risk model runs one direction: your cookie gets overwritten by a competitor's link, your attribution window expires before the purchase completes, or the customer returns to the merchant directly the second time. Those are documented failure modes, and most experienced affiliates price them in.

The Motorola scenario is different. The substitution happens before the buyer has reached your link at all, at the device or OS level, before any creator enters the picture. Most affiliate agreements are silent on this. They describe what you must do to earn a commission, what the merchant controls, what counts as fraud on your side. They say very little about what happens when a third party inserts a different code on hardware your customer owns.

That gap isn't unique to Motorola. Coupon browser extensions have run the same play for years, overwriting creator codes in the final seconds before checkout, claiming commission on a sale the creator spent months building an audience to drive. The Motorola case puts the behavior at a lower level of the stack. The affiliate system has no obvious answer for it, because it wasn't designed with this vector in mind.

The thread's 406 upvotes and 232 comments spent a morning on the question. It's worth keeping open longer than that.