Phoebe Gates Raised $43M for an App That Did What Sent People to Prison
I Audited My Own Browser Extensions With Claude Code. Trusting a Founder's Name Isn't a Security Strategy.
Phia raised $43.5M, at a $185M valuation, riding Phoebe Gates' name and a roster of investors that reads like a red carpet. Bloomberg, Ben Edelman, and Capital One Shopping tested the extension on 50+ sites and found the same thing every time: at checkout, it opens a hidden tab, drops its own affiliate code in it, and takes the commission even when it did nothing to earn the sale.
The detail that changes everything is the feature flag. Live on iOS, off on Chrome desktop, because on desktop a tab opening is something you'd actually see. Phia calls it a bug, fixed in 24 hours. The code tells a different story.
The mechanism behind this isn't exotic. It's last-click attribution, the rule running the entire affiliate industry. And if an extension with this much visibility can play it, the 8 I've got installed on my own machine can too, and I wouldn't know. So I ran them through Claude Code, one by one.

$43 Million and a Feature Flag
Phia calls itself an AI-powered personal shopping assistant. Cofounded by Phoebe Gates, backed by $43.5M in funding, a $185M valuation, and a cap table stacked with names like Sydney Sweeney, Kim Kardashian, and Paris Hilton. The kind of lineup that gets covered before the product does.
Then Bloomberg, researcher Ben Edelman, and Capital One Shopping ran their own tests. Same result across more than 50 sites: at the exact moment you hit pay, the extension quietly opens a tab in the background, injects its own affiliate code, and claims the commission. Whether or not it actually found you a discount.
Here's the detail that makes "bug" a hard sell. According to a former Phia hire writing on Substack, the feature triggering this behavior was live on iOS and switched off on Chrome desktop, for a specific reason: on desktop, a tab popping open is something a user would notice, on mobile it isn't. That's not a coincidence you patch after the fact. That's a design choice you make once you already know what gets caught.
Phia's official line is a bug, fixed within 24 hours. I'm not going to guess what Phoebe Gates personally knew or didn't, I have zero interest in doing internet detective work on a 20-something's inbox. What I can read is the code's behavior, and code doesn't have intentions, it has a flag that's on or off depending on who's watching. π¬
Impact.com, the affiliate network Phia ran its commissions through, suspended the account after the reporting broke. That's not a PR statement, that's a payment platform pulling the plug on roughly 1.5M users' worth of extension activity because the numbers didn't add up.
Why the Last Click Always Wins
Affiliate marketing runs on one rule: whoever gets the last click before checkout gets paid. It doesn't matter who actually convinced you to buy, who wrote the honest review, who spent 3 hours comparing specs. Last click wins.
This isn't some niche corner of ecommerce. Last-click attribution governs a market worth around $13B a year in the US, roughly 1 in 6 online purchases. A browser extension sits in the one spot that matters most in that whole chain, between you and the payment button. It can insert itself as the last click on nearly every purchase you make, whether it added value or not, and the rule has no built-in way to tell the difference. That gap isn't a security hole you patch, it's baked into how the rule works. Any extension smart enough to know it can lean on it.
Which is why cookie stuffing isn't just a shady growth hack, it's wire fraud under federal law (18 U.S.C. Β§ 1343). Not hypothetically. Shawn Hogan, once eBay's top affiliate, did 5 months in prison plus a $25k fine for it. Brian Dunning got 15 months and had to pay restitution. On paper, the maximum sentence runs up to 20 years.
Maybe I'm reading too much into a coincidence here, but eBay Ventures is listed among Phia's investors. 20 years ago, eBay worked directly with the FBI to put Hogan away for running the same scheme at a smaller scale.
eBay jailed a man for this exact scheme. Now it just funds it.
Phia Isn't Even the First One
Honey ran the same play at way bigger scale. PayPal-owned, worth roughly $4B, until YouTuber MegaLag put out a video in December 2024 walking through exactly how it stiffed reviewers and creators out of commissions. Chrome lost somewhere between 6 and 8 million users of the extension in the fallout. By March 2025, Google updated the Chrome Web Store policy to explicitly ban the practice.
That's the famous case. Not the only one. McAfee's research team found a cluster of Chrome extensions built specifically for cookie stuffing, no relation to Phia or Honey, sitting at 1.4 million users combined. Different developers, different names, same trick running quietly in the background.
Then there's the acquisition angle, which might be the part worth worrying about most. A tab management extension with 200,000 users got bought out in late 2025. An update rolled out a few weeks later, and it started injecting affiliate links too. The underlying code barely changed, someone just bought the audience and repurposed it. Achievement unlocked: silent supply chain compromise, no boss fight required.
Chrome's policy banning this has been in place since March 2025. The practice hasn't slowed down. Make of that what you want.
I Ran My Extensions Through Claude Code
A store badge doesn't tell you what code does at checkout. Neither does a 4.8 rating, a big name on the board, or "50,000+ users." None of that is a security control, it's social proof, and social proof doesn't read source code. Two fake AITOPIA extensions carried Chrome's own "Featured" badge and still managed to exfiltrate 900,000 ChatGPT and DeepSeek conversations before anyone caught it (the badge is Google vouching for update hygiene and store compliance, not for what the code actually does at runtime).
And the part that actually surprised me: you don't need Claude Code or any tool at all to start checking. A .crx file is just a zip archive with a different extension. Rename it, unzip it, and the manifest and source are sitting right there in plain text. Most people never do this because it feels like it requires a reverse engineering background. It doesn't, it requires an unzip command and 5 minutes.
So instead of trusting any of it, I pulled the source for the 8 extensions I actually have installed and ran each one through Claude Code with the same prompt:
Here is the source code for the extension [name]. I want to know if its behavior matches its advertised function.
1. List every permission requested in manifest.json, and for each one, tell me whether the extension's stated purpose actually justifies it.
2. Find every network call (fetch, XMLHttpRequest, chrome.tabs.create, chrome.tabs.update) and tell me which domain it targets.
3. For each call you find: does it stay limited to data already present on the page I'm visiting, or does it reach out to an external database, a third-party service, or an affiliate domain?
4. Flag any chrome.tabs.create or window.open that fires without a visible user action, and check if that tab gets closed automatically right after (classic cookie stuffing pattern).
5. Compare the list of contacted domains against the extension's public description on the store.
What KDSpy Actually Does
One result I can actually stand behind: KDSpy, an extension I use to track Kindle sales data. The audit came back clean, it only works with data already sitting on the Amazon page I'm looking at, no calls out to some proprietary database, nothing exfiltrated anywhere. Sonnet choked on parsing the minified build the first time around, had to point Opus at it instead, small tax for auditing an obfuscated bundle. π€
I ran the other 7 through the same prompt too. I'm not going to pretend I have a clean verdict on each one. That would be its own article, and slapping a blanket "safe" on 7 extensions based on one afternoon of prompting is exactly the overconfidence this whole piece is trying to avoid.
Half of these extensions I don't even remember installing on purpose. One of them showed up because a client wanted a PDF-to-CSV converter for an invoice export, and I never uninstalled it after the contract wrapped 2 years ago. It still has clipboard access. I have no idea why a CSV converter needs clipboard access. That's a problem for a different Tuesday.
Static audit through Claude Code has one honest limit worth naming. It reads the code as written, it can't see behavior that depends on a config file pulled in remotely after the fact, and heavily obfuscated code can hide plenty from a first pass. A clean scan today isn't a permanent guarantee, especially after the next update or the next change of ownership.
What KDSpy gets right is basically the mirror image of what Phia got wrong: it reads what's in front of it and stops there. I ran the same discipline on 8 months of unsupervised AI agent pip installs a while back, same principle, different layer of the stack. Turns out Claude Code storing 600 credentials in plaintext is the same story too, no badge on any store would have told you that either. The moment you stop reading what a tool actually does and start trusting what it claims to do, you've already lost.
The Next Version Won't Open a Tab
Agentic traffic is up 7,851% according to HUMAN Security's 2026 report. Morgan Stanley expects almost half of online shoppers to use AI agents by 2030, accounting for about 25% of their spending. That's not a distant hypothetical anymore, that's a curve already bending.
An agent buying on your behalf has no reason to notice a hidden tab opening and closing. You might, in theory, catch the flicker if you're staring at the screen at the exact moment it happens. An agent isn't staring at anything, it's just executing the checkout flow it was told to run, no HAL 9000 dramatics, just quiet compliance. The last-click problem doesn't go away with AI shopping. It just gets a lot harder to catch mid-transaction.
I checked KDSpy because it seemed like the safest bet on my list, the one extension I'd have vouched for without looking twice. It came back clean. That's not really the point. The point is I had no way of knowing that until I actually looked, and neither did anyone who clicked install on Phia because Phoebe Gates' name was on the funding round.
Sources
- TechCrunch: Phia accused of cookie stuffing
- Sneha Rampalli, I almost worked at Phia
- McAfee Labs: Malicious cookie stuffing Chrome extensions
- Is That Chrome Extension Safe? 7 Checks Before Install
- ppc.land, on HUMAN Security's 2026 agentic traffic report
- commercetools, citing Morgan Stanley's agentic commerce forecast
This post may contain affiliate links. If you click them, I might earn a small commission (costs you nothing, and helps me keep shipping quality articles every day for your reading pleasure).
Cookie stuffing sent people to prison in the 2000s, but Phia just raised $43M doing it with a feature flag. Before you ship anything with affiliate code or hidden redirects, check the demo-vs-product checklist in the kit, specifically the production visibility and error recovery sections that catch this stuff.