Raiffeisen Bank’s Russian division recently identified a sophisticated scheme of affiliate marketing fraud that was artificially inflating customer acquisition costs while cannibalizing organic and paid search traffic. The discovery was made following a collaborative investigation between the bank’s internal marketing team and analysts from OWOX BI, a leading data analytics firm. By leveraging raw data processing and cloud-based warehousing, the financial institution was able to pinpoint specific dishonest affiliates who were utilizing malicious browser extensions to hijack attribution and claim unearned commissions.
The investigation began when Raiffeisen’s marketing department noticed a troubling trend in their performance metrics. Despite a significant increase in the budget allocated to Cost Per Action (CPA) affiliate networks, overall revenue and the number of new loan and credit card applications remained stagnant. Furthermore, internal technical logs revealed a recurring anomaly: customers frequently experienced session breaks while in the middle of filling out application forms on the bank’s website. These technical glitches, combined with the soaring costs of affiliate traffic, led the bank to suspect that their traffic source data was being manipulated by external actors.
The Mechanics of Attribution Theft in Digital Banking
In the competitive landscape of digital banking, affiliate marketing is a cornerstone of customer acquisition. Banks pay "webmasters" or affiliates a fixed commission for every successful lead or completed application. This model, known as CPA, relies heavily on "last-click" attribution, where the last source the user clicked before converting is credited with the sale.
Raiffeisen’s hypothesis focused on a technique known as source substitution or "cookie stuffing." The bank suspected that users were unknowingly installing browser extensions designed to offer discounts or coupons. When a user navigated to the Raiffeisen checkout or application page, these extensions would trigger a pop-up window offering a generic discount or a reminder of a reward. If the user clicked any part of this pop-up, the extension would instantly rewrite the traffic source data in the user’s browser cookies.
By injecting their own affiliate ID at the very last moment of the transaction, the fraudulent partners could claim credit for a customer who might have originally arrived at the site via a paid Google search (CPC) or through a direct organic search. This not only resulted in the bank paying commissions for customers they had already "won" through other channels but also created technical friction. The act of rewriting the cookie often forced a refresh or a session reset, explaining the session breaks reported by frustrated applicants.
Chronology of the Investigation and Data Integration
To validate these suspicions, Raiffeisen Bank required a level of data granularity that standard web analytics tools could not provide. Most off-the-shelf analytics platforms use sampled data and do not provide the hit-level timestamps necessary to track rapid changes in user sessions. The bank partnered with OWOX BI to implement a more robust data architecture.

The first phase of the project involved the implementation of the OWOX BI Pipeline. This tool was used to bypass the limitations of standard Google Analytics by streaming raw, unsampled data directly from the bank’s website into Google BigQuery. This move was critical for two reasons: first, it ensured the data met the high security and compliance standards required for the banking sector; second, it allowed analysts to see the exact timestamp of every single "hit" or interaction a user had with the site.
In the second phase, analysts defined the specific parameters needed to detect the fraud. They focused on collecting four primary data points: the Client ID (a unique identifier for each browser), the Hit Timestamp (to the millisecond), the Page Path (to track where the user was in the funnel), and the Traffic Source (to see who was claiming credit for the visit).
The third phase involved a deep dive into the sequence of user actions. By querying the BigQuery database, the team looked for a very specific pattern: a user who is active on an application page, followed by a sudden session termination, and an immediate new session start on the same page within less than 60 seconds, but with a different traffic source.
Analyzing the Data: Evidence of Bad Faith
The results of the data processing were definitive. By filtering the raw logs, the OWOX BI team was able to isolate thousands of instances where a user’s traffic source was changed mid-application. The data revealed that several affiliate partners were systematically "robbing" other marketing channels.
The analysis showed that a significant portion of the traffic being credited to specific CPA networks was, in fact, originally sourced from organic search or the bank’s own paid search campaigns. For example, a user would find the bank through a Google search for "low-interest credit cards," click an official bank ad, and begin the application. While they were typing their information, a browser extension would trigger a "discount" pop-up. The moment the user interacted with it, the extension would refresh the session with an affiliate tracking link. To the bank’s automated systems, it looked as though the affiliate had sent the customer, and the bank would subsequently pay that affiliate a commission, despite having already paid for the initial CPC click.
To make the data actionable for the marketing team, the analysts imported the findings from BigQuery into a pivot table via Google Sheets. This report identified the specific "Webmaster IDs" associated with the suspicious session breaks. It provided a clear breakdown of how many transactions were stolen from which channels, allowing the bank to quantify the financial damage.
Official Response and Strategic Adjustments
Upon reviewing the evidence, Raiffeisen Bank took immediate corrective action. The bank’s marketing leadership, headed by Dmitriy Berezin, utilized the reports to confront the affiliate networks. The data provided an irrefutable "paper trail" of the fraudulent activity, showing the exact moments when the source substitution occurred.

As a direct result of the investigation, Raiffeisen Bank terminated its relationship with two major affiliate partners found to be acting in bad faith. By removing these entities from their marketing mix, the bank was able to significantly reduce its customer acquisition costs without seeing a corresponding drop in actual conversions. The "lost" conversions simply reverted to their original, rightful channels—organic and CPC—which were already being tracked and funded.
Dmitriy Berezin, Head of Online Sales at Raiffeisen Bank, emphasized that the project was not just about catching fraud, but about optimizing the entire marketing ecosystem. With over eight years of experience in digital marketing and a focus on customer engagement, Berezin noted that protecting the integrity of the customer journey is paramount. The session breaks caused by the fraudulent extensions were not just a financial drain; they were a user experience failure that could have driven potential customers to competitors.
Broader Impact and Industry Implications
The Raiffeisen case highlights a growing challenge in the global digital economy. Ad fraud is estimated to cost businesses billions of dollars annually, with affiliate fraud being one of the most difficult types to detect due to its "last-click" nature. Financial institutions are particularly lucrative targets for such schemes because the commissions for banking products are often much higher than those in retail or travel.
This investigation underscores the necessity for companies to move beyond basic analytics and toward comprehensive data ownership. The use of cloud warehouses like BigQuery and streaming pipelines allows companies to perform forensic-level analysis that was previously impossible. For the broader industry, the Raiffeisen case serves as a blueprint for how to combat "cookie stuffing" and attribution theft.
Furthermore, this event illustrates the evolving role of the web analyst. Victoriia Pashchenko, the lead analyst from OWOX BI on this project, noted that the ability to track the sequence of user actions across sessions is the "holy grail" of performance marketing. Without the ability to see what happens between the clicks, companies remain vulnerable to automated scripts and malicious extensions that exploit the gaps in traditional tracking.
In the long term, Raiffeisen Bank has integrated this monitoring system into its regular reporting workflow. The bank now maintains a dashboard that flags suspicious session resets and source changes in real-time. This proactive stance ensures that marketing budgets are allocated to partners who provide genuine value and reach new audiences, rather than those who simply intercept existing customers at the finish line.
The successful resolution of this challenge has allowed Raiffeisen to reallocate its saved budget into more productive areas, such as improving the user interface of their digital banking apps and expanding their reach in legitimate, high-performing channels. As digital fraud becomes more sophisticated, the marriage of marketing expertise and deep data science remains the most effective defense for modern enterprises.








