
AppsFlyer Mobile SDK Supply Chain Breach — Enabled Downstream Crypto Theft

📅 2026-03-19

Incident Details

AppsFlyer, one of the world’s largest mobile attribution platforms, whose SDK is embedded in thousands of iOS and Android applications including crypto wallets and fintech apps, suffered a supply chain breach in which its SDK was manipulated to intercept cryptocurrency transaction addresses. The compromised SDK code substituted attacker-controlled cryptocurrency wallet addresses for legitimate recipient addresses in apps that displayed crypto send confirmations, enabling theft of funds from users who believed they were sending crypto to legitimate recipients. This ‘address substitution’ attack is a sophisticated mobile supply chain attack that exploits the ubiquity of analytics SDKs in mobile applications. Downstream theft of cryptocurrency from affected app users was reported. AppsFlyer is used by approximately 80% of top-grossing mobile apps globally for marketing attribution, making any SDK compromise an extreme supply chain risk.

Technical Details

Initial Attack Vector
AppsFlyer's mobile attribution SDK — embedded in thousands of iOS and Android applications — was compromised; attackers used malicious SDK code to intercept cryptocurrency wallet addresses in apps that used AppsFlyer for mobile marketing attribution
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2026-03-19 Breach occurred
  2. 2026-03-19 Publicly disclosed