What Is an Affiliate Subnetwork? (And Why They're Your Biggest Fraud Risk)

An affiliate subnetwork is a publisher in your affiliate programme that recruits and manages its own pool of sub-publishers. Instead of promoting your brand directly, it acts as a middleman, recruiting dozens or hundreds of individual promoters, such as content sites, affiliates, or technology partners who all operate under a single affiliate ID. You see one entry in your programme. In reality, you've let in an unknown number of publishers you've had minimal to no vetting of.

That distinction matters, because subnetworks are the single biggest source of affiliate fraud we see at Marcode.

This article explains how they work, why the fraud risk is so high, and what you should look for before approving one.

---

How an Affiliate Subnetwork Works

In a standard affiliate programme, the chain looks like this:

Brand → Affiliate Network → Publisher

You approve each publisher individually. You can see who they are, what sites they run, and what promotional methods they use.

A subnetwork inserts an extra layer:

Brand → Affiliate Network → Subnetwork → Sub-Publishers

The subnetwork joins your programme as a single publisher. Behind that one approval, they bring in their own network of sub-publishers, who each promote your brand using the subnetwork's affiliate ID. You have no direct relationship with any of them. For the most part they never went through your approval process.

A sub-publisher could be a legitimate content site, a cashback platform, or a hijacker running fake Google Ads on your brand terms. From your affiliate network's reporting, they all look the same.

---

Why Brands Approve Subnetworks

Subnetworks do offer some genuine advantages, which is why they're common in larger programmes.

The main draw is scale. Instead of individually recruiting and vetting dozens of publishers, you get access to a ready-made pool through a single partnership. Some subnetworks specialise in specific publisher types, such as editorial content sites, international markets, or influencer networks, where it would be impractical to recruit sub-publishers directly. Some subnetworks, such as Skimlinks (who are a trusted partner) have exclusive deals with well known publishers, so the only way you can work with them is via the subnetwork.

For a brand wanting fast growth in a new market, or even just to scale their existing programme quickly it's an appealing shortcut. The problem is what comes with it.

---

Why Subnetworks Are the Highest Fraud Risk in Affiliate Marketing

The risks aren't incidental. They're structural.

You get aggregate reporting, not individual visibility

Most subnetworks only report at the network level. You see total clicks, conversions, and revenue from that one affiliate ID. You don't see which sub-publisher drove which sale. You are unaware of where that sale is coming from.

That means if there is fraudulent activity happening in the subnetwork, it is much harder to diagnose. You don't know who the specific affiliate is driving the sales, so you can't say whether it is realistic or not. Transparency is a major concern.

Their vetting is often non-existent

To maximise their publisher base, many subnetworks accept sub-publishers with minimal or no review. There's often no check on previous fraud violations, no verification of how they plan to promote brands, and no process for reviewing the sites they operate.

The result: your programme becomes accessible to anyone who can pass a subnetwork's low bar for entry, including people who would never get through your own application process.

Banned affiliates can walk straight back in

One of the most common patterns we see: you catch a fraudulent affiliate, remove them from your programme, and think that's the end of it. They join a different subnetwork or even the same one under a different name, and they're back within days.

Because the subnetwork doesn't check whether applicants have been banned elsewhere, and because they appear under the subnetwork's ID rather than their own, you won't know it's the same bad actor. Without visibility into sub-publisher details, there's no way to connect the dots.

We often see fraud stopped on one subnetwork, only to restart the next day via another one.

Hijackers specifically route through subnetworks to avoid detection

Ad hijacking, where an affiliate bids on your brand terms in Google or Bing to intercept clicks and claim commission on sales you'd have received anyway, predominantly comes through subnetworks. The reason is straightforward: subnetworks give hijackers cover.

Operating under a subnetwork's affiliate ID, hijackers are hidden from your standard network reporting. If you're not extracting the SubID, ClickID, and SiteID from the redirect chain, you'll see a violation in your monitoring tool but no clear path to the responsible party.

The same applies to fake discount sites, which use subnetworks to operate dozens of fraudulent coupon pages under a single affiliate ID.

Browser extensions use subnetworks to hide at scale

Rogue browser extensions are one of the most common types of affiliate fraud, and subnetworks are one of their primary routes into programmes. An extension that injects affiliate cookies or claims last-click attribution at checkout can potentially operate across hundreds of brands at once. But to do that, it needs programme access without scrutiny.

Applying directly to each brand would expose the extension's behaviour during vetting. Joining a subnetwork sidesteps that entirely. The extension operator gets access to multiple programmes through a single subnetwork approval, and the resulting conversions appear in your reporting under the subnetwork's affiliate ID. Nothing in that report tells you the sales are coming from an extension intercepting customers at checkout rather than content driving genuine traffic.

The scale here is significant. A single extension, operating through a handful of subnetworks, can embed itself in dozens of programmes simultaneously. Each brand sees a plausible-looking revenue contribution from an affiliate they recognise. None of them see the full picture.

Marcode monitors browser extensions directly, identifying which extensions are active, which affiliate IDs they're using, and whether those IDs route through a subnetwork. That combination of extension detection and sub-publisher identification is what makes it possible to act on the problem rather than just observe it.

Performance that doesn't add up is a major red flag

One of the clearest signals that a subnetwork is harbouring fraud is performance data that's wildly out of line with comparable activity elsewhere in your programme.

If you run an influencer subnetwork alongside direct influencer partnerships and the subnetwork is delivering a 10% conversion rate while your direct influencer activity converts at 2%, that discrepancy needs an explanation. Legitimate influencer traffic behaves in roughly predictable ways. A fivefold difference doesn't happen without a reason.

The same applies to revenue spikes. A subnetwork that delivers a consistent volume and then suddenly drives a significant surge, with no corresponding campaign, seasonal reason, or obvious traffic source, should raise immediate questions. Fraudsters can turn volume up quickly. Legitimate publishers can't.

Without sub-publisher visibility, you can't interrogate the data. You just see the aggregate number and have no way to understand what's behind it. That's another reason the transparency gap is so damaging: it stops you from asking the right questions in the first place.

Don't take the evidence subnetworks provide at face value

When you raise a concern about unusual performance, a common response is for the subnetwork to send you a list of publishers or influencers who supposedly drove the sales. On the surface, this looks like transparency. In practice, it often isn't.

The sites and profiles on that list deserve scrutiny. If an influencer supposedly drove a significant volume of conversions for your brand, check their profile. Do they have the audience size to make that plausible? Have they actually posted about your brand? Is the engagement real? Often the answer is no. A micro-influencer with a few thousand followers is not generating hundreds of conversions in a week.

More sophisticated fraudsters go further. They inject a legitimate publisher or influencer's ID into the URL path of their traffic, making it appear in reporting as though the sale came from a genuine source when it actually came from an extension, a hijacker, or a completely different traffic source. The subnetwork can then point to that publisher ID as evidence of legitimate activity.

Treat any evidence a subnetwork provides as a starting point for your own verification, not a final answer. If the numbers don't match what that publisher could realistically generate, push back hard.

---

What Affiliate Networks Require from Subnetworks (and Why It's Rarely Enforced)

Most major affiliate networks have policies that are supposed to address the visibility problem. Awin, CJ, Impact, and Rakuten all require subnetworks to disclose their sub-publishers and pass through tracking identifiers so brands can see where traffic is actually coming from. These policies exist specifically because the industry recognised the fraud risk.

In practice, compliance is inconsistent at best.

Networks operate at scale. Policing whether every subnetwork is correctly passing sub-publisher tracking parameters on every conversion isn't something that happens systematically. It falls to brands to notice when data is missing, raise it with their network account manager, and follow up. Most brands don't have the visibility to know the data should be there in the first place.

There are two places tracking data needs to be present: in the click, and in the transaction.

The click is what happens when someone follows a link to your site. The tracking parameters in that URL — SubID, ClickID, SiteID — identify the sub-publisher who sent the visitor. The transaction is what happens when that visitor converts and a sale is recorded in the network.

For a brand to know which sub-publisher drove a specific sale, the tracking ID from the click needs to be passed back with the transaction. On Awin, for example, subnetworks are required to include a clickref with every transaction — a reference that ties the recorded sale back to the click, and by extension to the sub-publisher who sent it. Without it, the sale appears in your transaction report attributed to the subnetwork, but with no information about which sub-publisher was responsible.

This is where compliance most commonly breaks down. Many subnetworks don't pass the clickref or equivalent identifier back with transactions, either through poor implementation or deliberate omission. The click happened, the sale fired, commissions were paid — but your transaction report has no sub-publisher attribution. You have no way to know which part of the subnetwork drove that revenue, which makes it impossible to identify whether any of it was fraudulent.

Networks don't catch this systematically. Most brands don't notice until they start investigating a specific problem and realise the data they expected to be there simply isn't.

This is the gap Marcode closes. Rather than relying on what a subnetwork chooses to pass through their own reporting, Marcode extracts sub-publisher identifiers directly from the redirect chain at the point of detection. When a violation is caught, the full redirect chain is captured and analysed regardless of whether the subnetwork is meeting their network's reporting obligations. The SubID, ClickID, and SiteID are pulled from the URL itself, giving you the evidence you need to hold the subnetwork accountable even when they haven't volunteered the information.

---

What We See at Marcode

We're often asked whether subnetwork fraud is a minor edge case or a genuine problem. It's the latter. The overwhelming majority of fraudulent activity we detect comes through subnetworks, not direct publishers.

The most striking example we've seen: a large consumer-facing brand had 12 subnetworks live simultaneously, all of which were being actively used by hijackers. Each subnetwork was a separate route in, and each one was hiding the same types of bad actors behind aggregate reporting. The brand had no visibility into what was actually happening because the violations all appeared under subnetwork affiliate IDs.

When know, because of ad accounts, fake websites, and redirect chains, the same fraudulent operators were appearing across multiple subnetworks. They'd been removed from one route in and found another. Some had been doing it for months.

That's the compounding problem with subnetworks: it's not just that one subnetwork might harbour a bad actor. It's that bad actors spread across multiple subnetworks simultaneously, and without monitoring you have no way to know.

We commmonly get contacted when a brand has suspicions about the revenue a subnetwork is driving, but can't prove it. We provide that evidence.

Marcode's automated analysis runs constantly, so you can quickly identify subnetworks that are a repeat problem, and when a bad actor moves onto a new subnetwork. It's how brands can move from "we know there's fraud" to "here's who's doing it and here's the evidence."

---

The APMA Subnetworks Matrix: Useful, With Caveats

The Affiliate and Partner Marketing Association (APMA) publishes a subnetworks matrix evaluating over 20 networks across transparency, publisher management, technology, and support. It's a useful starting point when you're assessing whether to work with a particular subnetwork.

That said, it's worth understanding how it's put together: the data is largely self-reported. Subnetworks fill in their own answers. There's no independent audit of whether what they claim about their vetting processes or transparency standards actually holds up in practice.

So treat the matrix as directional rather than definitive. A subnetwork that scores well is worth investigating further. A subnetwork that scores poorly, or that didn't respond to the survey at all, should be a significant red flag. But a strong score doesn't mean you can skip due diligence.

The matrix is available through the APMA research library at theapma.co.uk.

---

Key Takeaways

• A subnetwork is a publisher that manages its own pool of sub-publishers, all operating under a single affiliate ID in your programme
• There are real advantages: scale, niche reach, and access to publishers you couldn't recruit directly. Some, like Skimlinks, are genuinely well-run
• The core risk is visibility: you approve one entity but get an unknown number of publishers you've never vetted
• The vast majority of affiliate fraud, including ad hijacking, fake discount sites, and rogue browser extensions, routes through subnetworks
• Browser extensions in particular use subnetworks to embed across dozens of programmes simultaneously without individual scrutiny
• Banned affiliates routinely rejoin programmes through subnetworks, often across multiple networks at once
• Performance that looks wildly out of line with comparable activity, and subnetwork-provided evidence that doesn't survive basic scrutiny, are both strong fraud signals
• Major affiliate networks require subnetworks to pass sub-publisher tracking data, but enforcement is inconsistent and many don't comply
• Marcode extracts SubID, ClickID, and SiteID directly from the redirect chain, giving you the evidence you need regardless of what the subnetwork reports

---

For practical guidance on vetting subnetworks before you approve them, monitoring them once they're live, and knowing when to remove one, see our follow-up guide: [How to Vet and Manage Affiliate Subnetworks].

If you're already dealing with suspected subnetwork fraud, Marcode can help. We detect hijacking, fake discount sites, and rogue browser extensions, extract sub-publisher identifiers from the redirect chain regardless of what the subnetwork reports, and give you the evidence you need to act.