All they did was add their own affiliate link to crypto links that didn't have them. You didn't get tracked from it, and you didn't lose out on anything.

Still sketchy because of the lack of consent, but people act like Brave personally stole money from them.

The other "sketchy crypto stuff" is one of the few actually workable alternatives to funding websites with ads on webpages. Again, Brave took in no money (BAT) that you as an admin / creator would have otherwise had, and they keep it in escrow, they don't claim it.

The only other sketchy thing I can remember is pre-installing a deactivated VPN so that people could pay, push a button and it'd work immediately. Plenty of companies do hacks like that for the sake of UX. Dropbox used to hack macOS its Accessibility permission so people wouldn't have to dive into settings to toggle certain things.

The irony is that Firefox has had their own scandals like surreptitiously installing a hidden ad extension that would advertise for Mr. Robot, but somehow Firefox stans have erased that kerfuffle from their collective memory.