Beauty and the Beast
The return of a global icon like Celine Dion to the stage is more than just another concert, for fans, it is a once in a lifetime historic return. But where there is massive demand and widespread excitement, fraudsters see a golden opportunity. In this research, Group-IB discovered a sophisticated multi-layered scam scheme targeting fans eager to secure their tickets for Celine Dion’s upcoming French tour.
Group-IB analysts tracked a coordinated effort that blends high-pressure social engineering with technical digital manipulation. From scammers directly embedding themselves into online fanbase communities, to a network of professional fraudulent websites, built on the looks of official ticketing platforms, the “game” is played to perfection.
In this article, we break down how fraudsters abuse and manipulate the technical features of platforms like Ticketmaster to sell the same ticket indefinitely, or Shopify to appear like a legitimate merchant, leaving victims with empty wallets and no way into the venue.
Key discoveries
- Fraudsters are engaging in fraudulent sales of Celine Dion Paris concert tickets through social networks.
- Official platforms such as Ticketmaster are being misused, their legitimate ticket transfer feature exploited by fraudsters to resell the same tickets indefinitely to multiple victims.
- Fake websites reproducing official ticketing distributors are also being created to trick victims into making fraudulent ticket purchases..
- These fraudulent websites abuse Shopify’s legitimate payment infrastructure, and appear derived from a shared scam kit used in similar events in the past.
- Emotional manipulation plays a central role in the scheme, as fraudsters prey on victims desperate to find tickets for this highly sought after event.
Who may find this blog interesting:
- Cybersecurity and fraud teams
- Music industry
- Event industry
- Law enforcement investigators
- Cyber security researchers
- Informed online consumers
Group-IB Threat Intelligence and Fraud Protection Portals:
Group-IB customers can access our Threat Intelligence and/or Fraud Protection portals for more information about this scam:
How is the Scam Conducted Through Social Networks?
Initial step: Social media contact
Scammers aren’t just mass-sending phishing links anymore, they are playing a “long game” by embedding themselves into Facebook Groups and Facebook Marketplace. By hanging out in fan-centric spaces, they build a fake sense of community and trust before they ever mention a sale.
The biggest giveaway is the timeline anomaly. In this case, fraudsters claimed to have tickets available before the official presale date of April 6th, which would be impossible. In fact, if someone claims to have tickets before the venue has even released them, it is very likely, if not guaranteed, to be fraudulent.
Once the fraudsters have the victims’ attention, they switch to high-pressure social engineering tactics: they systematically create a sense of urgency by using a recurrent script. This artificial urgency is designed to make the victims act on impulse rather than logic.
Fraudster Urging the Victim (translated from French) Scammer: Okay. Well, keep me updated as fast as possible because I've received about fifteen messages, so it might go fairly quickly, but yeah, no problem.
Second step: Abusing the Ticketmaster platform
Once the victim is manipulated into proceeding with the ticket purchase, the scammers request to bypass official resale sites by insisting on a direct “peer to peer” bank transfer. They will request that money be deposited directly into a specified bank account, and upon payment confirmation, the victim actually receives a valid Ticketmaster link containing a dgital ticket with an entry code.
Fraudster Explaining the Payment Process (translated from French) Scammer: Then, I'll do the transfer via Ticketmaster. You will receive a link by email. You click on it, it redirects you to Ticketmaster, you log in to your account or create an account, and you will have your tickets on your profile as if you had bought the seats. And once transferred, I no longer have access to the seats. You have them on your Ticketmaster account as if you had bought them yourself in pre-sale or whatever. Let me know.
However, the core of the fraud relies on a duplication model. The fraudsters are distributing the exact same digital ticket, with identical entry codes, to multiple victims. Since the tickets are single-use, only the first person to scan the ticket at the venue’s access control points will get in, everyone else, will be turned away.
Another major red flag is in the payment details. The name registered to the bank account given doesn’t match the seller’s name on their Facebook profile. Even if scammers try to change the display name of a stolen or compromised account, it happens that the accounts reveal their original names in the urls, which gives us hints that we are facing a fraudster through a fake/stolen account.

Figure 1: Example of a Facebook profile used by a fraudster in this scheme, with a fake name that doesn’t match the account name in the URL.

Figure 2: A discussion with the fraudster sharing his RIB to purchase tickets via direct funds transfer.
After successfully receiving the money, the scammers usually take steps to hide their tracks. In one of Group-IB’s documented cases, after collecting all the evidence, the scammer’s Facebook profile was deactivated. This could be either a calculated move to delete the account to cover their tracks, or the profile may have been banned because of reports from victims. In either case, this tactic cuts off all communications between scammers and victims, making it harder to trace the individuals behind the scheme or for victims to seek recourse.
Through this investigation, Group-IB analysts had the opportunities to speak with different sellers, who are no longer faceless entities, but people trying to weaponize the emotional hype to cloud judgment. Whether it is a voice message or a high-pressure script in a private chat, the goal is always the same: the use of social engineering to bypass victim skepticism. However, this is only one side of the coin. While some scammers are focusing on social media, others prefer to design more technical traps for those who prefer to buy their tickets on “official websites”.
How is the scam conducted through fake websites ?
Exploiting the Shopify platform
The fraudulent websites observed through the course of this research were all found to exploit Shopify’s payment infrastructure and impersonate official distributors in order to appear legitimate to victims. However, the extent of this scam campaign does not stop at the impersonation of ticketing distributors such as AXS or Ticketmaster. Group-IB has also identified fake websites designed to mimic the official online presence of the singer as well as the venue stadium, Paris La Défense Arena, where the concert would take place.

Figure 3: Example of a fake website to buy concert tickets.
Examples of Shopify clone website
| Domain | Marque usurpée |
| axs-billetterie[.]com | AXS |
| celinedion-billetterie[.]com | AXS / generic |
| celinedion-paris-billetterie[.]com | AXS / generic |
| billeteriecelinedion[.]com | Generic FR |
| celinedionparistickets[.]com | Generic (EN) |
| www.celinedionparistickets[.]com | Generic (EN) |
| tickets-celinedion[.]com | Generic FR |
| celinedion-2026[.]com | Generic (EN) |
| celinedionofficial[.]com | Official (impersonated |
| celinedion-france[.]com | AXS / generic |
| celinedion2026tour[.]com | Official (impersonated |
| celinedion[.]co | Official (impersonated |
| fr-celinedionparis[.]com | Generic FR |
| celinedionparsifr[.]com | Generic FR |
| ticketmaster-celinedion[.]com | Ticketmaster |
| ticketmaster-celinedion[.]fr | Ticketmaster |
| celine-dion-paris[.]com | Generic FR |
| celinedionparis[.]com | Generic FR |
| celinedion-paris[.]com | Generic FR |
| celinedionofficial[.]com | Official (impersonation) |
| celinedion-fr[.]com | Generic FR |
| celine-dion-arena[.]com | Arena (impersonation) |
| celinedion-parisladefense-arena[.]com | Arena (impersonation) |
Many of these websites have a dedicated payment page displayed through the use of the sub domain -pay.
Examples of payment interface
| Domain |
| pay.ticketmaster-celinedion[.]com |
| pay.celinedion-parisladefense-arena[.]com |
| pay.celinedionparistickets[.]com |
| pay.celinedion-paris[.]fr |
| pay.celinedionparis[.]com |
Last but not least, some pages also have a personal account interface which imitates the same connection system as in Ticketmaster or AXS (official distributors of tickets). These pages are found through the use of sub domain -account. and are displaying a Shopify client ID (OAuth).
Examples of authentication pages
| Domain | Shopify ID OAuth |
| account.celinedion-parisladefense-arena[.]com | a53f5577-962a-4b5c-96cd-03e498fb55d5 |
| account.celinedion-paris-billetterie[.]com | 96d99313-0cf3-46ba-948f-066e2979c652 |
| account.celine-dion-arena[.]com | 4983cefd-9810-444e-9eb0-64b4933878eb |
| account.ticketmaster-celinedion[.]fr | 7e7dbd4b-c5a9-4d4e-af60-64fd673ea525 |
To be noted that the account pages, Include the full set of parameters for a Shopify OAuth 2.0 flow in the URL:

Figure 4: Authentication flow parameters.
The customer-account-api:full scope is exclusive to the Shopify Customer Account API. This scope provides access to a customer account’s order history, email address, shipping addresses, and saved payment methods.
Moreover, by analysing the websites deeper, we can see in their internal structure that they are using the same patterns as used in Shopify. If we analyse, for instance, the first website of the list: axs-billetterie[.]com we can see that its images are using the path:

Figure 5: Internal path structure.
The use of /cdn/shop/files/ is very specific to the Shopify platform This is Shopify’s proprietary content delivery network (CDN), which is automatically enabled for all stores hosted on their infrastructure.
Same particularity can be observed for the authentication path which is also an exclusive path to the Shopify platform:

Figure 6: Authentication path usage.
And last but not least the use of ?v= and &width= is quite specific to Shopify use as well as the listing of product /products/ as in /products/celine-dion-samedi-19-septembre-2026-19h30.
Independent fraudsters but the same phishing kit?
While we may think that the Shopify exploit is used by multiple individuals, having a closer look to the account interfaces shown above can provide us with an assumption of an initial kit behind the multiple websites. By checking the state OAuth in the full url of the websites, we may notice the following:
| Domain | state OAuth |
| account.celinedion-parisladefense-arena[.]com | hWNArFqsvrke3GcGkFZxAqQd |
| account.celinedion-paris-billetterie[.]com | hWNArFqrU84fIsT8RqGf7zPf |
| account.celine-dion-arena[.]com | hWNArFqrbMvKRksSv7JganvH |
| account.ticketmaster-celinedion[.]fr | hWNAmhJgfrrdQ1bVJJXLbgCh |
This hWNA prefix seen in the examples above is not a random set of characters, and its presence for all the above domains is also not a coincidence. This is a shared, low-entropy random string generator, which is a common feature of standard phishing kits. Through this, we can deduce that these websites were created using the same toolkit
Finally, despite the French domain name, content, and obvious French-speaking target audience, all OAuth parameters contain locale=en-GB. This copy-and-paste error suggests that the kit was designed for an English-speaking audience and was repurposed without adjusting its technical parameters. It may not even be a stretch to suggest that we could be facing a recycling of the same kit used for similar international events in the past such as the 2024 Oasis tour in the UK, or the 2023–2024 Taylor Swift Eras Tour in the UK as well.
The technical evidence gathered in Group-IB’s research, from identical “hWNA” OAuth strings, to the repurposed UK English version of the scam kit, paints a clear picture. While these could appear as isolated scams, the evidence leads us to believe that we are facing the use of a single kit, deployed to systematically exploit this music event.
Conclusion: Think Twice
Ultimately, we see that such an event generates excitement and provides scammers with another opportunity to make a fortune at the expense of unsuspecting fans. Scammers are using increasingly sophisticated techniques, such as embedding themselves into social networking fan groups and speaking directly to their victims via voice messages to make the interaction more personal and gain their victims’ trust more easily. Furthermore, official ticketing platforms are being misused to make scams seem legitimate.
Whether through social media or fake websites created specifically for the event, it is becoming increasingly difficult for fans to distinguish real information from fake. This is especially true for entertainment and music concerts since their adoration for the performing artist usually clouds their judgment, making them easier targets for malicious actors well-versed in this type of fraud.
Recommendations
- Always visit the official websites of official distributors of such events (in this case, AXS, Ticketmaster and Fnac).
- If buying a ticket from a reseller, the preference would be to purchase a physical ticket in person.
- If you fell for such a scam, directly call your bank to lodge an objection on your credit card or any payment you may have made.
- Always check the url of the website you are visiting to notice any suspicious information and compare the prices of the ticket with the prices on the official websites.
- If you are unsure whether a website is fake, there are public tools available for consumers to check a website’s reputation such as https://urlscan.com , https://virustotal.com , https://scamadviser.com/
Group-IB Fraud Matrix
Scam scheme conducted through social media:
Scam scheme conducted through fake websites:
Indicators of Compromise (IOCs)
Domains used by fraudsters
| URLS | |
| hxxps://pay.ticketmaster-celinedion[.]com/ | |
| hxxps://pay.celinedion-parisladefense-arena[.]com/ | |
| hxxps://pay.celinedionparistickets[.]com/ | |
| hxxps://pay.celinedion-paris[.]fr/ | |
| hxxps://pay.celinedionparis[.]com/ | |
| hxxps://celinedionparistickets[.]com/ | |
| hxxps://celinedion-paris[.]fr/ | |
| hxxps://celinedion-paris[.]fr/ | |
| hxxps://celinedion[.]co/ | |
| hxxps://account.celinedion-parisladefense-arena[.]com/authentication/login?client_id=a53f5577-962a-4b5c-96cd-03e498fb55d5&locale=en-US&redirect_uri=%2Fauthentication%2Foauth%2Fauthorize%3Fclient_id%3Da53f5577-962a-4b5c-96cd-03e498fb55d5%26locale%3Den-US%26nonce%3D4cd5dff3-c483-4abd-a99e-c90be7965ef0%26redirect_uri%3Dhttps%253A%252F%252Faccount.celinedion-parisladefense-arena.com%252Fcallback%26response_type%3Dcode%26scope%3Dopenid%2Bemail%2Bcustomer-account-api%253Afull%26state%3DhWNArFqsvrke3GcGkFZxAqQd | |
| hxxps://account.celinedion-paris-billetterie[.]com/authentication/login?client_id=96d99313-0cf3-46ba-948f-066e2979c652&locale=en-US&redirect_uri=%2Fauthentication%2Foauth%2Fauthorize%3Fclient_id%3D96d99313-0cf3-46ba-948f-066e2979c652%26locale%3Den-US%26nonce%3D13b6260a-3cc5-4f4f-84d7-cb314641b7dc%26redirect_uri%3Dhttps%253A%252F%252Faccount.celinedion-paris-billetterie.com%252Fcallback%26response_type%3Dcode%26scope%3Dopenid%2Bemail%2Bcustomer-account-api%253Afull%26state%3DhWNArFqrU84fIsT8RqGf7zPf | |
| hxxps://account.celine-dion-arena[.]com/authentication/login?client_id=4983cefd-9810-444e-9eb0-64b4933878eb&locale=en-US&redirect_uri=%2Fauthentication%2Foauth%2Fauthorize%3Fclient_id%3D4983cefd-9810-444e-9eb0-64b4933878eb%26locale%3Den-US%26nonce%3Dc4f2c148-2acb-4684-b19e-097d64ab8dd6%26redirect_uri%3Dhttps%253A%252F%252Faccount.celine-dion-arena.com%252Fcallback%26response_type%3Dcode%26scope%3Dopenid%2Bemail%2Bcustomer-account-api%253Afull%26state%3DhWNArFqrbMvKRksSv7JganvH | |
| hxxps://celine-dion-arena[.]com/ | |
| hxxps://celinedion-2026[.]com/ | |
| hxxps://celinedion-2026[.]com/ | |
| hxxps://celinedionofficial[.]com/ | |
| hxxps://ticketmaster-celinedion[.]com/ | |
| hxxps://ticketmaster-celinedion[.]fr/ | |
| hxxps://account.ticketmaster-celinedion[.]fr/authentication/login?client_id=7e7dbd4b-c5a9-4d4e-af60-64fd673ea525&locale=en-US&redirect_uri=%2Fauthentication%2Foauth%2Fauthorize%3Fclient_id%3D7e7dbd4b-c5a9-4d4e-af60-64fd673ea525%26locale%3Den-US%26nonce%3Dcdc91d10-2a95-4f80-92cd-ba9204a5edd7%26redirect_uri%3Dhttps%253A%252F%252Faccount.ticketmaster-celinedion.fr%252Fcallback%26response_type%3Dcode%26scope%3Dopenid%2Bemail%2Bcustomer-account-api%253Afull%26state%3DhWNAmhJgfrrdQ1bVJJXLbgCh | |
| hxxps://www.celinedion2026tour[.]com/ | |
| hxxps://tickets-celinedion[.]com/ | |
| hxxps://celinedion-parisladefense-arena[.]com/ | |
| hxxps://fr-celinedionparis[.]com/ | |
| hxxps://celinedion-fr[.]com/ | |
| hxxps://www.celine-dion-paris[.]com/ | |
| hxxps://celinedion-paris[.]com/ | |
| hxxps://celinedionofficial[.]com/ | |
| hxxps://celinedionparis[.]com/ | |
| hxxps://celinedionparis[.]com/ | |
| hxxps://celinedionparis[.]com/ | |
| hxxps://celinedion-paris[.]com/ | |
| hxxps://celinedionviptickets[.]com/ | |
| hxxps://billeteriecelinedion[.]com/en/ | |
| hxxps://celinedion-france[.]com/ | |
| hxxps://celinedion-france[.]com/cart | |
| hxxps://celinedion-paris-billetterie[.]com/ |
Shopify ID
| URLS | Shopify customer ID |
| account.celinedion-parisladefense-arena[.]com | a53f5577-962a-4b5c-96cd-03e498fb55d5 |
| account.celinedion-paris-billetterie[.]com | 96d99313-0cf3-46ba-948f-066e2979c652 |
| account.celine-dion-arena[.]com | 4983cefd-9810-444e-9eb0-64b4933878eb |
| account.ticketmaster-celinedion[.]fr | 7e7dbd4b-c5a9-4d4e-af60-64fd673ea525 |
State OAuth
| URLS | State OAuth |
| account.celinedion-parisladefense-arena[.]com | hWNArFqsvrke3GcGkFZxAqQd |
| account.celinedion-paris-billetterie[.]com | hWNArFqrU84fIsT8RqGf7zPf |
| account.celine-dion-arena[.]com | hWNArFqrbMvKRksSv7JganvH |
| account.ticketmaster-celinedion[.]fr | hWNAmhJgfrrdQ1bVJJXLbgCh |
DISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.
Group-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.
This blog may reference legitimate third-party services such as Shopify, Ticketmaster, AXS, Fnac, and others, solely to illustrate cases where threat actors have abused or misused these platforms.
This material is provided for informational purposes, prepared by Group-IB as part of its own analytical investigation, and reflects recently identified threat activity.
All trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship.









