Don’t Get Scammed During the Hypest Moment in History

This year’s Summer Olympics in Tokyo may arguably be one of the hypest and most technologically advanced sporting events in history. Unfortunately, many people will not be able to attend in person, and will miss out on the debut appearance of surfing and skateboarding at the Olympics and their chance to high-five Human Support Robots.

With an estimated 7.8 million tickets for sale, the Olympics will draw massive crowds but will also bring major heartbreak and risk for spectators around the world who are hoping to experience the games in person. To make matters worse, of the projected 7.8 million available tickets, it’s estimated that only 30% will be reserved for international sale…and I have bad news for you. Most of those tickets are already sold out.

An Opportunistic Landscape

Only residents of Japan can purchase tickets directly from the Official Tokyo 2020 ticketing website. Those of us who live outside of Japan must purchase tickets from an Authorized Ticket Reseller. For example, CoSport is the authorized ticket reseller for residents of the United States. But due to high demand, Authorized Ticket Resellers have been selling out almost immediately around the world. Even athletes will likely have a hard time acquiring extra tickets for their friends and family. 

This extreme demand, coupled with a limited availability of tickets, has created an opportunistic landscape for cyber criminals and a serious risk for spectators who have missed out on the opportunities to obtain Olympic tickets from official retailers.

The threat is so real that Japan has passed legislation making ticket scalping illegal. The first lottery drawing even happened after the law went into effect. Those caught scalping Olympic tickets in Japan have no excuse and could be placed in jail or fined.

Stressing Application Resources

The high demand for tickets has also put a stress on networks and application resources dedicated to the ticket distribution process. Ticketing websites over the last year have faced a number of problems during lottery signups, lottery drawings and standard ticket sales, due to the large flood of traffic from hopeful spectators.

For example, signups for the first round of Japan’s domestic lottery opened on May 9th and ran until May 28, 2019. This process was severely impacted within the first hour by a flood of hundreds of thousands of users trying to enter the lottery for a chance to purchase a ticket. This traffic persisted throughout the month, and it was reported that the official ticketing website saw 24.25 million requests during May 2019.

The most impressive part about the demand in the first round was that 7.5 million residents of Japan signed up for the lottery with their Olympic ID. To put this in perspective, there are only 7.8 million tickets available for the Summer Olympics, in total!

While Olympic organizers and authorities have done everything they can to prevent ticket fraud, profiteers have been able to find ways to bypass Japan’s Olympic ticketing system.

In an interview posted in Japan Today, Mr Z, a ticket scalper, detailed how he bypassed Japan’s lottery restrictions for profit. Mr Z leveraged a network of 400 Chinese residents in Japan who work as line standers. For those unfamiliar with this line of work, line standers are used to physically or digitally stand in line for a buyer. Typically, they are used for popular concert tickets or limited release clothing items. Mr Z’s group of 400 human bots were able to register and obtain 80 tickets for resale during the first round of Japan’s lottery.

The problem isn’t just the simple (yet effective) bypass of incentivizing Chinese residents living in Japan to register for the lottery strictly for the purpose of reselling their tickets. It also includes e-commerce bots designed to automate the process of purchasing an item or creating an account.

Last year, Olympic organizers discovered that 6,900 tickets were purchased in the first round of the domestic lottery with fraudulently created Olympic IDs. The organizers revealed that around 30,000 official Olympic IDs were created by a scalping group in an attempt to game the domestic lottery. All tickets purchased by the criminal group were cancelled without a refund.

Beware Cyber Criminals

With the Olympics fast approaching, one thing is for certain: cyber criminals will be looking to profit by targeting unsuspecting spectators who missed out on purchasing official tickets with lures containing ticket offers, travel packages and other giveaways.

For example, an Olympic secondary ticket marketplace was recently compromised by a Magecart infection. Magecart is a criminal group that digitally skims credit card information from online payment forms by injecting malicious JavaScript into their targeted website.
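The site operator's side of that problem, as an added example that is not from the original article: a script inventory for a payment page that lists every script from a host outside an allowlist, every allowed third-party script without a Subresource Integrity hash, and every inline script, so each can be reviewed. The hostnames, the sample page and the `auditScripts` helper are constructed for illustration.

```javascript
// Added example: inventory the <script> tags on a payment page.
// Hostnames and the HTML below are constructed, not taken from any real site.
const ALLOWED_HOSTS = new Set(["pay.example"]);

const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://pay.example/sdk.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn-analytics.example/collect.js"></script>
<script>document.forms[0].addEventListener("submit", track);</script>
</head></html>`;

// Returns findings to review; a finding is a prompt for inspection, not a verdict.
function auditScripts(html, pageOrigin, allowedHosts) {
  const findings = [];
  const pageUrl = new URL(pageOrigin);
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2].trim();
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) {
      // Inline code has no URL to allowlist, so it always needs a human look.
      if (body) findings.push({ kind: "inline-script", detail: body.slice(0, 40) });
      continue;
    }
    const url = new URL(src[1], pageOrigin); // resolves relative paths
    if (url.origin === pageUrl.origin) continue; // first-party file
    if (!allowedHosts.has(url.hostname)) {
      findings.push({ kind: "unlisted-host", detail: url.hostname });
    } else if (!/\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(attrs)) {
      // Allowed host, but the browser cannot detect a modified file without SRI.
      findings.push({ kind: "missing-sri", detail: url.href });
    }
  }
  return findings;
}

console.log(auditScripts(SAMPLE_CHECKOUT_HTML, "https://tickets.example", ALLOWED_HOSTS));
```

Running the same inventory on a schedule and comparing it with the previous result shows when a new script appears on the payment page.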

Users who visit secondary ticket marketplaces looking for a last-hope ticket can expect to be targeted by everything from fraudulent resellers to organized criminal groups looking to skim payment and personal information from their legitimate purchases.

If you are planning on attending the 2020 Summer Olympics in Japan and still have not purchased an official ticket from an authorized reseller, exercise caution while searching for tickets or packages in the secondary marketplace. 

Because of the hype and high demand associated with the 2020 Summer Olympics in Tokyo, criminals will be looking to scam and profit off of those desperately searching for coveted Olympic tickets in the resale market. Criminals will be looking to leverage phishing attacks with Olympic-related lures to target their victims. Remember to legit-check emails and digital offers for tickets! Odds are, the offer is suspect and malicious in nature.

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.
