The Shadow Page Scandal: How Platform Giants Hijack Nonprofit Identity
GoFundMe created 1.4 million unauthorized donation pages using scraped IRS data, demonstrating why nonprofits must own their digital presence or risk losing control of their brand, their donors, and their revenue.
In October 2025, the nonprofit sector discovered that one of the largest crowdfunding platforms had been operating an unauthorized fundraising operation at massive scale. GoFundMe had auto-generated donation pages for over 1.4 million nonprofits without their knowledge or consent, using publicly available IRS 990 data to populate pages with mission statements, employer identification numbers, and organizational logos.
The mechanism was elegant in its exploitation: scrape public tax data, create official-looking pages, and leverage the platform's enormous domain authority to outrank the nonprofits' own websites in search results. When a donor searched "Donate to [Charity Name]," they were intercepted by a GoFundMe page that looked legitimate but served the platform's interests rather than the organization's. This wasn't a bug or an oversight—it was a business model built on appropriating nonprofit identity at industrial scale.
The Anatomy of Digital Identity Theft
To understand why this scandal matters, we need to understand how search engines determine what content to show. When multiple pages compete for the same search query, platforms with higher domain authority consistently win. GoFundMe, as a tech giant handling billions in transactions, possesses massive SEO weight. A small nonprofit's WordPress site, no matter how well-optimized, cannot compete.
Shadow Page
An unauthorized web page created by a third party using a nonprofit's name, logo, and mission without consent, designed to intercept donor traffic through superior search engine positioning. The page mimics official fundraising while directing fees, data, and control to the platform operator.
The shadow pages displayed detailed organizational information scraped from IRS filings—the same data that makes nonprofits transparent to regulators made them vulnerable to exploitation. Mission statements, financial summaries, and organizational details were all publicly available. GoFundMe simply automated the process of turning this data into competing donation portals. The result was a parallel fundraising universe where nonprofits had no visibility into who was donating, what they were being told, or how much money was being diverted.
This represents a new category of threat that most nonprofit technology strategies fail to address. Traditional cybersecurity focuses on preventing unauthorized access to your systems. Shadow pages don't require access—they simply clone your public identity and redirect your donors before they ever reach you.
The Hidden Revenue Extraction
The unauthorized pages weren't just intercepting traffic—they were extracting revenue through a mechanism designed to confuse donors. The checkout flow on these shadow pages included a default "tip" option, typically set at 15% to 16.5% of the donation amount. The interface made this tip appear as though it helped the charity cover processing costs. In reality, 100% of the tip went directly to GoFundMe. The nonprofit received nothing from it.
Standard Processing Fee
Legitimate payment processors charge 3-5% to cover credit card processing, security, and infrastructure costs. This is disclosed, expected, and necessary for digital transactions. The nonprofit understands and accepts this cost.
Deceptive Platform Tip
A pre-selected "tip" of 15%+ framed as helping the charity, but flowing entirely to the platform. The donor believes they're covering costs for the nonprofit; the nonprofit never sees the money and may not know the page exists.
The reputational damage compounds the financial harm. When donors eventually discovered that their "tips" didn't support the charity, many directed their anger at the nonprofits themselves. Organizations reported receiving complaints about being "greedy" for charging high fees—fees they never set and never received. The platform extracted revenue while the nonprofit absorbed the reputational cost.
This pattern reveals something important about the aggregator business model: when you don't own the donor relationship, you don't control the donor experience. Someone else is making promises in your name, and you're accountable for promises you never made.
The Legal and Regulatory Response
The shadow page scandal triggered legal action on multiple fronts. The Watts Law Firm LLP, alongside Arnold Gallagher, filed a class action lawsuit alleging exploitation of nonprofit identities and diversion of funds. Their argument centers on a straightforward principle: using an organization's name and identity to generate SEO traffic for a competing donation page constitutes identity theft, regardless of whether any explicit hacking occurred.
California's regulatory response provided additional legal framework through Assembly Bill 488, which establishes that charitable fundraising platforms cannot solicit donations for a nonprofit without written consent. The law requires platforms to verify that recipient organizations are in good standing, to provide transparent disclosure of all fees, and to distribute funds promptly. Critically, it affirms that solicitation without consent is illegal—full stop.
Key Insight
California AB 488 establishes that platforms must obtain written consent before soliciting in a nonprofit's name. This transforms unauthorized shadow pages from an ethical violation into a regulatory violation with enforcement mechanisms.
The anticipated legal action seeks to recover lost revenue, fees extracted through deceptive tips, reputational damages, and the operational costs nonprofits incurred responding to the crisis. Beyond financial recovery, the lawsuits aim to establish precedent that digital identity carries the same protections as physical identity—that "cloning" an organization's public presence for commercial gain isn't a gray area but a clear violation.
Digital Sovereignty as Defense
The shadow page scandal illustrates a fundamental vulnerability in how many nonprofits approach digital fundraising. The aggregator model—where platforms like GoFundMe or Facebook host donation functionality on their domains—creates structural dependency that can be exploited. When you're a tenant on someone else's platform, you're subject to their rules, their algorithms, and their business model changes.
Aggregator Model (Platform Rental)
The platform owns the page, the URL, and the donor data. You receive periodic disbursements and summary reports. The platform controls the donor experience, the fee structure, and the SEO. You're a passive recipient in someone else's system.
Direct Vendor Model (Digital Sovereignty)
You hire a vendor via contract for specific services. The donation form lives on your domain. Donor data flows to your CRM. Funds settle in your merchant account. You control the experience, the relationships, and the long-term asset value.
The distinction between these models isn't merely operational—it's existential. In the aggregator model, your donor relationships are mediated through a third party who has different incentives than you do. Their optimization target is platform growth and revenue extraction. Your optimization target is donor retention and mission advancement. These goals align some of the time and diverge the rest.
Digital sovereignty means owning the infrastructure through which donors interact with your organization. This includes: your donation forms on your domain, your donor data in your database, your merchant account receiving direct deposits, and your analytics tracking donor behavior. When you own these elements, no platform can intercept your donors, misrepresent your fees, or extract hidden revenue from your transactions.
Protecting Your Organization
The shadow page scandal offers concrete lessons for nonprofit technology strategy. First, audit your digital presence regularly. Search for your organization's name with terms like "donate" or "support" and examine what appears. If third-party pages rank above your own, you have a visibility problem that needs addressing regardless of whether those pages are malicious.
Second, invest in your own domain authority. The reason GoFundMe's shadow pages outranked legitimate nonprofit sites is that the platform had accumulated far more SEO weight. Consistent content creation, proper technical SEO, and building genuine backlinks from partners and supporters all strengthen your position. This isn't just marketing—it's defensive infrastructure.
Third, maintain direct donor relationships through owned channels. Every donation that flows through a third-party platform is a donor relationship you don't fully control. Email lists, donor databases, and direct communication channels should live in systems you own and operate. When platforms change policies or, as in this case, actively exploit nonprofit identity, organizations with direct relationships can adapt. Those dependent on platforms have no recourse.
Finally, understand your legal protections. California's AB 488 establishes clear requirements for charitable fundraising platforms, but enforcement depends on organizations understanding their rights and reporting violations. If you discover unauthorized pages soliciting in your name, document them, report them to your state's Attorney General, and consider whether collective legal action serves your interests.
Summary
The shadow page scandal exposed a structural vulnerability in nonprofit digital fundraising: when organizations rely on third-party platforms rather than owned infrastructure, they surrender control over their identity, their donor relationships, and their revenue streams. GoFundMe's creation of 1.4 million unauthorized pages demonstrated that this vulnerability can be exploited at industrial scale, with real financial and reputational consequences for organizations that did nothing wrong except trust the wrong model.
The solution isn't to avoid technology—it's to own it. Digital sovereignty means controlling the infrastructure through which donors interact with your mission. It means your domain, your data, your merchant account, and your donor relationships. Platforms that serve nonprofits as vendors, under contract and with clear accountability, offer genuine value. Platforms that position nonprofits as passive beneficiaries of someone else's system create dependency that can and will be exploited.
| Element | Aggregator Model Risk | Sovereignty Model Control |
|---|---|---|
| Donation Page | Platform owns URL, controls content | Your domain, your design, your messaging |
| Donor Data | Platform controls access and export | Direct flow to your CRM |
| Fee Structure | Platform sets fees, may add hidden charges | Transparent processor fees under contract |
| SEO Value | Builds platform's domain authority | Builds your domain authority |
| Brand Control | Platform can modify presentation | Complete control over donor experience |
References
- California Legislative Information. (2021). AB-488 Charitable organizations: charitable fundraising platforms and platform charities. California State Legislature. Legislature →
- Watts Law Firm LLP. (2025). GoFundMe Lawsuit: Legal Action Against Unauthorized Nonprofit Fundraising. Watts Law Firm. Watts Law →
- California Office of the Attorney General. (2024). Charitable Fundraising Platforms and Platform Charities: Final Regulations. California Department of Justice. CA AG →
- Davis Wright Tremaine LLP. (2024). AB 488: California Issues Final Regulations for Online Charitable Fundraising Law. DWT Insights. DWT →
Toxic Revenue Part 2: The GoFundMe Shadow Page Scandal
Hear this research discussed in depth on the Fundraising Command Center Podcast.