As the 2026 FIFA World Cup draws closer, cybercriminals are moving fast to cash in on the excitement. Researchers have uncovered a massive fraud operation targeting fans of the world’s biggest football tournament, with over 300 fake domains already live.
The operation is sophisticated, well-funded, and built to deceive even cautious users. With billions of dollars at stake, this campaign is one of the most serious cyber threats tied to a major sporting event.
The campaign exploits the enormous demand for FIFA World Cup 2026 tickets, hosted across the United States, Canada, and Mexico.
More than 150 million tickets were requested within just the first 14 days of the sales window, creating the desperate urgency that scammers thrive on.
Fraudsters have built a wide network of fake websites designed to look exactly like official FIFA platforms, and victims who land on these pages have no easy way to tell they are on a fraudulent site.
Group-IB said in a report shared with Cyber Security News (CSN) that researchers identified six distinct fraud schemes, four independent threat actors, and over 3,500 fraudulent domains impersonating FIFA’s web presence.
At the center sits the threat actor designated GHOST STADIUM, a Chinese-speaking, financially motivated operator running a coordinated phishing campaign across more than 300 domains. The total financial losses from this campaign alone could reach into the billions.
Six separate fraud schemes are running in parallel, each targeting football fans differently. These include credential phishing, fake ticket sales, counterfeit merchandise storefronts, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft.
Each scheme has its own monetisation method, making the entire operation difficult to dismantle with a single takedown. Together, they form a growing fraud ecosystem actively expanding as the tournament approaches.
Over 2,513 confirmed FIFA account credential pairs are already circulating on dark web markets at prices between $5 and $50 per pair.
These were not stolen through targeted phishing but harvested incidentally by mass infostealer campaigns dominated by the Vidar and Lumma malware families.
Approximately 170,000 infostealer logs containing FIFA references have been identified, showing how wide the credential theft pipeline has grown well ahead of kick-off.
GHOST STADIUM Phishing Campaign
The GHOST STADIUM phishing kit is a custom React-based single-page application that clones the official FIFA website with near pixel-perfect accuracy.
Built on the Layui 2.7.6 framework, a Chinese UI library virtually unknown outside the Chinese developer community, the kit replicates FIFA’s PingIdentity SSO login flow using a real client_id taken directly from the actual FIFA SSO.
After stealing credentials, a password reset function locks victims out immediately, then silently redirects them to the real FIFA site so the attack looks like a successful login.
The kit auto-detects browser language and switches its interface across 11 languages plus three Chinese variants: Simplified, Traditional, and Hong Kong Chinese.
This granular distinction is a direct attribution signal pointing to a Chinese-speaking developer.
Three shared Meta Pixel IDs were found across all 300 phishing domains, confirming a single operator controls the entire campaign and is using Facebook ads to drive targeted traffic to fake pages.
Infostealer Threat and Protective Steps
The infostealer pipeline presents a separate but equally serious danger running alongside the phishing operation. Vidar and Lumma malware are delivered through cracked software lures, malvertising networks, and Telegram cheat channels.
These stealers copy every browser-stored credential, session token, and cryptocurrency wallet seed from infected devices. FIFA credentials are harvested as incidental collateral that later feeds account takeover pipelines and dark web re-sale markets.
Group-IB researchers recommend deploying Digital Risk Protection tools for continuous monitoring and automated takedown of brand-impersonation infrastructure.
Users should only purchase tickets through official FIFA channels and enable multi-factor authentication immediately.
Financial institutions are urged to alert on transactions routed through the five identified payment channels linked to this campaign, while fans should avoid FIFA-themed ads or messages offering low prices combined with countdown pressure tactics.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Tawk.to Live-Chat Property ID | mpnmccbabann9eohpoaomimm | GHOST STADIUM phishing kit backend tracker |
| Meta Pixel ID | 1912432924230210 | Shared Meta Pixel across GHOST STADIUM phishing domains |
| Meta Pixel ID | 2103242506309126 | Shared Meta Pixel across GHOST STADIUM phishing domains |
| Meta Pixel ID | 3156091303316034 | Shared Meta Pixel across GHOST STADIUM phishing domains |
| Cloned FIFA SSO Client ID | 74f02607-fc20-3132-a3650-1b93080bbn96f | Legitimate FIFA PingIdentity client_id used in phishing kit |
| Crypto Gateway | ChainUGO (testnet.chainugo.com) | Crypto on-ramp payment processor used by GHOST STADIUM |
| Adjacent Backend Domain | www[.]fifa[.]show | Backend domain tied to GHOST STADIUM phishing cluster |
| Facebook Ad ID | 1063360394213924210520024 | Facebook ad account tied to GHOST STADIUM campaign |
| Redirector Domain | football-ticket[.]top | Fraud-as-a-Service redirector domain (Origin IP: 34.97.164[.]110, registered April 26, 2026) |
| Redirector Domain | football-ticket[.]shop | Fraud-as-a-Service redirector domain (shared origin IP) |
| Redirector Domain | football-game[.]shop | Fraud-as-a-Service redirector domain (shared origin IP) |
| Redirector Domain | football-tickets[.]top | Fraud-as-a-Service redirector domain (shared origin IP) |
| Fraudulent Domain (sample) | fifa[.]bio | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | fifa[.]center | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | goldfifa[.]red | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | salefifa[.]shopping | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | fifa[.]show | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | skififa[.]black | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | fifa[.]cafe | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | fundfifa[.]market | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | fifa[.]tax | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | fifacash[.]city | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | fifahouse[.]com | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | www-fifa[.]com | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | www-fifa[.]shop | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | www-fifa[.]website | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | www-fifa[.]store | GHOST STADIUM core phishing domain |
| Fraudulent Domain (sample) | www-fifa[.]top | GHOST STADIUM core phishing domain |
| Hosting IP (Multi-Rail Fake Tickets) | 183.164.164[.]110 | IP hosting GHOST STADIUM multi-rail fake ticket domains |
| Hosting IP | 202.46.55.1[.]1 | IP tied to GHOST STADIUM phishing infrastructure |
| Hosting IP | 9355.112.212[.]251 | IP tied to GHOST STADIUM phishing infrastructure |
| Third-party Payment Gateway | pay[.]zfxupi[.]net | Redirects victims to Cash App and Chime for payments |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains appeared first on Cyber Security News.
