VYPR
breachPublished May 27, 2026· Updated Jun 8, 2026· 6 sources

GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains

Group-IB uncovered a Chinese-speaking threat actor operating over 300 fake FIFA domains with a custom React phishing kit, targeting 2026 World Cup fans.

As the 2026 FIFA World Cup draws closer, cybercriminals are moving fast to cash in on the excitement. Researchers at Group-IB have uncovered a massive fraud operation targeting fans of the world's biggest football tournament, with over 300 fake domains already live. The operation, designated GHOST STADIUM, is sophisticated, well-funded, and built to deceive even cautious users. With billions of dollars at stake, this campaign is one of the most serious cyber threats tied to a major sporting event.

The campaign exploits the enormous demand for FIFA World Cup 2026 tickets, hosted across the United States, Canada, and Mexico. More than 150 million tickets were requested within just the first 14 days of the sales window, creating the desperate urgency that scammers thrive on. Fraudsters have built a wide network of fake websites designed to look exactly like official FIFA platforms, and victims who land on these pages have no easy way to tell they are on a fraudulent site.

Group-IB said in a report shared with Cyber Security News that researchers identified six distinct fraud schemes, four independent threat actors, and over 3,500 fraudulent domains impersonating FIFA's web presence. At the center sits the threat actor designated GHOST STADIUM, a Chinese-speaking, financially motivated operator running a coordinated phishing campaign across more than 300 domains. The total financial losses from this campaign alone could reach into the billions.

The GHOST STADIUM phishing kit is a custom React-based single-page application that clones the official FIFA website with near pixel-perfect accuracy. Built on the Layui 2.7.6 framework, a Chinese UI library virtually unknown outside the Chinese developer community, the kit replicates FIFA's PingIdentity SSO login flow using a real client_id taken directly from the actual FIFA SSO. After stealing credentials, a password reset function locks victims out immediately, then silently redirects them to the real FIFA site so the attack looks like a successful login. The kit auto-detects browser language and switches its interface across 11 languages plus three Chinese variants: Simplified, Traditional, and Hong Kong Chinese. This granular distinction is a direct attribution signal pointing to a Chinese-speaking developer.

Over 2,513 confirmed FIFA account credential pairs are already circulating on dark web markets at prices between $5 and $50 per pair. These were not stolen through targeted phishing but harvested incidentally by mass infostealer campaigns dominated by the Vidar and Lumma malware families. Approximately 170,000 infostealer logs containing FIFA references have been identified, showing how wide the credential theft pipeline has grown well ahead of kick-off. Three shared Meta Pixel IDs were found across all 300 phishing domains, confirming a single operator controls the entire campaign and is using Facebook ads to drive targeted traffic to fake pages.

Six separate fraud schemes are running in parallel, each targeting football fans differently. These include credential phishing, fake ticket sales, counterfeit merchandise storefronts, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Each scheme has its own monetisation method, making the entire operation difficult to dismantle with a single takedown. Together, they form a growing fraud ecosystem actively expanding as the tournament approaches.

Group-IB researchers recommend deploying Digital Risk Protection tools for continuous monitoring and automated takedown of brand-impersonation infrastructure. Users should only purchase tickets through official FIFA channels and enable multi-factor authentication immediately. Financial institutions are urged to alert on transactions routed through the five identified payment channels linked to this campaign, while fans should avoid FIFA-themed ads or messages offering low prices combined with countdown pressure tactics.

The FBI has now issued a formal public service alert (I-052726-PSA) echoing and expanding on those findings, warning that the threat actor network behind these spoofed FIFA domains is actively harvesting names, home addresses, and phone numbers for identity theft and financial fraud. The bureau specifically highlights new lure categories beyond ticketing, including fake job portals targeting World Cup career seekers, and advises users to manually type official URLs rather than relying on search engines, as attackers are also manipulating paid sponsored results to prioritize their malicious domains.

Group-IB's latest report, published May 28, 2026, reveals that the GHOST STADIUM campaign has expanded to over 300 active phishing domains, with an additional 3,800 domains parked for future activation. The researchers estimate that premium ticket fraud alone could affect more than 47,400 victims, with losses ranging from $71 million to $474 million, and total losses across all fraud tiers potentially reaching billions of dollars. The phishing kit, built with the Chinese Layui 2.7.6m UI library, clones FIFA's authentication flow and silently redirects users back to the real FIFA site after credential theft, while also triggering a password reset to lock victims out of their accounts.

Group-IB now estimates the campaign's financial losses at $470 million to $1 billion, highlighting the staggering scale of fraud that fake ticket and travel offers have inflicted on World Cup fans. The researchers emphasize that conventional domain-by-domain takedowns are ineffective against this persistent, Chinese-language phishing-as-a-service operation, which leverages a custom React kit across hundreds of fraudulent domains.

This new report from Intel 471 significantly expands the scope of the GHOST STADIUM campaign, identifying approximately 19,000 FIFA-themed domains registered since January 2026. Beyond the custom React phishing kit previously noted, these domains are actively being used for broader phishing efforts, including scams related to tickets, accommodation, and fraudulent gambling websites, and also encompass travel-related fraud and data extortion targeting football organizations.

This new report from Recorded Future details a sophisticated network of over 2,500 advertisements linked to 33 World Cup-themed purchase scam domains, highlighting the use of multiple merchant accounts to maintain payment infrastructure. It also describes a secondary campaign where legitimate websites are compromised to redirect users to scam domains, demonstrating an evolution in attack vectors beyond simple fake stores.

Synthesized by Vypr AI