GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains

As the 2026 FIFA World Cup draws closer, cybercriminals are moving fast to cash in on the excitement. Researchers at Group-IB have uncovered a massive fraud operation targeting fans of the world's biggest football tournament, with over 300 fake domains already live. The operation, designated GHOST STADIUM, is sophisticated, well-funded, and built to deceive even cautious users. With billions of dollars at stake, this campaign is one of the most serious cyber threats tied to a major sporting event.

The campaign exploits the enormous demand for FIFA World Cup 2026 tickets, hosted across the United States, Canada, and Mexico. More than 150 million tickets were requested within just the first 14 days of the sales window, creating the desperate urgency that scammers thrive on. Fraudsters have built a wide network of fake websites designed to look exactly like official FIFA platforms, and victims who land on these pages have no easy way to tell they are on a fraudulent site.

Group-IB said in a report shared with Cyber Security News that researchers identified six distinct fraud schemes, four independent threat actors, and over 3,500 fraudulent domains impersonating FIFA's web presence. At the center sits the threat actor designated GHOST STADIUM, a Chinese-speaking, financially motivated operator running a coordinated phishing campaign across more than 300 domains. The total financial losses from this campaign alone could reach into the billions.

The GHOST STADIUM phishing kit is a custom React-based single-page application that clones the official FIFA website with near pixel-perfect accuracy. Built on the Layui 2.7.6 framework, a Chinese UI library virtually unknown outside the Chinese developer community, the kit replicates FIFA's PingIdentity SSO login flow using a real client_id taken directly from the actual FIFA SSO. After stealing credentials, a password reset function locks victims out immediately, then silently redirects them to the real FIFA site so the attack looks like a successful login. The kit auto-detects browser language and switches its interface across 11 languages plus three Chinese variants: Simplified, Traditional, and Hong Kong Chinese. This granular distinction is a direct attribution signal pointing to a Chinese-speaking developer.

Over 2,513 confirmed FIFA account credential pairs are already circulating on dark web markets at prices between $5 and $50 per pair. These were not stolen through targeted phishing but harvested incidentally by mass infostealer campaigns dominated by the Vidar and Lumma malware families. Approximately 170,000 infostealer logs containing FIFA references have been identified, showing how wide the credential theft pipeline has grown well ahead of kick-off. Three shared Meta Pixel IDs were found across all 300 phishing domains, confirming a single operator controls the entire campaign and is using Facebook ads to drive targeted traffic to fake pages.

Six separate fraud schemes are running in parallel, each targeting football fans differently. These include credential phishing, fake ticket sales, counterfeit merchandise storefronts, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Each scheme has its own monetisation method, making the entire operation difficult to dismantle with a single takedown. Together, they form a growing fraud ecosystem actively expanding as the tournament approaches.

Group-IB researchers recommend deploying Digital Risk Protection tools for continuous monitoring and automated takedown of brand-impersonation infrastructure. Users should only purchase tickets through official FIFA channels and enable multi-factor authentication immediately. Financial institutions are urged to alert on transactions routed through the five identified payment channels linked to this campaign, while fans should avoid FIFA-themed ads or messages offering low prices combined with countdown pressure tactics.