PROBABLYPWNED
Threat Intelligence · June 3, 2026 · 5 min read

GHOST STADIUM Fraud Network Targets FIFA World Cup Fans

Group-IB exposes 4,300+ fraudulent domains impersonating FIFA ahead of World Cup 2026. Six parallel scams could steal billions—check ticket sources carefully.

Alex Kowalski

Security researchers at Group-IB have exposed a massive fraud operation targeting FIFA World Cup 2026 fans across more than 4,300 malicious domains. The Chinese-speaking threat actor GHOST STADIUM operates pixel-perfect replicas of FIFA's official website, running six parallel scams that researchers estimate could generate losses in the billions of dollars.

The investigation identified four distinct threat actors, over 2,500 stolen FIFA credentials already circulating on dark web markets, and a sophisticated infrastructure designed to scale fraud operations as the tournament approaches.

Six Parallel Fraud Schemes

GHOST STADIUM and associated actors operate a diverse portfolio of scams:

| Scheme | Method | Scale |
|---|---|---|
| Credential Phishing | Cloned FIFA.com with replicated SSO flow | 300+ active domains |
| Fake Ticket Sales | Premium hospitality tickets at $1,500-$10,000+ | 79 premium-tier domains |
| Counterfeit Merchandise | Fake branded gear via storefronts and Telegram | ~56 domains |
| Fake Streaming | Subscription services delivering malware | ~55 domains |
| Fraudulent Betting | Unlicensed sportsbooks exploiting FIFA branding | ~32 domains |
| Infostealer Pipeline | Mass credential harvesting including FIFA accounts | ~130,000 logs |

The ticket fraud poses the greatest financial risk. Premium hospitality packages for World Cup matches command prices from $1,500 to over $10,000—Group-IB's conservative estimate places potential losses from ticket fraud alone between $71 million and $474 million.

Technical Sophistication

GHOST STADIUM's phishing infrastructure demonstrates unusual attention to detail. The cloned FIFA website replicates the authentic PingIdentity single sign-on flow, capturing credentials through a convincing authentication sequence. Attribution signals include:

  • Chinese-language comments in source code
  • Layui 2.7.6 UI framework (primarily used by Chinese developers)
  • Granular locale support for mainland China, Taiwan, and Hong Kong
  • 11 language options matching FIFA's official site

The phishing kit includes the scope parameter p1:reset:userPassword, enabling attackers to immediately lock victims out of their legitimate accounts after credential capture. Stolen accounts can then be used to purchase tickets with stored payment methods or sold on dark web marketplaces for $5-$50 each.
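As an added example, not code from Group-IB, FIFA or this article, the Python below checks a captured page for the kit indicators just described (Layui 2.7.6, CJK-character comments, Meta Pixel init calls, and the p1:reset:userPassword scope in the SSO link). The sample HTML, the SSO hostname and the pixel ID are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators as described in the Group-IB findings summarised above.
LAYUI_RE = re.compile(r"layui[^\"'\s]*?2\.7\.6", re.IGNORECASE)
CJK_RE = re.compile(r"[\u4e00-\u9fff]")          # CJK ideographs (Chinese-language comments)
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)
JS_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
FBQ_INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
LINK_RE = re.compile(r"(?:href|action)=[\"']([^\"']+)[\"']", re.IGNORECASE)
RESET_SCOPE = "p1:reset:userPassword"

def find_indicators(html: str) -> dict:
    """Report which GHOST STADIUM-style kit indicators appear in a captured page."""
    comments = HTML_COMMENT_RE.findall(html)
    for body in SCRIPT_RE.findall(html):          # JS comments only inside <script> blocks
        comments += JS_COMMENT_RE.findall(body)
    reset_scope = False
    for link in LINK_RE.findall(html):
        for scope in parse_qs(urlparse(link).query).get("scope", []):
            if RESET_SCOPE in scope.split():      # OAuth scopes are space separated ('+' in the URL)
                reset_scope = True
    return {
        "layui_2_7_6": bool(LAYUI_RE.search(html)),
        "cjk_comments": sum(1 for c in comments if CJK_RE.search(c)),
        "meta_pixel_ids": sorted(set(FBQ_INIT_RE.findall(html))),
        "reset_scope": reset_scope,
    }

def kit_score(ind: dict) -> int:
    """Weighted score: the password-reset scope is the strongest signal, the UI framework alone the weakest."""
    return (3 if ind["reset_scope"] else 0) + (2 if ind["cjk_comments"] else 0) \
        + (1 if ind["meta_pixel_ids"] else 0) + (1 if ind["layui_2_7_6"] else 0)

# Constructed sample page for demonstration; not a capture from the real campaign.
SAMPLE_HTML = """<!-- 登录页面 (constructed sample) -->
<link rel="stylesheet" href="/static/layui-2.7.6/css/layui.css">
<script>fbq('init', '000000000000000'); // placeholder pixel id, constructed</script>
<form method="post" action="https://sso.example.invalid/as/authorize?client_id=x&scope=openid+p1:reset:userPassword">
<input name="user"><input name="pass" type="password"></form>"""

if __name__ == "__main__":
    ind = find_indicators(SAMPLE_HTML)
    print(ind, "score:", kit_score(ind))
```

A score of 3 or more on a page that is not hosted on fifa.com is worth escalating; the reset scope on its own is enough to warrant a look.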

Traffic Acquisition

Facebook Ads serves as GHOST STADIUM's primary traffic source, with three Meta Pixel IDs embedded across the fraudulent infrastructure. The campaign also leverages:

  • Search engine optimization through typosquatting (fifa[.]bio, fifa[.]center, fifa[.]gold)
  • Direct messaging via Telegram and WhatsApp
  • Organic ranking for FIFA-related search terms

Researchers identified four shared redirector domains using IP 43.98.183[.]110, suggesting centralized infrastructure management across the operation.

Payment Diversification

The fraud network accepts payments through five channels to maximize reach and complicate tracing:

  1. Direct credit card capture on phishing domains
  2. Third-party payment gateways (pay.zfxupi[.]net)
  3. Peer-to-peer apps (Chime cashtag: $Paramjit-Bains; Nequi: 3202059757)
  4. Region-specific rails (FIXYD for Mexico)
  5. Cryptocurrency on-ramps converting to USDT on Binance Smart Chain

The cryptocurrency integration through Alchemy Pay demonstrates how threat actors increasingly bridge traditional payment fraud into blockchain-based laundering.

Four Threat Actors Identified

| Actor | Type | Activity |
|---|---|---|
| GHOST STADIUM | Phishing kit operator | Credential theft, fake tickets |
| Pre-Registration Wave | Bulk domain squatter | Streaming, merchandise, betting |
| Infostealer Operators | Malware campaigns | Mass credential harvesting |
| Dark Web Kit Sellers | PhaaS vendor | Supply chain enablement |

The ecosystem approach—with separate actors handling infrastructure, phishing operations, and monetization—mirrors patterns we've seen in ransomware affiliate programs. This division of labor makes the overall operation more resilient to takedowns.

How to Avoid Getting Scammed

FIFA tickets should only be purchased through the official FIFA.com website or authorized resellers. Before entering credentials anywhere:

  1. Verify the URL — Official FIFA domains end in fifa.com, not fifa.bio, www-fifa.com, or similar variations
  2. Check for HTTPS — Though phishing sites often have valid certificates, missing HTTPS is an immediate red flag
  3. Avoid social media links — Navigate directly to FIFA.com rather than clicking ads or posts
  4. Question "urgent" deals — Scarcity tactics pressure victims into bypassing verification
  5. Use unique passwords — If you've used your FIFA credentials elsewhere, change them immediately

For organizations wanting to detect similar threats targeting their brand, services like Greyphish can identify lookalike domains in real-time.
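The URL check in step 1 and the lookalike-domain detection just mentioned can be automated. The Python classifier below is an added example, not Greyphish's, FIFA's or Group-IB's code; it assumes fifa.com is the only official registrable domain (as the article states), approximates the registrable domain by its last two labels, and accepts defanged input such as fifa[.]bio.

```python
import re
from urllib.parse import urlparse

BRAND = "fifa"
OFFICIAL = {"fifa.com"}   # the article names fifa.com as the only legitimate ticket source
SPLIT_RE = re.compile(r"[-_]")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hostname(value: str) -> str:
    """Accept a URL, a bare host, or a defanged host such as fifa[.]bio."""
    value = value.replace("[.]", ".").strip().lower()
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").rstrip(".")

def classify(value: str) -> str:
    host = hostname(value)
    labels = host.split(".")
    if len(labels) < 2:
        return "invalid"
    # Crude registrable domain (last two labels); production code should use the Public Suffix List.
    if ".".join(labels[-2:]) in OFFICIAL:
        return "official"
    sld, subs = labels[-2], labels[:-2]
    if sld == BRAND:
        return "brand_tld_swap"        # fifa.bio, fifa.center, fifa.gold
    if BRAND in SPLIT_RE.split(sld):
        return "brand_in_label"        # www-fifa.com, fifa-tickets.com
    if any(BRAND in SPLIT_RE.split(s) for s in subs):
        return "brand_subdomain"       # fifa.com.example.net
    if any(levenshtein(t, BRAND) == 1 for l in labels[:-1] for t in SPLIT_RE.split(l)):
        return "typosquat"             # f1fa.com, fiffa.com
    return "unrelated"

def flag_lookalikes(candidates):
    """Map each suspicious candidate (neither official nor unrelated) to its class."""
    return {c: classify(c) for c in candidates if classify(c) not in ("official", "unrelated")}

if __name__ == "__main__":
    print(flag_lookalikes(["https://www.fifa.com/tickets", "fifa[.]bio", "www-fifa.com", "example.org"]))
```

Feed it newly registered domains or URLs pulled from ads and messages; anything classified other than "official" deserves a manual look before a fan enters credentials or pays.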

Why This Matters

Major sporting events consistently attract fraud operations, but the scale of infrastructure targeting World Cup 2026 exceeds previous campaigns. The FBI has issued warnings about World Cup ticket scams, and the 4,300+ domains identified represent just the currently active threats—3,800 additional parked domains await activation as the tournament approaches.

The financial stakes are substantial. Fans traveling internationally for the World Cup are particularly vulnerable: someone who has booked flights and hotels is more likely to pay inflated ticket prices or trust suspicious sources out of desperation.

This campaign also demonstrates how phishing techniques continue evolving. Pixel-perfect clones with replicated authentication flows defeat casual inspection—only careful URL verification can protect users from these sophisticated attacks.
