GHOST STADIUM Phishing Targets FIFA Fans With Fake

As the 2026 FIFA World Cup approaches, cybercriminals are intensifying efforts to capitalize on the global excitement. Security researchers recently uncovered a large-scale fraud operation targeting fans of the world’s premier football tournament, deploying over 300 fake domains.

The operation is sophisticated, well-funded, and built to deceive even cautious users. With billions of dollars at stake, this campaign is one of the most serious cyber threats tied to a major sporting event.

The campaign exploits the enormous demand for FIFA World Cup 2026 tickets, hosted across the United States, Canada, and Mexico.

More than 150 million tickets were requested within just the first 14 days of the sales window, creating the desperate urgency that scammers thrive on.

Fraudsters have built a wide network of fake websites designed to look exactly like official FIFA platforms, and victims who land on these pages have no easy way to tell they are on a fraudulent site.

Group-IB said in a report shared with Cyber Security News (CSN) that researchers identified six distinct fraud schemes, four independent threat actors, and over 3,500 fraudulent domains impersonating FIFA’s web presence.

At the center sits the threat actor designated GHOST STADIUM, a Chinese-speaking, financially motivated operator running a coordinated phishing campaign across more than 300 domains. The total financial losses from this campaign alone could reach into the billions.

Six separate fraud schemes are running in parallel, each targeting football fans differently. These include credential phishing, fake ticket sales, counterfeit merchandise storefronts, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft.

Each scheme has its own monetisation method, making the entire operation difficult to dismantle with a single takedown. Together, they form a growing fraud ecosystem actively expanding as the tournament approaches.

Over 2,513 confirmed FIFA account credential pairs are already circulating on dark web markets at prices between $5 and $50 per pair.

These were not stolen through targeted phishing but harvested incidentally by mass infostealer campaigns dominated by the Vidar and Lumma malware families.

Approximately 170,000 infostealer logs containing FIFA references have been identified, showing how wide the credential theft pipeline has grown well ahead of kick-off.

GHOST STADIUM Phishing Campaign

The GHOST STADIUM phishing kit is a custom React-based single-page application that clones the official FIFA website with near pixel-perfect accuracy.

Built on the Layui 2.7.6 framework, a Chinese UI library virtually unknown outside the Chinese developer community, the kit replicates FIFA’s PingIdentity SSO login flow using a real client_id taken directly from the actual FIFA SSO.

After stealing credentials, a password reset function locks victims out immediately, then silently redirects them to the real FIFA site so the attack looks like a successful login.

The kit auto-detects browser language and switches its interface across 11 languages plus three Chinese variants: Simplified, Traditional, and Hong Kong Chinese.

This granular distinction is a direct attribution signal pointing to a Chinese-speaking developer.

Three shared Meta Pixel IDs were found across all 300 phishing domains, confirming a single operator controls the entire campaign and is using Facebook ads to drive targeted traffic to fake pages.

Infostealer Threat and Protective Steps

The infostealer pipeline presents a separate but equally serious danger running alongside the phishing operation. Vidar and Lumma malware are delivered through cracked software lures, malvertising networks, and Telegram cheat channels.

These stealers copy every browser-stored credential, session token, and cryptocurrency wallet seed from infected devices. FIFA credentials are harvested as incidental collateral that later feeds account takeover pipelines and dark web re-sale markets.

Group-IB researchers recommend deploying Digital Risk Protection tools for continuous monitoring and automated takedown of brand-impersonation infrastructure.

Users should only purchase tickets through official FIFA channels and enable multi-factor authentication immediately.

Financial institutions are urged to alert on transactions routed through the five identified payment channels linked to this campaign, while fans should avoid FIFA-themed ads or messages offering low prices combined with countdown pressure tactics.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.