GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains - CyberSecurityNews

HomeCyber Security News GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains By Tushar Subhra Dutta May 27, 2026 As the 2026 FIFA World Cup draws closer, cybercriminals are moving fast to cash in on the excitement. Researchers have uncovered a massive fraud operation targeting fans of the world’s biggest football tournament, with over 300 fake domains already live. The operation is sophisticated, well-funded, and built to deceive even cautious users. With billions of dollars at stake, this campaign is one of the most serious cyber threats tied to a major sporting event. The campaign exploits the enormous demand for FIFA World Cup 2026 tickets, hosted across the United States, Canada, and Mexico. More than 150 million tickets were requested within just the first 14 days of the sales window, creating the desperate urgency that scammers thrive on. Fraudsters have built a wide network of fake websites designed to look exactly like official FIFA platforms, and victims who land on these pages have no easy way to tell they are on a fraudulent site. Group-IB said in a report shared with Cyber Security News (CSN) that researchers identified six distinct fraud schemes, four independent threat actors, and over 3,500 fraudulent domains impersonating FIFA’s web presence. At the center sits the threat actor designated GHOST STADIUM, a Chinese-speaking, financially motivated operator running a coordinated phishing campaign across more than 300 domains. The total financial losses from this campaign alone could reach into the billions. Example of a fraudulent domain (Source – Group-IB) Six separate fraud schemes are running in parallel, each targeting football fans differently. These include credential phishing, fake ticket sales, counterfeit merchandise storefronts, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Each scheme has its own monetisation method, making the entire operation difficult to dismantle with a single takedown. Together, they form a growing fraud ecosystem actively expanding as the tournament approaches. Over 2,513 confirmed FIFA account credential pairs are already circulating on dark web markets at prices between $5 and $50 per pair. GROUP-IB RESEARCHERS HAVE UNCOVERED A CHINESE-SPEAKING THREAT ACTOR, DESIGNATED #GHOSTSTADIUM, OPERATING OVER 300 FRAUDULENT DOMAINS WITH A PIXEL-PERFECT REACT BASED #PHISHING KIT BUILT ON THE LAYUI 2.7.6 FRAMEWORK, A CHINESE UI LIBRARY VIRTUALLY UNKNOWN OUTSIDE THE CHINESE… PIC.TWITTER.COM/17YOL6P5XT — Group-IB Global (@GroupIB) May 27, 2026 These were not stolen through targeted phishing but harvested incidentally by mass infostealer campaigns dominated by the Vidar and Lumma malware families. Approximately 170,000 infostealer logs containing FIFA references have been identified, showing how wide the credential theft pipeline has grown well ahead of kick-off. GHOST STADIUM Phishing Campaign The GHOST STADIUM phishing kit is a custom React-based single-page application that clones the official FIFA website with near pixel-perfect accuracy. Built on the Layui 2.7.6 framework, a Chinese UI library virtually unknown outside the Chinese developer community, the kit replicates FIFA’s PingIdentity SSO login flow using a real client_id taken directly from the actual FIFA SSO. Example of a fake Log In – Sign Up page (Source – Group-IB) After stealing credentials, a password reset function locks victims out immediately, then silently redirects them to the real FIFA site so the attack looks like a successful login. The kit auto-detects browser language and switches its interface across 11 languages plus three Chinese variants: Simplified, Traditional, and Hong Kong Chinese. This granular distinction is a direct attribution signal pointing to a Chinese-speaking developer. Three shared Meta Pixel IDs were found across all 300 phishing domains, confirming a single operator controls the entire campaign and is using Facebook ads to drive targeted traffic to fake pages. Infostealer Threat and Protective Steps The infostealer pipeline presents a separate but equally serious danger running alongside the phishing operation. Vidar and Lumma malware are delivered through cracked software lures, malvertising networks, and Telegram cheat channels. These stealers copy every browser-stored credential, session token, and cryptocurrency wallet seed from infected devices. FIFA credentials are harvested as incidental collateral that later feeds account takeover pipelines and dark web re-sale markets. Examples of scam ads abusing Facebook’s advertising platform (Source – Group-IB) Group-IB researchers recommend deploying Digital Risk Protection tools for continuous monitoring and automated takedown of brand-impersonation infrastructure. Users should only purchase tickets through official FIFA channels and enable multi-factor authentication immediately. Financial institutions are urged to alert on transactions routed through the five identified payment channels linked to this campaign, while fans should avoid FIFA-themed ads or messages offering low prices combined with countdown pressure tactics. Indicators of Compromise (IoCs):- Type Indicator Description Tawk.to Live-Chat Property ID mpnmccbabann9eohpoaomimm GHOST STADIUM phishing kit backend tracker Meta Pixel ID 1912432924230210 Shared Meta Pixel across GHOST STADIUM phishing domains Meta Pixel ID 2103242506309126 Shared Meta Pixel across GHOST STADIUM phishing domains Meta Pixel ID 3156091303316034 Shared Meta Pixel across GHOST STADIUM phishing domains Cloned FIFA SSO Client ID 74f02607-fc20-3132-a3650-1b93080bbn96f Legitimate FIFA PingIdentity client_id used in phishing kit Crypto Gateway ChainUGO (testnet.chainugo.com) Crypto on-ramp payment processor used by GHOST STADIUM Adjacent Backend Domain www[.]fifa[.]show Backend domain tied to GHOST STADIUM phishing cluster Facebook Ad ID 1063360394213924210520024 Facebook ad account tied to GHOST STADIUM campaign Redirector Domain football-ticket[.]top Fraud-as-a-Service redirector domain (Origin IP: 34.97.164[.]110, registered April 26, 2026) Redirector Domain football-ticket[.]shop Fraud-as-a-Service redirector domain (shared origin IP) Redirector Domain football-game[.]shop Fraud-as-a-Service redirector domain (shared origin IP) Redirector Domain football-tickets[.]top Fraud-as-a-Service redirector domain (shared origin IP) Fraudulent Domain (sample) fifa[.]bio GHOST STADIUM core phishing domain Fraudulent Domain (sample) fifa[.]center GHOST STADIUM core phishing domain Fraudulent Domain (sample) goldfifa[.]red GHOST STADIUM core phishing domain Fraudulent Domain (sample) salefifa[.]shopping GHOST STADIUM core phishing domain Fraudulent Domain (sample) fifa[.]show GHOST STADIUM core phishing domain Fraudulent Domain (sample) skififa[.]black GHOST STADIUM core phishing domain Fraudulent Domain (sample) fifa[.]cafe GHOST STADIUM core phishing domain Fraudulent Domain (sample) fundfifa[.]market GHOST STADIUM core phishing domain Fraudulent Domain (sample) fifa[.]tax GHOST STADIUM core phishing domain Fraudulent Domain (sample) fifacash[.]city GHOST STADIUM core phishing domain Fraudulent Domain (sample) fifahouse[.]com GHOST STADIUM core phishing domain Fraudulent Domain (sample) www-fifa[.]com GHOST STADIUM core phishing domain Fraudulent Domain (sample) www-fifa[.]shop GHOST STADIUM core phishing domain Fraudulent Domain (sample) www-fifa[.]website GHOST STADIUM core phishing domain Fraudulent Domain (sample) www-fifa[.]store GHOST STADIUM core phishing domain Fraudulent Domain (sample) www-fifa[.]top GHOST STADIUM core phishing domain Hosting IP (Multi-Rail Fake Tickets) 183.164.164[.]110 IP hosting GHOST STADIUM multi-rail fake ticket domains Hosting IP 202.46.55.1[.]1 IP tied to GHOST STADIUM phishing infrastructure Hosting IP 9355.112.212[.]251 IP tied to GHOST STADIUM phishing infrastructure Third-party Payment Gateway pay[.]zfxupi[.]net Redirects victims to Cash App and Chime for payments Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access CISA Warns of Trend Micro Apex One Vulnerability Exploited in Attacks Indian Student Data Weaponized for Phishing, Social Engineering, and Financial Fraud Mini Shai-Hulud Attack Forces npm to Reset Bypass-2FA Publishing Tokens Hackers Abuse Middle East Telecom Networks for Large-Scale Command-and-Control Operations Latest News Cyber Security News Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts Cyber Security News Hackers Use Fake ChatGPT and Claude Installers to Deploy DinDoor Backdoor Cyber Security News Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor ANY.RUN How Top CISOs Increase Risk Visibility for Zero Critical Incidents  Cyber Security News Hackers Abuse AI Chatbot Recommendations to Push Malicious Software Download Links