Chinese Phishing Service Scams Thousands of FIFA World Cup Fans
Data Breach TodayArchived May 30, 2026✓ Full text saved
Researchers estimate losses ranging from hundreds of millions to billions A Chinese-language phishing-as-a-service platform scammed between $470 million to $1 billion from soccer fans ahead of the 2026 FIFA World Cup starting next month. The financially motivated operator Domain-by-domain takedowns will not stop this, warned Group-IB.
Full text archived locally
✦ AI Summary· Claude Sonnet
Fraud Management & Cybercrime , Social Engineering
Chinese Phishing Service Scams Thousands of FIFA World Cup Fans
Researchers estimate losses ranging from hundreds of millions to billions
Tiffany Wang • May 29, 2026
Credit Eligible
Get Permission
iMAGE: Nattawit Khomsanit/Shutterstock
A Chinese-language phishing-as-a-service platform scammed between $470 million to $1 billion from soccer fans ahead of the 2026 FIFA World Cup starting next month.
See Also: How Organizations Are Strengthening Defenses Against Scattered Spider
The financially motivated operator, tracked as Ghost Stadium by threat intel firm Group-IB, enabled the theft of up to $10,000 per ticket from at least 47,000 victims on premium ticket sales.
The threat actor also stolen more than 2,500 FIFA account credentials, which now circulate in dark-web markets. It promotes a perfectly cloned FIFA ticket sites on Facebook Ads. It has registered over 4,000 fraudulent domains since August 2025 and is actively running a small portion of them.
"Domain-by-domain takedowns will not stop this - not when 3,800 replacement domains are already registered and waiting," said Yuan Huang, a senior fraud analyst at Group-IB.
Ghost Stadium is part of a broader Chinese-language phishing ecosystem that has evolved into a sprawling underground economy, lowering the barrier for inexperienced actors to flood devices around the world with sophisticated phishing messages and websites (see: Chinese Phishers Use Live MFA Interception for Digital Wallet Fraud).
Researchers say Ghost Stadium's custom React-based application can clone official FIFA sites pixel-perfectly. The phishing kit is built with an open-source UI library called Layui 2.7.6 that is used only within the Chinese developer community.
"FIFA's legitimate single sign-on service is provided by PingIdentity, and the Ghost Stadium phishing kit is even capable of replicating this using the actual client_id lifted from the real FIFA SSO," Group-IB researchers found.
The phishing kit captures email, address and phone data in addition to login credentials and authorizes password reset to lock victims out of their accounts immediately.
Like many Chinese-language phishing suppliers, Ghost Stadium supports 11 languages by auto-detecting the location of the browser and switching to its default language. The platform also distinguishes among Simplified Chinese, Traditional Chinese and Hong Kong Chinese, a nuance that only Chinese-language developers are likely to find meaningful
The phishing pages are promoted through paid social media advertising. Researchers found three shared Meta Pixel IDs, a unique 16-digit number associated with Facebook Ad accounts, across the phishing domains, meaning the same group is behind the entire campaign.
The same pages can even populate Google search results, tricking the search engine with fifa.tax, fifa.party, and fifa-web.co fraud domains.
Telegram and WhatsApp direct messaging are also channels for distributing phishing links, with some scam pages slapping a festive photo of "2026 World Cup Hot Deal - Limited Seats Available" right on their profiles.
The campaign's presence across social media ads, search results and messaging platforms makes for a sprawling, persistent fraud infrastructure. Because activity is spread across different organizations, none of them holds a complete view of the operation.
"When one bank flags a suspicious cryptocurrency address, other payment channels remain untouched and other financial institutions remain unaware," Group-IB researchers said.
Ghost Stadium is among the most sophisticated and prominent actor phishing FIFA fans, but researchers have identified other independent threat actors running their own fraud schemes. Their activity will only intensify as the tournament approaches.
"Law enforcement cannot investigate every operator. The speed, scale, and multi-channel nature of the campaign demand a coordinated response - a defense architecture that mirrors the scale and interconnection of the attack itself," Group-IB researchers said.