GHOST STADIUM: Group-IB Maps a Billion-Dollar Fraud Ecosystem Targeting the 2026 FIFA World Cup

Researchers at Group-IB have mapped a sprawling fraud ecosystem aimed at the 2026 FIFA World Cup, identifying more than 4,300 fraudulent domains, registered since August 2025, that impersonate FIFA's official web presence. According to the original research, at the center sits a Chinese-speaking, financially motivated actor that the firm designates GHOST STADIUM, running a coordinated phishing campaign across more than 300 domains.

A pixel-perfect FIFA clone

GHOST STADIUM's phishing kit is a custom React single-page application that clones fifa.com to near pixel-perfect fidelity. It is built on the Layui UI framework, a Chinese open-source library little known outside that developer community. The kit replicates FIFA's legitimate PingIdentity single sign-on flow and even reuses the genuine client_id lifted from the real FIFA SSO, so the cloned login is functionally indistinguishable from the real one. Group-IB reports that the operators acquire victims primarily through Facebook Ads, embedding three Meta Pixel IDs across the cluster to target and track potential victims.

Six schemes, four actors

The investigation describes six parallel fraud schemes: credential phishing, fake ticket sales, counterfeit merchandise storefronts, fake streaming platforms, fraudulent betting and casino sites, and infostealer-driven credential theft. Group-IB attributes the broader ecosystem to four independent actors, including a bulk domain squatter pre-positioning typosquats, an industrialized infostealer operation incidentally harvesting FIFA logins, and a Phishing-as-a-Service supply chain selling ready-made kits and ticket-buying bots. The firm says 2,513 FIFA credential pairs are already circulating in dark-web markets, and estimates premium and hospitality ticket fraud alone could drive losses of between $71 million and $474 million, with total campaign losses potentially reaching into the billions.

The scale aligns with a broader read of the tournament's exposure. Reviewing cyber operations against prior mega-events, Unit 42 independently assessed that fraud at scale, disruptive intrusions and politically motivated denial-of-service and hack-and-leak activity are highly likely against the 2026 event, and flagged Iran-nexus risk following the regional conflict that began in February 2026. We assess with high confidence that event-themed fraud will intensify as the June kickoff approaches and dormant domains are activated.

Salient defanged indicators from the Group-IB research include the phishing domain pattern fifa-tickets[.]vip and the infrastructure address 43[.]98[.]183[.]110. Fans should transact only through official FIFA channels, and brand-protection teams should monitor for newly activated typosquats and Meta Pixel reuse.
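One way a brand-protection team could check for the Meta Pixel reuse described above, as an added example (not code from Group-IB or IntelFusions): it extracts Pixel IDs from page HTML that has already been collected and groups the domains that share one. The domains, HTML snippets and Pixel IDs below are constructed, since the briefing does not publish the actual IDs.

```python
import re
from collections import defaultdict

# A Meta Pixel ID shows up in the fbq('init', '<id>') call and in the
# <noscript> fallback beacon, facebook.com/tr?id=<id>.
PIXEL_PATTERNS = [
    re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d{10,20})['"]"""),
    re.compile(r"""facebook\.com/tr\?(?:[^"'\s>]*&(?:amp;)?)?id=(\d{10,20})"""),
]

# Constructed sample input: domain -> HTML captured by a crawler or sandbox.
SAMPLE_PAGES = {
    "tickets-a.example": "<script>fbq('init', '1111111111111111');"
                         "fbq('track', 'PageView');</script>",
    "tickets-b.example": '<noscript><img src="https://www.facebook.com/tr'
                         '?id=1111111111111111&ev=PageView&noscript=1"/></noscript>',
    "merch-c.example": '<script>fbq("init", "2222222222222222");</script>',
    "unrelated.example": "<html><body>no tracking here</body></html>",
}

def extract_pixel_ids(html):
    """Return the set of Meta Pixel IDs referenced in one page's HTML."""
    ids = set()
    for pattern in PIXEL_PATTERNS:
        ids.update(pattern.findall(html))
    return ids

def cluster_by_pixel(pages):
    """Map each Pixel ID to the sorted list of domains that embed it."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for pixel_id in extract_pixel_ids(html):
            clusters[pixel_id].add(domain)
    return {pid: sorted(domains) for pid, domains in clusters.items()}

def flag_domains(pages, known_bad_pixels):
    """Domains that share a Pixel ID with an already confirmed phishing page."""
    clusters = cluster_by_pixel(pages)
    hits = set()
    for pixel_id in known_bad_pixels:
        hits.update(clusters.get(pixel_id, []))
    return sorted(hits)

if __name__ == "__main__":
    for pixel_id, domains in cluster_by_pixel(SAMPLE_PAGES).items():
        print(pixel_id, domains)
    print("flagged:", flag_domains(SAMPLE_PAGES, {"1111111111111111"}))
```

A Pixel ID seen on one confirmed phishing page becomes the seed for `flag_domains`, so newly activated typosquats that reuse it surface as soon as their HTML is collected.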

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
