// Ghost Stadiums: FIFA World Cup 2026 Fraud Networks Expand Using Fake Domains

By Thomas  ·  May 29, 2026

The 2026 FIFA World Cup is already attracting large-scale cybercrime activity weeks before the tournament begins, with multiple fraud operations targeting football fans through phishing infrastructure, fake ticket sales, credential theft, and counterfeit platforms.

According to research published by Group-IB, investigators identified more than 4,300 domains impersonating FIFA-related services, alongside six parallel fraud schemes operated by at least four separate threat actors. The activity appears to be heavily focused on monetising the global demand for World Cup tickets, hospitality packages, merchandise, and streaming access.

The campaign emerges as FIFA continues promoting record ticket demand for the tournament hosted across the United States, Canada, and Mexico. FIFA reportedly stated that more than 150 million ticket requests were submitted during the early sales period, creating an environment where urgency and scarcity can easily be exploited.

Ghost Stadium Operation

At the center of the activity is a threat actor tracked as GHOST STADIUM, described by researchers as a Chinese-speaking financially motivated operation managing more than 300 fraudulent domains.

The infrastructure reportedly uses a custom phishing kit built as a React-based single-page application designed to closely replicate FIFA’s official website and authentication flow. Researchers stated that the phishing pages imitate FIFA’s Ping Identity single sign-on system and use a legitimate client identifier copied from the real FIFA SSO environment.

Victims arriving on the domains are presented with aggressive ticket and hospitality prompts featuring fake limited-time purchase offers intended to pressure immediate action. After credentials are submitted, the phishing system reportedly triggers password reset mechanisms that lock victims out of their accounts before redirecting them to FIFA’s legitimate website, making the interaction appear authentic.

Group-IB also claimed that the phishing infrastructure contains support for 11 languages alongside multiple Chinese language variants, including Simplified Chinese, Traditional Chinese, and Hong Kong Chinese. Researchers suggested this may indicate the background of the developers involved in the campaign.

Meta Advertising and Traffic Acquisition

Researchers stated that the operation is actively using Facebook advertising infrastructure to distribute phishing links and attract victims. Three shared Meta Pixel identifiers were reportedly discovered across the phishing network, which Group-IB said links the domains to a single coordinated operator. According to the report, Facebook Ads currently functions as the primary traffic acquisition mechanism for the campaign, allowing phishing pages to be promoted directly to users searching for World Cup-related content.
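The pixel-based linkage described above can be reproduced over a defender's own crawl data. The sketch below is an added example, not code from Group-IB or this article: it extracts Meta Pixel IDs from page HTML and merges domains that share any ID into one cluster. The domains and pixel IDs are constructed, and it assumes pages embed the standard Meta Pixel snippet (`fbq('init', ...)` or the `facebook.com/tr?id=` noscript image).

```python
import re
from collections import defaultdict

# The Meta Pixel base code calls fbq('init', '<id>'); its <noscript> fallback
# loads an image from https://www.facebook.com/tr?id=<id>&ev=PageView
PIXEL_PATTERNS = [
    re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d{5,20})['"]"""),
    re.compile(r"facebook\.com/tr\?id=(\d{5,20})"),
]

def extract_pixel_ids(html):
    """Return the set of Meta Pixel IDs referenced in one page's HTML."""
    ids = set()
    for pattern in PIXEL_PATTERNS:
        ids.update(pattern.findall(html))
    return ids

def cluster_by_pixel(pages):
    """Group domains sharing any pixel ID (transitively) with union-find."""
    parent = {d: d for d in pages}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path compression
            d = parent[d]
        return d

    first_seen = {}  # pixel ID -> first domain observed using it
    for domain, html in pages.items():
        for pid in extract_pixel_ids(html):
            if pid in first_seen:
                parent[find(domain)] = find(first_seen[pid])
            else:
                first_seen[pid] = domain

    clusters = defaultdict(set)
    for d in pages:
        clusters[find(d)].add(d)
    # Only clusters of two or more domains suggest a shared operator.
    multi = [sorted(c) for c in clusters.values() if len(c) > 1]
    return sorted(multi, key=len, reverse=True)

# Constructed sample pages: .example domains and made-up pixel IDs.
SAMPLE_PAGES = {
    "tickets-a.example": "<script>fbq('init', '100000000000001');</script>",
    "tickets-b.example": '<script>fbq("init", "100000000000001"); fbq("init", "100000000000002");</script>',
    "hospitality-c.example": '<noscript><img src="https://www.facebook.com/tr?id=100000000000002&ev=PageView"/></noscript>',
    "unrelated-d.example": "<script>fbq('init', '999999999999999');</script>",
    "no-pixel-e.example": "<html><body>no tracking</body></html>",
}
```

A shared pixel ID is strong but not conclusive evidence of common control, since kits and templates get copied; it is best combined with registration, hosting, and certificate overlaps before attributing a cluster.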

Parallel Fraud Ecosystem

The report describes the broader ecosystem as more than a standard phishing campaign. Alongside credential theft operations, researchers identified fake ticket marketplaces, counterfeit merchandise stores, fraudulent betting and casino platforms, and fake streaming websites impersonating official tournament services. Group-IB also referenced a separate ecosystem involving phishing-as-a-service vendors and bulk domain squatters registering typo-based FIFA domains ahead of the tournament. Researchers stated that over 2,500 FIFA credential pairs are already circulating on dark web marketplaces, with listings priced between $5 and $50 depending on account quality and associated access.

Infostealer Malware Activity

The report additionally links the growing volume of stolen FIFA credentials to large-scale infostealer malware campaigns rather than targeted intrusions. According to the findings, malware families including Vidar and Lumma are being distributed through cracked software downloads, malvertising campaigns, and Telegram-based distribution channels. Once installed, the malware reportedly extracts browser credentials, session tokens, cryptocurrency wallet data, and saved authentication information from infected systems. Group-IB stated that approximately 170,000 infostealer logs containing FIFA-related references have already been identified prior to the start of the tournament, indicating that credential collection activity is already operating at scale.

Conclusion

With the 2026 FIFA World Cup approaching, researchers expect fraud activity tied to the tournament to continue expanding. The combination of phishing infrastructure, large-scale credential theft, fake commerce platforms, and paid advertising campaigns suggests that threat actors are treating the event as a high-value monetisation opportunity well before kickoff. The scale of the infrastructure identified so far also indicates that multiple independent actors are operating simultaneously rather than a single centralized campaign, making disruption efforts significantly more difficult as the tournament draws closer.
