2026 World Cup Fans Under Threat from Chinese Fraud Gang
A Chinese-speaking fraud gang, designated as GHOST STADIUM by cybersecurity firm Group-IB, has built a near pixel-perfect clone of FIFA's official website across more than 300 domains in an attempt to steal credentials and payment details from fans seeking tickets to the 2026 World Cup.
The operation, one of four independent campaigns detailed by Group-IB, could put billions of dollars at risk when accounting for credential theft, fake ticket sales, counterfeit merchandise, fraudulent streaming sites, and unlicensed gambling platforms.
The Scale of the Fraud
The potential scale of the fraud mirrors the scale of the 2026 World Cup, which is set to be the largest edition of the tournament in history, with 48 teams competing across 104 matches in the United States, Canada, and Mexico.
The group behind it, first observed in November 2025, is one of four independent threat actors identified by Group-IB targeting the tournament. Collectively, those criminals have registered more than 4,300 fraudulent domains impersonating FIFA's official web presence since August 2025.
More than 300 of those domains are actively running fraudulent infrastructure, while approximately 3,800 more are parked or dormant, pre-positioned for activation as the tournament approaches.
GHOST STADIUM's Tactics
GHOST STADIUM uses a phishing kit developed with Layui 2.7.6m, a Chinese open-source UI library that Group-IB said was “virtually unknown outside the Chinese developer community.”
The phishing kit clones FIFA's login system by replicating the authentication flow used by FIFA's identity provider by silently redirecting the user back to the real FIFA website, making the interaction appear to be a successful login.
The phishing page also requests a password reset parameter, enabling the attacker to immediately lock the victim out of their own account. Any legitimate tickets associated with the compromised account can then be resold.
Infrastructure Analysis
Infrastructure analysis found shared SSL certificates and Meta Pixel tracking IDs embedded identically across all 300-plus domains, tying the entire network to the same Facebook advertising accounts.
Among the 300-plus phishing domains identified by the researchers, 79 were exclusively selling premium and hospitality-tier tickets, priced between $1,500 and $10,000 or more.
Group-IB said that with more than 600 victim registrations observed at a single domain, they estimated the potential victim count exceeding 47,400 people for premium ticket fraud alone — with losses estimated at between $71 million and $474 million.
Distribution and Prevention
Group-IB said the GHOST STADIUM campaign was primarily being distributed through paid advertising on Facebook offering tickets as cheaply as $60 for seats officially priced in the thousands, with “first come, first served” messaging designed to pressure purchases.
Group-IB advised fans to buy tickets only through fifa.com, typed directly into a browser, and to treat any domain using a hyphenated variant of the FIFA name as fraudulent.
The firm said it notified relevant authorities and that its investigation ran from March to May 2026.
- Buy tickets only through fifa.com, typed directly into a browser.
- Treat any domain using a hyphenated variant of the FIFA name as fraudulent.
“This is not a crude phishing page — it is a meticulously engineered impersonation,” the company warned.
The firm's investigators said total losses across all fraud tiers, including credential theft, lower-tier ticket sales, and downstream monetization, “could reasonably reach into the billions.”
Source: The Record