
The 2026 FIFA World Cup, the world's biggest and greatest sports festival, is just a couple of weeks away. A new report shows that cybercriminals are warmed up and ready to take advantage.
Group-IB researchers have uncovered 6 distinct fraud schemes, 4 independent threat actors, and over 4,300 fraudulent domains impersonating FIFA's official web presence.
This includes a sophisticated phishing operation run by the Chinese-speaking threat actor GHOST STADIUM, whose campaign could result in losses of billions of dollars.
True, thousands of fans have been canceling their hotel bookings, and the demand for ridiculously expensive tickets has been lower than expected. Besides, Trump’s America doesn’t seem like an attractive destination for many fans.
Still, at least FIFA, the worldwide governing body of soccer, says that more than 150 million tickets were requested within the first 15 days of the sales window.
FIFA likes grand statements, sure, but clearly, the tournament is still going to be the biggest sporting event this year – and a magnet for fraud.
Two weeks before the opening whistle, over 2,500 FIFA account credential pairs are already circulating on dark-web markets, Group-IB said in a blog post.
At the center of this ecosystem sits a threat actor that Group-IB has designated GHOST STADIUM – a Chinese-speaking, financially motivated operator running a sophisticated phishing campaign across more than 300 domains.
GHOST STADIUM has even built a pixel-perfect clone of the official FIFA website, complete with a replicated single sign-on (SSO) authentication flow and multi-language support in 11 languages.
A conservative estimate based on the campaign’s observable infrastructure puts the potential financial losses from premium ticket fraud alone at $71 million to $474 million – and the total campaign losses across all tiers could reach into the billions.
The victim’s journey through the GHOST STADIUM campaign follows a carefully designed funnel. When a visitor arrives at any cluster domain, they are immediately presented with an aggressive fake pop-up mimicking official hospitality announcements, with a BUY NOW call-to-action.
Facebook Ads serves as the primary paid traffic acquisition channel for the GHOST STADIUM campaign, with 3 Meta Pixel IDs embedded across the cluster.
This means that the attacker is actively exploiting Meta’s advertising platform to promote phishing pages to targeted victims.
GHOST STADIUM is not operating alone, though. Three additional threat actors are exploiting the same event simultaneously.
They include a bulk domain squatter pre-positioning hundreds of typosquat domains, an industrialized infostealer ecosystem incidentally harvesting FIFA credentials at scale, and an underground supply chain of phishing-as-a-service (PhaaS) vendors lowering the barrier for new entrants.
“Together, they are running six parallel fraud schemes: credential phishing, fake ticket sales, counterfeit merchandise storefronts, fake streaming platforms, fraudulent betting and casino sites, and infostealer-driven credential theft,” Group-IB researchers said.