A major operation tied to a Chinese threat actor “tracked as Ghost Stadium” deployed more than 300 phishing sites that mimic FIFA’s official portal to sell premium-ticket fraud ahead of the 2026 World Cup, researchers told cybersecurity firm Group-IB.
Ghost Stadium operation and Group-IB findings
Group-IB’s analysis, summarized in public reporting cited by the FBI, attributed a large-scale campaign to a threat actor tracked as Ghost Stadium. According to those researchers, the operation uses “more than 300 phishing sites,” many of them clones of the real fifa.com, specifically aimed at premium ticket fraud. The scale of that single operation is one of several signals security firms flagged as the tournament approaches.
Bitdefender tracking: global targets and fraudulent offers
Bitdefender researchers reported fraudulent activity tied to the World Cup brand beginning in February. Their telemetry showed scams targeting users in the UK, Portugal, Spain, Algeria, the US, Canada, Mexico, Brazil, Germany, and Australia. The offers were broad: fake merchandise, kits and collectibles, streaming services, and Panini sticker promotions, in addition to counterfeit ticket and hospitality pitches.
How the fake sites work and what data they collect
The FBI’s public service announcement and security researchers describe a pattern: threat actors register domains that closely resemble fifa.com by using minor spelling changes (for example, fiffa[.]com) or alternative top-level domains such as .org, .xyz, .live, and .sale. Fraudsters also set up convincing employment portals with names like “jobs-fifa[.]com” and “fifa-hiring[.]com.”
Those sites routinely request and collect personal and financial information, including names, physical and email addresses, phone numbers, and banking/payment details. The FBI warns that data gathered this way can be used to create fraudulent accounts, commit identity theft, or run financial scams.
FBI advisory: concrete steps fans should follow
The FBI published a set of specific, consumer-facing recommendations to reduce the risk of falling for these scams:
- Manually type fifa.com into the browser rather than following links.
- Avoid sponsored search ads or use an ad blocker.
- Verify that the URL ends in .com.
- Use bookmarks for official FIFA sites.
- Avoid suspicious links sent via direct messages.
- Never enter sensitive data unless the site is verified as authentic.
The FBI also urged anyone who encounters fraud to report incidents to the FBI’s Internet Crime Complaint Center (IC3) and to include details such as the fake domain used, interaction history, and any payment information to help authorities act against the fraudulent portals.
Channels of distribution: malvertising, social platforms, and messaging apps
Researchers noted that the campaigns are not limited to spoofed domains. World Cup–related malvertising and promoted content appear across search and social channels: Google Search, Facebook ads, Telegram, and WhatsApp were specifically named as vectors used to funnel victims to the fraudulent pages. The FBI framed this activity as opportunistic: with public interest in the tournament surging, cybercriminals have prepared hundreds of phishing sites and related lures.
The record here is narrow but specific: multiple security firms and the FBI identify a constellation of domain impersonation, professionally dressed fake portals, and broad malvertising and messaging distribution aimed at harvesting data and selling counterfeit goods and tickets. Fans who plan to buy tickets, merchandise, or apply for jobs tied to the event should follow the FBI’s checklist and, when in doubt, report the interaction to IC3 with the domain and payment details.




