More than 4,300 fraudulent domains impersonating FIFA's official web presence have been registered since last August, according to new analysis from Group-IB — a surge the company ties to organized schemes targeting fans of the 2026 FIFA World Cup.
Scope and timing: six schemes, four operators, many sites dormant
Group-IB's analysis finds the activity spans six distinct fraud schemes and four independent threat actors working the same event in parallel. Most of the registered domains currently sit dormant, "ready to switch on as kickoff nears," the firm reports, and it flagged a comparable surge of scam sites ahead of the 2022 Qatar World Cup. The scale and timing suggest a coordinated effort to stockpile infrastructure well before demand peaks.
Ghost Stadium: a Chinese‑speaking actor cloning fifa.com down to SSO
At the center of Group-IB's findings is an actor the company tracks as Ghost Stadium. Described as Chinese‑speaking and profit‑driven, Ghost Stadium runs more than 300 phishing domains built on a single kit that reproduces fifa.com as an almost flawless replica. The kit replicates the site's PingIdentity single sign‑on (SSO) flow and pulls FIFA logos and product images directly from the brand's official content network, a technique Group-IB says is used to make pages look authentic while sidestepping image‑matching detection.
Group-IB notes Chinese‑language notes left in the source code and an interface able to switch across 11 languages, including three Chinese variants, as indicators pointing toward a Chinese‑speaking developer behind the kit.
Paid Facebook ads and shared Meta tracking codes tie campaigns together
The analysis identifies paid Facebook ads as the main engine for Ghost Stadium's distribution. Hundreds of domains are tied back to the same advertising accounts through shared Meta tracking codes, a linkage that connects multiple fraudulent landing pages to a common ad infrastructure. That advertising funnel appears designed to steer users to the cloned sites where credential theft or ticket scams can be executed.
Infostealers, stolen logins, and opaque money flows
Beyond phishing pages, Group-IB found a wider fraud economy at play. Other operators include a bulk domain squatter, a phishing‑as‑a‑service (PhaaS) supply chain selling ready‑made kits, and broad infostealer campaigns built specifically for credential theft. Those infections are dominated by the Vidar and Lumma infostealer families and have, the firm reports, swept up around 2,500 FIFA logins now trading on dark‑web markets.
Money is routed through several channels, including a cryptocurrency on‑ramp that Group-IB says settles funds beyond recovery. The firm estimates that premium and hospitality ticket fraud alone could cost victims between $71 million and $474 million, and warns losses across the full campaign could reach into the billions.
What this means for fans and for brand protection and fraud teams
- Fans: Group-IB's recommendations for supporters are concrete and narrow: buy only through fifa.com; treat any ticket offer that demands cryptocurrency as a scam; and turn on multi‑factor authentication (MFA) before the rush begins.
- Brand protection and fraud teams: The firm advises watching the large set of dormant domains for signs of activation and pursuing takedowns at the registrar level rather than chasing individual sites one by one.
Group-IB's findings paint a coordinated playbook: mass‑registered domains held in wait, turnkey phishing kits that reproduce legitimate SSO flows, commercial advertising funnels that centralise traffic, and established infostealers moving credentials into dark‑market inventories. With many domains inactive today but built and linked, the company's primary recommendations — register and monitor related domains, enforce MFA, prefer official purchase channels, and prioritize registrar‑level takedowns — are aimed at constraining the moment when that infrastructure is flipped into live fraud.




