The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
GHOST STADIUM is a Chinese-speaking threat actor operating a large-scale fraud ecosystem targeting the 2026 FIFA World Cup. The campaign uses over 4,300 fraudulent domains impersonating FIFA's official website, employing a pixel-perfect clone of FIFA's authentication system to conduct credential phishing. The operation includes multiple fraud schemes such as fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Over 2,500 compromised FIFA account credentials are circulating on dark-web markets. The campaign exploits Facebook advertising for distribution and processes payments through multiple channels including cryptocurrency. Estimated losses from premium ticket fraud alone range from $71 million to $474 million, with total losses potentially reaching billions. No direct patch or remediation is applicable as this is a fraud and phishing campaign rather than a software vulnerability.
AI Analysis
Technical Summary
Researchers identified a sophisticated fraud campaign named GHOST STADIUM targeting the 2026 FIFA World Cup. This threat actor operates over 4,300 phishing domains that mimic FIFA's official website, harvesting user credentials via cloned authentication pages. The campaign runs six parallel fraud schemes: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and credential theft via infostealers. Distribution primarily leverages Facebook advertising. Stolen credentials are sold on dark-web markets, and payments are processed through five channels including cryptocurrency. The scale of the operation suggests potential losses in the billions of dollars. This is a large-scale social engineering and fraud operation rather than a software vulnerability or exploit.
Potential Impact
The campaign results in significant financial losses due to fraudulent ticket sales and other scams, with premium ticket fraud estimated between $71 million and $474 million and total losses potentially reaching billions. Over 2,513 FIFA account credentials have been compromised and are actively traded on dark-web markets, increasing risk of account takeover and further fraud. The use of cloned authentication systems and multiple fraud schemes amplifies the threat to victims' financial and personal information. The exploitation of Facebook advertising increases the campaign's reach and effectiveness.
Mitigation Recommendations
As this threat involves social engineering and phishing rather than a software vulnerability, no patch or official fix exists. Organizations and individuals should be aware of fraudulent domains impersonating FIFA and avoid interacting with suspicious websites or unsolicited advertisements. Users should verify URLs carefully and avoid providing credentials on untrusted sites. Monitoring for compromised credentials and using multi-factor authentication on FIFA accounts can reduce risk. Facebook and other platforms should enhance detection and removal of fraudulent advertising campaigns. Check the referenced vendor advisory and threat intelligence sources for ongoing updates and guidance.
Indicators of Compromise
- domain: fifa.gold
- domain: fifa.black
- domain: fifa.tax
- domain: fifaweb.com
- domain: fifa.red
- domain: fifa.fund
- ip: 148.178.22.16
- domain: fifa-com.shop
- domain: fifa-com.site
- domain: fifa-com.store
- domain: fifa-com.website
- domain: fifa.city
- hash: 3b8bb7631b39f455d31544b55ba97b49ab1888c1
- ip: 148.178.16.48
- ip: 154.86.0.33
- domain: fifa-com.vip
- hash: 84ecdca915f1af822ccc8a04479f5179104f353c
- hash: 9bd164dd3f50d196c7dff4f6c1b0f1345ac96d9a
- ip: 137.220.224.67
- ip: 148.178.16.5
- ip: 148.178.18.23
- ip: 148.178.18.60
- ip: 207.56.1.93
- ip: 85.121.242.41
- url: http://fifa-tickets.vip/authorize.html
- url: http://fifa-tickets.vip/pay/FWC20260418A3230F12AC
- url: http://fifa-tickets.vip/tickets_shop
- url: http://www.billplz.com/bills/6e88393d1b82ede9
- domain: fifa-26-worldcup.com
- domain: fifa-com.co
- domain: fifa-com.com
- domain: fifa-com.top
- domain: fifa-com.xyz
- domain: fifa-tickets.vip
- domain: fifa-web.co
- domain: fifa.bio
- domain: fifa.cash
- domain: fifa.center
- domain: fifa.market
- domain: fifa.party
- domain: fifa.sale
- domain: fifa.shopping
- domain: fifa.show
- domain: fifa.ski
- domain: fifa2026tickets-streamlive.com
- domain: football-game.shop
- domain: football-ticket.shop
- domain: football-ticket.top
- domain: football-tickets.top
- domain: mm-fifa.top
- domain: unitycup2026.com
- domain: wc26-fifa.com
- domain: www-fifa.co
- domain: www-fifa.com
- domain: www-fifa.com.co
- domain: www-fifa.me
- domain: www-fifaworldcup.com
- domain: pay.zfxupi.net
- domain: testnet.chainugo.com
- domain: www.fifa.show
The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
Description
GHOST STADIUM is a Chinese-speaking threat actor operating a large-scale fraud ecosystem targeting the 2026 FIFA World Cup. The campaign uses over 4,300 fraudulent domains impersonating FIFA's official website, employing a pixel-perfect clone of FIFA's authentication system to conduct credential phishing. The operation includes multiple fraud schemes such as fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Over 2,500 compromised FIFA account credentials are circulating on dark-web markets. The campaign exploits Facebook advertising for distribution and processes payments through multiple channels including cryptocurrency. Estimated losses from premium ticket fraud alone range from $71 million to $474 million, with total losses potentially reaching billions. No direct patch or remediation is applicable as this is a fraud and phishing campaign rather than a software vulnerability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Researchers identified a sophisticated fraud campaign named GHOST STADIUM targeting the 2026 FIFA World Cup. This threat actor operates over 4,300 phishing domains that mimic FIFA's official website, harvesting user credentials via cloned authentication pages. The campaign runs six parallel fraud schemes: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and credential theft via infostealers. Distribution primarily leverages Facebook advertising. Stolen credentials are sold on dark-web markets, and payments are processed through five channels including cryptocurrency. The scale of the operation suggests potential losses in the billions of dollars. This is a large-scale social engineering and fraud operation rather than a software vulnerability or exploit.
Potential Impact
The campaign results in significant financial losses due to fraudulent ticket sales and other scams, with premium ticket fraud estimated between $71 million and $474 million and total losses potentially reaching billions. Over 2,513 FIFA account credentials have been compromised and are actively traded on dark-web markets, increasing risk of account takeover and further fraud. The use of cloned authentication systems and multiple fraud schemes amplifies the threat to victims' financial and personal information. The exploitation of Facebook advertising increases the campaign's reach and effectiveness.
Mitigation Recommendations
As this threat involves social engineering and phishing rather than a software vulnerability, no patch or official fix exists. Organizations and individuals should be aware of fraudulent domains impersonating FIFA and avoid interacting with suspicious websites or unsolicited advertisements. Users should verify URLs carefully and avoid providing credentials on untrusted sites. Monitoring for compromised credentials and using multi-factor authentication on FIFA accounts can reduce risk. Facebook and other platforms should enhance detection and removal of fraudulent advertising campaigns. Check the referenced vendor advisory and threat intelligence sources for ongoing updates and guidance.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.group-ib.com/blog/ghost-stadium-football-fraud/"]
- Adversary
- GHOST STADIUM
- Pulse Id
- 6a16d67df4a69d07c59516be
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainfifa.gold | — | |
domainfifa.black | — | |
domainfifa.tax | — | |
domainfifaweb.com | — | |
domainfifa.red | — | |
domainfifa.fund | — | |
domainfifa-com.shop | — | |
domainfifa-com.site | — | |
domainfifa-com.store | — | |
domainfifa-com.website | — | |
domainfifa.city | — | |
domainfifa-com.vip | — | |
domainfifa-26-worldcup.com | — | |
domainfifa-com.co | — | |
domainfifa-com.com | — | |
domainfifa-com.top | — | |
domainfifa-com.xyz | — | |
domainfifa-tickets.vip | — | |
domainfifa-web.co | — | |
domainfifa.bio | — | |
domainfifa.cash | — | |
domainfifa.center | — | |
domainfifa.market | — | |
domainfifa.party | — | |
domainfifa.sale | — | |
domainfifa.shopping | — | |
domainfifa.show | — | |
domainfifa.ski | — | |
domainfifa2026tickets-streamlive.com | — | |
domainfootball-game.shop | — | |
domainfootball-ticket.shop | — | |
domainfootball-ticket.top | — | |
domainfootball-tickets.top | — | |
domainmm-fifa.top | — | |
domainunitycup2026.com | — | |
domainwc26-fifa.com | — | |
domainwww-fifa.co | — | |
domainwww-fifa.com | — | |
domainwww-fifa.com.co | — | |
domainwww-fifa.me | — | |
domainwww-fifaworldcup.com | — | |
domainpay.zfxupi.net | — | |
domaintestnet.chainugo.com | — | |
domainwww.fifa.show | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip148.178.22.16 | — | |
ip148.178.16.48 | — | |
ip154.86.0.33 | — | |
ip137.220.224.67 | — | |
ip148.178.16.5 | — | |
ip148.178.18.23 | — | |
ip148.178.18.60 | — | |
ip207.56.1.93 | — | |
ip85.121.242.41 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash3b8bb7631b39f455d31544b55ba97b49ab1888c1 | — | |
hash84ecdca915f1af822ccc8a04479f5179104f353c | — | |
hash9bd164dd3f50d196c7dff4f6c1b0f1345ac96d9a | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://fifa-tickets.vip/authorize.html | — | |
urlhttp://fifa-tickets.vip/pay/FWC20260418A3230F12AC | — | |
urlhttp://fifa-tickets.vip/tickets_shop | — | |
urlhttp://www.billplz.com/bills/6e88393d1b82ede9 | — |
Threat ID: 6a16fd3ae29bf47b50c23c66
Added to database: 5/27/2026, 2:18:34 PM
Last enriched: 5/27/2026, 2:54:25 PM
Last updated: 5/27/2026, 3:56:42 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.