GHOST STADIUM Phishing Targets FIFA World Cup Fans in Canada

GHOST STADIUM: Chinese-Linked Phishing Operation Deploys 300+ Fake FIFA Domains to Defraud World Cup Fans

A large-scale, financially motivated phishing campaign has been uncovered targeting fans of the 2026 FIFA World Cup, with researchers identifying over 300 fraudulent domains engineered to steal credentials, payment information, and ticket access. The operation, attributed to a threat actor designated GHOST STADIUM, is one of the most technically sophisticated fraud ecosystems ever tied to a major sporting event and carries serious implications for Canadian fans attending or following matches hosted on Canadian soil.

Threat intelligence firm Group-IB published findings on May 27, 2026, confirming the existence of four distinct threat actors, six parallel fraud schemes, and more than 3,500 total fraudulent domains impersonating FIFA’s official web presence. GHOST STADIUM sits at the centre of this web, controlling a tightly coordinated phishing infrastructure designed to defeat even security-aware users.

How GHOST STADIUM Built a Convincing Fraud Network

The GHOST STADIUM phishing kit is a custom-built, React-based single-page application that replicates the official FIFA website with near pixel-perfect visual accuracy. The kit also bundles Layui 2.7.6, a Chinese UI library with virtually no adoption outside the Chinese developer community. That choice is an attribution signal pointing to a Chinese-speaking developer or development team, although on its own it is an indicator rather than proof.

What makes this campaign particularly dangerous is how it handles FIFA's authentication flow. The kit clones the official PingIdentity SSO login page and uses a real client_id taken from FIFA's live SSO infrastructure, so the login request carries a genuine application identifier. When a victim submits credentials, the kit uses them to reset the account password, locking the real owner out, and then redirects the victim to the genuine FIFA website. From the victim's perspective the login appears to have succeeded, and the theft goes unnoticed until the account has already been drained or resold.

The phishing kit auto-detects browser language settings and renders its interface across 11 languages, including three variants of Chinese: Simplified, Traditional, and Hong Kong Chinese. That granularity is a strong operational fingerprint pointing to the campaign’s origin.

Further linking all 300-plus domains to a single operator, Group-IB discovered three shared Meta Pixel IDs embedded across the entire phishing domain cluster. The operator is actively using Facebook’s advertising platform to push targeted traffic directly to fraudulent pages, amplifying reach far beyond organic search discovery.
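The pivot Group-IB describes, clustering domains by the tracker IDs they embed, is easy to reproduce against crawled page sources. The script below is an added example and not Group-IB's tooling; the HTML fragments are constructed for demonstration, using the Meta Pixel ID and Tawk.to property ID published further down this page plus one made-up pixel ID (1000000000000001) for an unrelated site. It extracts `fbq('init', ID)` calls, the `facebook.com/tr?id=` noscript fallback, and `embed.tawk.to/<property>/` script sources, then reports only IDs that appear on more than one domain.

```python
import re
from collections import defaultdict

# Extraction patterns for the two trackers named in the article. fbq('init', ID) is the
# standard Meta Pixel bootstrap call, the facebook.com/tr?id= image is its <noscript>
# fallback, and embed.tawk.to/<propertyId>/<widgetId> carries the Tawk.to property ID.
META_PIXEL_INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d{6,20})['"]""")
META_PIXEL_IMG_RE = re.compile(r"facebook\.com/tr\?id=(\d{6,20})")
TAWK_PROPERTY_RE = re.compile(r"embed\.tawk\.to/([0-9a-z]{20,32})/")


def extract_trackers(html: str) -> dict[str, set[str]]:
    """Return the tracker IDs embedded in one page, keyed by tracker type."""
    return {
        "meta_pixel": set(META_PIXEL_INIT_RE.findall(html)) | set(META_PIXEL_IMG_RE.findall(html)),
        "tawk": set(TAWK_PROPERTY_RE.findall(html)),
    }


def cluster_by_tracker(pages: dict[str, str]) -> dict[str, set[str]]:
    """Group domains that share a tracker ID. Only IDs seen on two or more domains are
    returned: an ID that appears on a single domain is not a pivot."""
    seen: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for kind, ids in extract_trackers(html).items():
            for tid in ids:
                seen[f"{kind}:{tid}"].add(domain)
    return {key: domains for key, domains in seen.items() if len(domains) > 1}


# Constructed page fragments for demonstration (not captured from the real kit). The pixel
# and Tawk.to IDs are the ones reported in the article; 1000000000000001 is a made-up ID
# for an unrelated site. Domain labels are kept defanged.
SAMPLE_PAGES = {
    "fifa[.]bio": """
      <script>fbq('init', '3156091303316034'); fbq('track', 'PageView');</script>
      <script>var s1=document.createElement("script");
        s1.src='https://embed.tawk.to/mpnmccbabann9eohpoaomimm/default';</script>""",
    "www-fifa[.]shop": """
      <script>fbq("init", "3156091303316034");</script>
      <script src="https://embed.tawk.to/mpnmccbabann9eohpoaomimm/default"></script>""",
    "fifacash[.]city": """
      <noscript><img height="1" width="1"
        src="https://www.facebook.com/tr?id=3156091303316034&ev=PageView&noscript=1"/></noscript>""",
    "unrelated-shop[.]example": """
      <script>fbq('init', '1000000000000001');</script>""",
}

if __name__ == "__main__":
    for key, domains in sorted(cluster_by_tracker(SAMPLE_PAGES).items()):
        print(key, "->", ", ".join(sorted(domains)))
```

Run against real page sources (for example, the HTML saved by a URL-scanning service), the same pivot surfaces domains that were not in the original seed list but load the same pixel or chat widget. Pixel IDs can be reused legitimately by agencies managing several brands, so treat a shared ID as a lead to confirm with registration data or hosting overlap, not as proof by itself.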

Six Fraud Schemes Running in Parallel

The operation does not rely on a single attack vector. Instead, it runs six separate monetisation schemes simultaneously, making it resistant to any single takedown effort.

Credential Phishing and Account Takeover

Fake FIFA login pages harvest account credentials in real time. Group-IB has identified 2,513 confirmed FIFA account credential pairs circulating on dark web markets, priced between $5 and $50 per pair. These are used for account takeover, ticket resale fraud, and credential-stuffing attacks against other services where victims reused the same password.

Fake Ticket Sales

Fraudulent ticket storefronts exploit the genuine scarcity of World Cup tickets. More than 150 million ticket requests were submitted in the first 14 days of the official sales window alone. Fake sites use this urgency, often with countdown timers and artificially low prices, to push victims into completing fraudulent purchases.

Counterfeit Merchandise and Fake Streaming Platforms

Separate fraudulent storefronts sell fake FIFA-branded merchandise, while phoney streaming sites collect payment details under the guise of subscription access to match broadcasts.

Fraudulent Betting and Infostealer Pipelines

Fake sports betting platforms harvest both credentials and financial data. Running alongside these is a separate but interconnected infostealer pipeline using the Vidar and Lumma malware families. These stealers are distributed through cracked software lures, malvertising networks, and Telegram channels. They silently extract browser-stored credentials, session tokens, and cryptocurrency wallet seeds from infected devices. FIFA credentials become incidental but valuable collateral, feeding directly into account takeover and dark web resale operations. Approximately 170,000 infostealer logs containing FIFA-related data have been identified ahead of the tournament.

Why Canada Is Directly in the Crosshairs

Canada is one of three official host nations for the 2026 FIFA World Cup, with matches scheduled at venues in Toronto and Vancouver. This makes Canadian fans a high-value target demographic for every fraud scheme active in this campaign.

Canadian fans purchasing tickets, merchandise, or streaming access face the same phishing infrastructure as fans globally. However, Canadian victims also carry specific legal exposure worth noting. Personal information compromised through credential theft and account takeover is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and, in applicable provinces, substantially similar provincial privacy legislation. If stolen credentials result in unauthorized access to financial accounts or broader personal data, affected individuals have reporting rights, and organizations may have mandatory breach notification obligations.

The Canadian Centre for Cyber Security (CCCS) has consistently flagged major sporting and entertainment events as elevated phishing threat periods. Canadian businesses in the hospitality, travel, and retail sectors serving World Cup visitors should treat this campaign as an active and relevant threat, not a foreign problem.

Canadian financial institutions should be aware of the five payment channels Group-IB has linked to this campaign’s money movement infrastructure, including a crypto on-ramp processor identified as ChainUGO and a third-party payment gateway that redirects victims to Cash App and Chime.

Indicators of Compromise

Security teams and threat intelligence platforms should ingest and monitor the following confirmed IoCs from this campaign. All domains and IPs are defanged and should only be re-fanged inside controlled environments such as MISP, VirusTotal, or a SIEM.

Key fraudulent domains attributed to GHOST STADIUM include: fifa[.]bio, fifa[.]center, goldfifa[.]red, salefifa[.]shopping, fifa[.]show, www-fifa[.]com, www-fifa[.]shop, www-fifa[.]store, fifacash[.]city, and fifahouse[.]com.

Confirmed redirector domains linked to a Fraud-as-a-Service operator include: football-ticket[.]top, football-ticket[.]shop, football-game[.]shop, and football-tickets[.]top, all resolving to the origin IP 34.97.164[.]110 and registered in late April 2026.

Three Meta Pixel IDs were shared across the phishing cluster; the one disclosed here is 3156091303316034. The pages also embed a Tawk.to live-chat widget with property ID mpnmccbabann9eohpoaomimm.

Key Takeaways

  • The GHOST STADIUM threat actor, assessed as Chinese-speaking and financially motivated, is operating over 300 fraudulent FIFA domains built on a technically advanced, multilingual React phishing kit.
  • Six distinct fraud schemes are running simultaneously, including credential phishing, fake ticket sales, counterfeit merchandise, fraudulent streaming, fake betting platforms, and infostealer-driven credential theft.
  • 2,513 stolen FIFA account credential pairs are already available on dark web markets, and approximately 170,000 infostealer logs containing FIFA-related data have been identified.
  • Vidar and Lumma infostealers are the primary tools used to harvest credentials at scale through cracked software and malvertising lures.
  • Canada is a host nation for the 2026 World Cup, making Canadian fans, businesses, and financial institutions direct targets of this ongoing campaign.
  • Shared Meta Pixel IDs across all phishing domains confirm a single operator is driving paid Facebook ad traffic to fraudulent pages.
  • The campaign’s financial loss potential runs into the billions, given the scale of FIFA’s ticket demand and the sophistication of the fraud infrastructure.

What You Should Do Now

  1. Purchase tickets and merchandise exclusively through FIFA.com. Before entering any login credentials or payment details, check that the registered domain in the address bar is fifa.com itself, not a lookalike such as www-fifa[.]com or fifa[.]bio. Do not follow FIFA-related links from social media ads, emails, or messaging apps.
  2. Enable multi-factor authentication (MFA) on your FIFA account immediately. Even if credentials are phished, MFA adds a critical barrier against account takeover. If you have already entered your FIFA credentials anywhere other than fifa.com, reset the password from the official site now, and change it on any other service where you reused it.
  3. Run endpoint protection capable of detecting Vidar and Lumma. If you have downloaded any cracked software or clicked on FIFA-themed advertisements recently, run a full endpoint scan.
  4. Block the confirmed IoCs in your security stack. Ingest the defanged domains and the origin IP listed above into your SIEM, DNS filtering layer, or web proxy blocklist, and use the Meta Pixel and Tawk.to IDs to hunt for additional phishing pages in proxy logs and URL-scanning services.
  5. Canadian businesses serving World Cup visitors should brief staff on this campaign. Front-line employees in hospitality, retail, and travel sectors are likely to encounter customers who have already been victimized.
  6. Financial institutions should flag transactions routed through ChainUGO and the payment gateway pay[.]zfxupi[.]net. Alert your fraud monitoring teams to the five payment channels identified by Group-IB.
  7. Report suspected phishing domains or fraud attempts to the Canadian Centre for Cyber Security at cyber.gc.ca. Individuals who believe their personal information has been compromised should also consider reporting to the Office of the Privacy Commissioner of Canada under PIPEDA obligations.
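The following script works through the IoC-handling steps above (the "Indicators of Compromise" list and step 4): it keeps the published domains and IP defanged in its table, refangs them only to generate a BIND RPZ blocklist, and then triages resolver log lines against both the exact blocklist and a lookalike heuristic for FIFA-branded hostnames outside the official domain. It is an added example, not Group-IB's or FIFA's code. The dnsmasq-style log lines are constructed for demonstration, and the allowlist of official suffixes (fifa.com only) is an assumption you should replace with your own.

```python
import ipaddress
import re

# Defanged IoCs as published in the article. They stay defanged in this table; refang()
# is applied only when the blocklist is generated.
DEFANGED_DOMAINS = [
    "fifa[.]bio", "fifa[.]center", "goldfifa[.]red", "salefifa[.]shopping",
    "fifa[.]show", "www-fifa[.]com", "www-fifa[.]shop", "www-fifa[.]store",
    "fifacash[.]city", "fifahouse[.]com", "football-ticket[.]top",
    "football-ticket[.]shop", "football-game[.]shop", "football-tickets[.]top",
]
DEFANGED_IPS = ["34.97.164[.]110"]

# Assumption for this example: fifa.com is the only legitimate suffix. Replace with
# your organisation's allowlist before deploying.
OFFICIAL_SUFFIXES = ("fifa.com",)

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(ioc: str) -> str:
    """Reverse the common defanging conventions ([.] / (.) and hxxp)."""
    return ioc.lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def refanged_domains() -> list[str]:
    """Refang and syntax-check every domain so a typo in the feed cannot poison the zone."""
    out = []
    for d in DEFANGED_DOMAINS:
        r = refang(d)
        if not DOMAIN_RE.match(r):
            raise ValueError(f"rejecting malformed IoC: {d!r}")
        out.append(r)
    return out


def refanged_ips() -> list[str]:
    return [str(ipaddress.ip_address(refang(ip))) for ip in DEFANGED_IPS]


def under(host: str, suffix: str) -> bool:
    return host == suffix or host.endswith("." + suffix)


def build_rpz() -> str:
    """Emit BIND RPZ records returning NXDOMAIN for each domain, its subdomains, and
    answers pointing at the origin IP (rpz-ip trigger: <prefixlen>.<reversed octets>)."""
    lines = []
    for d in refanged_domains():
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    for ip in refanged_ips():
        rev = ".".join(reversed(ip.split(".")))
        lines.append(f"32.{rev}.rpz-ip CNAME .")
    return "\n".join(lines) + "\n"


def is_blocked(host: str) -> bool:
    return any(under(host, d) for d in refanged_domains())


def is_lookalike(host: str) -> bool:
    """Brand string present but the host is not under an official suffix. Catches both
    fifa[.]bio-style registrations and fifa.com.<attacker>.tld subdomain tricks."""
    host = host.lower().rstrip(".")
    if any(under(host, s) for s in OFFICIAL_SUFFIXES):
        return False
    return "fifa" in host


QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")


def triage_dns_log(lines) -> list[tuple[str, str]]:
    """Classify each dnsmasq-style query line as blocklist, lookalike, or ok."""
    results = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group(2).lower().rstrip(".")
        if is_blocked(qname):
            verdict = "blocklist"
        elif is_lookalike(qname):
            verdict = "lookalike"
        else:
            verdict = "ok"
        results.append((qname, verdict))
    return results


# Constructed dnsmasq-style log lines for demonstration; not from a real resolver.
SAMPLE_LOG = [
    "May 28 10:01:02 dnsmasq[412]: query[A] www-fifa.shop from 10.0.0.5",
    "May 28 10:01:03 dnsmasq[412]: query[A] www.fifa.com from 10.0.0.7",
    "May 28 10:01:04 dnsmasq[412]: query[AAAA] login.fifa.bio from 10.0.0.9",
    "May 28 10:01:05 dnsmasq[412]: query[A] fifa.com.login-verify.example from 10.0.0.5",
    "May 28 10:01:06 dnsmasq[412]: query[A] update.example.net from 10.0.0.7",
]

if __name__ == "__main__":
    print(build_rpz())
    for qname, verdict in triage_dns_log(SAMPLE_LOG):
        print(f"{verdict:9} {qname}")
```

The blocklist match is exact (domain or subdomain), so it is safe to enforce. The lookalike heuristic will also fire on legitimate third parties that happen to contain the brand string, so route those hits to an analyst queue or a warning page rather than blocking them outright, and re-validate the official suffix list before the tournament, since FIFA may use additional domains for ticketing and streaming.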
