www.it-connect.fr
GHOST STADIUM: 4,300 Fake FIFA Sites Target the 2026 World Cup
The FIFA World Cup 2026 is coming, and cybercriminals are already ready! Several campaigns, including the one run by GHOST STADIUM, rely on more than 4,300 fraudulent domains to try to trap fans, steal their credentials, and extort money from them.
A pixel-perfect clone of the FIFA website
The campaign run by the hacker nicknamed GHOST STADIUM was set up for profit, not to spread malware. The target: the FIFA World Cup, hosted in three countries (the United States, Canada, and Mexico) from June 11 to July 19, 2026. More than 6 million fans are expected in the stadiums, and ticket demand is extremely high: more than 150 million people applied within 15 days of tickets going on sale.
"This massive demand - and the urgency it creates among fans desperate to get tickets - has made this football tournament a real magnet for fraudsters.", explains GROUP-IB in its report on this campaign. It is precisely these fans that GHOST STADIUM is directly targeting.
The hacker developed a React-based phishing kit capable of generating an almost perfect copy of the official fifa.com website. That is indeed the site through which fans are supposed to purchase tickets. According to the researchers, this is not just a basic FIFA site clone.
It also reproduces FIFA's official single sign-on (SSO) flow, normally provided by PingIdentity, even going so far as to reuse the client identifier (client_id) extracted from the legitimate site. "It is important to note that the phishing page parameters include p1:reset:userPassword, which authorizes password reset - allowing the attacker to immediately block legitimate users from accessing their accounts after capturing their credentials.", the report states.
GHOST STADIUM is not just a handful of malicious domains. No, it is much more than that, especially since there appear to be at least 3 groups involved. Here are some figures showing the scale of this campaign, which began in August 2025:
- More than 4,300 fraudulent domains mimicking the FIFA website have been registered.
- More than 300 domains are actively running this infrastructure.
- About 3,800 domains are currently on standby, ready to be activated as the tournament approaches.
There are deceptive domain names (typosquatting), such as www-fifa[.]com[.]co instead of fifa.com.
These attackers are reportedly running several types of scams, including credential theft (via infostealer), the sale of fake tickets (with prices ranging from $1,500 to more than $10,000 per ticket), counterfeit merchandise stores, and fake streaming platforms. All of this uses the context of the 2026 World Cup to lure fans in.
"Financial losses linked solely to premium and VIP ticket fraud (about 25% of the total) are estimated between $71 million and $474 million for the entire campaign. The total losses caused by the GHOST STADIUM phishing campaign, across all levels, could reach several billion dollars.", the report says.
Facebook Ads and a sense of urgency as a trap
To drive traffic to its phishing domains, the GHOST STADIUM campaign relies on advertising, especially on Facebook through the Facebook Ads program. This allows them to sponsor posts and push them to as many people as possible, with the goal of directing users to the fake pages.
To encourage victims to click, the attackers exploit FOMO:
- Displaying ridiculously low prices, for example $60 for tickets whose official value is in the thousands.
- Countdown timers paired with messages like "first come, first served."
Once on the site, the user is taken through a flow that simulates a legitimate purchase process: match selection, seat category selection, then redirection to a fake login page. If the victim tries to buy tickets, a form collects extensive personal data (first name, last name, email, phone number, full address, city, state/province, postal code, country, and delivery instructions) via a POST request before sending them to a fake payment page.
These are common tactics, but they still work. Especially when there are tens of millions of potential buyers.
