Ghost Stadium fraud targets 2026 FIFA World Cup fans
🎯 Group-IB has identified over 4,300 fraudulent domains impersonating FIFA since last August, organized across six schemes and four threat actors targeting 2026 World Cup fans. The main operator, dubbed Ghost Stadium, uses a Chinese-speaking developer and a phishing kit that clones fifa.com, including its PingIdentity SSO flow, and leverages paid Facebook ads. Other actors include domain squatters, a PhaaS supplier and infostealer campaigns, which have already harvested around 2,500 FIFA credentials. Group-IB warns ticket fraud losses could reach into the hundreds of millions and advises fans to buy only from fifa.com, avoid crypto-based offers and enable MFA.
