Fraud Administration & Cybercrime
,
Social Engineering
Researchers estimate losses starting from a whole bunch of tens of millions to billions
A Chinese language-language phishing-as-a-service platform scammed between $470 million to $1 billion from soccer followers forward of the 2026 FIFA World Cup beginning subsequent month.
See Additionally: How Organizations Are Strengthening Defenses Towards Scattered Spider
The financially motivated operator, tracked as Ghost Stadium by risk intel agency Group-IB, enabled the theft of as much as $10,000 per ticket from at the least 47,000 victims on premium ticket gross sales.
The risk actor additionally stolen greater than 2,500 FIFA account credentials, which now flow into in dark-web markets. It promotes a superbly cloned FIFA ticket websites on Fb Adverts. It has registered over 4,000 fraudulent domains since August 2025 and is actively operating a small portion of them.
“Area-by-domain takedowns won’t cease this – not when 3,800 alternative domains are already registered and ready,” mentioned Yuan Huang, a senior fraud analyst at Group-IB.
Ghost Stadium is a part of a broader Chinese language-language phishing ecosystem that has advanced right into a sprawling underground economic system, reducing the barrier for inexperienced actors to flood gadgets world wide with refined phishing messages and web sites (see: Chinese language Phishers Use Dwell MFA Interception for Digital Pockets Fraud).
Researchers say Ghost Stadium’s customized React-based utility can clone official FIFA websites pixel-perfectly. The phishing equipment is constructed with an open-source UI library known as Layui 2.7.6 that’s used solely inside the Chinese language developer group.
“FIFA’s respectable single sign-on service is supplied by PingIdentity, and the Ghost Stadium phishing equipment is even able to replicating this utilizing the precise client_id lifted from the true FIFA SSO,” Group-IB researchers discovered.
The phishing equipment captures e mail, handle and cellphone knowledge along with login credentials and authorizes password reset to lock victims out of their accounts instantly.
Like many Chinese language-language phishing suppliers, Ghost Stadium helps 11 languages by auto-detecting the placement of the browser and switching to its default language. The platform additionally distinguishes amongst Simplified Chinese language, Conventional Chinese language and Hong Kong Chinese language, a nuance that solely Chinese language-language builders are prone to discover significant
The phishing pages are promoted via paid social media promoting. Researchers discovered three shared Meta Pixel IDs, a novel 16-digit quantity related to Fb Advert accounts, throughout the phishing domains, which means the identical group is behind the whole marketing campaign.
The identical pages may even populate Google search outcomes, tricking the search engine with fifa.tax, fifa.social gathering, and fifa-web.co fraud domains.
Telegram and WhatsApp direct messaging are additionally channels for distributing phishing hyperlinks, with some rip-off pages slapping a festive photograph of “2026 World Cup Sizzling Deal – Restricted Seats Out there” proper on their profiles.
The marketing campaign’s presence throughout social media advertisements, search outcomes and messaging platforms makes for a sprawling, persistent fraud infrastructure. As a result of exercise is unfold throughout totally different organizations, none of them holds a whole view of the operation.
“When one financial institution flags a suspicious cryptocurrency handle, different fee channels stay untouched and different monetary establishments stay unaware,” Group-IB researchers mentioned.
Ghost Stadium is among the many most refined and outstanding actor phishing FIFA followers, however researchers have recognized different unbiased risk actors operating their very own fraud schemes. Their exercise will solely intensify because the event approaches.
“Legislation enforcement can not examine each operator. The velocity, scale, and multi-channel nature of the marketing campaign demand a coordinated response – a protection structure that mirrors the size and interconnection of the assault itself,” Group-IB researchers mentioned.
