GHOST STADIUM — FIFA World Cup 2026 Phishing Operation: 4,300+ Fraudulent Domains and 300+ Cloned fifa.com PingIdentity SSO Credential-Theft Sites — Threadlinqs Intelligence
Threat ID: TL-2026-0704 · Severity: HIGH · Status: ACTIVE · Category: PHISHING
Attribution: Ghost Stadium · FINANCIAL
Group-IB uncovered GHOST STADIUM, a Chinese-speaking, financially motivated phishing operation that registered 4,300+ fraudulent FIFA domains since August 2025 and runs 300+ live sites cloning
GHOST STADIUM is a large-scale, profit-driven phishing and fraud operation targeting fans of the 2026 FIFA World Cup. Group-IB attributes the campaign to four distinct threat-actor clusters operating six fraud schemes, with GHOST STADIUM (TA-1) as the lead actor controlling 300+ live phishing domains. Group-IB tracked 4,300+ fraudulent FIFA-themed domains registered since August 2025 — 300+ actively serving phishing content, 140+ flagged suspicious, and ~3,800 parked and pre-positioned for activation as the tournament approaches.
The GHOST STADIUM phishing kit is a React-based single-page application that clones the official fifa.com site to near pixel-perfect fidelity, using the Chinese open-source Layui 2.7.6 UI framework. It replicates FIFA's legitimate PingIdentity SSO authentication flow, reusing the genuine client_id 35072598-fc20-4142-a469-1b940db47e6f. Critically, the kit's OAuth scope parameters include 'p1:reset:userPassword', which lets the operator trigger a password reset on the victim's real FIFA account immediately after capturing credentials — locking the legitimate owner out while the attacker retains control. After harvesting login credentials, email, phone, and address data, the kit performs a silent redirect to https://www.fifa.com/auth/ so the victim believes the login succeeded and never notices the compromise.
The kit supports 14 locales (11 languages plus Simplified, Traditional, and Hong Kong Chinese variants), loads FIFA branding and product imagery directly from FIFA's official CDN for visual legitimacy, and embeds a Google Translate widget and authentic-looking social footer. Attribution to a Chinese-speaking actor rests on the Layui framework choice, Chinese-language source-code comments, and the granular mainland/Taiwan/Hong Kong locale distinctions.
Infrastructure is heavily clustered: 300+ domains share SSL certificates, identical Meta (Facebook) Pixel IDs, a shared Tawk.to live-chat Property ID (6976ccbaba77e8198a866266), and byte-for-byte identical 415 KB HTML across 79 premium/hospitality domains. 57% of the cluster was registered through GNAME.COM PTE. LTD. Victim acquisition runs primarily through Facebook Ads and organic Google search ranking of typosquat/themed domains, with Telegram and WhatsApp for distribution and victim support.
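The SSO and infrastructure tells in the two passages above can be turned into a small triage check for URL telemetry and fetched page bodies. The helper below is an added example, not code from Group-IB or Threadlinqs: the client_id, scope string, Tawk.to Property ID and redirect URL are the values reported above, EXPECTED_HOST_SUFFIXES is an assumed placeholder (the page does not name the real PingOne authorization host, so fill it from your own telemetry), and the sample HTML is constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Fingerprints taken from the Group-IB findings summarized above.
FIFA_CLIENT_ID = "35072598-fc20-4142-a469-1b940db47e6f"
RESET_SCOPE = "p1:reset:userPassword"
TAWK_PROPERTY_ID = "6976ccbaba77e8198a866266"
SILENT_REDIRECT = "https://www.fifa.com/auth/"
# Assumption: hosts where FIFA's client_id may legitimately appear; the real PingOne
# authorization host is not named above, so add it here from your own telemetry.
EXPECTED_HOST_SUFFIXES = ("fifa.com",)

def _host_expected(host):
    return any(host == s or host.endswith("." + s) for s in EXPECTED_HOST_SUFFIXES)

def score_page(url, html):
    """Score a fetched page body. Two or more hits merit a manual look; one is weak."""
    off_host = not _host_expected((urlparse(url).hostname or "").lower())
    reasons = []
    if FIFA_CLIENT_ID in html and off_host:               # genuine client_id, wrong host
        reasons.append("fifa_client_id_on_unexpected_host")
    if RESET_SCOPE in html:                                # the lockout primitive
        reasons.append("password_reset_scope_present")
    if TAWK_PROPERTY_ID in html:                           # shared across the cluster
        reasons.append("ghost_stadium_tawk_property_id")
    if re.search(r"\blayui\b", html, re.I) and off_host:  # the kit's UI framework
        reasons.append("layui_on_non_fifa_host")
    if SILENT_REDIRECT in html and off_host:               # post-capture redirect
        reasons.append("silent_redirect_to_real_fifa")
    return len(reasons), reasons

def inspect_authorize_url(url):
    """Check an authorize-style URL from proxy logs for the same two SSO tells."""
    p, reasons = urlparse(url), []
    q = parse_qs(p.query)
    if FIFA_CLIENT_ID in q.get("client_id", []) and not _host_expected((p.hostname or "").lower()):
        reasons.append("fifa_client_id_on_unexpected_host")
    if RESET_SCOPE in " ".join(q.get("scope", [])).split():
        reasons.append("password_reset_scope_requested")
    return reasons

# Constructed sample body (not a real capture) carrying the kit's tells.
SAMPLE_HTML = (
    '<link rel="stylesheet" href="/static/layui/css/layui.css">'
    '<script>var client_id="35072598-fc20-4142-a469-1b940db47e6f";'
    'var scope="openid profile p1:reset:userPassword";</script>'
    '<script src="https://embed.tawk.to/6976ccbaba77e8198a866266/default"></script>'
    '<script>location.href="https://www.fifa.com/auth/"</script>'
)
```

Run score_page over crawled candidates from the parked-domain list and inspect_authorize_url over proxy logs; a Layui hit alone is common on unrelated Chinese-language sites, which is why the score, not any single tell, drives escalation.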
Monetization is diversified across five payment channels: direct card capture (Order ID format FWC2026XXXXXXXXX), a third-party gateway at pay.zfxupi.net (routing Cash App/Chime), peer-to-peer transfers (Chime cashtag $Paramjit-Bains, Nequi account 3202059757), region-specific rails (FIXYD Mexico via mm-fifa.top), and a crypto on-ramp via Alchemy Pay converting USD to USDT on Binance Smart Chain (ChainUGO gateway). Group-IB estimates premium/hospitality ticket fraud alone (79 domains, ~47,400 victims) at $71M–$474M, with total campaign losses potentially reaching billions.
The broader ecosystem includes TA-2 (bulk domain squatter, ~143 domains for fake streaming, counterfeit merchandise, and betting), TA-3 (Vidar/Lumma infostealer operators with ~130,000 logs referencing FIFA), and TA-4 (dark-web phishing-as-a-service kit sellers active since mid-2025). 2,513 FIFA credential pairs are already circulating in dark-web markets at $5–$50 each. The FBI's IC3 PSA260527 independently warned of FIFA website spoofing via typosquatting (e.g., fiffa.com, wvvw-fifa.com homograph), alternative TLDs, and fake subdomains such as jobs-fifa.com and fifa-hiring.com.
Weaknesses (CWE)
CWE-290, CWE-451, CWE-1021
Target sectors: sports, entertainment, retail, consumer, ticketing, general-public
Target regions: North America, Europe, Latin America, Asia, Middle East, Global
Detections & IOCs
This threat has 9 detection rules across Splunk SPL, Microsoft KQL and Sigma, and 48 indicators of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
PHISHING, HIGH, threat intelligence, cybersecurity, T1583, T1583.001, T1583.006, T1583.008, T1608.005, T1588.001, T1587.001, T1598.003, T1589.001, T1589.002