Fraud Administration & Cybercrime
,
Social Engineering
Researchers estimate losses starting from lots of of thousands and thousands to billions
A Chinese language-language phishing-as-a-service platform scammed between $470 million to $1 billion from soccer followers forward of the 2026 FIFA World Cup beginning subsequent month.
See Additionally: How Organizations Are Strengthening Defenses In opposition to Scattered Spider
The financially motivated operator, tracked as Ghost Stadium by risk intel agency Group-IB, enabled the theft of as much as $10,000 per ticket from a minimum of 47,000 victims on premium ticket gross sales.
The risk actor additionally stolen greater than 2,500 FIFA account credentials, which now flow into in dark-web markets. It promotes a wonderfully cloned FIFA ticket websites on Fb Adverts. It has registered over 4,000 fraudulent domains since August 2025 and is actively working a small portion of them.
“Area-by-domain takedowns is not going to cease this – not when 3,800 substitute domains are already registered and ready,” stated Yuan Huang, a senior fraud analyst at Group-IB.
Ghost Stadium is a part of a broader Chinese language-language phishing ecosystem that has developed right into a sprawling underground economic system, decreasing the barrier for inexperienced actors to flood units all over the world with refined phishing messages and web sites (see: Chinese language Phishers Use Reside MFA Interception for Digital Pockets Fraud).
Researchers say Ghost Stadium’s customized React-based software can clone official FIFA websites pixel-perfectly. The phishing equipment is constructed with an open-source UI library referred to as Layui 2.7.6 that’s used solely inside the Chinese language developer neighborhood.
“FIFA’s official single sign-on service is offered by PingIdentity, and the Ghost Stadium phishing equipment is even able to replicating this utilizing the precise client_id lifted from the actual FIFA SSO,” Group-IB researchers discovered.
The phishing equipment captures e-mail, deal with and cellphone knowledge along with login credentials and authorizes password reset to lock victims out of their accounts instantly.
Like many Chinese language-language phishing suppliers, Ghost Stadium helps 11 languages by auto-detecting the situation of the browser and switching to its default language. The platform additionally distinguishes amongst Simplified Chinese language, Conventional Chinese language and Hong Kong Chinese language, a nuance that solely Chinese language-language builders are more likely to discover significant
The phishing pages are promoted via paid social media promoting. Researchers discovered three shared Meta Pixel IDs, a novel 16-digit quantity related to Fb Advert accounts, throughout the phishing domains, that means the identical group is behind all the marketing campaign.
The identical pages may even populate Google search outcomes, tricking the search engine with fifa.tax, fifa.occasion, and fifa-web.co fraud domains.
Telegram and WhatsApp direct messaging are additionally channels for distributing phishing hyperlinks, with some rip-off pages slapping a festive picture of “2026 World Cup Scorching Deal – Restricted Seats Obtainable” proper on their profiles.
The marketing campaign’s presence throughout social media advertisements, search outcomes and messaging platforms makes for a sprawling, persistent fraud infrastructure. As a result of exercise is unfold throughout totally different organizations, none of them holds a whole view of the operation.
“When one financial institution flags a suspicious cryptocurrency deal with, different fee channels stay untouched and different monetary establishments stay unaware,” Group-IB researchers stated.
Ghost Stadium is among the many most refined and outstanding actor phishing FIFA followers, however researchers have recognized different impartial risk actors working their very own fraud schemes. Their exercise will solely intensify because the event approaches.
“Legislation enforcement can not examine each operator. The pace, scale, and multi-channel nature of the marketing campaign demand a coordinated response – a protection structure that mirrors the size and interconnection of the assault itself,” Group-IB researchers stated.
