
Chinese Phishing Service Defrauds Thousands of FIFA World Cup Fans


In the lead-up to the highly anticipated 2026 FIFA World Cup, a sophisticated Chinese-language phishing-as-a-service platform, dubbed Ghost Stadium, has reportedly defrauded soccer fans of an estimated $470 million to $1 billion. This alarming figure reflects a growing trend in which cybercriminals exploit major events to prey on unsuspecting individuals, leveraging the excitement surrounding such occasions to facilitate fraudulent activities.

According to cybersecurity researchers at Group-IB, Ghost Stadium's operations have stolen as much as $10,000 per ticket from 47,000 victims who were seeking premium tickets. The impact of this scam extends beyond monetary losses: over 2,500 FIFA account credentials have also been stolen and have reportedly begun circulating on dark web markets. Central to the operation are meticulously crafted clones of legitimate FIFA ticket sales sites. The platform promotes these fraudulent websites primarily through Facebook Ads, and it has registered more than 4,000 counterfeit domains since its inception in August 2025.

Experts have expressed concern about the futility of merely executing domain takedowns. Yuan Huang, a senior fraud analyst at Group-IB, indicated that such measures are largely ineffective against Ghost Stadium’s operations. "Domain-by-domain takedowns will not stop this—not when 3,800 replacement domains are already registered and waiting," he stated, emphasizing the sheer scale of this ongoing fraud.

Ghost Stadium is identified as part of a more extensive Chinese-language phishing ecosystem that has burgeoned into a full-blown underground economy. This ecosystem has streamlined the process for inexperienced cybercriminals to inundate devices worldwide with sophisticated phishing messages and websites. Researchers note that Ghost Stadium utilizes a custom React-based application capable of creating near-perfect clones of official FIFA sites. Notably, the phishing kit employs an open-source UI library named Layui 2.7.6, predominantly utilized within the Chinese developer community, heightening its allure and effectiveness.

Ghost Stadium’s phishing kit has proven adept at replicating FIFA’s legitimate single sign-on service, which is managed by PingIdentity. The fraud toolkit can even leverage genuine client identifiers sourced from FIFA’s actual systems. As a result, victims unwittingly surrender sensitive information, including email addresses, physical addresses, phone numbers, and login credentials. Additionally, the toolkit can authorize password resets, rapidly locking victims out of their accounts after sensitive data is captured.

This platform is designed for effectiveness and reach, supporting 11 languages and employing auto-detection to switch languages based on the user’s browser location. It varies its offerings between Simplified Chinese, Traditional Chinese, and Hong Kong Chinese—nuances likely only grasped by native speakers.

The phishing pages are promoted through paid social media advertising, and researchers discovered shared Meta Pixel IDs across various fraudulent domains. This suggests a cohesive effort among the perpetrators behind the scam. Further complicating the landscape, these fraudulent pages can also appear in Google search results, misleading users with web addresses such as fifa.tax, fifa.party, and fifa-web.co, among others.
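One way a defender can act on the shared Meta Pixel IDs and the Layui 2.7.6 fingerprint described above is to group suspect pages by the tracking IDs they embed, so a whole cluster can be reported together rather than domain by domain. This is an added example, not code from Group-IB or the article; the domains, pixel IDs and HTML are constructed, and the Layui asset-path pattern is an assumption about how the kit references the library.

```python
import re
from collections import defaultdict

# Meta Pixel base code calls fbq('init', '<id>'); its <noscript> fallback
# loads facebook.com/tr?id=<id>. Either form exposes the advertiser's pixel ID.
PIXEL_RE = re.compile(
    r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d{6,20})['"]|facebook\.com/tr\?id=(\d{6,20})""")
# Assumption: the kit loads Layui from a path or query string carrying its version.
LAYUI_RE = re.compile(r"layui[^\"'\s>]*?(\d+\.\d+\.\d+)", re.I)

def fingerprint(html):
    """Return (set of pixel IDs, Layui version or None) for one page."""
    pixels = {a or b for a, b in PIXEL_RE.findall(html)}
    m = LAYUI_RE.search(html)
    return pixels, (m.group(1) if m else None)

def cluster_by_pixel(pages):
    """Union-find over {domain: html}; domains sharing any pixel ID are merged."""
    parent = {d: d for d in pages}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_seen = {}
    for domain, html in pages.items():
        for pid in fingerprint(html)[0]:
            if pid in first_seen:
                parent[find(domain)] = find(first_seen[pid])
            else:
                first_seen[pid] = domain
    groups = defaultdict(list)
    for d in pages:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample pages (not real indicators).
LAYUI_TAG = '<script src="/static/layui/2.7.6/layui.js"></script>'
SAMPLE_PAGES = {
    "tickets-a.example": LAYUI_TAG + "<script>fbq('init', '111111111111111');</script>",
    "tickets-b.example": LAYUI_TAG + "<script>fbq('init','111111111111111');"
                         "fbq(\"init\", \"222222222222222\");</script>",
    "tickets-c.example": '<noscript><img src="https://www.facebook.com/tr?id=222222222222222&ev=PageView"></noscript>',
    "unrelated.example": "<script>fbq('init', '333333333333333');</script>",
}

if __name__ == "__main__":
    for cluster in cluster_by_pixel(SAMPLE_PAGES):
        print("shared-pixel cluster:", cluster)
```

The clustering is transitive: the first and third sample pages share no ID directly but are linked through the second, which carries both.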

Also, the phishing links are disseminated via Telegram and WhatsApp, often featuring flashy promotional messages such as "2026 World Cup Hot Deal – Limited Seats Available" on their profiles. The pervasive nature of this campaign, intertwined across social media, search engines, and instant messaging platforms, culminates in an extensive and persistent fraud network. This multifaceted distribution strategy renders it nearly impossible for any one institution to fully grasp the scope of the operation or coordinate an effective response.

As noted by researchers at Group-IB, "When one bank flags a suspicious cryptocurrency address, other payment channels remain untouched, and other financial institutions are unaware." Ghost Stadium stands out as one of the most sophisticated phishing threats targeting FIFA fans, yet researchers have observed other independent threat actors conducting their schemes. The proximity of the World Cup is expected to escalate these activities further.

Experts are calling for a coordinated response to combat this epidemic, pointing out that law enforcement agencies cannot feasibly investigate every operator involved in such cases. The rapid pace, extensive scale, and intricate multi-channel characteristics of these cybercrimes necessitate a defense infrastructure that mirrors the interconnected nature of these attacks. Without collaborative efforts, the same vulnerabilities that have enabled these scams will continue to threaten victims—especially during significant global events like the FIFA World Cup.
