The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
Essential information
- Published
- 27/05/2026 11:33
- Modified
- 27/05/2026 14:30
- Tags
- 2026-05-27 credential phishing cryptocurrency fraud facebook advertising exploitation fifa world cup 2026 ghost stadium phishing-as-a-service ticket fraud
- Related entities
- 19 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware, 47 others
Description
Researchers uncovered a massive fraud ecosystem targeting the 2026 FIFA World Cup, identifying over 4,300 fraudulent domains impersonating FIFA's official website since August 2025. At the center operates GHOST STADIUM, a Chinese-speaking threat actor running a sophisticated phishing campaign across 300+ domains using a pixel-perfect clone of FIFA's authentication system. The operation harvests credentials, sells fake tickets, and processes payments through five distinct channels including cryptocurrency. Estimated losses from premium ticket fraud alone range from $71 million to $474 million, with total campaign losses potentially reaching billions. Six distinct fraud schemes operate in parallel: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Over 2,513 FIFA account credentials are already circulating on dark-web markets. The campaign exploits Facebook advertising as its primary distribution chann...