The Growing Threat of Ticket Scams
As the 2026 FIFA World Cup approaches, cybercriminals are launching a large scale phishing campaign targeting football fans. Researchers have identified over 300 fake domains, part of a sophisticated operation designed to steal ticket credentials and personal data. The campaign, known as GHOST STADIUM, exploits the high demand for tickets, with over 150 million requests within the first two weeks of sales. Fraudsters have created websites that closely mimic official FIFA platforms, making it difficult for users to distinguish real from fake.
Six Schemes Operate in Parallel
Group IB researchers uncovered six distinct fraud schemes running simultaneously. These include credential phishing, fake ticket sales, counterfeit merchandise stores, fraudulent streaming platforms, illegal betting sites, and infostealer driven credential theft. Each scheme uses its own monetization method, creating a resilient fraud ecosystem that is hard to dismantle with a single takedown. Over 2,513 confirmed FIFA account credential pairs are already circulating on dark web markets, priced between $5 and $50 per pair.
Threat Actor Profile and Impact
The threat actor behind GHOST STADIUM is a Chinese speaking, financially motivated operator running over 300 domains using a React based phishing kit built on the Layui 2.7.6 framework. This Chinese UI library is rarely seen outside of China, indicating a localized development approach. The potential financial losses from this campaign could reach billions of dollars. The operation continues to expand as the tournament draws closer, underscoring the need for fans to verify website authenticity before entering personal information or making payments.
Source: Cyber Security News
