Sophisticated FIFA World Cup Ticket Scam Targets Fans with Near-Perfect Website Clones
A Chinese-speaking group is leveraging meticulously crafted fake websites mimicking the official FIFA site to steal credentials and payment information from unsuspecting fans seeking 2026 World Cup tickets. Cybersecurity firm **Group-IB** has uncovered a network of over 300 fraudulent domains, potentially putting billions of dollars at risk.
Cybersecurity firm **Group-IB** has exposed a large-scale phishing operation targeting football fans eager to secure tickets for the 2026 **FIFA** World Cup. The operation, dubbed GHOST STADIUM, involves a network of over 300 fraudulent domains designed to steal credentials and payment details.
**GHOST STADIUM: A Meticulous Impersonation**
Observed since November 2025, GHOST STADIUM is one of four independent threat actors identified by **Group-IB** targeting the tournament. These actors have collectively registered over 4,300 fraudulent domains impersonating **FIFA**'s official web presence since August 2025. Around 3,800 of these domains are currently parked, ready for activation as the tournament draws closer.
**Phishing Kit Details**
The threat actors utilize a phishing kit developed with Layui 2.7.6m, a Chinese open-source UI library. According to **Group-IB**, this library is "virtually unknown outside the Chinese developer community." The kit replicates **FIFA**'s login system, redirecting users back to the legitimate site after capturing their credentials. The phishing page also requests a password reset parameter, enabling the attacker to lock the victim out of their account and resell any associated tickets.
Chinese-language comments were found embedded throughout the source code. Infrastructure analysis revealed shared SSL certificates and Meta Pixel tracking IDs across all 300+ domains, linking the network to the same Facebook advertising accounts.
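The infrastructure linking described above can be reproduced by a defender who has already collected page source and certificate fingerprints for suspect domains. The following is an added example, not Group-IB's tooling; the function names are hypothetical, and the sample domains, pixel IDs and fingerprints are constructed.

```python
import re
from collections import defaultdict

# Meta Pixel is initialised in page source as fbq('init', '<numeric id>')
PIXEL_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")

def pixel_ids(html):
    """Return the set of Meta Pixel IDs initialised in a page's HTML."""
    return set(PIXEL_RE.findall(html))

def cluster(observations):
    """Group domains that share a pixel ID or a certificate fingerprint.

    observations: list of (domain, html, cert_fingerprint) tuples.
    Returns a list of sorted domain lists, largest cluster first.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domain, html, cert in observations:
        find(domain)  # register domains that carry no indicator at all
        keys = ["pixel:" + pid for pid in pixel_ids(html)]
        if cert:
            keys.append("cert:" + cert)
        for key in keys:
            parent[find(domain)] = find(key)  # union domain with indicator

    groups = defaultdict(set)
    for domain, _, _ in observations:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

# Constructed sample data: domains, pixel IDs and fingerprints are made up.
SAMPLE = [
    ("tickets-a.example", "<script>fbq('init', '111111111111111');</script>", "AA:01"),
    ("tickets-b.example", "<script>fbq('init', '111111111111111');</script>", "BB:02"),
    ("tickets-c.example", "<script>fbq(\"init\", \"222222222222222\");</script>", "BB:02"),
    ("unrelated.example", "<script>fbq('init', '999999999999999');</script>", "CC:03"),
    ("no-pixel.example", "<html></html>", None),
]

if __name__ == "__main__":
    for group in cluster(SAMPLE):
        print(group)
```

Domains are linked transitively: `tickets-a` and `tickets-c` share no indicator directly, but both connect through `tickets-b`, so all three land in one cluster.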
**Financial Impact**
**Group-IB** estimates that 79 of the identified phishing domains were exclusively selling premium and hospitality-tier tickets, priced between $1,500 and $10,000 or more. With over 600 victim registrations observed at a single domain, the firm estimates potential losses for premium ticket fraud alone could range from $71 million to $474 million. Total losses across all fraud tiers, including credential theft and lower-tier ticket sales, "could reasonably reach into the billions."
The campaign is primarily distributed through paid advertising on Facebook, offering tickets as cheaply as $60 for seats officially priced in the thousands, with "first come, first served" messaging to pressure purchases.
**Recommendations**
**Group-IB** advises fans to purchase tickets only through fifa.com, typed directly into a browser, and to treat any domain using a hyphenated variant of the **FIFA** name as fraudulent. The firm has notified relevant authorities and conducted its investigation from March to May 2026.