Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans
2026-5-28 13:33:38 Author: therecord.media

Chinese-speaking fraudsters have built a near pixel-perfect clone of FIFA's official website across more than 300 domains in an attempt to steal credentials and payment details from fans seeking tickets to the 2026 World Cup.

The operation — one of four independent campaigns detailed Wednesday by cybersecurity firm Group-IB — could put billions of dollars at risk when accounting for credential theft, fake ticket sales, counterfeit merchandise, fraudulent streaming sites and unlicensed gambling platforms, said the Singapore-based company.

The potential scale of the fraud mirrors the scale of the 2026 World Cup, which is set to be the largest edition of the tournament in history, with 48 teams competing across 104 matches in the United States, Canada and Mexico.

The group behind it, which Group-IB designated GHOST STADIUM and first observed in November 2025, is one of four independent threat actors the firm identified targeting the tournament. Collectively those criminals have registered more than 4,300 fraudulent domains impersonating FIFA's official web presence since August 2025.

More than 300 of those domains are actively running fraudulent infrastructure. Approximately 3,800 more are parked or dormant, pre-positioned for activation as the tournament approaches, said the researchers.

“This is not a crude phishing page — it is a meticulously engineered impersonation,” the company warned.

GHOST STADIUM uses a phishing kit developed with Layui 2.7.6m, a Chinese open-source UI library that Group-IB said was “virtually unknown outside the Chinese developer community.”

The phishing kit clones FIFA's login system, replicating the authentication flow used by FIFA's identity provider and then silently redirecting the user back to the real FIFA website, making the interaction appear to be a successful login.

The phishing page also requests a password reset parameter, enabling the attacker to immediately lock the victim out of their own account. Any legitimate tickets associated with the compromised account can then be resold, said the researchers.

Chinese-language comments were found embedded throughout the source code, said Group-IB. Infrastructure analysis found shared SSL certificates and Meta Pixel tracking IDs embedded identically across all 300-plus domains, tying the entire network to the same Facebook advertising accounts.
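
The pivot described above, shared tracking IDs and certificates tying lookalike domains to one operator, can be reproduced over pages a defender has already collected. The following is an added example, not Group-IB's tooling or code from the original article; the input format, domains, pixel IDs and fingerprints are constructed assumptions.

```python
import re
from collections import defaultdict

# The Meta Pixel base code initialises with fbq('init', '<numeric id>')
PIXEL_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")

def extract_pixel_ids(html):
    """Return the set of Meta Pixel IDs initialised in a page's HTML."""
    return set(PIXEL_RE.findall(html))

def cluster_domains(observations):
    """Group domains sharing a pixel ID or TLS certificate fingerprint.
    observations (assumed format): {domain: {"html": str, "cert_sha256": str}}
    Returns [(sorted domains, sorted shared indicators)], largest cluster first."""
    parent = {d: d for d in observations}

    def find(d):  # union-find root lookup with path halving
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    by_indicator = defaultdict(set)
    for domain, obs in observations.items():
        for pid in extract_pixel_ids(obs.get("html", "")):
            by_indicator["pixel:" + pid].add(domain)
        if obs.get("cert_sha256"):
            by_indicator["cert:" + obs["cert_sha256"].lower()].add(domain)
    # Merge every set of domains observed with the same indicator
    for domains in by_indicator.values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(lambda: (set(), set()))
    for indicator, domains in by_indicator.items():
        if len(domains) > 1:  # only indicators seen on 2+ domains link infrastructure
            root = find(next(iter(domains)))
            clusters[root][0].update(domains)
            clusters[root][1].add(indicator)
    return sorted(((sorted(d), sorted(i)) for d, i in clusters.values()),
                  key=lambda c: -len(c[0]))

# Constructed sample data: .example domains, made-up pixel IDs and fingerprints
SAMPLE = {
    "tickets-a.example": {"html": "<script>fbq('init', '1111111111');</script>", "cert_sha256": "AA01"},
    "tickets-b.example": {"html": '<script>fbq("init","1111111111")</script>', "cert_sha256": "BB02"},
    "tickets-c.example": {"html": "<p>no pixel</p>", "cert_sha256": "bb02"},
    "unrelated.example": {"html": "<script>fbq('init', '2222222222');</script>", "cert_sha256": "CC03"},
}
if __name__ == "__main__":
    print(cluster_domains(SAMPLE))
```

Here `tickets-c.example` carries no pixel at all but is still pulled into the cluster through the certificate it shares with `tickets-b.example`, which is why pivoting on more than one indicator type matters.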

Among the 300-plus phishing domains identified by the researchers, 79 were exclusively selling premium and hospitality-tier tickets, priced between $1,500 and $10,000 or more. Group-IB said that, with more than 600 victim registrations observed at a single domain, it estimated a potential victim count exceeding 47,400 people for premium ticket fraud alone, with losses estimated at between $71 million and $474 million.

Those figures only cover approximately a quarter of the active GHOST STADIUM campaign. Group-IB said total losses across all fraud tiers, including credential theft, lower-tier ticket sales and downstream monetization, “could reasonably reach into the billions.”

According to the company’s investigators, the GHOST STADIUM campaign was primarily being distributed through paid advertising on Facebook offering tickets as cheaply as $60 for seats officially priced in the thousands, with “first come, first served” messaging designed to pressure purchases.

Group-IB advised fans to buy tickets only through fifa.com, typed directly into a browser, and to treat any domain using a hyphenated variant of the FIFA name as fraudulent. The firm said it notified relevant authorities and that its investigation ran from March to May 2026.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79


Article source: https://therecord.media/chinese-speaking-fraud-gang-fifa-world-cup-scam