GHOST STADIUM

GHOST STADIUM is a Chinese-speaking, financially motivated threat actor tracked by Group-IB as part of a broader Chinese-language phishing ecosystem targeting the 2026 FIFA World Cup. Group-IB reported the actor was first observed in November 2025 and identified it as one of four independent threat actors targeting the tournament. The actor operated a coordinated phishing and ticket-fraud campaign across more than 300 active domains, while the wider infrastructure included more than 4,000 fraudulent domains registered since August 2025, with thousands reportedly parked for later activation. According to the reporting, GHOST STADIUM used a custom React-based phishing kit built with the Layui 2.7.6/2.7.6m UI framework to create near pixel-perfect clones of FIFA ticketing and authentication pages. The kit replicated FIFA’s PingIdentity-based single sign-on flow using a real client_id from the legitimate service, harvested credentials and personal data including email addresses, physical addresses, and phone numbers, and in some cases abused password reset functionality to lock victims out of their FIFA accounts. The phishing workflow then redirected victims to the legitimate FIFA site to make the compromise appear successful. Distribution and victim acquisition relied on Facebook Ads as a primary channel, along with search engine poisoning, Google search results, Telegram, and WhatsApp. Group-IB linked campaign infrastructure through shared Meta Pixel IDs, shared SSL certificates, identical HTML content, and a shared Tawk.to property ID. The phishing pages supported 11 languages and distinguished among Simplified Chinese, Traditional Chinese, and Hong Kong Chinese; Group-IB also reported Chinese-language comments in the source code as an attribution signal. The campaign targeted football fans seeking FIFA World Cup tickets, especially premium and hospitality tickets, and also stole FIFA account credentials. Reporting cited at least 47,000 victims, theft of up to $10,000 per ticket, and more than 2,500 FIFA account credentials circulating on dark-web markets. Group-IB estimated losses ranging from tens or hundreds of millions of dollars for premium-ticket fraud alone, with broader campaign losses potentially reaching into the billions. Known alias in the provided content: Ghost Stadium.