Exposing mass FIFA-themed phishing scams on the eve of the 2026 World Cup
Introduction
Group-IB recently published a detailed report on GHOST STADIUM, a phishing kit targeting World Cup fans and ticket buyers:
The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
Their analysis describes the kit mechanics, identifies heuristics suggesting a Chinese-speaking threat group, and reports roughly 4,300 fraudulent domains, with around 300 active at publication time.
Using a sample of IOCs from the report, we expanded the infrastructure set with Validin pivots, response-body hunting, path searches, and lookalike-domain enumeration. At the time of analysis, we estimate that 3,079 domains remain active. Within this cluster, we see a variety of domains across different themes. A small subset directly poses as English-language ticket vendors; the vast majority are non-English and appear to pose as streaming or gambling sites. We specifically observe Chinese- and Indian-language sites. Of note, FIFA did not officially finalize broadcast deals with India and China until very recently.
Initial Pivoting
We started with a representative domain from the initial report, fifa-ticket-26[.]com, and used Validin to pivot across observable host response features.
Group-IB noted that many of the responses were byte-for-byte identical. Leveraging this, we can use features extracted from those responses to find related infrastructure. Two pivots were immediately useful:
HTML Title
FIFA World Cup 2026™ Tickets | Host Cities, Dates, Teams, Tickets
Favicon Hash
1ea068c804e8ba88b84f6e9598e3172d

Figure 1. Results in Validin Search for domains that had this title tag
Both pivots produced overlapping clusters of domains serving similar content. This gave us a high-confidence starting set for broader kit-based hunting.
YARA Hunting
From the observed HTML responses, we identified unique strings that can be hunted for with YARA:
rule FifaPhishing {
    meta:
        description = "World Cup 2026 Tickets Phishing Kit"
        reference = "https://www.group-ib.com/blog/ghost-stadium-football-fraud/"
    strings:
        $a = "FIFA World Cup 2026TOfficial Hospitality"
        $b = "Experience the best of the World Cup with premium tickets food &drinklounge entry and more!"
    condition:
        any of them
}
Both strings are strong fingerprints for this phishing kit. The first contains the anomalous 2026TOfficial token, and the second is a malformed marketing phrase unlikely to appear in legitimate FIFA content.
Running this rule across Validin response history returned matches, every one of which was serving content from the same FIFA-like path that redirected from the site homepage:
/en/tournaments/mens/worldcup/canadamexicousa2026
The repeated use of this path across unrelated domains strongly indicates shared kit deployment.
We also corroborated Group-IB's observation of Chinese-language developer artifacts by matching Google Translate initialization comments left in the kit JavaScript. This rule also matches many domains outside the FIFA phishing set, so it is not enough on its own to convict a domain. It is, however, useful for broadly hunting additional candidates:
rule GoogleTranslate_Chinese_Comments {
    meta:
        description = "Detects Google Translate init code with Chinese-language developer comments"
        date = "2026-06-11"
    strings:
        $comment_init = "Google翻译初始化函数" wide ascii
        $comment_lang = "网站默认语言" wide ascii
    condition:
        $comment_init or $comment_lang
}
These comments translate roughly to “Google Translate initialization function” and “website default language.” Because they are embedded in developer-facing JavaScript comments rather than user-visible content, they are useful secondary fingerprints for kit variants.
Path-Based Expansion
The path itself proved to be a productive search primitive:
/en/tournaments/mens/worldcup/canadamexicousa2026

Figure 2. The results for the redirect path pivot
Searching Validin response history for this path returned approximately 600 domains hosting content at that location.
A second variant also produced useful results:
/en/tournaments/mens/worldcup/canadamexicousa2026.html
This pivot returned another 22 domains:
boecey[.]com
fifa[.]buzz
restributor[.]com
wkhby[.]one
wkhby[.]vip
worldcupticket[.]vip
restributor[.]vip
wgss[.]lat
muksne[.]com
worldcupticket[.]one
www.fifa[.]buzz
www.wkhby[.]vip
www.boecey[.]com
www.wkhby[.]one
worldcupticket[.]cc
www.muksne[.]com
fifa[.]beer
fifa[.]ceo
fifa[.]click
fifa[.]help
www.fifa[.]click
www.fifa[.]beer
This subset is interesting because many domains do not follow the obvious FIFA-ticketing naming patterns. That suggests the operators may be mixing direct brand abuse with other phishing domains to reduce detection by simple domain-name heuristics.
Most active domains are Cloudflare-fronted, limiting direct IP-based infrastructure analysis. However, the response-path pivots still expose a substantial active slice of the broader infrastructure reported by Group-IB and provide durable hunt primitives independent of DNS origin visibility.
Lookalike Regex Matching
Response-based pivots identify domains that have already served detectable kit content. To find staged, parked, or otherwise inactive infrastructure, we enumerated FIFA-themed lookalikes using Validin regex search.
Initial searches covered common campaign naming patterns:
| Regex | Description |
|---|---|
| /^fifa-.*/ | domains beginning with "fifa-" |
| /.*-fifa$/ | domains ending with "-fifa" |
| /.*fifa.*/ | domains containing "fifa" |
| /.*world.*cup.*/ | domains containing both "world" and "cup" |
| /.*ticket.*/ | domains containing "ticket" |
| /.*hospitality.*/ | domains containing "hospitality" |
| /.*worldcup.*/ | domains containing "worldcup" |
| /.*flfa.*/ | "fifa" with i replaced by l |
| /.*f1fa.*/ | "fifa" with i replaced by 1 |
| /.*tlcket.*/ | "ticket" with i replaced by l |
| /.*ficket.*/ | "ticket" with t replaced by f |
| /.*fif[^a].*/ | "fif" followed by a non-a character |
Finally, we used a broader structural regex to capture FIFA-branded domains with common substitutions and prefix/suffix additions:
/^([a-z0-9-]+[.-])*f[i1l]fa([a-z0-9]+|-[a-z0-9-]+)?\.[a-z]{2,}$/
This pattern returned 5,649 domains.

Figure 3. Searching this regex with Validin’s Lookalike Search finds a matching set of 5649 domains.
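To show how the table patterns and the structural regex behave together, here is an added Python example that is not part of the original analysis or of Validin's tooling. It applies the structural regex to full hostnames and the table patterns to the hostname with its final label stripped (an assumption about how the search applies them; the "-fifa$" pattern can only fire that way). The domain list and the allow-list are constructed for the example; the allow-list exists because the brand owner's own apex domain also satisfies the structural regex and must be carved out before alerting.

```python
import re

# Patterns from the article's lookalike table, keyed by a short label.
# This example applies them to the hostname without its last DNS label
# (an assumption about how the search applies them).
NAME_PATTERNS = {
    "starts fifa-": r"^fifa-.*",
    "ends -fifa": r".*-fifa$",
    "contains fifa": r".*fifa.*",
    "world..cup": r".*world.*cup.*",
    "ticket": r".*ticket.*",
    "hospitality": r".*hospitality.*",
    "worldcup": r".*worldcup.*",
    "flfa": r".*flfa.*",
    "f1fa": r".*f1fa.*",
    "tlcket": r".*tlcket.*",
    "ficket": r".*ficket.*",
    "fif+non-a": r".*fif[^a].*",
}
COMPILED = {label: re.compile(p) for label, p in NAME_PATTERNS.items()}

# The broader structural regex from the article, applied to the full hostname:
# optional dotted or hyphenated prefixes, "fifa" with an i/1/l substitution,
# an optional suffix or hyphenated suffix, then a TLD. Note that it requires
# the brand token to start a label, so "myfifa" does not match it.
STRUCTURAL = re.compile(
    r"^([a-z0-9-]+[.-])*f[i1l]fa([a-z0-9]+|-[a-z0-9-]+)?\.[a-z]{2,}$"
)

# Hypothetical allow-list for this example: the real brand apex domain also
# matches the structural regex, so it must be excluded before alerting.
ALLOWLIST = {"fifa.com"}

# Constructed sample for this example. The first four come from the article's
# own lists; the rest are made up to exercise edge cases.
SAMPLE_DOMAINS = [
    "fifa-ticket-26.com",
    "www.fifa.buzz",
    "worldcupticket.vip",
    "fifa.com",
    "tickets-fifa.com",
    "myfifa-tickets.net",
    "f1fa-hospitality.shop",
    "example.test",
]


def strip_tld(host):
    """Drop the last DNS label. Naive on purpose: multi-label public suffixes
    such as co.uk are not handled, which is fine for a hunt heuristic."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else labels[0]


def classify(host):
    """Return which table patterns and whether the structural regex match."""
    host = host.lower().strip(".")
    name = strip_tld(host)
    return {
        "host": host,
        "structural": STRUCTURAL.fullmatch(host) is not None,
        "patterns": [lbl for lbl, rx in COMPILED.items() if rx.fullmatch(name)],
        "allowlisted": host in ALLOWLIST,
    }


def hunt(domains):
    """Map each flagged, non-allow-listed hostname to its classification."""
    flagged = {}
    for d in domains:
        c = classify(d)
        if c["allowlisted"]:
            continue
        if c["structural"] or c["patterns"]:
            flagged[c["host"]] = c
    return flagged


if __name__ == "__main__":
    for host, c in hunt(SAMPLE_DOMAINS).items():
        print(f"{host:24} structural={c['structural']!s:5} patterns={c['patterns']}")
```

The two regex families are complementary: worldcupticket[.]vip from the path pivot never matches the structural regex because it contains no "fifa" token at all, while the simpler "world.*cup" and "ticket" patterns catch it; conversely the structural regex is what keeps tickets-fifa[.]com and www.fifa[.]buzz in the set while rejecting names where "fifa" is buried mid-label.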
We enriched the result set with DNS resolution and registration data using the newly launched Validin Python SDK, then filtered for currently resolving domains and registration clusters. This helped separate likely active or staged infrastructure from expired, abandoned, or unrelated lookalikes.
You can install the Validin Python SDK with the following command:
pip install validin-sdk
import csv
from validin import Client

# Read the first column (the domain) from the indicator CSV, skipping the header row.
with open("fifa_indicators.csv", newline="") as fh:
    rows = list(csv.reader(fh))[1:]
domains = [r[0].strip().lower() for r in rows if r]

# Pull host-response history for every domain over the last 14 days.
results = Client().host_responses(domains, lookback=14)

# Count a domain as active if any response in the window was served on
# port 443 and carried an HTML title; parked or dead domains rarely satisfy both.
active = sum(
    any(r.value and r.value.port == 443 and r.value.title for r in c)
    for c in results
)
print(f"{active}/{len(domains)} active (title on 443 in last 14 days)")
Findings
Across seed pivots, response-body matching, path search, and lookalike enumeration, we identified:
- 6,113 suspected domains
- 3,079 currently active domains (resolving, and not parked)
- All active domains observed in this set are using Cloudflare to mask origin infrastructure
- Repeated use of the FIFA-like World Cup path as a redirect or content path across phishing domains
- Chinese-language JavaScript comments consistent with Group-IB’s attribution assessment
- Domain patterns consistent with both active phishing and staged infrastructure
The infrastructure follows a familiar phishing pattern: bulk registration, selective activation, kit reuse, CDN fronting, and rapid domain cycling as detection catches up.
Notes for Defenders
For defenders, the most useful detection surfaces are:
- The anomalous 2026TOfficial HTML string
- The malformed hospitality marketing phrase
- The repeated /en/tournaments/mens/worldcup/canadamexicousa2026 path
- The /en/tournaments/mens/worldcup/canadamexicousa2026.html path variant
- The Chinese-language Google Translate comments
- FIFA-themed lookalike domains with ticketing, hospitality, and World Cup terms
- DNS changes on recently registered domains matching FIFA-related patterns
These signals can be used independently or combined to monitor both active kit deployments and staged domains before activation.
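The signals above carry different weight: the kit strings, title, favicon hash and redirect path each identify the kit on their own, while the Google Translate comments (see the YARA Hunting section) only nominate a host for review. The following Python is an added example, not code from the original analysis or from Validin, that encodes that tiering over host-response records. The record layout (host, path, title, favicon_md5, body) and the sample records are constructed for the example; the YARA rules given earlier remain the form to deploy in a scanner, this is just the triage logic.

```python
# Signals taken from the article, grouped by weight. Any "strong" signal is
# treated as a kit deployment on its own; the translate comments alone only
# make a host a candidate, because that rule fires on unrelated sites too.
KIT_TITLE = "FIFA World Cup 2026™ Tickets | Host Cities, Dates, Teams, Tickets"
KIT_FAVICON_MD5 = "1ea068c804e8ba88b84f6e9598e3172d"
KIT_STRINGS = (
    "FIFA World Cup 2026TOfficial Hospitality",
    "Experience the best of the World Cup with premium tickets food &drinklounge entry and more!",
)
KIT_PATHS = (
    "/en/tournaments/mens/worldcup/canadamexicousa2026",
    "/en/tournaments/mens/worldcup/canadamexicousa2026.html",
)
TRANSLATE_COMMENTS = ("Google翻译初始化函数", "网站默认语言")

# Constructed sample records for this example. The first two hostnames are
# from the article's domain lists; the .test hosts are invented.
SAMPLE_RESPONSES = [
    {"host": "fifa-ticket-26.com", "path": KIT_PATHS[0], "title": KIT_TITLE,
     "favicon_md5": KIT_FAVICON_MD5,
     "body": "<h1>FIFA World Cup 2026TOfficial Hospitality</h1>"},
    {"host": "worldcupticket.cc", "path": KIT_PATHS[1] + "?ref=x", "title": "Tickets",
     "favicon_md5": "0" * 32, "body": "<html><body>Loading...</body></html>"},
    {"host": "example-shop.test", "path": "/", "title": "Shop",
     "favicon_md5": "0" * 32,
     "body": "<script>// Google翻译初始化函数\nfunction googleTranslateElementInit(){}</script>"},
    {"host": "example.test", "path": "/", "title": "Example",
     "favicon_md5": "0" * 32, "body": "<html><body>hello</body></html>"},
]


def score_response(rec):
    """Return (verdict, signals) for one host-response record.

    verdict is "kit" (at least one strong signal), "candidate" (only the
    translate-comment signal) or "none". The field names are this example's
    own convention, not a Validin schema.
    """
    strong, weak = [], []
    if rec.get("title") == KIT_TITLE:
        strong.append("title")
    if rec.get("favicon_md5", "").lower() == KIT_FAVICON_MD5:
        strong.append("favicon")
    # Compare the path without its query string so cache-busting params
    # do not defeat the match.
    if rec.get("path", "").split("?", 1)[0] in KIT_PATHS:
        strong.append("path")
    body = rec.get("body", "")
    if any(s in body for s in KIT_STRINGS):
        strong.append("kit_string")
    if any(c in body for c in TRANSLATE_COMMENTS):
        weak.append("translate_comment")
    if strong:
        return "kit", strong + weak
    if weak:
        return "candidate", weak
    return "none", []


def triage(records):
    """Score every record and key the results by hostname."""
    return {r["host"]: score_response(r) for r in records}


if __name__ == "__main__":
    for host, (verdict, signals) in triage(SAMPLE_RESPONSES).items():
        print(f"{host:22} {verdict:10} {signals}")
```

A host that only trips the translate-comment check should go to a review queue or be fed back into the lookalike and path pivots, not straight to a blocklist; a host that hits the path or the kit strings can be blocked with the same confidence the article attaches to those pivots.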
Indicators
A full list of domains identified through this analysis is available on GitHub:
https://github.com/Validin/indicators/blob/master/GhostStadium
The list includes all domains found through our infrastructure searches, YARA matching, and lookalike enumeration. Given the volume of domains on the list, these domains are suspected but not explicitly confirmed as malicious phishing. Add them to blocklists with caution.