Kishore Bhavnanie

Originally published at dnsassistant.com

GHOST STADIUM: How 4,300 Fake Domains Targeted the FIFA World Cup 2026

The 2026 FIFA World Cup is the largest sporting event in history: 104 matches across the United States, Canada, and Mexico, more than six million fans expected in stadiums, and a ticket demand so extreme that the first sales window was oversubscribed roughly thirty times over. That combination of massive audience, high prices, and desperate urgency is exactly what fraudsters look for. And months before the opening match, they were ready.

In late May 2026, security researchers at Group-IB published an investigation into a sprawling fraud ecosystem built around the tournament. At its center sits a threat actor they named GHOST STADIUM, running a sophisticated phishing operation across more than 300 domains. But GHOST STADIUM is only one part of a landscape that includes over 4,300 fraudulent domains impersonating FIFA, four independent threat actors, six parallel fraud schemes, and thousands of pre-positioned domains waiting to activate.

What makes this campaign worth studying is not just its scale. It is that nearly every element of it is built on the DNS layer: domain impersonation, typosquatting, shared certificates, and the quiet registration of attack infrastructure long before anyone was watching. This is a case study in why domain and DNS monitoring matters, and what the warning signs look like when you know where to look.


The Scale of the Operation

The numbers from the Group-IB investigation are striking. More than 4,300 domains impersonating FIFA's web presence had been registered since August 2025. Of those, over 300 were confirmed running active fraudulent infrastructure, around 140 were flagged as suspicious, and roughly 3,800 were parked or dormant, pre-positioned for activation as the tournament approached.

That last figure is the one defenders should sit with. Nearly four thousand domains registered and held in reserve, ready to be switched on when traffic peaks during the June 11 to July 19 match window. This is not opportunistic, last-minute fraud. It is infrastructure built methodically, in advance, with the patience of an operation that knows exactly when its targets will be most vulnerable.

The GHOST STADIUM cluster alone spanned more than 300 domains, all tied together by shared technical fingerprints: identical SSL certificates, the same embedded tracking pixel IDs, byte-for-byte identical HTML pages, and a common live-chat property ID reused across dozens of sites. Each of these shared artifacts is a thread that, once pulled, unravels the whole network. That is also precisely how monitoring catches operations like this.


How GHOST STADIUM Worked

GHOST STADIUM built what researchers described as a pixel-perfect clone of the official FIFA website. The phishing kit was a custom single-page application that reproduced the real site so faithfully that the login experience was functionally indistinguishable from the legitimate one.

The most technically notable detail: the kit cloned FIFA's actual single sign-on authentication flow, even reusing the genuine client identifier lifted from the real FIFA SSO provider. When a victim logged in, the fake page captured their credentials, then silently redirected them to the real FIFA authentication page so the experience appeared to be a normal, successful login. The victim often had no idea anything was wrong.

Worse, the phishing flow requested password-reset authorization, meaning the attacker could lock legitimate users out of their own accounts immediately after stealing their credentials. For a fan with real tickets already linked to their FIFA account, this meant the attacker could change the credentials, lock them out, and resell their tickets.

To appear legitimate, the fake pages loaded all their imagery and branding directly from FIFA's official content delivery network. This is a clever evasion: it made the pages visually authentic at zero infrastructure cost, while also helping bypass detection tools that compare image fingerprints of hosted content. The footer carried real links to FIFA's actual social media accounts. Everything was engineered to build trust.


The DNS Fingerprints That Tied It Together

Here is where the campaign becomes a DNS and domain-monitoring story rather than just a phishing story. Despite spanning hundreds of domains, the GHOST STADIUM operation was bound together by infrastructure signals that monitoring is designed to surface.

Shared SSL certificates. The same certificates appeared across the cluster, cryptographically linking domains that otherwise looked independent. Certificate Transparency logs, which publicly record every certificate issued, are a powerful way to discover this kind of connected infrastructure. When a wave of certificates is issued for lookalike domains of a brand, that is a signal worth catching.

Reused tracking and chat IDs. Three advertising pixel IDs and a single live-chat property ID were embedded identically across the 300+ domains, tying them all to the same operator. One detection became the thread that revealed the entire network.

Typosquatting clusters. Analysis of the domain indicators revealed tight typosquatting groups, families of domains like fifa-com followed by a rotating set of TLDs (fifa-com.site, fifa-com.co, fifa-com.com, fifa-com.store, fifa-com.vip, fifa-com.website, fifa-com.xyz), bulk-registered together. The pattern of one brand string permuted across many TLDs is a classic impersonation fingerprint. We explored a related dynamic in our coverage of domain impersonation and lookalike registration.

Long pre-positioning windows. Some domains had been quietly held for a very long time before being weaponized. One domain in the indicator set was registered well over two years before it was reported as part of the campaign. This is the dormant-infrastructure pattern: register early, sit quiet, activate when it counts. Only continuous monitoring catches the moment a long-dormant lookalike domain suddenly comes alive.
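
The CT-log and typosquat-cluster signals above can be turned into a simple detector. The following is an added example, not the article's or Group-IB's tooling: it takes a feed of certificate names (constructed here, not real CT entries), flags labels that embed or sit within one edit of the brand string, and groups them by label so that one string permuted across many TLDs stands out. The brand, the allow-list of legitimate domains and the naive last-dot suffix split are all assumptions for the demonstration.

```python
"""Flag brand lookalikes in a feed of certificate names and group them into
typosquat clusters (one brand string permuted across many TLDs). Added
example; names below are constructed, not real CT log data."""
import re
from collections import defaultdict

BRAND = "fifa"
LEGITIMATE = {"fifa.com", "fifa.org"}  # assumed allow-list of the real domains

# Constructed sample of CN/SAN values as they would appear in CT log entries;
# not real certificates or indicators.
CT_NAMES = [
    "fifa-com.site", "fifa-com.co", "fifa-com.store", "fifa-com.vip",
    "www.fifa-com.xyz", "fifa.com", "tickets-fifa.shop", "fiifa.net",
    "fifa2026tickets.online", "example.org", "fifaworldcup.xyz",
]

def edit_distance(a, b):
    """Plain Levenshtein distance (no transposition)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_host(name):
    """(registrable label, tld) via a naive last-dot split; assumes one-label suffixes."""
    parts = name.lower().strip().lstrip("*.").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def is_lookalike(label):
    """Brand embedded in the label, or within one edit of it, ignoring separators/digits."""
    stripped = re.sub(r"[-_0-9]", "", label)
    return BRAND in stripped or edit_distance(stripped, BRAND) <= 1

def cluster_lookalikes(names):
    """Map each suspicious label to the set of TLDs it appears under; a label
    spanning many TLDs is the bulk-registration fingerprint described above."""
    clusters = defaultdict(set)
    for name in names:
        label, tld = split_host(name)
        if f"{label}.{tld}" in LEGITIMATE or not is_lookalike(label):
            continue
        clusters[label].add(tld)
    return dict(clusters)

if __name__ == "__main__":
    print(cluster_lookalikes(CT_NAMES))
```

In production the split should use the public suffix list and the feed should come from a CT log monitor rather than a static list; the clustering logic is unchanged.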


It Was Not Just One Attacker

One of the more sobering findings is that GHOST STADIUM was not operating alone. The investigation identified four independent threat actors exploiting the same event in parallel: not a single coordinated group, but a convergence of separate operators all drawn to the same target.

Alongside GHOST STADIUM's credential phishing and fake ticket sales, researchers documented a bulk domain squatter pre-positioning typosquat domains, mass infostealer campaigns harvesting FIFA credentials as incidental collateral (with roughly 2,500 FIFA credential pairs already circulating in dark-web markets), and an underground Phishing-as-a-Service supply chain selling ready-made fraud kits to anyone willing to pay.

That last actor matters most for the long term. A Phishing-as-a-Service supply chain means taking down one operator does not end the threat. The same kit gets redeployed by new entrants who simply bought it. The barrier to entry collapses, and the fraud surface keeps expanding. This is the industrialization of brand-impersonation fraud, and it is why defense has to focus on infrastructure patterns rather than individual takedowns.


Six Fraud Schemes, One Event

The broader ecosystem ran six distinct fraud schemes simultaneously, each targeting football fans in a different way:

  • Credential phishing through the cloned FIFA single sign-on, capturing account logins and session data.
  • Fake ticket sales targeting premium and hospitality tiers priced from $1,500 to over $10,000, with estimated losses for that tier alone reaching into the hundreds of millions.
  • Counterfeit merchandise storefronts selling fake branded gear, localized heavily for Latin American markets, harvesting card and shipping data in the process.
  • Fake streaming platforms promising free or premium match streams, charging subscription fees and in some cases delivering malware instead of content.
  • Fraudulent betting and casino sites misusing FIFA branding to appear authorized, stealing deposits and harvesting identity-verification documents for later fraud.
  • Infostealer-driven credential theft from mass malware campaigns that swept up FIFA credentials alongside everything else on infected machines.

Every one of these schemes needed domains to operate. Every domain needed DNS. The fraud was diverse, but its foundation was uniform: impersonation infrastructure built on the domain name system.


How Fraud Reached Victims

The campaign drove traffic through multiple channels, and a few are worth noting because they show why brand monitoring has to extend beyond your own perimeter.

Paid social media advertising was the primary engine. The operators bought ads that pushed phishing pages directly to targeted users, using classic urgency tactics: prices dramatically lower than official tickets, countdown timers, and "first come, first served" pressure messaging. Search engines were also abused, with fraudulent domains impersonating FIFA's name and favicon, copying content to rank organically in search results for FIFA-related queries. Some victims never saw an ad at all; they simply searched and clicked what looked like an official result.

There were also dedicated redirector domains, a set of football-themed domains sharing a single origin IP and a common registration date, that funneled victims toward the fraudulent sites. Redirectors like these act as resilient entry points: even if a primary phishing domain is taken down, the redirector can be quietly pointed at a replacement. From a monitoring standpoint, several domains sharing one IP and one registration date is itself a strong infrastructure signal.


What Organizations Should Learn From This

GHOST STADIUM targeted FIFA, but the playbook applies to any recognizable brand, especially around a major event, product launch, sale, or moment of heightened public attention. The lessons generalize.

Impersonation infrastructure is built early. The 3,800 parked domains and the multi-year pre-positioning windows show that attackers register their infrastructure long before they use it. Monitoring for lookalike domain registrations gives you warning during that quiet window, not after the damage is done.

Certificate Transparency is an early-warning system. When attackers stand up hundreds of phishing domains, they need TLS certificates, and those certificates land in public CT logs. Watching CT logs for certificates issued against lookalikes of your brand can surface an impersonation campaign as it is being built.

Shared infrastructure is the unraveling point. The whole GHOST STADIUM network was tied together by reused certificates, pixel IDs, and IPs. Defenders who map infrastructure relationships, rather than chasing one domain at a time, can identify an entire campaign from a single detection.
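
This is the pivot the "Reused tracking and chat IDs" and "redirector domains sharing one IP" findings rely on, expressed as code. The following is an added example, not the article's or Group-IB's tooling: a union-find over domains that links any two sharing a certificate fingerprint, pixel ID, chat property ID or IP, so one confirmed-bad seed expands to the whole cluster. Every domain, hash and ID below is a constructed placeholder.

```python
"""Pivot from one confirmed phishing domain to the whole cluster by linking
domains that share infrastructure artifacts (cert fingerprint, pixel IDs,
chat ID, IP). Added example; all records are constructed placeholders."""

# Constructed per-domain observations; none of these values are real.
OBSERVATIONS = {
    "fifa-com.site":     {"cert": "sha256:AAA", "pixel": {"px-1"}, "chat": "chat-9", "ip": "192.0.2.10"},
    "fifa-com.store":    {"cert": "sha256:AAA", "pixel": {"px-1", "px-2"}, "chat": None, "ip": "192.0.2.11"},
    "fifa-com.vip":      {"cert": "sha256:BBB", "pixel": set(), "chat": "chat-9", "ip": "192.0.2.12"},
    "worldcup-go.link":  {"cert": "sha256:CCC", "pixel": set(), "chat": None, "ip": "192.0.2.12"},
    "unrelated.example": {"cert": "sha256:DDD", "pixel": {"px-7"}, "chat": "chat-1", "ip": "198.51.100.5"},
}

def artifacts(obs):
    """Yield (kind, value) pairs worth pivoting on. A shared IP is the weakest
    link on shared hosting or a CDN; weight it lower or drop CDN ranges in practice."""
    for kind in ("cert", "chat", "ip"):
        if obs.get(kind):
            yield kind, obs[kind]
    for px in obs.get("pixel", ()):
        yield "pixel", px

def build_clusters(observations):
    """Union-find over domains: two domains join one cluster whenever they share
    any artifact. Returns ({domain: root}, [(domain_a, domain_b, kind, value)])."""
    parent = {d: d for d in observations}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_seen, links = {}, []
    for domain, obs in observations.items():
        for art in artifacts(obs):
            if art in first_seen:
                links.append((first_seen[art], domain) + art)
                parent[find(domain)] = find(first_seen[art])
            else:
                first_seen[art] = domain
    return {d: find(d) for d in observations}, links

def pivot(seed, observations):
    """Return (domains linked to the seed, the artifact links that connect them)."""
    roots, links = build_clusters(observations)
    members = sorted(d for d in observations if roots[d] == roots[seed])
    return members, [l for l in links if l[0] in members]

if __name__ == "__main__":
    print(pivot("fifa-com.site", OBSERVATIONS))
```

The returned links record which artifact joined each pair, which is what an analyst needs to justify adding a newly linked domain to a takedown or blocklist request.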

Typosquatting follows predictable patterns. One brand string permuted across many TLDs and small misspellings is the signature of organized impersonation. These patterns are detectable precisely because they are systematic.

Takedown alone is not enough. With a Phishing-as-a-Service supply chain feeding new operators and thousands of domains in reserve, individual takedowns are necessary but insufficient. Continuous monitoring across your brand's domain footprint is what keeps pace with an adversary operating at this scale.


How DNS Assistant Helps

The GHOST STADIUM campaign is a reminder of how much attacker activity happens at the DNS and domain layer. Defending against an external impersonation ecosystem this large draws on several disciplines, including brand-focused domain discovery services that hunt for lookalikes across the namespace. DNS Assistant's role is the complementary one: keeping continuous watch over the domains you own and track, so the integrity of your own DNS, certificates, and registration details is never the thing that fails you. Here is where it fits:

  • WHOIS monitoring tracks the registration details of the domains you monitor, including registrar, nameserver, and status changes, so unauthorized or unexpected modifications to your own domains are caught as they happen.
  • Subdomain discovery uses Certificate Transparency logs to find subdomains of the domains you monitor, helping you maintain an accurate inventory of your own footprint and catch forgotten or dangling subdomains.
  • DNS record monitoring detects when the records on domains you monitor change or when a dormant domain you track begins resolving to live infrastructure, catching the moment a configuration shifts.
  • Continuous visibility across your domain footprint, with real-time alerting via email, Slack, Microsoft Teams, webhooks, and SMS, so a change is caught when it happens rather than after victims report it.
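
The record-change and dormant-to-live detection in the list above comes down to diffing periodic DNS snapshots. The following is an added example and not DNS Assistant's code: it compares two constructed snapshots, raises a distinct activation event when a domain with no address records starts resolving, and separates nameserver changes from ordinary record changes. The domain names, record values and event names are assumptions for the demonstration.

```python
"""Diff two DNS snapshots of monitored domains and raise events for record
changes, with a distinct 'activation' event when a domain that previously had
no address records starts resolving. Added example; snapshots are constructed."""

ADDRESS_TYPES = ("A", "AAAA")

# Constructed snapshots, {domain: {rrtype: set(of record values)}}.
SNAPSHOT_T0 = {
    "brand-lookalike.example": {"NS": {"ns1.parking.example"}},  # parked: no A/AAAA
    "shop.brand.example": {"A": {"192.0.2.20"}, "NS": {"ns1.brand.example"}},
    "mail.brand.example": {"MX": {"10 mx.brand.example"}},
}
SNAPSHOT_T1 = {
    "brand-lookalike.example": {"NS": {"ns1.bullet.example"}, "A": {"203.0.113.9"}},
    "shop.brand.example": {"A": {"192.0.2.21"}, "NS": {"ns1.brand.example"}},
    "mail.brand.example": {"MX": {"10 mx.brand.example"}},
}

def has_address(records):
    return any(records.get(t) for t in ADDRESS_TYPES)

def diff_snapshots(prev, cur):
    """Return (domain, event, detail) tuples. 'activation' fires once when a
    dormant domain goes live; 'nameserver_change' is split out because a
    delegation change on a domain you own is the signal to page on."""
    events = []
    for domain in sorted(set(prev) | set(cur)):
        before, after = prev.get(domain, {}), cur.get(domain, {})
        if not has_address(before) and has_address(after):
            addrs = sorted(v for t in ADDRESS_TYPES for v in after.get(t, ()))
            events.append((domain, "activation", "now resolves to " + ", ".join(addrs)))
        for rrtype in sorted(set(before) | set(after)):
            added = after.get(rrtype, set()) - before.get(rrtype, set())
            removed = before.get(rrtype, set()) - after.get(rrtype, set())
            if added or removed:
                kind = "nameserver_change" if rrtype == "NS" else "record_change"
                events.append((domain, kind, f"{rrtype} +{sorted(added)} -{sorted(removed)}"))
    return events

if __name__ == "__main__":
    for domain, event, detail in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{event:18} {domain}: {detail}")
```

Feeding each event into an alert channel is the remaining step; the parked lookalike coming alive produces both an activation and a nameserver change, which is the combination worth treating as urgent.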

The defining feature of this campaign was time: attackers built their infrastructure months ahead and waited. That same window is the defender's opportunity. Continuous monitoring of your domain and DNS posture turns that lead time from the attacker's advantage into yours.


Check Your Domain Posture

Start by understanding your own domain footprint. Use the DNS lookup tool at dnsassistant.com/tools to inspect your records, or run a Free Domain Risk Report for a comprehensive view of your DNS configuration, certificates, and email authentication.

For continuous monitoring of your domain and DNS posture with real-time alerting, sign up at dnsassistant.com.

This analysis is based on original research published by Group-IB in May 2026. The campaign details, threat actor attribution, and scale figures are drawn from their published investigation. This article examines the campaign through a DNS and domain-monitoring lens for defensive and educational purposes. If you believe you have encountered a fraudulent FIFA ticketing site, purchase tickets only through the official FIFA portal, and never trust ticket offers requiring cryptocurrency payment.
