{ "type": "Domain", "indicator": "fifa.center", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fifa.center", "alexa": "http://www.alexa.com/siteinfo/fifa.center", "indicator": "fifa.center", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4380308773, "indicator": "fifa.center", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6a16d67df4a69d07c59516be", "name": "The GHOST STADIUM Score: Billions At Stake At The World\u2019s Largest Football Tournament", "description": "Researchers uncovered a massive fraud ecosystem targeting the 2026 FIFA World Cup, identifying over 4,300 fraudulent domains impersonating FIFA's official website since August 2025. At the center operates GHOST STADIUM, a Chinese-speaking threat actor running a sophisticated phishing campaign across 300+ domains using a pixel-perfect clone of FIFA's authentication system. The operation harvests credentials, sells fake tickets, and processes payments through five distinct channels including cryptocurrency. Estimated losses from premium ticket fraud alone range from $71 million to $474 million, with total campaign losses potentially reaching billions. Six distinct fraud schemes operate in parallel: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Over 2,513 FIFA account credentials are already circulating on dark-web markets. The campaign exploits Facebook advertising as its primary distribution chann...", "modified": "2026-05-27T14:08:56.635000", "created": "2026-05-27T11:33:17.668000", "tags": [ "ticket fraud", "cryptocurrency fraud", "ghost stadium", "credential phishing", "facebook advertising exploitation", "fifa world cup 2026", "phishing-as-a-service" ], "references": [ "https://www.group-ib.com/blog/ghost-stadium-football-fraud/" ], "public": 1, "adversary": "GHOST STADIUM", "targeted_countries": [ "United States of America", "Argentina", "Brazil", "Canada", "Colombia", "Mexico" ], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1586.002", "name": "Email Accounts", "display_name": "T1586.002 - Email Accounts" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" } ], "industries": [ "Hospitality", "Media", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "IPv4": 9, "URL": 4, "domain": 41, "hostname": 3 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 386447, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1857f6160fd28fb4f69e00", "name": "The GHOST STADIUM Score: Billions At Stake At The World\u2019s Largest Football Tournament | Group-IB Blog", "description": "", "modified": "2026-05-28T14:57:58.703000", "created": "2026-05-28T14:57:58.703000", "tags": [ "ghost stadium", "fifa", "groupib", "fifa account", "fifa world", "august", "meta pixel", "meta", "hong kong", "buy now", "mexico", "june", "fusion", "italian", "korean", "facebook" ], "references": [ "https://www.group-ib.com/blog/ghost-stadium-football-fraud/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "IPv4": 15, "URL": 4, "domain": 44, "hostname": 4 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1814b55e1559397600e7f7", "name": "EbeeMay2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-28T10:11:01.506000", "created": "2026-05-28T10:11:01.506000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "redacted", "ipv62a12", "ipv62a03", "localappdata", "cve20234966 cve", "cve20136282 cve", "cve20132597 cve" ], "references": [ "IOCs-MAY4.csv" ], "public": 1, "adversary": "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 79, "URL": 57, "CIDR": 3, "CVE": 15, "FileHash-MD5": 151, "FileHash-SHA1": 113, "FileHash-SHA256": 164, "domain": 137, "email": 4, "hostname": 47 }, "indicator_count": 770, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a17a263cacaa1c5f03cb9d0", "name": "IOC - The GHOST STADIUM Score: Billions At Stake At The World\u2019s Largest Football Tournament", "description": "With the 2026 FIFA World Cup just weeks away, Group-IB researchers have uncovered six distinct fraud schemes, four independent threat actors, and over 4,300 fraudulent domains impersonating FIFA's official web presence \u2014 including a sophisticated phishing operation run by the Chinese-speaking threat actor GHOST STADIUM, whose campaign could cause losses reaching billions of dollars.", "modified": "2026-05-28T02:03:15.254000", "created": "2026-05-28T02:03:15.254000", "tags": [ "hosting ips" ], "references": [ "https://www.group-ib.com/blog/ghost-stadium-football-fraud/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 14, "domain": 30 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.group-ib.com/blog/ghost-stadium-football-fraud/", "IOCs-MAY4.csv" ], "related": { "alienvault": { "adversary": [ "GHOST STADIUM" ], "malware_families": [ "Lumma", "Vidar" ], "industries": [ "Finance", "Media", "Hospitality" ] }, "other": { "adversary": [ "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6a16d67df4a69d07c59516be", "name": "The GHOST STADIUM Score: Billions At Stake At The World\u2019s Largest Football Tournament", "description": "Researchers uncovered a massive fraud ecosystem targeting the 2026 FIFA World Cup, identifying over 4,300 fraudulent domains impersonating FIFA's official website since August 2025. At the center operates GHOST STADIUM, a Chinese-speaking threat actor running a sophisticated phishing campaign across 300+ domains using a pixel-perfect clone of FIFA's authentication system. The operation harvests credentials, sells fake tickets, and processes payments through five distinct channels including cryptocurrency. Estimated losses from premium ticket fraud alone range from $71 million to $474 million, with total campaign losses potentially reaching billions. Six distinct fraud schemes operate in parallel: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Over 2,513 FIFA account credentials are already circulating on dark-web markets. The campaign exploits Facebook advertising as its primary distribution chann...", "modified": "2026-05-27T14:08:56.635000", "created": "2026-05-27T11:33:17.668000", "tags": [ "ticket fraud", "cryptocurrency fraud", "ghost stadium", "credential phishing", "facebook advertising exploitation", "fifa world cup 2026", "phishing-as-a-service" ], "references": [ "https://www.group-ib.com/blog/ghost-stadium-football-fraud/" ], "public": 1, "adversary": "GHOST STADIUM", "targeted_countries": [ "United States of America", "Argentina", "Brazil", "Canada", "Colombia", "Mexico" ], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1586.002", "name": "Email Accounts", "display_name": "T1586.002 - Email Accounts" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" } ], "industries": [ "Hospitality", "Media", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "IPv4": 9, "URL": 4, "domain": 41, "hostname": 3 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 386447, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1857f6160fd28fb4f69e00", "name": "The GHOST STADIUM Score: Billions At Stake At The World\u2019s Largest Football Tournament | Group-IB Blog", "description": "", "modified": "2026-05-28T14:57:58.703000", "created": "2026-05-28T14:57:58.703000", "tags": [ "ghost stadium", "fifa", "groupib", "fifa account", "fifa world", "august", "meta pixel", "meta", "hong kong", "buy now", "mexico", "june", "fusion", "italian", "korean", "facebook" ], "references": [ "https://www.group-ib.com/blog/ghost-stadium-football-fraud/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "IPv4": 15, "URL": 4, "domain": 44, "hostname": 4 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1814b55e1559397600e7f7", "name": "EbeeMay2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-28T10:11:01.506000", "created": "2026-05-28T10:11:01.506000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "redacted", "ipv62a12", "ipv62a03", "localappdata", "cve20234966 cve", "cve20136282 cve", "cve20132597 cve" ], "references": [ "IOCs-MAY4.csv" ], "public": 1, "adversary": "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 79, "URL": 57, "CIDR": 3, "CVE": 15, "FileHash-MD5": 151, "FileHash-SHA1": 113, "FileHash-SHA256": 164, "domain": 137, "email": 4, "hostname": 47 }, "indicator_count": 770, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a17a263cacaa1c5f03cb9d0", "name": "IOC - The GHOST STADIUM Score: Billions At Stake At The World\u2019s Largest Football Tournament", "description": "With the 2026 FIFA World Cup just weeks away, Group-IB researchers have uncovered six distinct fraud schemes, four independent threat actors, and over 4,300 fraudulent domains impersonating FIFA's official web presence \u2014 including a sophisticated phishing operation run by the Chinese-speaking threat actor GHOST STADIUM, whose campaign could cause losses reaching billions of dollars.", "modified": "2026-05-28T02:03:15.254000", "created": "2026-05-28T02:03:15.254000", "tags": [ "hosting ips" ], "references": [ "https://www.group-ib.com/blog/ghost-stadium-football-fraud/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 14, "domain": 30 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fifa.center", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fifa.center", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780173624.6246524 }