No event offers an opportunity as big as the 2026 FIFA World Cup.

More than six million fans are traveling across the US, Canada, and Mexico for the biggest and most lucrative sporting event. They are searching for tickets, accommodation, hospitality packages, merchandise, and travel deals.

For businesses, this represents an unprecedented opportunity to attract customers and drive revenue. For cybercriminals, however, the same demand and urgency have created fertile ground for fraud.

Months before the kickoff, researchers at Group-IB uncovered an expansive fraud ecosystem built around the tournament, comprising more than 4,300 World Cup-themed domains, multiple interconnected fraud schemes, and several independent threat actors targeting the same audience. 

At the center sits a highly organized operation known as Ghost Stadium, a sprawling network of phishing sites, fake ticketing platforms, and payment systems. More than 2,500 valid FIFA account credential pairs are already circulating on dark-web marketplaces.

The scale of the operation is startling. The sophistication is even more so. It’s like a startup, with a growth strategy, a customer acquisition model, localized user experiences, conversion funnels, and multiple revenue streams.
According to investigators, potential losses across the broader ecosystem could reach billions of dollars.

PRODUCT-MARKET FIT

Every successful startup starts by understanding what people want.

Ghost Stadium discovered one of the biggest gaps between supply and demand online. In just the first 15 days of ticket sales, over 150 million requests were made, making this World Cup about 30 times more oversubscribed than previous ones.

“Major sporting events create the perfect conditions for fraud: huge demand, limited ticket availability, emotional pressure, and fear of missing out,” says Yuan Huang, Global Fraud Intelligence Lead at Group-IB. “Criminals exploit this urgency by offering discounted tickets, fake hospitality packages, and time-sensitive deals that push fans to act quickly.”

Cybercriminals follow attention the same way marketers do because attention creates opportunity, says Santiago Pontiroli, Lead TRU Researcher at Acronis. “In many cases, cybercriminals are running their own version of market intelligence, identifying where people are spending money, what they are searching for online, and which brands or events are generating the most engagement.”

For real businesses, this information helps them understand customers. For criminals, it helps them pick their targets.

THE RISE OF THE FRAUD ECONOMY

For years, cybercrime was often portrayed as a collection of isolated scams orchestrated by individual actors. But that view is now outdated.

“Operation Ghost Stadium is a good example of how cybercrime has evolved from isolated scams into coordinated commercial operations,” Pontiroli says.

What makes the operation particularly notable is not simply its scale but its specialization. Rather than relying on a single scam model, investigators uncovered a system that includes fake ticketing platforms, counterfeit merchandise stores, fraudulent travel services, credential-harvesting portals, and investment scams—all exploiting the same event.

Different groups go after different sources of income. Some provide special skills, while others focus on certain types of victims. Together, they form something that increasingly resembles a business ecosystem.

“This reflects a broader trend across the cybercrime landscape,” says Pontiroli. “Threat actors increasingly operate within an underground economy where infrastructure, stolen credentials, phishing kits, malware, hosting services, and advertising capabilities can be acquired from specialist providers.”

It is hard to ignore how much this mirrors the real tech industry.

Startups outsource logistics, cloud computing, payments, and marketing.

Cybercriminals outsource phishing kits, traffic generation, hosting infrastructure, malware distribution, and credential marketplaces.

“The biggest change is not necessarily technical sophistication, but operational maturity,” Pontiroli says. “Modern cybercrime increasingly resembles a digital business ecosystem with planning cycles, specialization, customer acquisition strategies, and diversified revenue streams.”

CYBERCRIME-AS-A-BUSINESS

Cybercrime-as-a-business is no longer just a metaphor; it is an operational reality, says Morey Haber, Chief Security Advisor at BeyondTrust. “What stands out in the research is not simply the existence of fraud, but the raw industrialization of it into a thriving business.”

The Group-IB investigation found that more than 4,300 fraudulent domains have been registered since August 2025. While over 300 are already actively deploying phishing infrastructure, thousands more remain parked and ready to be activated as the tournament approaches and consumer demand intensifies.

To Haber, those numbers reveal something important. “This resembles a modern digital enterprise complete with infrastructure, customer acquisition strategies, localization, supply chain dependencies, and revenue optimization,” he says.

They increasingly resemble mature growth companies.

“They use automation, analytics, branding, market segmentation, AI, and even customer experience design through social engineering to maximize conversion rates,” Haber says.

BUILDING THE PRODUCT

Every startup focuses heavily on user experience.

Ghost Stadium does the same.

Group-IB researchers found that the operation had effectively recreated FIFA’s digital experience, building what investigators describe as a near-perfect clone of FIFA’s official website and its PingIdentity single sign-on authentication process.

The system automatically translates into 11 languages. It uses official brand images from FIFA’s network and copies real ticketing steps, hospitality offers, and checkout processes with impressive accuracy.

“The websites closely replicated the official tournament experience, including login pages, ticket selection flows, hospitality-style offers, checkout pages, official-looking imagery, social media links, and multilingual interfaces,” says Huang.

GROWTH MARKETING

One of the most telling parts of this operation is how it attracts people—or, more accurately, victims.

According to Group-IB, fraudsters have aggressively weaponized Facebook advertising to direct users toward fraudulent ticketing experiences, pairing artificially low prices with urgency-driven messaging.

They advertised premium seats for as little as $60, along with exclusive hospitality deals, countdown timers, and last-chance messages.

These tactics are familiar because they are straight from the digital marketing playbook.

“The democratization of the digital marketplace has made it easier than ever to build, scale, and operate a fraudulent commercial ecosystem,” says Haber.

“Threat actors are no longer waiting for victims to discover scams organically. They are actively acquiring advertisements using the same marketing techniques employed by legitimate businesses.”

Group-IB’s findings suggest the strategy is working.

“We do not have the traffic volume split; that data sits with Meta and the hosting providers,” says Huang. “What we can confirm is the outcome: more than 600 users registered on a single premium-tier phishing site alone, out of more than 300 sites in the campaign.”

It was a customer acquisition engine.

THE TRUST BUSINESS

Most companies sell products. Ghost Stadium sells trust, or at least the illusion of it.

“What fake ticketing operations teach us is that trust is often emotional before it is rational,” says Haber.

Most people do not check the technical details when buying tickets for a major event. Instead, they trust things that look real, like familiar logos, professional design, secure-looking checkout pages, recognizable images, and social proof.

“The social engineering lesson is simple,” Haber says. “People trust what feels familiar and simply looks correct on the surface.”

That understanding sits at the heart of Ghost Stadium’s success.

“When a victim sees recognizable logos, professional design, and a checkout process that mirrors a legitimate retailer, their brain often concludes the transaction is safe before performing any deeper verification,” Haber explains.

In startup-speak, this is user experience design. In cybercrime, it is conversion optimization.

THE TECHNOLOGY STACK

Today’s cybercrime ecosystem functions more like a software marketplace. 

“The operation shows a high level of maturity,” says Huang. “This was not a simple phishing campaign, but an industrialized fraud ecosystem with domain inventories, paid traffic acquisition, localized phishing kits, credential theft, fake ticketing flows, and monetization channels operating together.”

What makes that model particularly dangerous is how accessible it has become.

“Generative AI, phishing-as-a-service platforms, malware-as-a-service offerings, automated website cloning tools, stolen credential marketplaces, and cryptocurrency payment systems have significantly lowered barriers to entry,” says Pontiroli.

“A few years ago, running a sophisticated phishing campaign required technical expertise. Today, AI can generate convincing content in multiple languages, while ready-made kits provide everything from phishing pages to backend dashboards.”

THE SUPPLY CHAIN

The investigation uncovered far more than fake tickets.

Counterfeit merchandise storefronts targeted football fans across Latin America. Fraudulent travel services preyed on international visitors. Fake streaming platforms promised access to matches while secretly infecting devices with remote access malware. Behind the scenes, infostealer malware families such as Vidar and Lumma harvested credentials that were later traded on underground markets.

Taken together, these activities constitute more than a collection of scams. They form a supply chain.

Rather than operating independently, phishing infrastructure, stolen credentials, fake marketplaces, social media advertising, malware distribution, and payment systems increasingly work together to maximize profits and scale globally.

FINANCIAL ARCHITECTURE

Every business needs a payment strategy. So does fraud.

One of the most revealing discoveries from the investigation was the sophistication of the operation’s payment infrastructure.

“It tells us this operator designed for international fraud from the start, not stumbled into it,” says Huang.

Victims in different regions are routed through different payment methods, each selected to maximize trust and conversion within local markets.

Meanwhile, high-value transactions involving premium hospitality packages and expensive ticket tiers are increasingly funneled through cryptocurrency payment channels.

“No chargeback. Once paid, the money is gone,” Huang says.

The architecture is deliberate.

“That is the key design choice: diversify channels to avoid detection, localize by geography to maximize conversion, and route the biggest payments through the least reversible rail,” he explains. “That is not opportunistic, that is financial architecture.”

THE STARTUP NOBODY WANTS

Perhaps the most alarming discovery uncovered by investigators was not the technology. It was the business discipline.

“The most alarming practice was the use of a full fraud funnel, similar to a legitimate digital business,” says Huang. “Paid ads to attract victims, localized landing pages to build trust, fake checkout flows to monetize demand, and stolen credentials that could be reused or resold.”

For years, aspiring entrepreneurs looked at how startups grow, attract customers, improve experiences, and expand to new countries.

Now, cybercriminals are learning from the same strategies. They know how to spot demand, capture attention, and build trust.

And they understand that in a digital economy, the most valuable asset is not necessarily data or infrastructure. It is people’s trust.

“The technology enables the attack, but trust, urgency, and emotion are what ultimately drive the conversion,” says Haber. 

That insight helps explain why Ghost Stadium is so unsettling. It offers a look at the future of cybercrime, where scams increasingly resemble real digital businesses, with specialized teams, growth plans, international expansion, and performance tracking.

The storefront may be fake, but the business behind it is very real.