Chinese-speaking Operators Clone FIFA's World Cup 2026 Ticketing Site To Steal Fan Logins and Card Data

The 2026 FIFA World Cup is here, and ticket demand has created exactly the kind of urgency phishing operators thrive on. Fans still searching for tickets, resale seats, or last-minute hospitality packages are meeting a wave of convincing lookalike sites. Group-IB first documented the largest of these and named it GHOST STADIUM, a kit carrying Chinese-language artifacts that impersonates FIFA's official World Cup 2026 ticketing portal across a fleet of lookalike domains. This post builds on that work with our own infrastructure hunting.

What makes it worth a closer look is not its technical sophistication, which is very limited. The operators chose scale over stealth: instead of hand-building a convincing fake, they cloned FIFA's real website wholesale and dropped the same uncustomized build onto hundreds of cheap lookalike domains. That makes each site convincing to a victim, but it also means every site carries the same fingerprint, which is exactly what we use against them.

Before walking through the kit's code and the HuntSQL queries built from it, here is what the hunt turned up.

Key Observations

• A criminal group is running a large, coordinated fraud campaign that impersonates the official FIFA World Cup 2026 ticket website to steal account logins and payment-card details from football fans.

• Using Hunt.io's HuntSQL, we identified and analysed a fleet of fake websites that are all built from one shared toolkit. Nearly every site in our sample shared one identical website signature, which strongly suggests a common toolkit and likely shared operational control rather than independent copies.

• Each site is a near-perfect copy of FIFA's real ticketing portal, so victims cannot tell it apart from the genuine site by sight, and anyone who enters a login or payment on one is handing that data to the operators rather than to FIFA.

• Victims are likely to associate any resulting fraud with the FIFA brand rather than the criminals behind it, since the cloned sites are visually indistinguishable from the real thing, and stolen card data and credentials lead to fraudulent charges and account takeover.

• Several independent indicators, Simplified Chinese code comments, a Chinese UI framework, Chinese-locale handling, and China-oriented hosting and registrars, converge to support an assessment that this campaign is run by a Chinese-speaking operator.

With those points in mind, the next section lays out exactly what our sample covers and how the figures in this report should be read.

Scope and Dataset

The crawler observations were collected between 14 May and 02 June 2026, and the WHOIS and IP/ASN records reflect that same window, so the 2025 and early-2026 registration dates referenced later are historical relative to the analysis, not future-dated.

Three different counts appear in this report and they measure different things, so they are worth fixing in mind up front:

• Initial samples. A confirmed set exported with their full crawler field set (HTML, loaded resources, headers, favicon and structural hashes, screenshots). All per-site statistics, including the favicon clustering, are measured against this set.

• Detection-rule. The live result count of the structural rules (the /fifa/ build path, Layui, common_main.js) run across the whole crawler, shown in Figures 2 to 4 and 7.

• Wider markup net. The result count of the hand-authored-markup rules (the fifaindexopen pop-up, /fifa/host.html), shown in Figures 5 and 6, which also catch older clones whose other files were later changed.

Finally, a note on limits: this report is built on passively crawled front-end data. We did not capture live POST requests, back-end endpoints, or server-side code, so statements about where harvested data is sent are inferred from the client-side markup and described as such.

What the Attacker Wants

Before the code, it is worth stating plainly what the operators are trying to achieve. The fake "ticket shop" is a funnel, and stealing a single ticket payment is only the surface goal. Based on the kit's design, it is built to capture several things from each victim. It is set up to collect FIFA account credentials, the email and password entered at the fake login, which because of password reuse can put banking and email accounts at risk too.

It collects payment-card and billing data at the fake checkout, suitable for direct fraud or resale. It collects personal information such as names, phone numbers, and addresses during registration and checkout, which can feed identity fraud and future scams. It takes the victim's money, and victims are unlikely to receive legitimate tickets in return. The harvested data also has resale value in underground markets, a revenue stream independent of whether any single victim pays.

Finally a Meta Pixel on every site gives the operators audience data, so they can measure which lures convert and retarget more people. The rest of this section shows, in the kit's own client-side code, how each of these is set up. (As noted in the scope, we observed the front-end markup, not the server-side collection itself.)

When you open the page source of one of these sites, the first impression is that you are looking at FIFA's real website, because for the most part you are. The interesting work is in the handful of places where the operators had to change something to turn a marketing site into a harvesting tool.

Those edits are where both the intent and the fingerprints live. We will walk through them in the order a victim hits them, and call out what each one tells us about the attacker's goals.

A facade built from FIFA's own code. The page loads FIFA's genuine compiled front end, the same React bundle, the same fonts, the same look. The one change the operators made is that they re-hosted the whole build under their own /fifa/ directory instead of FIFA's real /static/ path, and added a Chinese UI framework (Layui) and a couple of their own scripts on top:

<link href="/fifa/main.c56d670b.css" rel="stylesheet">
<link rel="preload" href="/fifa/noto-sans-regular.bfa96228235216443a93.woff2"
      as="font" type="font/woff2" crossorigin>
<script src="/layui/layui/layui.js"></script>
<script src="/fifa/jquery.min.js"></script>
<script src="/fifa/common_main.js"></script>

                
Copy

Because the visuals are FIFA's own, there is nothing for the victim to notice, and the trust people place in the FIFA brand transfers straight to the fake. From a researcher's chair, though, that /fifa/ path is a gift: the real site never serves its build from there, so the moment we see a FIFA-branded page loading /fifa/main.*.css we know we are looking at the clone and not the original. The operators even made a small mistake here. They forgot to copy FIFA's /media/ folder, so those preloaded fonts are actually 404 on every clone, and that broken but consistent behaviour becomes a durable tell we lean on later.

Manufacturing urgency, the "BUY NOW" trap. World Cup tickets are scarce, and the kit leans on that fear of missing out. A pop-up pushes the visitor toward an immediate purchase, linking to the ticket-purchase path:

<div id="fifaindexopen" class="buy-popup">
  <a href="/tickets_shop?aedda9bb-276d-49d4-92e8-294903503419/Design-ohne-Titel-1">
    BUY NOW
  </a>
</div>

                
Copy

Two details here are pure operator fingerprint: the fifaindexopen element id, and the leftover Canva export name Design-ohne-Titel-1 (German for "design without title"). Neither exists on the real FIFA site, because they are things the attacker wrote, which makes them excellent hunting strings. The German filename is also a quiet tell about the tooling the operators reuse.

The heart of the theft, a login that says FIFA but lives on the attacker's host. This is the part that actually steals the password, and it is worth slowing down on. On the real FIFA site, clicking "Sign In" hands you off to a separate, dedicated authentication server, auth.fifa.com, so your password only ever travels to FIFA.

The clone copied FIFA's sign-in configuration verbatim, including FIFA's genuine client_id, but it serves the login form from its own domain:

<a href="/as/authorize?client_id=35072598-fc20-4142-a469-1b940db47e6f
 &redirect_uri=https://www.fifa.com/auth&response_type=code">
  Sign In
</a>
<a href="/register?client_id=35072598-fc20-4142-a469-1b940db47e6f
 &redirect_uri=https://www.fifa.com/auth">
  Register
</a>

                
Copy

Read that markup the way the browser does and the trick falls out. The login link is relative ( /as/authorize), so it resolves against the fake host, which means a login submitted here goes to the attacker's domain rather than to FIFA.

The redirect_uri still points at the genuine https://www.fifa.com/auth, and that is the tell: the host serving the login is not FIFA, but the login claims to be FIFA's. That host-versus-redirect_uri mismatch is the structural signature of the whole campaign, and it is the one thing the attacker cannot remove without giving up the credential theft.

The copied client_id looks legitimate precisely because it is legitimate, it is FIFA's own value, which is also the trap for a hunter: it sits on the real site too, so on its own it detects nothing. It is good for clustering, useless for detection. To be precise about the evidence: what we can demonstrate from the crawled page is a FIFA-branded login served same-origin on a non-FIFA host, which has no legitimate purpose.

We did not capture the POST itself or the back-end that receives it, so the credential collection is a strong inference from the markup rather than an observed exfiltration. This same-origin login is still the single observation we build the most important detection rule on later.

Cashing out, the fake checkout. Once the victim has signed in, the kit walks them through a checkout that mimics a normal online store, so handing over card details feels like a routine purchase rather than a hand-off to criminals.

The card number, expiry, CVV, and billing address are submitted through the kit's ticket-purchase paths (/tickets_shop and custom payment endpoints), which sit on the attacker's own domain. As with the login, we observed the purchase flow in the markup rather than capturing the payment POST, so the card harvesting is inferred from the page. Either way, victims are unlikely to receive legitimate tickets in return.

The quieter goals, tracking and translation. Not every goal is about the immediate steal. A few things in the code show the operators thinking about scale and reach. Every clone embeds a Meta Pixel, and since the real FIFA site we observed used Adobe and AppsFlyer, not Meta Pixel, seeing fbevents.js here tells us two things at once: it is not the real site, and the operators are measuring which lures convert so they can retarget and expand.

<script>
  !function(f,b,e,v,n,t,s){/* ... Meta Pixel loader ... */}
  (window, document, 'script', 'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '959589006457351');
  fbq('track', 'PageView');
</script>

                
Copy

They also want every victim in every language. A bolted-on Google Translate layer silently renders the page in the visitor's own language, and the notable detail, the clearest environmental indicator in the kit, is that the initialisation code is commented in Simplified Chinese:

// 语言检测  (language detection)
function detectLanguage() {
 // 获取浏览器语言  (get browser language)
 var lang = navigator.language || navigator.userLanguage;
 // 支持的语言列表  (list of supported languages)
 var supportedLangs = ['en', 'es', 'fr', 'ru', 'zh-CN', 'zh-TW', 'zh-HK'];
 // 隐藏Google的原始横幅  (hide Google's original banner)
  hideGoogleTranslateBanner();
}

                
Copy

The explicit handling of zh-CN, zh-TW, and zh-HK, the Chinese comments, and the Chinese Layui framework all line up. The last comment is the most telling, "hide Google's original banner", because it shows the operator's intent in plain language (Note: "my favourite" doesn't convert cleanly to "our favourite" without sounding odd, so I rephrased to "the most telling." Also flag: you have British spelling "favourite" and "behaviour" throughout, worth checking that's intentional and consistent with your other posts.): make the translation look native so the fake feels local, not foreign.

To round it off, the kit fakes a living tournament without a real back end, shipping static all-zero standings tables and dead links (javascript:void(0)) while hot-linking live assets straight from FIFA and embedding a Flourish visualisation (/fifa/host.html?id=123) that doubles as a templated payload page.

Infrastructure and Registration Patterns

Everything below comes directly from the Hunt.io crawl data for the sample. Most sites returned a cloudflare server header and resolved to Cloudflare ranges (104.21.0.0/16, 172.67.0.0/16), which hides the true origin and defeats IP-based pivoting, so those addresses are never worth clustering on.

Every Cloudflare-fronted hit was routed through the IAD (Washington, D.C.) edge. More usefully, two sites, fifa[.]center and fifa[.]gold, resolved directly to an nginx server on 104.225.235.49, an address outside Cloudflare's ranges, which we treat as a suspected origin. A shared origin like this is a high-value pivot because it ties otherwise-separate domains to the same back-end host, though it is worth keeping in mind that shared hosting and reverse proxies can also put unrelated sites on one address,

So an origin pivot still needs the fifa and structural filters to stay clean. Our HuntSQL screenshots below surface a second suspected shared origin, 65.49.223[.]138, behind both fifa[.]shopping and www.fifa[.]sale.

The domains themselves are mass-generated from a handful of naming templates: brand plus TLD (fifa.center, fifa.cash, fifa.gold, fifa.sale, fifa.shopping); fifa-com. <tld> (fifa-com.com, fifa-com.vip, fifa-com.xyz); subdomain-lookalike prefixes (ww-, www-, https-, as in ww-fifa.com, https-fifa.cn, www-fifa.website); and ticket or host themes (dt-fifa26.shop, lg-fifa26.shop, fc-fifa26.shop). They favour premium and country TLDs (.vip, .gold, .cash, .black, .shop, .cn, .co, .me, .help) to spread takedown effort.

Pulling the IP and ASN data for the whole fleet confirms the two-layer setup and, more importantly, points to where the hosting likely sits. The overwhelming majority of the domains resolve to Cloudflare (AS13335), anycast addresses that tell us nothing about the operator.

But a small number of addresses break that pattern and point to suspected origin infrastructure: 104.225.235[.]49 and 89.208.250[.]38, both on AS25820 (Cluster Logic Inc), both with reverse DNS under 16clouds.com (104.225.235.49.16clouds.com and 89.208.250.38.16clouds.com). 16clouds is a small China-oriented hosting provider, which fits the same environmental picture as the in-code artifacts, though we hold it as a characteristic of the hosting choice rather than proof of who is behind it. The detail that matters for hunting is that Hunt.io's IOC Hunter has already flagged both of these addresses, while every Cloudflare front IP in the set is clean.

The signal lives on the suspected origin, not the proxy, so the most durable network pivot here is not any single IP but the hosting itself: AS25820 and the *.16clouds.com reverse-DNS pattern, both of which survive domain and certificate rotation.

The registration data tells the campaign's story over time. The WHOIS creation dates cluster into clear batches rather than a steady trickle, which is the signature of automated, scripted registration. The first large wave landed on 2025-11-17, when the operators registered most of the brand-plus-premium-TLD domains in a single day (fifa.center, fifa.cash, fifa.gold, fifa.market, fifa.red, fifa.fund, fifa.sale, fifa.black, fifa.ski, fifa.city, fifa.cafe).

A second wave ran from 2026-03-20 to 2026-03-31, bringing the fifa-com.* domains and the ww-/www- prefix lookalikes (fifa-com.com, fifa-com.vip, fifa-com.xyz, fifa-com.services, ww-fifa.com, www-fifa.me, www-fifa.website and others), with fresh registrations such as ww-wfifa.com appearing as recently as 2026-05-18. Each wave maps neatly onto one naming template, which tells us the operators generate and register their domains in themed batches.

The registrars are concentrated. Three names dominate: Beijing Lanhai Jiye Technology Co., Ltd and Alibaba Cloud / HiChina (www.net.cn), both Chinese, alongside GoDaddy. The split is consistent, with the November premium-TLD wave largely on the Chinese registrars and the March fifa-com.* wave on GoDaddy. That concentration is a soft pivot in its own right and fits the same environmental picture as the rest of the kit, while again being a characteristic of the operation's tooling rather than an actor identifier.

One outlier is worth flagging so it is not mistaken for a hit: fifa.jpn.com was created back in 1998 and is almost certainly an aged or repurposed domain rather than part of this campaign, which is a good reminder to date-check a candidate before actioning it.

The core question for every indicator is not whether it matched my sample, but whether the attacker is forced to keep it. We rank indicators by how hard they are to change and only detect the durable ones. The structural invariants are safest to detect on: a FIFA-branded page, served from a non-fifa.com host, harvesting credentials and payment same-origin.

That can never change without breaking the fraud. Next come kit-structural artifacts baked into the cloned build that change only on a full rebuild, such as the /fifa/ re-hosted bundle, the Layui dependency, the operator scripts, and the 404 web-fonts. Operator habits like the Canva artifact, the Chinese comments, and FIFA asset hot-linking are sticky but not strictly required, so they corroborate rather than detect. Finally, trivially rotated values such as the domain, the certificate, the Meta Pixel id, and the copied client_id are for clustering only, never detection, and anything copied verbatim from FIFA's real site (fonts, client_id, favicon) falls here for detection even though it is highly useful for clustering.

From Code to HuntSQL: Hunting the Infrastructure

Reading the code told us what the operators were forced to keep. Now we turn each of those forced choices into a HuntSQL query and let Hunt.io's crawler find every other site that shares it. There is a discipline to this. We only write detection on artifacts the attacker cannot drop without breaking the kit, and we keep every rule cheap by leading with the indexed title field before ever touching the page body.

Each screenshot shows the rule running live against the crawler, with its real result count, and notice how a handful of strings pulled out of one page source each return dozens of domains.

A quick note on the LIKE syntax, because one pattern looks unusual. In HuntSQL % is the wildcard and the dot is a literal character, so body LIKE '%/fifa/main.%.css%' reads as "the text /fifa/main., then any characters, then .css", which is exactly how it matches the build file /fifa/main.c56d670b.css regardless of the rotating hash. The screenshots confirm the pattern behaves as intended rather than over-matching: Figures 2 and 7 show it returning a clean, bounded set of FIFA clones.

The re-hosted build path. In the code we saw the React build served from /fifa/ instead of FIFA's real /static/. The attacker re-hosted the entire bundle there, and to change it they would have to re-path every asset in the kit, which makes it both durable and, because the genuine site never uses /fifa/, phishing-only. It is the single strongest string in the report.

SELECT url, hostname, ip, title
FROM crawler
WHERE title LIKE '%FIFA World Cup 2026%'
 AND  body  LIKE '%/fifa/main.%.css%'
 AND timestamp gt '2026-01-01'

                
Copy

Output example:

Fifty-five domains from one path string, every one a FIFA-branded page serving a build the real site would never serve from /fifa/.

The Layui framework. Layui is a Chinese UI framework the operators bolted on top of FIFA's React app. The genuine FIFA stack is pure React and contains no Layui at all, so its mere presence on a FIFA-branded page is damning. It is also one of the hardest things for the operators to remove, because their own pop-ups and widgets are built on it, and ripping it out would mean rebuilding their custom UI.

SELECT url, hostname, ip, title
FROM crawler
WHERE title LIKE '%FIFA World Cup 2026%'
 AND  body  LIKE '%/layui/layui/layui.js%'
 AND timestamp gt '2026-01-01'

                
Copy

Output example:

The operator's own script. common_main.js is not part of FIFA's build. It is a script the operators wrote and shipped from their /fifa/ directory, the closest thing the kit has to a signature file, and it is loaded on all 35 sites in our sample.

SELECT url, hostname, ip, title
FROM crawler
WHERE title LIKE '%FIFA World Cup 2026%'
 AND  body  LIKE '%/fifa/common_main.js%'
 AND timestamp gt '2026-01-01'

                
Copy

Output example:

The "BUY NOW" pop-up element. fifaindexopen is the element id the operators gave their fake purchase pop-up, markup they authored by hand, which means it cannot appear on the genuine site. This rule returns 82 domains, more than the build-path rules, because the pop-up markup survived onto sites where the operators later swapped out other files, so it casts a slightly wider net across the campaign's history.

SELECT url, hostname, ip, title
FROM crawler
WHERE title LIKE '%FIFA World Cup 2026%'
 AND  body  LIKE '%fifaindexopen%'
 AND timestamp gt '2026-01-01'

                
Copy

Output example:

The templated payload page. /fifa/host.html is the Flourish-embedded page the operators use to fake the live tournament data. It is part of the kit's own structure rather than anything FIFA ships, and like the pop-up it casts a wide net at 82 domains. Pairing it with the pop-up rule is a good way to confirm a site really belongs to this campaign and not some other FIFA lookalike.

SELECT url, hostname, ip, title
FROM crawler
WHERE title LIKE '%FIFA World Cup 2026%'
 AND  body  LIKE '%/fifa/host.html%'
 AND timestamp gt '2026-01-01'

                
Copy

Output example:

Two phishing-only artifacts, dropping the title entirely. Every rule above starts from the page title, which is cheap but assumes the operators keep FIFA's title. If they ever change it to dodge title-based hunting, those rules go blind, so we built a fallback that requires two phishing-only body strings together, the /fifa/ build path and Layui. That pairing is specific enough that we can drop the title filter completely and still trust the result. This is the rule that survives the operators getting smarter.

SELECT hostname, ip, title
FROM crawler
WHERE  body  LIKE '%/fifa/main.%.css%'
 AND  body  LIKE '%/layui/%'
 AND timestamp gt '2026-01-01'

                
Copy

Output example:

Pivoting from one confirmed site to the whole fleet. Detection finds clones; pivoting clusters them. Once we have a confirmed hit, we want every sibling that shares its infrastructure, even ones our detection strings missed. The best pivot turned out to be the favicon. Across the 35-domain sample, 34 shared one identical favicon (favicon_phash = c79a386d396664c9), so a single query sweeps the cluster. We guard it with a phishing-only marker, because that favicon is FIFA's own copied file and an unguarded query would drag in the real site.

SELECT url, hostname, ip, title
FROM crawler
WHERE favicon_phash == 'c79a386d396664c9'
 AND  body  LIKE '%/fifa/main.%.css%'

                
Copy

Output example:

A quick word on a pivot that failed, because it is as instructive as the one that worked. We assumed the page's structural hash (structural_id) would be the perfect cluster key, same kit, same structure. In practice it was almost unique per host, because the kit varied its markup slightly on each deployment, so it clustered nothing. The lesson worth relearning is to always test a pivot against real data before trusting it. Here the favicon was durable and the structure was not.

The strongest pivot of all is an origin that slips out from behind Cloudflare, because it points to the operators' likely hosting rather than a shared proxy. Looking at the IP and ASN data for the fleet, the suspected origins sit on the same small network: 104.225.235.49 and 89.208.250.38, both on AS25820 (Cluster Logic Inc) with reverse DNS under 16clouds.com, plus 65.49.223.138 behind fifa.shopping and www.fifa.sale. So the durable move is to pivot on the hosting itself, the AS25820 / *.16clouds.com infrastructure, and treat a FIFA-themed site landing there as a strong candidate for the same operation, confirmed with the structural rules. Hunt.io's IOC Hunter independently flags those addresses while leaving the Cloudflare front IPs clean, which is exactly what you want from a pivot, with the caveat that a small shared host can still carry an unrelated tenant, so the fifa and structure filters stay on.

Turning that origin into more infrastructure is a two-tier move. HuntSQL has no standalone IP table, so the ASN-and-reverse-DNS view itself (AS25820, the *.16clouds.com pattern) comes from Hunt.io's IP lookup rather than a query. That lookup gives the candidate origins the operators are using or are likely to rotate to: 104.225.235.49, 89.208.250.38, and any siblings on the same small network.

The HuntSQL query then resolves those origins back into confirmed clones in the crawler. Two things make it precise: it pins the known origin IPs, and it requires the hostname to contain fifa, so that an unrelated tenant sharing the same host cannot slip into the results:

SELECT url, hostname, ip, title
FROM crawler
WHERE ip IN ('104.225.235.49', '89.208.250.38', '65.49.223.138')
 AND hostname LIKE '%fifa%'
 AND timestamp gt '2026-01-01'

                
Copy

Output example:

Running the same hostname-anchored query across every address the fleet has resolved to (the Cloudflare front plus the two suspected origins) returns 43 FIFA pages. We use the Cloudflare fronts here only to enumerate known co-resolving hosts, not as a durable pivot.

This is the pivot I trust most for staying ahead of the campaign. The Cloudflare front rotates freely and cheaply, but the operators' suspected hosting on AS25820 does not, so anchoring on the ASN and the *.16clouds.com reverse-DNS pattern, rather than on any single domain, is the best chance of catching the next wave before its domains are even known.

Threat Actor and Attribution

We assess that this campaign is operated by a Chinese-speaking threat actor. The assessment does not rest on any single clue but on several independent indicators, spanning the code, the infrastructure, and the registration data, that all point in the same direction:

• Simplified Chinese code comments written directly into the kit's own JavaScript, for example 语言检测 ("language detection"), 获取浏览器语言 ("get browser language"), and 隐藏Google的原始横幅 ("hide Google's original banner"). These are the developer's internal working notes rather than anything a victim would see, which makes them a strong signal of the language the kit was built in.

• Layui, a UI framework developed in and used predominantly by the Chinese development community, embedded on every sampled site, where the genuine FIFA stack uses none.

• Chinese-locale targeting in the language auto-switch, which explicitly handles zh-CN, zh-TW, and zh-HK alongside the international languages.

• China-oriented hosting: Hosting tied to a China-facing provider: the suspected origin servers carry reverse DNS under 16clouds.com, a provider marketed to Chinese customers. We weight the *.16clouds.com naming convention here, not the IP geography, since the ASN itself is US-registered.

• Chinese registrars: most of the fleet was registered through Beijing Lanhai Jiye Technology and Alibaba Cloud / HiChina (www.net.cn).

• A neighbouring Chinese-language operation: the broad discovery sweep surfaced a large, separate Chinese World Cup gambling cluster reusing the same brand, consistent with a Chinese-speaking criminal ecosystem forming around this event.

Any one of these in isolation could be inherited or coincidental, but the convergence of code-level, hosting, and registration evidence makes a Chinese-speaking operator the most likely explanation.

We do still separate the toolkit from the people behind it on one point: the uniform, un-customized build across every sampled domain shows a single shared kit and coordinated operational control, which is consistent with a single operator but also with a kit that is sold or resold and redeployed by affiliates. In other words, the attribution speaks to a Chinese-speaking actor running a shared operation, not to a confirmed headcount.

What the Evidence Supports

Pulling the thread together: starting from a single page's source code, we could see what the kit is designed to steal, turn the operators' unavoidable design choices into a handful of HuntSQL queries, and follow those rules across the crawler to a consistent cluster of FIFA clones and two suspected origin servers behind Cloudflare, all from passively collected data and without ever touching the operators' infrastructure directly.

It is worth being clear about what that chain establishes. The technical evidence is strong and reproducible: a shared, un-customized kit, a same-origin FIFA login served on non-FIFA hosts, reused favicon and build artifacts, suspected origin hosting on one small network, and coordinated, batched domain registration.

On attribution, several independent indicators converge, the Simplified Chinese code comments, the Layui framework, the Chinese-locale handling, the China-oriented hosting, and the Chinese registrars, and together they support our assessment of a Chinese-speaking threat actor (set out in full in the Threat Actor and Attribution section). The one distinction we keep is between the toolkit and the headcount: the uniform build shows a single shared kit and coordinated operational control, which is consistent with a single operator but also with a kit that is sold or resold and run by affiliates. In short, the data supports a Chinese-speaking operation built on one shared toolkit and coordinated infrastructure.

Indicators of Compromise

All domains and IP addresses in this section are defanged (. written as [.]) for safe handling; re-fang them before use. Detection strings (paths, filenames, hashes) are left as-is so the HuntSQL queries remain copy-pasteable.

Durable structural indicators (detection)

• /fifa/main.<hash>.css, the re-hosted React build (real site uses /static/)

• /layui/layui/layui.js, the Chinese UI framework, absent from real FIFA, on 35/35 sampled sites (sample, not live-rule count).

• /fifa/common_main.js, the operator script, on 35/35 (sample)

• embedded.js (Flourish), on 35/35

• /fifa/host.html?id=, the templated payload page

• fifaindexopen, the operator-authored "BUY NOW" pop-up element id

• Same-origin /as/authorize and /register, the credential harvest on the attacker's host

Clustering indicators (rotate, never detect on alone)

Domains

Next Steps for Fans, Defenders, and Brand Teams

For the public and fans, buy World Cup tickets only on fifa.com. Treat any other domain, especially newly registered lookalikes such as fifa-com.vip, ww-fifa.com, or fifaofficial.help, as fraudulent. A genuine FIFA login never lives on a non-fifa.com host, so if a "FIFA" login page sits on any other domain, do not enter credentials. Reach ticketing through FIFA's official app or a bookmarked URL rather than search results or forwarded links.

For security and threat-hunting teams, hunt on the kit's structure (the /fifa/ re-hosted build, Layui, the same-origin login), not on rotating values like domains, certificates, or Meta Pixel ids. Pivot the fleet via the shared favicon and any leaked origins, then run the find, detect, expand, feed-back loop continuously. Do not rely on reputation or phishing-detection scores alone for fresh campaigns like this one. New phishing domains routinely register clean because they are too new to appear in any scoring feed, which is exactly the window when victim traffic peaks. Hunt the kit's structure instead, which is visible from the first crawl. Block confirmed domains at the email, proxy or DNS, and endpoint layers.

For brand-protection and incident-response teams, maintain a single favicon-based watchlist to track the fleet as it rotates domains, instead of chasing individual sites, since the whole campaign shares one cloned build. Batch-submit confirmed domains for takedown by registrar and hosting provider, prioritising sites with live payment flows, and consider a public advisory ahead of ticket-sale milestones when victim traffic peaks.

Summary

This campaign is a clear case of scale over stealth. By cloning FIFA's real application wholesale, the operators inherited a uniform fingerprint they cannot easily shed: a re-hosted React build, a Chinese UI framework, a same-origin credential-harvesting login, and FIFA's own favicon reused across the fleet. Every one of those is something they had to keep to make the fraud work, which is exactly what makes the kit easy to track.

Of the 35-domain confirmed sample, 34 shared one favicon, and the guarded favicon pivot expanded that to 39 clone domains across the wider crawler. The structural rules returned a 55-domain core and an 82-domain wider set. The takeaway is simple: when attackers reuse, defenders pivot.

→ Want to find lookalikes targeting your brand the same way? Book a free demo with Hunt.io.