The census, not the incident
Within roughly 48 hours starting May 27, 2026, four threat-intelligence teams published in quick succession. The FBI's Internet Crime Complaint Center issued a public service announcement on World Cup ticket, job, and brand-impersonation fraud [1]. Group-IB released The GHOST STADIUM Score, attributing a large phishing campaign to a Chinese-speaking operator it designated TA-1 and estimating premium-ticket-fraud losses between $71 million and $474 million [2]. Palo Alto's Unit 42 mapped the broader attack surface [3]; CTM360 independently counted more than 7,000 FIFA-themed domains, over a thousand of them already weaponized [4].
Four advisories in a single news cycle is, by the standards of event-themed fraud, an overwhelming public response. The natural expectation is contraction: takedowns, registrar suspensions, operators going quiet. That is not what happened. Eleven days later the ecosystem had not contracted; it had grown. By June 6 it stood at roughly 14,600 event-themed domains in our Certificate Transparency and zone-file telemetry, about 85% above the pre-advisory peak, after a one-day certificate flare briefly carried it past 17,000; the steadiest measure, the zone-file registration floor, rose every single day. With the June 11 kickoff four days out, the surface was still expanding.
This is a census, not an incident report. The unit of analysis is the ecosystem and its infrastructure: how large the event-themed domain surface is, how fast it is growing, what it is being used for, who is operating the most durable pieces of it, and, the question the timing forced, whether public disclosure moved any of it. The short answers: very large; still growing, if in volatile bursts; rotating across lure themes; a shared-kit ecosystem with at least two separately-attributed operations working the same Chinese-language criminal supply chain; and, eleven days in, rotating under light enforcement pressure but not taken down.
"~14,600 domains" is a measure of event-themed attack surface, not confirmed malicious infrastructure. It is produced by deliberately broad matching and includes benign, brand-adjacent, and malicious registrations alike. Where we make attribution or maliciousness claims about specific clusters, we say so and grade the confidence. The two are not the same number, and conflating them is the most common way event-fraud reporting goes wrong.
- Scale (high confidence). ~14,600 event-themed domains on June 6 (~2.7% filter noise), ~85% above the alert-day level, after a transient one-day peak above 17,000. The confirmed-malicious core is far smaller (300+ active per Group-IB; ~1,000 per CTM360).
- Persistence (high). Eleven days after four advisories, the core infrastructure was not taken down: the GHOST STADIUM kit is rotating under light Cloudflare pressure (flagships down, but redirector and betting backbone still live), and no seizure or law-enforcement action has surfaced.
- Two operations (moderate–high). A GHOST STADIUM phishing cluster and a Hong Kong betting backbone, attributed separately: distinct ASNs, registration channels, and naming, with no certificate link between them.
- Footprint & tradecraft (high / moderate). A favicon fingerprint ties the GHOST STADIUM kit across more hosts than the 14 published IPs; a separate reseller-hosted leg weaponizes aged, recycled legitimate-business domains that score clean on reputation tools.
- Persistent operator layer (moderate). dk9873[.]top is management/staging infrastructure connected to GHOST STADIUM via shared DNS control (bybanking[.]com); its exact function is unobserved.
- Supply chain (moderate). The betting operator looks like a downstream customer of the Vigorish Viper "baowang" gambling-technology ecosystem, not its core.
How we counted
The figures in this report come from Sigil, a Certificate Transparency observatory that ingests the live CT certificate stream (roughly 18 million domains a day) alongside daily CZDS zone-file diffs across 36 generic TLDs, then materializes both into queryable Parquet partitions. Domains are matched with a deliberately broad pattern:
domain ILIKE '%fifa%' OR domain ILIKE '%worldcup%' OR domain ILIKE '%fwc2026%'
That breadth is a choice. It captures the full event-themed surface (a fan-merchandise store, a legitimate watch-party page, and a credential-harvesting clone all match), which is exactly what you want when the question is "how big is the phenomenon," and exactly what you must caveat when the question is "how much of it is criminal." It also explains why our number sits above Group-IB's and alongside CTM360's:
| Source | Count | Methodology |
|---|---|---|
| CrimsonVector (this report) | ~7,200–14,600 | Broad substring match, event-themed attack surface |
| CTM360 [4] | 7,000+ | FIFA-themed domains; ~1,000 assessed malicious |
| Group-IB (GHOST STADIUM) [2] | 4,300+ / 300+ active | Narrower, fraud-confirmed; 300+ active campaign domains, 79 published as representative IOCs |
Our count and CTM360's broad count agree closely; Group-IB's smaller figure reflects a narrower, fraud-confirmed methodology. None of the three contradicts the others; they are measuring different things, and the gap between them is the finding: the malicious core is a minority of a much larger event-themed surface.
An honest data gap
Telemetry is only as good as its weakest day, and this dataset has two soft spots we disclose rather than paper over. A cutover to our v2 CT monitor around May 27 inadvertently dropped certificate/domain CSV persistence: the monitor kept ingesting, but the conversion job had nothing to read, so the May 28 and May 29 partitions contain CZDS zone-file data only and their CT-sourced domains are permanently lost. The regression was found and fixed at 07:03 UTC on May 30, which means the May 30 partition captured only about 17 hours of CT data. Consequently, the apparent "crash" from 7,922 domains on May 27 to ~3,600 on May 28–29 is a measurement artifact, not a takedown; the CZDS-only baseline across those days was essentially flat (3,617 → 3,649 → 3,664). We flag this wherever it touches a comparison.
The growth curve
With the pipeline restored, the following week told a messier, and more revealing, story than a clean climb. May 31 recorded 8,076 event-themed domains; June 1, 9,147; June 2, 10,905. Then the count began to saw-tooth: down to 9,406 on June 3, exploding to an all-time high of 17,062 on June 4, falling back to 13,419 on June 5, then edging up again to roughly 14,660 on June 6. That volatility is almost entirely certificate-driven (more on the spike below); the steadier signal sits underneath it.
Strip out the noisy Certificate Transparency component and look at the zone-file registration floor (newly registered domains visible in ICANN zone files, which the CT-pipeline outage never touched), and the picture is unambiguous: it rises every single day, from 3,265 on May 9 to 3,884 on June 6, climbing straight through both the advisory window and the instrumentation gap. Roughly 9,800 of the domains added since June 1 were still present on June 6. The ecosystem is not just churning in place; its durable floor is steadily lifting.
Churn is where the volatility shows. Between June 4 and June 5 alone, 11,809 domains disappeared while 8,166 appeared, gross daily turnover near twenty thousand. That flood-and-recede is the certificate flare washing through: a one-day wave of fresh registrations, most of them gone within twenty-four hours. What persists underneath it is the steadily rising zone-file floor and the ~9,800 durable additions since June 1. The ecosystem is not merely large and static; it is large, churning hard, and, on the measures that don't evaporate, still growing as kickoff approaches.
The one-day jump to 17,062 is real, but it is not durable infrastructure. Of the ~11,600 domains that first appeared on June 4, 87.6% carried certificates issued in the days just before (fresh issuance, not a backfill of old domains into the logs) on templated fifa2026 / worldcup names (www-, web-, wap-, official- prefixes). They were spread thinly across many small hosts and mostly gone by June 5. We treat 17,062 as a transient flare and ~14,600 as the honest current number; the durable story is the zone-file floor. The June 6 tick back up to ~14,660 is largely that same flare population resurfacing (98.7% of that day's new domains carry certificates issued since June 1, dominated by the June 4 burst), plus a fresh June 6 issuance pulse, which is why we read it the same way: a volatile certificate total riding on a steadily rising floor.
"Four advisories landed in one news cycle. Eleven days later the surface had grown about 85% past the alert-day level, with a one-day flare briefly carrying it above 17,000, straight into kickoff week."
What it's all for, and how that's shifting
Classifying the surface by lure theme reveals a mix that is actively rotating. Through May 31, betting and gambling was the fastest-growing vertical. By June 1 betting had begun to contract while two other categories surged: streaming ("watch the match") rose 77% day over day, and account/brand credential lures rose 76%. The operators are repositioning from "place your bet" toward "stream the game" and "log in to your account" as the tournament nears and consumer intent shifts.
That rotation, though, was a snapshot, not a trend. By June 5 the mix had shifted again: betting had rebounded to 671 and no single vertical dominated. The more durable pattern is a naming shift that evades theme classification altogether: roughly 85% of the June 5 surface, 96% of everything new since June 1, and 89% of the fresh June 6 burst classify as generic "other", plain fifa / worldcup strings carrying no fraud-keyword token at all. The operators are increasingly registering names that say nothing about their purpose, which blunts keyword-based detection and is itself the tell.
In the table that follows, the starred merch / store row is inflated by the .shop/.store TLDs rather than by merchandise keywords in the names.
| Theme | 05-30 | 05-31 | 06-01 | 06-05 | Trend |
|---|---|---|---|---|---|
| Betting / gambling | 447 | 549 | 418 | 671 | Contracted, then rebounded |
| Streaming | 56 | 82 | 145 | 198 | Climbing |
| Account / brand | 122 | 132 | 233 | 216 | Surged, then flat |
| Tickets / sales | 285 | 318 | 304 | 364 | Slow growth |
| Merch / store* | 594 | 612 | 628 | 712 | Slow growth (TLD-inflated) |
| Jobs / HR | 3 | 2 | 3 | 9 | Minimal |
| Other / generic brand | 5,679 | 6,381 | 7,416 | 11,983 | +4,567 since 06-01 (keyword-evading surge) |
June 5 theme counts are tallied over CT+zone source rows (~5% above the 13,419 distinct-domain total, from cross-source duplicates); read them as approximate. The surge into "other" reflects keyword-evading generic names, not a single new vertical.
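The following added example (not the report's classifier; Sigil's keyword lists are not published) reproduces the two-step this section and "How we counted" describe: the broad event filter first, then a keyword tally over the matched names in which anything carrying only the bare fifa / worldcup string falls into "other". The theme vocabulary and the sample domains are assumptions of the example; it also separates merch hits that come only from a .shop/.store TLD, the inflation starred in the table.

```python
from collections import Counter

# Python equivalent of the report's broad SQL filter:
#   domain ILIKE '%fifa%' OR domain ILIKE '%worldcup%' OR domain ILIKE '%fwc2026%'
EVENT_TOKENS = ("fifa", "worldcup", "fwc2026")

# Lure-theme vocabulary, checked in this priority order. The report does not
# publish its keyword lists; these are assumptions chosen for the example.
THEME_KEYWORDS = (
    ("betting", ("bet", "odds", "casino", "maiqiu", "kaiyun", "jinnianhui")),
    ("tickets", ("ticket", "tix", "sale")),
    ("account", ("login", "signin", "account", "verify", "secure")),
    ("streaming", ("stream", "watch", "live", "iptv")),
    ("jobs", ("job", "career", "hiring", "recruit")),
    ("merch", ("merch", "jersey", "shop", "store")),
)
# TLDs that push a name into merch/store without any keyword in the name itself.
MERCH_TLDS = {"shop", "store"}


def is_event_themed(domain: str) -> bool:
    """Broad substring match: benign, brand-adjacent and malicious names all pass."""
    d = domain.lower()
    return any(tok in d for tok in EVENT_TOKENS)


def classify(domain: str) -> tuple[str, bool]:
    """Return (theme, via_tld_only).

    The name part is matched against the keyword lists; 'other' means the name
    carries nothing but the event string, the keyword-evading population the
    report singles out. via_tld_only is True when a name with no keyword lands
    in 'merch' purely because of its .shop/.store TLD.
    """
    name, _, tld = domain.lower().rpartition(".")
    for theme, keywords in THEME_KEYWORDS:
        if any(k in name for k in keywords):
            return theme, False
    if tld in MERCH_TLDS:
        return "merch", True
    return "other", False


def census(domains):
    """Filter to the event-themed surface, then tally themes over it."""
    matched = [d for d in domains if is_event_themed(d)]
    themes = Counter()
    merch_via_tld_only = 0
    for d in matched:
        theme, via_tld = classify(d)
        themes[theme] += 1
        merch_via_tld_only += via_tld
    other_share = themes["other"] / len(matched) if matched else 0.0
    return {
        "matched": len(matched),
        "themes": dict(themes),
        "merch_via_tld_only": merch_via_tld_only,
        "other_share": round(other_share, 3),
    }


# Constructed sample; none of these are observed indicators from the report.
SAMPLE_DOMAINS = [
    "fifa2026tickets.com",        # tickets
    "watch-worldcup-live.net",    # streaming
    "fifa-login-secure.top",      # account
    "12betworldcup3.shop",        # betting (keyword beats the .shop TLD)
    "fifamerch.store",            # merch, by keyword
    "fifa-fan.shop",              # merch, by TLD only
    "worldcupjobs2026.com",       # jobs
    "2026worldcup-abc.com.cn",    # other: generic brand string
    "www-fifa2026.cam",           # other: templated prefix, no fraud token
    "fifa.xin",                   # other
    "fifa.com",                   # other: the broad filter also catches the legitimate brand
    "uefa-tickets.com",           # not event-themed, excluded before classification
]

if __name__ == "__main__":
    print(census(SAMPLE_DOMAINS))
```

Run over the sample, 4 of the 11 matched names land in "other" with no fraud token at all, and one of the two merch hits exists only because of its TLD; the same two numbers are what the table's "other" surge and starred row are reporting at scale.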
TLD distribution underlines a parallel dynamic. By June 5, .com led at 5,865 domains, followed by a striking .cn at 2,851, up from 332 on May 30 and 1,173 on June 1, a steady climb rather than a blip. The earlier contraction in Chinese-language registrations was largely a CT-window artifact; the cluster kept re-expanding, driven by systematic families like Beijing Xinnet's 2026worldcup-[suffix].com.cn and numbered betting domains such as 12betworldcup[N].shop. These families matter less as individual domains than as fingerprints of the operations behind them, which is where the rest of this report goes.
GHOST STADIUM: the phishing operation
Group-IB's TA-1, GHOST STADIUM, is the best-documented malicious cluster in the ecosystem: a Chinese-speaking operator serving a pixel-accurate FIFA ticketing clone (HTTP title "FIFA World Cup 2026™ Tickets | Host Cities, Dates, Teams, Tickets"; per Group-IB, built on Layui 2.7.6 and a React single-page app) across a fleet of hosting IPs. Group-IB published 14 hosting IPs plus a redirector, and 79 representative domains. We took every one of those indicators and ran them through Shodan and Silent Push passive DNS. The map below assembles what came back; it is the spine of the next three sections.
Figure: interactive infrastructure map (not reproduced here). The GHOST STADIUM hosting cluster, the dk9873[.]top persistent layer (purple), the Hong Kong betting operation (blue), and the reseller-hosted recycled-domain farm (bronze) are shown together; the gold thread is the bybanking[.]com shared-DNS-control link, and dashed edges are hosting/kit overlaps, not operator links. The clusters are attributed separately.
How the lure converts
A census of infrastructure says little about how victims actually lose money, so it is worth tracing the conversion path Group-IB documented on the GHOST STADIUM kit. Acquisition is paid: the kit carries Meta (Facebook) Pixel identifiers and the campaign ran Facebook ad sets; this is malvertising-driven traffic, not only typosquatting and search. The landing page is the pixel-accurate ticket clone; checkout funnels victims into card and account-credential capture and into payment rails that include a crypto gateway (ChainUGO) alongside conventional processors. CTM360 separately reported a companion Android malware family, BTMob, disguised as IPTV/streaming apps, which dovetails with the streaming-lure surge in our own data as kickoff nears. These monetization details are reported by Group-IB and CTM360 and are not independently verified here; the Pixel and ad identifiers are, however, a concrete disruption avenue, since they can be reported to Meta to pull the ad accounts behind the traffic.
Live verification of the published IOCs
Of the 14 Group-IB hosting IPs, 12 still returned the FIFA kit's HTTP title on May 31, ten with current FIFA-themed DNS records, two serving the kit without current FIFA bindings. (A caveat worth stating plainly: bare-IP scans against some of these hosts now return 400/404, but that is the expected virtual-host response to a probe lacking the FIFA Host header, not evidence of takedown. Where DNS resolves and the kit serves with the correct host, the infrastructure is live.) The infrastructure clusters across three primary providers, with a clear staging-to-production workflow:
| IP (defanged) | Provider / ASN | PADNS | FIFA domains | Role |
|---|---|---|---|---|
| 43.98.183[.]110 | Alibaba Cloud SG · AS45102 | 38 | ~30 | Redirector, [prefix]-fifa.shop/.top |
| 148.178.16[.]48 | Zillion Network · AS54801 | 25 | ~18 | Production (fifa[.]monster/.pet/.kim) |
| 148.178.18[.]23 | Zillion Network · AS54801 | 28 | 3 | Production; prior WhatsApp phishing |
| 154.86.0[.]33 | HK Lightlayer · AS139646 | 18 | ~15 | Production (fifa-com[.]top) |
| 65.49.223[.]138 | IT7 / 16clouds · AS25820 | 15 | ~12 | Staging / rotation |
| 104.225.235[.]49 | IT7 / 16clouds · AS25820 | 8 | 4 | fifa[.]center/.gold · BaoTa panel :888 |
| 89.208.250[.]38 | IT7 / 16clouds · AS25820 | 30 | ~25 | Staging IP (403 on last scan) |
| 137.220.224[.]67 | CTG Server HK · AS152194 | 953 | 0 | Shared gambling host (serves kit) |
Representative rows from the full 14-IP + redirector analysis. Zillion Network (AS54801) is the production host; IT7 / 16clouds (AS25820, BaoTa panel confirmed on port 888) is staging and rotation; the remainder are miscellaneous. Domains were observed migrating staging→production: fifa[.]show moved from an IT7 IP (March 1) to a Zillion IP (March 16).
A fuller per-IP picture than the published IOCs
The redirector deserves a careful sentence, because it is easy to overstate. The IP 43.98.183[.]110 (attributed to GHOST STADIUM in Group-IB's report text, though not included in their published IP-IOC list) carries 38 passive-DNS A records, roughly 30 of them FIFA-themed (including www. variants), following a systematic [prefix]-fifa.shop/.top scheme: a-, b-, cr-, d-, f-, gx-, lv-, mm-, wz-, zd-, and so on, plus football-ticket / -tickets / -game redirectors. The prefixes plausibly encode geo-targeting or affiliate identifiers (cr, lv, mm, ap read readily as country and region codes), and with the tournament hosted across the United States, Canada, and Mexico, geo-segmented lure delivery to a North American victim pool is the obvious design.
Passive DNS routinely surfaces more domains per IP than a vendor's published IOC list, because published IOCs are representative, not exhaustive: Group-IB stated 300+ active campaign domains and published 79 as samples. The right reading of "38 records where the public list named a handful" is a more granular per-IP enumeration and a newly visible naming scheme, not a claim that the campaign is an order of magnitude larger than reported. We map the footprint more finely; we do not correct Group-IB's scope.
Bigger than fourteen IPs
Passive DNS gave a finer view of the published hosts; a favicon fingerprint gave a wider one. The GHOST STADIUM ticket kit ships a specific bundled favicon (mmh3 hash -309449305), and pivoting on that hash across internet-wide scan data returns 17 distinct hosts, 15 of them serving the verbatim kit title, spread across roughly eight autonomous systems (Alibaba Cloud, SpectraIP, QuadraNet, HostUS, two Zillion ranges, IT7, and one more). That is materially more infrastructure than the fourteen IPs Group-IB enumerated, and it surfaces kit domains the published list never named: fifa[.]xin, fifa2026[.]cam, fifa-bs[.]shop, qh-fifa[.]shop, and others. The same hash returns zero hits on legitimate CDN infrastructure (Akamai, Cloudflare, Amazon), which confirms it is the kit's own icon, not FIFA's.
Independent reporting from Flare, published before Group-IB's, separately lists three of our GHOST STADIUM hosts and shares a TLS certificate fingerprint with our anchor, an outside cross-check on the cluster.
The wider footprint is, once again, a property of a shared kit, not proof of one larger operator. Group-IB attributes the kit to a phishing-as-a-service vendor (TA-4) that sells it; a favicon shared across eight autonomous systems attributes the kit, which many customers can deploy, not a single operator. We read it as the kit footprint being broader than first published, and as a durable hunt signature (the favicon hash and kit title are now reliable pivots), not as a rewrite of who runs GHOST STADIUM.
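The favicon pivot above only works if the hash is computed the way the scan index computes it. The added example below (not the report's code, and not the real kit icon) implements the Shodan-style favicon hash in pure Python, MurmurHash3 x86_32 over the MIME-wrapped base64 of the icon with the result cast to signed 32-bit, and then runs the match-the-hash-then-count-ASNs pivot over constructed scan rows. The KIT_ICON bytes, the addresses and the AS numbers are placeholders; the kit title is the one the report quotes.

```python
import base64

MASK32 = 0xFFFFFFFF


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (the function behind mmh3.hash), returned unsigned."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    n = len(data)
    body_len = n & ~3
    for i in range(0, body_len, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK32
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[body_len:]
    if tail:  # 1-3 trailing bytes, little-endian; no rotate/multiply of h here
        k = int.from_bytes(tail, "little")
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
    h ^= n
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def to_signed32(x: int) -> int:
    """mmh3.hash reports the 32-bit value as signed; Shodan stores that signed form."""
    return x - (1 << 32) if x & 0x80000000 else x


def favicon_hash(icon: bytes) -> int:
    """Shodan-style http.favicon.hash.

    The hash runs over base64.encodebytes(icon): MIME-style encoding with a
    newline every 76 characters and a trailing newline. Hashing the raw bytes,
    or unwrapped b64encode output, yields a value the index will never match.
    """
    return to_signed32(murmur3_32(base64.encodebytes(icon)))


def favicon_pivot(scan_records, target_hash: int, kit_title: str):
    """Group internet-wide scan rows by favicon hash, the pivot used in the report."""
    hits = [r for r in scan_records if r["favicon_hash"] == target_hash]
    return {
        "hosts": len({r["ip"] for r in hits}),
        "asns": sorted({r["asn"] for r in hits}),
        "title_matches": sum(1 for r in hits if r["title"] == kit_title),
        "ips": sorted(r["ip"] for r in hits),
    }


# Constructed stand-in for a captured kit favicon (an ICO header plus filler);
# it is not the GHOST STADIUM icon, whose hash the report gives as -309449305.
KIT_ICON = bytes.fromhex("00000100010010100000010020006804000016000000") + bytes(range(256)) * 4
KIT_HASH = favicon_hash(KIT_ICON)
KIT_TITLE = "FIFA World Cup 2026™ Tickets | Host Cities, Dates, Teams, Tickets"

# Constructed scan rows (RFC 5737 addresses, documentation ASNs), not real scan data.
SCAN_SAMPLE = [
    {"ip": "192.0.2.10",   "asn": "AS64496", "favicon_hash": KIT_HASH, "title": KIT_TITLE},
    {"ip": "192.0.2.11",   "asn": "AS64496", "favicon_hash": KIT_HASH, "title": KIT_TITLE},
    {"ip": "198.51.100.5", "asn": "AS64497", "favicon_hash": KIT_HASH, "title": "Welcome"},  # kit icon, page re-skinned
    {"ip": "203.0.113.9",  "asn": "AS64498", "favicon_hash": 1234567,  "title": KIT_TITLE},  # title copied, different icon
]

if __name__ == "__main__":
    print(KIT_HASH, favicon_pivot(SCAN_SAMPLE, KIT_HASH, KIT_TITLE))
```

The two details that trip people up are the base64 wrapping (base64.encodebytes, which is what the common mmh3.hash(codecs.encode(data, "base64")) one-liner feeds the hash) and the signed cast; get either wrong and the pivot returns nothing. The pivot itself deliberately reports hosts that carry the icon but not the title (a re-skinned or parked deployment of the same kit) separately from verbatim title matches, the same distinction as the 17-versus-15 split above.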
Shared host, not shared operator
One Group-IB IP, 137.220.224[.]67, is instructive precisely because it complicates a tidy story. It carries 953 passive-DNS records, essentially none FIFA-themed. It is a Chinese gambling host (the "91" brand: 91da[.]today, 91le[.]today) with .cn gambling history back to 2020, and it happens to also serve the GHOST STADIUM kit. That pattern fits Group-IB's own model of TA-4 as a phishing-as-a-service supply layer: the kit is a product deployed across shared infrastructure. The lesson generalizes across this whole investigation: identical kit deployment is evidence of a shared supplier, not necessarily a shared operator.
Figure (Silent Push screenshot, captured 2026-05-31): 137.220.224[.]67, 953 passive-DNS A records, almost none FIFA-themed, on a Chinese gambling host that nonetheless serves the GHOST STADIUM kit (note the "FIFA World Cup 2026™ … Host Cities, Dates, Teams" HTML title in Web Search Highlights). Shared host, not shared operator.
```mermaid
timeline
    title GHOST STADIUM Infrastructure · First-Seen Timeline (Silent Push)
    section Prior tenants
        2020–2023 : 137.220.224[.]67 · Chinese gambling (.cn)
                  : 148.178.22[.]16 · tempp / dede
        2022–2023 : 104.225.235[.]49 · clearwind / clearfire
        2025-03 : 148.178.18[.]23 · WhatsApp phishing ([prefix]-whatsapp)
        2025-08 : dk9873[.]top stands up on same IP (3-mo gap)
    section FIFA build-out
        2026-01 : 104.225.235[.]49 · fifa[.]center / fifa[.]gold (first FIFA infra)
                : 89.208.250[.]38 · staging begins (fifa[.]city / fifa[.]cash)
        2026-03 : Migrations to Zillion production IPs
        2026-04 : 43.98.183[.]110 · [prefix]-fifa.shop cluster (38 records)
    section Disclosure
        2026-05-27 : Federal and vendor advisories
        2026-06-04 : Peak 17,062 (transient cert flare)
        2026-06-06 : Kit rotating under Cloudflare pressure, not down
```
dk9873[.]top: the persistent layer
Disposable phishing domains are, by design, disposable. What is far more expensive for an operator to replace is the durable management layer that outlives any single campaign. We assess, with moderate confidence, that one such asset, the domain dk9873[.]top, is management or staging infrastructure connected to the GHOST STADIUM operation. The hedge in that sentence is deliberate and load-bearing.
dk9873[.]top (registered via Gname.com on 2025-08-22, Hong Kong) has run continuously for nine-plus months. It exposes a WebSocket subdomain (ws.dk9873[.]top) and an admin-style subdomain (dk.dk9873[.]top), returns HTTP 400 to ordinary visitors, and serves the HTML title "腾讯文档" (Tencent Docs) as a masquerade. Its current IP, 45.200.17[.]159 (Zillion Network), was still resolving on June 6. These are characteristics consistent with a management backend, but a ws. subdomain is common and does not, by itself, indicate command-and-control. We did not observe beacon traffic, phishing-page callbacks, or any admin-to-victim communication. The domain's specific function is not directly observed.
Figure (Silent Push screenshot, captured 2026-05-31): dk9873[.]top, a stable, low-diversity profile (minimal ASN/IP change) returning HTTP 400 to public visitors, consistent with a persistent management asset rather than a victim-facing site.
The strongest thread: bybanking[.]com
What ties dk9873[.]top to GHOST STADIUM is not the shared kit: it is DNS. A single domain, bybanking[.]com (registered via NameCheap, self-hosted nameservers), has subdomains pointing at two different providers:
| Subdomain | Resolves to | Significance |
|---|---|---|
| rcsurely.bybanking[.]com | 89.208.250[.]38 (IT7) | GHOST STADIUM staging IP |
| fsh1hb.bybanking[.]com | 45.200.17[.]159 (Zillion) | dk9873[.]top operational IP |
Only the controller of bybanking[.]com can create A records for its subdomains. The same domain pointing subdomains at both the GHOST STADIUM staging IP and the dk9873[.]top IP, across two unrelated hosting providers, establishes that a single entity controls DNS for assets deployed on both. That is a real, provider-crossing link. It is also precisely bounded: it establishes shared DNS control; it does not establish what dk9873[.]top does, and it does not by itself prove a single human operator stands behind both operations.
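As an added example (not the report's tooling), the pivot just described as code: given passive-DNS A records, a map of which IPs belong to which analytic cluster, and which ASN announces each IP, find apex domains whose subdomains resolve into more than one cluster and grade whether the link crosses providers. The bybanking, fifa[.]city and dk9873 rows reuse indicators from the report; the filler hosts, the twin.example apex, the 198.51.100.8 address, the cluster labels and the ASN map are constructed for the example.

```python
from collections import defaultdict

# Constructed passive-DNS A records (hostname, IP). The bybanking, fifa.city and
# dk9873 rows reproduce indicators from the report; the others are filler.
PDNS_SAMPLE = [
    ("rcsurely.bybanking.com", "89.208.250.38"),
    ("fsh1hb.bybanking.com",   "45.200.17.159"),
    ("www.fifa.city",          "89.208.250.38"),
    ("ws.dk9873.top",          "45.200.17.159"),
    ("dk.dk9873.top",          "45.200.17.159"),
    ("cdn.sharedcdn.example",  "89.208.250.38"),   # filler: one cluster only
    ("cdn.sharedcdn.example",  "203.0.113.7"),     # filler: unclustered IP
    ("a.twin.example",         "89.208.250.38"),   # filler: two clusters...
    ("b.twin.example",         "198.51.100.8"),    # ...but the same provider (constructed)
]

# Cluster membership and announcing AS per IP. The labels, and the placement of
# 198.51.100.8 in AS25820, are assumptions of the example, not report findings.
CLUSTER_OF = {
    "89.208.250.38": "ghost_stadium_staging",
    "198.51.100.8":  "ghost_stadium_rotation",
    "45.200.17.159": "dk9873_layer",
}
ASN_OF = {
    "89.208.250.38": "AS25820",   # IT7 / 16clouds
    "198.51.100.8":  "AS25820",
    "45.200.17.159": "AS54801",   # Zillion Network
    "203.0.113.7":   "AS64496",
}


def apex(hostname: str) -> str:
    """Registrable domain, approximated as the last two labels.

    Good enough for .com/.top/.example; names under .com.cn and similar need a
    public-suffix list, which this example does not carry.
    """
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def shared_dns_control(pdns, cluster_of, asn_of):
    """Find apex domains whose subdomains resolve into more than one cluster.

    Only the controller of the apex zone can create those A records, so each hit
    is one entity with DNS authority over assets in both clusters. A hit is
    'provider_crossing' when the clustered IPs sit in different ASNs, the
    stronger form the report relies on; same-ASN hits are kept but flagged,
    since co-location inside one provider is a weaker basis.
    """
    seen = defaultdict(lambda: {"clusters": set(), "asns": set(), "records": []})
    for host, ip in pdns:
        cluster = cluster_of.get(ip)
        if cluster is None:
            continue  # an IP outside every cluster says nothing about linkage
        entry = seen[apex(host)]
        entry["clusters"].add(cluster)
        entry["asns"].add(asn_of.get(ip, "unknown"))
        entry["records"].append((host, ip))
    links = {}
    for domain, entry in seen.items():
        if len(entry["clusters"]) < 2:
            continue
        links[domain] = {
            "clusters": entry["clusters"],
            "asns": entry["asns"],
            "provider_crossing": len(entry["asns"]) > 1,
            "records": entry["records"],
        }
    return links


if __name__ == "__main__":
    for domain, link in shared_dns_control(PDNS_SAMPLE, CLUSTER_OF, ASN_OF).items():
        grade = "provider-crossing" if link["provider_crossing"] else "same-provider"
        print(domain, sorted(link["clusters"]), grade)
```

On the sample, bybanking.com is the only provider-crossing hit; twin.example spans two clusters but one ASN and is reported with the weaker grade, and sharedcdn.example is dropped because its second IP belongs to no cluster at all. Note that the function proves shared DNS control and nothing more, exactly the boundary drawn above.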
A second, weaker thread reinforces it. dk9873[.]top first appeared in August 2025 on 148.178.18[.]23, the same Zillion IP that had hosted a cluster of WhatsApp phishing domains (wh[x]-whatsapp[.]com) three months earlier. That is IP co-residence with a temporal gap, which we would normally rate low confidence. What lifts it is the naming convention: the WhatsApp cluster's [prefix]-[brand] scheme is structurally identical to GHOST STADIUM's [prefix]-fifa.shop scheme, and naming convention is an operator behavioral choice, not a kit artifact.
A third, lighter thread points the same direction. Team Cymru places dk9873[.]top's /24 and six of the GHOST STADIUM hosting IPs in the same autonomous system, AS54801 (Zillion). Shared AS is weak on its own (Zillion hosts thousands of unrelated tenants, and thousands of its IPs expose the same Windows Remote Management ports dk9873 does), so it stays in the corroboration column, not the evidence column. It changes nothing about the grade: the assessment remains moderate confidence.
dk9873[.]top, the WhatsApp domains, and 57% of GHOST STADIUM (per Group-IB) all use the Gname.com registrar, and many use share-dns nameservers. These are tempting corroborants and weak ones: our dataset holds 1.35 million domains on share-dns nameservers, and Gname is among the largest registrars for Chinese-language infrastructure. Shared registrar and shared NS are consistent with common operation but carry high base rates: context, not evidence. The bybanking cross-link and the naming-convention match do the real work; the registrar overlap rides along.
Two further details mark this as an invested asset rather than a throwaway. The operator runs self-hosted nameservers on numeric-string domains (300f938569[.]com, 1255587256[.]com), a deliberate step away from third-party DNS that could be served a takedown, and those nameservers also answer for a small cluster of .cfd gambling domains registered to a Cambodia-based registrant. And where the disposable lure hosts expose web servers, dk9873[.]top's current IP exposes only Windows Remote Management (ports 5985/5986) to Shodan: a management box, not a victim-facing one. None of this fixes the domain's exact function, but all of it is consistent with a persistent back-office layer worth protecting.
The Hong Kong betting backbone
Running in parallel to GHOST STADIUM (and, to anticipate the conclusion, not the same operation) is a distinct Chinese-language betting operation that emerged with striking coordination immediately after the advisories. Its tell is hosting. Nearly every major new betting domain resolves to IP space announced by Hong Kong-registered (APNIC) ASNs, even though the addresses sit in Latin American (LACNIC) ranges:
| ASN | Registered entity | IP ranges | Role |
|---|---|---|---|
| AS134175 | Silvercorp Int'l Tower, 707–713 Nathan Rd, HK | 177.210/177.211/201.5/191.214.x.x | Primary backbone (53,642 hosts) |
| AS134548 | DXTL, Tseung Kwan O, HK | 122.10.0[.]0/18 | Shared betting infra |
| AS138415 | Yancy Limited, HK | 43.240 / 156.234 / 103.44 / 23.248 | Mobile / H5 lures |
The 177.210.x.x, 201.5.x.x and 191.214.x.x ranges are LACNIC-region address space (they look Brazilian) announced by APNIC-registered Hong Kong ASNs, an inter-RIR transfer or lease arrangement characteristic of IP-space arbitrage: acquiring non-contiguous blocks across registries to frustrate geographic attribution. "Silvercorp International Tower" at 707–713 Nathan Road, Mongkok, is a commercial building known for virtual offices and company-formation services; the name is most likely a registration address, not a tenant.
The coordination signal is registrar convergence on shared hosting. Metaregistrar BV registered 14 .com domains in a 23-minute burst on May 28 (app-[variant]odds.com, app-[variant]cup.com); within that window the timestamps cluster in three-second bursts consistent with automated tooling running a list. Beijing Xinnet registered sequential 2026worldcup-[suffix].com.cn domains. Web Commerce Communications mirrored the .com patterns onto .cn. Different registrars, different TLDs, different registration timelines, all landing on the same AS134175 ranges. That cross-registrar, same-IP convergence is operator-level evidence independent of any phishing kit. It is a strong inference of a single operator or tightly coordinated group; it is not, on hosting alone, proof.
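To make the two signals in that paragraph concrete, the following added example (not CrimsonVector's code) takes rows of (domain, registrar, creation timestamp, announcing ASN) and computes both: sub-window registration runs per registrar, and ASNs on which several registrars and TLDs converge. The domain names, timestamps and the "Example Registrar" control row are constructed; only the registrar names and AS134175 come from the report.

```python
from collections import defaultdict
from datetime import datetime

# Constructed rows: (domain, registrar, created_at in UTC, announcing ASN).
# Domain names and timestamps are invented; the registrars and AS134175 are the report's.
ROWS = [
    ("app-aodds.com",          "Metaregistrar BV",            "2026-05-28T09:00:00+00:00", "AS134175"),
    ("app-bodds.com",          "Metaregistrar BV",            "2026-05-28T09:00:02+00:00", "AS134175"),
    ("app-ccup.com",           "Metaregistrar BV",            "2026-05-28T09:00:03+00:00", "AS134175"),
    ("app-dcup.com",           "Metaregistrar BV",            "2026-05-28T09:00:30+00:00", "AS134175"),
    ("app-eodds.com",          "Metaregistrar BV",            "2026-05-28T09:00:31+00:00", "AS134175"),
    ("2026worldcup-a.com.cn",  "Beijing Xinnet",              "2026-05-29T02:10:00+00:00", "AS134175"),
    ("2026worldcup-b.com.cn",  "Beijing Xinnet",              "2026-05-29T02:10:01+00:00", "AS134175"),
    ("app-aodds.cn",           "Web Commerce Communications", "2026-05-30T11:00:00+00:00", "AS134175"),
    ("fifa-fanshop.com",       "Example Registrar",           "2026-05-28T09:00:01+00:00", "AS64496"),
]


def registration_bursts(rows, registrar, window_s=3.0):
    """Maximal runs of creation timestamps at one registrar with gaps <= window_s.

    Runs of two or more are reported as (size, span_seconds). A human on a
    registrar web form does not produce sub-three-second gaps; a script does.
    """
    times = sorted(datetime.fromisoformat(created)
                   for _, reg, created, _ in rows if reg == registrar)
    runs, current = [], []
    for t in times:
        if current and (t - current[-1]).total_seconds() > window_s:
            if len(current) > 1:
                runs.append(current)
            current = []
        current.append(t)
    if len(current) > 1:
        runs.append(current)
    return {
        "runs": [(len(r), (r[-1] - r[0]).total_seconds()) for r in runs],
        "overall_span_s": (times[-1] - times[0]).total_seconds() if times else 0.0,
    }


def hosting_convergence(rows, min_registrars=2):
    """ASNs on which domains from several registrars (and TLDs) land.

    Registrar and TLD diversity converging on one announcing AS is the
    operator-level signal; a single registrar feeding one AS is just a customer.
    Rows are assumed to hold registrable names, so the TLD is everything after
    the first label (which yields 'com.cn' for the Xinnet names).
    """
    by_asn = defaultdict(lambda: {"registrars": set(), "tlds": set(), "domains": 0})
    for domain, registrar, _, asn in rows:
        entry = by_asn[asn]
        entry["registrars"].add(registrar)
        entry["tlds"].add(domain.split(".", 1)[1])
        entry["domains"] += 1
    return {asn: e for asn, e in by_asn.items() if len(e["registrars"]) >= min_registrars}


if __name__ == "__main__":
    print(registration_bursts(ROWS, "Metaregistrar BV"))
    for asn, entry in hosting_convergence(ROWS).items():
        print(asn, sorted(entry["registrars"]), sorted(entry["tlds"]), entry["domains"])
```

On the sample, the Metaregistrar rows resolve into two scripted runs (three names in three seconds, then two in one second) inside a 31-second window, while AS134175 is the only AS that three registrars and three TLDs converge on; the unrelated registrar in AS64496 never passes the threshold. The real analysis replaces ROWS with RDAP creation timestamps joined to current A-record ASNs.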
The naming is unambiguously gambling, in Chinese: maiqiu (买球, "place bets"), kaiyun (开云, the Kaiyun platform brand), jinnianhui (金年会). A June-1 expansion into a multi-brand .com.cn lottery-and-betting lure cluster (riding the same AS134175/AS134548 backbone plus two additional geographically misleading legs, and registering through the same Web Commerce and Beijing Xinnet channels) reinforces the read of one coordinated operation, likely an affiliate network sharing a common hosting and technology supply chain.
The recycled-domain farm
A third hosting leg sits beside the phishing kit and the betting backbone, and its tradecraft is the most novel thing in this report. On a reseller-brokered autonomous system (AS142286, address space associated with the "Cloud Innovation" IPv4 broker and an abuse-tolerant Hong Kong reseller, OCTOPUS WEB SOLUTION), roughly 820 hosts serve FIFA "official portal" pages and Chinese-language World Cup betting kits. What earns the leg a section is not its size but where its domains come from.
They are not typosquats. They are aged, lapsed, legitimate-business domains, registered a decade or more ago, abandoned by their original owners, then re-registered and weaponized. Wayback Machine history confirms the pattern: bankofquanzhou[.]com hosted a Fujian bank's website from around 2010 until it lapsed, and now serves a World Cup betting kit; grupomundoprint[.]com was a Madrid print shop (2004–2019); praxesindia[.]com an Indian engineering firm (2011–2019); suleymanpekin[.]com a Turkish personal site. Two of them, grupomundoprint and praxesindia, historically redirected to the same gateway with identical archived content, which ties them to a common operator within this leg.
Each recycled domain carries its own valid certificate (the certificate subject matches the domain) and scores 0 of 91 on VirusTotal. That combination defeats the two heuristics defenders lean on hardest: the domain is old, so new-domain age filters pass it, and it has no abuse history, so reputation filters pass it too. The takeaway is uncomfortable but concrete: an aged domain abruptly serving World Cup content should be treated as high-signal regardless of its registration age or clean reputation score.
A boundary on the finding, in keeping with the rest of this report: "Cloud Innovation" is an IP-address broker, not a proven operator, and shared brokered address space is no more evidence of a shared operator than shared hosting is. We confirmed four domains as weaponized recycled assets and hold roughly forty more as candidates pending content review; one apparent member (00200hk[.]com) turned out to be an ordinary stock-ticker squat rather than a recycled domain, and we cut it. The TTP is the finding; the precise headcount will move.
The Vigorish Viper connection, and its limits
One domain names the supply chain explicitly. app-kaiyun-fifa[.]com (Metaregistrar, May 29, on AS134175) references Kaiyun (开云), a brand within the Vigorish Viper ecosystem, the Infoblox-designated network (formerly Yabo Group, later folded into Ponymuah) that operates 170,000+ domains and provides a "baowang" (包网) technology stack: DNS, hosting, payments, apps, and templates sold to gambling operators [5]. The broader Vigorish Viper ecosystem has been linked to forced-labor operations in Cambodia and to front-company sponsorships of European football clubs [6].
Two limits keep this connection honest. First, the FIFA betting cluster runs on different ASNs (AS134175 / AS134548 / AS138415) than Vigorish Viper's core infrastructure (AS140227 / AS213840 / AS147019), which places the FIFA operator as a downstream customer of the baowang platform, not the Viper core team. Second, and to be explicit: this investigation found no evidence connecting the specific FIFA betting operator to the forced-labor or human-trafficking activities documented in the wider Vigorish Viper ecosystem. The connection we can support is at the technology-supply level. We will not stretch it further than that.
What the certificates don't show
CrimsonVector's CT work usually leans on behavioral fingerprinting, operator artifacts embedded in certificate subdomain labels. Against this ecosystem, that lens returned a meaningful negative. Our discovery pathways (first-label aggregation, SAN-list clustering, targeted keyword sweep) found zero FIFA-related fingerprints. These operators use commodity DV certificates (Let's Encrypt at 75%, plus Amazon and Google Trust) with no distinctive subdomain patterns or SAN bundling, unlike, say, the Russian phishing clusters that leave strong CT signatures. The methodological takeaway is worth stating: certificate behavioral fingerprinting is powerful against operators who build persistent infrastructure with distinctive certificate habits, and ineffective against commodity-infrastructure fraud. For this class, the productive surface was domain-name and network-infrastructure analysis, which is what this report runs on.
We also used certificates as an attribution test between the two big clusters. If GHOST STADIUM and the betting operation shared an operator, they might occasionally co-occur on a single certificate's SAN list. They do not: across 18,860 FIFA-related certificates on June 5, exactly zero bundle a GHOST STADIUM domain with a betting-cluster domain. On its own this is a weak signal (commodity DV certificates carry roughly one name each, so even a single operator would rarely co-bundle two brands), but it means no certificate link was found, consistent with the separation the harder evidence already implies: distinct ASNs, distinct registration channels, and distinct naming conventions. Shared kit, shared registrars, a shared criminal ecosystem: none of it collapses into "one operator."
Eleven days on: rotation, not retreat
Return, finally, to the question the timing posed. Eleven days after four coordinated advisories, the core infrastructure has not been taken down, but, unlike the snapshot a week earlier, it is visibly moving, and the change is worth stating precisely, because the easy version ("zero response") is now wrong.
On the enforcement side, there is more pressure than the first week showed. The two flagship phishing domains, fifa[.]center and fifa[.]gold, serving the kit as recently as June 3, have gone NXDOMAIN, and five front-end fifa-com.* / fifa[.]city domains now sit behind Cloudflare "Suspected Phishing" interstitials. On the resilience side, though, the operation simply rotated around it. The redirector at 43.98.183[.]110 still resolves and still serves the [prefix]-fifa.shop family; fifa[.]show and fifa-com[.]top are still up on Zillion; fifa-online[.]com moved to AWS; dk9873[.]top and ws.dk9873[.]top still resolve to 45.200.17[.]159; and the Hong Kong betting backbone was not only intact but still absorbing new registrations through June 6. No domain seizure, arrest, or law-enforcement takedown of either the kit or the betting backbone has surfaced in any public source.
Registrar-level enforcement remained thin: six domains in clientHold (worldcup26ticket[.]com, 2026fifaworldcuptickets[.]online, wvvw-fifa[.]com, fifa[.]beer, fifa[.]click, fifa-com[.]co), and only 6 of the 36 FBI-listed domains suspended. Every FBI-listed job-scam domain remained live. Eleven days is still short for cross-jurisdiction takedowns, so this is a snapshot, not a verdict, but to date, disclosure has documented and lightly pressured this infrastructure without dislodging it. The kit is rotating, not retreating; we will revisit the question as kickoff nears.
The durable targets are the persistent ones. Disposable lure domains re-register in minutes; what is costly to replace is dk9873[.]top and the 45.200.17[.]0/24 Zillion range that hosts it and its self-hosted DNS, the bybanking cross-link domain, the redirector at 43.98.183[.]110, and the AS134175 betting backbone. Comprehensive abuse reporting (to Gname.com, Zillion Network, IT7/16clouds, Alibaba Cloud, and the relevant registrars) should include the full passive-DNS-derived domain sets, not just the published samples. Two hunt signatures travel well: the kit's favicon hash (-309449305) paired with its ticket-page title, and the recycled-domain pattern itself. An aged domain that abruptly serves World Cup content deserves suspicion on its own, because that leg is built to pass age and reputation checks. Hosting providers here are infrastructure intermediaries and are not necessarily complicit in the fraud.
Methodology & reproducibility
Everything here runs on passive data and commodity tooling. Sigil ingests the Certificate Transparency stream and daily CZDS zone-file diffs into Parquet, queried with DuckDB; enrichment draws on WHOIS/RDAP, Shodan, Silent Push passive DNS, URLScan (existing results, no submissions), and Team Cymru ASN mapping. All collection was passive; no operator infrastructure was directly accessed. Two caveats already noted bear repeating: the May 28–29 partitions are CZDS-only (a CT-pipeline regression, since fixed), and every count here measures event-themed attack surface, not confirmed malicious infrastructure. One last caveat on the headline count: roughly 2.7% of the ~14,600 are filter false positives, chiefly the personal name "Afifah" on free hosting, plus a handful of rugby/cricket and prior-tournament-year domains, so we quote it as approximate, not exact.
Indicators of Compromise
Indicators are defanged. GHOST STADIUM hosting IPs are reproduced from Group-IB and verified by this investigation; the technical indicators in the final table are reproduced from Group-IB and not independently verified by us.
| Indicator | Value |
|---|---|
| Redirector | 43.98.183[.]110, Alibaba Cloud SG (AS45102), ~30 [prefix]-fifa.shop |
| Production | 148.178.16[.]48 · 148.178.16[.]5 · 148.178.18[.]23 · 148.178.22[.]16 · 207.56.1[.]93 (Zillion, AS54801) |
| Staging | 89.208.250[.]38 · 65.49.223[.]138 · 104.225.235[.]49 · 66.112.212[.]25 (IT7/16clouds, AS25820) |
| Other | 154.86.0[.]33 (HK Lightlayer) · 216.189.149[.]193 (HostUS) · 137.220.224[.]67 (CTG, shared) · 85.121.242[.]41 (Majestic) |
| Domain | dk9873[.]top, Gname.com, 2025-08-22, HK; ws./dk. subdomains |
| Current IP | 45.200.17[.]159 (Zillion, AS54801) |
| Cross-link | bybanking[.]com, subdomains on 89.208.250[.]38 + 45.200.17[.]159 |
| Self-hosted NS | 300f938569[.]com · 1255587256[.]com (on 45.200.17[.]120) |
| Nameservers | a5.share-dns[.]com · b5.share-dns[.]net (base-rate caveated) |
| AS134175 | Silvercorp Int'l Tower, 707–713 Nathan Rd, HK, 177.210/177.211/201.5/191.214.x.x · abuse hkstdd@gmail[.]com |
| AS134548 | DXTL, Tseung Kwan O, HK, 122.10.0[.]0/18 |
| AS138415 | Yancy Limited, HK, mobile/H5 |
| Registrars | Metaregistrar BV (.com) · Beijing Xinnet (.cn) · Web Commerce Communications (.cn) |
| Brand token | app-kaiyun-fifa[.]com, Vigorish Viper / Kaiyun baowang reference |
| Kit favicon (hunt) | mmh3 -309449305 (GHOST STADIUM kit) · -613889228 (reseller-leg FIFA kit), Shodan http.favicon.hash pivots |
| Expanded kit hosts | ~17 hosts across ~8 ASNs (Alibaba Cloud, SpectraIP, QuadraNet, HostUS, Zillion ×2, IT7), beyond the 14 published IPs |
| Reseller leg | AS142286 (Cloud Innovation broker / OCTOPUS WEB SOLUTION), ~820 FIFA-titled hosts |
| Recycled domains | bankofquanzhou[.]com · grupomundoprint[.]com · praxesindia[.]com · suleymanpekin[.]com, aged legit domains re-registered & weaponized (own cert, VT 0/91) |
| Meta Pixel | 927432823410218 · 1842358649811605 · 1569148414168343 |
| Tawk.to | 6976ccbaba77e8198a866266 |
| Kit | Layui 2.7.6 + React SPA; HTTP title "FIFA World Cup 2026™ Tickets…" |
| Crypto gateway | ChainUGO (testnet.chainugo[.]com) |
| Primary registrar | Gname.com Pte. Ltd. (57% of cluster, per Group-IB) |
Confidence assessment
| Finding | Confidence | Basis |
|---|---|---|
| Scale: ~14,600 event-themed domains (June 6), ~85% above alert day; transient peak 17,062 | High | Reproduced across full-day partitions; monotonic zone-file floor; corroborated by CTM360 & Flare |
| Core infrastructure not taken down ~11 days post-disclosure (kit rotating under light pressure) | High | Direct DNS + Cloudflare-status verification; no seizure in any public source |
| GHOST STADIUM per-IP enumeration & [prefix]-fifa naming | High | Silent Push passive DNS + Shodan on published IOCs |
| GHOST STADIUM kit footprint wider than the 14 published IPs | High | Favicon-hash + kit-title pivot across ~8 ASNs / 17 hosts |
| Recycled aged-domain leg (AS142286) weaponizing lapsed legit domains | Moderate–High | Wayback-verified on 4; ~40 candidates; shared-content redirect ties two |
| HK betting operation is coordinated (single operator/group) | Moderate–High | Cross-registrar, same-IP convergence (strong inference, not proof) |
| Betting and GHOST STADIUM are separate operators | Moderate–High | Distinct ASNs, registration channels & naming; no certificate link across 18,860 certs |
| dk9873[.]top connected to GHOST STADIUM | Moderate | bybanking shared-DNS control + naming match; function unobserved |
| FIFA betting operator = downstream Vigorish Viper customer | Moderate | Kaiyun brand reference; different ASNs from Viper core |
| dk9873[.]top is specifically C2 | Not established | No beacon/callback/admin traffic observed |
Sources
- FBI Internet Crime Complaint Center. "Public Service Announcement," PSA I-052726-PSA, May 27, 2026. ic3.gov.
- Group-IB. "The GHOST STADIUM Score: Billions At Stake At The World's Largest Football Tournament," May 27, 2026. group-ib.com.
- Palo Alto Networks Unit 42. "FIFA World Cup 2026 Attack Surface Analysis," May 28, 2026. unit42.paloaltonetworks.com.
- CTM360 / The Hacker News. "The Scam Before the Game: CTM360 Reveals Threats Targeting FIFA World Cup 2026 Fans," May 2026. thehackernews.com.
- Infoblox. "Gambling Is No Game: DNS Links Between Chinese Organized Crime and Sports Sponsorships," July 2024. infoblox.com.
- The Record. "Chinese cybercrime syndicate behind gambling sites advertised at European sporting events," July 2024. therecord.media.
CrimsonVector: investigative research by Diego Parra into criminal infrastructure, threat actor attribution, and security research. Defanged URLs and IPs are intentionally bracketed per responsible disclosure conventions.