The census, not the incident

Within roughly 48 hours starting May 27, 2026, four threat-intelligence teams published in quick succession. The FBI's Internet Crime Complaint Center issued a public service announcement on World Cup ticket, job, and brand-impersonation fraud [1]. Group-IB released The GHOST STADIUM Score, attributing a large phishing campaign to a Chinese-speaking operator it designated TA-1 and estimating premium-ticket-fraud losses between $71 million and $474 million [2]. Palo Alto's Unit 42 mapped the broader attack surface [3]; CTM360 independently counted more than 7,000 FIFA-themed domains, over a thousand of them already weaponized [4].

Four advisories in a single news cycle is, by the standards of event-themed fraud, an overwhelming public response. The natural expectation is contraction: takedowns, registrar suspensions, operators going quiet. That is not what happened. Eleven days later the ecosystem had not contracted; it had grown. By June 6 it stood at roughly 14,600 event-themed domains in our Certificate Transparency and zone-file telemetry, about 85% above the pre-advisory peak, after a one-day certificate flare briefly carried it past 17,000; the steadiest measure, the zone-file registration floor, rose every single day. With the June 11 kickoff four days out, the surface was still expanding.

This is a census, not an incident report. The unit of analysis is the ecosystem and its infrastructure: how large the event-themed domain surface is, how fast it is growing, what it is being used for, who is operating the most durable pieces of it, and, the question the timing forced, whether public disclosure moved any of it. The short answers: very large; still growing, if in volatile bursts; rotating across lure themes; a shared-kit ecosystem with at least two separately attributed operations working the same Chinese-language criminal supply chain; and, eleven days in, rotating under light enforcement pressure but not taken down.

What this is and isn't

"~14,600 domains" is a measure of event-themed attack surface, not confirmed malicious infrastructure. It is produced by deliberately broad matching and includes benign, brand-adjacent, and malicious registrations alike. Where we make attribution or maliciousness claims about specific clusters, we say so and grade the confidence. The two are not the same number, and conflating them is the most common way event-fraud reporting goes wrong.

Key judgments

How we counted

The figures in this report come from Sigil, a Certificate Transparency observatory that ingests the live CT certificate stream (roughly 18 million domains a day) alongside daily CZDS zone-file diffs across 36 generic TLDs, then materializes both into queryable Parquet partitions. Domains are matched with a deliberately broad pattern:

domain ILIKE '%fifa%' OR domain ILIKE '%worldcup%' OR domain ILIKE '%fwc2026%'

That breadth is a choice. It captures the full event-themed surface (a fan-merchandise store, a legitimate watch-party page, and a credential-harvesting clone all match), which is exactly what you want when the question is "how big is the phenomenon," and exactly what you must caveat when the question is "how much of it is criminal." It also explains why our number sits above Group-IB's and alongside CTM360's:

| Source | Count | Methodology |
|---|---|---|
| CrimsonVector (this report) | ~7,200–14,600 | Broad substring match, event-themed attack surface |
| CTM360 [4] | 7,000+ | FIFA-themed domains; ~1,000 assessed malicious |
| Group-IB (GHOST STADIUM) [2] | 4,300+ / 300+ active | Narrower, fraud-confirmed; 300+ active campaign domains, 79 published as representative IOCs |

Our count and CTM360's broad count agree closely; Group-IB's smaller figure reflects a narrower, fraud-confirmed methodology. None of the three contradicts the others; they are measuring different things, and the gap between them is the finding: the malicious core is a minority of a much larger event-themed surface.

An honest data gap

Telemetry is only as good as its weakest day, and this dataset has two soft spots we disclose rather than paper over. A cutover to our v2 CT monitor around May 27 inadvertently dropped certificate/domain CSV persistence: the monitor kept ingesting, but the conversion job had nothing to read, so the May 28 and May 29 partitions contain CZDS zone-file data only and their CT-sourced domains are permanently lost. The regression was found and fixed at 07:03 UTC on May 30, which means the May 30 partition captured only about 17 hours of CT data. Consequently, the apparent "crash" from 7,922 domains on May 27 to ~3,600 on May 28–29 is a measurement artifact, not a takedown; the CZDS-only baseline across those days was essentially flat (3,617 → 3,649 → 3,664). We flag this wherever it touches a comparison.

The growth curve

With the pipeline restored, the following week told a messier, and more revealing, story than a clean climb. May 31 recorded 8,076 event-themed domains; June 1, 9,147; June 2, 10,905. Then the count began to saw-tooth: down to 9,406 on June 3, exploding to an all-time high of 17,062 on June 4, falling back to 13,419 on June 5, then edging up again to roughly 14,660 on June 6. That volatility is almost entirely certificate-driven (more on the spike below); the steadier signal sits underneath it.

Strip out the noisy Certificate Transparency component and look at the zone-file registration floor (newly registered domains visible in ICANN zone files, which the CT-pipeline outage never touched), and the picture is unambiguous: it rises every single day, from 3,265 on May 9 to 3,884 on June 6, climbing straight through both the advisory window and the instrumentation gap. Roughly 9,800 of the domains added since June 1 were still present on June 6. The ecosystem is not just churning in place; its durable floor is steadily lifting.

Fig 1. Daily unique event-themed domains, May 9 – June 6, 2026. The shaded band marks the CT-pipeline gap (CZDS-only days); the gold node is the June 4 all-time high of 17,062, a transient certificate flare, and the lower blue line is the zone-file registration floor, which rises every day.

Churn is where the volatility shows. Between June 4 and June 5 alone, 11,809 domains disappeared while 8,166 appeared, gross daily turnover near twenty thousand. That flood-and-recede is the certificate flare washing through: a one-day wave of fresh registrations, most of them gone within twenty-four hours. What persists underneath it is the steadily rising zone-file floor and the ~9,800 durable additions since June 1. The ecosystem is not merely large and static; it is large, churning hard, and, on the measures that don't evaporate, still growing as kickoff approaches.

About the June 4 spike

The one-day jump to 17,062 is real, but it is not durable infrastructure. Of the ~11,600 domains that first appeared on June 4, 87.6% carried certificates issued in the days just before (fresh issuance, not a backfill of old domains into the logs) on templated fifa2026 / worldcup names (www-, web-, wap-, official- prefixes). They were spread thinly across many small hosts and mostly gone by June 5. We treat 17,062 as a transient flare and ~14,600 as the honest current number; the durable story is the zone-file floor. The June 6 tick back up to ~14,660 is largely that same flare population resurfacing (98.7% of that day's new domains carry certificates issued since June 1, dominated by the June 4 burst), plus a fresh June 6 issuance pulse, which is why we read it the same way: a volatile certificate total riding on a steadily rising floor.

"Four advisories landed in one news cycle. Eleven days later the surface had grown about 85% past the alert-day level, with a one-day flare briefly carrying it above 17,000, straight into kickoff week."

What it's all for, and how that's shifting

Classifying the surface by lure theme reveals a mix that is actively rotating. Through May 31, betting and gambling was the fastest-growing vertical. By June 1 betting had begun to contract while two other categories surged: streaming ("watch the match") rose 77% day over day, and account/brand credential lures rose 76%. The operators are repositioning from "place your bet" toward "stream the game" and "log in to your account" as the tournament nears and consumer intent shifts.

That rotation, though, was a snapshot, not a trend. By June 5 the mix had shifted again: betting had rebounded to 671 and no single vertical dominated. The more durable pattern is a naming shift that evades theme classification altogether: roughly 85% of the June 5 surface, 96% of everything new since June 1, and 89% of the fresh June 6 burst classify as generic "other", plain fifa / worldcup strings carrying no fraud-keyword token at all. The operators are increasingly registering names that say nothing about their purpose, which blunts keyword-based detection and is itself the tell.

Fig 2. Themed-vertical rotation across three early-window partitions (May 30 is a ~17h partial CT capture; May 31 and June 1 are full days). Betting contracts as streaming and account/brand credential lures surge, a snapshot that shifted again by June 5 (see text). Generic-brand "other" (5,679→7,416 here, ~12,000 by June 5) is excluded for scale; "merch/store" is inflated by .shop/.store TLDs.
| Theme | 05-30 | 05-31 | 06-01 | 06-05 | Trend |
|---|---|---|---|---|---|
| Betting / gambling | 447 | 549 | 418 | 671 | Contracted, then rebounded |
| Streaming | 56 | 82 | 145 | 198 | Climbing |
| Account / brand | 122 | 132 | 233 | 216 | Surged, then flat |
| Tickets / sales | 285 | 318 | 304 | 364 | Slow growth |
| Merch / store* | 594 | 612 | 628 | 712 | Slow growth (TLD-inflated) |
| Jobs / HR | 3 | 2 | 3 | 9 | Minimal |
| Other / generic brand | 5,679 | 6,381 | 7,416 | 11,983 | +4,567 since 06-01 (keyword-evading surge) |

June 5 theme counts are tallied over CT+zone source rows (~5% above the 13,419 distinct-domain total, from cross-source duplicates); read them as approximate. The surge into "other" reflects keyword-evading generic names, not a single new vertical.
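To make the counting and the theme classification concrete, here is an added Python example (not the report's Sigil pipeline) that applies the same broad substring filter, computes per-day totals and the zone-file floor, measures churn between two partitions, and tallies lure themes; the two days of records and the theme keyword lists are constructed assumptions.

```python
"""Event-themed domain census over constructed CT + zone-file rows."""
from collections import Counter, defaultdict

# Same broad substring filter the report runs as a SQL ILIKE pattern.
EVENT_PATTERNS = ("fifa", "worldcup", "fwc2026")

# Lure-theme vocabulary (assumed; the report does not publish its keyword lists).
# Order matters: the first matching bucket wins.
THEMES = {
    "betting":   ("bet", "odds", "casino", "maiqiu", "kaiyun", "jinnianhui"),
    "streaming": ("stream", "watch", "live", "tv", "iptv"),
    "account":   ("login", "account", "verify", "signin"),
    "tickets":   ("ticket",),
    "merch":     ("merch", "jersey"),
    "jobs":      ("job", "career", "hiring"),
}


def is_event_themed(domain: str) -> bool:
    """Broad match: catches benign, brand-adjacent and malicious names alike."""
    d = domain.lower()
    return any(p in d for p in EVENT_PATTERNS)


def classify_theme(domain: str) -> str:
    """Bucket a name by fraud keyword; a name with no keyword is 'other'.
    Only the labels left of the last dot are inspected, so a bare .shop/.store
    TLD does not inflate 'merch' the way the report's table notes it can."""
    name = domain.lower().rsplit(".", 1)[0]
    for theme, keywords in THEMES.items():
        if any(k in name for k in keywords):
            return theme
    return "other"


def daily_census(records):
    """Per day: distinct event-themed domains, the zone-file (czds) floor,
    a theme tally and the share of keyword-free 'other' names."""
    by_day = defaultdict(lambda: {"all": set(), "czds": set()})
    for day, source, domain in records:
        if not is_event_themed(domain):
            continue
        by_day[day]["all"].add(domain)
        if source == "czds":
            by_day[day]["czds"].add(domain)
    census = {}
    for day, sets in sorted(by_day.items()):
        themes = Counter(classify_theme(d) for d in sets["all"])
        census[day] = {"total": len(sets["all"]), "czds_floor": len(sets["czds"]),
                       "themes": themes, "domains": sets["all"],
                       "other_share": themes["other"] / len(sets["all"])}
    return census


def churn(prev_domains: set, curr_domains: set):
    """Gross turnover between two partitions: (appeared, disappeared)."""
    return curr_domains - prev_domains, prev_domains - curr_domains


# Constructed sample rows (day, source, domain); names imitate the templated families.
RECORDS = [
    ("2026-06-04", "ct",   "www-fifa2026.top"),
    ("2026-06-04", "ct",   "web-worldcup.top"),
    ("2026-06-04", "ct",   "official-fifa2026.shop"),
    ("2026-06-04", "ct",   "worldcup-stream.live"),
    ("2026-06-04", "ct",   "fifa-login-verify.com"),
    ("2026-06-04", "ct",   "fifa-tickets.com"),
    ("2026-06-04", "ct",   "cdn-assets.net"),          # not event-themed: filtered out
    ("2026-06-04", "czds", "fifa-tickets.com"),        # same name seen in both sources
    ("2026-06-04", "czds", "12betworldcup3.shop"),
    ("2026-06-04", "czds", "worldcup2026-merch.store"),
    ("2026-06-04", "czds", "fifa-jobs-hiring.com"),
    ("2026-06-04", "czds", "example.com"),             # not event-themed: filtered out
    ("2026-06-05", "ct",   "worldcup-stream.live"),
    ("2026-06-05", "ct",   "fifa-login-verify.com"),
    ("2026-06-05", "ct",   "fifa2026-live.tv"),
    ("2026-06-05", "ct",   "fifa.show"),
    ("2026-06-05", "czds", "fifa-tickets.com"),
    ("2026-06-05", "czds", "12betworldcup3.shop"),
    ("2026-06-05", "czds", "worldcup2026-merch.store"),
    ("2026-06-05", "czds", "fifa-jobs-hiring.com"),
    ("2026-06-05", "czds", "maiqiu-worldcup.com.cn"),
]

if __name__ == "__main__":
    census = daily_census(RECORDS)
    for day, row in census.items():
        print(day, "total", row["total"], "czds floor", row["czds_floor"],
              "other share %.0f%%" % (100 * row["other_share"]), dict(row["themes"]))
    appeared, gone = churn(census["2026-06-04"]["domains"], census["2026-06-05"]["domains"])
    print("appeared", sorted(appeared), "disappeared", sorted(gone))
```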

TLD distribution underlines a parallel dynamic. By June 5, .com led at 5,865 domains, followed by a striking .cn at 2,851, up from 332 on May 30 and 1,173 on June 1, a steady climb rather than a blip. The earlier contraction in Chinese-language registrations was largely a CT-window artifact; the cluster kept re-expanding, driven by systematic families like Beijing Xinnet's 2026worldcup-[suffix].com.cn and numbered betting domains such as 12betworldcup[N].shop. These families matter less as individual domains than as fingerprints of the operations behind them, which is where the rest of this report goes.

GHOST STADIUM: the phishing operation

Group-IB's TA-1, GHOST STADIUM, is the best-documented malicious cluster in the ecosystem: a Chinese-speaking operator serving a pixel-accurate FIFA ticketing clone (HTTP title "FIFA World Cup 2026™ Tickets | Host Cities, Dates, Teams, Tickets"; per Group-IB, built on Layui 2.7.6 and a React single-page app) across a fleet of hosting IPs. Group-IB published 14 hosting IPs plus a redirector, and 79 representative domains. We took every one of those indicators and ran them through Shodan and Silent Push passive DNS. The map below assembles what came back; it is the spine of the next three sections.

Fig 3. Infrastructure relationship graph. The GHOST STADIUM phishing cluster (red), the dk9873[.]top persistent layer (purple), the Hong Kong betting operation (blue), and the reseller-hosted recycled-domain farm (bronze) are shown together; the gold thread is the bybanking[.]com shared-DNS-control link, and dashed edges are hosting/kit overlaps, not operator links. The clusters are attributed separately.

How the lure converts

A census of infrastructure says little about how victims actually lose money, so it is worth tracing the conversion path Group-IB documented on the GHOST STADIUM kit. Acquisition is paid: the kit carries Meta (Facebook) Pixel identifiers and the campaign ran Facebook ad sets; this is malvertising-driven traffic, not only typosquatting and search. The landing page is the pixel-accurate ticket clone; checkout funnels victims into card and account-credential capture and into payment rails that include a crypto gateway (ChainUGO) alongside conventional processors. CTM360 separately reported a companion Android malware family, BTMob, disguised as IPTV/streaming apps, which dovetails with the streaming-lure surge in our own data as kickoff nears. These monetization details are reported by Group-IB and CTM360 and are not independently verified here; the Pixel and ad identifiers are, however, a concrete disruption avenue, since they can be reported to Meta to pull the ad accounts behind the traffic.

Live verification of the published IOCs

Of the 14 Group-IB hosting IPs, 12 still returned the FIFA kit's HTTP title on May 31, ten with current FIFA-themed DNS records, two serving the kit without current FIFA bindings. (A caveat worth stating plainly: bare-IP scans against some of these hosts now return 400/404, but that is the expected virtual-host response to a probe lacking the FIFA Host header, not evidence of takedown. Where DNS resolves and the kit serves with the correct host, the infrastructure is live.) The infrastructure clusters across three primary providers, with a clear staging-to-production workflow:

| IP (defanged) | Provider / ASN | PADNS | FIFA domains | Role |
|---|---|---|---|---|
| 43.98.183[.]110 | Alibaba Cloud SG · AS45102 | 38 | ~30 | Redirector, [prefix]-fifa.shop/.top |
| 148.178.16[.]48 | Zillion Network · AS54801 | 25 | ~18 | Production (fifa[.]monster/.pet/.kim) |
| 148.178.18[.]23 | Zillion Network · AS54801 | 28 | 3 | Production; prior WhatsApp phishing |
| 154.86.0[.]33 | HK Lightlayer · AS139646 | 18 | ~15 | Production (fifa-com[.]top) |
| 65.49.223[.]138 | IT7 / 16clouds · AS25820 | 15 | ~12 | Staging / rotation |
| 104.225.235[.]49 | IT7 / 16clouds · AS25820 | 8 | 4 | fifa[.]center/.gold · BaoTa panel :888 |
| 89.208.250[.]38 | IT7 / 16clouds · AS25820 | 30 | ~25 | Staging IP (403 on last scan) |
| 137.220.224[.]67 | CTG Server HK · AS152194 | 953 | 0 | Shared gambling host (serves kit) |

Representative rows from the full 14-IP + redirector analysis. Zillion Network (AS54801) is the production host; IT7 / 16clouds (AS25820, BaoTa panel confirmed on port 888) is staging and rotation; the remainder are miscellaneous. Domains were observed migrating staging→production: fifa[.]show moved from an IT7 IP (March 1) to a Zillion IP (March 16).

A fuller per-IP picture than the published IOCs

The redirector deserves a careful sentence, because it is easy to overstate. The IP 43.98.183[.]110 (attributed to GHOST STADIUM in Group-IB's report text, though not included in their published IP-IOC list) carries 38 passive-DNS A records, roughly 30 of them FIFA-themed (including www. variants), following a systematic [prefix]-fifa.shop/.top scheme: a-, b-, cr-, d-, f-, gx-, lv-, mm-, wz-, zd-, and so on, plus football-ticket / -tickets / -game redirectors. The prefixes plausibly encode geo-targeting or affiliate identifiers (cr, lv, mm, ap read readily as country and region codes) and with the tournament hosted across the United States, Canada, and Mexico, geo-segmented lure delivery to a North American victim pool is the obvious design.

A calibration note

Passive DNS routinely surfaces more domains per IP than a vendor's published IOC list, because published IOCs are representative, not exhaustive: Group-IB stated 300+ active campaign domains and published 79 as samples. The right reading of "38 records where the public list named a handful" is a more granular per-IP enumeration and a newly visible naming scheme, not a claim that the campaign is an order of magnitude larger than reported. We map the footprint more finely; we do not correct Group-IB's scope.

Bigger than fourteen IPs

Passive DNS gave a finer view of the published hosts; a favicon fingerprint gave a wider one. The GHOST STADIUM ticket kit ships a specific bundled favicon (mmh3 hash -309449305), and pivoting on that hash across internet-wide scan data returns 17 distinct hosts, 15 of them serving the verbatim kit title, spread across roughly eight autonomous systems (Alibaba Cloud, SpectraIP, QuadraNet, HostUS, two Zillion ranges, IT7, and one more). That is materially more infrastructure than the fourteen IPs Group-IB enumerated, and it surfaces kit domains the published list never named: fifa[.]xin, fifa2026[.]cam, fifa-bs[.]shop, qh-fifa[.]shop, and others. The same hash returns zero hits on legitimate CDN infrastructure (Akamai, Cloudflare, Amazon), which confirms it is the kit's own icon, not FIFA's. Independent reporting from Flare, published before Group-IB's, separately lists three of our GHOST STADIUM hosts and shares a TLS certificate fingerprint with our anchor, an outside cross-check on the cluster.

A second calibration note

The wider footprint is, once again, a property of a shared kit, not proof of one larger operator. Group-IB attributes the kit to a phishing-as-a-service vendor (TA-4) that sells it; a favicon shared across eight autonomous systems attributes the kit, which many customers can deploy, not a single operator. We read it as the kit footprint being broader than first published, and as a durable hunt signature (the favicon hash and kit title are now reliable pivots), not as a rewrite of who runs GHOST STADIUM.

Shared host, not shared operator

One Group-IB IP, 137.220.224[.]67, is instructive precisely because it complicates a tidy story. It carries 953 passive-DNS records, essentially none FIFA-themed. It is a Chinese gambling host (the "91" brand: 91da[.]today, 91le[.]today) with .cn gambling history back to 2020, and it happens to also serve the GHOST STADIUM kit. That pattern fits Group-IB's own model of TA-4 as a phishing-as-a-service supply layer: the kit is a product deployed across shared infrastructure. The lesson generalizes across this whole investigation: identical kit deployment is evidence of a shared supplier, not necessarily a shared operator.

Fig 4. SilentPush enrichment for 137.220.224[.]67, 953 passive-DNS A records, almost none FIFA-themed, on a Chinese gambling host that nonetheless serves the GHOST STADIUM kit (note the "FIFA World Cup 2026™ … Host Cities, Dates, Teams" HTML title in Web Search Highlights). Shared host, not shared operator. Captured 2026-05-31.

GHOST STADIUM infrastructure timeline

```mermaid
timeline
    title GHOST STADIUM Infrastructure · First-Seen Timeline (Silent Push)
    section Prior tenants
        2020–2023 : 137.220.224[.]67 · Chinese gambling (.cn)
                  : 148.178.22[.]16 · tempp / dede
        2022–2023 : 104.225.235[.]49 · clearwind / clearfire
        2025-03 : 148.178.18[.]23 · WhatsApp phishing ([prefix]-whatsapp)
        2025-08 : dk9873[.]top stands up on same IP (3-mo gap)
    section FIFA build-out
        2026-01 : 104.225.235[.]49 · fifa[.]center / fifa[.]gold (first FIFA infra)
                : 89.208.250[.]38 · staging begins (fifa[.]city / fifa[.]cash)
        2026-03 : Migrations to Zillion production IPs
        2026-04 : 43.98.183[.]110 · [prefix]-fifa.shop cluster (38 records)
    section Disclosure
        2026-05-27 : Federal and vendor advisories
        2026-06-04 : Peak 17,062 (transient cert flare)
        2026-06-06 : Kit rotating under Cloudflare pressure, not down
```

dk9873[.]top: the persistent layer

Disposable phishing domains are, by design, disposable. What is far more expensive for an operator to replace is the durable management layer that outlives any single campaign. We assess, with moderate confidence, that one such asset, the domain dk9873[.]top, is management or staging infrastructure connected to the GHOST STADIUM operation. The hedge in that sentence is deliberate and load-bearing.

dk9873[.]top (registered via Gname.com on 2025-08-22, Hong Kong) has run continuously for nine-plus months. It exposes a WebSocket subdomain (ws.dk9873[.]top) and an admin-style subdomain (dk.dk9873[.]top), returns HTTP 400 to ordinary visitors, and serves the HTML title "腾讯文档" (Tencent Docs) as a masquerade. Its current IP, 45.200.17[.]159 (Zillion Network), was still resolving on June 6. These are characteristics consistent with a management backend, but a ws. subdomain is common and does not, by itself, indicate command-and-control. We did not observe beacon traffic, phishing-page callbacks, or any admin-to-victim communication. The domain's specific function is not directly observed.

Fig 5. SilentPush enrichment for dk9873[.]top, a stable, low-diversity profile (minimal ASN/IP change) returning HTTP 400 to public visitors, consistent with a persistent management asset rather than a victim-facing site. Captured 2026-05-31.

The strongest thread: bybanking[.]com

What ties dk9873[.]top to GHOST STADIUM is not the shared kit: it is DNS. A single domain, bybanking[.]com (registered via NameCheap, self-hosted nameservers), has subdomains pointing at two different providers:

| Subdomain | Resolves to | Significance |
|---|---|---|
| rcsurely.bybanking[.]com | 89.208.250[.]38 (IT7) | GHOST STADIUM staging IP |
| fsh1hb.bybanking[.]com | 45.200.17[.]159 (Zillion) | dk9873[.]top operational IP |

Only the controller of bybanking[.]com can create A records for its subdomains. The same domain pointing subdomains at both the GHOST STADIUM staging IP and the dk9873[.]top IP, across two unrelated hosting providers, establishes that a single entity controls DNS for assets deployed on both. That is a real, provider-crossing link. It is also precisely bounded: it establishes shared DNS control; it does not establish what dk9873[.]top does, and it does not by itself prove a single human operator stands behind both operations.
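As an added example of the pivot the bybanking[.]com finding rests on (not the report's tooling), the following Python joins passive-DNS answers against cluster membership and reports the apex domains whose subdomains bridge two clusters; the rows are constructed from the report's own figures, and the cluster labels and the unrelated co-tenant row are assumptions.

```python
"""Find apex domains whose subdomains resolve into two separately attributed clusters."""
from collections import defaultdict

# Constructed passive-DNS A records (hostname, answer IP), defanged as the report prints them.
PADNS = [
    ("rcsurely.bybanking[.]com", "89.208.250[.]38"),
    ("fsh1hb.bybanking[.]com",   "45.200.17[.]159"),
    ("fifa[.]city",              "89.208.250[.]38"),
    ("ws.dk9873[.]top",          "45.200.17[.]159"),
    ("dk.dk9873[.]top",          "45.200.17[.]159"),
    ("cdn.tenant-example[.]net", "89.208.250[.]38"),   # assumed unrelated co-tenant, one cluster only
]

# IP-to-cluster membership, following the report's attribution of the two IPs.
CLUSTERS = {
    "ghost_stadium_staging": {"89.208.250.38"},
    "dk9873_layer": {"45.200.17.159"},
}

# Minimal second-level suffixes for apex extraction; a real pipeline should use the
# Public Suffix List instead of this short assumed set.
MULTI_LABEL_SUFFIXES = {"com.cn", "co.uk", "com.hk"}


def refang(value: str) -> str:
    return value.replace("[.]", ".")


def apex(hostname: str) -> str:
    """Registrable domain: last two labels, or three under a known two-label suffix."""
    labels = refang(hostname).lower().split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def ip_cluster(ip: str, clusters):
    ip = refang(ip)
    for name, members in clusters.items():
        if ip in members:
            return name
    return None


def bridging_apexes(padns, clusters):
    """apex -> {cluster: sorted hostnames}, kept only where two or more clusters are touched.
    Only the apex's DNS controller can publish these A records, so a bridge shows shared
    DNS control across providers; it says nothing about what either side does."""
    touched = defaultdict(lambda: defaultdict(set))
    for host, ip in padns:
        cluster = ip_cluster(ip, clusters)
        if cluster:
            touched[apex(host)][cluster].add(refang(host))
    return {a: {c: sorted(hosts) for c, hosts in by_cluster.items()}
            for a, by_cluster in touched.items() if len(by_cluster) >= 2}


if __name__ == "__main__":
    for a, links in bridging_apexes(PADNS, CLUSTERS).items():
        print(a, "->", links)
```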

A second, weaker thread reinforces it. dk9873[.]top first appeared in August 2025 on 148.178.18[.]23, the same Zillion IP that had hosted a cluster of WhatsApp phishing domains (wh[x]-whatsapp[.]com) three months earlier. That is IP co-residence with a temporal gap, which we would normally rate low confidence. What lifts it is the naming convention: the WhatsApp cluster's [prefix]-[brand] scheme is structurally identical to GHOST STADIUM's [prefix]-fifa.shop scheme, and naming convention is an operator behavioral choice, not a kit artifact.

A third, lighter thread points the same direction. Team Cymru places dk9873[.]top's /24 and six of the GHOST STADIUM hosting IPs in the same autonomous system, AS54801 (Zillion). Shared AS is weak on its own (Zillion hosts thousands of unrelated tenants, and thousands of its IPs expose the same Windows Remote Management ports dk9873 does), so it stays in the corroboration column, not the evidence column. It changes nothing about the grade: the assessment remains moderate confidence.

Base-rate discipline

dk9873[.]top, the WhatsApp domains, and 57% of GHOST STADIUM (per Group-IB) all use the Gname.com registrar, and many use share-dns nameservers. These are tempting corroborants and weak ones: our dataset holds 1.35 million domains on share-dns nameservers and Gname is among the largest registrars for Chinese-language infrastructure. Shared registrar and shared NS are consistent with common operation but carry high base rates: context, not evidence. The bybanking cross-link and the naming-convention match do the real work; the registrar overlap rides along.

Two further details mark this as an invested asset rather than a throwaway. The operator runs self-hosted nameservers on numeric-string domains (300f938569[.]com, 1255587256[.]com), a deliberate step away from third-party DNS that could be served a takedown, and those nameservers also answer for a small cluster of .cfd gambling domains registered to a Cambodia-based registrant. And where the disposable lure hosts expose web servers, dk9873[.]top's current IP exposes only Windows Remote Management (ports 5985/5986) to Shodan: a management box, not a victim-facing one. None of this fixes the domain's exact function, but all of it is consistent with a persistent back-office layer worth protecting.

The Hong Kong betting backbone

Running in parallel to GHOST STADIUM (and, to anticipate the conclusion, not the same operation) is a distinct Chinese-language betting operation that emerged with striking coordination immediately after the advisories. Its tell is hosting. Nearly every major new betting domain resolves to IP space announced by Hong Kong-registered (APNIC) ASNs, even though the addresses sit in Latin American (LACNIC) ranges:

| ASN | Registered entity | IP ranges | Role |
|---|---|---|---|
| AS134175 | Silvercorp Int'l Tower, 707–713 Nathan Rd, HK | 177.210 / 177.211 / 201.5 / 191.214.x.x | Primary backbone (53,642 hosts) |
| AS134548 | DXTL, Tseung Kwan O, HK | 122.10.0[.]0/18 | Shared betting infra |
| AS138415 | Yancy Limited, HK | 43.240 / 156.234 / 103.44 / 23.248 | Mobile / H5 lures |

The 177.210.x.x, 201.5.x.x and 191.214.x.x ranges are LACNIC-region address space (they look Brazilian) announced by APNIC-registered Hong Kong ASNs: an inter-RIR transfer or lease arrangement characteristic of IP-space arbitrage, acquiring non-contiguous blocks across registries to frustrate geographic attribution. "Silvercorp International Tower" at 707–713 Nathan Road, Mongkok, is a commercial building known for virtual offices and company-formation services; the name is most likely a registration address, not a tenant.

The coordination signal is registrar convergence on shared hosting. Metaregistrar BV registered 14 .com domains in a 23-minute burst on May 28 (app-[variant]odds.com, app-[variant]cup.com). The timestamps cluster in three-second bursts consistent with automated tooling running a list. Beijing Xinnet registered sequential 2026worldcup-[suffix].com.cn domains. Web Commerce Communications mirrored the .com patterns onto .cn. Different registrars, different TLDs, different registration timelines, all landing on the same AS134175 ranges. That cross-registrar, same-IP convergence is operator-level evidence independent of any phishing kit. It is a strong inference of a single operator or tightly coordinated group; it is not, on hosting alone, proof.

The naming is unambiguously gambling, in Chinese: maiqiu (买球, "place bets"), kaiyun (开云, the Kaiyun platform brand), jinnianhui (金年会). A June-1 expansion into a multi-brand .com.cn lottery-and-betting lure cluster (riding the same AS134175/AS134548 backbone plus two additional geographically misleading legs, and registering through the same Web Commerce and Beijing Xinnet channels) reinforces the read of one coordinated operation, likely an affiliate network sharing a common hosting and technology supply chain.

The recycled-domain farm

A third hosting leg sits beside the phishing kit and the betting backbone, and its tradecraft is the most novel thing in this report. On a reseller-brokered autonomous system (AS142286, address space associated with the "Cloud Innovation" IPv4 broker and an abuse-tolerant Hong Kong reseller, OCTOPUS WEB SOLUTION), roughly 820 hosts serve FIFA "official portal" pages and Chinese-language World Cup betting kits. What earns the leg a section is not its size but where its domains come from.

They are not typosquats. They are aged, lapsed, legitimate-business domains, registered a decade or more ago, abandoned by their original owners, then re-registered and weaponized. Wayback Machine history confirms the pattern: bankofquanzhou[.]com hosted a Fujian bank's website from around 2010 until it lapsed, and now serves a World Cup betting kit; grupomundoprint[.]com was a Madrid print shop (2004–2019); praxesindia[.]com an Indian engineering firm (2011–2019); suleymanpekin[.]com a Turkish personal site. Two of them, grupomundoprint and praxesindia, historically redirected to the same gateway with identical archived content, which ties them to a common operator within this leg.

Why this one is hard to catch

Each recycled domain carries its own valid certificate (the certificate subject matches the domain) and scores 0 of 91 on VirusTotal. That combination defeats the two heuristics defenders lean on hardest: the domain is old, so new-domain age filters pass it, and it has no abuse history, so reputation filters pass it too. The takeaway is uncomfortable but concrete: an aged domain abruptly serving World Cup content should be treated as high-signal regardless of its registration age or clean reputation score.
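An added Python example (not the report's detection logic) showing why age and reputation filters pass these domains and what a content-pivot rule catches instead; the records are constructed, using the report's domain names but placeholder dates, titles and VirusTotal counts.

```python
"""Flag aged, clean-reputation domains that abruptly pivot to event-themed content."""
from datetime import date

EVENT_TERMS = ("world cup", "fifa", "worldcup", "买球", "开云")
TODAY = date(2026, 6, 6)           # fixed observation date so results are reproducible


def mentions_event(text: str) -> bool:
    t = text.lower()
    return any(term in t for term in EVENT_TERMS)


def classic_filters_flag(rec) -> bool:
    """What a new-domain-age or reputation filter does: flag only if young or dirty."""
    age_days = (TODAY - rec["created"]).days
    return age_days < 30 or rec["vt_detections"] > 0


def content_pivot_flag(rec):
    """Recycled-domain rule: old registration, historically unrelated content,
    event-themed content now, and a freshly issued certificate. All four must hold."""
    reasons = []
    age_years = (TODAY - rec["created"]).days / 365.25
    if age_years >= 5:
        reasons.append("registered %.0f years ago" % age_years)
    if rec["archived_titles"] and not any(mentions_event(t) for t in rec["archived_titles"]):
        reasons.append("archived content was unrelated to the event")
    if mentions_event(rec["current_title"]):
        reasons.append("now serving event-themed content")
    if (TODAY - rec["cert_not_before"]).days <= 30:
        reasons.append("certificate issued within the last 30 days")
    return len(reasons) == 4, reasons


def assess(rec):
    classic = classic_filters_flag(rec)
    pivot, reasons = content_pivot_flag(rec)
    return {"domain": rec["domain"], "classic_filters_flag": classic,
            "content_pivot_flag": pivot, "reasons": reasons}


# Constructed records: dates, titles and VT counts are placeholders, not observed values.
RECORDS = [
    {"domain": "bankofquanzhou.com", "created": date(2010, 1, 1),
     "vt_detections": 0, "cert_not_before": date(2026, 5, 30),
     "archived_titles": ["Bank of Quanzhou"],
     "current_title": "2026 World Cup 买球 Betting"},
    {"domain": "grupomundoprint.com", "created": date(2004, 1, 1),
     "vt_detections": 0, "cert_not_before": date(2026, 6, 1),
     "archived_titles": ["Grupo Mundo Print - Madrid"],
     "current_title": "FIFA World Cup 2026 Official Portal"},
    {"domain": "fresh-worldcup-lure.example", "created": date(2026, 6, 2),   # a typical new lure
     "vt_detections": 3, "cert_not_before": date(2026, 6, 2),
     "archived_titles": [], "current_title": "World Cup Tickets"},
    {"domain": "longtime-fanclub.example", "created": date(2012, 1, 1),     # aged but always on-topic
     "vt_detections": 0, "cert_not_before": date(2026, 5, 20),
     "archived_titles": ["World Cup Fan Club since 2012"],
     "current_title": "World Cup Fan Club - 2026 Fixtures"},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(assess(rec))
```

The two recycled domains pass the classic filters and trip only the content-pivot rule, while the fresh lure trips only the classic filters and the long-running fan site trips neither.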

A boundary on the finding, in keeping with the rest of this report: "Cloud Innovation" is an IP-address broker, not a proven operator, and shared brokered address space is no more evidence of a shared operator than shared hosting is. We confirmed four domains as weaponized recycled assets and hold roughly forty more as candidates pending content review; one apparent member (00200hk[.]com) turned out to be an ordinary stock-ticker squat rather than a recycled domain, and we cut it. The TTP is the finding; the precise headcount will move.

The Vigorish Viper connection, and its limits

One domain names the supply chain explicitly. app-kaiyun-fifa[.]com (Metaregistrar, May 29, on AS134175) references Kaiyun (开云), a brand within the Vigorish Viper ecosystem, the Infoblox-designated network (formerly Yabo Group, later folded into Ponymuah) that operates 170,000+ domains and provides a "baowang" (包网) technology stack: DNS, hosting, payments, apps, and templates sold to gambling operators [5]. The broader Vigorish Viper ecosystem has been linked to forced-labor operations in Cambodia and to front-company sponsorships of European football clubs [6].

Two limits keep this connection honest. First, the FIFA betting cluster runs on different ASNs (AS134175 / AS134548 / AS138415) than Vigorish Viper's core infrastructure (AS140227 / AS213840 / AS147019), which places the FIFA operator as a downstream customer of the baowang platform, not the Viper core team. Second, and to be explicit: this investigation found no evidence connecting the specific FIFA betting operator to the forced-labor or human-trafficking activities documented in the wider Vigorish Viper ecosystem. The connection we can support is at the technology-supply level. We will not stretch it further than that.

What the certificates don't show

CrimsonVector's CT work usually leans on behavioral fingerprinting, operator artifacts embedded in certificate subdomain labels. Against this ecosystem, that lens returned a meaningful negative. Our discovery pathways (first-label aggregation, SAN-list clustering, targeted keyword sweep) found zero FIFA-related fingerprints. These operators use commodity DV certificates (Let's Encrypt at 75%, plus Amazon and Google Trust) with no distinctive subdomain patterns or SAN bundling, unlike, say, the Russian phishing clusters that leave strong CT signatures. The methodological takeaway is worth stating: certificate behavioral fingerprinting is powerful against operators who build persistent infrastructure with distinctive certificate habits, and ineffective against commodity-infrastructure fraud. For this class, the productive surface was domain-name and network-infrastructure analysis, which is what this report runs on.

We also used certificates as an attribution test between the two big clusters. If GHOST STADIUM and the betting operation shared an operator, they might occasionally co-occur on a single certificate's SAN list. They do not: across 18,860 FIFA-related certificates on June 5, exactly zero bundle a GHOST STADIUM domain with a betting-cluster domain. On its own this is a weak signal (commodity DV certificates carry roughly one name each, so even a single operator would rarely co-bundle two brands), but it means no certificate link was found, consistent with the separation the harder evidence already implies: distinct ASNs, distinct registration channels, and distinct naming conventions. Shared kit, shared registrars, a shared criminal ecosystem: none of it collapses into "one operator."

Eleven days on: rotation, not retreat

Return, finally, to the question the timing posed. Eleven days after four coordinated advisories, the core infrastructure has not been taken down, but, unlike the snapshot a week earlier, it is visibly moving, and the change is worth stating precisely, because the easy version ("zero response") is now wrong.

On the enforcement side, there is more pressure than the first week showed. The two flagship phishing domains, fifa[.]center and fifa[.]gold, serving the kit as recently as June 3, have gone NXDOMAIN, and five front-end fifa-com.* / fifa[.]city domains now sit behind Cloudflare "Suspected Phishing" interstitials. On the resilience side, though, the operation simply rotated around it. The redirector at 43.98.183[.]110 still resolves and still serves the [prefix]-fifa.shop family; fifa[.]show and fifa-com[.]top are still up on Zillion; fifa-online[.]com moved to AWS; dk9873[.]top and ws.dk9873[.]top still resolve to 45.200.17[.]159; and the Hong Kong betting backbone was not only intact but still absorbing new registrations through June 6. No domain seizure, arrest, or law-enforcement takedown of either the kit or the betting backbone has surfaced in any public source.

Registrar-level enforcement remained thin: six domains in clientHold (worldcup26ticket[.]com, 2026fifaworldcuptickets[.]online, wvvw-fifa[.]com, fifa[.]beer, fifa[.]click, fifa-com[.]co), and only 6 of the 36 FBI-listed domains suspended. Every FBI-listed job-scam domain remained live. Eleven days is still short for cross-jurisdiction takedowns, so this is a snapshot, not a verdict, but to date, disclosure has documented and lightly pressured this infrastructure without dislodging it. The kit is rotating, not retreating; we will revisit the question as kickoff nears.

For defenders

The durable targets are the persistent ones. Disposable lure domains re-register in minutes; what is costly to replace is dk9873[.]top and the 45.200.17[.]0/24 Zillion range that hosts it and its self-hosted DNS, the bybanking cross-link domain, the redirector at 43.98.183[.]110, and the AS134175 betting backbone. Comprehensive abuse reporting (to Gname.com, Zillion Network, IT7/16clouds, Alibaba Cloud, and the relevant registrars) should include the full passive-DNS-derived domain sets, not just the published samples. Two hunt signatures travel well: the kit's favicon hash (-309449305) paired with its ticket-page title, and the recycled-domain pattern itself. An aged domain that abruptly serves World Cup content deserves suspicion on its own, because that leg is built to pass age and reputation checks. Hosting providers here are infrastructure intermediaries and are not necessarily complicit in the fraud.
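To make the favicon pivot reproducible from your own captures, the following is an added example (not the report's or Sigil's code): it computes the Shodan-style http.favicon.hash from raw icon bytes and looks it up against the two kit hashes published in this report. The hash values are the report's; the kit labels in the mapping are ours, and a hash hit should still be paired with the ticket-page title check as described above.

```python
import base64

# Added example (not the report's tooling): the Shodan-style favicon hash behind the
# http.favicon.hash pivot. Shodan base64-encodes the icon (76-column wrapped, as
# codecs.encode(data, "base64") emits it), runs MurmurHash3 x86_32 over that text,
# and stores the signed 32-bit value that the mmh3 library returns.
MASK32 = 0xFFFFFFFF


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, unsigned 32-bit result."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK32
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                     # up to 3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        h ^= (k * c2) & MASK32
    h ^= len(data)                                # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    return h ^ (h >> 16)


def to_signed32(h: int) -> int:
    """mmh3.hash() returns a signed int; Shodan indexes that form."""
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hash(icon: bytes) -> int:
    """http.favicon.hash value for raw favicon bytes."""
    return to_signed32(murmur3_32(base64.encodebytes(icon)))


# Hash values are the ones published in this report; the labels are ours.
KIT_FAVICONS = {-309449305: "GHOST STADIUM kit", -613889228: "reseller-leg FIFA kit"}


def classify_favicon(icon: bytes):
    """Kit label for a captured favicon, or None when it matches no known kit."""
    return KIT_FAVICONS.get(favicon_hash(icon))
```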

Methodology & reproducibility

Everything here runs on passive data and commodity tooling. Sigil ingests the Certificate Transparency stream and daily CZDS zone-file diffs into Parquet, queried with DuckDB; enrichment draws on WHOIS/RDAP, Shodan, Silent Push passive DNS, URLScan (existing results, no submissions), and Team Cymru ASN mapping. All collection was passive; no operator infrastructure was directly accessed. Two caveats already noted bear repeating: the May 28–29 partitions are CZDS-only (a CT-pipeline regression, since fixed), and every count here measures event-themed attack surface, not confirmed malicious infrastructure. One last caveat on the headline count: roughly 2.7% of the ~14,600 are filter false positives, chiefly the personal name "Afifah" on free hosting, plus a handful of rugby/cricket and prior-tournament-year domains, so we quote it as approximate, not exact.

Indicators of Compromise

Indicators are defanged. GHOST STADIUM hosting IPs are reproduced from Group-IB and verified by this investigation; the technical indicators in the final table are reproduced from Group-IB and not independently verified by us.

GHOST STADIUM: hosting & redirector IPs

| Role | Indicator |
|---|---|
| Redirector | 43.98.183[.]110, Alibaba Cloud SG (AS45102), ~30 [prefix]-fifa.shop |
| Production | 148.178.16[.]48 · 148.178.16[.]5 · 148.178.18[.]23 · 148.178.22[.]16 · 207.56.1[.]93 (Zillion, AS54801) |
| Staging | 89.208.250[.]38 · 65.49.223[.]138 · 104.225.235[.]49 · 66.112.212[.]25 (IT7/16clouds, AS25820) |
| Other | 154.86.0[.]33 (HK Lightlayer) · 216.189.149[.]193 (HostUS) · 137.220.224[.]67 (CTG, shared) · 85.121.242[.]41 (Majestic) |

Persistent operator layer (novel)

| Item | Indicator |
|---|---|
| Domain | dk9873[.]top, Gname.com, 2025-08-22, HK; ws./dk. subdomains |
| Current IP | 45.200.17[.]159 (Zillion, AS54801) |
| Cross-link | bybanking[.]com, subdomains on 89.208.250[.]38 + 45.200.17[.]159 |
| Self-hosted NS | 300f938569[.]com · 1255587256[.]com (on 45.200.17[.]120) |
| Nameservers | a5.share-dns[.]com · b5.share-dns[.]net (base-rate caveated) |

Hong Kong betting backbone

| Item | Indicator |
|---|---|
| AS134175 | Silvercorp Int'l Tower, 707–713 Nathan Rd, HK, 177.210/177.211/201.5/191.214.x.x · abuse hkstdd@gmail[.]com |
| AS134548 | DXTL, Tseung Kwan O, HK, 122.10.0[.]0/18 |
| AS138415 | Yancy Limited, HK, mobile/H5 |
| Registrars | Metaregistrar BV (.com) · Beijing Xinnet (.cn) · Web Commerce Communications (.cn) |
| Brand token | app-kaiyun-fifa[.]com, Vigorish Viper / Kaiyun baowang reference |

Footprint & tradecraft (this investigation)

| Item | Indicator |
|---|---|
| Kit favicon (hunt) | mmh3 -309449305 (GHOST STADIUM kit) · -613889228 (reseller-leg FIFA kit), Shodan http.favicon.hash pivots |
| Expanded kit hosts | ~17 hosts across ~8 ASNs (Alibaba Cloud, SpectraIP, QuadraNet, HostUS, Zillion ×2, IT7), beyond the 14 published IPs |
| Reseller leg | AS142286 (Cloud Innovation broker / OCTOPUS WEB SOLUTION), ~820 FIFA-titled hosts |
| Recycled domains | bankofquanzhou[.]com · grupomundoprint[.]com · praxesindia[.]com · suleymanpekin[.]com, aged legit domains re-registered & weaponized (own cert, VT 0/91) |

GHOST STADIUM technical indicators (from Group-IB, not independently verified)

| Item | Indicator |
|---|---|
| Meta Pixel | 927432823410218 · 1842358649811605 · 1569148414168343 |
| Tawk.to | 6976ccbaba77e8198a866266 |
| Kit | Layui 2.7.6 + React SPA; HTTP title "FIFA World Cup 2026™ Tickets…" |
| Crypto gateway | ChainUGO (testnet.chainugo[.]com) |
| Primary registrar | Gname.com Pte. Ltd. (57% of cluster, per Group-IB) |

Confidence assessment

| Finding | Confidence | Basis |
|---|---|---|
| Scale: ~14,600 event-themed domains (June 6), ~85% above alert day; transient peak 17,062 | High | Reproduced across full-day partitions; monotonic zone-file floor; corroborated by CTM360 & Flare |
| Core infrastructure not taken down ~11 days post-disclosure (kit rotating under light pressure) | High | Direct DNS + Cloudflare-status verification; no seizure in any public source |
| GHOST STADIUM per-IP enumeration & [prefix]-fifa naming | High | Silent Push passive DNS + Shodan on published IOCs |
| GHOST STADIUM kit footprint wider than the 14 published IPs | High | Favicon-hash + kit-title pivot across ~8 ASNs / 17 hosts |
| Recycled aged-domain leg (AS142286) weaponizing lapsed legit domains | Moderate–High | Wayback-verified on 4; ~40 candidates; shared-content redirect ties two |
| HK betting operation is coordinated (single operator/group) | Moderate–High | Cross-registrar, same-IP convergence (strong inference, not proof) |
| Betting and GHOST STADIUM are separate operators | Moderate–High | Distinct ASNs, registration channels & naming; no certificate link across 18,860 certs |
| dk9873[.]top connected to GHOST STADIUM | Moderate | bybanking shared-DNS control + naming match; function unobserved |
| FIFA betting operator = downstream Vigorish Viper customer | Moderate | Kaiyun brand reference; different ASNs from Viper core |
| dk9873[.]top is specifically C2 | Not established | No beacon/callback/admin traffic observed |

Sources

  1. FBI Internet Crime Complaint Center. "Public Service Announcement," PSA I-052726-PSA, May 27, 2026. ic3.gov.
  2. Group-IB. "The GHOST STADIUM Score: Billions At Stake At The World's Largest Football Tournament," May 27, 2026. group-ib.com.
  3. Palo Alto Networks Unit 42. "FIFA World Cup 2026 Attack Surface Analysis," May 28, 2026. unit42.paloaltonetworks.com.
  4. CTM360 / The Hacker News. "The Scam Before the Game: CTM360 Reveals Threats Targeting FIFA World Cup 2026 Fans," May 2026. thehackernews.com.
  5. Infoblox. "Gambling Is No Game: DNS Links Between Chinese Organized Crime and Sports Sponsorships," July 2024. infoblox.com.
  6. The Record. "Chinese cybercrime syndicate behind gambling sites advertised at European sporting events," July 2024. therecord.media.

CrimsonVector, Investigative research by Diego Parra into criminal infrastructure, threat actor attribution, and security research. Defanged URLs and IPs are intentionally bracketed per responsible disclosure conventions.