Adversary Intelligence
Executive Summary

With the FIFA World Cup 2026 tournament scheduled to begin on June 11, 2026, a highly active, multi-tenant ticket fraud operation has been identified targeting prospective attendees globally. According to research by CloudSEK's TRIAD, threat actors have deployed a scalable phishing and card-skimming infrastructure designed to mimic legitimate FIFA ticketing platforms. The operation uses typosquatted domains, a commercially developed multi-tenant administrative system hosted at admin-zone[.]tbpay[.]uk, and embedded live chat support via tawk[.]to (a legitimate service) to appear genuine during fraudulent victim interactions.

Technical analysis of the operational infrastructure reveals:

  • Convincing Brand Mimicry: High-fidelity clones of the official FIFA website dynamically mirroring legitimate tournament news, match structures, and stadium schedules to deceive security-conscious users.
  • Real-Time Skimming Capabilities: An active backend management system tracking victim navigation states and capturing payment card details (PAN, Expiry, CVV) during simulated checkouts.
  • Distributed Reseller Ecosystem: A multi-tenant reseller scheme supporting at least 15 active, unique operator instances.

The platform functions as an active, real-time Man-in-the-Middle (MitM) phishing and OTP bypass framework rather than a standard credit card harvester. By tracking live victim sessions, operators can intercept and relay One-Time Passwords (OTPs) to bypass SMS-based 2FA, enabling full account compromise.

Target traffic is driven through Facebook and Instagram in-app browsers. Simplified Chinese localizations, operator geolocations, and backend naming conventions suggest the threat actors are based in the People's Republic of China (PRC). The core payment routing hub, tbpay[.]uk, lacks financial regulatory authorization, consistent with historical malicious patterns linked to its sibling domain, tbpay[.]site.

Diamond Model of Intrusion Analysis

1. Threat Actor Assessment

Attribution Confidence: MODERATE-HIGH

Likely Origin: China (PRC)

Key Indicators:

- Backend panel UI rendered entirely in Simplified Chinese (平台管理系统 = "Platform Management System"; 数据中心 = "Data Center"; 仪表盘 = "Dashboard"; 租户管理 = "Tenant Management"; 角色权限 = "Role Permissions"; 监控管理 = "Monitoring Management")

- Operator admin access repeatedly from IP `222[.]167[.]244[.]34` (CN) confirmed across at least 6 sessions (Jan–May 2026)

- The Data Center view (Image 5) shows IP `222[.]167[.]244[.]34` performing card-skimming administrative operations as recently as May 12, 2026

- Tenant "xfkj / XFKJ" (Tenant ID 5) linked to IP `222[.]167[.]244[.]34` and payment processor `tbpay[.]uk`

- Additional operator/scanning IPs: `27[.]150[.]251[.]195`, `123[.]100[.]137[.]38`

2. Infrastructure — Detailed Analysis

2.1 Phishing Frontend & Brand Mimicry

Frontend Phishing Site (Image 1)

Screenshot from `hxxps://sdf-26fifa[.]top/en/tournaments/mens/worldcup/canadamexicousa2026` confirms a pixel-perfect clone of the official FIFA website, including:

- FIFA World Cup trophy logo and full navigation bar (QUIZ, MATCH SCHEDULE, TEAMS STADIUMS, SELLING TICKETS, TICKETS, FIFA World Cup 26, KEY DETAILS, MEXICO STADIUMS)

- Live content including real match news headlines (Congo DR, Netherlands/Bergkamp, etc.) — sourced by scraping or mirroring the real site to maintain dynamic authenticity

- The domain `sdf-26fifa[.]top` is part of the `*.sdf-26fifa[.]top` wildcard cluster identified in the IOC list

- The URL path structure exactly mirrors the official FIFA tournament pages, making the clone difficult to detect without scrutinizing the domain itself

Significance: This is not a basic phishing page — the actors have invested significantly in mirroring real FIFA content to deceive even security-aware users.

2.2 Fake Payment Cart

Fake Ticket Shopping Cart (Image 2)

Screenshot from `hxxps://www[.]ww-fifa[.]com/cart` shows a fully functional fake ticket purchasing interface:

- Product listed: "FIFA WORLD CUP 26™ opening ceremony" — $275.00 per ticket

- Match start time: 2026-06-11 08:00 (the actual World Cup opening date)

- Seating Section: FIFA Pavilion

- Quantity: 5 tickets selected → Order total: $1,375.00

- Payment options displayed: Visa, Mastercard, Amex, PayPal, Apple Pay — creating maximum victim confidence

- False trust signals: "In Stock" badge, "Secure checkout • Your data is protected", padlock icon

Significance: The site is timed to the real World Cup opening (June 11, 2026), maximising urgency and believability. The $275/ticket price point is plausible for premium opening ceremony seats. At $1,375 per victim transaction (5 tickets), even a small victim count generates substantial fraud proceeds. The domain `ww-fifa[.]com` is confirmed in the tawk[.]to cookie data from Image 3.

2.3 Operational Security Failure: Exposed Server Environment

Exposed PHP Debug Page — Credential Leak

A PHP debug/error page was inadvertently exposed on one of the phishing domains, leaking the following sensitive server environment data:

| Variable | Value | Significance |
|---|---|---|
| `PHP_DATABASE_HOSTNAME` | `127[.]0[.]0[.]1` | Local MySQL on the same server |
| `PHP_DATABASE_DATABASE` | `fifa_ming` | Database name — "ming" is a common Chinese name, further corroborating CN origin |
| `PHP_DATABASE_USERNAME` | [REDACTED_USER] | DB username |
| `PHP_DATABASE_PASSWORD` | [REDACTED_PASSWORD] | Plaintext database password exposed |
| `PHP_DATABASE_PREFIX` | `fa_` | Table prefix |
| `PHP_APP_UKEY` | [REDACTED_SECRET] | Application key |
| `PHP_APP_USCREPT` | [REDACTED_SECRET] | Application secret |
| `twk_uuid_69b2c0b49dd4d71c370f2cbf` | Session token with `domain:"ww-fifa[.]com"` | Confirms the tawk[.]to property is linked to the ww-fifa[.]com phishing domain |
| `HTTP_CF_IPCOUNTRY` | `SE` | Victim accessing from Sweden |
| `HTTP_CF_CONNECTING_IP` | REDACTED | Victim's real IP address (Sweden) |
| `HOME` | `/home/www` | Server home directory |
| `USER` | `www` | Web server user account |

Significance: The exposed database name `fifa_ming` is a direct operational security failure. The leaked credentials could allow access to the backend MySQL database storing all harvested card data and victim PII. The Cloudflare headers confirm the infrastructure uses Cloudflare as a reverse proxy for CDN and IP masking. The `PHP_APP_DEBUG = 1` setting indicates the application was left in debug mode in production — an OPSEC error.

2.4 The Payment Backend

Payment Backend — tbpay[.]uk Admin Dashboard (Image 4)

The dashboard (titled 平台管理系统 — "Platform Management System") shows the fraud operator's command and control panel with the following metrics visible:

- Merchant ID: 1

- API Address: `hxxps://admin-zone[.]tbpay[.]uk`

- Frontend Live: 0 (no active frontend sessions at time of capture)

- Backend Live: 2 (two active backend operator sessions)

- Today's Visits: 0

- Intercepted: 0

- Paying Users: 0 (付款人数)

- Payment Transactions: 0 (付款笔数)

The dashboard includes a domain visit statistics chart (域名访问统计) tracking "Visits" (访问) vs "Paid" (已支付) — a conversion funnel typical of fraud-as-a-service kits. The time range shown is 06/02–06/08, 2026. Left navigation includes: Dashboard (仪表盘), Access Control (访问控制), Data Center (数据中心), Order Statistics (订单统计), Accounts & Roles (账号&角色), Monitoring Management (监控管理), System Settings (系统设置).

Significance: The "Intercepted" counter (已拦截) strongly suggests the platform has a function to intercept and relay OTP/2FA codes entered by victims — a classic MitM (man-in-the-middle) real-time phishing capability. This elevates the threat from simple card capture to active authentication bypass.

2.5 Live Session & OTP Interception Flow

Data Center — Live Card Skimming Records (Image 5)

This is the most operationally significant information captured. It shows the real-time card harvesting log with full victim payment card details:

Sample Record (Entry #21037):

| Field | Value |
|---|---|
| Domain | `shop[.]example[.]com` (redacted/placeholder visible) |
| Country | US |
| IP | `222[.]167[.]244[.]34` (CN operator — testing/verifying the system) |
| Timestamp | 2026-05-12 8:30:42 |
| Card Holder | [REDACTED_USER] |
| Card Number | `411*************` (Visa test card — confirms operator testing) |
| Expiry | REDACTED |
| CVV | `6**` |
| Card Type | CLASSIC |
| Issuing Bank | CONOTOXIA SP. Z O[.]O (Polish fintech) |
| Journey Tracked | Product page 4, Address page 7, Card entry page 4, OTP page 0, Action log 5 |

The data center tracks full victim journey pages: 商品页 (Product page), 地址页 (Address page), 填卡页 (Card entry page), OTP验证页 (OTP verification page), 操作记录 (Action log). This confirms the platform captures the entire checkout flow and is capable of intercepting OTP verification.

Second Record (Entry #18773): CN operator testing from `127[.]0[.]0[.]1:8866` (localhost) and `222[.]167[.]244[.]34`, timestamped 2026-05-08 — further confirming the CN IP is the platform operator conducting QA testing.

Significance: The use of `41**************` (a universally-known Visa test BIN) in this record confirms the operator is testing the card capture pipeline. Real victim records would contain genuine card data. The per-victim journey tracking (product → address → card → OTP) confirms a full MitM checkout phishing kit capable of capturing card data AND bypassing SMS/OTP authentication in real time.
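For a fraud or SOC team consuming this report, the operator's use of a test PAN and the per-IP pattern of pushing several cards through the kit are the two signals worth automating. The following is an added example written for this article (not CloudSEK's code and not anything recovered from the kit): it flags checkout records that carry a publicly documented test PAN such as the Visa 4111... number, or that fail the Luhn checksum, and it flags source IPs that submit several distinct PANs within a short window. The records, the TEST-NET IP addresses and the PANs are all constructed for the example; nothing from the panel is reproduced.

```python
"""Card-testing detection over checkout records.

Added example for this report (not CloudSEK's or the kit's own code).
It flags records that use publicly documented test PANs, such as the
Visa 4111... number the Data Center record shows, or that fail the Luhn
check, and it flags source IPs that submit several distinct PANs in a
short window: the BIN-testing pattern the report attributes to the
operator IP. All records, IPs (TEST-NET ranges) and PANs below are
constructed for the example; no data from the panel is reproduced.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Publicly documented payment-gateway sandbox PANs (never real cards).
TEST_PANS = {
    "4111111111111111",  # Visa
    "4012888888881881",  # Visa
    "5555555555554444",  # Mastercard
    "378282246310005",   # American Express
}


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) checksum."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(rec: dict) -> list[str]:
    """Per-record flags: test PAN, Luhn failure, and whether the OTP step was reached."""
    flags = []
    pan = rec["pan"].replace(" ", "")
    if pan in TEST_PANS:
        flags.append("test-pan")
    elif not luhn_valid(pan):
        flags.append("luhn-fail")
    if rec.get("otp_page_hits", 0) > 0:
        flags.append("otp-step-reached")
    return flags


def card_testing_ips(records, window=timedelta(minutes=10), threshold=3):
    """IPs that submit at least `threshold` distinct PANs inside any `window`."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append((datetime.fromisoformat(r["ts"]), r["pan"].replace(" ", "")))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            pans = {p for t, p in events[i:] if t - t0 <= window}
            if len(pans) >= threshold:
                flagged.add(ip)
                break
    return flagged


# Constructed sample records mirroring the panel's fields (not real victims).
SAMPLE_RECORDS = [
    {"id": 1, "ip": "192.0.2.10",   "ts": "2026-05-12T08:30:42", "pan": "4111 1111 1111 1111", "otp_page_hits": 0},
    {"id": 2, "ip": "192.0.2.10",   "ts": "2026-05-12T08:31:10", "pan": "4012888888881881",    "otp_page_hits": 0},
    {"id": 3, "ip": "192.0.2.10",   "ts": "2026-05-12T08:33:05", "pan": "5555555555554444",    "otp_page_hits": 0},
    {"id": 4, "ip": "198.51.100.7", "ts": "2026-05-12T09:02:00", "pan": "4539148803436467",    "otp_page_hits": 1},
    {"id": 5, "ip": "198.51.100.8", "ts": "2026-05-12T09:05:00", "pan": "4111111111111112",    "otp_page_hits": 0},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["id"], rec["ip"], classify_record(rec))
    print("card-testing IPs:", card_testing_ips(SAMPLE_RECORDS))
```

The window and threshold are deliberately conservative defaults; a real deployment would tune them against the merchant's normal per-IP card diversity, and would join the flagged IPs against authorization logs, which is the cross-referencing the Recommendations section asks card networks to perform.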

2.6 Tenant & Reseller Ecosystem

Tenant Management Panel (Image 6)

URL: `hxxps://admin-zone[.]tbpay[.]uk/users/tenant`

Confirms 15 total tenants (共15条) in the fraud reseller network.

Note: Image 6 provides updated last login timestamps vs. the previously captured text data, including active sessions as recently as June 3–5, 2026. Tenant 6's IP is updated to `38[.]60[.]195[.]137` (not `43[.]23[.]232[.]225` as in earlier data).

Role & Permissions Structure (Image 7)

Three roles are defined in the platform:

| Role | Created | Notes |
|---|---|---|
| 超级管理员 (Super Administrator) | 2025-12-03 | Platform founder role — created at platform inception |
| 游客 (Guest/Visitor) | 2025-12-08 | Low-privilege access, likely for prospect/trial operators |
| 员工 (Employee/Staff) | 2026-03-27 | Added later, likely for sub-operators or hired workers |

Significance: The "Employee" role added on 2026-03-27 suggests the operation has grown to include hired staff — potentially workers recruited to manage victim interactions via the tawk[.]to live chat, process orders, or operate individual phishing campaigns. This indicates the operation has moved beyond a small group to a more structured criminal enterprise.

2.7 Victim Tracking Panel

Access Monitoring — Victim Tracking Panel (Image 8)

Confirms the victim browser monitoring panel with real-time IP blacklisting/whitelisting capability:

- Buttons: 加入黑名单 (Add to blacklist) / 移出黑名单 (Remove from blacklist) per visitor

- A "一键清空" (Clear All) button to wipe logs

- Tracks: browser platform, full user-agent, visit type (访问), IP, country, timestamp

- The CN operator IP `222[.]167[.]244[.]34` appears at the top of this log as well (most recent entry: 2026-05-12), confirming active management

The blacklist feature allows operators to block security researchers, automated scanners, or known analyst IPs from accessing the phishing pages — a defensive measure to evade detection.

Repeated Infrastructure Usage

tbpay[.]uk — Reputation & Classification

tbpay[.]uk functions as the core payment interception and management infrastructure for this fraud operation. Based on open-source intelligence:

- The sibling domain `tbpay[.]site` has been flagged by IPQS (IPQualityScore) as a phishing domain and rated low trust by ScamAdviser, with the review noting it was "reported by IPQS for phishing" and "classified as suspicious." `tbpay[.]site` was first flagged in October 2023, indicating the tbpay infrastructure family has a documented phishing history predating this FIFA operation.

- `tbpay[.]uk` itself does not appear to be registered with the UK's Financial Conduct Authority (FCA) as an authorised payment service provider — operating as a payment processor in the UK without FCA authorisation is illegal under the Payment Services Regulations 2017.

- The admin portal at `admin-zone[.]tbpay[.]uk` is confirmed from screenshots to be a Chinese-language fraud kit that: (a) tracks victim visits by domain, (b) captures full payment card details including CVV, (c) logs victim OTP/2FA codes, (d) manages multiple operator tenants, and (e) provides blacklisting of investigator IPs.

- The platform appears purpose-built for card-present phishing — it is not a legitimate payment gateway. There is no evidence of actual payment processing to merchants; the platform's sole function is to harvest cardholder data.

- The domain `tbpay[.]uk` uses the `.uk` ccTLD to imply UK legitimacy to victims and investigators, while all operational control resides with CN-based operators.

Classification: HIGH-CONFIDENCE FRAUDULENT PAYMENT INFRASTRUCTURE

Victim Profiling & Traffic Analysis

Geographic Targeting

Primarily US-based victims, with secondary hits from: Italy, Romania, Philippines, Sweden, Australia, Lithuania, Canada, South Africa, Austria, Saudi Arabia, Germany, South Korea, Hong Kong.

Traffic Sources

Primary infection vector is social media in-app browsers:

- Facebook (iOS/Android): ~60–65% of sessions

- Instagram (iOS/Android): ~15%

- Desktop browsers (Chrome, Edge, Opera, Safari): ~15–20%

- Mobile Chrome (Android): ~5%

Earliest Activity

First victim wave on January 19, 2026 — international traffic from 10+ countries within a 45-minute window, consistent with a coordinated social media ad flight.

Live Customer Support — tawk[.]to Abuse

The operation uses tawk[.]to (legitimate live chat SaaS) to provide real-time victim support:

- Property ID: `69b2c0b49dd4d71c370f2cbf`

- Subdomain: `fifa-rbi605[.]p[.]tawkto[.]email`

- Linked domain in cookie data: `ww-fifa[.]com`

- Support ticket (June 1, 2026): User "[REDACTED_USER]" requesting purchase of tickets

The classification of this operation must be upgraded from a basic phishing/card-capture scheme to a full MitM real-time phishing kit with OTP bypass capability. The Data Center panel (Image 5) explicitly tracks an "OTP Verification Page" (OTP验证页) per victim, meaning the platform is designed to relay OTP codes entered by victims to the real FIFA/payment sites in real time, completing authentication on behalf of the attacker while the session is live.

This places the operation in a significantly more dangerous category — it can defeat SMS-based 2FA and is capable of facilitating account takeovers beyond simple card fraud.

Key Intelligence Gaps & Limitations:

  • Unknown Financial Impact: Although the platform features a highly functional payment routing interface with plausible pricing structures, the cumulative financial losses generated by this operation are unknown. The captured command-and-control dashboard displayed zero active transactions at the exact moments of capture, meaning total illicit revenue cannot be calculated from the available data.
  • Unquantified Victim Volume: While database entry logs (e.g., Index #21037) imply a significant volume of historic interactions, the exact number of successfully skimmed payment cards and compromised accounts remains unverified. Without a complete, live dump of the backend SQL database (fifa_ming), it is impossible to determine how many victims have been successfully defrauded versus how many transactions failed or were blocked.
  • Real-Time Operational Status: Although administrative logins were recorded as recently as June 3–5, 2026, we lack live traffic telemetry. Therefore, we cannot confirm whether all identified phishing domains and payment backends remain actively routing live victim sessions, or if portions of the infrastructure have already been taken down, abandoned, or migrated to new, unmapped nodes.
  • Attribution Nuances: Linguistic indicators (Simplified Chinese) and repeated logins from China-based IP addresses strongly point to operators originating from or based in China. However, the potential use of residential proxies, VPNs, or compromised hop-points by the threat actors cannot be entirely ruled out. Furthermore, because this is a multi-tenant platform with at least 15 separate operator accounts, individual resellers may be operating independently from different geographic regions.

Domain Network (Typosquatting / Brand Impersonation)

The operation registers domains across a wide range of TLDs, all impersonating FIFA or FIFA World Cup 2026. All domains are indexed via FOFA queries matching the page title "FIFA World Cup 2026™ Tickets | Host Cities, Dates, Teams, Tickets". Details are mentioned under IOCs.

IOCs

Core Infrastructure & Payment Portals

- admin-zone[.]tbpay[.]uk
- tbpay[.]uk
- tbpay[.]site

Phishing & Typosquatting Domains

- ww-fifa[.]com
- sdf-26fifa[.]top
- *[.]sdf-26fifa[.]top
- site-fifa[.]site
- *[.]site-fifa[.]site
- www-fifa[.]bio
- *[.]www-fifa[.]bio
- www-fifa[.]asia
- www-fifa[.]bar
- www-fifa[.]biz[.]id
- www-fifa[.]bond
- www-fifa[.]cfd
- www-fifa[.]click
- www-fifa[.]club
- www-fifa[.]cyou
- www-fifa[.]digital
- www-fifa[.]icu
- www-fifa[.]info
- www-fifa[.]lol
- www-fifa[.]monster
- www-fifa[.]my
- www-fifa[.]my[.]id
- www-fifa[.]one
- www-fifa[.]qpon
- www-fifa[.]sbs
- www-fifa[.]web[.]id
- www-fifa[.]work
- www-fifa[.]xin
- www-fifa[.]xyz
- fifa[.]center
- fifa[.]gold
- fifa-online[.]com
- fifaworldcup26[.]sale
- www[.]fifaworldcup[.]one
- aa-fifa[.]shop
- gx-fifa26[.]shop
- wz-fifa26[.]shop
- fifa[.]shopping
- fifa[.]ski
- 1346590[.]com

IP Addresses

- 222[.]167[.]244[.]34
- 27[.]150[.]251[.]195
- 123[.]100[.]137[.]38
- 138[.]199[.]60[.]37
- 104[.]225[.]150[.]140
- 216[.]126[.]233[.]30
- 216[.]126[.]233[.]37
- 45[.]149[.]172[.]35
- 154[.]47[.]30[.]138
- 197[.]234[.]242[.]86
- 156[.]226[.]172[.]223
- 188[.]253[.]7[.]187
- 188[.]253[.]7[.]92
- 38[.]60[.]195[.]137

Support & Chat Infrastructure

- Tawk.to Property ID: 69b2c0b49dd4d71c370f2cbf
- Email Sender Address: tickets@fifa-rbi605[.]p[.]tawkto[.]email

Metadata (As Extracted)

- Database Name: fifa_ming
- Database Password: [REDACTED_PASSWORD]
- Table Prefix: fa_
- Application Key: [REDACTED_SECRET]
- Application Secret: [REDACTED_SECRET]

Recommendations:

For Financial Institutions / Card Networks:

- Flag all card-not-present transactions originating from the listed phishing domains

- The card BIN testing activity from `222[.]167[.]244[.]34` on May 8, 2026 should be cross-referenced against any real transactions from that IP

- Investigate `tbpay[.]uk` as a rogue payment processor; card network fraud teams should blacklist its merchant IDs

For the Public:

- Only purchase FIFA World Cup 2026 tickets through the official FIFA website (fifa[.]com)

- The legitimate FIFA site will never use domains containing "ww-fifa", "www-fifa", "sdf-26fifa", or any variant of "tbpay"

- Be extremely wary of FIFA ticket links shared via Facebook or Instagram
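The Domain Network section and the IOC list publish the indicators defanged, and the public recommendation above names the lookalike tokens ("ww-fifa", "www-fifa", "sdf-26fifa", "tbpay") that the legitimate site never uses. The following added example (written for this article, not CloudSEK's code) turns both into something a SOC can run against proxy or DNS logs: it refangs the published indicators, matches hostnames against exact and wildcard (`*.`) entries, and separately flags hosts that carry a lookalike token even when that exact domain is not yet on the list. Only a subset of the report's IOCs is embedded, and the log lines and the hosts in them are constructed.

```python
"""Defanged-IOC loader and FIFA lookalike matcher for proxy/DNS logs.

Added example for this report (not CloudSEK's code). It refangs the
indicators as published in the IOC list, matches hostnames against exact
and wildcard (`*.`) entries, and separately flags hosts that contain the
lookalike tokens named under Recommendations even when the exact domain
is not yet listed. Only a subset of the report's IOCs is embedded; the
log lines and the hosts in them are constructed for the example.
"""
import re

# Subset of the report's IOC list, kept defanged as published.
DEFANGED_IOCS = [
    "admin-zone[.]tbpay[.]uk",
    "tbpay[.]uk",
    "tbpay[.]site",
    "ww-fifa[.]com",
    "sdf-26fifa[.]top",
    "*[.]sdf-26fifa[.]top",
    "www-fifa[.]bio",
    "*[.]www-fifa[.]bio",
    "fifaworldcup26[.]sale",
]

# Lookalike tokens from the Recommendations section.
LOOKALIKE_TOKENS = ("ww-fifa", "www-fifa", "sdf-26fifa", "tbpay")

OFFICIAL_DOMAIN = "fifa.com"


def refang(ioc: str) -> str:
    """Undo the common defanging conventions ([.] and hxxp)."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def build_matcher(defanged):
    """Split IOCs into an exact-host set and a set of wildcard parents."""
    exact, wildcard = set(), set()
    for d in (refang(x).lower() for x in defanged):
        if d.startswith("*."):
            wildcard.add(d[2:])
        else:
            exact.add(d)
    return exact, wildcard


def classify_host(host, exact, wildcard):
    """Verdict for one hostname: official, ioc-exact, ioc-wildcard, lookalike or clean."""
    host = host.lower().rstrip(".")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    if host in exact:
        return "ioc-exact"
    if any(host.endswith("." + parent) for parent in wildcard):
        return "ioc-wildcard"
    if any(tok in host for tok in LOOKALIKE_TOKENS):
        return "lookalike"
    return "clean"


# Constructed proxy log lines: timestamp client host method path.
SAMPLE_LOG = """\
2026-06-01T10:02:11Z 10.0.0.5 www.fifa.com GET /tickets
2026-06-01T10:03:40Z 10.0.0.9 sdf-26fifa.top GET /en/tournaments/mens/worldcup
2026-06-01T10:04:02Z 10.0.0.9 shop.sdf-26fifa.top GET /cart
2026-06-01T10:05:13Z 10.0.0.12 www-fifa.example GET /
2026-06-01T10:06:50Z 10.0.0.12 admin-zone.tbpay.uk POST /api/order
2026-06-01T10:07:21Z 10.0.0.14 news.example.org GET /sport
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)$")


def scan_log(text: str) -> dict:
    """Return {host: verdict} for every host in the log, using the embedded IOC subset."""
    exact, wildcard = build_matcher(DEFANGED_IOCS)
    verdicts = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdicts[m["host"]] = classify_host(m["host"], exact, wildcard)
    return verdicts


if __name__ == "__main__":
    for host, verdict in scan_log(SAMPLE_LOG).items():
        if verdict != "clean":
            print(f"{verdict:13} {host}")
```

The token match is deliberately a separate, lower-confidence verdict: the report notes the actors register across many TLDs, so a "lookalike" hit on a host not yet in the IOC list is a lead to enrich and block, while an "ioc-exact" or "ioc-wildcard" hit can go straight to a block rule.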

Gagan Aggarwal
Ayush Panwar
Cybersecurity Consultant who loves hacking, breaking things, and learning new ways to secure them.