Executive Summary

With the FIFA World Cup 2026 tournament scheduled to begin on June 11, 2026, a highly active, multi-tenant ticket fraud operation has been identified targeting prospective attendees globally. According to research by CloudSEK's TRIAD, threat actors have deployed a scalable phishing and card-skimming infrastructure designed to mimic legitimate FIFA ticketing platforms. The operation uses typosquatted domains, a commercially developed multi-tenant administrative system hosted at admin-zone[.]tbpay[.]uk, and embedded live chat support (tawk[.]to) to establish legitimacy during fraudulent victim interactions.

Technical analysis of the operational infrastructure reveals:

  • Convincing Brand Mimicry: High-fidelity clones of the official FIFA website dynamically mirroring legitimate tournament news, match structures, and stadium schedules to deceive security-conscious users.
  • Real-Time Skimming Capabilities: An active backend management system tracking victim navigation states and capturing payment card details (PAN, Expiry, CVV) during simulated checkouts.
  • Distributed Reseller Ecosystem: A multi-tenant reseller scheme supporting at least 15 active, unique operator instances.

The platform functions as an active, real-time Man-in-the-Middle (MitM) phishing and OTP bypass framework rather than a standard credit card harvester. By tracking live victim sessions, operators can intercept and relay One-Time Passwords (OTPs) to bypass SMS-based 2FA, enabling full account compromise.

Target traffic is driven through Facebook and Instagram in-app browsers. Simplified Chinese localizations, operator geolocations, and backend naming conventions suggest the threat actors are based in the People's Republic of China (PRC). The core payment routing hub, tbpay[.]uk, lacks financial regulatory authorization, consistent with historical malicious patterns linked to its sibling domain, tbpay[.]site.

Diamond Model of Intrusion Analysis

1. Threat Actor Assessment

Attribution Confidence: MODERATE-HIGH

Likely Origin: China (PRC)

Key Indicators:

- Backend panel UI rendered entirely in Simplified Chinese (平台管理系统 = "Platform Management System"; 数据中心 = "Data Center"; 仪表盘 = "Dashboard"; 租户管理 = "Tenant Management"; 角色权限 = "Role Permissions"; 监控管理 = "Monitoring Management")

- Operator admin access repeatedly from IP `222[.]167[.]244[.]34` (CN) confirmed across at least 6 sessions (Jan–May 2026)

- The Data Center view (Image 5) shows IP `222[.]167[.]244[.]34` performing card-skimming administrative operations as recently as May 12, 2026

- Tenant "xfkj / XFKJ" (Tenant ID 5) linked to IP `222[.]167[.]244[.]34` and payment processor `tbpay[.]uk`

- Additional operator/scanning IPs: `27[.]150[.]251[.]195`, `123[.]100[.]137[.]38`

2. Infrastructure — Detailed Analysis

2.1 Phishing Frontend & Brand Mimicry

Frontend Phishing Site (Image 1)

Screenshot from `hxxps://sdf-26fifa[.]top/en/tournaments/mens/worldcup/canadamexicousa2026` confirms a pixel-perfect clone of the official FIFA website, including:

- FIFA World Cup trophy logo and full navigation bar (QUIZ, MATCH SCHEDULE, TEAMS STADIUMS, SELLING TICKETS, TICKETS, FIFA World Cup 26, KEY DETAILS, MEXICO STADIUMS)

- Live content including real match news headlines (Congo DR, Netherlands/Bergkamp, etc.) — sourced by scraping or mirroring the real site to maintain dynamic authenticity

- The domain `sdf-26fifa[.]top` is part of the `*.sdf-26fifa[.]top` wildcard cluster identified in the IOC list

- The URL path structure exactly mirrors the official FIFA tournament pages, making the clone difficult to detect without scrutinizing the domain itself

Significance: This is not a basic phishing page — the actors have invested significantly in mirroring real FIFA content to deceive even security-aware users.

2.2 Payment Cart Crash

Fake Ticket Shopping Cart (Image 2)

Screenshot from `hxxps://www[.]ww-fifa[.]com/cart` shows a fully functional fake ticket purchasing interface:

- Product listed: "FIFA WORLD CUP 26™ opening ceremony" at $275.00 per ticket

- Match start time: 2026-06-11 08:00 (the actual World Cup opening date)

- Seating Section: FIFA Pavilion

- Quantity: 5 tickets selected → Order total: $1,375.00

- Payment options displayed: Visa, Mastercard, Amex, PayPal, Apple Pay — creating maximum victim confidence

- False trust signals: "In Stock" badge, "Secure checkout • Your data is protected", padlock icon

Significance: The site is timed to the real World Cup opening (June 11, 2026), maximising urgency and believability. The $275/ticket price point is plausible for premium opening ceremony seats. At $1,375 per victim transaction (5 tickets), even a small victim count generates substantial fraud proceeds. The domain `ww-fifa[.]com` is confirmed in the tawk[.]to cookie data from Image 3.
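As an added example (not CloudSEK's code), a hunting helper that refangs the indicators quoted in sections 2.1 and 2.2, then flags proxy log lines that hit a known IOC, fall under the `*.sdf-26fifa[.]top` wildcard cluster, or carry the FIFA brand on a host outside fifa.com. The log lines are constructed, and treating fifa.com as the brand's only legitimate zone is an assumption.

```python
import re
from urllib.parse import urlsplit
# Defanged indicators as quoted in the report.
REPORT_IOCS = [
    "hxxps://sdf-26fifa[.]top/en/tournaments/mens/worldcup/canadamexicousa2026",
    "hxxps://www[.]ww-fifa[.]com/cart",
    "hxxps://admin-zone[.]tbpay[.]uk",
]
WILDCARD_CLUSTERS = ["*.sdf-26fifa[.]top"]
LEGITIMATE_ZONES = ("fifa.com",)  # assumption: the brand's only legitimate zone

def refang(ioc):
    # hxxps://x[.]y -> https://x.y so it can be matched against real log data
    return ioc.replace("hxxp", "http").replace("[.]", ".")
def host_of(url):
    return (urlsplit(refang(url)).hostname or "").lower()
def in_zone(host, zone):
    return host == zone or host.endswith("." + zone)
def cluster_for(host):
    # Name of the wildcard cluster the host falls under, or None
    for pattern in WILDCARD_CLUSTERS:
        if in_zone(host, refang(pattern)[2:]):  # strip the leading "*."
            return pattern
    return None
def impersonates_brand(host, brand="fifa"):
    # Brand string present in the host, but outside every legitimate zone
    return brand in host and not any(in_zone(host, z) for z in LEGITIMATE_ZONES)
def hunt(log_lines):
    # Returns (host, reason) for each line whose destination looks like the campaign
    known = {host_of(i) for i in REPORT_IOCS}
    hits = []
    for line in log_lines:
        m = re.search(r"https?://\S+", line)
        host = host_of(m.group(0)) if m else ""
        if host in known:
            hits.append((host, "known IOC"))
        elif cluster_for(host):
            hits.append((host, "wildcard cluster " + cluster_for(host)))
        elif impersonates_brand(host):
            hits.append((host, "brand lookalike outside fifa.com"))
    return hits

# Constructed proxy log lines (not from the report); the first one is benign.
SAMPLE_LOG = [
    "2026-05-12T10:01:03Z 10.0.0.7 GET https://www.fifa.com/tournaments/mens/worldcup/canadamexicousa2026 200",
    "2026-05-12T10:02:11Z 10.0.0.7 GET https://sdf-26fifa.top/en/tournaments/mens/worldcup/canadamexicousa2026 200",
    "2026-05-12T10:03:45Z 10.0.0.9 GET https://tickets.sdf-26fifa.top/checkout 200",
    "2026-05-12T10:04:02Z 10.0.0.9 POST https://www.ww-fifa.com/cart 302",
    "2026-05-12T10:05:30Z 10.0.0.4 GET https://fifa-tickets2026.example/ 200",
]
```

Running `hunt(SAMPLE_LOG)` returns the four non-benign hosts with the reason each one matched; the lookalike rule is what catches new domains the IOC list does not yet name.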

2.3 Operational Security Failure: Exposed Server Environment

Exposed PHP Debug Page — Credential Leak

A PHP debug/error page was inadvertently exposed on one of the phishing domains, leaking the following sensitive server environment data:

| Variable | Value | Significance |
| --- | --- | --- |
| `PHP_DATABASE_HOSTNAME` | `127[.]0[.]0[.]1` | Local MySQL on the same server |
| `PHP_DATABASE_DATABASE` | `fifa_ming` | Database name; "ming" is a common Chinese name, further corroborating CN origin |
| `PHP_DATABASE_USERNAME` | [REDACTED_USER] | DB username |
| `PHP_DATABASE_PASSWORD` | [REDACTED_PASSWORD] | Plaintext database password exposed |
| `PHP_DATABASE_PREFIX` | `fa_` | Table prefix |
| `PHP_APP_UKEY` | [REDACTED_SECRET] | Application key |
| `PHP_APP_USCREPT` | [REDACTED_SECRET] | Application secret |
| `twk_uuid_69b2c0b49dd4d71c370f2cbf` | Session token with `domain:"ww-fifa[.]com"` | Confirms the tawk[.]to property is linked to the ww-fifa[.]com phishing domain |
| `HTTP_CF_IPCOUNTRY` | `SE` | Victim accessing from Sweden |
| `HTTP_CF_CONNECTING_IP` | REDACTED | Victim's real IP address (Sweden) |
| `HOME` | `/home/www` | Server home directory |
| `USER` | `www` | Web server user account |

Significance: The exposed database name `fifa_ming` is a direct operational security failure. The leaked credentials could allow access to the backend MySQL database storing all harvested card data and victim PII. The Cloudflare headers confirm the infrastructure uses Cloudflare as a reverse proxy for CDN and IP masking. The `PHP_APP_DEBUG = 1` setting indicates the application was left in debug mode in production — an OPSEC error.
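An added example, not from the report: a response-body check that parses a dump in the layout above and separates exposed credentials from plain configuration, and also pulls out the tawk[.]to property domain and the Cloudflare geo headers. The sample body is constructed with placeholder values, and the key-name patterns used to classify variables are an assumption.

```python
import re

# Constructed response body in the KEY<whitespace>VALUE layout of the exposed page;
# every value is a placeholder, none is the real leaked data.
SAMPLE_BODY = """\
PHP_APP_DEBUG 1
PHP_DATABASE_HOSTNAME 127.0.0.1
PHP_DATABASE_DATABASE fifa_ming
PHP_DATABASE_USERNAME dbuser_placeholder
PHP_DATABASE_PASSWORD dbpass_placeholder
PHP_DATABASE_PREFIX fa_
PHP_APP_UKEY ukey_placeholder
PHP_APP_USCREPT uscrept_placeholder
twk_uuid_69b2c0b49dd4d71c370f2cbf {"uuid":"placeholder","domain":"ww-fifa.com"}
HTTP_CF_IPCOUNTRY SE
HTTP_CF_CONNECTING_IP 198.51.100.23
HOME /home/www
USER www
"""
# Key names that carry credentials or signing material when echoed to a client (assumed list).
SECRET_KEY = re.compile(r"PASSWORD|SECRET|UKEY|USCREPT|TOKEN|_KEY\b", re.I)
# Key names that only describe the environment rather than hold a secret.
CONFIG_KEY = re.compile(r"^(PHP_DATABASE_|PHP_APP_|HOME$|USER$)")

def parse_pairs(body):
    # One KEY VALUE pair per line; HTML tags and prose lines are skipped
    pairs = {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"[A-Za-z0-9_]+", parts[0]):
            pairs[parts[0]] = parts[1]
    return pairs

def scan_response(body):
    env = parse_pairs(body)
    tawk = []
    for key, value in env.items():
        m = re.search(r'"domain"\s*:\s*"([^"]+)"', value) if key.startswith("twk_uuid_") else None
        if m:
            tawk.append(m.group(1))  # property-to-domain link the chat widget exposes
    return {
        "debug_enabled": env.get("PHP_APP_DEBUG") == "1",
        "secrets": sorted(k for k in env if SECRET_KEY.search(k)),
        "config": sorted(k for k in env if CONFIG_KEY.search(k) and not SECRET_KEY.search(k)),
        "behind_cloudflare": any(k.startswith("HTTP_CF_") for k in env),
        "visitor_country": env.get("HTTP_CF_IPCOUNTRY"),
        "tawk_domains": tawk,
    }
```

The same function doubles as a deployment smoke test: run it over your own application's error page and fail the release when `secrets` is non-empty or `debug_enabled` is true.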

2.4 The Payment Backend

Payment Backend — tbpay[.]uk Admin Dashboard (Image 4)

The dashboard (titled 平台管理系统 — "Platform Management System") shows the fraud operator's command and control panel with the following metrics visible:

- Merchant ID: 1

- API Address: `hxxps://admin-zone[.]tbpay[.]uk`

- Frontend Live: 0 (no active frontend sessions at time of capture)

- Backend Live: 2 (two active backend operator sessions)

- Today's Visits: 0

- Intercepted: 0

- Paying Users: 0 (付款人数)

- Payment Transactions: 0 (付款笔数)

The dashboard includes a domain visit statistics chart (域名访问统计) tracking "Visits" (访问) vs "Paid" (已支付) — a conversion funnel typical of fraud-as-a-service kits. The time range shown is 06/02–06/08, 2026. Left navigation includes: Dashboard (仪表盘), Access Control (访问控制), Data Center (数据中心), Order Statistics (订单统计), Accounts & Roles (账号&角色), Monitoring Management (监控管理), System Settings (系统设置).

Significance: The "Intercepted" counter (已拦截) strongly suggests the platform has a function to intercept and relay OTP/2FA codes entered by victims — a classic MitM (man-in-the-middle) real-time phishing capability. This elevates the threat from simple card capture to active authentication bypass.

2.5 Live Session & OTP Interception Flow

Data Center — Live Card Skimming Records (Image 5)

This is the most operationally significant information captured. It shows the real-time card harvesting log with full victim payment card details:

Sample Record (Entry #21037):

جاجان أغاروال
أيوش بانوار
Cybersecurity Consultant who loves hacking, breaking things, and learning new ways to secure them.
