The Fake Job Portal

Three of the FBI's IOC domains posed as FIFA career portals, cloning the real FIFA PinpointHQ careers platform — pixel-perfect React applications carrying the official FIFA branding:

jobs-fifa.com
fifa-hiring.com
fifahiring.com

The attack was two-stage. After submitting a job application, the site redirected victims to schedule a 30-minute interview with a fake FIFA recruiter via a cloned Calendly page — building enough legitimacy that victims trusted the next step: logging in with their real FIFA account credentials.

jobs-fifa.com — interview scheduling stage

Stage two of the job portal attack. Fake FIFA recruiter Calendly page shown after application submission.

The Live Backend: A Phishing C2 Left Unlocked

The backend powering the job portal — fifeq2026eqbackeq.onrender.com — was running openly as of June 2, 2026. The subdomain is obfuscated: fifeq2026eqbackeq decodes as fifa2026abacka — every a replaced by eq to evade keyword-based scanning. An earlier backend (fifaback2026xxx.onrender.com) had already been suspended by Render.com. The operators deployed a replacement and kept running.

FastAPI generates interactive API documentation at /docs by default. The operators left this enabled in production — the full attack schema, every endpoint, every parameter, every developer comment was publicly readable.

fifeq2026eqbackeq.onrender.com/docs — LIVE

Live Swagger UI showing all 11 phishing backend endpoints. Captured June 1, 2026.

How the Attack Works: A Human in the Loop

This is not a credential-dumping page. It is a real-time relay system with a human operator watching a Telegram feed and making active decisions for every individual victim.

Every MFA Method Covered

The API has a dedicated endpoint for each MFA variant a FIFA account can enforce. No method is safe:

The Telegram C2: Bot Token Exposed

The backend included a diagnostic endpoint, /api/get-channel-id, that proxied calls directly to the Telegram Bot API. When called with certain parameters, the backend returned Telegram's raw error response — including the full API URL with the bot token embedded. The backend exposed the token through its own error handling — no credential cracking, no authentication bypass.

https://api.telegram.org/bot8782515023:AAGnmRryDL2SvhnaFOxi7hmkj7VRIbNSgmM/getUpdates

Telegram C2 — verified live — June 2, 2026

Four-panel: getMe, getWebhookInfo (channel_post confirmed), getChat, and /api/booking live exfil response.

GHOST STADIUM: The Ticket Fraud Layer

The job portal AiTM operation connects to a larger ticket fraud campaign — GHOST STADIUM — running from 43.98.183.110 on Alibaba Cloud Singapore. The backend explicitly allows cross-origin requests from GHOST STADIUM domains (confirmed via CORS headers), establishing a shared operational link. GHOST STADIUM accounts for 300+ active phishing domains, an estimated 47,400 victims, and losses between $71M–$474M according to Group-IB research.

ai-fifa.shop — GHOST STADIUM — April 25, 2026

Popup reads "FIFA World Cup 2026TOfficial Hospitality" — ™ rendered as T, a Chinese locale encoding artifact.

The Chinese Gambling Connection

The server hosting de-fifa.com — the German-targeted FIFA phishing domain — also hosts Chinese illegal sports betting aggregators on the same IP (38.190.234.190). The same bullet-proof infrastructure serves both criminal verticals.

38.190.234.190 — co-hosted infrastructure

Chinese sports betting aggregator (开云体育 / Kaiyun Sports) on same server as de-fifa.com.

The operator behind hk-fifa.com and tw-fifa.com is identifiable from Schema.org metadata embedded across both domains: 李承泽 (Li Chengze), with offices in Shenyang and Wuhan, 84 total staff, and ICP registrations 辽ICP备21077963号-2 and 鄂ICP备20066388号-1. Both domains share identical Google Search Console and Bing Webmaster verification codes, confirming single-operator control.

Ticket Resale Credential Harvesting

A separate threat actor operated fifaticket.pages.dev — a credential-harvesting FIFA ticket marketplace active since November 2025, seven months before the tournament:

fifaticket.pages.dev — Cloudflare Pages — live since Nov 2025

Bare credential harvest login page. EmailJS exfil — different operator from Telegram-based AiTM campaign.

Indicators of Compromise

Summary

The FIFA 2026 phishing campaign is built around a real-time human-operated AiTM platform. Victims are walked through a convincing multi-stage lure — job application, fake interview scheduling, credential login — while an operator watches a Telegram feed, logs into their real accounts, defeats MFA in real-time, and captures payment data. Nothing persists server-side. By the time a victim notices something is wrong, their credentials, OTPs, and card details are already in a private Telegram channel.

The tournament begins June 11. The infrastructure was live and issuing sessions as of June 2.