Cybersecurity experts and the FBI are sounding the alarm about a rising tide of FIFA-related scams targeting fans of the 2026 World Cup, even before the tournament kicks off on June 11.
Fresh reports reveal thousands of counterfeit FIFA websites, banking malware concealed within pirated streaming applications, and at least one scheme that replicates FIFA’s login portal so convincingly that it can hijack legitimate accounts.
The World Cup makes for an easy mark. Over six million fans are anticipated across 16 cities spanning the United States, Canada, and Mexico. FIFA reported receiving upwards of 150 million ticket applications in just the first 15 days of sales, meaning demand outstrips supply by roughly 30 times. Limited availability, eager fans, and rapid cash flow create the perfect conditions for fraud.
A Single Actor Running 300 Fake FIFA Websites
The most comprehensive analysis comes from Group-IB, which identified over 4,300 deceptive FIFA domains created since August 2025. Driving much of this activity is a group dubbed GHOST STADIUM, a Chinese-speaking, profit-oriented outfit operating a uniform phishing toolkit across more than 300 of these counterfeit pages.
The imitation is striking. The fraudulent page mirrors fifa.com almost flawlessly and faithfully reproduces FIFA’s actual single sign-on login system, managed by Ping Identity, including the real client ID lifted from the official page. It pulls images directly from FIFA’s own servers, making the site appear genuine and evading tools that detect duplicated visuals.
Here is where the real harm occurs: the counterfeit login page prompts users to reset their password too. Once a victim submits their credentials, the attacker can take over their FIFA account and sell off any tickets linked to it.
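For defenders, the traits described above are also what make the clone detectable. The following is an added example, not code from Group-IB or FIFA: it checks a fetched page hosted outside fifa.com for the reused SSO client ID, hot-linked official images, and a password field. The client ID is a placeholder, and the sample hostnames and markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "fifa.com"  # official domain named in the article
OFFICIAL_CLIENT_ID = "EXAMPLE-CLIENT-ID"  # placeholder; the real ID is not in the article


def is_official(host):
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


class PageScan(HTMLParser):
    """Records hot-linked official asset hosts and password inputs."""
    def __init__(self):
        super().__init__()
        self.hotlinked, self.asks_password = set(), False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.asks_password = True
        if tag in ("img", "script", "link"):
            host = urlparse(a.get("src") or a.get("href") or "").hostname
            if is_official(host):
                self.hotlinked.add(host)


def clone_indicators(page_url, html):
    """Indicators that a page on a non-official host imitates the login."""
    if is_official(urlparse(page_url).hostname):
        return []  # the genuine site naturally has all of these traits
    scan = PageScan()
    scan.feed(html)
    found = []
    if OFFICIAL_CLIENT_ID in html:
        found.append("reuses official SSO client ID")
    if scan.hotlinked:
        found.append("hot-links images from " + ", ".join(sorted(scan.hotlinked)))
    if found and scan.asks_password:
        found.append("collects a password")
    return found


# Constructed sample page (hostnames and markup are illustrative).
SAMPLE = ('<img src="https://assets.fifa.com/logo.png">'
          '<form action="/login?client_id=EXAMPLE-CLIENT-ID">'
          '<input type="password" name="pw"></form>')
print(clone_indicators("https://tickets-fifa.example/login", SAMPLE))
```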

Most visitors arrive via Facebook advertisements, with identical tracking codes reused across the entire campaign, alongside links shared on Telegram, WhatsApp, and search engine results. Payments are accepted through five separate methods: direct entry of card details, third-party payment processors, money-transfer apps like Chime and Nequi, Mexico-specific gateways, and a cryptocurrency option that converts card payments into digital currency, which is far harder to recover.
That last detail is a useful giveaway, since FIFA’s legitimate ticketing system never accepts cryptocurrency. Any seller requesting it is running a scam.
Group-IB estimates that fraud involving premium and hospitality tickets alone has caused losses between $71 million and $474 million, and the entire operation could total billions. These figures are projections based on the infrastructure they have observed, not verified victim reports.
Thousands of Domains, a Wide Range of Schemes
Group-IB is not the only one tracking this. FortiGuard Labs identified more than 13,000 World Cup-related domains registered from January through May, about 8.8% of which were flagged as malicious or suspicious.
The FBI advisory cites dozens of counterfeit FIFA domains, ranging from subtly misspelled lookalikes to phony FIFA employment pages, and warns that more are on their way. Other analysts have catalogued thousands of additional lookalike sites and over a thousand bogus social media profiles.
Fake tickets are only part of the picture. Group-IB also uncovered knockoff merchandise stores, deceptive streaming sites that charge subscription fees and then install malware granting attackers full device access, and fraudulent betting platforms that harvest passport photos and selfies for identity fraud.
Bitdefender separately traced FIFA-themed lottery emails offering payouts as high as $2 million. Group-IB also flagged a “phishing-as-a-service” underground marketplace that sells pre-packaged scam toolkits and ticket-snatching bots, meaning dismantling a single operator barely puts a dent in the problem.

The pieces form a cohesive pipeline: counterfeit domains snag ticket searches, paid ads and search results funnel visitors, stolen password databases fuel account takeovers, and sideloaded apps turn casual streaming into banking fraud.
Banking Malware Lurking Inside Streaming Apps
For supporters hunting free live match streams, the greater threat is on mobile devices. ThreatFabric observed a sharp increase in malicious unofficial streaming apps, many masquerading as the well-known RojaDirecta platform, around the recent Champions League final, and predicts a far larger wave during the World Cup.
Kaspersky connected those same apps to Android banking trojans, malicious software designed to siphon funds from banking and cryptocurrency apps, and identified two specific variants: Massiv and Perseus. These apps are not found on Google Play, so installing one requires overriding standard security warnings.
Once on a device, the malware exploits Android’s accessibility features to seize control. It can overlay fake banking login interfaces on top of legitimate apps, capture keystrokes, grab one-time passcodes from SMS and authentication apps meant to safeguard accounts, and remotely control the display.

Perseus, built on leaked source code from an older trojan named Cerberus, can even scan notes for saved passwords and cryptocurrency recovery seed phrases. The simplest warning sign, according to ThreatFabric, is a streaming app requesting accessibility permissions. There is no legitimate reason for it to need them.
Social Media Fraud, Compromised Logins, and Unsafe Wi-Fi
Social platforms are just as packed with scams. Bitdefender identified over 55 football-themed advertising campaigns on Facebook and Instagram, pushing counterfeit jerseys, bogus Panini stickers, and phishing pages; two of the merchandise operations were linked to Chinese operators through their ad-tracking identifiers.
Fortinet catalogued more than 1,700 fake FIFA profiles, almost 90% hosted on Facebook and Instagram, along with a scheme that used fraudulent FIFA job postings and calendar invitations to redirect applicants to a counterfeit Google login page.

Stolen FIFA credentials are already circulating online. Fortinet found hundreds of thousands of user logins, plus more than 4,600 FIFA-related web addresses, exposed through credential-theft malware including Vidar, LummaC2, and RedLine.
Public Wi-Fi in host cities presents its own set of risks. A Kaspersky survey covering Mexico City, Monterrey, and Guadalajara found that 10% to 12% of networks were open and unsecured, while nearly half still had WPS pairing enabled. Both create easy entry points for rogue “evil twin” hotspots that impersonate legitimate networks and silently intercept data passing through.
Warning Signs to Keep in Mind
These scams come with recognizable red flags. Purchase tickets only through fifa.com, and manually enter the URL rather than clicking links from ads or search results. Enable multi-factor authentication, and treat any seller requesting cryptocurrency as fraudulent, since FIFA’s official ticketing system will never ask for it.
On Android, the clearest indicator is a streaming app requesting accessibility permissions it has no legitimate reason to need. On unsecured Wi-Fi networks in host cities, opt for cellular data whenever possible, and avoid accessing banking or email accounts.
For security teams, the priorities are clear: monitor newly registered FIFA-themed domains and lookalike login screens, flag any staff or customer credentials that appear in Vidar, LummaC2, or RedLine stealer databases, and prepare fraud departments for spikes in ticket-related disputes and chargebacks through mid-July.
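One way to start on the first of those priorities, as an added example rather than any vendor's method: triage a feed of newly registered domains for the brand string or a one-character misspelling of it, while leaving fifa.com and its subdomains alone. The theme words, the one-edit threshold, and the sample feed are assumptions made for illustration.

```python
import re

OFFICIAL = "fifa.com"  # official domain named in the article
BRAND = "fifa"
# Assumed theme words for the lures the article lists (tickets, jobs, streams, bets).
THEMES = ("worldcup", "ticket", "job", "career", "stream", "bet", "2026")


def edit_distance(a, b):
    """Levenshtein distance, enough to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain):
    """Return (verdict, reason) for one newly registered domain."""
    d = domain.lower().strip(".")
    if d == OFFICIAL or d.endswith("." + OFFICIAL):
        return ("official", "fifa.com or a subdomain")
    name = d.rsplit(".", 1)[0]  # drop the TLD
    if BRAND in name:
        themed = [t for t in THEMES if t in name]
        return ("review", "brand in name" + (", themes: " + ",".join(themed) if themed else ""))
    for token in re.split(r"[^a-z0-9]+", name):
        # Tokens shorter than four characters are skipped to limit noise.
        if len(token) >= 4 and edit_distance(token, BRAND) == 1:
            return ("review", "token '%s' is one edit from the brand" % token)
    return ("ignore", "no brand match")


def flagged(feed):
    """Domains from the feed that an analyst should look at."""
    return [d for d in feed if triage(d)[0] == "review"]


# Constructed sample feed (.example is a reserved TLD; none are real sites).
FEED = ["fifa.com", "tickets.fifa.com", "fifa-worldcup-tickets.example",
        "fiifa-jobs.example", "cityweather.example"]

if __name__ == "__main__":
    for d in FEED:
        print(d, triage(d))
```

Misspellings embedded in a longer unhyphenated label are not caught by the token check and need a sliding-window comparison.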

Meta says it is taking steps as well. It now displays warning alerts when users search Facebook for FIFA tickets, and partnered with Visa to dismantle a Facebook network connected to fake World Cup sites promoting fraudulent gambling. The FBI is urging anyone who has fallen victim to report the incident at IC3.
The larger concern is what is still to come. Group-IB counted roughly 3,800 fraudulent FIFA domains currently parked and dormant, waiting to be activated. With off-the-shelf scam toolkits and automated bots already on sale, the peak window is predictable: June 11 to July 19, when ticket searches, streaming demand, and travel bookings will be at their highest.



