FIFA World Cup 2026 scams are live: fake sites and malware

June 6, 2026



TL;DR

Over 4,300 fake FIFA domains, banking malware in pirate streaming apps, and credential-harvesting phishing operations are already targeting World Cup 2026 fans ahead of the 11 June kickoff. The FBI, Group-IB, Fortinet, and Kaspersky have all published warnings.

The most oversubscribed sporting event in history is also the most phished. With more than 150 million ticket requests in the first 15 days and just six million seats across 16 cities in the US, Canada, and Mexico, the 2026 FIFA World Cup has created exactly the conditions that fraud thrives on: scarcity, urgency, and money moving fast.

Security researchers, the FBI, and multiple cybersecurity firms have published warnings in the past week describing a fraud infrastructure that is already operational, well-resourced, and scaling. The picture that emerges is not a handful of opportunistic phishing pages. It is a layered ecosystem of fake domains, banking malware, credential theft, and social media impersonation, all converging on the same window.

One operator, 300 cloned FIFA sites

The most detailed findings come from Group-IB, which tracked more than 4,300 fraudulent FIFA domains registered since August 2025. At the centre is a group it calls Ghost Stadium, a Chinese-speaking, financially motivated operation running a single phishing kit across more than 300 of those sites.

The fake is good. The page is a near-perfect copy of fifa.com, mimicking FIFA’s real single sign-on login, run by PingIdentity, down to the genuine client ID copied from the live site. It loads images directly from FIFA’s own servers, so the page looks authentic and slips past tools that flag copied assets.
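Hotlinking the real images leaves a trace on the legitimate side: browsers normally send a Referer header when a page on another site loads them. The following is an added example, not code from Group-IB or FIFA, showing how a site owner could mine origin access logs for third-party pages embedding its images. The log format (Combined Log Format), the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: only these hosts may legitimately embed the site's images.
OFFICIAL_SUFFIXES = ("fifa.com",)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".svg", ".webp", ".gif", ".ico")

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def is_official(host):
    # Exact match or true subdomain; "fifa.com.tickets.example" does not pass.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def hotlinking_referers(lines):
    """Count image requests per third-party Referer host, most frequent first."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        if not urlsplit(m["path"]).path.lower().endswith(IMAGE_EXT):
            continue
        # hostname is None for "-" or an empty Referer (direct hits, or a page
        # that sets Referrer-Policy: no-referrer), so absence proves nothing.
        ref_host = urlsplit(m["referer"]).hostname
        if ref_host and not is_official(ref_host):
            hits[ref_host] += 1
    return hits.most_common()

# Constructed sample lines: documentation IPs and .example hosts.
_FMT = '{ip} - - [06/Jun/2026:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'
SAMPLE = [
    _FMT.format(ip="203.0.113.7", path="/assets/logo.svg", ref="https://www.fifa.com/en/tickets"),
    _FMT.format(ip="198.51.100.9", path="/assets/logo.svg", ref="https://fifa.com.tickets.example/login"),
    _FMT.format(ip="198.51.100.9", path="/assets/hero.jpg?w=1200", ref="https://fifa.com.tickets.example/"),
    _FMT.format(ip="192.0.2.44", path="/assets/logo.svg", ref="-"),
    _FMT.format(ip="192.0.2.51", path="/assets/logo.svg", ref="https://login-fifa.example/"),
    _FMT.format(ip="198.51.100.9", path="/api/session", ref="https://fifa.com.tickets.example/"),
]

if __name__ == "__main__":
    for host, count in hotlinking_referers(SAMPLE):
        print(f"{count:4d}  {host}")
```

Referring hosts that surface here are leads for takedown review, not verdicts: partner sites and web caches also embed images.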


The damage is in the details: the fake login also asks the victim to reset the password. Once a victim enters credentials, the attacker locks them out of their real FIFA account and resells any tickets tied to it. Most traffic comes from Facebook ads with reused tracking codes, plus links on Telegram, WhatsApp, and in search results. Payment options include card entry, money-transfer apps like Chime and Nequi, Mexico-only processors, and a crypto option that converts card payments into cryptocurrency. That last one is a reliable tell, since FIFA’s official ticketing never accepts crypto.

13,000 domains and counting

FortiGuard Labs counted more than 13,000 World Cup-themed domains registered between January and May, roughly 8.8% of them classified as malicious or suspicious. The FBI’s public service announcement lists dozens of fake FIFA domains, from misspelled lookalikes to phony job pages, and warns more are coming.

Ticket fraud is just one piece. Group-IB also found counterfeit merchandise shops, bogus streaming sites that take a subscription fee and then install malware, and fake betting platforms that collect passport scans and selfies for identity theft. Bitdefender separately tracked FIFA lottery emails promising payouts of up to $2 million.

Group-IB estimates losses from premium and hospitality ticket fraud alone at $71 million to $474 million, with the broader campaign potentially reaching into the billions. Those are projections based on visible infrastructure, not confirmed losses.

Banking malware in streaming apps

For fans chasing free match streams, the bigger danger is on the phone. ThreatFabric observed a spike in malicious unofficial streaming apps, many posing as the popular RojaDirecta, around the recent Champions League final and expects a repeat at the World Cup on a larger scale.

Kaspersky tied those apps to two Android banking trojan families: Massiv and Perseus. Neither is distributed through Google Play, so installing one requires clicking past Android’s built-in warnings. Once installed, the malware uses accessibility tools to overlay fake bank login screens on real apps, record keystrokes, intercept one-time codes from SMS and authenticator apps, and control the screen remotely.

Perseus, built on leaked code from the older Cerberus trojan, even reads note-taking apps for saved passwords and crypto recovery phrases. The simplest red flag, according to ThreatFabric, is a streaming app requesting accessibility access. No legitimate streaming app needs it.
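The red flag above can be checked on a device you manage. This added example (not from ThreatFabric or Kaspersky) cross-references the enabled accessibility services with each package's installer, using output saved from `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`. The package names in the sample data are constructed, and the `trusted` allowlist is a hypothetical parameter for preinstalled services that report no installer.

```python
# Google Play's installer package; any other installer is treated as non-Play.
PLAY_INSTALLER = "com.android.vending"

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        inst = next((f.split("=", 1)[1] for f in fields[1:]
                     if f.startswith("installer=")), "null")
        installers[fields[0]] = inst
    return installers

def parse_services(setting_value):
    """Split the colon-separated list of package/class component names."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [c for c in value.split(":") if "/" in c]

def risky_accessibility(setting_value, pm_output, trusted=()):
    """Return (package, installer) for enabled services not installed via Play."""
    installers = parse_installers(pm_output)
    findings = []
    for component in parse_services(setting_value):
        pkg = component.split("/", 1)[0]
        inst = installers.get(pkg, "unknown")
        if inst != PLAY_INSTALLER and pkg not in trusted:
            findings.append((pkg, inst))
    return findings

# Constructed sample output; com.example.* packages are placeholders.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.freestream/com.example.freestream.HelperService"
)
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.freestream  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, inst in risky_accessibility(SAMPLE_SERVICES, SAMPLE_PM):
        print(f"review: {pkg} (installer={inst}) holds accessibility access")
```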

Social media, stolen credentials, and open Wi-Fi

Fortinet counted over 1,700 spoofed FIFA accounts, nearly 90% on Facebook and Instagram, plus a scheme using fake FIFA job ads and calendar invites to redirect applicants to a lookalike Google login. Bitdefender found more than 55 football-themed ad campaigns on Facebook and Instagram pushing counterfeit kits, fake Panini stickers, and phishing pages.

Stolen FIFA logins are already circulating. Fortinet found hundreds of thousands of user credentials, plus more than 4,600 FIFA-related URLs, in data collected by credential-stealing malware families including Vidar, LummaC2, and RedLine.

Host-city Wi-Fi is its own problem. A Kaspersky drive-around survey of Mexico City, Monterrey, and Guadalajara found 10% to 12% of networks open and password-free, with the WPS pairing feature still active on nearly half. Both leave openings for rogue “evil twin” hotspots that copy a real network and quietly intercept traffic.

What to watch for

The scams leave clear tells. Buy tickets only through fifa.com, typed directly, not via an ad or search result. Enable multi-factor authentication, and treat any seller requesting cryptocurrency as a scam. On Android, refuse accessibility permissions for streaming apps. On open Wi-Fi in host cities, use mobile data for banking and email.

Meta says it is now showing warning pop-ups when people search Facebook for FIFA tickets, and it partnered with Visa to take down a Facebook network linked to fake World Cup gambling sites. The FBI is asking victims to report at IC3.

The bigger concern is what has not yet been activated. Group-IB counted roughly 3,800 fraudulent FIFA domains sitting parked and unused, ready to switch on. With ready-made scam kits and ticket-buying bots already for sale, the peak window is easy to predict: 11 June to 19 July, when searches for tickets, streams, and travel will be at their highest.


