TL;DR
More than 4,300 fake FIFA domains, banking malware in pirated streaming apps and credential-harvesting phishing operations are already targeting fans of the June 11, 2026 World Cup. FBI, Group-IB, Fortinet and Kaspersky have all published alerts.
The most oversubscribed sporting event in history is also the most underrated sporting event. with Over 150 million ticket requests With a total of six million seats in the first 15 days and 16 cities in the United States, Canada and Mexico, the 2026 FIFA World Cup has created the conditions in which fraud thrives: scarcity, urgency and fast money.
Security researchers, the FBI and several cybersecurity firms have issued warnings in the past week that describe an already operational, well-resourced and scalable fraud infrastructure. What emerges is not a few opportunistic phishing pages. It’s a layered ecosystem of fake domains, banking malware, credential theft, and social media impersonation all coming together in one window.
One operator, 300 cloned FIFA sites
The most detailed findings come from here Group-IBTracks over 4,300 fake FIFA domains registered since August 2025. At the center is a group called Ghost Stadium, a Chinese-language, financially motivated operation that runs a single phishing kit on more than 300 sites.
Fake is good. The page is a near perfect copy of it fifa.comMimicking FIFA’s real single sign-on powered by PingIdentity, right down to the real customer ID copied from the live site. It downloads images directly from FIFA’s own servers, so the page looks authentic and removes tools that flag copied assets.
The damage is in the details: the fake login also asks for a password reset. After the victim enters the credentials, the attacker removes them from the real FIFA account and resells all the tickets associated with it. Most of the traffic comes from Facebook ads with reused tracking codes, plus links in Telegram, WhatsApp and search results. Payment options include card access, money transfer apps like Chime and Nequi, Mexican-only processors, and a crypto option that converts card payments to cryptocurrency. This last is reliable information, because official FIFA ticket sales never accept cryptocurrency.
13,000 domains and counting
FortiGuard Labs It counted more than 13,000 World Cup-themed domains registered between January and May, about 8.8% of which were classified as malicious or suspicious. The FBI public service announcement lists dozens of fake FIFA domains, from misspelled lookalikes to fake business pages, and warns that more are coming.
Ticket fraud is just one piece. Group-IB also found fake merchandise stores, fake streaming sites that charge subscription fees and then install malware, and fake betting platforms that collect passport scans and selfies for identity theft. Bitdefender is tracked separately FIFA lottery emails promise payouts of up to $2 million.
Group-IB estimates losses from award and hospitality ticket fraud alone at $71 million to $474 million, and the broader campaign could potentially run into the billions. These are projections based on visible infrastructure, not confirmed losses.
Banking malware in streaming apps
For fans following free match streams, the bigger threat is on the phone. ThreatFabric Around the last Champions League final, many saw a rise in malicious unofficial streaming apps posing as the popular RojaDirecta, and expect it to repeat itself on a larger scale at the World Cup.
Kaspersky split these programs into two Android banking Trojan families: Massif and Perseus. Neither is distributed through Google Play, so you have to click through Android’s built-in warnings to install one. Once installed, the malware uses accessibility tools to disguise fake bank login screens in real apps, record keystrokes, capture one-time codes from SMS and authenticator apps, and remotely control the screen.
Based on the leaked code of the old Cerberus trojan, Perseus even reads loggers to recover stored passwords and cryptocurrencies. The simplest red flag, according to ThreatFabric, is streaming software that requires accessibility logins. No legitimate streaming software needs this.
Social media, stolen credentials and open Wi-Fi
Fortinet counted more than 1,700 fake FIFA accounts. About 90% on Facebook and Instagrammoreover, the scheme, which uses fake FIFA job ads and a calendar, invites applicants to be redirected to a similar Google login. Bitdefender found more than 55 football-themed ad campaigns on Facebook and Instagram pushing fake kits, fake Panini stickers and phishing pages.
Stolen FIFA logins are now in circulation. Fortinet found hundreds of thousands of user credentials, plus more than 4,600 FIFA-related URLs, in data collected through credential theft. malware families Including Vidar, LummaC2 and RedLine.
Host-city Wi-Fi is its own problem. A Kaspersky survey It found 10-12% of traffic networks around Mexico City, Monterrey and Guadalajara were open and passwordless, with the WPS pairing feature still active in about half. Both leave openings for rogue “evil twin” hotspots that copy the real network and silently intercept traffic.
What to look for
Scams leave clear statements. Buy tickets only through fifa.com, not through ads or search results. Enable multi-factor authentication and treat any seller that asks for cryptocurrency as a scam. Deny accessibility permissions for streaming apps on Android. Use mobile data for banking and email on open Wi-Fi in host cities.
Meta says it now shows warning pop-ups when people search for FIFA tickets on Facebook, and is partnering with Visa to take down the Facebook network linked to fake World Cup gambling sites. The FBI is asking victims to come forward IC3.
The biggest concern is what hasn’t been activated yet. Group-IB counted approximately 3,800 fake FIFA domains parked and unused, ready to be launched. With ready-made cheat kits and ticketing bots already on sale, it’s easy to predict the peak window: June 11 to July 19, when ticket, streaming and travel searches will peak.
