FIFA 2026 World Cup Scam
Security researchers and the FBI are warning that a large-scale wave of FIFA-themed fraud is already targeting World Cup 2026 fans, despite the tournament not beginning until June 11.
The event presents an attractive opportunity for cybercriminals. More than six million spectators are expected to attend matches across 16 cities in the United States, Canada, and Mexico. FIFA reported receiving over 150 million ticket requests within the first 15 days of sales, making demand roughly 30 times greater than the available supply. Scarce tickets, anxious fans, and fast-moving transactions have created ideal conditions for large-scale fraud.
Recent investigations have uncovered thousands of FIFA-themed fraudulent domains, malware hidden inside unauthorized streaming applications, and sophisticated phishing campaigns capable of hijacking legitimate FIFA accounts.
The Rise of the GHOST STADIUM Phishing Network
Researchers have identified more than 4,300 fraudulent FIFA-related domains registered since August 2025. At the center of this activity is a financially motivated Chinese-speaking group known as GHOST STADIUM, which operates a phishing infrastructure spanning more than 300 websites.
The operation relies on a highly convincing replica of FIFA's official website. The fake pages closely imitate FIFA's PingIdentity-powered single sign-on system and even use a legitimate client ID copied from the real platform. To increase credibility, images are loaded directly from FIFA's servers, helping the sites evade some detection methods that flag copied content.
The most damaging feature is a fraudulent password-reset function. Victims who enter their credentials unknowingly hand control of their accounts to attackers, who can then lock out the rightful owner and resell any associated tickets.
Traffic is primarily driven through Facebook advertisements, with identical tracking identifiers appearing across the phishing network. Additional visitors arrive through Telegram channels, WhatsApp messages, and manipulated search results.
The scam infrastructure accepts payments through multiple channels, including direct card transactions, third-party payment gateways, money-transfer services such as Chime and Nequi, regional Mexican processors, and cryptocurrency conversion systems. The cryptocurrency option is particularly dangerous because recovering stolen funds becomes significantly more difficult.
One clear warning sign stands out: FIFA's official ticketing platform does not accept cryptocurrency. Any seller requesting crypto payments should be considered fraudulent.
Researchers estimate that premium and hospitality ticket fraud alone could generate losses ranging from $71 million to $474 million. Based on the scale of the infrastructure discovered, total damages could potentially reach billions of dollars, although these figures remain projections rather than confirmed losses.
A Growing Ecosystem of Fraud
Between January and May alone, more than 13,000 World Cup-themed domains were registered, with approximately 8.8% identified as malicious or suspicious.
The FBI has already published advisories listing numerous fraudulent FIFA-related domains, including misspelled lookalike websites and fake FIFA employment portals. Investigators expect additional malicious domains to emerge as the tournament approaches. Other security teams have also identified thousands of imitation websites and more than a thousand fake social media profiles.
Ticket scams represent only one part of a much larger criminal ecosystem. Fraudsters are also operating counterfeit merchandise stores, fake sports-betting platforms, and fraudulent streaming services that not only charge subscription fees but also distribute malware capable of granting attackers remote control over victims' devices.
Additional schemes include fake FIFA lottery notifications promising prizes of up to $2 million. Researchers have also identified an expanding phishing-as-a-service market where criminals can purchase ready-made scam kits and automated ticket-buying bots, making it easier for new actors to enter the fraud landscape.
These operations are highly interconnected. Fake domains capture ticket-related searches, advertisements and manipulated search results generate traffic, stolen credential databases enable account takeovers, and malicious mobile applications transform a search for free streams into banking fraud.
Streaming Apps That Steal More Than Attention
For fans searching for free World Cup broadcasts, mobile devices may present the greatest risk.
Researchers recently observed a surge of malicious unofficial streaming applications masquerading as popular services such as RojaDirecta around the UEFA Champions League final. Similar campaigns are expected to intensify during the World Cup.
Many of these applications have been linked to Android banking trojans, including malware families known as Massiv and Perseus. Because these apps are unavailable through Google Play, users must bypass Android's built-in security warnings to install them.
Once installed, the malware abuses Android accessibility services to gain extensive control over the device. Attackers can display fake banking login pages over legitimate applications, record keystrokes, intercept one-time authentication codes from SMS messages and authenticator apps, and remotely operate the device.
Perseus, which was developed using leaked source code from the Cerberus banking trojan, goes even further by searching note-taking applications for stored passwords and cryptocurrency recovery phrases.
A streaming application requesting accessibility permissions without a legitimate reason should be treated as a major security warning.
Social Media Becomes a Hunting Ground
Social media platforms have become a primary distribution channel for World Cup scams.
Researchers have uncovered more than 55 football-themed advertising campaigns across Facebook and Instagram promoting counterfeit jerseys, fake Panini collectibles, and phishing websites. Analysis of advertising infrastructure has linked several of these operations to Chinese operators.
Investigators have also cataloged more than 1,700 fake FIFA social media accounts, nearly 90% of which operate on Facebook and Instagram. One notable campaign used fraudulent FIFA job advertisements and calendar invitations to redirect applicants to counterfeit Google login pages.
Meanwhile, stolen FIFA credentials are already circulating in criminal marketplaces. Security researchers have linked hundreds of thousands of compromised user accounts and more than 4,600 FIFA-related web addresses to credential-stealing malware families such as Vidar, LummaC2, and RedLine.
Public Wi-Fi Risks in Host Cities
Wireless networks in World Cup host cities introduce another layer of risk.
A survey conducted across Mexico City, Monterrey, and Guadalajara found that between 10% and 12% of detected Wi-Fi networks were completely open and unsecured. Nearly half still had Wi-Fi Protected Setup (WPS) enabled, creating additional attack opportunities.
These weaknesses make it easier for criminals to deploy 'evil twin' hotspots—malicious networks designed to imitate legitimate Wi-Fi access points and secretly intercept user traffic.
How Fans and Organizations Can Stay Protected
Several precautions can help fans avoid World Cup-related scams before damage occurs:
- Purchase tickets only through FIFA's official website and manually enter the web address instead of relying on advertisements or search engine links. Enable multi-factor authentication on FIFA accounts and avoid any seller requesting cryptocurrency payments.
- Avoid installing unofficial streaming applications, particularly those requesting accessibility permissions. When using public Wi-Fi in host cities, rely on mobile data whenever possible and avoid accessing banking, email, or other sensitive accounts.
Organizations also have an important role to play. Security teams should monitor newly registered FIFA-themed domains, detect fraudulent login pages, identify employees or customers exposed in Vidar, LummaC2, or RedLine credential dumps, and prepare fraud response teams for increased ticket disputes and chargeback activity throughout the tournament.
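The monitoring of newly registered FIFA-themed domains recommended above can begin as a triage pass over a registration feed that flags brand terms, digit-for-letter swaps, and one-character misspellings. The following Python is an added example, not code from the researchers or the FBI; the watch terms, the allowlist, and the sample feed (on the reserved .example TLD) are assumptions constructed for illustration.

```python
import re

BRAND_TERMS = ("fifa", "worldcup")            # terms to watch (assumption)
OFFICIAL = {"fifa.com"}                       # allowlist (assumption: list the domains you trust)
HOMOGLYPHS = str.maketrans("01345", "oieas")  # common digit-for-letter swaps

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def reasons(domain):
    """Return why a hostname looks like a brand lookalike (empty list = nothing found)."""
    host = domain.lower().rstrip(".")
    if host in OFFICIAL or any(host.endswith("." + d) for d in OFFICIAL):
        return []
    labels = host.split(".")[:-1]             # drop the TLD; no public-suffix handling
    tokens = [t for lab in labels for t in re.split(r"[-_]", lab) if t]
    found = []
    for raw in tokens:
        norm = raw.translate(HOMOGLYPHS)
        for term in BRAND_TERMS:
            if term in raw:
                found.append(f"contains '{term}'")
            elif term in norm:
                found.append(f"homoglyph of '{term}' in '{raw}'")
            elif abs(len(raw) - len(term)) <= 1 and edit_distance(norm, term) == 1:
                found.append(f"'{raw}' is one edit from '{term}'")
    return sorted(set(found))

def triage(domains):
    """Map each suspicious hostname to its reasons, for analyst review."""
    return {d: r for d in domains if (r := reasons(d))}

# Constructed sample feed of newly registered names (reserved .example TLD).
SAMPLE_FEED = ["fifa-tickets-2026.example", "f1fa-worldcup.example", "fiffa.example",
               "tickets.fifa.com", "weather-news.example"]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_FEED).items():
        print(name, "->", "; ".join(why))
```

One-edit matches against a four-letter term will catch unrelated words, so the output is a review queue for analysts rather than a blocklist.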
The Threats Still Waiting to Activate
Perhaps the most concerning finding is that roughly 3,800 known fraudulent FIFA-related domains remain inactive and parked, ready for deployment at any time.
With phishing kits, automated bots, and stolen credentials already widely available, researchers expect the highest-risk period to run from June 11 through July 19. During that window, searches for tickets, travel arrangements, and streaming services will reach their peak, creating ideal conditions for cybercriminals to expand their operations.