Jun 05

FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins


Security researchers and the FBI are warning that a wave of FIFA-themed fraud is already hitting World Cup 2026 fans, days before the June 11 kickoff.

Recent reports describe thousands of lookalike FIFA domains, banking malware hidden inside pirate streaming apps, and at least one operation that copies FIFA's login page well enough to take over real accounts.

It is an obvious target. More than six million fans are expected across 16 cities in the United States, Canada, and Mexico, and FIFA said it received more than 150 million ticket requests in the first 15 days, leaving the tournament around 30 times oversubscribed. Tickets are scarce, fans are anxious, and money is moving fast, which is exactly what fraud needs.

The most detailed findings come from Group-IB, which tracked more than 4,300 fraudulent FIFA domains registered since August 2025. At the center is a group it calls GHOST STADIUM, a Chinese-speaking, money-driven operation running one phishing kit across more than 300 of those sites.

The fake is good. The page is a near-perfect copy of fifa.com, and it mimics FIFA's real single sign-on login, run by Ping Identity, down to the genuine client ID copied from the live site. It loads its images straight from FIFA's own servers, so the page looks authentic and slips past tools that flag copied images.

Here is the part that does the damage: the fake login page also asks to reset the password. Once a victim enters their details, the attacker can lock them out of their own FIFA account and resell any tickets tied to it.
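The image hotlinking described above leaves a trace on the brand's side: each asset request carries the embedding page's origin in the `Referer` header. The following is an added example, not code from Group-IB or FIFA, that counts asset requests per foreign referring host; the Combined Log Format, the allow-list, the asset paths and the `.example` hosts are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: only these registrable domains may embed the brand's static assets.
ALLOWED_SUFFIXES = ("fifa.com",)
ASSET_RE = re.compile(r"\.(?:png|jpe?g|svg|webp|gif|ico|woff2?)$", re.I)
# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample log lines (documentation IP ranges, made-up paths and hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2026:10:00:01 +0000] "GET /assets/logo.svg HTTP/1.1" 200 5120 "https://www.fifa.com/en/tickets" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Jun/2026:10:00:02 +0000] "GET /assets/logo.svg HTTP/1.1" 200 5120 "https://fifa-tickets-2026.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Jun/2026:10:00:02 +0000] "GET /assets/hero.jpg?v=3 HTTP/1.1" 200 88211 "https://fifa-tickets-2026.example/" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Jun/2026:10:00:05 +0000] "GET /assets/logo.svg HTTP/1.1" 304 0 "https://fifa.com.login-help.example/signin" "Mozilla/5.0"',
    '192.0.2.50 - - [05/Jun/2026:10:00:06 +0000] "GET /en/tickets HTTP/1.1" 200 40211 "https://search.example/" "Mozilla/5.0"',
    '192.0.2.51 - - [05/Jun/2026:10:00:07 +0000] "GET /assets/logo.svg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def is_allowed(host):
    # Match on a label boundary so "fifa.com.login-help.example" is not trusted.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def foreign_embedders(lines):
    """Count served asset requests per referring host outside the allow-list."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith(("2", "3")):
            continue  # unparsable line, or the asset was not served
        if not ASSET_RE.search(urlsplit(m["path"]).path):
            continue  # page navigations from search engines etc. are normal
        host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if host and not is_allowed(host):
            hits[host] += 1
    return hits

if __name__ == "__main__":
    for host, count in foreign_embedders(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {host}")
```

A page that sets a `no-referrer` policy sends no `Referer` at all, so this surfaces only the sites that do not hide it, and hits still need review because legitimate third parties also embed brand assets.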

Most of the traffic comes from Facebook ads, with the same tracking codes reused across the whole cluster, plus links on Telegram, WhatsApp, and in search results. The site takes payment in five different ways: straight card entry, outside payment gateways, money-transfer apps like Chime and Nequi, Mexico-only processors, and a crypto option that converts a card payment into cryptocurrency, which is much harder to get back.

That last one is a handy tell, because FIFA's official ticketing never takes crypto, so any seller asking for it is a scam.

Group-IB puts the losses from premium and hospitality ticket fraud alone at $71 million to $474 million, and says the whole campaign could add up to billions. Those are estimates based on the infrastructure it can see, not confirmed losses.

It is not just Group-IB. FortiGuard Labs counted more than 13,000 World Cup-themed domains registered between January and May, about 8.8% of them malicious or suspicious.
