Security researchers and the FBI are warning that a wave of FIFA-themed fraud is already hitting World Cup 2026 fans, days before the June 11 kickoff.
Recent reports describe thousands of lookalike FIFA domains, banking malware hidden inside pirate streaming apps, and at least one operation that copies FIFA's login page well enough to take over real accounts.
It is an obvious target. More than six million fans are expected across 16 cities in the United States, Canada, and Mexico, and FIFA said it received more than 150 million ticket requests in the first 15 days, leaving the tournament around 30 times oversubscribed. Tickets are scarce, fans are anxious, and money is moving fast, which is exactly what fraud needs.
One Operator, 300 Cloned FIFA Sites
The most detailed findings come from Group-IB, which tracked more than 4,300 fraudulent FIFA domains registered since August 2025. At the center is a group it calls GHOST STADIUM, a Chinese-speaking, money-driven operation running one phishing kit across more than 300 of those sites.
The fake is good. The page is a near-perfect copy of fifa.com, and it mimics FIFA's real single sign-on login, run by PingIdentity, down to the genuine client ID copied from the live site. It loads its images straight from FIFA's own servers, so the page looks authentic and slips past tools that flag copied images.
Here is the part that does the damage: the fake login page also asks to reset the password. Once a victim enters their details, the attacker can lock them out of their own FIFA account and resell any tickets tied to it.
Most of the traffic comes from Facebook ads, with the same tracking codes reused across the whole cluster, plus links on Telegram, WhatsApp, and in search results. The site takes payment in five different ways: straight card entry, outside payment gateways, money-transfer apps like Chime and Nequi, Mexico-only processors, and a crypto option that converts a card payment into cryptocurrency, which is much harder to get back.
That last one is a handy tell, because FIFA's official ticketing never takes crypto, so any seller asking for it is a scam.
Group-IB puts the losses from premium and hospitality ticket fraud alone at $71 million to $474 million, and says the whole campaign could add up to billions. Those are estimates based on the infrastructure it can see, not confirmed losses.
Thousands of Domains, Many Kinds of Scams
It is not just Group-IB. FortiGuard Labs counted more than 13,000 World Cup-themed domains registered between January and May, about 8.8% of them malicious or suspicious.
The FBI advisory lists dozens of fake FIFA domains, from misspelled lookalikes to phony FIFA jobs pages, and warns more are coming. Other researchers have mapped thousands more lookalike sites and over a thousand fake social accounts.
Ticket fraud is just one piece. Group-IB also found counterfeit merchandise shops, bogus streaming sites that take a subscription fee and then install malware that hands control to the attacker, and fake betting sites that collect passport scans and selfies for identity theft.
Bitdefender separately tracked FIFA lottery emails promising payouts of up to $2 million. Group-IB also flagged a "phishing-as-a-service" market that sells ready-made scam kits and ticket-buying bots, so taking down one operator barely helps.
The pieces fit together: fake domains catch the ticket searches, ads and search results push the traffic, stolen-password dumps feed account takeovers, and sideloaded apps turn stream-hunting into bank fraud.
Banking Malware Hidden in Streaming Apps
For fans chasing free match streams, the bigger danger is on the phone. ThreatFabric saw a spike in malicious unofficial streaming apps, many pretending to be the popular RojaDirecta, around the recent Champions League final, and expects a repeat at the World Cup on a bigger scale.
Kaspersky tied those same apps to Android banking trojans, malware made to drain money from banking and crypto apps, and named two families: Massiv and Perseus. These apps are not on Google Play, so installing one means clicking past the warnings that would normally block it.
Once installed, the malware uses Android's accessibility tools to take over the phone. It can lay fake bank login screens over real apps, record what the owner types, intercept the one-time codes from text messages and login apps that are meant to keep accounts safe, and control the screen from afar.
Perseus, built on the leaked code of an older Trojan called Cerberus, even reads note-taking apps for saved passwords and crypto recovery phrases. The simplest red flag, ThreatFabric says, is a streaming app asking for accessibility access. It has no honest reason to need it.
Social Scams, Stolen Logins, and Risky Wi-Fi
Social media is just as crowded with scams. Bitdefender found more than 55 football-themed ad campaigns on Facebook and Instagram, pushing counterfeit kits, fake Panini stickers, and phishing pages; two of the merchandise operations traced back to Chinese operators through their ad-tracking tags.
Fortinet counted over 1,700 spoofed FIFA accounts, nearly 90% of them on Facebook and Instagram, plus a scheme that used fake FIFA job ads and calendar invites to send applicants to a lookalike Google login.
Stolen FIFA logins are already in circulation. Fortinet found hundreds of thousands of user logins, plus more than 4,600 FIFA web addresses, in data swept up by credential-stealing malware like Vidar, LummaC2, and RedLine.
Host-city Wi-Fi is its own problem. A Kaspersky survey that drove around Mexico City, Monterrey, and Guadalajara found 10% to 12% of networks open and password-free, with the WPS pairing feature still on across nearly half. Both leave easy openings for rogue "evil twin" hotspots that copy a real network and quietly read its traffic.
What to Watch For
These scams leave clear tells. Buy only through fifa.com, and type the address in yourself instead of trusting an ad or a search result. Switch on multi-factor login, and treat any seller who wants payment in cryptocurrency as a scam, since FIFA's ticketing never asks for it.
On Android, the clearest red flag is a streaming app asking for accessibility access it has no reason to need. On open Wi-Fi in the host cities, stick to mobile data when you can, and avoid logging into bank or email accounts.
For security teams, the job is straightforward: watch for new FIFA-themed domains and lookalike login pages, flag any staff or customer logins that show up in Vidar, LummaC2, or RedLine stealer logs, and get fraud teams ready for ticket and chargeback spikes through mid-July.
Meta says it is responding too. It is now showing warning pop-ups when people search Facebook for FIFA tickets, and it teamed up with Visa to take down a Facebook network linked to fake World Cup sites pushing bogus gambling. The FBI is asking anyone who has been scammed to report it at IC3.
The bigger worry is what is still waiting. Group-IB counted roughly 3,800 fraudulent FIFA domains sitting parked and unused, ready to switch on. With ready-made scam kits and bots already for sale, the busy window is easy to call: June 11 to July 19, when searches for tickets, streams, and travel will be at their peak.
