FIFA World Cup 2026 Scams: 4,300 Phishing Domains Exposed Before Kickoff
Cybersecurity researchers and the FBI are sounding the alarm on a massive wave of FIFA-themed fraud targeting World Cup 2026 fans, just days before the June 11 opening match. With more than six million fans expected across 16 host cities in the U.S., Canada, and Mexico, and FIFA reporting over 150 million ticket requests in the first 15 days alone, the tournament is roughly 30 times oversubscribed. That scarcity, combined with anxiety and fast-moving payments, has created ideal conditions for organized cybercrime.
The most detailed findings come from Group-IB, which has tracked more than 4,300 fraudulent FIFA domains registered since August 2025 and identified a Chinese-speaking, financially motivated cluster it calls GHOST STADIUM. The group runs a single phishing kit across more than 300 of those domains, producing near-perfect clones of fifa.com, including a replica of FIFA's PingIdentity single sign-on flow with the genuine client ID lifted from the live site. Images are loaded directly from FIFA's own servers, defeating basic image-based detection. The trap extends beyond credential capture: victims are also prompted to reset their password, allowing attackers to lock legitimate users out and resell any tickets tied to the account. Distribution runs through Facebook ads sharing identical tracking codes, plus Telegram, WhatsApp, and poisoned search results. Payments are accepted via direct card entry, third-party gateways, money-transfer apps including Chime and Nequi, Mexico-only processors, and a crypto conversion path that turns card payments into harder-to-trace digital assets. The crypto option is a clear red flag, since FIFA's official ticketing never accepts cryptocurrency. Fans who have reused passwords across services should run their credentials through a password strength and breach checker and verify any suspicious FIFA-related domain with a WHOIS lookup before entering details.
The campaign is not limited to ticket fraud. FortiGuard Labs identified more than 13,000 World Cup-themed domains registered between January and May, with roughly 8.8% classified as malicious or suspicious. The FBI has published a list of dozens of known fake FIFA domains, including misspelled lookalikes and fraudulent job listings, and warns that more infrastructure is being staged. Group-IB has also mapped counterfeit merchandise stores, bogus streaming portals laced with banking malware hidden inside pirate apps, and over a thousand fake social media accounts impersonating FIFA vendors. The firm estimates losses from premium and hospitality ticket fraud alone at $71 million to $474 million, with total exposure potentially reaching into the billions.
The operational tradecraft is what makes this wave stand out. The phishing kit's reuse of the legitimate PingIdentity client ID, the mirrored asset paths, and the unified Facebook ad infrastructure all point to a single, well-resourced operator rather than scattered copycats. For defenders, the takeaways are concrete: treat any unsolicited FIFA ticket offer as hostile by default, refuse crypto or app-based payment requests, enable hardware-backed multi-factor authentication on FIFA accounts, and monitor associated email addresses with a breach exposure checker to catch credential reuse early. With kickoff days away, GHOST STADIUM and the broader ecosystem of lookalike domains are unlikely to slow down until the final whistle.
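The kit traits described above (assets loaded from FIFA's servers, the reused sign-on client ID, identical tracking codes) can be turned into a triage check over crawled pages. The sketch below is an added example, not Group-IB's or FIFA's code. It assumes the tracking code appears as a Meta Pixel ID in an fbq("init", ...) call, and the client ID, hosts, pixel IDs and markup are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"fifa.com"}
LEGIT_CLIENT_ID = "PLACEHOLDER-CLIENT-ID"  # placeholder; the real value is not given here

URL_ATTR = re.compile(r'(?:src|href)\s*=\s*["\'](https?://[^"\']+)', re.I)
PIXEL_ID = re.compile(r'fbq\(\s*["\']init["\']\s*,\s*["\'](\d+)["\']')

def is_official(host):
    """Match on the domain boundary so fifa.com.login.example does not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def score_page(host, html):
    """Return the kit traits seen on a non-official page, or None for official hosts."""
    if is_official(host):
        return None
    urls = URL_ATTR.findall(html)
    return {
        "hotlinks": sorted({u for u in urls if is_official(urlparse(u).hostname)}),
        "client_id_reuse": LEGIT_CLIENT_ID in html,
        "pixels": sorted(set(PIXEL_ID.findall(html))),
    }

def cluster_by_pixel(pages):
    """Group suspicious hosts that share a tracking ID; clusters of one are dropped."""
    clusters = defaultdict(set)
    for host, html in pages.items():
        traits = score_page(host, html)
        if traits and (traits["hotlinks"] or traits["client_id_reuse"]):
            for pixel in traits["pixels"]:
                clusters[pixel].add(host)
    return {p: sorted(h) for p, h in clusters.items() if len(h) > 1}

# Constructed sample pages (hosts, pixel IDs and markup are made up).
LOGO = '<img src="https://www.fifa.com/logo.png">'
SAMPLE_PAGES = {
    "www.fifa.com": LOGO,
    "fifa-tickets.example": LOGO + '<a href="https://sso.example/as/authorize?client_id='
        + LEGIT_CLIENT_ID + '">Sign in</a><script>fbq("init", "111111111111111");</script>',
    "fifa.com.login.example": LOGO + "<script>fbq('init', '111111111111111');</script>",
    "fan-blog.example": '<p>Match preview</p><script>fbq("init", "222222222222222");</script>',
}

if __name__ == "__main__":
    print(cluster_by_pixel(SAMPLE_PAGES))
```

Hotlinked brand assets alone also appear on fan sites and news pages, so the shared tracking ID and client ID reuse are what separate a coordinated cluster from incidental matches.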