FIFA World Cup 2026 Fraud Is Live and Scaling Before Kickoff
FIFA World Cup 2026 fraud is live before kickoff. Researchers found 270,000 stolen fan credentials and 3,800 dormant fake domains primed to activate on June 11.
Fortinet’s FortiGuard Labs counted more than 13,000 FIFA World Cup 2026-themed domains registered in the five months before the June 11 opening match, with roughly 8.8% already flagged as malicious or suspicious. Group-IB separately documented 4,300 fraudulent FIFA domains built by four independent threat actor groups, and estimates that losses from premium ticket fraud alone could reach $71 million to $474 million, with the broader campaign potentially climbing into the billions of dollars.
The most telling figure in either report is 3,800: fake FIFA domains currently parked and dormant, pre-positioned to activate once the tournament opens and search traffic peaks.
A Tournament 30 Times Oversubscribed
FIFA received more than 150 million ticket requests in the first 15 days of its sales window. Six million seats are available across 16 cities in the United States, Canada, and Mexico, making the 2026 edition approximately 30 times oversubscribed, per the firm’s event scale overview. That disparity between demand and available supply is the condition every fraud operation catalogued in these reports is exploiting.
Scarcity produces urgency fast. A fan who can’t get a seat through official channels and then spots a “last seats available” listing at $60 for premium inventory officially priced in the thousands is not checking the URL. Attackers built their offers around that dynamic, seeding fake pages with countdown timers and “first come, first served” messaging calibrated to narrow the decision window before skepticism can catch up.
The domain registration timeline tells you how early the infrastructure was in place. FortiGuard Labs’ FIFA cyberthreat landscape report documented a sharp spike in FIFA-themed registrations from March through May 2026. The .com top-level domain accounts for 87% of the malicious registrations catalogued, a deliberate preference for credibility over concealment. One specific domain FortiGuard flagged, registered in May 2026, walked users through a four-step checkout with a fake sign-in portal placed before the payment page to harvest credentials first.
Paris 2024 provides a partial benchmark. French authorities confirmed at least 140 cyber incidents during the Games, including 22 unauthorized intrusions and a ransomware attack against the Grand Palais venue. None disrupted competition, but that event attracted roughly a quarter of this tournament’s expected audience footprint. The 2026 World Cup covers three host nations, 104 matches, and an average of 450,000 visitors per host city.
GHOST STADIUM Ran This for Months
Group-IB first observed the threat actor it designated GHOST STADIUM in November 2025. By March 2026, when the firm’s formal three-month investigation began, the group had already deployed more than 300 active phishing domains running on a single shared kit. Researchers describe it as a Chinese-speaking, financially motivated operation, with two specific technical markers making that attribution concrete: Chinese-language comments embedded throughout the kit’s source code, and a UI framework called Layui 2.7.6, a library the firm says is “virtually unknown outside the Chinese developer community.”
The kit’s central feature is its authentication layer. It replicates FIFA’s PingIdentity single sign-on (SSO) flow, the login system behind all FIFA ticket accounts, using a legitimate client ID extracted directly from the real FIFA website. When a fan enters credentials on one of these pages, the kit captures them, triggers an immediate password reset to lock the victim out, and silently redirects to the actual FIFA site so the interaction looks like a normal successful login. Any existing tickets on the compromised account can then be relisted at premium prices.
Three shared Meta Pixel tracking IDs run across all 300-plus GHOST STADIUM domains, connecting the entire network to a single set of Facebook advertising accounts. The firm’s full GHOST STADIUM investigation found campaigns promoting premium seats as cheaply as $60. Of the 300-plus active phishing domains, 79 focused exclusively on premium and hospitality-tier inventory priced between $1,500 and $10,000. With more than 600 victim registrations observed at a single domain, researchers extrapolated a potential victim count exceeding 47,400 people for premium fraud alone.
GHOST STADIUM is the most technically sophisticated of four independent threat actor groups the investigation identified, but a phishing-as-a-service supply chain runs alongside all of them, selling ready-made scam kits and automated ticket-buying bots to operators with no technical capability. That commercial layer means the count of fraudulent domains keeps growing faster than any individual takedown effort can reduce it.
Six Attack Paths Running at Scale
Ticket theft gets the headline, but the fraud ecosystem documented across both reports covers every stage of a fan’s tournament experience. Bitdefender, a cybersecurity company, tracked more than 55 football-themed advertising campaigns on Facebook and Instagram pushing counterfeit kits, fake Panini sticker packs, and phishing pages, and the firm separately detected FIFA-themed lottery emails promising payouts of up to $2 million. The six documented attack schemes break down as follows:
| Attack Type | Primary Delivery Channel | What Attackers Take |
|---|---|---|
| Fake ticketing sites | Lookalike .com domains, search ads, Facebook | Payment card data, FIFA login credentials |
| Malicious streaming apps | Third-party Android APK downloads, Telegram | Banking credentials, SMS codes via Android trojans |
| Counterfeit merchandise shops | Social media ads, lookalike e-commerce domains | Payment details, personal data |
| Social media impersonation | Facebook, Instagram (90% of 1,700+ spoofed accounts) | Traffic to phishing pages, malware distribution |
| Fake job postings | Counterfeit sponsor domains, calendar meeting invites | Google account credentials |
| Fake betting and streaming sites | Social media, Telegram, search results | Passport scans, selfies, payment data, malware installs |
The mobile threat is the one most fans won’t anticipate. ThreatFabric, a fraud detection firm, observed a spike in malicious unofficial streaming apps around the recent Champions League final, many impersonating RojaDirecta, and expects a significantly larger wave during the World Cup window. Kaspersky linked similar apps to two Android banking trojans named Massiv and Perseus, which use Android’s accessibility tools to overlay fake bank login screens on top of legitimate banking apps, log keystrokes, and intercept one-time SMS codes. These apps are not on Google Play, so installing one requires tapping past explicit Android sideloading warnings.
Group-IB found fake betting platforms collecting passport scans and selfies under the pretext of identity verification. That data feeds identity theft pipelines.
270,000 Fan Credentials Before a Ball Is Kicked
Infostealers are credential-stealing programs spread through cracked software downloads, malvertising campaigns, and Telegram channels. They harvest every browser-stored password, session token, and saved payment detail from an infected machine and compile it for sale on dark-web markets. FIFA credentials appear in those logs as an incidental sweep, collected alongside everything else the browser holds. FortiGuard Labs’ stealer log telemetry, covering three malware families (Vidar, LummaC2, and RedLine; LummaC2, or LummaC Stealer 2, is a credential-theft tool sold as a service on cybercrime forums), produced the following counts from logs collected before the tournament began:
- 270,000+ credentials from fans visiting FIFA-related websites, recovered from stealer log data
- 260+ credentials tied specifically to FIFA employees
- 1,500+ FIFA-associated employee and organizational accounts found in historical breach datasets
- 4,600+ FIFA-associated URLs confirmed active inside those stealer logs
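The four bullets above are the kind of figures a security team extracts from stealer logs when measuring its own organisation's exposure. The script below is an added example, not FortiGuard's tooling: it parses constructed log lines in the common `URL|login|password` layout (every value invented), keeps only lines whose host belongs to an assumed set of organisation domains, separates employee logins from fan logins, and also counts organisation credentials seen again on unrelated sites, which is the password-reuse problem the next paragraph raises. Lookalike hosts such as `fiffa.com` are deliberately excluded, since credentials entered there were phished rather than swept from a browser on the organisation's own sites.

```python
"""Triage stealer-log lines for an organisation's exposure.

Added example, not FortiGuard's tooling. The log text below is constructed in the
common 'URL|login|password' layout with invented values; ORG_DOMAINS and the
employee rule (login ends in an org mail domain) are assumptions for illustration.
"""
from urllib.parse import urlsplit

ORG_DOMAINS = {"fifa.com"}   # assumed: domains whose logins count as org exposure


def host_in_org(url: str) -> bool:
    """True when the URL's host is an org domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def parse_stealer_log(text: str) -> list:
    """Return (url, login, password) triples, skipping comments and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        records.append(tuple(parts))
    return records


def summarize(records: list) -> dict:
    """Counts in the spirit of the report's four bullets, plus cross-site reuse."""
    org_records = [r for r in records if host_in_org(r[0])]
    org_pairs = {(login, pw) for _, login, pw in org_records}
    employee_pairs = {
        (login, pw) for login, pw in org_pairs
        if login.split("@")[-1].lower() in ORG_DOMAINS
    }
    org_urls = {url for url, _, _ in org_records}
    # The same login/password seen on a non-org site: the password-reuse case.
    other_pairs = {(login, pw) for url, login, pw in records if not host_in_org(url)}
    reused = org_pairs & other_pairs
    return {
        "org_credentials": len(org_pairs),
        "employee_credentials": len(employee_pairs),
        "org_urls": len(org_urls),
        "reused_elsewhere": len(reused),
    }


# Constructed sample; every login and password here is invented.
SAMPLE_LOG = """\
# URL|login|password
https://www.fifa.com/tickets/login|fan1@example.net|Pa55word
https://fifa.com/account|fan2@example.org|hunter2
https://mail.fifa.com/owa/|staff@fifa.com|Summer2026!
https://tickets.fifa.com/|fan1@example.net|Pa55word
https://shop.example.com/login|fan1@example.net|Pa55word
https://fiffa.com/checkout|fan3@example.org|qwerty
"""

if __name__ == "__main__":
    print(summarize(parse_stealer_log(SAMPLE_LOG)))
```

On the constructed sample this reports three unique organisation credentials, one of them an employee login, four organisation URLs, and one credential pair that also appears on an unrelated shop, which is the account a defender would force-reset first.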
The researchers put the count of FIFA login pairs already circulating on dark-web markets at roughly 2,500. Collin Hogue-Spears, senior director of solution management at Black Duck, a software supply chain security firm, identified a structural gap amplifying the credential risk: about a third of FIFA’s sponsors and suppliers have no DMARC record on their mail domains. DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is the email authentication standard that prevents third parties from credibly spoofing a domain’s outbound address. Without it, a criminal sending email that appears to come from an official tournament sponsor doesn’t need to forge anything, because there’s no authentication mechanism to defeat.
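The "no DMARC record" finding above is checkable from the outside: the policy lives in a TXT record at `_dmarc.<domain>`, and its `p=` tag decides whether receivers block spoofed mail. The following is an added example, not Black Duck's or FortiGuard's code, that parses such records and grades them; the five sponsor domains and their records are constructed and belong to no real company. A live audit would feed the strings returned by `dig +short TXT _dmarc.<domain>` into `assess_dmarc()`.

```python
"""Assess DMARC posture from the TXT strings published at _dmarc.<domain>.

Added example, not from Black Duck or the report. The sample records are
constructed and belong to no real sponsor; a live check would feed the output
of `dig +short TXT _dmarc.<domain>` into assess_dmarc().
"""


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; {} if not a DMARC record."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_dmarc(records: list) -> tuple:
    """Return (verdict, reason) for the TXT records found at _dmarc.<domain>."""
    dmarc = [parse_dmarc(r) for r in records if parse_dmarc(r)]
    if not dmarc:
        return "missing", "no v=DMARC1 record: anyone can send as this domain"
    if len(dmarc) > 1:
        return "invalid", "several DMARC records: receivers discard all of them"
    tags = dmarc[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", "p= tag missing or unknown"
    if policy == "none":
        return "monitor-only", "p=none: spoofed mail is reported, not blocked"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # receivers fall back to the default on a malformed pct
    if pct < 100:
        return "partial", f"p={policy} applied to only {pct}% of failing mail"
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none":
        return "partial", f"p={policy} but subdomains fall back to sp=none"
    return "enforcing", f"p={policy} for the domain, sp={sub_policy} for subdomains"


def audit(txt_by_domain: dict) -> dict:
    """Map each domain to its DMARC verdict."""
    return {domain: assess_dmarc(records)[0] for domain, records in txt_by_domain.items()}


# Constructed TXT answers keyed by domain (what dig would return for _dmarc.<domain>).
SAMPLE_TXT = {
    "sponsor-a.example": ['"v=DMARC1; p=reject; rua=mailto:dmarc@sponsor-a.example"'],
    "sponsor-b.example": ['"v=DMARC1; p=none; rua=mailto:dmarc@sponsor-b.example"'],
    "sponsor-c.example": [],
    "sponsor-d.example": ['"v=spf1 include:_spf.sponsor-d.example -all"'],  # not DMARC
    "sponsor-e.example": ['"v=DMARC1; p=quarantine; pct=25"'],
}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_TXT).items():
        print(f"{domain:20} {verdict}")
```

Only `sponsor-a.example` comes out as enforcing. A record with `p=none` is the easy one to miss: the domain technically "has DMARC", but receivers still deliver the spoofed message, so a supplier audit should count it alongside the missing records.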
The logins created this summer for ticketing and streaming services almost certainly share passwords with accounts elsewhere. The exposure doesn’t close on July 19 when the final ends.
The Job Ad That Ends at a Fake Google Page
Temporary staffing demand rises sharply ahead of any major sporting event, and the most methodical credential campaign in the FortiGuard report was built entirely around that. Attackers registered fake domains impersonating FIFA and several official sponsors, specifically Coca-Cola, Marriott, PepsiCo, and Delta, then circulated fraudulent job postings for event, hospitality, and media roles. Victims who responded received calendar meeting invitations linking to a page that embedded a counterfeit Google login screen; credentials entered there were captured (the victim saw only a generic error message) and forwarded to backend application programming interfaces (APIs) hosted on Render, a legitimate US cloud platform.
A single Google Analytics tracking ID, G-123NZLZV56, was embedded identically across all the impersonating sites, per the cyberthreat report. That shared identifier connects the entire operation to a single group and ties it to the Facebook advertising accounts distributing the fake job offers. Using Google’s own analytics infrastructure as the connective thread made the network coherent to operate and significantly harder to flag, because the tracking calls looked no different from analytics traffic on any legitimate website.
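The shared analytics identifier is also what lets a defender pivot: once one page is confirmed fraudulent, every other domain embedding the same ID belongs to the same operation, and identifiers of different kinds (a Google Analytics ID on one pair of sites, a Meta Pixel ID on another) chain those pairs together. The code below is an added example, not FortiGuard's or Group-IB's tooling. The four domains and their HTML bodies are constructed; the only value taken from the report is the `G-123NZLZV56` measurement ID, and the regexes cover only GA4 measurement IDs and Meta Pixel `fbq('init', ...)` calls.

```python
"""Pivot on shared analytics identifiers to link lookalike sites to one operation.

Added example, not code from FortiGuard or Group-IB. The HTML bodies below are
constructed; the one value from the report is the G-123NZLZV56 measurement ID.
Regexes cover GA4 measurement IDs (G-...) and Meta Pixel init calls only.
"""
import re
from collections import defaultdict

GA4_ID = re.compile(r"\bG-[A-Z0-9]{6,12}\b")
META_PIXEL_ID = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{8,20})['\"]")


def extract_tracking_ids(html: str) -> set:
    """Return the analytics identifiers embedded in one page body."""
    ids = set(GA4_ID.findall(html))
    ids.update("pixel:" + pixel for pixel in META_PIXEL_ID.findall(html))
    return ids


def index_by_tracking_id(pages: dict) -> dict:
    """tracking id -> set of domains whose page embeds it."""
    index = defaultdict(set)
    for domain, html in pages.items():
        for tid in extract_tracking_ids(html):
            index[tid].add(domain)
    return dict(index)


def shared_ids(pages: dict, min_domains: int = 2) -> dict:
    """Identifiers that appear on at least `min_domains` distinct domains."""
    return {tid: sorted(domains) for tid, domains in index_by_tracking_id(pages).items()
            if len(domains) >= min_domains}


def connected_operations(pages: dict) -> list:
    """Group domains transitively: any shared identifier joins two domains (union-find)."""
    parent = {domain: domain for domain in pages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in index_by_tracking_id(pages).values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for domain in pages:
        groups[find(domain)].add(domain)
    return sorted(sorted(group) for group in groups.values())


# Constructed page bodies for four hypothetical domains.
SAMPLE_PAGES = {
    "jobs-sponsor-one.example": (
        "<script async src='https://www.googletagmanager.com/gtag/js?id=G-123NZLZV56'></script>"
        "<script>gtag('config', 'G-123NZLZV56');</script>"
    ),
    "careers-sponsor-two.example": (
        "<script>gtag('config', 'G-123NZLZV56');</script>"
        "<script>fbq('init', '111122223333444');</script>"
    ),
    "hospitality-seats.example": "<script>fbq('init', '111122223333444'); fbq('track', 'PageView');</script>",
    "legit-news.example": "<script>gtag('config', 'G-AAAABBBB11');</script>",
}

if __name__ == "__main__":
    for tid, domains in shared_ids(SAMPLE_PAGES).items():
        print(tid, "->", ", ".join(domains))
    print(connected_operations(SAMPLE_PAGES))
```

In the sample, the jobs site and the careers site share the GA4 ID, the careers site and the hospitality site share the pixel ID, so all three end up in one group while the unrelated news site stays on its own. Shared IDs are a strong but not conclusive link: a legitimate agency managing several clients' sites can also reuse one ID, so the grouping is a lead for analyst review, not a verdict.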
Using a legitimate cloud platform to host the credential collection API is part of a broader evasion pattern. Attackers increasingly route malicious components through trusted services because those domains are almost never blocked by enterprise or consumer security tools. Security teams across the sectors the cyberthreat report cited as exposed, including sports, travel, hospitality, media, retail, finance, and government, face a detection challenge where credential theft traffic and normal cloud usage can look identical at the network layer.
Host-city infrastructure adds a physical dimension. Kern Smith, vice president of global solutions at Zimperium, a mobile security firm, noted that the sheer volume of legitimate mobile activity during a major tournament “can make malicious behavior significantly harder to detect as attacks blend into normal traffic patterns.” A Kaspersky survey of public Wi-Fi networks in Mexico City, Monterrey, and Guadalajara found 10% to 12% of networks open and unencrypted, with WPS (Wi-Fi Protected Setup, a pairing protocol with documented vulnerabilities) still active on nearly half.
3,800 Domains on Standby for June 11
Of the 4,300-plus fraudulent FIFA domains the investigation mapped, only a fraction are actively running fraud infrastructure. The other 3,800 are dormant, pre-positioned for the June 11 to July 19 match window, when searches for tickets, streams, and travel will be at their peak.
Domain-by-domain takedowns will not stop this – not when 3,800 replacement domains are already registered and waiting.
Yuan Huang, a senior fraud analyst at Group-IB, laid out the operational asymmetry. Individual domain takedowns require legal coordination and processing time; the replacement infrastructure is already registered, costs almost nothing to activate, and waits behind no procedural gate. The firm identified five separate cryptocurrency payment rails tied to the group’s campaign, meaning that when one financial institution flags a suspicious wallet address, the other four channels keep processing funds while the broader financial system has no visibility into what is moving through them.
The FBI published its own public service advisory listing dozens of confirmed fake FIFA domains and warning that additional sites are expected throughout the tournament. Its advisory flagged typosquatting as the primary registration tactic: domains built around common misspellings, with “fiffa[.]com” as a documented example, or alternative top-level domains substituted for .com. The FBI’s guidance for fans is direct: type fifa.com manually into a browser rather than clicking through search or social media links, treat any offer that requires cryptocurrency payment as fraudulent, and enable multi-factor authentication on FIFA accounts before the tournament begins.
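The two registration tactics the FBI names, misspellings and swapped top-level domains, are mechanical enough to screen for in a feed of newly registered or newly observed hostnames. The script below is an added example, not code from FortiGuard, Group-IB or the FBI: it scores each hostname against a protected brand label using edit distance, brand-as-substring and brand-in-subdomain checks, and undoes the `[.]` defanging advisories use. The brand label, the allow-list, the thresholds, and all feed entries other than the advisory's `fiffa[.]com` are assumptions chosen for illustration; it also assumes single-label public suffixes (`.com`, `.net`), so `.co.uk`-style suffixes would need a public-suffix list.

```python
"""Lookalike-domain triage against a protected brand label.

Added example, not code from FortiGuard, Group-IB or the FBI. The brand label,
the allow-list and the scoring thresholds are assumptions chosen for illustration.
"""

BRAND = "fifa"                    # protected brand label (assumed)
OFFICIAL_DOMAINS = {"fifa.com"}   # constructed allow-list of registrable domains


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(hostname: str) -> str:
    """Lower-case and undo the '[.]' defanging used in advisories."""
    return hostname.strip().lower().replace("[.]", ".").strip(".")


def classify(hostname: str) -> str:
    """Classify a hostname as one of: official, tld-swap, misspelling,
    brand-embedded, brand-in-subdomain, unrelated.

    Assumes a single-label public suffix (.com, .net); multi-part suffixes such
    as .co.uk would need a public-suffix list and are out of scope here.
    """
    labels = normalize(hostname).split(".")
    if len(labels) < 2 or not all(labels):
        return "unrelated"
    registrable_label, tld = labels[-2], labels[-1]
    subdomains = labels[:-2]

    if f"{registrable_label}.{tld}" in OFFICIAL_DOMAINS:
        return "official"
    if registrable_label == BRAND:
        return "tld-swap"                      # fifa.net, fifa.xyz
    distance = levenshtein(registrable_label, BRAND)
    # Distance 2 only counts for labels at least as long as the brand, so very
    # short unrelated labels (e.g. "fi") are not flagged.
    if distance == 1 or (distance == 2 and len(registrable_label) >= len(BRAND)):
        return "misspelling"                   # fiffa.com, fjfa.com
    if BRAND in registrable_label:
        return "brand-embedded"                # fifa-tickets2026.com
    if any(BRAND in label for label in subdomains):
        return "brand-in-subdomain"            # fifa.com.secure-login.example
    return "unrelated"


def flag_lookalikes(hostnames) -> list:
    """Return (hostname, verdict) for every name that is neither official nor unrelated."""
    flagged = []
    for name in hostnames:
        verdict = classify(name)
        if verdict not in ("official", "unrelated"):
            flagged.append((normalize(name), verdict))
    return flagged


# Constructed feed of newly seen hostnames; only fiffa[.]com comes from the FBI advisory.
SAMPLE_FEED = [
    "www.fifa.com",
    "fiffa[.]com",
    "fifa.net",
    "fifa-tickets2026.com",
    "fifa.com.secure-login.example",
    "football-news.com",
]

if __name__ == "__main__":
    for name, verdict in flag_lookalikes(SAMPLE_FEED):
        print(f"{verdict:20} {name}")
```

The `brand-in-subdomain` case is worth keeping separate from the others: a name like `fifa.com.secure-login.example` shows the real brand domain in the part of the address a phone's browser bar displays first, which is exactly the view the FBI's "type fifa.com manually" advice is designed to sidestep.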
The parked domains haven’t gone live, and the window they were built for opens Thursday.
