Scams related to the FIFA World Cup 2026 are active: fraudulent websites and malware.

      TL;DR: More than 4,300 counterfeit FIFA domains, banking malware in illicit streaming applications, and credential-harvesting phishing operations are targeting World Cup 2026 fans ahead of the June 11 kickoff. The FBI, Group-IB, Fortinet, and Kaspersky have all issued warnings.

      As the most over-subscribed sporting event ever, the World Cup is also suffering from extensive phishing attempts. With over 150 million ticket requests made in just the first 15 days and only six million tickets available across 16 cities in the US, Canada, and Mexico, the 2026 FIFA World Cup has created an environment ripe for fraud: scarcity, urgency, and rapid financial transactions.

      Security experts, the FBI, and various cybersecurity companies recently released alerts detailing a fraud network that is already in place, well-funded, and expanding. The landscape reveals more than just a few opportunistic phishing websites; it is a complex web of fake domains, banking malware, credential theft, and social media impersonation, all converging on the same timeframe.

      One operator manages 300 replicated FIFA sites

      The most comprehensive insights come from Group-IB, which has detected over 4,300 fraudulent FIFA domains registered since August 2025. Central to this operation is a group dubbed Ghost Stadium, a financially motivated Chinese-speaking entity that employs a single phishing kit across more than 300 of these sites.

      The counterfeit setup is highly convincing. The fake page closely resembles fifa.com, replicating FIFA’s actual single sign-on login, managed by PingIdentity, down to the legitimate client ID taken from the live website. The images are loaded directly from FIFA’s servers, which makes the page look authentic and helps it evade detection by tools that identify copied assets.
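Because the cloned pages load images straight from the real servers, the brand owner's own access logs can expose them through the Referer header. The sketch below is an added example, not something from the cited reports; it assumes Combined Log Format and an `OWNED_SUFFIXES` list, and every log line and hostname in it is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hosts the brand owner controls; any other Referer host is foreign.
OWNED_SUFFIXES = ("fifa.com",)
ASSET_EXT = (".png", ".jpg", ".jpeg", ".svg", ".webp", ".css", ".woff2")

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def is_owned(host):
    # Exact match or true subdomain only, so "fifa.com.x.example" is NOT owned.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OWNED_SUFFIXES)

def foreign_hotlinkers(lines, min_hits=2):
    """Count asset fetches per foreign Referer host; keep hosts with >= min_hits."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith(("2", "3")):
            continue
        path = urlsplit(m["path"]).path.lower()  # drops any ?query before the check
        if not path.endswith(ASSET_EXT):
            continue
        host = urlsplit(m["referer"]).hostname   # None for "-" (no Referer sent)
        if host and not is_owned(host):
            hits[host] += 1
    return {h: n for h, n in hits.items() if n >= min_hits}

# Constructed sample log lines (documentation IP ranges, .example hostnames).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2026:10:00:01 +0000] "GET /img/logo.svg HTTP/1.1" 200 5120 "https://www.fifa.com/en/tickets" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2026:10:00:02 +0000] "GET /img/logo.svg HTTP/1.1" 200 5120 "https://fifa-tickets.example/login" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2026:10:00:02 +0000] "GET /img/hero.jpg?v=3 HTTP/1.1" 200 88211 "https://fifa-tickets.example/login" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jun/2026:10:00:03 +0000] "GET /img/logo.svg HTTP/1.1" 200 5120 "https://fifa.com.lookalike.example/sso" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jun/2026:10:00:04 +0000] "GET /img/logo.svg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, n in sorted(foreign_hotlinkers(SAMPLE_LOG).items()):
        print(host, n)
```

A page that sets a strict Referrer-Policy sends no Referer, so this check finds some clones and says nothing about the rest.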

      The deception lies in the details: the false login also prompts users to reset their passwords. Once a victim submits their credentials, the attacker locks them out of their original FIFA account and resells any associated tickets. Most traffic is generated through Facebook ads that reuse tracking codes, and through links on Telegram, WhatsApp, and search results. Payment methods include card entry, money-transfer applications like Chime and Nequi, Mexico-centric processors, and a cryptocurrency option that converts card transactions into digital currency. This last method serves as a reliable indicator, as FIFA’s official ticketing system never accepts cryptocurrency.

      13,000 domains and rising

      FortiGuard Labs reported over 13,000 World Cup-themed domains created from January to May, with approximately 8.8% categorized as malicious or dubious. The FBI’s public service announcement highlights numerous fraudulent FIFA domains, featuring misspelled lookalikes and false job listings, and cautions that more are likely to emerge.

      Ticket fraud is only a fragment of the issue. Group-IB also uncovered counterfeit merchandise stores, fraudulent streaming websites that charge subscription fees and then install malware, and fake betting sites that collect passport photographs and selfies for identity theft. Separately, Bitdefender tracked FIFA lottery emails that promise payouts of up to $2 million.

      Group-IB estimates that the losses from premium and hospitality ticket fraud alone could range from $71 million to $474 million, with the overall fraud campaign potentially reaching billions. These are estimates based on observable infrastructure, not confirmed financial losses.

      Banking malware in streaming applications

      Fans seeking free match streams face greater risks on mobile devices. ThreatFabric detected an increase in malicious unofficial streaming applications, many masquerading as the popular RojaDirecta, around the recent Champions League final, and anticipates a similar situation during the World Cup, but on a larger scale.

      Kaspersky linked these applications to two Android banking trojan families: Massiv and Perseus. Neither of these is available through Google Play, meaning installation necessitates bypassing Android’s embedded warnings. Once installed, the malware employs accessibility features to superimpose fake bank login screens on legitimate applications, logs keystrokes, intercepts one-time SMS codes and authenticator app codes, and can control the screen remotely.

      Perseus, based on leaked code from the older Cerberus trojan, can even access note-taking applications for saved passwords and cryptocurrency recovery phrases. A straightforward warning sign, according to ThreatFabric, is a streaming application that requests accessibility access, as legitimate streaming apps do not require it.
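The accessibility warning sign can be checked before installation by reading an app's decoded manifest. The following is an added example, not tooling from ThreatFabric or Kaspersky; it assumes the manifest has already been decoded to plain XML, and the package, label and service name in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
# Permissions matching behaviours the article describes (SMS code theft, overlays).
RISKY = {
    "android.permission.RECEIVE_SMS": "can receive SMS one-time codes",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
}

def triage_manifest(manifest_xml):
    """Return a list of findings for a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    # An accessibility service is declared as a <service> guarded by the bind
    # permission and/or answering the AccessibilityService intent action.
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if svc.get(ANDROID_NS + "permission") == A11Y_BIND or A11Y_ACTION in actions:
            findings.append("accessibility service: " + str(svc.get(ANDROID_NS + "name")))
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in RISKY:
            findings.append(name.rsplit(".", 1)[-1] + ": " + RISKY[name])
    return findings

# Constructed manifest for a hypothetical sideloaded "streaming" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freestream">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Free Match Stream">
    <service android:name=".PlayerHelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
""".strip()

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```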

      Social media, stolen credentials, and open Wi-Fi

      Fortinet documented over 1,700 spoofed FIFA accounts, with nearly 90% found on Facebook and Instagram, alongside a scheme that utilized fake FIFA job listings and calendar invites to redirect applicants to a counterfeit Google login. Bitdefender identified more than 55 football-themed ad initiatives on Facebook and Instagram promoting counterfeit kits, fake Panini stickers, and phishing websites.

      Stolen FIFA login details are already in circulation. Fortinet discovered hundreds of thousands of user credentials and over 4,600 FIFA-related URLs in data accumulated by credential-stealing malware families such as Vidar, LummaC2, and RedLine.
