Scams related to the FIFA World Cup 2026 are currently active, including fraudulent websites and malware.

      **TL;DR** Over 4,300 counterfeit FIFA domains, banking malware in unlicensed streaming applications, and credential-harvesting phishing schemes are already targeting fans of World Cup 2026 as the 11 June kickoff approaches. The FBI, Group-IB, Fortinet, and Kaspersky have issued warnings.

      The most oversubscribed sporting event in history is also the most targeted by phishers. With over 150 million ticket requests in the first 15 days and only six million seats available across 16 cities in the US, Canada, and Mexico, the 2026 FIFA World Cup has created an environment ripe for fraud: scarcity, urgency, and rapid money movement.

      In the past week, security researchers, the FBI, and various cybersecurity companies have raised alarms about a fraud operation that is already running, well-resourced, and expanding. The situation depicted is not about a few opportunistic phishing sites—it's a complex network of fake domains, banking malware, credential theft, and social media impersonation, all targeting the same period.

      **One operator, 300 cloned FIFA sites**

      Group-IB provided the most comprehensive findings, tracking over 4,300 fraudulent FIFA domains registered since August 2025. At the center of this is a group labeled Ghost Stadium, a financially motivated operation that runs a single phishing kit across more than 300 of these sites.

      The counterfeit pages are highly convincing, closely resembling fifa.com and replicating FIFA’s legitimate single sign-on login, operated by PingIdentity, including the accurate client ID copied from the live site. They directly load images from FIFA's own servers, making the pages appear genuine and evading detection tools for copied content.

      The strategy lies in the details: the fake login also prompts users to reset their passwords. When victims enter their credentials, attackers lock them out of their real FIFA accounts and resell any associated tickets. Most traffic is generated through Facebook ads with recycled tracking codes, plus links on Telegram, WhatsApp, and search results. Payment methods include card entry, money-transfer apps like Chime and Nequi, processors exclusive to Mexico, and a cryptocurrency option that converts card payments to crypto—a clear indicator, as FIFA’s official ticketing never accepts cryptocurrency.

      **13,000 domains and counting**

      FortiGuard Labs identified over 13,000 World Cup-themed domains registered between January and May, approximately 8.8% categorized as malicious or suspicious. The FBI’s public service announcement details numerous fake FIFA domains, ranging from misspelled copies to fraudulent job postings, and warns that more are on the way.

      Ticket fraud is just one facet. Group-IB also uncovered counterfeit merchandise stores, fake streaming sites that charge subscription fees while introducing malware, and fraudulent betting platforms that collect passport scans and selfies for identity theft. Bitdefender additionally tracked FIFA lottery emails offering payouts of up to $2 million.

      Group-IB estimates losses from premium and hospitality ticket fraud alone could reach between $71 million to $474 million, with the broader operations potentially costing billions. These figures are based on visible fraudulent infrastructure, not confirmed financial losses.

      **Banking malware in streaming apps**

      For fans looking for free match streams, the greater risk lies in mobile threats. ThreatFabric noted an increase in malicious unofficial streaming applications, many masquerading as the popular RojaDirecta, around the recent Champions League final, with expectations of a similar surge during the World Cup on an even larger scale.

      Kaspersky linked these apps to two Android banking trojan families: Massiv and Perseus. Neither is found on Google Play, so users must bypass Android’s built-in warnings to install them. Once installed, the malware uses accessibility features to overlay fake bank login screens on legitimate apps, records keystrokes, intercepts one-time codes from SMS and authenticator apps, and can remotely control the screen.

      Perseus, built on leaked code from the older Cerberus trojan, also reads note-taking apps to find saved passwords and cryptocurrency recovery phrases. The primary red flag, per ThreatFabric, is a streaming app requesting accessibility access, which no legitimate streaming app requires.

      **Social media, stolen credentials, and open Wi-Fi**

      Fortinet detected over 1,700 spoofed FIFA accounts, nearly 90% on Facebook and Instagram, alongside a scheme using fake FIFA job postings and calendar invites to redirect applicants to a lookalike Google login. Bitdefender identified more than 55 football-themed ad campaigns on Facebook and Instagram promoting counterfeit merchandise, fake Panini stickers, and phishing sites.

      Stolen FIFA login credentials are already circulating. Fortinet found hundreds of thousands of user names along with more than 4,600 FIFA-related URLs collected by credential-stealing malware families such as Vidar, LummaC2, and RedLine.

      Host city Wi-Fi poses its own risks. A Kaspersky survey conducted in Mexico City, Monterrey, and Guadalajara revealed that 10% to 12% of