Scams related to the FIFA World Cup 2026 are currently ongoing, including counterfeit websites and malware.
TL;DR: Over 4,300 fraudulent FIFA domains, banking malware in illegal streaming applications, and phishing operations aimed at collecting credentials are targeting fans ahead of the 2026 World Cup kickoff on June 11. Warnings have been issued by the FBI, Group-IB, Fortinet, and Kaspersky.
As the most oversubscribed sporting event ever, the 2026 FIFA World Cup has already attracted over 150 million ticket requests in the first 15 days, with only six million seats available across 16 cities in the US, Canada, and Mexico. This situation creates ideal conditions for fraud—scarcity, urgency, and quick financial transactions. Cybersecurity experts and federal investigators have reported an active and expanding fraud network. This involves more than just a few opportunistic phishing sites; it comprises a complex ecosystem of fake domains, malware, credential theft, and social media impersonation, all converging at the same time.
One operator is running 300 cloned FIFA websites. Group-IB's in-depth research has uncovered over 4,300 fraudulent FIFA domains created since August 2025. Central to this operation is a group known as Ghost Stadium, a Chinese-speaking, profit-driven enterprise managing a phishing kit across more than 300 of these sites.
The imitation is strikingly accurate. The fraudulent page closely resembles fifa.com, replicating FIFA's legitimate single sign-on login powered by PingIdentity, including the authentic client ID sourced from the actual site. It loads images directly from FIFA’s servers, lending it an air of legitimacy that evades detection by asset-monitoring tools.
The deception lies in the specifics; the fake login also prompts users to reset their passwords. When victims input their credentials, the attackers lock them out of their genuine FIFA accounts and resell any tickets associated with those accounts. Most traffic to these sites originates from Facebook ads using recycled tracking codes, along with links shared on Telegram, WhatsApp, and search results. Payment methods include card details, money-transfer applications like Chime and Nequi, Mexico-specific processors, and even a cryptocurrency option that converts card payments. The acceptance of cryptocurrency is a key indicator of fraud, as FIFA’s official ticket sales do not allow it.
FortiGuard Labs has identified over 13,000 World Cup-themed domains registered between January and May, with about 8.8% being categorized as malicious or suspicious. The FBI's public service announcement lists numerous fake FIFA domains, including misspelled versions and fraudulent job postings, warning that more will likely appear.
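A defender screening newly registered domains for the misspelled and brand-embedding names described above could triage them as follows. This is an added example, not code from the article or from any of the vendors it cites; the hostnames are constructed on reserved TLDs, and the function names and the edit-distance threshold of 1 are assumptions of this sketch.

```python
OFFICIAL = "fifa.com"   # the official ticketing domain named in the article
BRAND = "fifa"

# Constructed sample hostnames (reserved .example TLD), not real indicators.
SAMPLE_HOSTS = [
    "www.fifa.com",
    "fifa.com.login.example",    # official name used as a subdomain prefix
    "notfifa.com",               # ends with "fifa.com" but is another domain
    "fiffa-tickets.example",     # one-character misspelling
    "stadium-guide.example",
]

def edit_distance(a, b):
    """Levenshtein distance, iterative two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname):
    """Label a hostname as official, a lookalike, or unrelated."""
    host = hostname.strip().lower().rstrip(".")
    # Exact match or a true subdomain only; a bare endswith("fifa.com")
    # would wrongly accept "notfifa.com".
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    # Split labels on dots and hyphens so "fifa-tickets" yields "fifa".
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    if any(BRAND in t for t in tokens):
        return "lookalike: brand embedded"
    if any(len(t) >= 3 and edit_distance(t, BRAND) == 1 for t in tokens):
        return "lookalike: misspelling"
    return "unrelated"

def triage(hosts):
    """Map each hostname to its label."""
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_HOSTS).items():
        print(f"{host:28} {label}")
```

With a four-letter brand, distance-1 matching will also flag unrelated short words, so the output is a review queue rather than a blocklist.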
Ticket fraud is merely one aspect of these scams. Group-IB also discovered counterfeit merchandise websites, fake streaming services that charge subscriptions before installing malware, and phony betting platforms that collect personal information for identity theft. Additionally, Bitdefender tracked FIFA lottery emails claiming potential payouts of up to $2 million.
For fans seeking free streaming of matches, the greater risk lies with mobile devices. ThreatFabric has seen an increase in harmful unofficial streaming applications, many masquerading as the renowned RojaDirecta, especially around the recent Champions League final, and anticipates a similar surge, on a larger scale, during the World Cup. Kaspersky linked these apps to two families of Android banking trojans: Massiv and Perseus. Since these apps aren't available on Google Play, installing them requires bypassing Android's security warnings. Once active, the malware employs accessibility features to display fake bank login screens over real applications, record keystrokes, intercept SMS and authenticator one-time codes, and remotely control the screen.
Perseus, built on leaked code from the older Cerberus trojan, can even extract saved passwords and crypto recovery phrases from note-taking applications. As ThreatFabric notes, a streaming app requesting accessibility access is a significant red flag—no legitimate streaming application should require this permission.
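The accessibility red flag can be checked before an app is ever installed. The following is an added example, not code from the article or from ThreatFabric or Kaspersky: it assumes the APK's AndroidManifest.xml has already been decoded to text (for instance with apktool), the sample manifest and package name are constructed, and the choice of extra permissions to flag is this example's own.

```python
import xml.etree.ElementTree as ET  # for untrusted APKs, prefer a hardened parser such as defusedxml

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# Permissions matching behaviours described above (SMS interception,
# screens drawn over other apps); the selection is an assumption.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can receive incoming SMS (one-time codes)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
}

# Constructed sample: decoded manifest of a hypothetical sideloaded "streaming" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freestream">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Free Match Stream">
    <activity android:name=".PlayerActivity"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def review_manifest(manifest_xml):
    """Return a list of findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for service in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in service.iter("action")}
        # Either marker identifies a service meant to be bound as an accessibility service.
        if (service.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
                or ACCESSIBILITY_ACTION in actions):
            findings.append(f"accessibility service declared: {service.get(ANDROID_NS + 'name')}")
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in RISKY_PERMISSIONS:
            findings.append(f"{name}: {RISKY_PERMISSIONS[name]}")
    return findings

if __name__ == "__main__":
    for finding in review_manifest(SAMPLE_MANIFEST):
        print(finding)
```

An empty result does not clear an app, since a dropper can fetch its payload after installation; a non-empty one on a video player is reason enough not to install it.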
Fortinet identified over 1,700 spoofed FIFA accounts, primarily on Facebook and Instagram, along with a scheme using fake FIFA job advertisements and calendar invites to redirect job-seekers to imitation Google login pages. Bitdefender documented over 55 football-themed ad campaigns on Facebook and Instagram promoting counterfeit merchandise and phishing sites.
Stolen FIFA account credentials are already in circulation. Fortinet has uncovered hundreds of thousands of user credentials, as well as over 4,600 FIFA-related URLs generated by credential-stealing malware families such as Vidar, LummaC2, and RedLine.
Open Wi-Fi networks in host cities pose additional threats. A Kaspersky survey spanning Mexico City, Monterrey, and Guadalajara revealed that 10% to 12% of networks were open and lacked passwords, with nearly half still having the WPS pairing feature active. This weakness lets "evil twin" hotspots mimic legitimate networks and quietly intercept traffic.
What to look out for: The scams have recognizable signs. Purchase tickets only through fifa.com, typing the address directly rather than following an ad or search result. Enable multi-factor authentication and be cautious of sellers requesting cryptocurrency. For streaming apps on Android
