27.05.2026
2 min
117
With only weeks left before the start of the 2026 FIFA World Cup, cybercriminals are already cashing in on football fans. Researchers have uncovered thousands of fake FIFA domains, sophisticated phishing schemes, and fraudulent ticket-selling websites that could generate billions of dollars for scammers.
Researchers at Group-IB uncovered a massive wave of scam campaigns disguised as official FIFA services. According to the company, at least six different fraud schemes linked to four separate threat groups are currently operating at the same time. Experts also identified more than 4,300 domains impersonating the official FIFA website and related services.
The researchers paid special attention to a campaign known as GHOST STADIUM. The Chinese-speaking threat actor built a large phishing infrastructure spanning more than 300 domains. The attackers created an almost pixel-perfect clone of the official FIFA website, complete with a fake SSO authentication system and support for 11 languages.
Users who land on these websites are immediately greeted with aggressive pop-ups offering “official” VIP tickets or hospitality packages. Victims are then pushed through a fully fake purchasing process designed to steal account credentials and bank card information.
According to Group-IB, the premium ticket scam alone could cause financial losses ranging from $71 million to $474 million. When all related campaigns are taken into account, the overall damage could reach billions of dollars.
Researchers also observed extensive use of Facebook ads to promote phishing pages. The malicious infrastructure contained three separate Meta Pixel IDs, indicating that the attackers were systematically using Meta’s advertising platform to lure victims to fake websites.
At the same time, GHOST STADIUM is not operating alone. Other groups are involved in mass-registering typo-squatted domains, selling phishing-as-a-service kits, and harvesting FIFA credentials through infostealer malware.
According to the researchers, scammers are currently running multiple attack schemes simultaneously, including:
FIFA account phishing;
fake ticket sales;
counterfeit merchandise stores;
fraudulent streaming platforms;
scam betting and casino websites;
credential theft through infostealer malware.
Even before the tournament begins, more than 2,500 pairs of FIFA account usernames and passwords are already being sold on dark web forums.
Although some fans have canceled hotel bookings and high ticket prices have reduced overall interest in the tournament, FIFA says more than 150 million ticket requests were submitted during the first 15 days of sales. Researchers believe this enormous audience makes the World Cup a perfect target for cybercriminals.
Security experts advise fans to purchase tickets only through official FIFA channels, carefully verify website addresses, and avoid clicking links from advertisements or suspicious messages.
