The Fraud Infrastructure Launched Before the Tournament Did

The FIFA World Cup 2026 doesn’t kick off until June 11, but the fraud surrounding it has been operational for months. The FBI has issued warnings. Security firms have mapped thousands of fake domains. At least one organized group has been quietly harvesting FIFA account credentials and reselling the tickets attached to them — tickets that fans paid for with real money and can no longer access.

The scale of the opportunity is not subtle. FIFA reported more than 150 million ticket requests within the first 15 days of sales for a tournament that spans 16 cities across the United States, Canada, and Mexico, with over six million fans expected to attend. That makes the tournament roughly 30 times oversubscribed. When demand outpaces supply by that margin, secondary markets flood with desperation — and fraud follows desperation like water finding a drain.

What makes this cycle different from previous tournament fraud is the sophistication of the infrastructure already in place before a single match has been played.

One Group, 300 Cloned Login Pages

Group-IB’s researchers tracked more than 4,300 fraudulent FIFA-themed domains registered since August 2025. Inside that cluster, they identified a distinct operation they call GHOST STADIUM — a Chinese-speaking group running a single phishing kit distributed across more than 300 of those domains.

The fake sites don’t look fake. GHOST STADIUM’s pages replicate fifa.com closely enough to pass a casual inspection, and the imitation goes deeper than cosmetics. The group copied the genuine client ID from FIFA’s real single sign-on system, which runs on Ping Identity infrastructure, and embedded it into their fake login pages. The pages pull their images directly from FIFA’s own servers rather than hosting copies, which means image-detection tools that flag duplicate or hotlinked assets largely miss them. The effect is a page that looks and behaves like the real thing, because in several technical respects it is partially using the real thing.

The credential-theft mechanism includes a forced password reset. A victim who logs in through the fake page doesn’t just hand over their username and password — they’re walked through a reset flow that lets the attacker lock them out entirely before they realize anything has gone wrong. Any tickets connected to that FIFA account are then available to resell. Most of the traffic reaching these pages arrives through Facebook ads, with the same tracking codes reused across the entire GHOST STADIUM cluster, supplemented by links circulating on Telegram, WhatsApp, and in organic search results.
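The traits described above (official assets or the genuine client ID showing up on a page served from some other host, and one tracking code reused across many domains) can be turned into a triage check over fetched pages. This is an added example, not Group-IB's tooling or code from the reporting; the hostnames, asset URL, pixel ID and client ID placeholder are constructed, and it assumes the reused tracking code is a Facebook Pixel ID set with `fbq('init', ...)`.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "fifa.com"                      # official domain named in the article
CLIENT_ID = "PLACEHOLDER-CLIENT-ID"     # placeholder: the real SSO client ID is not given here
PIXEL_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")

def on_brand(host):
    host = (host or "").lower()
    return host == BRAND or host.endswith("." + BRAND)

class Signals(HTMLParser):
    """Counts assets loaded from the brand's servers and notes password inputs."""
    def __init__(self):
        super().__init__()
        self.brand_assets, self.has_password = 0, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "link", "script"):
            if on_brand(urlparse(a.get("src") or a.get("href") or "").hostname):
                self.brand_assets += 1
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def inspect(host, html):
    """Signals for one fetched page; only pages served off-brand can be flagged."""
    s = Signals()
    s.feed(html)
    off = not on_brand(host)
    return {"host": host, "pixels": set(PIXEL_RE.findall(html)),
            "reuses_client_id": off and CLIENT_ID in html,
            "hotlinked_login": off and s.has_password and s.brand_assets > 0}

def cluster_by_pixel(reports):
    """Group flagged hosts that share a Facebook Pixel ID (two or more hosts)."""
    groups = defaultdict(set)
    for r in reports:
        if r["hotlinked_login"] or r["reuses_client_id"]:
            for px in r["pixels"]:
                groups[px].add(r["host"])
    return {px: hosts for px, hosts in groups.items() if len(hosts) > 1}

LOGO = '<img src="https://www.fifa.com/logo.png">'    # constructed asset URL
PIXEL = "<script>fbq('init', '111222333');</script>"  # constructed pixel ID
SAMPLES = {  # constructed pages; lookalike hosts use the reserved .example TLD
    "fifa-tickets.example": LOGO + PIXEL + '<a href="/login?client_id=PLACEHOLDER-CLIENT-ID">Sign in</a><input type="password">',
    "wc26-login.example": LOGO + PIXEL + '<input type="password">',
    "fanblog.example": LOGO + "<p>Match previews</p>",
    "www.fifa.com": LOGO + '<input type="password">',
}
REPORTS = [inspect(h, html) for h, html in SAMPLES.items()]
```

A fan blog that merely embeds an official image is not flagged, because the check requires a password field or the client ID on the same off-brand page; the shared pixel ID then links the flagged hosts into one cluster for takedown or blocklisting.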

Payment options on these sites span five methods: direct card entry, third-party payment gateways, money-transfer apps including Chime and Nequi, Mexico-specific processors, and a crypto conversion option that takes a card payment and converts it into cryptocurrency. That last option matters because FIFA’s official ticketing platform does not accept cryptocurrency in any form. Any ticket seller demanding crypto payment is operating a scam — full stop. Group-IB estimates losses from premium and hospitality ticket fraud in this campaign at between $71 million and $474 million, with potential total losses reaching into the billions once the broader infrastructure is accounted for. Those figures reflect what the group can observe in the infrastructure, not confirmed theft.

13,000 Domains and a Market That Sells the Scam Kits Themselves

GHOST STADIUM is the most documented operation, but it isn’t the only one. FortiGuard Labs counted more than 13,000 World Cup-themed domains registered between January and May 2025, with approximately 8.8% flagged as malicious or suspicious. The FBI’s advisory lists dozens of fake FIFA domains — misspelled lookalikes, pages impersonating FIFA job postings, and more — and explicitly warns that additional domains continue to be registered as the tournament approaches. Researchers across multiple firms have also mapped over a thousand fake social media accounts tied to World Cup fraud.

The fraud isn’t limited to ticket theft. Group-IB documented counterfeit merchandise stores, fake betting sites collecting passport scans and selfies under the guise of identity verification, and bogus streaming sites that charge a subscription fee and then install malware giving the attacker full remote access to the victim’s device. Bitdefender separately tracked FIFA-branded lottery emails promising payouts of up to $2 million — a lower-sophistication operation, but one running at volume.

Perhaps the most structurally concerning finding is the presence of a phishing-as-a-service marketplace selling ready-made scam kits and ticket-buying bots. This means the barrier to launching a FIFA fraud operation is essentially a purchase, not a technical skill. Taking down one operator does little when the tools to launch the next one are available for sale.

The pieces interlock. Fake domains capture fans searching for tickets. Paid ads and search results drive traffic to those domains. Dumps of previously stolen passwords feed account-takeover attempts at scale. And for fans who bypass ticket sites entirely and go looking for free streams, there’s a separate threat waiting.

Banking Trojans Hidden Inside Streaming Apps

For anyone planning to watch matches through unofficial streams rather than buy tickets, the phone has become the primary attack surface. ThreatFabric documented a spike in malicious unofficial streaming apps around the recent Champions League final — many masquerading as RojaDirecta, a widely used unauthorized streaming platform — and assessed that World Cup 2026 will produce a larger version of the same pattern.

Kaspersky connected these apps to Android banking trojans: malware engineered specifically to steal credentials from banking apps and cryptocurrency wallets. A fan who sideloads a fake streaming app looking for a free match feed can end up with malware that runs silently in the background, waiting for them to open their banking app before capturing login details and draining accounts.

What the Attack Chain Actually Looks Like

The full sequence, pieced together from multiple firms’ findings, is worth tracing in order. A fan searches for World Cup tickets or streams. A fraudulent domain — possibly pushed by a Facebook ad using GHOST STADIUM’s tracking infrastructure, possibly surfaced in organic search results — captures that click. The fan either enters credentials on a fake FIFA login page, pays for tickets that don’t exist via a non-reversible method like crypto, or downloads a streaming app that installs a banking trojan. In parallel, compromised password dumps from unrelated breaches are being run against real FIFA accounts to find reuse matches. If one hits, the attacker logs in, resets the password, and lists the tickets.

There’s no single point of failure in this chain that, if addressed, breaks the whole operation.

How to Not Become Part of the Statistics

The defensive steps here aren’t complicated, but they do require ignoring the anxiety that comes with knowing 30 people wanted every ticket.

FIFA’s official ticketing operates exclusively through fifa.com and its verified partner channels. Ticket resale is handled through an official platform at a 10% maximum markup — anything above that, or through any other channel, sits outside FIFA’s protections. Cryptocurrency is not accepted anywhere in the legitimate ticket ecosystem, so a crypto payment request is not a grey area.

For account security specifically: FIFA accounts holding tickets should have a strong, unique password not reused anywhere else, and two-factor authentication enabled. The GHOST STADIUM operation targets reused credentials and accounts without 2FA, because those are the easiest to lock out and resell from.

Streaming apps should come from official sources. During the World Cup, match broadcasting rights are held by specific licensed broadcasters per country — the official FIFA site lists them by territory. An app not affiliated with a licensed broadcaster, regardless of how legitimate it looks, carries meaningful risk of being a trojan delivery mechanism.

The FBI advisory on World Cup fraud lists specific fake domains to avoid and is worth reading in full before any ticket purchase. It was published for a reason — at least some of those sites were already collecting payments when the warning went out.

One concrete number to hold onto: the official FIFA resale platform caps markups at 10%. A ticket listed at more than 110% of face value, anywhere, is already operating outside the rules. At 200% or 300% above face value through an unofficial channel, with crypto as the only payment option — that’s not a deal. That’s the $71 million problem, one transaction at a time.