World Cup Fever Creates a Perfect Target for Cybercriminals

Security researchers and law enforcement agencies are warning of a significant increase in FIFA World Cup-themed cybercrime ahead of the tournament kickoff on June 11.

With more than six million fans expected to attend matches across the United States, Canada, and Mexico, and FIFA receiving over 150 million ticket requests during the initial sales period, demand has dramatically exceeded supply.

The combination of high demand, limited ticket availability, and large financial transactions has created an ideal environment for fraud campaigns.

Thousands of Fake FIFA Websites Discovered

Researchers from Group-IB identified more than 4,300 fraudulent FIFA-related domains registered since August 2025.

At the center of the operation is a threat group known as GHOST STADIUM, a financially motivated Chinese-speaking cybercriminal operation responsible for more than 300 phishing websites.

The fraudulent sites closely mimic FIFA's legitimate portal and reproduce the organization's official single sign-on experience.

To increase credibility, attackers:

  • Use FIFA branding and imagery
  • Load images directly from FIFA servers
  • Reuse legitimate authentication parameters
  • Replicate official login workflows

The result is a highly convincing phishing experience capable of stealing user credentials.

Account Takeover and Ticket Theft

The phishing pages go beyond credential collection.

Victims are often prompted to:

  • Log in
  • Verify account information
  • Reset passwords

Once credentials are captured, attackers can:

  • Take over FIFA accounts
  • Lock legitimate users out
  • Access purchased tickets
  • Resell tickets through underground channels

Researchers estimate that premium ticket fraud alone may have generated tens or even hundreds of millions of dollars in illicit revenue.

Social Media and Advertising Fuel the Campaign

Much of the traffic to fraudulent FIFA websites originates from:

  • Facebook advertisements
  • Telegram channels
  • WhatsApp messages
  • Search engine results

Researchers observed identical advertising and tracking infrastructure reused across multiple phishing operations.

Cryptocurrency Payments Are a Major Warning Sign

Many fraudulent ticket sellers offer multiple payment options, including:

  • Credit cards
  • Money transfer applications
  • Alternative payment processors
  • Cryptocurrency

Security experts emphasize a simple rule:

Official FIFA ticket sales do not accept cryptocurrency payments.

Any seller requesting cryptocurrency should be treated as fraudulent.

More Than 13,000 World Cup-Themed Domains Registered

Additional research from FortiGuard Labs identified over 13,000 World Cup-related domains registered between January and May 2026.

Approximately:

  • 8.8% were classified as malicious or suspicious

Researchers also identified:

  • Thousands of fake social media profiles
  • Counterfeit merchandise stores
  • Fraudulent betting platforms
  • Fake FIFA employment portals

Banking Malware Hidden Inside Streaming Apps

Ticket scams are only one part of the threat landscape.

ThreatFabric and Kaspersky researchers identified malicious Android applications disguised as football streaming services.

Many impersonate popular streaming brands and unofficial sports platforms.

Instead of providing streams, the applications install banking trojans such as:

  • Massiv
  • Perseus

What the Malware Can Do

Once installed, the malware abuses Android accessibility services to gain extensive control over infected devices.

Capabilities include:

  • Credential theft
  • Banking overlay attacks
  • SMS interception
  • Multi-factor authentication bypass
  • Remote device control
  • Cryptocurrency theft

Researchers found that Perseus can additionally search note-taking applications for:

  • Passwords
  • Recovery phrases
  • Cryptocurrency wallet information

A streaming application requesting accessibility permissions should be considered highly suspicious.

Fake Merchandise and Lottery Scams

Researchers also identified numerous campaigns involving:

  • Fake World Cup merchandise
  • Counterfeit jerseys
  • Fraudulent Panini collectibles
  • Fake FIFA lottery winnings

Some phishing emails promise victims prizes worth millions of dollars in exchange for personal information or advance payments.

Stolen FIFA Credentials Already Circulating

Security researchers discovered large volumes of FIFA-related credentials within data collected by information-stealing malware families including:

  • Vidar
  • LummaC2
  • RedLine

These credentials can be used to facilitate:

  • Account takeovers
  • Ticket theft
  • Identity fraud

Public Wi-Fi Risks in Host Cities

Researchers surveying public networks in Mexico City, Monterrey, and Guadalajara found that:

  • 10–12% of wireless networks were completely open
  • Nearly half had WPS enabled

These conditions make it easier for attackers to deploy:

  • Rogue access points
  • Evil Twin hotspots
  • Traffic interception attacks

Travelers are encouraged to use mobile data whenever possible and avoid accessing sensitive accounts over public Wi-Fi.

How Fans Can Protect Themselves

Security experts recommend:

Buy Tickets Only Through Official Channels

  • Visit FIFA's website directly
  • Avoid links from advertisements
  • Verify URLs carefully

Enable Multi-Factor Authentication

Protect FIFA accounts with additional authentication layers whenever available.

Avoid Cryptocurrency Payments

Any ticket seller requesting cryptocurrency should be considered suspicious.

Download Apps Only From Official Stores

Avoid sideloading Android applications from unofficial sources.

Be Cautious on Public Wi-Fi

Use trusted networks or mobile connections when accessing:

  • Email accounts
  • Banking services
  • Payment platforms

Recommendations for Security Teams

Organizations should:

  • Monitor newly registered FIFA-themed domains
  • Detect lookalike login pages
  • Monitor stealer-log exposure involving employees
  • Prepare for increased fraud and chargeback activity
  • Watch for phishing campaigns targeting customers and staff

Researchers expect attack activity to remain elevated throughout the tournament period.

Looking Ahead

While several malicious campaigns have already been disrupted, researchers identified approximately 3,800 additional fraudulent FIFA domains that remain inactive but registered.

With phishing kits, credential theft tools, and ticket fraud services widely available, cybercriminal activity is expected to peak between:

June 11, 2026 – July 19, 2026

as fans search for tickets, accommodations, travel deals, and streaming options.

The World Cup may be one of the world's largest sporting events, but for cybercriminals, it has also become one of the year's largest opportunities for fraud.