The Setup
The FIFA World Cup 2026 tournament kicks off June 11 across the United States, Canada, and Mexico. Six million fans are expected to attend, and FIFA reported over 150 million ticket requests in the first 15 days. Tickets are scarce. Money is flowing fast. Desperation is high.
This is exactly what fraud needs.
The Scale of the Problem
Security research firms are tracking a wave of sophisticated FIFA-themed scams that started months ago:
- Group-IB found over 4,300 fraudulent FIFA domains registered since August 2025. At least 300 of them are running the same phishing kit.
- FortiGuard Labs counted over 13,000 World Cup-themed domains registered in just five months, with 8.8% flagged as malicious or suspicious.
- The FBI issued a public service alert listing dozens of fake FIFA domains and warning that more are coming.
- Other researchers mapped thousands of additional lookalike sites and over 1,000 fake FIFA social accounts.
The Ticket Fraud Operation
The most dangerous scam centers on a group researchers call GHOST STADIUM. They created phishing pages that are near-perfect clones of fifa.com, complete with a fake single sign-on login that mimics FIFA's real authentication system (powered by Ping Identity).
The fake page even loads images directly from FIFA's own servers, which makes it look legitimate and helps it bypass image-copy detection tools. Once someone enters their FIFA account credentials, the attackers lock them out and resell any tickets tied to that account.
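Hotlinked images also leave a trace on the legitimate origin. As an added example (not from the original article or any researcher's tooling), this sketch shows how a brand owner's defenders could scan web server access logs for image requests whose Referer is a foreign host. The log lines, asset paths, and domains are constructed, and the allow-list is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: only these registrable domains may embed the brand's images.
ALLOWED_SUFFIXES = ("fifa.com",)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".svg", ".webp", ".gif")

# Combined Log Format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def is_allowed(host):
    """True for the brand domain or a real subdomain, not a lookalike."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def foreign_embedders(log_lines):
    """Count image fetches per Referer host that is not on the allow-list."""
    hits = Counter()
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a GET/HEAD line in the expected format
        if not urlsplit(m["path"]).path.lower().endswith(IMAGE_EXT):
            continue  # only image assets are of interest here
        host = urlsplit(m["referer"]).hostname
        if host is None or is_allowed(host):
            continue  # empty Referer ("-") or a legitimate page
        hits[host] += 1
    return hits

# Constructed sample log (documentation IPs, reserved .example/.test domains,
# hypothetical asset paths).
T = "[11/Jun/2026:10:00:00 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {T} "GET /assets/logo.svg HTTP/1.1" 200 5120 "https://www.fifa.com/en/tickets" "Mozilla/5.0"',
    f'192.0.2.10 - - {T} "GET /assets/logo.svg HTTP/1.1" 200 5120 "https://fifa-tickets.example/login" "Mozilla/5.0"',
    f'192.0.2.11 - - {T} "GET /assets/hero.jpg?v=3 HTTP/1.1" 200 88211 "https://fifa-tickets.example/login" "Mozilla/5.0"',
    f'192.0.2.12 - - {T} "GET /assets/logo.svg HTTP/1.1" 200 5120 "https://fifa.com.secure-login.test/sso" "Mozilla/5.0"',
    f'192.0.2.13 - - {T} "GET /assets/logo.svg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'192.0.2.14 - - {T} "GET /api/matches HTTP/1.1" 200 300 "https://fifa-tickets.example/login" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, n in foreign_embedders(SAMPLE_LOG).most_common():
        print(f"{n:4d} image fetches embedded by {host}")
```

A page can suppress the Referer header, so an empty result does not prove that no clone is hotlinking the images.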
The traffic mostly comes from Facebook ads, plus links on Telegram, WhatsApp, and search results. The operators accept payment five different ways: card entry, outside gateways, money-transfer apps like Chime and Nequi, Mexico-only processors, and cryptocurrency. That crypto option is a giveaway: FIFA's official ticketing never takes crypto.
Researchers estimate losses from premium and hospitality ticket fraud alone could reach $71 million to $474 million. The whole campaign could top billions.
Banking Malware in Streaming Apps
For fans looking for free streams, the risk is even worse. Security researchers found spikes in malicious streaming apps, many posing as RojaDirecta (a popular football streaming site). These apps are not on Google Play, so installing them means ignoring Android warnings.
Once installed, they use Android's accessibility tools to take over your phone. The malware can:
- Display fake bank login screens over real apps
- Record everything you type
- Intercept one-time SMS codes and authenticator app codes
- Read saved passwords in note-taking apps and notes sections
- Control your phone remotely
Researchers tied these apps to Android banking trojans with names like Massiv and Perseus (built on the leaked code of an older malware called Cerberus). The simplest red flag: any streaming app asking for accessibility access has no legitimate reason to need it.
The Rest of the Scam Stack
The fraud ecosystem includes:
- Counterfeit merchandise shops selling fake official gear
- Bogus streaming sites that collect subscription fees and install malware
- Fake betting sites that demand passport scans and selfies for identity theft
- FIFA lottery emails promising payouts up to $2 million
- Phishing-as-a-service markets selling ready-made scam kits and ticket bots
- Spoofed FIFA accounts on Facebook and Instagram (over 1,700 found)
- Fake FIFA job ads sending applicants to phishing pages disguised as Google login
- Stolen FIFA credentials already circulating from credential-stealing malware
The Open Wi-Fi Problem
In host cities like Mexico City, Monterrey, and Guadalajara, research found that 10-12% of Wi-Fi networks are open and password-free, with WPS pairing still enabled on nearly half. This creates easy openings for rogue "evil twin" hotspots that copy a real network and quietly intercept traffic.
If you're in a host city, avoid logging into bank or email accounts on public Wi-Fi.
How to Protect Yourself
For ticket purchases: Buy only through fifa.com. Type the address yourself instead of trusting ads or search results. Turn on multi-factor login. Treat any seller asking for cryptocurrency as a scam.
For streaming: Avoid apps not on Google Play or Apple's App Store. Any streaming app asking for accessibility access is suspicious.
For public Wi-Fi in host cities: Use mobile data when possible. Avoid accessing banks or email on open networks.
The FBI is asking anyone who has been scammed to report it at IC3.gov. Meta says it is showing warning pop-ups when people search Facebook for FIFA tickets.
The Window of Opportunity
Researchers estimate the busiest fraud window will be June 11 to July 19, when searches for tickets, streams, and travel will be at peak volume. That's when scammers will be most active.
Sources
Group-IB: GHOST STADIUM — the football fraud operation exploiting World Cup 2026 tickets
FBI IC3: Public Service Announcement - FIFA World Cup 2026 Fraud
Meta: Protecting players and fans during FIFA World Cup 2026