# World Cup 2026: The Cyber Scammers' Early Kick-Off
With the **FIFA** World Cup 2026 still two years away, cybersecurity researchers and the **FBI** are already sounding the alarm over a massive wave of fraud targeting eager fans. Threat actors are deploying sophisticated phishing campaigns, banking malware, and credential-stealing operations, leveraging record-breaking ticket demand and fan excitement to compromise accounts and steal financial data. IT security professionals and privacy-conscious users must remain vigilant against these evolving threats.
Security researchers and the **FBI** are warning that a wave of **FIFA**-themed fraud is already hitting World Cup 2026 fans, days before the June 11 kickoff.
Recent reports describe thousands of lookalike **FIFA** domains, banking malware hidden inside pirate streaming apps, and at least one operation that copies **FIFA**'s login page well enough to take over real accounts.
It is an obvious target. More than six million fans are expected across 16 cities in the United States, Canada, and Mexico, and **FIFA** said it received more than 150 million ticket requests in the first 15 days, leaving the tournament around 30 times oversubscribed. Tickets are scarce, fans are anxious, and money is moving fast, precisely the conditions fraudsters exploit.

## One Operator, 300 Cloned FIFA Sites
The most detailed findings come from **Group-IB**, which tracked more than 4,300 fraudulent **FIFA** domains registered since August 2025. At the center is a group it calls **GHOST STADIUM**, a Chinese-speaking, money-driven operation running one phishing kit across more than 300 of those sites.
The fake is highly sophisticated. The page is a near-perfect copy of fifa.com that mimics **FIFA**'s real single sign-on login, which is run by **Ping Identity**, down to the genuine client ID copied from the live site. It loads its images straight from **FIFA**'s own servers, which makes the page appear authentic and lets it slip past tools that flag copied images.
Crucially, the fake login page also prompts users to reset their password. Once a victim enters their details, the attacker can lock them out of their own **FIFA** account and resell any tickets tied to it.
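
Because the cloned pages load images straight from the real servers, those image requests can show up in the origin's access logs with the clone's address in the Referer header. The following sketch is an added example, not code from Group-IB or FIFA: it assumes Combined Log Format logs and uses constructed log lines with reserved example hostnames and documentation IP addresses.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

OWN_DOMAINS = {"fifa.com"}  # brand origin named in the article; extend as needed
ASSET_RE = re.compile(r"\.(?:png|jpe?g|svg|webp|gif|ico)(?:\?|$)", re.I)
# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)"'
)

def is_own(host):
    """Exact match or true subdomain only; 'fifa.com.evil.test' must not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)

def hotlinking_referers(lines):
    """Return {foreign referer host: {"hits": n, "clients": {ip, ...}}}."""
    found = defaultdict(lambda: {"hits": 0, "clients": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not ASSET_RE.search(m["path"]):
            continue  # unparsable line, or not an image request
        host = urlsplit(m["ref"]).hostname  # None when the referer is "-" or empty
        if host is None or is_own(host):
            continue
        found[host]["hits"] += 1
        found[host]["clients"].add(m["ip"])
    return dict(found)

def _line(ip, path, ref):
    """Build one constructed Combined Log Format line for the sample below."""
    return (f'{ip} - - [01/Jan/2026:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 5120 "{ref}" "Mozilla/5.0"')

# Constructed sample: reserved example/test names and documentation IPs only.
SAMPLE_LOG = [
    _line("203.0.113.7", "/assets/logo.svg", "https://www.fifa.com/en/tickets"),
    _line("198.51.100.23", "/assets/logo.svg", "https://fifa-tickets.example/login"),
    _line("198.51.100.24", "/assets/hero.jpg?v=3", "https://fifa-tickets.example/login"),
    _line("192.0.2.50", "/assets/logo.svg", "https://www.fifa.com.signin.test/auth"),
    _line("192.0.2.51", "/assets/logo.svg", "-"),
    _line("192.0.2.52", "/en/tickets", "https://fifa-tickets.example/login"),
]

if __name__ == "__main__":
    for host, stats in sorted(hotlinking_referers(SAMPLE_LOG).items()):
        print(f'{host}: {stats["hits"]} asset hits from {len(stats["clients"])} clients')
```

Requests that arrive without a Referer are skipped, so this only surfaces clones whose visitors' browsers send one. The dot-boundary check in `is_own` is what keeps a hostname that merely begins with the brand's domain from being treated as legitimate.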

Most of the traffic originates from Facebook ads, with the same tracking codes reused across the entire cluster, as well as links on Telegram, WhatsApp, and in search results. The site accepts payment in five different ways: straight card entry, outside payment gateways, money-transfer apps like Chime and Nequi, Mexico-only processors, and a cryptocurrency option that converts a card payment into crypto, which is much harder to recover.
This last option is a handy tell, as **FIFA**'s official ticketing never accepts cryptocurrency. Any seller asking for it is running a scam.
**Group-IB** estimates potential losses from premium and hospitality ticket fraud alone at $71 million to $474 million, suggesting the entire campaign could amount to billions. These are estimates based on observed infrastructure, not confirmed losses.
## Beyond Phishing: A Deluge of Scams
The threat landscape extends beyond **Group-IB**'s findings. **FortiGuard Labs** counted more than 13,000 World Cup-themed domains registered between January and May, with approximately 8.8% identified as malicious or suspicious.
The **FBI** advisory lists dozens of fake **FIFA** domains, ranging from misspelled lookalikes to phony **FIFA** job pages, and warns that more are emerging. Other researchers have mapped thousands more lookalike sites and over a thousand fake social accounts.
Ticket fraud is just one facet of the problem. **Group-IB** also uncovered counterfeit merchandise shops, bogus streaming sites that charge a subscription fee and then install malware, and fake betting sites that collect passport scans and selfies for identity theft.
**Bitdefender** separately tracked **FIFA** lottery emails promising payouts of up to $2 million. **Group-IB** also flagged a "phishing-as-a-service" market that sells ready-made scam kits and ticket-buying bots, making takedowns of individual operators largely ineffective.

The pieces fit together: fake domains capture ticket searches, ads and search results drive traffic, stolen-password dumps feed account takeovers, and sideloaded apps turn stream-hunting into bank fraud.
## Banking Malware Lurking in Streaming Apps
For fans seeking free match streams, the greater danger often lies on their mobile devices. **ThreatFabric** observed a spike in malicious unofficial streaming apps, many impersonating the popular RojaDirecta, around the recent Champions League final. They anticipate a larger-scale repeat during the World Cup.
**Kaspersky** tied these same apps to Android banking trojans, malware designed to drain money from banking and crypto apps. They identified two prominent families: **Massiv** and **Perseus**. These apps are not available on Google Play, meaning installation requires users to bypass standard security warnings.
Once installed, the malware leverages Android's accessibility tools to gain control of the phone. It can overlay fake bank login screens onto legitimate applications, record keystrokes, intercept one-time passwords (OTPs) from text messages and authenticator apps, and remotely control the screen.

**Perseus**, notably built on the leaked code of an older Trojan called **Cerberus**, even reads note-taking apps for saved passwords and crypto recovery phrases. The simplest red flag, according to **ThreatFabric**, is a streaming app requesting accessibility access, for which it has no legitimate reason.
## Social Engineering, Stolen Credentials, and Public Wi-Fi Risks
Social media platforms are equally crowded with scams. **Bitdefender** found more than 55 football-themed ad campaigns on Facebook and Instagram, promoting counterfeit kits, fake Panini stickers, and phishing pages. Two of the merchandise operations were traced back to Chinese operators via their ad-tracking tags.
**Fortinet** counted over 1,700 spoofed **FIFA** accounts, with nearly 90% found on Facebook and Instagram, along with a scheme that used fake **FIFA** job ads and calendar invites to direct applicants to a lookalike Google login page.

Stolen **FIFA** logins are already circulating. **Fortinet** discovered hundreds of thousands of user logins, plus more than 4,600 **FIFA** web addresses, in data swept up by credential-stealing malware like **Vidar**, **LummaC2**, and **RedLine**.
Host-city Wi-Fi networks pose their own set of problems. Public Wi-Fi, especially unsecured networks, can be easily exploited by attackers to intercept data, deliver malware, or conduct man-in-the-middle attacks. Users should exercise extreme caution and consider using a VPN when connecting to public networks.