TL;DROver 4,300 fake FIFA domains, banking malware in pirate streaming apps, and credential-harvesting phishing operations are already targeting World Cup 2026 fans ahead of the 11 June kickoff. The FBI, Group-IB, Fortinet, and Kaspersky have all published warnings.
The most oversubscribed sporting event in history is also the most phished. With more than 150 million ticket requests in the first 15 days and just six million seats across 16 cities in the US, Canada, and Mexico, the 2026 FIFA World Cup has created exactly the conditions that fraud thrives on: scarcity, urgency, and money moving fast.
Security researchers, the FBI, and multiple cybersecurity firms have published warnings in the past week describing a fraud infrastructure that is already operational, well-resourced, and scaling. The picture that emerges is not a handful of opportunistic phishing pages. It is a layered ecosystem of fake domains, banking malware, credential theft, and social media impersonation, all converging on the same window.
One operator, 300 cloned FIFA sites
The most detailed findings come from Group-IB, which tracked more than 4,300 fraudulent FIFA domains registered since August 2025. At the centre is a group it calls Ghost Stadium, a Chinese-speaking, financially motivated operation running a single phishing kit across more than 300 of those sites.
