The 2026 FIFA World Cup will be one of the biggest sporting events in history. Millions of fans will be looking for tickets, hospitality packages, merchandise, streaming options, and travel deals. That level of excitement creates a huge opportunity not only for official sellers, but also for cybercriminals.
A recent investigation by cybersecurity company Group-IB warned about a large fraud ecosystem targeting football fans ahead of the tournament. The company reported more than 4,300 fraudulent domains impersonating FIFA since August 2025. More than 300 of those domains were described as actively running fraudulent infrastructure, while thousands more appeared parked or dormant.
One of the main groups identified in the report is called GHOST STADIUM. According to Group-IB, this is a Chinese-speaking, financially motivated threat actor running a phishing campaign across more than 300 domains. These fake websites are designed to look like FIFA's official pages, including ticketing and login flows.
This is not just a simple fake ticket scam. It is a full fraud operation built around urgency, brand impersonation, stolen credentials, fake payments, and social media traffic.
Why Major Sports Events Attract Cybercriminals
Big sporting events create the perfect conditions for scams.
Fans are emotionally invested. Tickets can be limited. Prices can be high. Official sales windows may feel confusing or competitive. People often act quickly because they are afraid of missing out.
Scammers understand this. They design their fraud around pressure. Their goal is to make victims click before thinking, buy before verifying, and log in before checking the website address.
For an event like the World Cup, criminals can target people in multiple ways: fake ticket sales, fake hospitality packages, counterfeit merchandise, fake livestreaming subscriptions, fraudulent betting pages, credential phishing, and malware-based credential theft.
The danger is that many of these scams look professional. A fake website may use official-looking branding, countdown timers, polished graphics, payment forms, and realistic login pages. To a fan in a hurry, it can look completely legitimate.
What GHOST STADIUM Is Accused of Doing
Group-IB's report describes GHOST STADIUM as a financially motivated phishing operation. The group allegedly uses fake FIFA-themed domains to trick users into believing they are visiting official World Cup ticketing or account pages.
The fake sites reportedly imitate FIFA's website design and login experience. A victim may arrive through an ad, a search result, a messaging app link, or a redirect from another site. Once there, the user may be prompted to buy tickets, log in, register an account, or enter payment information.
The scam can collect sensitive data including email addresses, passwords, full names, phone numbers, home addresses, payment card details, FIFA account credentials, and other personal information useful for fraud.
In some cases, after stealing the victim's login details, a fake page may redirect the person to the real FIFA website. This makes the experience feel normal and reduces suspicion. The victim may think the login simply worked. Many phishing attacks are not obvious a person may not realize they were scammed until much later, when they notice a suspicious charge or discover that their ticket never existed.
The Six Major Fraud Types Fans Should Understand
Group-IB identified several types of fraud connected to this World Cup scam ecosystem. Each works slightly differently, but they all rely on trust, urgency, and impersonation.
Credential phishing is when scammers trick people into entering usernames and passwords on a fake login page. A fan may believe they need to log in to buy tickets, check availability, or access a hospitality offer. Once the victim enters their details, the attacker can steal the credentials. If the same password is reused elsewhere, the risk spreads attackers commonly try stolen email and password combinations on banking sites, email accounts, social media platforms, and travel booking services.
Fake ticket sales are among the most common scams around major events. A fake website may claim to offer tickets that are sold out elsewhere, complete with seat maps, categories, prices, and checkout pages. The victim pays, but no real ticket is issued. Some scams simply take the money and disappear. Others collect payment information and personal details at the same time.
Fake hospitality packages are attractive targets because they are expensive. These packages can include premium seats, lounge access, food, hotel arrangements, or special experiences. Because the prices are higher, criminals can steal more from a single victim. Group-IB estimated that premium and hospitality ticket fraud alone could cause losses between $71 million and $474 million.
Counterfeit merchandise stores copy official branding or claim to sell licensed products. Victims may receive low-quality counterfeits, nothing at all, or simply have their payment details stolen. These stores often spread through social media ads and temporary domains, and rely on heavy discounts to create urgency.
Fake streaming platforms exploit fans who want to watch matches online. A fake streaming site may ask users to create an account, enter a card for a "free trial," or download a player. These sites can steal payment details, sign users up for unwanted charges, or push malware. Streaming scams are especially effective during live events because urgency helps attackers.
Fraudulent betting and casino sites advertise World Cup odds, bonuses, or free bets. Victims may deposit money and never be able to withdraw it, while also handing over identity documents or crypto payments. These scams combine financial pressure with personal data collection.
The Infostealer Angle
Group-IB also reported that 2,513 FIFA account credential pairs connected to fifa.com and fifa.org were already circulating on dark-web markets, likely collected through infostealer malware campaigns.
An infostealer is a type of malware designed to collect saved passwords, browser cookies, login sessions, crypto wallet data, and other sensitive information from a device. A person does not always have to type their password into a phishing page to lose it. If their device is infected, credentials saved in the browser may already be exposed.
Common infection paths include downloading fake streaming software, opening malicious email attachments, installing cracked or pirated apps, clicking fake browser updates, running unknown files shared through Telegram or Discord, and installing browser extensions from untrusted sources.
How These Scams Reach Victims
Group-IB says Facebook Ads were a major traffic source for the GHOST STADIUM campaign. Many people assume paid ads are safer than random links. In reality, malicious ads can still appear before platforms detect and remove them.
Scammers also use social media posts, search engine ads, fake resale communities, Telegram and WhatsApp messages, redirect chains, email campaigns, and impersonated customer support accounts.
The first page a victim sees may not look suspicious. Some scams use redirect chains a person clicks one link and is silently forwarded through several domains before landing on the final fake site, making it harder to understand where they actually ended up.
Red Flags of a Fake World Cup Website
The domain looks slightly wrong. Scammers register domains that look close to the real brand, adding words like "tickets," "vip," "hospitality," "worldcup," or "official." Watch for extra words, misspellings, strange domain endings, hyphens used to imitate official branding, or recently created domains. A professional-looking website does not prove the domain is safe.
The offer feels too good to be true. Huge discounts, guaranteed seats, instant VIP access, or sold-out tickets suddenly becoming available should raise concern.
The site creates pressure. Countdown timers, "only 2 tickets left," or "complete payment now" messages are tools designed to stop you from checking.
The payment method is unusual. Be careful if a seller asks for payment through crypto, wire transfer, peer-to-peer apps, gift cards, or direct bank transfer. These methods are often harder to reverse.
The login page appeared after clicking an ad. It is safer to open a new tab and manually navigate to the official site rather than trusting the link from an ad or social post.
Defensive Steps for Fans
Use official ticketing channels only. For World Cup tickets, start from official FIFA channels. Type the address directly into your browser or use a trusted bookmark you created yourself.
Check the website address before logging in. Before entering a password or payment details, look carefully at the actual domain not just whether the page has the FIFA logo. Logos can be copied. The domain cannot be faked if you type it yourself.
Do not reuse passwords. Use a unique password for your FIFA account and any ticketing-related account. A password manager can help create and store strong unique passwords.
Turn on multi-factor authentication where available. Even if a password is stolen, the attacker may not be able to access the account without a second factor. Use an authenticator app where possible SMS is better than nothing but weaker than app-based authentication.
Be skeptical of social media ads. A polished ad does not guarantee legitimacy. Instead of clicking the ad, manually visit the official website and look for the same offer there.
Keep your device clean. Avoid downloading unofficial streaming apps, cracked software, or unknown browser extensions. Keep your browser, operating system, and security software updated.
Do not trust screenshots as proof. A scammer may send screenshots of tickets, invoices, or QR codes. These can be edited or stolen from real buyers. A screenshot is not proof that a ticket is valid or transferable.
Slow down before paying. Scammers win when people rush. Before sending money, verify: Is this an official website? Did I reach it through a trusted path? Is the domain correct? Is the payment method normal? Can I find the same offer through official channels?
What to Do if You Already Entered Your Information
If you entered a password: Change it immediately from the official website. If you reused it elsewhere, change it on those accounts too prioritize email, banking, payment apps, social media, and travel accounts.
If you entered card details: Contact your bank or card provider. Explain that your details may have been entered on a fraudulent website. Ask whether the card should be frozen, replaced, or monitored. Check recent transactions carefully.
If you downloaded a file: Disconnect from sensitive accounts and run a malware scan. Consider changing passwords from a different, trusted device. On an infected machine, new passwords may also be captured.
If you bought fake tickets: Save evidence the website address, emails or receipts, payment records, screenshots, and any seller profiles or ad links. Report the fraud to your bank, the platform where you found the ad, and the relevant fraud reporting authority in your country.
Why Parked Domains Still Matter
Group-IB reported that many suspicious FIFA-themed domains were parked or dormant. That does not mean they are harmless.
Scammers often register domains early and activate them when public interest spikes. A parked domain today can become a phishing site the moment ticket sales open or a high-demand match approaches. Fans should stay cautious throughout the entire tournament cycle, not only during the first sale window.
The Bigger Lesson
The GHOST STADIUM campaign shows how modern event fraud works. Scammers do not rely on a single fake website. They build networks of domains, ads, phishing pages, payment flows, and stolen credential markets.
The main lesson for fans is simple: excitement should not replace verification. The more urgent an offer feels, the more carefully it should be checked.
One question worth asking before trusting any World Cup page: would I still trust this site if the FIFA logo were removed? A scam website often depends entirely on copied branding. If the trust disappears when the logo disappears, the site may not have real credibility.
Sources: - Group-IB GHOST STADIUM: Football Fraud Campaign Targeting FIFA World Cup 2026 Fans