The 2026 FIFA World Cup is about to begin, and the Pirates are ready. Cybersecurity researchers have uncovered more than 4,300 fake sites imitating the official FIFA platform, designed to steal tickets, banking details and identities. The FBI also sounded the alarm.
The 2026 FIFA World Cup doesn’t begin until June 11, 2026, but cybercriminals have already started exploiting the event as part of their activities. Researchers from Group-IB, one of the world’s cybersecurity specialists, have discovered a mountain of sites imitating the official fifa.com website. It is through the website of the Fédération Internationale de Football Association that supporters can buy tickets for sporting events.
Three shared #MetaPixel IDs are embedded identically across all 300+ GHOST STADIUM domains, confirming the same adversary is actively paying #Facebook to promote phishing pages through paid ads. This exploitation of Meta’s advertising platform as the primary traffic acquisition… pic.twitter.com/zmRQbO0WeE
— Group-IB Global (@GroupIB) May 27, 2026
Also read: All users of this pirate VPN have been identified by the police
Thousands of fake websites are flooding the Internet
More than 4,300 fraudulent domains were discovered by researchers during their investigations. All these domains were registered after August 2025. There is an almost perfect copy of the official site, with a login page, visual identity, logos, and even a Google Translate widget to inspire confidence in Internet users. The sites are available in 11 different languages. This is proof that this is a global campaign.
The procedure is classic, but extremely effective. Concretely, when a victim arrives on one of these fake sites, they are greeted by an urgent pop-up window. This highlights ticket offers at ridiculously low prices. For example, places officially sold for several thousand euros are offered for the modest sum of 60 euros. To encourage Internet users to buy without thinking, pirates display a countdown, suggesting that the number of remaining places is limited.
“Major sporting events attract fraud like a magnet. Huge demand, a limited number of tickets and the fear of missing their country’s match are pushing fans to act quickly. The scammers know it »explains Yuan Huang, global head of fraud intelligence at Group-IB.
Facebook ads as a starting point
To make the purchase, the victim enters their FIFA identifiers. With the collected credentials, hackers can log in to the account and steal any real tickets already purchased by the victim. Then, the target is redirected to a fake payment form which collects the name, address, telephone number, and banking details.
To spread fraudulent sites, cybercriminals distributed a mountain of sponsored ads on Facebook. Group-IB researchers noticed that the same advertiser was behind the advertisements. The scams are also distributed on Telegram and WhatsApp. Some of these fake sites even appear in Google search results. They managed to slip into real Google results for FIFA-related queries, alongside the official website.
Also read: More than a year of cyberattacks – Glassworm, the almost indestructible Russian botnet, was neutralized by CrowdStrike and Google
An operation signed “GHOST STADIUM”
Behind this large-scale operation, we find a Chinese group, called “GHOST STADIUM” by Group-IB researchers, and which is at the origin of a phishing kit of the same name. However, GHOST STADIUM is only the tip of the iceberg. Group-IB has in fact identified four distinct criminal groups operating simultaneously and targeting Internet users interested in the Football World Cup. These small criminal groups have mainly put fake banknote sites online. The report pinpoints sites that were able to do more 47,400 victimsfor losses estimated between $71 and $474 million. Losses “Total campaign figures, all levels combined, could reach billions”indicates Group-IB.
Data theft and criminal kits
The investigations also detected fake streaming platformswhich promise free or paid access to live matches, counterfeit merchandising stores, or even fraudulent betting sites. These sites have resulted in massive collection of personal data. According to Group-IB, around 130,000 stolen data files containing FIFA references have been identified. In addition, more than 2,513 pairs of FIFA identifiers are already for sale on dark web markets, between $5 and $50 each.
Prior to the discovery of all these criminal operations, researchers identified ready-made phishing kitsautomated bots for purchasing tickets, and fraudulent email templates on underground forums. These criminal tools were put up for sale by an entity calling itself “Dark Web Kit Seller”. Anyone can run their own FIFA scam without any technical skills.
“The phishing page settings include password reset, which allows the attacker to immediately lock legitimate users’ accounts after stealing their credentials”explains the Group-IB researcher.
Also read: Google disclosed a security flaw by mistake, your browser is surely in danger
The FBI’s warning
Mirroring Group-IB, the FBI pinpointed a multitude of criminal areas seeking to take advantage of the excitement around the 2026 FIFA World Cup. The US federal police say new fraudulent domains will continue to appear until the end of the tournament on July 19, 2026, and probably beyond. The FBI therefore invites Internet users to exercise the greatest caution.
The Group-IB report adds that “When one phishing site goes offline, hundreds of others remain operational and thousands await activation”. You should expect a “peak during the match window from June 11 to July 19”.
“The safest approach for consumers is to assume that any offer of tickets outside of official channels involves risk. Always check web addresses carefully, avoid clicking on social media ads, and never rush to buy under the guise of “limited time” offers. If an offer seems too good to be true, it almost certainly is”says Yuan Huang.
The FBI recommends that Internet users enter “fifa.com” directly into the address bar of their browser, never click on sponsored results in search engines, and never provide personal or banking information on a site whose authenticity has not been verified beforehand. Furthermore, it is strongly recommended to activate double authentication on your FIFA account, to avoid intrusions from hackers who have stolen your credentials.
👉🏻 Follow tech news in real time: add 01net to your sources on Google, and subscribe to our WhatsApp channel.
