World Cup 2026: Thousands of Fake Sites, Banking Malware
FBI and security researchers warn thousands of FIFA-themed fake domains, cloned login pages and malicious streaming apps are targeting ticket buyers before the June 11 kickoff.
The FBI and multiple security firms warn that thousands of FIFA World Cup 2026–themed fake domains, cloned login pages and pirate streaming apps carrying banking malware are targeting fans and ticket buyers ahead of the June 11 kickoff across the United States, Canada and Mexico.
Group-IB tracked more than 4,300 fraudulent FIFA-related domains registered since August 2025 and identified a Chinese-language operation it calls GHOST STADIUM running a phishing kit across more than 300 cloned sites. Those pages replicate FIFA’s site layout and single sign-on flow and load images from FIFA servers to appear authentic. The fake login pages prompt password resets, enabling attackers to lock owners out of accounts and resell linked tickets. Payment methods on those sites include card entry, outside gateways, regional money-transfer processors and a crypto-conversion option; official FIFA ticketing does not use a crypto payment pathway.
FortiGuard Labs counted more than 13,000 World Cup–themed domains registered between January and May 2026 and marked roughly 8.8% of them as malicious or suspicious. Researchers have also mapped thousands of lookalike sites and identified more than a thousand fake social accounts tied to ticket and merchandise scams. Group-IB estimates premium and hospitality ticket fraud alone could range from $71 million to $474 million based on visible infrastructure, and warns the total campaign could be larger given parked domains and available scam toolkits.
Security teams report a surge in unofficial Android streaming apps distributed outside official app stores. Threat researchers observed banking trojans such as Massiv and Perseus delivered through sideloaded apps. Once installed, these trojans use Android accessibility permissions to overlay fake bank login screens, capture keystrokes, intercept one-time passcodes and take remote control of devices. Perseus has been observed reading note-taking apps for saved passwords and crypto recovery phrases. The primary indicator of compromise for users is a streaming app requesting accessibility access without a legitimate need.
Social media ads, messaging links and search results are common distribution channels. Firms documented large volumes of fraudulent ad campaigns, spoofed FIFA accounts and stolen login credentials circulating from credential-stealing malware families including Vidar, LummaC2 and RedLine. Some counterfeit sites and fake betting pages have solicited passport scans and selfies for identity theft, and some bogus streaming services charge subscription fees while delivering malware.
A survey of public Wi‑Fi in Mexico City, Monterrey and Guadalajara found a notable share of open networks and many routers with WPS enabled, which increase the risk of “evil twin” hotspots and traffic interception. Security teams advise avoiding bank or email logins on unsecured Wi‑Fi and using mobile data for sensitive transactions when possible.
Recommended precautions include buying tickets only through fifa.com typed directly into a browser, enabling multi-factor authentication, treating any seller requesting cryptocurrency as a fraud signal, and avoiding sideloading streaming apps or granting unnecessary accessibility permissions. Security teams should monitor new FIFA-themed domains and check for staff or customer credentials appearing in stealer malware logs. Meta implemented warning pop-ups when users search for FIFA tickets and removed a network of fake World Cup sites in coordination with payment partners. The FBI asks anyone who believes they have been scammed to report incidents to the Internet Crime Complaint Center (IC3). Researchers note roughly 3,800 fraudulent FIFA domains remain parked and available for activation, with the highest scam volume expected between June 11 and July 19.
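One way a security team could triage a feed of newly registered domains for the FIFA-themed lookalikes described above, shown as an added example that is not code from the article or the cited researchers. The keyword lists, the digit-swap table and the sample domains are assumptions constructed for illustration.

```python
import re

OFFICIAL = ("fifa.com",)                     # official site named in the article
BRAND = "fifa"
EVENT_TERMS = ("worldcup", "mundial")        # assumed watchlist terms
LURE_TERMS = ("ticket", "login", "stream", "hospitality")  # assumed lure words
DIGIT_SWAPS = str.maketrans("01345", "oieas")  # assumed digit-for-letter swaps

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(domain):
    """Return the reasons a newly seen domain needs analyst review ([] = no hit)."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in OFFICIAL):
        return []                            # the real site and its subdomains
    tokens = [t.translate(DIGIT_SWAPS) for t in re.split(r"[^a-z0-9]+", d) if t]
    flat = "".join(tokens)                   # lets "world-cup" match "worldcup"
    reasons = []
    if any(BRAND in t for t in tokens):
        reasons.append("brand-keyword")
    elif any(3 <= len(t) <= 5 and edit_distance(t, BRAND) == 1 for t in tokens):
        reasons.append("brand-typo")
    reasons += [f"event:{t}" for t in EVENT_TERMS if t in flat]
    if not reasons:
        return []                            # lure words alone are too noisy
    reasons += [f"lure:{t}" for t in LURE_TERMS if t in flat]
    if any(d.startswith(o + ".") for o in OFFICIAL):
        reasons.append("official-name-as-subdomain")
    return reasons

if __name__ == "__main__":
    # Constructed sample feed on the reserved .example TLD, not real indicators.
    feed = ["www.fifa.com", "fifa-tickets-2026.example", "f1fa-login.example",
            "fiifa.example", "world-cup-stream.example",
            "fifa.com.secure-login.example", "wifi.fans.example"]
    for name in feed:
        print(f"{name:34} {triage(name) or 'ok'}")
```

Hits are review candidates rather than verdicts; the reason tags let an analyst prioritise names that combine the brand with a ticket, login or streaming lure.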








