GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With Fake Sites
A large phishing campaign is targeting fans looking for FIFA World Cup 2026 tickets, hospitality packages, merchandise, streams, and betting offers. Security researchers say the wider fraud ecosystem now includes more than 4,300 domains impersonating FIFA, while the GHOST STADIUM operation controls a more sophisticated cluster of 300+ active phishing domains.
Group-IB says the campaign is built around fake FIFA login pages, ticket offers, counterfeit merchandise stores, bogus streaming sites, fraudulent betting pages, and stolen credentials harvested by infostealer malware. The goal is simple: steal FIFA accounts, payment data, personal details, or money from fans before and during the tournament.
The warning comes as the 2026 FIFA World Cup approaches in the United States, Canada, and Mexico. Demand for tickets has created the perfect pressure point for scammers, especially when fake ads promise cheap seats, VIP packages, or limited-time access.
GHOST STADIUM Uses Fake FIFA Sites to Steal Accounts and Payments
The campaign is dangerous because it does not rely on crude, low-quality scam pages. Researchers say GHOST STADIUM uses a custom React-based phishing kit that closely copies FIFA’s website and login flow. Some pages imitate FIFA’s single sign-on process closely enough to make a fake login look routine.
The FBI warning says spoofed FIFA websites may use small spelling changes, alternative domain endings, or fake subdomains to trick users. These websites can collect names, home addresses, phone numbers, email addresses, banking information, and other personal details.
Fans searching for standard tickets should start from the official FIFA tickets page. Fans looking for premium ticket-inclusive packages should use the official FIFA World Cup 2026 hospitality site rather than links from ads, social media posts, Telegram groups, or unknown sellers.
How Big Is the World Cup Phishing Operation?
According to Group-IB’s technical analysis, the wider fraud network includes four independent threat actors and six types of scams. More than 4,300 FIFA-themed domains have been identified, with over 300 actively running fraudulent infrastructure and about 3,800 parked or dormant for possible use as the tournament gets closer.
The report also says 2,513 FIFA account credential pairs are already circulating on dark web markets. Another risk comes from infostealer malware, including Vidar and Lumma, which can collect browser-stored passwords, cookies, autofill data, session tokens, and cryptocurrency wallet data from infected devices.
| Fraud type | What it targets | Main risk for fans |
|---|---|---|
| Credential phishing | FIFA account logins | Account takeover and possible ticket theft |
| Fake ticket sales | Fans trying to buy match tickets | Lost payments and stolen personal data |
| Counterfeit merchandise | Fans buying jerseys or World Cup products | Card theft and undelivered goods |
| Fake streaming sites | Fans looking for live matches | Subscription fraud, malware, or stolen cards |
| Fraudulent betting sites | Users placing World Cup bets | Stolen deposits and identity data |
| Infostealer logs | Saved passwords and browser data | Credential resale and wider account compromise |
Why Fans Are More Likely to Fall for These Scams
World Cup scams work because they target urgency. Many fans know tickets are limited, prices are high, and official sales can move quickly. Criminals use that pressure to push people toward fake checkout pages before they check the domain name.
Researchers also found that paid social media ads help drive traffic to phishing sites. Some ads promote tickets at unrealistic prices and use countdown timers or “first come, first served” wording. This makes a fake offer feel time-sensitive and more believable.
The FBI says fans should type the official FIFA address directly into the browser instead of relying on search results, ads, or forwarded links. The public service announcement also urges users to check the exact domain before entering personal or payment information.
How to Avoid Fake FIFA World Cup Ticket Sites
The safest approach is to treat every unofficial offer as suspicious until proven otherwise. A polished website, a working cart, or a professional-looking login screen does not prove that the seller is connected to FIFA.
- Type FIFA’s website address directly into the browser instead of clicking ads.
- Check the domain carefully before entering login or payment details.
- Avoid FIFA-themed links sent through social media, Telegram, WhatsApp, or email.
- Be suspicious of tickets priced far below normal market expectations.
- Do not pay for tickets with cryptocurrency, gift cards, or peer-to-peer transfers.
- Use a unique password for your FIFA account and enable multi-factor authentication.
- If you entered details on a suspicious site, change your password and contact your bank immediately.
Official Buying Channels Matter More Than Ever
For standard World Cup tickets, fans should use FIFA’s official ticketing route through the FIFA ticket portal. For premium ticket-inclusive packages, FIFA’s hospitality website states that On Location is the official hospitality provider and warns that packages and tickets from unofficial sales channels may not be valid.

That warning is important because scammers often copy official wording, FIFA branding, and stadium imagery. They can also use domain names that contain words like “fifa,” “worldcup,” “tickets,” or “hospitality” to appear legitimate.
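For defenders who triage reported links or newly observed hostnames, the spoofing patterns described above (small spelling changes, alternative domain endings, fake subdomains, and brand keywords) can be checked mechanically. The following Python sketch is an added example, not code from Group-IB, the FBI, or FIFA. It assumes an allowlist containing `fifa.com`, uses constructed sample hostnames on the reserved `.example` ending, and treats the last two labels as the registrable domain.

```python
# Added example (not from the article): triage of FIFA-themed hostnames.
OFFICIAL = {"fifa.com"}  # assumption: allowlist of official registrable domains
KEYWORDS = ("fifa", "worldcup", "tickets", "hospitality")  # words the article lists

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return one triage label for a hostname."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Simplification: registrable domain = last two labels. A production
    # check should consult the Public Suffix List instead.
    if ".".join(labels[-2:]) in OFFICIAL:
        return "official"
    name, tld = labels[-2], labels[-1]
    for official in OFFICIAL:
        brand, official_tld = official.split(".")
        # Official name used as leading labels of someone else's domain.
        if f".{official}." in f".{host}":
            return "fake-subdomain"
        # Same brand label under a different domain ending.
        if name == brand and tld != official_tld:
            return "alternate-ending"
        # One inserted, deleted, or substituted character.
        if edit_distance(name, brand) == 1:
            return "spelling-change"
    if any(k in host for k in KEYWORDS):
        return "brand-keyword"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample hostnames, not taken from any report.
    for h in ("tickets.fifa.com", "fifa.com.secure-login.example",
              "fifa.example", "fiffa.example", "worldcup-tickets.example"):
        print(f"{h:32} {classify(h)}")
```

A one-character distance threshold on a four-letter brand will also flag unrelated short names, so the labels are a review queue, not a verdict.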
Fans considering premium packages should verify availability through the official hospitality portal and avoid third-party sellers that cannot prove authorization. If a seller pressures buyers to move quickly, switch payment method, or leave the official platform, that should be treated as a major red flag.
What This Means for FIFA World Cup Fans
The GHOST STADIUM campaign shows how cybercriminals are preparing for the 2026 FIFA World Cup before the tournament begins. The threat is not limited to one fake website or one bad ad. It is a larger fraud ecosystem built around ticket demand, social media promotion, stolen credentials, and fake payment flows.
Fans still have a simple defense: slow down before paying. Check the domain, avoid sponsored shortcuts, use official channels, and never trust a World Cup ticket offer just because it looks professional. For an event this large, the safest ticket is the one bought through a verified FIFA route.
FAQ
GHOST STADIUM is a phishing campaign targeting FIFA World Cup 2026 fans with fake FIFA websites, ticket offers, login pages, and payment flows. Researchers say the campaign uses 300+ active phishing domains inside a wider fraud ecosystem of more than 4,300 FIFA-impersonation domains.
Fake FIFA ticket sites often copy official branding, login pages, ticket listings, and checkout flows. Some use slightly altered domain names, sponsored ads, countdown timers, or unrealistic ticket prices to pressure fans into entering personal information or payment details.
Fans should use official FIFA ticketing channels for standard tickets and FIFA’s official hospitality route for ticket-inclusive hospitality packages. They should avoid ads, social media sellers, unknown marketplaces, and sellers requesting unusual payment methods.
Users should change their FIFA account password immediately, enable multi-factor authentication, check for unauthorized account activity, and contact their bank or card provider if they entered payment details. They can also report the suspected scam to the FBI’s IC3 portal.