Fake FIFA World Cup Sites Target Soccer Fans with Phishing Kits and Typosquatting Domains
ESET researchers uncovered a network of fraudulent FIFA World Cup websites using typosquatting and phishing kits to steal money and personal data from fans seeking tickets and merchandise ahead of the 2026 tournament.

ESET researchers have uncovered a sprawling network of fake FIFA World Cup websites designed to steal money and personal data from soccer fans hunting for tickets and merchandise. The fraudulent sites closely mimic official sales portals, tricking victims into entering payment details and login credentials. The campaign, active ahead of the 2026 World Cup, leverages sophisticated phishing kits and typosquatting domains to lure unsuspecting users.
The attack vector relies on brand impersonation via lookalike domains that differ from the official FIFA site by just a few characters. For example, domains like "fifa-worldcup2026[.]com" or "fifaworldcuptickets[.]org" redirect users to pages that replicate the look and feel of legitimate FIFA ticket and merchandise stores. Once victims attempt to purchase tickets or merchandise, they are prompted to enter credit card numbers, billing addresses, and even login credentials for FIFA accounts.
ESET's analysis reveals that the phishing kits behind these sites are modular and include features such as real-time credential capture, payment form harvesting, and redirection to legitimate pages after data theft to avoid immediate suspicion. The kits are hosted on compromised web servers and use SSL certificates to appear trustworthy. The campaign appears to be automated, with new domains registered daily and indexed by search engines to attract organic traffic.
The impact is potentially massive, given the global popularity of the World Cup and the high demand for tickets. Fans who fall victim may suffer financial loss, identity theft, or account takeover. The stolen credentials could also be used for further fraud, including accessing other online services where victims reuse passwords. ESET warns that the campaign is likely to intensify as the tournament approaches, with attackers refining their techniques to evade detection.
No specific CVE is associated with this campaign, as it relies on social engineering rather than software vulnerabilities. However, the attack vector—brand impersonation via typosquatting and phishing kits—is well-documented and increasingly common for major events. ESET recommends that fans only purchase tickets and merchandise through official FIFA channels, verify URLs carefully, and enable multi-factor authentication on their accounts.
This campaign fits a broader pattern of cybercriminals exploiting major sporting events, including the Olympics and the Super Bowl, to defraud fans. The 2026 World Cup, co-hosted by the United States, Canada, and Mexico, presents a particularly large attack surface due to its scale and the influx of international visitors. Law enforcement and cybersecurity agencies are likely to ramp up takedown efforts, but the rapid proliferation of new domains makes complete eradication challenging.
For now, soccer fans are urged to remain vigilant and report suspicious websites to authorities. ESET's findings serve as a timely reminder that even the most anticipated events can be weaponized by cybercriminals, and that a healthy dose of skepticism is the best defense against these increasingly convincing scams.
Flare's expanded investigation reveals the campaign has grown to at least 222 fraudulent domains across 203 unique IP addresses—nearly three times the size initially reported by ESET. The analysis identified four distinct operator clusters (A–D) that share scam kits but operate independent infrastructure, with 80.6% of IPs using Cloudflare as a reverse proxy. GNAME.COM and GoDaddy control roughly 61% of the domains, and 52 new domains were registered in just the first 17 days of April 2026, indicating the operation is accelerating as the tournament approaches.
Group-IB's new analysis, which tracks the campaign under the name Ghost Stadium, reveals a far larger operation than previously understood: over 4,300 fraudulent domains registered since August 2025, involving four distinct threat actors running six fraud schemes in parallel. The firm identified a Chinese-speaking actor operating more than 300 phishing domains that clone fifa.com's PingIdentity SSO flow, with paid Facebook ads serving as the primary distribution channel. Group-IB warns that premium ticket fraud alone could cost victims between $71 million and $474 million, with total losses potentially reaching billions.
This new report from The Hacker News expands on the FIFA World Cup 2026 scam landscape by detailing the inclusion of banking malware distributed through pirate streaming applications, alongside the previously reported fake websites and credential harvesting operations. The FBI has also issued warnings about the sophistication of these attacks, highlighting thousands of lookalike domains and highly realistic login page replicas designed to compromise user accounts and financial data.