Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 28, 2026 · 6 min read

FIFA 2026: 4,300 Fake Sites Are Now Hunting Your Inbox

Security researchers have tracked more than 4,300 fraudulent FIFA domains launched since August 2025, with a coordinated campaign called Ghost Stadium stealing 270,000 fan credentials via clone login pages. Every attack starts with an email.

More than 4,300 fraudulent FIFA domains are live right now. That number, tracked by Group-IB since August 2025, does not include the thousands of additional lookalike sites registered in the first half of 2026. It does not include the Android banking trojans disguised as streaming apps. And it does not include the AI-generated phishing emails — written in English, Spanish, and French — landing in the inboxes of fans across the United States, Canada, and Mexico. The 2026 FIFA World Cup, running from June 14 to July 19, is the biggest sporting event in a generation. It is also the largest coordinated phishing operation security researchers have ever seen tied to a single sporting event.

Key Takeaways

  • Group-IB tracked more than 4,300 fraudulent FIFA domains registered since August 2025, with new sites appearing continuously as the tournament progresses.
  • The FBI issued Public Service Announcement PSA260527 on May 27, 2026, warning fans about typosquatting sites like fifa[.]cab, fifa[.]pink, and fiffa.com impersonating FIFA's official ticketing infrastructure.
  • A coordinated campaign called Ghost Stadium operates 300+ phishing pages that clone FIFA's login system, with 270,000 fan credentials confirmed stolen and 260 FIFA employee credentials compromised.
  • Attackers collect names, home addresses, phone numbers, banking details, and payment card information from victims who believe they are purchasing genuine tickets.
  • Android banking trojans named Massiv and Perseus, disguised as unofficial streaming apps, can read saved passwords and cryptocurrency recovery phrases from victims' devices.

What Is the Ghost Stadium Campaign?

Ghost Stadium is the name Group-IB gave to what appears to be a financially motivated operation running a single phishing kit across 300 or more fraudulent sites. The pages are not rough fakes. They are near-perfect clones of fifa.com that mimic FIFA's real single sign-on login — operated by PingIdentity — down to the genuine client ID copied from the live site. Images load directly from FIFA's own servers, so the page looks authentic and evades tools that flag copied assets.

The results have been severe. So far, 260 FIFA employee credentials have been confirmed compromised. More than 270,000 fan and user credentials have been stolen through FIFA-related phishing infrastructure. The FBI's full advisory, PSA260527, named specific domain examples: fifa[.]cab, fifa[.]pink, worldcup2026-tickets.com[.]mx, fifaworldcup26[.]sale.

Laptop screen showing multiple browser tabs each displaying slightly different versions of a football website login page, representing the scale of fake FIFA phishing sites

How Are Fans Being Targeted?

The attacks arrive through four main vectors.

  • Fake ticket sales. Fraudulent sites offer World Cup tickets and premium hospitality packages. Fans who enter payment details hand over their banking information and card numbers.
  • Job scams. Sites impersonating FIFA's careers portal — including fifaworldcup-careers.com — advertise fake employment opportunities and collect the personal data of applicants who believe they are applying for legitimate World Cup positions.
  • Streaming fraud. Fake streaming sites promise free live coverage and either harvest login credentials on arrival or install malware during the session.
  • Android banking trojans. Security researchers identified two malware families — Massiv and Perseus — distributed through unofficial streaming apps. Perseus is built on leaked Cerberus trojan code and can read note-taking apps for saved passwords and cryptocurrency recovery phrases. Download an unofficial stream app, and you may hand an attacker access to your bank account and crypto wallet simultaneously.

Why Inbox Users Should Care

Every one of these attacks starts with an email. Fake ticket confirmations, hospitality offers, job application responses — the fraud arrives in your inbox first, styled to look exactly like official FIFA correspondence. The FBI specifically named email phishing as a primary delivery method in PSA260527.

What most fans do not realize is that the email itself can do damage before you click anything. Phishing emails routinely embed invisible tracking pixels — tiny, transparent image files that fire a silent signal back to the attacker the moment you open the message. That signal confirms your email address is active, that you read the email, and often your approximate location and device. With that confirmation, attackers know your inbox is live and mark you as a higher-priority target for follow-up attacks. Our guide on how to detect email tracking pixels in Gmail explains what these beacons look like and how to stop them from firing.

This is also not the first time email has been weaponized as a staging ground for a major phishing wave. AI-generated phishing now accounts for 82% of inbox attacks — and attackers have learned that combining AI generation with major news events like the World Cup dramatically increases open rates. The fake World Cup careers portals are one flavor of a broader trend: fake recruiter emails stealing Google logins use the same job scam hook to harvest credentials.

The Typosquatting Playbook

Typosquatting is simple and effective. Attackers register domain names that look like fifa.com but differ by one or two characters. Victims searching for tickets via Google often click a sponsored result — a paid advertisement — and land on one of these clones without noticing the URL difference.

The scale here distinguishes this campaign from typical event-based fraud. There are not dozens of fake domains — there are thousands, many of them parked and waiting to activate during the tournament's busiest weeks. A parked domain looks dormant to automated scanners. Flip it live during a high-traffic weekend and it evades takedown long enough to collect thousands of victims.

How to Protect Yourself Right Now

  1. Type fifa.com directly into your browser address bar. Never use a search engine to navigate to FIFA's site. Sponsored search results have been used to promote fake domains during this tournament.
  2. Check the full URL before entering any information. Look past the first word. "fifaworldcup26.sale" contains "fifa" and "worldcup" but it is not FIFA's site.
  3. Never download unofficial streaming apps. Massiv and Perseus spread through apps that do not appear in official app stores. Any app promising free World Cup streams that is not from a verified broadcaster carries significant risk.
  4. Save the real site as a bookmark. Once you have verified you are on fifa.com, bookmark it and return via that bookmark every time.
  5. Treat every FIFA email as suspect until verified. If you receive a ticket confirmation, hospitality offer, or job response via email, navigate to fifa.com directly and check your account there. Do not click links in the email.

The World Cup should be worth watching. The inbox campaigns surrounding it are not.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.