Our Investigation of FIFA World Cup 2026 Fraud [Threat Report]
Table of contents
- What is happening around FIFA 2026?
- An outline of the four fraud vectors we investigated
- I. Ticket fraud: 344 confirmed clone domains
- II. Travel and visa fraud: three visa regimes, one expanded attack surface
- III. Betting and gambling fraud: a fake platform built to look like the real thing
- IV. Employment and task fraud: a vector that barely existed in 2022
- What ties all four vectors together
- What CybelAngel has gathered
- Get in touch to access the full threat note and 468 IOCs
344 domains are currently impersonating the official FIFA World Cup 2026 website. A Chinese-speaking threat actor has been running a coordinated phishing campaign against ticket buyers since November 2025. And a fake US visa portal is collecting passport scans and demanding cryptocurrency payment, with the operation amplified on TikTok.
These are not predictions. CybelAngel analysts observed and documented each of these operations ahead of the tournament opening. This post is a summary of our threat note, FIFA World Cup 2026: Four Fraud Vectors in Play, which covers the fraud landscape we tracked through early June 2026 and includes 468 indicators of compromise now incorporated into our IOC feeds.
What is happening around FIFA 2026?
The World Cup is a fraud event as much as a sporting one. The tournament creates a concentrated surge in transactions that people genuinely expect to make: buying tickets, booking travel, applying for visas, and finding work. Every one of those transactions has been weaponised.
CybelAngel identified four active fraud vectors targeting fans, travellers, bettors, and jobseekers ahead of the tournament. Most fraud types were already present at Qatar 2022, but the infrastructure has changed significantly. Since the acceleration of AI adoption in 2023, phishing sites, cloned voices, fabricated identities, and fraudulent domains can be generated at industrial scale in minutes rather than days or weeks. The attack volume at FIFA 2026 reflects that shift directly.
An outline of the four fraud vectors we investigated
I. Ticket fraud: 344 confirmed clone domains
CybelAngel identified 344 domains with content actively mimicking the official 2026 World Cup website. As of 9 June 2026, 125 of those domains were live and serving content.
The campaign is linked to Ghost Stadium, a Chinese-speaking, financially motivated threat actor first observed in November 2025. Ghost Stadium operates a custom React phishing kit that replicates FIFA’s site almost exactly, including cloned authentication flows, fake ticket-purchase pages, and support for 11 languages. Victims are funnelled toward at least five payment channels, including direct card capture and cryptocurrency on-ramps.
The registration dates are not random: 30 domains were registered on a single day, 29 April 2026, and March 2026 alone saw 78 new registrations. That pattern tracks a coordinated campaign escalating ahead of the tournament. 146 domains use Cloudflare nameservers, which defeats IP-level blocking and forces slower domain-level suspension. One domain, fifa[.]city, appears to have been running a login page since at least 2019.
Group-IB publicly documented Ghost Stadium on 27 May 2026.
II. Travel and visa fraud: three visa regimes, one expanded attack surface
FIFA 2026 is hosted across three countries with three separate visa regimes, and that complexity is being actively exploited by fraudsters.
The domain usavisaworldcup[.]com presents as a “World Cup visa” application portal, prompting visitors to upload passport scans and pay in cryptocurrency to obtain a US entry authorisation. The same IP hosts at least 20 further event-themed malicious domains, indicating shared infrastructure rather than an isolated operation. It is amplified on TikTok via the handle visa.applications.usa. The premise is itself a tell: legitimate US entry authorisations are issued only through official government channels and are never settled in cryptocurrency. The combination of identity-document collection with an irreversible crypto payment points directly to identity theft as the objective.
On criminal forums, CybelAngel observed listings advertising flights, hotels and FIFA tickets at 22% of face value, payable in Litecoin, Bitcoin, or Monero, consistent with the resale of fraudulently obtained or non-existent inventory and a cash-out channel for stolen payment card data.
III. Betting and gambling fraud: a fake platform built to look like the real thing
CybelAngel identified a cluster of Telegram channels presenting as the official FIFA World Cup betting platform (2026[.]com). The operation is structured like a genuine service: promotional channels drive traffic, a bot handles deposits and withdrawals, and a “customer service” handle manages complaints. It uses World Cup trophy imagery and fabricated “official regional partner” badges for major clubs. None of the claimed affiliations are real.
Monetisation is deposit-driven, with inflated bonus offers used to attract initial deposits and fabricated “withdrawal approved” messages used as social proof. Victims who deposit find that withdrawals never materialise. A companion Android app titled “2026 Sports” contacts a rotating set of look-alike domains and reports to a control server over a non-standard channel designed to evade monitoring and survive domain blocks. The app profiles the device before operating, behaviour typical of software built to resist inspection.
IV. Employment and task fraud: a vector that barely existed in 2022
Task scams accounted for just 1.6% of job-scam reports at Qatar 2022. By the first half of 2024 that figure had risen to 38.8%, and for some CybelAngel customers, task-fraud domains now represent up to 68% of alerted fraudulent domains. FIFA branding has now been folded into this model.
The mechanics are straightforward: actors pose as employers and offer victims small online tasks such as liking videos or clicking links, in exchange for micro-payments. After a few genuine-looking payouts, victims are pressured to deposit their own funds to “unlock” higher-value tasks or withdraw earnings that never arrive. Cryptocurrency payouts remove any prospect of a chargeback, and victims are incentivised to recruit others, extending the scheme’s reach while lending it a veneer of legitimacy.
Separately, CybelAngel identified a cluster of domains cloning FIFA’s official recruitment portal. The same phishing kit has been re-skinned to impersonate Coca-Cola, Netflix, Spotify, Hilton, and UEFA, among others. It is not a FIFA-specific kit; the tournament’s hiring surge is the draw. At least one instance used the real name, photograph, and a spoofed email address of a genuine FIFA Recruitment Manager, who publicly confirmed the misuse of their identity.
The FTC’s 2024 spotlight on task scams notes that new job-seekers, people re-entering work, and immigrants are most exposed to this vector.
What ties all four vectors together
Each fraud type hijacks a transaction that users would legitimately expect to make around the tournament and converts it into either an upfront payment via irreversible cryptocurrency or the theft of personal data and credentials. The target populations are distinct but the underlying logic is identical across all four vectors.
Infrastructure is industrialised and deliberately reused. The same phishing kit is re-skinned for different brands, the same shared IP hosts dozens of malicious domains, and the same platform-hopping behaviour (going dark on Telegram while staying live on Facebook) allows operations to survive individual takedowns. This lowers the cost and time required to rebuild after disruption, which is why takedown activity alone is insufficient during an active tournament window.
What CybelAngel has gathered
Through this investigation, CybelAngel identified 468 indicators of compromise across all four fraud vectors: 355 related to ticketing (including the 344 confirmed clone domains and 13 heuristic STIX naming patterns for catching future registrations), 87 for betting and gambling infrastructure, 14 for employment and task fraud, and 12 for travel and visa operations. These IOCs have been incorporated into CybelAngel’s IOC feeds for subscribed clients.
| Indicator | Type | Fraud vector | Threat score | Context |
|---|---|---|---|---|
| fifa[.]city | Domain | Ticketing | High | Long-lived clone active since ~2019; content shifted to target WC2026 in March 2026 |
| 154.39.81[.]213 | IPv4 | Ticketing | Medium | Shared-IP cluster hosting fifa[.]{TLD} and flfa[.]{TLD} naming patterns across 15+ domains |
| {prefix}fifa26[.]{TLD} | Heuristic pattern | Ticketing | Medium | STIX LIKE expression for catching newly registered clone domains as they surface |
| 185.158.133[.]1 | IPv4 | Travel / visa | High | German host flagged by multiple security vendors; shared across 20+ event-themed malicious domains including usavisaworldcup[.]com |
| @globalresidency_footballnetwork | Telegram account | Travel / visa | High | “Global Residency and Football Network” persona advertising fake visa and travel facilitation for all three host nations |
| 2026[.]com | Domain | Betting | High | Standalone fake WC2026 betting platform; uses Messi imagery and fabricated club partner badges to manufacture credibility |
| @FIFA_2026com_29607 | Telegram account | Betting | High | Promotional channel for the 2026[.]com fake betting platform; became active May 2026 |
| APK om[.]ixpcg[.]e2888[.]imyfzsjx | Android package | Betting | High | “2026 Sports” app; contacts rotating look-alike domains over a non-standard channel to evade monitoring |
| fifa-hr[.]com | Domain | Employment | High | Cloned FIFA careers page using a reusable phishing kit also re-skinned for Netflix, Spotify, Hilton, and UEFA |
| fifaworldcup-careers[.]com | Domain | Employment | High | Same recruitment phishing cluster; “Continue with Google” button assessed to harvest Google account credentials |
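
The heuristic naming patterns in the table, and the single-day registration bursts described in the ticketing section, can be screened for in a feed of newly registered domains. The following is an added example, not CybelAngel's code or its actual STIX expressions: the LIKE strings are assumed renderings of the patterns shown above, the allowlist is an assumption, and the sample feed is constructed with reserved TLDs.

```python
import re
from collections import Counter
from datetime import date

def refang(indicator):
    """Turn a defanged indicator such as fifa[.]city back into fifa.city."""
    return indicator.replace("[.]", ".").strip().lower()

def like_to_regex(like):
    """Compile a LIKE expression: % is any run of characters, _ is exactly one."""
    parts = [".*" if c == "%" else "." if c == "_" else re.escape(c) for c in like]
    return re.compile("".join(parts))

# Assumed LIKE renderings of the naming patterns in the table above.
PATTERNS = {
    "{prefix}fifa26.{TLD}": like_to_regex("%fifa26.%"),
    "fifa.{TLD}": like_to_regex("fifa.%"),
    "flfa.{TLD}": like_to_regex("flfa.%"),
}
# Assumption: the official site must be excluded, or "fifa.%" would flag it.
ALLOWLIST = {"fifa.com"}

def match_patterns(domain):
    """Return the names of every naming pattern the domain matches."""
    d = refang(domain)
    if d in ALLOWLIST:
        return []
    return [name for name, rx in PATTERNS.items() if rx.fullmatch(d)]

def burst_days(records, threshold):
    """Dates on which at least `threshold` pattern-matching domains were registered."""
    counts = Counter(day for dom, day in records if match_patterns(dom))
    return sorted(day for day, n in counts.items() if n >= threshold)

# Constructed feed of (domain, registration date); reserved TLDs, not real IOCs.
SAMPLE = [
    ("ticketsfifa26[.]example", date(2026, 4, 29)),
    ("vipfifa26[.]test", date(2026, 4, 29)),
    ("flfa[.]example", date(2026, 4, 29)),
    ("weather[.]example", date(2026, 4, 29)),   # same day, no pattern match
    ("fifa26[.]invalid", date(2026, 3, 12)),
]

if __name__ == "__main__":
    for dom, day in SAMPLE:
        print(day, dom, match_patterns(dom))
    print("burst days:", burst_days(SAMPLE, threshold=3))
```

The threshold is a tuning choice: set it against the normal daily volume of matching registrations in your own feed.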
Get in touch to access the full threat note and 468 IOCs
If your organisation is a FIFA sponsor, partner, host-city contractor, or operates in hospitality, financial services, or travel, now is the time to check your external footprint for impersonation activity. CybelAngel REACT is monitoring the threat environment throughout the tournament window.
