World Cup Fraud Campaign: 4,300+ Fake FIFA Domains
A Chinese-speaking cybercriminal group has been running a sustained phishing and fraud campaign targeting fans of the 2026 FIFA World Cup, registering more than 4,300 fraudulent domains that impersonate FIFA's official web presence. The campaign, active since at least August 2025, is designed to steal personal and financial information from soccer fans seeking tickets, merchandise, travel packages, or official match information.
Researchers tracking the campaign told The Record that the scale and consistency of domain registrations suggest an organized, well-resourced operation — not opportunistic individual actors.
Campaign Overview
| Detail | Information |
|---|---|
| Threat actor language | Chinese-speaking |
| Domains registered | 4,300+ |
| Active since | August 2025 |
| Target | FIFA World Cup 2026 fans globally |
| Method | Fraudulent domains impersonating FIFA official web presence |
| Goal | Financial fraud, credential theft, personal data harvesting |
| 2026 World Cup | Hosted jointly by USA, Canada, and Mexico |
The 2026 World Cup — hosted across the United States, Canada, and Mexico — is one of the most anticipated sporting events in recent history, with record global viewership and ticket demand expected. This makes fans a high-value target for fraud: millions of people are actively searching for tickets, accommodation, and travel packages, often through unfamiliar third-party websites.
How the Fraud Works
Domain Squatting at Scale
The fraudsters have registered domains that closely mimic FIFA's official web addresses, relying on common typosquatting and lookalike domain techniques:
- Slight misspellings of "fifa" or "worldcup" (e.g.,
f1fa-tickets.com,fiffa2026.com) - Adding geographic or event-specific terms (e.g.,
fifa2026usa.net,worldcup2026tickets.org) - Using official-looking TLDs or country-code domains that appear legitimate at first glance
- Cloning the visual design and branding of FIFA's real web presence to pass visual inspection
Victim Journey
- Fan searches for World Cup tickets, travel, or merchandise through a search engine or social media
- Fraudulent domain appears in paid search results or social media advertisements
- Fan visits the lookalike site, which appears identical to FIFA's real portal
- Fan enters personal information (name, address, email, phone) and payment details to complete a "purchase"
- No legitimate goods or tickets are delivered; data is harvested for financial fraud or sold on criminal forums
- In some variants, credentials entered on the fake site are used to attempt account takeover on legitimate platforms
Scale of Harm
With over 4,300 domains in operation and the World Cup drawing a global audience of hundreds of millions, the potential victim pool is enormous. Even a small conversion rate on a campaign of this size translates to millions of dollars in fraudulent transactions and data theft.
Attribution Context
The campaign is attributed to a Chinese-speaking cybercriminal group based on linguistic analysis of domain registration metadata, hosting infrastructure patterns, and operational security practices observed in the campaign's infrastructure. This does not necessarily indicate state sponsorship — Chinese-speaking cybercriminal ecosystems include a large number of financially motivated independent actors and organized criminal groups operating outside state direction.
Sports event fraud is a well-established criminal niche. Previous major events — the Tokyo Olympics, FIFA World Cups in Russia (2018) and Qatar (2022), and UEFA championships — all attracted similar domain squatting and phishing operations, typically peaking in the months before ticket sales and during the event itself.
The registration of domains beginning in August 2025, well ahead of the June 2026 tournament, suggests the group is following a deliberate lead-time strategy: building domain authority, seeding content, and establishing credibility before the peak traffic period when fans are most actively searching.
Threat Landscape: Sports Event Phishing
Why Sporting Events Are Prime Phishing Targets
- High-value purchases — Tickets to major international sporting events can cost hundreds or thousands of dollars, making victims willing to transact on unfamiliar sites
- Urgency — Limited ticket availability creates FOMO (fear of missing out) that pushes fans to act quickly without proper verification
- Global audience — International events attract victims from many countries, complicating jurisdiction for law enforcement
- Secondary market confusion — The existence of legitimate secondary ticket markets normalizes purchasing from third-party websites
- Long run-up period — Years of build-up mean a long window of opportunity for sustained fraud campaigns
2026 World Cup Risk Factors
The 2026 World Cup presents elevated fraud risk specifically because:
- It is the first 48-team World Cup, with more matches and more cities than any previous edition
- The tri-nation hosting format (USA/Canada/Mexico) means fans may be navigating multiple official websites and ticket systems
- Demand for tickets is expected to far exceed supply, intensifying urgency-driven purchasing behavior
- The North American hosting context makes English-language fraudulent domains particularly convincing
How to Protect Yourself
Verify Before You Buy
- Only purchase World Cup tickets directly through FIFA's official website (verify the URL is exactly
fifa.com— bookmark it directly rather than searching) - Do not click ticket links in unsolicited emails, social media ads, or messages from unknown contacts
- Use your browser's address bar to manually type the official URL rather than relying on search results for ticketing pages
Spot Lookalike Domains
Before entering payment information on any site:
- Check the full URL carefully — look for extra words, number substitutions (1 for i, 0 for o), or unusual TLDs
- Verify the site has a legitimate SSL certificate issued to the correct organization
- Search for the domain's registration date using WHOIS lookup tools — newly registered domains (within the past year) claiming to be official FIFA sites are red flags
Payment Safety
- Use a credit card rather than a debit card or bank transfer for any online ticket purchase — credit cards offer stronger fraud protection and chargeback rights
- Consider using a virtual credit card number (offered by many banks) for single-use transactions on unfamiliar platforms
- Never pay for tickets via wire transfer, cryptocurrency, or gift cards — these payment methods are preferred by fraudsters because they are irreversible
If You Suspect Fraud
- Report fraudulent domains to your national cybercrime reporting center (IC3.gov in the US, CAFC in Canada, Action Fraud in the UK)
- Contact your bank or card issuer immediately if you have entered payment details on a suspected fraudulent site
- Report suspicious domains impersonating FIFA to FIFA's official anti-fraud channels
Industry Response
Domain registrars and hosting providers have been increasingly cooperative in rapid takedown operations for event-themed fraud infrastructure, but the volume of domains in this campaign — 4,300 and growing — illustrates the difficulty of keeping pace with organized domain squatting operations. Takedown of individual domains is often quickly offset by registration of new variants.
Effective defense ultimately requires a combination of consumer education, search engine and ad platform fraud detection, and proactive domain monitoring by official event organizers.
Source: The Record