Verify a decision

{"actor":"system:backfill","investigation_id":"17102b24-39c3-44be-b318-78c365dd82a8","kind":"publish","page_slug":"fifa-world-cup-2026-crypto-streaming-scam-network","published_at":"2026-06-23T23:36:49.219Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"FIFA World Cup 2026 Crypto Streaming Scam Network","sections":[{"content":"The FIFA World Cup 2026 Crypto Streaming Scam Network is a broad designation for an interconnected set of fraud operations that exploit global interest in the 2026 FIFA World Cup, hosted across the United States, Canada, and Mexico from June 11 to July 19, 2026. Security researchers at Malwarebytes, Group-IB, Cyble, CybelAngel, TRM Labs, FortiGuard Labs, and Kaspersky have collectively documented the campaign, which spans at least six fraud typologies: fake ticket sales, fraudulent streaming platforms, play-to-earn and token giveaway schemes, fixed-match betting fraud, fake employment listings, and World Cup-branded cryptocurrency token manipulation. FortiGuard Labs counted more than 13,000 World Cup-themed domains registered between January and May 2026, approximately 8.8% of which were assessed as malicious or suspicious. Group-IB separately tracked more than 4,300 fraudulent FIFA-specific domains registered since August 2025. The campaign targets fans globally, with specific regional variants documented for Kenyan, Indonesian, and Nigerian audiences.","heading":"Overview and Scope","severity":"critical","sources":[{"credibility":2,"name":"The 2026 World Cup scam economy is already running before the first whistle — Malwarebytes","type":"research","url":"https://www.malwarebytes.com/blog/threat-intel/2026/05/the-2026-world-cup-scam-economy-is-already-running-before-the-first-whistle"},{"credibility":2,"name":"GHOST STADIUM Score: Billions At Stake — Group-IB","type":"research","url":"https://www.group-ib.com/blog/ghost-stadium-football-fraud/"},{"credibility":2,"name":"FIFA World Cup 2026 Scams Surge As Fake Sites Target Fans — Cyble","type":"research","url":"https://cyble.com/blog/fifa-world-cup-2026-scams/"}]},{"content":"The most technically sophisticated component of the broader fraud ecosystem is a campaign attributed by Group-IB to a Chinese-speaking, financially motivated threat actor designated GHOST STADIUM, first observed in November 2025. The actor operates a custom React-based single-page application phishing kit built on the Layui 2.7.6 framework — a Chinese open-source UI library described as virtually unknown outside the Chinese developer community. The kit replicates the official FIFA website pixel-for-pixel, cloning the PingIdentity SSO authentication flow including password reset authorization, which immediately locks the victim out of their legitimate account and enables resale of any attached tickets. The site auto-detects browser locale, supports 11 languages plus three Chinese regional variants (mainland, Taiwan, Hong Kong), and loads imagery directly from FIFA's official CDN to evade visual detection. Attribution evidence includes Chinese-language source code comments, shared SSL certificates and Meta Pixel IDs across 300+ domains (Pixel IDs 927432823410218, 1842358649811605, and 1569148414168343), and an identical Tawk.to live-chat Property ID (6976ccbaba77e8198a866266) embedded across 79 hospitality-focused domains. As of June 9, 2026, CybelAngel confirmed 344 clone domains, with 125 actively serving content and 146 using Cloudflare nameservers to resist IP-level blocking. Sample active domains documented by Group-IB and CybelAngel include: fifa[.]bio, fifa[.]center, fifa[.]gold, fifa[.]tax, fifa-com[.]co, www-fifa[.]com, fifa-tickets[.]vip, football-ticket[.]top, football-ticket[.]shop, football-game[.]shop. The campaign was distributed primarily through paid Facebook advertising offering tickets at prices as low as $60 for seats officially priced in the thousands, using first-come-first-served pressure messaging. Bankinfosecurity reported that thousands of FIFA account credentials were compromised. Group-IB documented 2,513 FIFA credential pairs circulating on dark-web markets priced at $5 to $50 per pair. Extrapolating from 600+ observed registrations at a single domain, Group-IB estimates 47,400 or more victims in the premium ticket fraud tier alone, with losses ranging from $71 million to $474 million for that category. The total campaign across all six fraud vectors is described as potentially reaching into the billions.","heading":"GHOST STADIUM Phishing Campaign","severity":"critical","sources":[{"credibility":2,"name":"GHOST STADIUM Score: Billions At Stake — Group-IB","type":"research","url":"https://www.group-ib.com/blog/ghost-stadium-football-fraud/"},{"credibility":2,"name":"FIFA World Cup Fraud: 468 IOCs and Four Active Threat Vectors — CybelAngel","type":"research","url":"https://cybelangel.com/blog/our-investigation-of-fifa-world-cup-2026-fraud-threat-report/"},{"credibility":2,"name":"Chinese Phishing Service Scams Thousands of FIFA World Cup Fans — BankInfoSecurity","type":"news_article","url":"https://www.bankinfosecurity.com/chinese-phishing-service-scams-thousands-fifa-world-cup-fans-a-31819"},{"credibility":2,"name":"Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans — The Record (Recorded Future News)","type":"news_article","url":"https://therecord.media/chinese-speaking-fraud-gang-fifa-world-cup-scam"},{"credibility":2,"name":"GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains — CybersecurityNews","type":"news_article","url":"https://cybersecuritynews.com/ghost-stadium-phishing-campaign-targets-fifa-world-cup-fans/"}]},{"content":"A parallel strand of the fraud network involves fake streaming websites and sideloaded Android applications that allegedly offer free or low-cost access to World Cup matches. Malwarebytes identified more than 40 websites that were effectively identical, using different World Cup-themed domain names but running the same page template, code, and advertising infrastructure. Rather than delivering match content, these sites funnel visitors through malicious advertising networks that serve fake virus warnings, bogus software update prompts designed to install malware, fake prize and verification pages, and forced subscription traps. Two Android banking trojan families — Massiv and Perseus — have been embedded in sideloaded streaming applications distributed outside Google Play. Perseus is derived from leaked source code of the older Cerberus trojan and has been observed reading note-taking applications to extract saved passwords and cryptocurrency recovery phrases (seed phrases). Both trojans exploit Android Accessibility Services to overlay fake bank login screens and intercept one-time authentication codes. Malwarebytes noted the first derivatives of Massiv appeared in February 2026. A critical behavioral warning sign identified by researchers is any streaming application requesting Accessibility access, for which no legitimate streaming function exists. The fake streaming sites themselves do not universally require cryptocurrency payments, but some serve interstitial pages that solicit wallet connections or present fake prize claims requiring wallet confirmation — a tactic that can drain connected wallets without requiring the victim to disclose a seed phrase directly.","heading":"Fake Streaming Sites and Malicious Applications","severity":"critical","sources":[{"credibility":2,"name":"Free World Cup stream sites are serving scams, not football — Malwarebytes","type":"research","url":"https://www.malwarebytes.com/blog/threat-intel/2026/06/free-world-cup-stream-sites-are-serving-scams-not-football"},{"credibility":2,"name":"FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/fifa-world-cup-2026-scams-are-already.html"},{"credibility":2,"name":"Free, no-signup World Cup streams serve scams instead of football — Help Net Security","type":"news_article","url":"https://www.helpnetsecurity.com/2026/06/23/fake-world-cup-streaming-sites-scams/"},{"credibility":2,"name":"Free World Cup Streams Are Actually Malware Traps as More Than 40 Scam Sites Are Exposed — IBTimes UK","type":"news_article","url":"https://www.ibtimes.co.uk/fake-world-cup-streaming-sites-cybersecurity-risks-1803245"}]},{"content":"TRM Labs identified four cryptocurrency wallet addresses linked to three active fraud operations as of early June 2026. One Polygon address received approximately $1,562, with nearly all funds arriving in a single day on April 1, 2026, consistent with a short burst of victim conversions. A separate Bitcoin address linked to a fake ticketing operation remained live but had not yet converted victims at the time of TRM's report. A third Bitcoin address was associated with a fixed-match betting scheme, receiving small payments across multiple days in the January through May 2026 period; proceeds were routed to custodial exchange accounts rather than self-hosted wallets. Total observed on-chain inflows across the four identified addresses amounted to less than $1,700 as of early June 2026, though TRM notes this reflects only the fraction of activity they could directly attribute and that volumes are expected to scale significantly during the active tournament window. The GHOST STADIUM operation accepts cryptocurrency through Alchemy Pay, a regulated processor, converting card payments of approximately $195 into roughly 185 USDT settled on Binance Smart Chain — leveraging a legitimate processor's branding while routing funds into irreversible cryptocurrency settlements. Additional payment channels documented by Group-IB include direct card capture on attacker-controlled domains, third-party processors (pay.zfxupi.net accepting Cash App and Chime), peer-to-peer payment apps (Chime cashtag $Paramjit-Bains; Nequi account 3202059757), and regional rails (FIXYD for Mexico). Bitcoin, Litecoin, and Monero have been documented across different fraud sub-categories by CybelAngel. FIFA's official ticketing and merchandise platforms accept no cryptocurrency payments; any seller requesting crypto payment for World Cup tickets should be treated as fraudulent.","heading":"Cryptocurrency Payment Channels and Wallet Fraud","severity":"critical","sources":[{"credibility":2,"name":"Tracking Crypto Scammers Ahead of the 2026 World Cup — TRM Labs","type":"on_chain","url":"https://www.trmlabs.com/resources/blog/tracking-crypto-scammers-ahead-of-the-2026-world-cup"},{"credibility":2,"name":"2026 FIFA World Cup is now live, but so are crypto scams — CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/33006088/"},{"credibility":2,"name":"TRM Labs warns World Cup crypto scams target ticketing and betting demand — Traders Union","type":"news_article","url":"https://tradersunion.com/news/cryptocurrency-news/show/2342892-world-cup-crypto-scams-ticket-betting/"}]},{"content":"A token trading under the ticker WCUP launched on June 10, 2026, marketed as a fan-branded commemorative cryptocurrency associated with the World Cup. The token was listed on LBank and promoted on X (formerly Twitter) by multiple cryptocurrency influencers. On-chain analytics firm Bubblemaps alleges that more than 30 newly created wallets, funded from an exchange approximately 30 minutes before the token's public launch, sniped approximately 95% of the total supply at launch. These wallets then allegedly distributed holdings across more than 2,500 additional newly created addresses in a pattern consistent with obscuring beneficial ownership. Despite an available liquidity pool of only approximately $536,000, the token's market capitalization reached approximately $50 million at peak, according to reporting by Cryptopolitan and BitcoinWorld. Bubblemaps' time-node cluster analysis traced the dispersed wallets back to a single controlling entity. Many of the influencers who promoted WCUP allegedly failed to disclose that they received compensation for those endorsements, raising potential regulatory compliance concerns. The low liquidity relative to market capitalization means any coordinated sell-off by the early insiders would cause rapid and severe price collapse, leaving retail purchasers with losses. The $WORLDCUP token listed separately on LBank was identified by TRM Labs as carrying similar pump-and-dump risk characteristics. Neither token has any affiliation with FIFA or any official World Cup commercial program.","heading":"WCUP Token: Alleged Pump-and-Dump Scheme","severity":"high","sources":[{"credibility":2,"name":"95% Of World Cup Token WCUP Supply Pre-Purchased By Single Group, Bubblemaps Alleges — BitcoinWorld","type":"on_chain","url":"https://bitcoinworld.co.in/world-cup-token-wcup-scam-bubblemaps/"},{"credibility":2,"name":"95% of World Cup Token WCUP Supply Pre-Purchased by Single Group, Bubblemaps Alleges — CryptoNews.net","type":"on_chain","url":"https://cryptonews.net/news/altcoins/33000264/"},{"credibility":2,"name":"Crypto Scams Target 2026 FIFA World Cup with Fake Tickets and Memecoins — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/crypto-scams-target-2026-fifa-world-cup-with-fake-tickets-and-memecoins"},{"credibility":2,"name":"Tracking Crypto Scammers Ahead of the 2026 World Cup — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/tracking-crypto-scammers-ahead-of-the-2026-world-cup"}]},{"content":"The campaign relies heavily on social media platforms for victim acquisition. The Hacker News and Bitdefender reporting documents more than 55 fraudulent advertising campaigns running on Facebook and Instagram, and researchers found that nearly 90% of approximately 1,700 spoofed FIFA-branded social media accounts appeared on Facebook and Instagram. GHOST STADIUM specifically used paid Facebook advertising offering fraudulently priced tickets at $60 when official prices run into the thousands, with first-come-first-served language designed to suppress due diligence. Telegram and WhatsApp have also been used to distribute scam links, particularly for fixed-match betting schemes and play-to-earn promotions. Search engine result poisoning through keyword advertising has driven traffic to clone domains. Fake FIFA job postings directing applicants to credential-harvesting pages have been documented as a separate social engineering vector. For the WCUP token, promotion relied primarily on paid influencer posts on X with alleged undisclosed compensation. Malware-laden streaming app links have circulated through informal sports fan communities and messaging groups. Kaspersky documented FIFA lottery emails promising fictitious payouts of up to $2 million as an additional email-based distribution channel.","heading":"Social Media Promotion and Distribution Tactics","severity":"high","sources":[{"credibility":2,"name":"FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/fifa-world-cup-2026-scams-are-already.html"},{"credibility":2,"name":"FBI Warns Fans About FIFA Scams Ahead of 2026 World Cup — Bitdefender","type":"news_article","url":"https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-fifa-scams-2026-world-cup"},{"credibility":2,"name":"World Cup 2026: watch out for these scams — Kaspersky","type":"research","url":"https://www.kaspersky.com/blog/world-cup-scam-2026/55986/"},{"credibility":2,"name":"TRM Warns Crypto Scammers Are Seeding World Cup 2026 Ticket And Betting Traps — Bitcoinist","type":"news_article","url":"https://bitcoinist.com/trm-world-cup-2026-crypto-scams-ticket-betting/"}]},{"content":"The FBI's Internet Crime Complaint Center (IC3) issued Public Service Announcement I-052726-PSA on May 27, 2026, warning that cyber threat actors are conducting spoofing attacks against the FIFA website to collect personally identifiable information, sell counterfeit World Cup tickets and hospitality products, and facilitate additional malicious activity. The FBI documented over 40 fraudulent domains in the PSA, including fifa.city, fifa.beer, fifa.click, fifa-ticket.live, fifaworldcup26.sale, worldcup2026-tickets.com.mx, and 2026fifaworldcuptickets.online. The PSA advises consumers to type fifa.com directly into browser address bars, avoid clicking sponsored search results, verify that URLs use the .com top-level domain, and report incidents to ic3.gov. The FBI confirmed it collects cryptocurrency addresses associated with complaints for investigative purposes. BleepingComputer reported separately on the FBI warning, amplifying awareness of the spoofed site threat. No arrests or indictments had been publicly announced as of June 23, 2026. Group-IB stated that its evidence package combining phishing kit forensics, infrastructure mapping, financial flow analysis, and identity attribution was built to a standard suitable for law enforcement referral and prosecution.","heading":"FBI and Law Enforcement Warnings","severity":"high","sources":[{"credibility":1,"name":"IC3 PSA I-052726-PSA: Threat Actors Spoofing FIFA Websites — FBI/IC3","type":"regulatory","url":"https://www.ic3.gov/PSA/2026/PSA260527"},{"credibility":2,"name":"FBI warns of fake FIFA websites running World Cup fraud schemes — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-fifa-websites-running-world-cup-fraud-schemes/"},{"credibility":2,"name":"FBI alerts FIFA World Cup fans amid Crypto scams surge — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/fbi-alerts-fifa-world-cup-fans-crypto-scams/"}]},{"content":"CybelAngel catalogued 468 total indicators of compromise across four active fraud vectors as of their June 15, 2026 report. These include 355 ticketing-related IOCs, 87 betting and gambling IOCs, 14 employment and task fraud IOCs, and 12 travel and visa IOCs. GHOST STADIUM infrastructure is hosted across 14 identified IP addresses. Shared tracking identifiers across the 300+ GHOST STADIUM domains provide strong linkage evidence: three Meta Pixel IDs (927432823410218, 1842358649811605, 1569148414168343) and a single Tawk.to live-chat Property ID (6976ccbaba77e8198a866266) appear on 79 of the hospitality-focused phishing domains. Redirector domains registered in a coordinated batch on April 27, 2026 include football-ticket[.]top, football-ticket[.]shop, football-game[.]shop, and football-tickets[.]top. A notable domain fifa[.]city has been active since approximately 2019 and was incorporated into the current campaign. Information-stealing malware families Vidar, LummaC2, and RedLine are separately documented as harvesting FIFA account credentials from compromised machines, with 2,513 credential pairs confirmed circulating in dark-web markets at prices of $5 to $50 per pair. The third-party payment processor subdomain pay.zfxupi.net was documented as a component of the GHOST STADIUM payment infrastructure.","heading":"Infrastructure Indicators of Compromise","severity":"high","sources":[{"credibility":2,"name":"FIFA World Cup Fraud: 468 IOCs and Four Active Threat Vectors — CybelAngel","type":"research","url":"https://cybelangel.com/blog/our-investigation-of-fifa-world-cup-2026-fraud-threat-report/"},{"credibility":2,"name":"GHOST STADIUM Score: Billions At Stake — Group-IB","type":"research","url":"https://www.group-ib.com/blog/ghost-stadium-football-fraud/"},{"credibility":2,"name":"Active Exploitation Alert: FIFA World Cup 2026 — Rescana","type":"research","url":"https://www.rescana.com/post/active-exploitation-alert-fifa-world-cup-2026-targeted-by-fake-ticket-sites-banking-malware-and-credential-theft"}]},{"content":"While the fraud network targets a global audience, several security firms have documented specific targeting of fans in developing markets where formal digital payment literacy may be lower and where tournament interest is high. Tech-ish reported on June 23, 2026, that fake streaming sites and betting platforms had specifically targeted Kenyan fans. MEXC blog posts documented crypto giveaway scam tactics aimed at Indonesian and Nigerian fan communities, including World Cup token airdrop and play-to-earn promotions circulated through local WhatsApp groups and Telegram channels. The GHOST STADIUM phishing kit's 11-language support and three Chinese locale variants indicate intentional preparation for broad multinational deployment. The FBI PSA notes that spoofed domains have used country-specific top-level domains such as .com.mx for apparent targeting of Mexican audiences, which is particularly relevant given Mexico's co-host status. Spider Labs issued a separate fraud warning as fake streaming sites surged, indicating that the problem spans beyond a single research firm's visibility.","heading":"Regional Targeting and At-Risk Audiences","severity":"medium","sources":[{"credibility":2,"name":"World Cup 2026: The Fake Streaming and Betting Sites Targeting Kenyan Fans — Tech-ish","type":"news_article","url":"https://tech-ish.com/2026/06/23/world-cup-2026-scams-kenya/"},{"credibility":3,"name":"Crypto Giveaway Scam Warning: How Nigerian Fans Can Spot Fake World Cup Tokens — MEXC Blog","type":"community_report","url":"https://blog.mexc.com/crypto-knowledge/crypto-giveaway-scam-warning-how-nigerian-fans-can-spot-fake-world-cup-tokens/"},{"credibility":2,"name":"Spider Labs Issues Fraud Warning as Fake World Cup Streaming Sites Surge — Jonesboro Sun","type":"news_article","url":"https://www.jonesborosun.com/news/national/spider-labs-issues-fraud-warning-as-fake-world-cup-streaming-sites-surge/article_957ad02e-7824-5673-9cc4-1e88571fe2df.html"},{"credibility":3,"name":"World Cup Token Scam: How Indonesian Fans Can Spot Fake Giveaways — MEXC Blog","type":"community_report","url":"https://blog.mexc.com/crypto-knowledge/world-cup-token-scam-how-indonesian-fans-can-spot-fake-giveaways/"}]},{"content":"Multiple security organizations and the FBI have issued consistent guidance for fans. FIFA's official ticketing platform accepts only conventional payment methods — no cryptocurrency — making any request for crypto payment an unambiguous fraud indicator. Consumers should navigate directly to fifa.com by typing the address manually rather than clicking search advertisements or social media links. Applications requesting Android Accessibility Service permissions for any streaming function should be uninstalled immediately. Wallet connections on any World Cup-themed site should be treated with extreme caution, as a single malicious contract approval can enable asset drainage without further user interaction. Suspicious domains, fraudulent social media accounts, and scam emails related to the World Cup should be reported to the FBI at ic3.gov. Proton's consumer guidance and Kaspersky's blog post provide additional technical steps for identifying and avoiding phishing sites. The FBI specifically warns against using sponsored (paid advertisement) search results when looking for FIFA-related services.","heading":"Consumer Protection Guidance","severity":"low","sources":[{"credibility":1,"name":"IC3 PSA I-052726-PSA: Threat Actors Spoofing FIFA Websites — FBI/IC3","type":"regulatory","url":"https://www.ic3.gov/PSA/2026/PSA260527"},{"credibility":2,"name":"World Cup 2026: how to avoid ticket scams and fake sites — Proton","type":"other","url":"https://proton.me/blog/world-cup-2026-scams-phishing"},{"credibility":2,"name":"World Cup 2026: watch out for these scams — Kaspersky","type":"research","url":"https://www.kaspersky.com/blog/world-cup-scam-2026/55986/"}]}],"sources_used":[{"credibility":1,"name":"IC3 PSA I-052726-PSA: Threat Actors Spoofing FIFA Websites — FBI/IC3","type":"regulatory","url":"https://www.ic3.gov/PSA/2026/PSA260527"},{"credibility":2,"name":"GHOST STADIUM Score: Billions At Stake At The World's Largest Football Tournament — Group-IB","type":"research","url":"https://www.group-ib.com/blog/ghost-stadium-football-fraud/"},{"credibility":2,"name":"FIFA World Cup Fraud: 468 IOCs and Four Active Threat Vectors — CybelAngel","type":"research","url":"https://cybelangel.com/blog/our-investigation-of-fifa-world-cup-2026-fraud-threat-report/"},{"credibility":2,"name":"Tracking Crypto Scammers Ahead of the 2026 World Cup — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/tracking-crypto-scammers-ahead-of-the-2026-world-cup"},{"credibility":2,"name":"FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/fifa-world-cup-2026-scams-are-already.html"},{"credibility":2,"name":"Free World Cup stream sites are serving scams, not football — Malwarebytes","type":"research","url":"https://www.malwarebytes.com/blog/threat-intel/2026/06/free-world-cup-stream-sites-are-serving-scams-not-football"},{"credibility":2,"name":"The 2026 World Cup scam economy is already running before the first whistle — Malwarebytes","type":"research","url":"https://www.malwarebytes.com/blog/threat-intel/2026/05/the-2026-world-cup-scam-economy-is-already-running-before-the-first-whistle"},{"credibility":2,"name":"FIFA World Cup 2026 Scams Surge As Fake Sites Target Fans — Cyble","type":"research","url":"https://cyble.com/blog/fifa-world-cup-2026-scams/"},{"credibility":2,"name":"Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans — The Record (Recorded Future News)","type":"news_article","url":"https://therecord.media/chinese-speaking-fraud-gang-fifa-world-cup-scam"},{"credibility":2,"name":"Chinese Phishing Service Scams Thousands of FIFA World Cup Fans — BankInfoSecurity","type":"news_article","url":"https://www.bankinfosecurity.com/chinese-phishing-service-scams-thousands-fifa-world-cup-fans-a-31819"},{"credibility":2,"name":"GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains — CybersecurityNews","type":"news_article","url":"https://cybersecuritynews.com/ghost-stadium-phishing-campaign-targets-fifa-world-cup-fans/"},{"credibility":2,"name":"FBI warns of fake FIFA websites running World Cup fraud schemes — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-fifa-websites-running-world-cup-fraud-schemes/"},{"credibility":2,"name":"FBI alerts FIFA World Cup fans amid Crypto scams surge — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/fbi-alerts-fifa-world-cup-fans-crypto-scams/"},{"credibility":2,"name":"FBI Warns Fans About FIFA Scams Ahead of 2026 World Cup — Bitdefender","type":"news_article","url":"https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-fifa-scams-2026-world-cup"},{"credibility":2,"name":"95% Of World Cup Token WCUP Supply Pre-Purchased By Single Group, Bubblemaps Alleges — BitcoinWorld","type":"on_chain","url":"https://bitcoinworld.co.in/world-cup-token-wcup-scam-bubblemaps/"},{"credibility":2,"name":"95% of World Cup Token WCUP Supply Pre-Purchased by Single Group — CryptoNews.net","type":"on_chain","url":"https://cryptonews.net/news/altcoins/33000264/"},{"credibility":2,"name":"Crypto Scams Target 2026 FIFA World Cup with Fake Tickets and Memecoins — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/crypto-scams-target-2026-fifa-world-cup-with-fake-tickets-and-memecoins"},{"credibility":2,"name":"Free, no-signup World Cup streams serve scams instead of football — Help Net Security","type":"news_article","url":"https://www.helpnetsecurity.com/2026/06/23/fake-world-cup-streaming-sites-scams/"},{"credibility":2,"name":"Free World Cup Streams Are Actually Malware Traps as More Than 40 Scam Sites Are Exposed — IBTimes UK","type":"news_article","url":"https://www.ibtimes.co.uk/fake-world-cup-streaming-sites-cybersecurity-risks-1803245"},{"credibility":2,"name":"World Cup 2026: The Fake Streaming and Betting Sites Targeting Kenyan Fans — Tech-ish","type":"news_article","url":"https://tech-ish.com/2026/06/23/world-cup-2026-scams-kenya/"},{"credibility":2,"name":"World Cup 2026: watch out for these scams — Kaspersky","type":"research","url":"https://www.kaspersky.com/blog/world-cup-scam-2026/55986/"},{"credibility":2,"name":"World Cup 2026: how to avoid ticket scams and fake sites — Proton","type":"other","url":"https://proton.me/blog/world-cup-2026-scams-phishing"},{"credibility":2,"name":"TRM Warns Crypto Scammers Are Seeding World Cup 2026 Ticket And Betting Traps — Bitcoinist","type":"news_article","url":"https://bitcoinist.com/trm-world-cup-2026-crypto-scams-ticket-betting/"},{"credibility":2,"name":"Active Exploitation Alert: FIFA World Cup 2026 — Rescana","type":"research","url":"https://www.rescana.com/post/active-exploitation-alert-fifa-world-cup-2026-targeted-by-fake-ticket-sites-banking-malware-and-credential-theft"},{"credibility":2,"name":"Spider Labs Issues Fraud Warning as Fake World Cup Streaming Sites Surge — Jonesboro Sun","type":"news_article","url":"https://www.jonesborosun.com/news/national/spider-labs-issues-fraud-warning-as-fake-world-cup-streaming-sites-surge/article_957ad02e-7824-5673-9cc4-1e88571fe2df.html"},{"credibility":2,"name":"FIFA World Cup Crypto Scams Started Before 2026 Tournament — Bitcoin Foundation","type":"news_article","url":"https://bitcoinfoundation.org/news/crimes-and-fraud-news/fifa-world-cup-crypto-scams-started-before-2026-tournament-data-shows/"},{"credibility":2,"name":"World Cup 2026 Cyber Threats, Fake FIFA Sites, Ticket Scams, Malware Apps — PenLigent","type":"research","url":"https://www.penligent.ai/hackinglabs/world-cup-2026-cyber-threats/"},{"credibility":2,"name":"2026 FIFA World Cup is now live, but so are crypto scams — CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/33006088/"}],"summary":"A coordinated network of fraudulent websites, malicious streaming applications, phishing campaigns, and deceptive cryptocurrency schemes targeting FIFA World Cup 2026 fans across at least six fraud typologies. The campaign encompasses more than 4,300 registered fraudulent domains, Android banking trojans embedded in fake streaming apps, a Chinese-speaking threat actor designated GHOST STADIUM operating 300+ pixel-perfect FIFA clones, and at least one fan-branded token (WCUP) alleged to be a pump-and-dump scheme. The FBI issued a public service announcement on May 27, 2026; estimated losses from ticket fraud alone range from $71 million to $474 million, with total campaign potential described by Group-IB as reaching into the billions.","timeline":[{"date":"2019-01-01","event":"Domain fifa[.]city, later incorporated into the GHOST STADIUM campaign, is registered and begins operating, according to Group-IB.","source":"Group-IB Blog","source_url":"https://www.group-ib.com/blog/ghost-stadium-football-fraud/"},{"date":"2025-08-01","event":"Group-IB records the start of systematic fraudulent domain registrations impersonating FIFA ahead of the 2026 World Cup, with 4,300+ such domains eventually catalogued.","source":"Group-IB Blog","source_url":"https://www.group-ib.com/blog/ghost-stadium-football-fraud/"},{"date":"2025-11-01","event":"Group-IB first observes the GHOST STADIUM threat actor operating phishing infrastructure targeting FIFA World Cup fans.","source":"Group-IB Blog","source_url":"https://www.group-ib.com/blog/ghost-stadium-football-fraud/"},{"date":"2026-01-01","event":"FortiGuard Labs begins counting World Cup-themed domain registrations; by May 2026, more than 13,000 such domains are recorded, approximately 8.8% assessed as malicious or suspicious.","source":"FIFA World Cup 2026 Scams Surge As Fake Sites Target Fans — Cyble","source_url":"https://cyble.com/blog/fifa-world-cup-2026-scams/"},{"date":"2026-02-01","event":"First derivatives of the Massiv Android banking trojan are spotted embedded in pirated World Cup streaming applications, according to Malwarebytes.","source":"FIFA World Cup 2026 Scams Are Already Live — The Hacker News","source_url":"https://thehackernews.com/2026/06/fifa-world-cup-2026-scams-are-already.html"},{"date":"2026-03-01","event":"GHOST STADIUM domain registrations surge: 78 new domains registered in March 2026 alone, according to CybelAngel.","source":"FIFA World Cup Fraud: 468 IOCs and Four Active Threat Vectors — CybelAngel","source_url":"https://cybelangel.com/blog/our-investigation-of-fifa-world-cup-2026-fraud-threat-report/"},{"date":"2026-04-01","event":"A Polygon wallet linked to a fake FIFA ticket phishing site receives approximately $1,562 in a single day, the largest single-day inflow TRM Labs documented across four tracked fraud wallets.","source":"Tracking Crypto Scammers Ahead of the 2026 World Cup — TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/tracking-crypto-scammers-ahead-of-the-2026-world-cup"},{"date":"2026-04-27","event":"A coordinated batch of GHOST STADIUM redirector domains is registered in a single day, including football-ticket[.]top, football-ticket[.]shop, football-game[.]shop, and football-tickets[.]top.","source":"GHOST STADIUM Score: Billions At Stake — Group-IB","source_url":"https://www.group-ib.com/blog/ghost-stadium-football-fraud/"},{"date":"2026-04-29","event":"A second coordinated domain registration event registers 30 additional GHOST STADIUM domains in a single day, according to CybelAngel.","source":"FIFA World Cup Fraud: 468 IOCs and Four Active Threat Vectors — CybelAngel","source_url":"https://cybelangel.com/blog/our-investigation-of-fifa-world-cup-2026-fraud-threat-report/"},{"date":"2026-05-27","event":"FBI/IC3 issues Public Service Announcement I-052726-PSA warning of spoofed FIFA websites, documenting over 40 fraudulent domains and advising consumers to report incidents to ic3.gov.","source":"IC3 PSA I-052726-PSA — FBI","source_url":"https://www.ic3.gov/PSA/2026/PSA260527"},{"date":"2026-05-27","event":"Group-IB publishes the GHOST STADIUM research report, attributing the campaign to a Chinese-speaking threat actor and estimating potential losses of $71 million to $474 million for the premium ticket fraud tier alone.","source":"GHOST STADIUM Score: Billions At Stake — Group-IB","source_url":"https://www.group-ib.com/blog/ghost-stadium-football-fraud/"},{"date":"2026-06-09","event":"CybelAngel confirms 344 clone domains actively mimicking the official FIFA website, with 125 live and serving content; 146 use Cloudflare nameservers to resist IP-level blocking.","source":"FIFA World Cup Fraud: 468 IOCs and Four Active Threat Vectors — CybelAngel","source_url":"https://cybelangel.com/blog/our-investigation-of-fifa-world-cup-2026-fraud-threat-report/"},{"date":"2026-06-10","event":"WCUP token launches on LBank; Bubblemaps alleges 95% of supply was sniped at launch by more than 30 coordinated wallets funded from an exchange 30 minutes prior; market cap reaches approximately $50 million against only $536,000 in liquidity.","source":"95% Of World Cup Token WCUP Supply Pre-Purchased By Single Group, Bubblemaps Alleges — BitcoinWorld","source_url":"https://bitcoinworld.co.in/world-cup-token-wcup-scam-bubblemaps/"},{"date":"2026-06-11","event":"FIFA World Cup 2026 tournament begins, marking the opening of the highest-risk window for scam activity. Researchers designate June 11 through July 19, 2026 as the peak fraud period.","source":"FIFA World Cup 2026 Scams Are Already Live — The Hacker News","source_url":"https://thehackernews.com/2026/06/fifa-world-cup-2026-scams-are-already.html"},{"date":"2026-06-15","event":"CybelAngel publishes full threat report cataloguing 468 indicators of compromise across four active fraud vectors.","source":"FIFA World Cup Fraud: 468 IOCs and Four Active Threat Vectors — CybelAngel","source_url":"https://cybelangel.com/blog/our-investigation-of-fifa-world-cup-2026-fraud-threat-report/"},{"date":"2026-06-23","event":"Malwarebytes, Help Net Security, and Tech-ish publish reports on fake streaming site networks, with Malwarebytes documenting more than 40 functionally identical scam streaming websites active during the tournament.","source":"Free, no-signup World Cup streams serve scams instead of football — Help Net Security","source_url":"https://www.helpnetsecurity.com/2026/06/23/fake-world-cup-streaming-sites-scams/"}]},"v":1}