A cybercrime group known as GHOST STADIUM has built more than 4,300 fake websites impersonating FIFA to steal login credentials and payment details from fans trying to buy 2026 World Cup tickets. Researchers first spotted the group in November 2025, and more than 300 of those fraudulent sites are currently running live infrastructure. Evidence in the malicious code — including Chinese-language comments and a Chinese open-source design library — points to a Chinese-speaking operation.
The scam works like this: victims see Facebook ads offering deeply discounted World Cup tickets, sometimes as low as $60 for seats worth thousands of dollars. Clicking the ad leads to a convincing fake FIFA login page that harvests your username and password. Once the attackers have your credentials, they can lock you out of your real FIFA account and resell your legitimate tickets. Researchers estimate the scheme could account for losses of $71 million to $474 million across approximately 47,400 victims for premium tickets alone.
How to check if you’re affected
Affected products include any FIFA.com account or ticket purchase made through a third-party website or a link from a social media ad. If you’ve clicked a Facebook or Instagram ad offering World Cup tickets, treat that site as suspicious. Legitimate FIFA ticket sales happen only at fifa.com — type the address directly into your browser and never follow links from ads or emails. If you entered your FIFA login credentials on any other site, change your password immediately at fifa.com and enable two-factor authentication. Any domain using a hyphenated variant of the FIFA name (e.g., fifa-tickets-2026.com) should be treated as fraudulent.