Thousands of Fake FIFA Domains Target World Cup Fans

Group-IB analysis found more than 4,300 fraudulent domains impersonating FIFA, run by at least four operators including a Chinese-speaking actor called Ghost Stadium that uses cloned fifa.com pages promoted via paid Facebook ads; campaigns include phishing kits, PhaaS offerings and infostealer infections (Vidar, Lumma) that have harvested ~2,500 FIFA credentials, with monetization via crypto on-ramps and estimated losses from ticket fraud into the millions or higher. The report recommends buying only from fifa.com, enabling MFA, monitoring dormant domains for activation, and pursuing registrar-level takedowns.