
Group-IB finds 4,300 FIFA-impersonating domains and warns losses could hit billions

A massive World Cup fraud ecosystem is already live. Here is what it targets, how it works, and what leaders should do now.

By Yousef Al-Zahrani, Technology Correspondent, The Executives Brief
Executive summary

Cybersecurity firm Group-IB uncovered a massive, sophisticated fraud campaign targeting 2026 FIFA World Cup fans, including 4,300 fraudulent domains impersonating FIFA’s official web presence. Proofpoint also warned that Saudi-linked tournament sponsors and partners lack adequate email security protections, raising operational and brand risk for the entire ecosystem.

Saudi fans traveling to the 2026 FIFA World Cup are being urged to stay vigilant as impersonation scams ramp up, and the scale is the scary part. Group-IB says it uncovered a “massive, sophisticated” fraud campaign: researchers identified more than 4,300 fraudulent domains impersonating FIFA’s official web presence, alongside six parallel fraud schemes and four independent threat actors. The firm estimates potential losses could run into the billions of dollars.

That isn’t abstract cyber anxiety. The fraud timing lines up with a tournament that is already being treated like a scarce commodity: the event runs June 11 to July 19, 2026 across 16 cities in the US, Canada, and Mexico, and FIFA expects more than 6 million fans to attend matches. FIFA also said more than 150 million tickets were requested in the first 15 days of sales, making this edition roughly 30 times oversubscribed compared with previous tournaments. When demand spikes and fans feel urgency to secure tickets, that emotional lever becomes a business model for scammers.

Group-IB says the campaign is not just theoretical. Researchers report that thousands of fraudulent domains have been registered since August 2025, with more than 300 actively deploying phishing infrastructure and about 3,800 parked and ready for activation. “Parked” is a particularly important detail for executives, because it means capacity exists to scale the attack quickly, even if defenders disrupt the first wave. At the center of the operation is a group Group-IB calls GHOST STADIUM, described as Chinese-speaking, profit-driven, and using the same phishing kit across hundreds of sites.

To make those sites harder to detect, the fake pages closely mimic fifa.com and replicate FIFA’s single sign-on login. Group-IB reports that the pages use a genuine client ID copied from the live site. They also load images directly from FIFA’s own servers, which can make the pages look authentic in ways that standard security tooling struggles with. In plain terms: the scammers are borrowing enough legitimacy from FIFA’s actual infrastructure and design that victims are more likely to trust what they see, especially when they are trying to move fast.
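An added example, not from Group-IB or the original article: because the cloned pages pull images from the real servers, the brand owner's own asset-server logs can record the clone's address in the Referer header. The sketch below counts image requests referred from non-official hosts; the log format, allowlist, paths and sample hosts are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: only these domains legitimately embed the brand's images.
OFFICIAL_SUFFIXES = ("fifa.com",)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".svg", ".webp", ".gif")
# Combined Log Format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (documentation IPs, reserved .example/.test hosts).
_T = "[02/Mar/2026:10:01:11 +0000]"
_CLONE = "https://fifa-tickets-sale.example/login"
SAMPLE_LOG = [
    f'198.51.100.7 - - {_T} "GET /img/logo.svg HTTP/1.1" 200 5120 "https://www.fifa.com/en/tickets" "Mozilla/5.0"',
    f'203.0.113.9 - - {_T} "GET /img/logo.svg HTTP/1.1" 200 5120 "{_CLONE}" "Mozilla/5.0"',
    f'203.0.113.10 - - {_T} "GET /img/hero.jpg?v=3 HTTP/1.1" 200 88211 "{_CLONE}" "Mozilla/5.0"',
    f'192.0.2.44 - - {_T} "GET /img/logo.svg HTTP/1.1" 200 5120 "https://www.fifa.com.account-verify.test/" "Mozilla/5.0"',
    f'192.0.2.45 - - {_T} "GET /img/logo.svg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'192.0.2.46 - - {_T} "GET /api/session HTTP/1.1" 200 312 "{_CLONE}" "Mozilla/5.0"',
]

def is_official(host):
    """True for an official domain or a real subdomain of one (suffix on a dot boundary)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def foreign_embedders(lines):
    """Count image fetches per referring host that is not on the official list."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if not urlsplit(m["path"]).path.lower().endswith(IMAGE_EXT):
            continue
        # A "-" or empty Referer parses to None: pages that suppress the
        # header are a blind spot for this check.
        host = urlsplit(m["referer"]).hostname
        if host is None or is_official(host):
            continue
        hits[host] += 1
    return hits

if __name__ == "__main__":
    print(foreign_embedders(SAMPLE_LOG).most_common())
```

Hosts surfaced this way are candidates for review and takedown requests, not confirmed phishing sites, since legitimate third parties may also embed brand images.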

The lures are familiar, but the execution sounds dialed-in. Group-IB says fraudsters heavily use Facebook ads, fake urgency, and sharply discounted ticket offers to pull victims into cloned login portals, where their details can be stolen and FIFA accounts accessed. Once stolen credentials are in circulation, the fraud becomes self-perpetuating. Group-IB says more than 2,500 valid FIFA account credential pairs are already circulating on dark-web markets, in part because of infostealer malware campaigns. That matters for risk planning because it suggests multiple paths to compromise: phishing websites for entry, then malware and stolen credentials for follow-on access.

Money is already being modeled by the researchers. Group-IB estimated losses from premium and hospitality ticket fraud alone between $71 million and $474 million, while warning the wider campaign could generate losses in the billions of dollars. Beyond ticketing, cybercriminals are also targeting fan merchandise and streaming platforms, particularly in Latin American markets, where counterfeit storefronts and malicious sites are being used to spread malware. This is the part that should make boards and C-level leaders pay attention: the “World Cup” is becoming a cross-industry fraud stage, not just a ticketing problem.

And it is not only Group-IB sounding the alarm. Proofpoint said on Friday that more than 36 percent of official sponsors, suppliers, partners, and supporters linked to the tournament do not have adequate email security protections in place to guard against domain impersonation. Proofpoint is California-based, has expanded across the Middle East in recent years, and opened a local data center in Saudi Arabia in 2025. It told Arab News it expects a surge in attacks and urged Saudi fans to increase vigilance.

Abdullah Aljandal, country manager for Saudi Arabia at Proofpoint, told Arab News that as more Saudi fans travel to support Saudi Arabia’s Green Falcons in the US, “awareness becomes just as important as technology.” He also warned that major events tend to attract cybercriminals, who impersonate brands and official partners to send fake offers designed to steal personal or financial information. Aljandal added that AI is making scams more convincing and easier to scale, including highly personalized phishing emails and fake communications that are harder to identify. The second-order implication for executives is straightforward: even if one organization perfects its own defenses, partners and email ecosystems can still provide attackers a nearby door through domain impersonation.

There is also a broader timing and incentives story hiding under the cyber headlines. FIFA’s ticket demand has created a high-intent audience, and high-intent audiences are what fraud teams want. With FIFA preparing to stage the tournament across North America and with Saudi Arabia preparing to welcome the world for the FIFA World Cup 2034, Proofpoint’s framing about digital trust and cybersecurity awareness becoming increasingly important is not just PR. For leaders, the operational stake is whether security controls, identity flows, and partner readiness can hold up under a concentrated, global demand spike. Because if credential theft and domain impersonation keep scaling while domain counts are already in the thousands, the fraud machine does not need to be “better.” It only needs to be persistent enough to monetize the next wave of urgency.
