Overview
- The FBI issued a public warning on Thursday and published examples of spoofed FIFA domains while urging victims to report incidents to the Internet Crime Complaint Center with details such as the fake domain, interaction history, and payment information.
- Group-IB reported more than 4,300 fraudulent domains registered since last August and attributed a major portion of the operation to a Chinese-speaking actor it calls Ghost Stadium that cloned fifa.com including the single sign-on flow.
- Researchers say infostealer malware families, led by Vidar and Lumma, have harvested roughly 2,500 FIFA logins that are now trading on dark-web markets and can be used to commit account takeover and identity theft.
- Fraud operators are preparing to turn many dormant domains on in the run-up to the tournament and are driving traffic with paid ads and messages on platforms such as Google Search, Facebook/Meta, Telegram, and WhatsApp to sell counterfeit tickets and hospitality or move funds via crypto on-ramps.
- Security firms and the FBI advise buying only from fifa.com, enabling multi-factor authentication, avoiding sponsored search ads, using bookmarks for official sites, and pursuing registrar-level takedowns to blunt large-scale, staged campaigns that could cost victims millions.