At least 40 fake FIFA World Cup 2026 ticketing websites have been linked to a wider fraud network involving 15 active cybercriminal operators, according to a new report by cybersecurity firm CloudSEK.

The report says the campaign is more advanced than normal phishing scams. Instead of simply creating fake ticket pages, the attackers are using cloned FIFA-style ticketing websites, real-time card skimming tools and possible one-time password interception methods to steal payment details from football fans.

The fake websites are designed to look like official FIFA ticket portals. They include match schedules, stadium details, shopping carts, payment pages and secure checkout messages. These details are used to make victims believe they are buying real World Cup tickets.

CloudSEK said the campaign works like a real-time man-in-the-middle phishing system. It can track a victim during the checkout process and capture sensitive payment information, including card numbers, expiry dates and CVV codes. The platform may also be able to intercept or relay OTPs, helping attackers bypass SMS-based security checks.

The investigation also found signs of a larger fraud ecosystem behind the websites. This includes a rogue payment processing network and shared infrastructure that supports multiple operators.

According to CloudSEK, the backend system is hosted through a Chinese-language administrative panel and supports at least 15 separate operator instances. This suggests the operation is not a small phishing campaign, but a scalable cybercrime platform.

Gagan Aggarwal, Threat Intelligence Researcher at CloudSEK TRIAD, said the campaign shows how global events are being abused by organised cybercriminal groups. He warned that the threat has moved beyond fake ticket listings and basic phishing pages, with attackers now combining fake checkout systems, live victim tracking, card skimming and OTP interception into one platform.


The report also noted several indicators that point to Chinese-origin threat actors. These include a backend interface in Simplified Chinese, repeated administrative access from China-based IP addresses and internal naming patterns linked to the platform.

Social media is also playing a major role in sending traffic to these scam websites. CloudSEK observed that Facebook accounted for around 60 to 65 percent of user sessions, while Instagram contributed about 15 percent.

The campaign has targeted users in several countries. The United States appears to be the main target, while activity has also been detected in Italy, Romania, Australia, Canada, Germany, South Korea, Saudi Arabia, South Africa and other markets.

With the FIFA World Cup 2026 expected to attract millions of fans worldwide, cybersecurity experts are warning users to be very careful when buying tickets online. Fans should only purchase tickets through official FIFA channels and avoid links shared through social media ads, unknown websites or direct messages.

Fake ticket websites often look professional, but small warning signs can help users stay safe. These include unusual domain names, urgent discount offers, spelling mistakes, suspicious payment pages and requests for sensitive banking information outside trusted platforms.



As cybercriminals continue to use major sporting events for online fraud, fans should verify every ticketing website before entering personal or financial details.
