Quick Take

The FBI's PSA260527 advisory, published May 27, 2026, warns that 300+ phishing sites are impersonating FIFA and authorized World Cup 2026 ticket resellers. A Chinese-speaking actor known as Ghost Stadium operates the majority of the infrastructure, using Google Ads, fast-rotating lookalike domains (fiffa[.]com, fifa-tickets-2026[.]live, worldcup-2026-tickets[.]xyz), and fake hospitality packages to capture card details from buyers worldwide. SafeBrowz blocks these pages at the browser using a 550+ brand database that includes FIFA, server-side reputation feeds for newly registered World Cup domains, and AI content analysis trained on sports-event social-engineering language. The only safe purchase channel is fifa.com/tickets.

The FBI PSA in 60 seconds

FBI IC3 alert PSA260527 identifies more than 300 active phishing domains targeting FIFA World Cup 2026 ticket buyers across the United States, Canada, Mexico (the three host nations), and dozens of source markets including the United Kingdom, Germany, Brazil, Argentina, the Gulf, Japan, and South Korea. The advisory attributes the bulk of the infrastructure to a Chinese-speaking criminal operation that incident responders have labelled Ghost Stadium. BleepingComputer's coverage adds that Ghost Stadium domains rotate weekly, push paid traffic through Google Search and Facebook Marketplace ads, and accept payment in mixed channels including credit cards, wire transfers, and stablecoins. Victims typically discover the fraud only when their physical or QR tickets fail to arrive in the weeks leading up to a match. The FBI confirms the only authorized sales channel is fifa.com/tickets and a small list of FIFA-approved resellers published on that portal.

How Ghost Stadium phishing actually works

The Ghost Stadium funnel is a textbook example of paid-traffic phishing layered over a credit-card harvester. The flow we see on the wire looks like this:

  1. The buyer searches "world cup 2026 tickets" or "buy fifa tickets" on Google. Two or three of the top results are sponsored ads. The ad copy includes "Official FIFA Tickets", "FIFA Approved Reseller", or "Hospitality Packages 2026", and the visible URL looks plausible. Ghost Stadium routinely buys ad placement above the real fifa.com result during high-intent search windows.
  2. The click lands on a lookalike domain such as fiffa[.]com, fifa-tickets-2026[.]live, worldcup-2026-tickets[.]xyz, or fifa-hospitality[.]sale. The page clones FIFA's official colour palette, navigation, and trophy imagery. A countdown timer at the top reads "Group stage tickets selling out in 14 minutes".
  3. The catalogue shows a deep inventory: group-stage matches in Dallas, knockout rounds in New York and Mexico City, the final in MetLife Stadium, plus hospitality packages bundling flights and hotel nights. Pricing is plausible (USD 320 to USD 4,800 per seat). Some entries are slightly under FIFA's official price to manufacture urgency. Others are slightly over to feel premium.
  4. The checkout collects full card details, billing address, passport number, and sometimes a copy of the buyer's photo ID under the pretence of "FIFA security verification". Payment is processed (or, more often, the card is captured and reused or sold; the "successful" transaction is faked at the confirmation screen).
  5. The buyer receives a polished confirmation email with a fake order number, a promise that physical tickets or QR codes will be issued 30 days before the first match, and a "customer support" address that goes unanswered. The card is silently tested for further fraud over the following days.

This is structurally the same pattern as a fake login page attack against Microsoft 365, with two important differences. First, the upstream channel is paid search, not email, so secure email gateways are entirely out of the loop. Second, the credential being stolen is a credit card, not an account, so multi-factor authentication is not even a theoretical defence. The browser is the only layer that sees the moment of compromise.

The lookalike domain catalogue

Ghost Stadium's domain inventory clusters around a handful of structural patterns. From the corpus we have analysed against our 3-layer engine and public WHOIS data over the past week, the categories are remarkably consistent:

  • Brand typosquats: fiffa[.]com, fifaa[.]com, fifa1[.]com, fyfa-tickets[.]com. These hit our edit-distance algorithm immediately, the same logic that flagged ledgar[.]com against the Ledger brand in our 2026-05-08 detection update.
  • Event-keyword compounds: fifa-tickets-2026[.]live, worldcup-2026-tickets[.]xyz, fifa-worldcup-tickets[.]shop, fifaworldcup26[.]online. These combine the FIFA brand token with event keywords (world cup, 2026, tickets) on cheap TLDs.
  • Hospitality and VIP variants: fifa-hospitality[.]sale, worldcup-vip-2026[.]com, fifa-premium-tickets[.]net, hospitality-fifa2026[.]co. These target the highest-spend buyers (USD 2,000 to USD 8,000 per package) with the largest fraud margin per victim.
  • Host-city and venue lookalikes: metlife-final-tickets[.]com, dallas-worldcup-tickets[.]live, nyc-fifa-final[.]xyz. These pivot from the brand to the venue and benefit from buyers searching for specific match locations.
  • Reseller impersonations: domains that copy the names of legitimate authorized resellers (StubHub, On Location, Match Hospitality) with subtle modifications. These exploit buyers who know "FIFA-approved reseller" is a real category and assume any close name is legitimate.

Across all five clusters the typical Ghost Stadium domain age at the moment of victimisation is under fourteen days. Some are under 48 hours. This is the strongest server-side signal we have, and it lines up with how our Layer 2 reputation feeds behave: Google Safe Browsing, PhishTank, and URLhaus surface fresh malicious hosts within hours, often within minutes of the first credential capture.

What SafeBrowz sees on the network

Three observations from our detection engineering team go beyond the FBI advisory itself.

First, FIFA is in our 550+ brand database, alongside the Microsoft / Coinbase / Chase / Ledger / PayPal cluster, and has been since the brand-database expansion shipped earlier this year. The structural edit-distance and suffix-strip rules that catch fiffa[.]com against FIFA are the same rules that catch ledgar[.]com against Ledger, the same rules that catch coinbase-suspend[.]com against Coinbase, and the same rules that catch chase-online-verify[.]xyz against Chase. We did not need a Ghost Stadium-specific signature. We needed FIFA on the brand list and the general lookalike pattern, and the kit family fell into the existing detection.

Second, the Layer 2 reputation signal on Ghost Stadium domains is unusually clean compared to enterprise phishing kits. Because Ghost Stadium pushes paid traffic, the domains get high visibility very quickly, get reported by burned victims, and surface in PhishTank within hours rather than days. The same paid-traffic strategy that makes the scam profitable also accelerates the takedown signal. For a SafeBrowz user with the extension installed, this means the Layer 2 block usually fires within the first 48 hours of a campaign going live.

Third, the Layer 3 AI content analysis catches the language signature reliably. The kit needs to convince a buyer that a non-fifa.com host is selling legitimate tickets. That requires written copy: "FIFA Approved Reseller", "Official Hospitality Partner", "Hospitality packages from USD 3,200 include match ticket and four-star hotel", "tickets ship via DHL on May 30, 2026", "Group A tickets selling out in 11 minutes". This is language that does not appear on legitimate ticket reseller pages in this combination. Our AI deep scan, which runs in 100+ languages, lights up on the pattern regardless of the specific host. The kit family cannot stop producing this copy and still convert buyers, which is why the detection holds even as domains rotate.

One subtle point worth naming. Sponsored ad URLs sometimes redirect through an intermediate tracking domain before landing on the Ghost Stadium host. We see redirect chains of two or three hops. Layer 1 and Layer 2 both inspect the final landing URL, so the redirect chain does not evade detection. The block fires at the actual phishing host the moment navigation completes.
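The domain catalogue above, the brand-list rules in the first observation, and the redirect-chain point can all be shown with a small defender-side classifier. The following is an added example written for this post, not SafeBrowz code: it implements an edit-distance check against a constructed brand list, strips event and lure tokens ("tickets", "2026", "hospitality") so that the brand token underneath is compared, flags brand-free event-keyword compounds as suspicious, and evaluates the final landing host of a constructed redirect map rather than the first hop. The brand list, filler-token list, cheap-TLD list and hop map are all constructed stand-ins; the real 550+ brand database and a public-suffix list would replace them.

```python
"""Brand-lookalike classifier plus final-landing-URL resolution over a redirect chain.
Added example for this post; every list below is a constructed stand-in."""
import re
from urllib.parse import urlparse

# Constructed stand-in for the brand database (the real one has 550+ entries).
BRANDS = {"fifa", "ledger", "coinbase", "chase", "stubhub", "ticketmaster", "paypal"}

# Registrable domains allowed to carry those brand tokens (constructed subset).
OFFICIAL_DOMAINS = {"fifa.com", "ledger.com", "coinbase.com", "chase.com",
                    "stubhub.com", "ticketmaster.com", "paypal.com"}

# Event / lure tokens a kit glues onto the brand token; stripped before comparison.
FILLER_TOKENS = {"tickets", "ticket", "worldcup", "world", "cup", "final",
                 "hospitality", "vip", "premium", "official", "online",
                 "verify", "suspend", "login", "secure", "sale", "shop"}

CHEAP_TLDS = {"shop", "top", "xyz", "live", "click", "sale", "online"}


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_filler(token):
    """True if a token is only digits and/or a lure word ('2026', 'worldcup26')."""
    stripped = re.sub(r"\d+", "", token)
    return stripped == "" or stripped in FILLER_TOKENS


def match_brand(label):
    """Return (brand, reason) if the registrable label impersonates a brand, else None."""
    tokens = [t for t in re.split(r"[-_]", label) if t]
    for token in tokens:
        if token in BRANDS:
            return token, "brand token"                      # fifa-tickets-2026
        for brand in BRANDS:
            if len(token) >= 4 and levenshtein(token, brand) == 1:
                return brand, "typosquat (edit distance 1)"  # fiffa, ledgar, fyfa
            if token.startswith(brand) and _is_filler(token[len(brand):]):
                return brand, "brand plus glued filler"      # fifaworldcup26
    return None


def classify_host(host):
    """Layer-1-style verdict for one hostname: allow / block / suspicious / none."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return {"host": host, "verdict": "none", "reason": "no registrable domain"}
    label, tld = labels[-2], labels[-1]   # assumption: single-label public suffix
    if f"{label}.{tld}" in OFFICIAL_DOMAINS:
        return {"host": host, "verdict": "allow", "reason": "official domain"}
    hit = match_brand(label)
    if hit:
        brand, reason = hit
        return {"host": host, "verdict": "block", "brand": brand, "reason": reason}
    fillers = sum(_is_filler(t) for t in re.split(r"[-_]", label) if t)
    if fillers >= 2 or (fillers >= 1 and tld in CHEAP_TLDS):
        return {"host": host, "verdict": "suspicious", "reason": "event-keyword compound"}
    return {"host": host, "verdict": "none", "reason": "no brand signal"}


def resolve_redirects(url, hop_map, max_hops=5):
    """Follow a constructed redirect map to the final landing URL (stands in for
    waiting until the browser navigation actually completes). Bounded against loops."""
    chain = [url]
    while url in hop_map and len(chain) <= max_hops:
        url = hop_map[url]
        chain.append(url)
    return url, chain


def verdict_for_navigation(start_url, hop_map):
    """Classify the host the user ends up on, not the sponsored-ad click URL."""
    final_url, chain = resolve_redirects(start_url, hop_map)
    result = classify_host(urlparse(final_url).hostname or "")
    result["chain"] = chain
    return result


# Constructed two-hop tracking chain of the kind described above.
SAMPLE_HOPS = {
    "https://ad-click.example/track?id=123": "https://redirector.example/go?u=1",
    "https://redirector.example/go?u=1": "https://fifa-tickets-2026.live/checkout",
}

if __name__ == "__main__":
    for h in ["fifa.com", "fiffa.com", "fifa-tickets-2026.live", "fifaworldcup26.online",
              "worldcup-2026-tickets.xyz", "ledgar.com", "stubhub.com", "example.com"]:
        print(classify_host(h))
    print(verdict_for_navigation("https://ad-click.example/track?id=123", SAMPLE_HOPS))
```

Two caveats a practitioner would add before using this beyond a demo: an edit distance of 1 against short brand tokens produces collisions with ordinary words (a five-letter brand will match unrelated five-letter words), so a real deployment pairs it with an allowlist and a public-suffix list; and the redirect map here is constructed, whereas the extension reads the URL the navigation actually lands on.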

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns plus 550+ brand-specific signatures running inside the extension before the page renders. FIFA is on the brand list, alongside the major sports and ticketing brands (StubHub, Ticketmaster, On Location, Match Hospitality). Cyrillic and Punycode homograph awareness catches mixed-script lookalikes. The brand-impersonation rule family triggers on fiffa[.]com, fifa-tickets-*, worldcup-2026-*, fifa-hospitality-*, and the rest of the Ghost Stadium structural patterns, before paint.
  • Layer 2 - API reputation: server-side aggregation of Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam-TLD checks. Newly registered Ghost Stadium domains (typical age under fourteen days at the moment of victimisation) surface in PhishTank and URLhaus within hours of the first credential capture. Our extension reads those signals on every navigation. Cheap-TLD penalties on .shop / .top / .xyz / .live / .click / .sale add weight.
  • Layer 3 - AI deep scan (Premium): a multi-language content analyser that reads the rendered page and reasons about intent. For Ghost Stadium the signature is "lookalike FIFA branding plus event-ticket inventory plus urgency language plus payment capture". When that pattern appears on a non-fifa.com host the verdict is danger. The same engine works in 100+ languages, which matters because Ghost Stadium ships localized landing pages for Spanish, Portuguese, Arabic, German, Japanese, and Korean buyer markets.
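Layer 1 also mentions Cyrillic and Punycode homograph awareness, and Layer 2 mentions cheap-TLD penalties. The following added example (written for this post, not SafeBrowz code) shows one way to implement that pairing with only the Python standard library: it decodes any xn-- label back to Unicode, assigns each letter a script family from its Unicode character name, flags a registrable label that mixes scripts, and adds weight for a cheap TLD. The TLD list, score thresholds and sample hosts are constructed; the stdlib idna codec implements IDNA 2003, which is an assumption a production checker would revisit.

```python
"""Mixed-script / Punycode homograph check with a cheap-TLD weighting.
Added example; lists, thresholds and sample hosts are constructed."""
import unicodedata

CHEAP_TLDS = {"shop", "top", "xyz", "live", "click", "sale"}
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARABIC")


def to_ascii(host):
    """Unicode hostname -> ACE form ('xn--' labels) via the stdlib IDNA 2003 codec."""
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """ACE hostname -> Unicode (inverse of to_ascii)."""
    return host.encode("ascii").decode("idna")


def script_of(ch):
    """Script family of one letter, taken from its Unicode name; None for digits/hyphens."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def analyse_host(host):
    """Homograph verdict for the registrable label of one hostname."""
    ascii_host = to_ascii(host) if any(ord(c) > 127 for c in host) else host.lower()
    labels = ascii_host.rstrip(".").split(".")
    if len(labels) < 2:
        return {"host": ascii_host, "verdict": "none", "reason": "no registrable domain"}
    label, tld = labels[-2], labels[-1]   # assumption: single-label public suffix
    unicode_label = to_unicode(label) if label.startswith("xn--") else label
    scripts = {s for s in map(script_of, unicode_label) if s}

    score, reasons = 0, []
    if len(scripts) > 1:                  # e.g. Latin 'f','a' mixed with Cyrillic 'i'
        score += 3
        reasons.append("mixed-script label (" + ", ".join(sorted(scripts)) + ")")
    elif label.startswith("xn--"):        # legitimate single-script IDN: low weight only
        score += 1
        reasons.append("IDN label, single script")
    if tld in CHEAP_TLDS:
        score += 1
        reasons.append("cheap TLD ." + tld)
    verdict = "block" if score >= 3 else "suspicious" if score >= 2 else "none"
    return {"host": ascii_host, "label": unicode_label, "scripts": sorted(scripts),
            "score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: plain ASCII, Latin + Cyrillic 'i' (U+0456), single-script IDN.
    for h in ["fifa.com", "f\u0456fa.com", "\u043f\u0440\u0438\u043c\u0435\u0440.xyz"]:
        print(analyse_host(h))
```

The mixed-script rule on its own is a strong signal because no legitimate brand registers a label that switches alphabet mid-word; the single-script IDN case is deliberately kept at a low weight so that genuine non-Latin domains are not blocked outright.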

Detection signatures come from threat-intelligence research and our brand database, not from user browsing data. Per-user URL history is never stored.

Why this scam works at scale

Step away from the kit for a moment and the question becomes: why is event-ticket fraud structurally easier than bank fraud or crypto fraud? Five reasons, in our team's analysis.

Tournament approaching equals panic buying. The closer the tournament, the higher the willingness to compromise on verification. A buyer who would happily wait 24 hours to confirm a bank transfer will not wait 10 minutes when a fake countdown timer says Group A tickets are selling out. The same urgency lever that drives Zelle P2P payment scams and Chase Bank fraud-alert phishing works tenfold for a one-off event with a fixed end date.

Official channel capacity is genuinely limited. FIFA's actual ticket allocation is rationed through phased sales, lotteries, and country-by-country pools. A real buyer who fails to secure tickets through fifa.com is conditioned to look at the secondary market. That conditioning is exactly what Ghost Stadium exploits. The buyer has already been told "you have to look elsewhere", and now anything that looks tangentially official feels like the answer.

International buyers cannot easily verify resellers across borders. An American buyer can sanity-check StubHub. A Saudi buyer trying to buy tickets for the final in New Jersey is operating in a market they have never used, with reseller names they have never seen, in a currency they normally do not transact in. The cognitive cost of verification is so high that "looks like FIFA" becomes the verification.

Pricing variance is enormous, so scam pricing always seems plausible. Real World Cup tickets range from USD 100 for early group stage to over USD 5,000 for premium hospitality at the final. Ghost Stadium pricing fits anywhere inside that range. There is no "this is obviously too cheap" red flag, the way there is with a USD 50 PlayStation 5. A USD 1,200 quarter-final ticket from a lookalike site is well within the band a buyer would expect.

Cross-currency payment increases complexity and reduces vigilance. Ghost Stadium accepts USD, EUR, GBP, and increasingly stablecoin payment in USDC. Mixed-currency checkout flows feel sophisticated rather than suspicious. A buyer who would spot something wrong with a Zelle P2P payment from a sketchy domain does not extend the same scepticism to a card payment that includes a euro conversion line.

What is coming next: our brand-pivot prediction

Ghost Stadium is the largest current example of event-ticket phishing, but the technique is not World Cup specific. Any major event with limited official capacity and high secondary-market demand is structurally exposed. Our detection team's prediction for the next 24 months, based on what we see in our brand database and what we are starting to find in early-stage lookalike registrations:

  • Olympics 2028 (Los Angeles) ticketing. Highest-volume pivot. The Paris 2024 Olympics generated a measurable secondary market for fake hospitality packages; the LA 2028 build-up has 24 months to mature into a Ghost Stadium-scale operation. We expect typosquat-style lookalikes of la28[.]com and the eventual official ticketing partner to begin surfacing in late 2026.
  • UEFA Champions League finals 2026, 2027, 2028. Annual cadence makes this the most consistent target. The Madrid 2027 final and Munich 2028 final both meet the "limited official allocation plus enormous secondary demand" pattern. Lookalike domains of the form uefa-final-2027[.]com and madrid-champions-final[.]live are the predictable structural variants.
  • Super Bowl LXII (2028) in Atlanta. The Super Bowl ticket market is even more fragmented than World Cup, with a higher reliance on third-party resellers. Lookalike domains targeting both the NFL and StubHub / On Location brand cluster are likely in 2027 as the event approaches.
  • Cricket World Cup and IPL ticketing. Underrated target. The annual IPL season and the rotating Cricket World Cup both have huge South Asian and Gulf demand. Our database already tracks the major cricket brand cluster; we expect Ghost Stadium-style operations targeting BCCI and ICC ticket portals within the next 12 months.
  • Wimbledon, US Open, French Open, Australian Open. Premium tennis events with tight official capacity and high hospitality margins. Lookalike ticket portals for Wimbledon historically appear in the four weeks before the tournament; the pattern will not change.
  • Concert and stadium tour ticketing. Taylor Swift Eras Tour residuals, Coldplay Music of the Spheres tour, and the inevitable next mega-tour all attract the same urgency-plus-scarcity dynamic. Lookalike domains for Ticketmaster, Live Nation, and AXS are already in our brand database. The Ghost Stadium playbook ports almost directly.
  • Hospitality packages bundled with above. The hospitality bundle (flight + hotel + ticket) is where Ghost Stadium extracts the highest per-victim margin. Expect the same structural fraud to expand into Olympics hospitality, Champions League hospitality, and major concert VIP packages.

The economic model is the real story here. Paid-traffic phishing of event tickets requires no novel technical capability. It requires a credit card for Google Ads, a list of buyer-intent keywords, a cheap-TLD domain refresh cadence, and a hosted checkout that captures cards. The skill floor for high-yield event-ticket fraud is now near zero, and the upper bound on the addressable market is every major sporting and concert event for the foreseeable future. Browser-layer defence is the only layer that scales with that.

Gulf market relevance

One angle that the FBI advisory mentions only in passing but that matters to a meaningful share of our user base: the Gulf is one of the top five source markets for World Cup 2026 ticket purchases. The UAE, Saudi Arabia, Qatar, and Kuwait have large football-following populations, high disposable income, and well-developed travel infrastructure to the host cities. Ghost Stadium ships localized Arabic landing pages for exactly this segment.

The payment instruments used by Gulf buyers (cards issued by NBK Kuwait, QNB Qatar, Emirates NBD, Saudi National Bank, Mashreq, ADCB) are the same payment instruments we already cover in our Arabic Gulf blog series on NBK Kuwait phishing. The fraud surface extends naturally from bank-impersonation phishing to event-ticket phishing because the underlying card capture is identical; only the social-engineering pretext changes. A SafeBrowz user in Doha or Riyadh searching for World Cup tickets sees the same Layer 1 brand-impersonation block and the same Layer 3 AI verdict in Arabic that they would see for a fake QNB or Emirates NBD page.

One concrete recommendation for Gulf buyers: when paying with a regional card, enable the card-issuer's "international online purchase" toggle only for the duration of the FIFA transaction, then disable it again. This limits the blast radius of any card capture, regardless of whether the merchant turns out to be Ghost Stadium or legitimate.

What ticket buyers do right now

Specific, ordered steps for anyone trying to buy World Cup 2026 tickets in the next 12 months.

  1. Buy only at fifa.com/tickets. The URL bar must read exactly fifa.com, not fiffa, not fifaa, not fifa-tickets-anything. Type it directly, do not click a search result, do not click an ad. FIFA does not need to advertise to you.
  2. Authorized resellers only from the FIFA portal. FIFA publishes the list of approved resellers on the fifa.com/tickets page itself. If a reseller's name is not on that list, it is not authorized, regardless of how convincing the marketing looks. The list is the source of truth.
  3. Treat every sponsored ad as hostile. Ghost Stadium ranks via Google Ads. Skipping sponsored results entirely and clicking only on the first organic result (which will be fifa.com) eliminates the most common entry point. This single habit does more for ticket safety than any browser extension, ours included.
  4. Pay only with credit card if a non-FIFA channel is unavoidable. Credit cards offer chargeback rights that debit cards, wire transfers, and stablecoin payments do not. If you discover the seller was fraudulent, your card issuer can typically reverse the charge within 60 to 120 days under Visa or Mastercard chargeback policy. Wire transfer and crypto payment are effectively final.
  5. If you suspect fraud already, call your card issuer immediately. Request a fraud claim, block the card, and open a chargeback dispute. FIFA also operates a fraud reporting hotline (1-833-FIFA-TIX from the United States) and a fraud-report email path documented on fifa.com/tickets.
  6. Report to your national consumer protection authority. For United States buyers, file at ic3.gov and at reportfraud.ftc.gov. UK buyers report to Action Fraud at actionfraud.police.uk. French buyers use cybermalveillance.gouv.fr. Gulf buyers report to the relevant national cybercrime portal (UAE Digital Police app, Saudi National Cybersecurity Authority, Kuwait Cybercrime Directorate). Reporting is what produces the takedown signal that feeds back into our Layer 2 reputation lookups.
  7. If you bought from a non-FIFA channel and the order seems to be processing, watch your card statement daily for the next 30 days. Card-capture fraud often involves small test charges before larger fraud attempts. Lock the card the moment anything looks unfamiliar.
  8. Install a browser-layer scam detector. Email gateways do nothing here because the upstream channel is paid search. The browser is the only layer that sees the moment of compromise. This is exactly why SafeBrowz exists.

Frequently asked questions

What is the FIFA World Cup 2026 ticket scam in one sentence?

A network of more than 300 phishing websites, the bulk operated by a Chinese-speaking actor known as Ghost Stadium, impersonates FIFA and authorized resellers to capture credit card details from buyers searching for World Cup 2026 tickets, as warned by FBI advisory PSA260527 published on May 27, 2026.

How do Ghost Stadium phishing sites reach buyers?

Primarily through paid Google Search ads and Facebook Marketplace listings that rank above the real fifa.com result during high-intent search windows. The ad copy claims "Official FIFA Tickets" or "FIFA Approved Reseller", and the click lands on a lookalike domain such as fiffa[.]com, fifa-tickets-2026[.]live, or worldcup-2026-tickets[.]xyz. Email is not the primary channel, which is why secure email gateways do not protect against this scam.

What is the only safe place to buy FIFA World Cup 2026 tickets?

Fifa.com/tickets, typed directly into the browser address bar. Authorized resellers are listed on that portal itself. If a reseller name is not on the FIFA list, it is not authorized, no matter how convincing the marketing looks. Treat every sponsored ad result as hostile.

How does SafeBrowz detect Ghost Stadium domains when they rotate every few days?

Layer 1 brand impersonation rules trigger on the structural lookalike pattern, not on a specific domain. FIFA is one of the 550+ brands in our local database, and the edit-distance and suffix-strip algorithms that catch fiffa against FIFA are the same algorithms that catch ledgar against Ledger. Layer 2 reputation feeds (Google Safe Browsing, PhishTank, URLhaus) surface freshly registered hosts within hours. Layer 3 AI content analysis identifies the event-ticket social-engineering language regardless of host. The kit cannot stop producing FIFA-branded ticket-inventory copy and still convert buyers, and that copy is what we recognize.

I bought from a non-FIFA channel and the order seems to be processing. What do I do?

Call your card issuer immediately, request a fraud claim, and ask to dispute the charge under chargeback rights. Block the card and request a new one. Monitor your statement daily for the next 30 days, because card-capture fraud usually involves small test charges before larger attempts. Report the site to ic3.gov (United States), Action Fraud (United Kingdom), Cybermalveillance (France), or your national cybercrime portal. Forward the order confirmation email to FIFA's fraud-report path published on fifa.com/tickets.

Are hospitality packages safer than match-only tickets?

No, the opposite. Hospitality packages are Ghost Stadium's highest-margin product because they bundle the per-victim loss across ticket plus hotel plus flight, so each successful capture is worth two to ten times a regular ticket fraud. Treat hospitality offers from any non-FIFA channel as guaranteed-hostile until proven otherwise. FIFA's authorized hospitality partner list is published on fifa.com.

What happens to my card after Ghost Stadium captures it?

The card is typically tested with one or two small charges (under USD 5) at low-friction merchants over the following 48 hours. If the test succeeds, the card is either reused for larger fraud or sold on underground forums in batches. The initial "ticket purchase" charge may or may not actually post, depending on whether the kit operator wants to maintain the illusion of a real transaction. Watch your statement daily for 30 days after any purchase from an unverified channel.

Does SafeBrowz collect any data about the URLs my users visit?

No. SafeBrowz performs Layer 1 detection locally inside the browser, with no URL leaving the device. Layer 2 reputation checks query global blocklists with the domain only, never with identity. Layer 3 AI deep scan, available to Premium users, sends rendered content excerpts for analysis and discards them after the verdict. We do not store per-user URL history, instance identifiers, or IP-to-URL associations. Detection signatures come from threat-intelligence research and our brand database, not from user browsing data. The Chrome Web Store, AMO, and Edge listings all certify the extension as not collecting web history.

Bottom line: Ghost Stadium is not a clever new exploit. It is a productized abuse of paid search advertising and lookalike domain registration, executed at scale against the most predictable buyer-intent surge of 2026. The fix for buyers is concrete: buy only at fifa.com/tickets, treat sponsored ads as hostile, pay only with credit card if a non-FIFA channel is unavoidable, and install browser-layer protection that sees the moment of compromise. The FBI's PSA260527 is the warning. The 12 months between now and the World Cup final at MetLife Stadium will determine how many ticket buyers learned the lesson and how many funded Ghost Stadium's next campaign.

Block fake FIFA ticket sites before the checkout page loads

SafeBrowz is a free Chrome, Firefox, and Edge extension that runs a 3-layer detection engine (Local + APIs + AI) on every page before it renders. 550+ brands tracked, including FIFA and the major sports and ticketing brand cluster. Premium adds AI content analysis in 100+ languages for $14.99 per year, three devices per license. See pricing.
