Vojtěch Šimeček, Oscar Herranz
Whalebone Threat Intelligence
The 2026 World Cup has opened a marketplace. A typical phishing wave impersonates one brand and chases one type of victim. What we are watching unfold during this tournament is different: dozens of unrelated operators, all pulling on the same thread of anticipation, each monetizing it a different way. Tickets, merchandise, streaming, resale. One event, many scams.
The pattern is familiar to anyone who has watched a major sporting or entertainment event. Demand spikes, official channels sell out or feel out of reach, and a gap opens between what people want and what they can easily get. That gap is exactly where fraud lives.
On 27 May 2026, the FBI’s Internet Crime Complaint Center issued a public advisory warning that threat actors were already spoofing FIFA-branded websites ahead of the tournament, listing a batch of look-alike domains built to harvest personal and payment data. That advisory lines up closely with what we have been seeing in newly registered domain telemetry and our own DNS traffic, which is the most direct vantage point we have on which of these sites people are actually trying to reach.
This is not one organized group running one phishing kit. It is an ecosystem, and the barrier to entry has never been lower. With AI now doing the work on layout and product imagery, a convincing storefront can be stood up in hours by someone with no real technical skill, sitting alongside the work of established phishing crews. Below, we break down the most evident vectors we are actively tracking, and the tactics behind each.
Real fixtures, real venues, and a checkout engineered to be cashed in at the moment money changes hands.
The most evident threat we are monitoring, and the one the FBI advisory centers on, is fraudulent ticket sales. The sites we have looked at present themselves as trustworthy third-party ticket dealers.
The mechanics lean on urgency and authenticity in equal measure. A site presents real match pairings, real venues, and real dates, then wraps them in scarcity cues: limited seats, tiers “selling fast,” prices climbing. The victim is walked through what feels like a normal checkout, and the trust is built precisely so it can be cashed in at the moment money changes hands.
Two website-based examples we have observed:
fifa-ticket[.]live presents authentic fixtures and venues to build trust before checkout.
fifa2026tickets1[.]com leans on scarcity cues: tiers “selling fast” and climbing prices.
Rather than the card processor you would expect from a ticketing platform, one of the sites routes buyers to a manual bank transfer, presenting a “Euro Virtual Bank Account” with a beneficiary name, IBAN, and SWIFT/BIC that have nothing to do with FIFA. A bank transfer is irreversible in a way a card payment is not, which is exactly why it is the preferred collection method once the victim’s trust has been secured.
The payment screen routes buyers to a manual transfer into a “Euro Virtual Bank Account” unrelated to FIFA.
Before any ticket is “bought,” the site collects a full set of personal details under the guise of setting up a FIFA ID. Even a victim who hesitates at the payment screen has, by that point, already handed over enough PII to be useful for follow-on fraud or account creation in their name.
The site looks like a startup. The deal happens in WhatsApp, where there is no oversight and no buyer protection.
A second strand moves the conversation off the website and into a chat window. Here the lure is resale of tickets that are sold out through official channels, offered by a professional-looking third party that promises a transparent, secure matching platform between fans who have spare tickets and fans who need them.
The sites are styled to look like ticket-resale startups, complete with mission statements and dashboards, but the actual transaction is deliberately pushed into WhatsApp, where there is no platform oversight and no buyer protection.
An example we have observed in this category:
fifa-2026[.]me is dressed up as a polished resale platform, complete with branding and a matching pitch.
At the point of sale, the conversation is funneled into WhatsApp, away from any oversight or audit trail.
The move into WhatsApp is the entire point. It isolates the victim with the scammer, removes any audit trail, and lets the operator apply pressure in real time. Once payment is sent for a ticket that does not exist, there is nothing to dispute and no one to dispute it with.
If a random site is giving the whole tournament away for free, it is making its money somewhere else, and that somewhere is usually you.
Not everyone is trying, or able, to attend the championship. Far more people just want to watch, and that demand has spawned a wave of look-alike streaming sites promising every match live, in HD, for free, with no sign-up and apparently no catch.
The catch is that these pages are rarely in the business of streaming football at all. Where a stream loads, it is usually an embed pulled from a third-party piracy service the site neither controls nor vets. The real machinery is the advertising and tracking layer wrapped around the video player: aggressive pop-ups, hidden ad calls, and forced redirects routed through low-reputation ad networks.
On their own, these are not “malware” in the classic sense, but the redirect chains are a well-worn delivery route for exactly that. The typical payoff is a notification-permission prompt. Grant it once, and the site gains a standing channel to push fake antivirus alerts, fake update prompts, and further scam pages straight to the device, long after the user has closed the tab. Other variants lean on fake message notifications or crypto “play-to-earn” bait with guaranteed-return promises that no legitimate financial product would ever make.
Example observed:
freeworldcupstream[.]xyz promises every match free in HD. The value is in the ad and redirect layer, not the football.
A useful rule of thumb for users: broadcast rights are expensive, so a random site giving everything away for free is making its money somewhere else, and that somewhere is usually you.
Hundreds of storefronts a day, engineered to feel trustworthy down to the smallest detail. Most ship nothing.
The last vector targets the most emotionally invested victims of all: fans who simply want to wear their national team’s shirt to the next match. There are hundreds of these storefronts appearing daily, and they are engineered to feel trustworthy down to the smallest detail: fabricated review counts, “guaranteed safe checkout” badges, countdown timers reserving the cart, and a delivery date conveniently timed to land before the next fixture.
Most ship nothing and disappear soon after, leaving the victim with two losses rather than one: no merchandise, and a set of card details now in someone else’s hands.
Examples we have observed:
fifa2026fworldcup[.]com mimics an official kit store, down to trust badges and checkout flow.
tiendaofficialfifa[.]com pairs fabricated review counts with countdown timers to manufacture urgency.
The localization is notable. The same operation adapts currency, language, and shipping country per visitor. The merchandise pages we examined switched between Spanish and English and offered checkout in everything from Argentine pesos to Czech-region delivery. It is the same playbook we see across other large-scale, template-driven phishing kits: build once, localize everywhere.
What ties these four vectors together is not shared infrastructure or a single operator. It is a shared opportunity. A major event compresses the timeline from “brand worth impersonating” to “live, convincing scam” down to hours, and it draws in everyone from organized phishing crews to opportunistic newcomers, all of them now armed with AI tooling that erases the old quality gap between a real storefront and a fake one.
For the individual fan, the defensive advice is unglamorous but effective: type official addresses directly rather than trusting search results or ads, be deeply skeptical of any payment routed to a personal bank transfer or pushed into a private chat, and treat any deal that is too good to be true as exactly that, even, and especially, when it promises to bring you one step closer to something you care about.
Every one of these vectors, the ticket shop, the resale chat link, the stream redirect, and the counterfeit store, requires the victim’s device to resolve a malicious hostname first. A DNS resolver with the right threat intelligence can refuse that lookup before any page loads, any card is entered, or any notification permission is granted. It is protection that runs quietly in the background, and the user never sees the page they were saved from.
These domains appear by the hundred or thousand each day and disappear just as fast. Whalebone Threat Intelligence will continue to track them across the tournament and block them at the DNS level, so our users can follow the football without following the scammers.
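The DNS-level refusal described above can be sketched as a query triage function. This is an added example, not Whalebone's code: it refangs the domains quoted in this article into a blocklist, matches each query against its parent zones, and flags brand look-alikes for analyst review. The `fifa.com` allowlist entry, the lure-token pattern and the sample queries are assumptions constructed for illustration.

```python
import re

# Indicators quoted (defanged) in the article above.
ARTICLE_IOCS = [
    "fifa-ticket[.]live", "fifa2026tickets1[.]com", "fifa-2026[.]me",
    "freeworldcupstream[.]xyz", "fifa2026fworldcup[.]com",
    "tiendaofficialfifa[.]com",
]
# Assumption: fifa.com is the only official zone allowlisted in this sketch.
OFFICIAL_ZONES = {"fifa.com"}
# Assumption: illustrative lure tokens, not a vendor rule set.
LURE_TOKENS = re.compile(r"fifa|world-?cup")


def refang(ioc):
    """Turn a defanged indicator such as 'a[.]b' back into a hostname."""
    return ioc.replace("[.]", ".").lower().rstrip(".")


BLOCKLIST = {refang(i) for i in ARTICLE_IOCS}


def parent_zones(qname):
    """Return qname and every parent suffix: a.b.c -> [a.b.c, b.c, c]."""
    labels = qname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def verdict(qname):
    """Classify a query as 'allow', 'block' or 'review'."""
    zones = parent_zones(qname)
    if any(z in OFFICIAL_ZONES for z in zones):
        return "allow"
    if any(z in BLOCKLIST for z in zones):
        return "block"  # a filtering resolver would refuse or sinkhole this
    if LURE_TOKENS.search(qname.lower()):
        return "review"  # brand token outside the official zone
    return "allow"


if __name__ == "__main__":
    # Constructed sample queries, not observed traffic.
    for q in ["www.fifa.com", "checkout.fifa-ticket.live.",
              "fifa.com.secure-login.example", "news.example.org"]:
        print(f"{q:32} {verdict(q)}")
```

Matching on parent zones means a subdomain of a listed domain is refused as well, and a hostname that merely starts with `fifa.com` under another zone is not mistaken for the official site.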