Cybercriminals deploy advanced World Cup ticket scam targeting travellers worldwide

A large-scale cybercrime operation targeting fans seeking tickets for the FIFA World Cup 2026 has employed advanced phishing and payment interception techniques capable of bypassing common security safeguards, according to new research from cybersecurity firm CloudSEK.

The company said it had uncovered a network of fraudulent websites impersonating official FIFA ticketing platforms, supported by what appeared to be a dedicated payment processing infrastructure designed to harvest cardholder data and facilitate financial fraud.

The warning came as the tournament entered its opening days and millions of football fans continued searching online for tickets, accommodation, and travel arrangements.

According to CloudSEK, the operation differed from traditional phishing campaigns because it functioned as a real-time man-in-the-middle platform, enabling threat actors to monitor a victim’s purchase journey while capturing payment card details, including card numbers, expiry dates, and security codes.

Researchers also warned that the system appeared capable of intercepting one-time passcodes (OTPs), potentially allowing attackers to circumvent SMS-based two-factor authentication.

The investigation identified at least 40 fraudulent FIFA-themed websites alongside a multi-tenant backend infrastructure supporting multiple operators. Researchers said the structure suggested a scalable fraud-as-a-service model rather than a single criminal group operating independently.

The fake websites replicated official ticketing platforms with detailed branding, match schedules, stadium information, payment options, and security messaging intended to reassure consumers during the checkout process.

Some sites also incorporated live-chat functionality to create the appearance of legitimacy and facilitate interaction with potential victims.

CloudSEK said traffic appeared to be driven largely through social media channels, particularly Facebook and Instagram, where users searching for tickets were redirected to the fraudulent domains.

The campaign’s victim base was global, with the US representing the primary target market. However, evidence of activity was also identified across Europe, Asia Pacific, the Middle East, and Africa.

Gagan Aggarwal, a threat intelligence researcher at CloudSEK Triad, said: “This campaign shows how major global events are being weaponised by organised cybercriminal groups. The threat is no longer limited to fake ticket listings or basic phishing pages.

“We are now seeing full checkout impersonation, live victim tracking, card skimming, and OTP interception capabilities being combined into one operational platform.”

The findings highlight the growing cyber risks surrounding major international sporting events, where high demand, limited ticket availability, and time-sensitive purchasing decisions can create favourable conditions for fraudsters.

Beyond the immediate financial losses associated with fraudulent ticket purchases, insurers and assistance providers may face secondary impacts linked to identity theft, payment card compromise, travel disruption, and customer support requirements.

CloudSEK said its analysis pointed to Chinese-speaking operators, citing the use of a simplified Chinese administrative interface, internal naming conventions, and repeated access from China-based internet addresses. The researchers described the attribution assessment as having moderate-to-high confidence.