
A Chinese-linked cybercrime operation is using fake FIFA World Cup ticket websites to monitor victims as they shop, harvest payment card details, and intercept security codes used by banks to verify transactions. The scam is using Facebook and Instagram as its main channels.
- Real-time card theft operation: This isn't basic phishing – it's a sophisticated Chinese-linked scam that tracks victims through fake FIFA checkout pages, harvesting card details and intercepting one-time bank security codes as they're entered.
- Social media is the main lure: Facebook and Instagram drive up to 80% of traffic to these fake sites, with scammers targeting desperate fans searching for World Cup tickets, some priced at a plausible $275 each.
- Organized fraud infrastructure: The operation runs at least 40 phishing domains with a centralized control panel supporting 15+ operators, using live chat tools and backend dashboards to monitor victims and evade detection.
The warning comes as the FIFA World Cup 2026 enters its opening days, with the US set to play Paraguay on Friday and millions of fans still scouring the web for tickets, hospitality packages, and travel deals.
According to researchers at security firm CloudSEK, the operation goes far beyond a typical phishing scam.
Behind dozens of cloned FIFA websites sits a Chinese-language fraud platform that allows operators to track a victim’s journey through the checkout process in real time, capturing card numbers, expiry dates, and security codes as they are entered.
Researchers say they’ve identified at least 40 FIFA-themed phishing domains and a fraud infrastructure supporting at least 15 active operators.
“Fraud-for-all” platform with user journey monitored
At the heart of the scam is a central control system that can be used by dozens of criminal groups. While it appears to function like an online payment gateway, CloudSEK says its real purpose is to collect victims’ card details rather than process legitimate purchases.
The fake websites are designed to closely mimic FIFA’s official ticketing platform. Researchers found cloned sites featuring authentic-looking tournament schedules, stadium information, live news content, and realistic ticket listings. All the usual payment platforms are listed including Visa, Mastercard, Amex, PayPal and Apple Pay.
One example advertised opening ceremony tickets for $275 each, with shopping carts showing transactions worth more than $1,300.
“The $275/ticket price point is plausible for premium opening ceremony seats. At $1,375 per victim transaction (5 tickets), even a small victim count generates substantial fraud proceeds,” CloudSEK notes.
The scam operators appear to have a high level of visibility over the victims as CloudSEK’s analysis found backend systems capable of tracking a visitor’s progress through product pages, address forms, payment screens, and dedicated one-time password verification pages.
Real-time “man-in-the-middle” attack
Researchers say this indicates a real-time “man-in-the-middle” phishing capability designed to capture both payment details and the verification codes banks use to approve transactions.
Researchers also found that the operators were abusing legitimate services to boost credibility.
The phishing sites integrated the tawk.to live chat function, allowing criminals to interact directly with victims during the purchasing process and provide the appearance of customer support.
While the chat tool itself is legitimate and used by many genuine businesses, tawk.to is not used on the official FIFA ticketing platforms, and CloudSEK has flagged the presence of its live chat widget as a red flag indicating a fraudulent World Cup ticketing website.
Professional admin, weak security
The scam operation appears to have been professionally organized: an admin panel viewed during the investigation included separate user roles for super administrators, guests, and employees, suggesting the platform has evolved beyond a small phishing crew into a big-time fraud enterprise.
The infrastructure also includes monitoring systems, blacklisting tools, and support functions used to manage campaigns and evade security detection.
Less professional, however, was an exposed PHP debug page the researchers spotted, which revealed internal service information, database credentials, and application secrets. So, while the criminals are harvesting other people’s financial information, their own database appears to be leaking sensitive data because of poor security practices.
Links to China
CloudSEK attributes the operation to Chinese-origin threat actors with “moderate to high confidence,” with cited evidence including a backend interface written entirely in Simplified Chinese, repeated administrative access from China-based IP addresses, and naming conventions embedded within the platform itself.
Social media platforms are the campaign's primary traffic source, with CloudSEK observing up to 65% of traffic originating from Facebook's in-app browser, while Instagram accounted for another 15%.
Victims were identified across multiple countries, with the US appearing to be the primary target, with traffic also coming from Italy, Romania, the Philippines, Sweden, Australia, Lithuania, Canada, South Africa, Austria, Saudi Arabia, Germany, South Korea, and Hong Kong.
“This campaign shows how major global events are being weaponized by organized cybercriminal groups. The threat is no longer limited to fake ticket listings or basic phishing pages,” said Gagan Aggarwal, a threat intelligence researcher at CloudSEK TRIAD.
“We are now seeing full checkout impersonation, live victim tracking, card skimming, and OTP interception capabilities being combined into one operational platform,” Aggarwal added.
FIFA-themed domain boom fuels wider scam ecosystem
The CloudSEK findings come as browser security firm Guardio reports a record-breaking surge in newly registered domains containing references to FIFA and the World Cup.
According to Guardio, many of the domains are tied to crypto investment scams, fake merchandise stores, suspicious betting platforms, and fraudulent ticket resale operations.
Researchers say scammers frequently register domains months before major sporting events to establish a veneer of legitimacy before public interest peaks.
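The red flags the article describes (an event-themed hostname that is not the official ticketing site, a domain registered in the months before the tournament, and a tawk.to live chat widget on a ticketing page) can be turned into a simple defensive triage score. The following is an added example, not CloudSEK's or Cybernews' code; the sample records, the `OFFICIAL_HOSTS` allowlist and the `AS_OF` evaluation date are constructed assumptions, not values from the report.

```python
import re
from datetime import date

# Constructed sample inputs (not from the CloudSEK report): a candidate
# hostname, its registration date, and a fragment of the served HTML.
SAMPLES = [
    {"host": "fifa.com",
     "registered": date(2004, 1, 15),
     "html": "<html><body>Official ticketing</body></html>"},
    {"host": "fifa-worldcup-tickets-2026.example",
     "registered": date(2026, 2, 20),
     "html": '<script src="https://embed.tawk.to/placeholderid/default">'
             '</script><p>Opening ceremony tickets $275</p>'},
    {"host": "community-weather.example",
     "registered": date(2025, 11, 3),
     "html": "<html><body>Local forecast</body></html>"},
]

# Assumed allowlist of legitimate ticketing hosts; a placeholder for the
# list a defender would maintain, not something the article provides.
OFFICIAL_HOSTS = {"fifa.com"}
# Assumed evaluation date during the tournament's opening days.
AS_OF = date(2026, 6, 12)

EVENT_RE = re.compile(r"fifa|world-?cup|ticket", re.I)
TAWK_RE = re.compile(r"embed\.tawk\.to", re.I)


def score_host(rec, as_of=AS_OF):
    """Return (score, reasons): one point per heuristic that fires."""
    if rec["host"] in OFFICIAL_HOSTS:
        return 0, ["allowlisted official host"]
    reasons = []
    if EVENT_RE.search(rec["host"]):
        reasons.append("event-themed hostname outside the allowlist")
    age_days = (as_of - rec["registered"]).days
    if age_days < 365:  # registered in the months before the event
        reasons.append(f"registered only {age_days} days before evaluation")
    if TAWK_RE.search(rec["html"]):
        reasons.append("tawk.to live chat widget embedded on a ticketing page")
    return len(reasons), reasons


def triage(records, as_of=AS_OF, threshold=2):
    """Return (host, score, reasons) for records at or above threshold."""
    hits = [(r["host"], *score_host(r, as_of)) for r in records]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLES):
        print(f"{host}: score {score}; " + "; ".join(reasons))
```

A single heuristic (a recent registration alone, as with the weather site above) does not meet the default threshold; it is the combination of signals that the article's findings point to.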
Last month Cybernews reported another China-linked phishing operation, GHOST STADIUM – a financially-motivated operator running a sophisticated phishing campaign across more than 300 domains.