The FBI Counted 4,300 Fake FIFA Sites Before the World Cup Even Kicks Off — and the Banking Malware Rides the Same LATAM Trojan Rails We've Been Blocking Since November.
- Patrick Duggan
The number that should reframe how you think about the 2026 World Cup is not a score. It is four-thousand-three-hundred. That is roughly how many fake FIFA domains the FBI and tracking firms counted as already live and harvesting before the June 11 kickoff, with another estimated three-thousand-eight-hundred sitting parked and registered, ready to switch on the moment ticket demand peaks. The FBI's Internet Crime Complaint Center put out a public service announcement on May 27 warning that threat actors are spoofing FIFA's websites at scale, and the scale is the story: this is not a scam, it is an industry, stood up in advance, with inventory held in reserve. Group-IB estimates losses from premium and hospitality ticket fraud alone at somewhere between seventy-one million and four-hundred-seventy-four million dollars, and the broader campaign — merchandise, streaming, betting, banking — plausibly reaches into the billions. The tournament is the lure. The fans are the target. And the infrastructure was waiting before the first whistle.
Here is the anatomy, because "be careful of scams" is useless and the specifics are what protect you. The lookalike domains are typosquats: addresses that alter a character or two of the real fifa.com, or bolt the real name onto a longer hostname, to catch someone typing fast or clicking a search ad. Their job is to harvest whatever you enter: name, address, phone, email, and the banking details you hand over for a ticket that does not exist. The second vector is the dangerous one. Pirate streaming apps for the matches, the "watch every game free" downloads circulating outside the official app stores, carry banking malware. The app has to talk you into granting it an Android accessibility service, and that one permission is most of the attack: with it the malware can draw fake bank login screens over your real banking app, read what you type, read the one-time codes that arrive by SMS or appear on screen in an authenticator app, and in some builds drive the screen remotely. That is a full account-takeover kit wearing a soccer jersey. On top of that, Fortinet counted more than seventeen-hundred spoofed FIFA social accounts, nearly ninety percent on Facebook and Instagram, plus a scheme using fake FIFA job ads and calendar invites to funnel applicants into a lookalike Google login. Group-IB found fake betting platforms that collect passport scans and selfies, not for betting but for identity theft. Every surface a fan touches has a counterfeit version with a hook behind it.
Now the part that is ours, and it is the reason this is not just a re-print of the FBI's bulletin. The 2026 World Cup is hosted across the United States, Mexico, and Canada, and the Mexico leg matters for the malware half of this campaign, because Mexico and the broader LATAM region are the home turf of a specific, mature family of banking trojans, Grandoreiro, Mekotio, and Mispadu, that have been refining the overlay-and-intercept play against Latin American banks for years. One caveat before you map our indicators onto the streaming-app reports: those three are Windows trojans that pop fake bank windows over the victim's browser on a PC, while the pirate streaming apps described above are Android builds that ride the accessibility service. Same play, different platform, and not necessarily the same crews. We have carried the IOC set for that family since November 2025, and our feed picked up live Grandoreiro command-and-control infrastructure, the IP 3.208.19.130 across multiple ports, on April 23, tagged off the SSL Blacklist feed as Grandoreiro C2 and sitting in our index since. So when the reporting says "banking malware in streaming apps," a defender consuming our STIX feed is not starting from zero, at least for the Windows half of the fraud that will land on the same fans' laptops. The rails that half runs on are the same rails we have been blocking for half a year. The jersey is new. The engine underneath it is a trojan family we already have indicators for.
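What "consuming our STIX feed" looks like in practice, as an added example that is not the feed's own tooling: a small consumer that pulls the observable values out of STIX 2.1 indicator objects, drops revoked or expired ones, and matches the rest against egress log lines. The bundle and the log lines are constructed for this example; the C2 address is the one named above, but the object ids, timestamps, the lookalike-domain indicator and the revoked indicator are hypothetical placeholders. The pattern parser deliberately handles only the OR-of-equalities subset of STIX patterning that atomic IOC feeds use; anything with AND or timing qualifiers needs a full evaluator such as the stix2-patterns package.

```python
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed STIX 2.1 bundle standing in for a feed pull. The C2 address is the
# one named in the post; every other value (object ids, timestamps, the domain
# indicator and the revoked indicator) is a hypothetical placeholder.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "created": "2026-04-23T00:00:00.000Z", "modified": "2026-04-23T00:00:00.000Z",
         "name": "Grandoreiro C2 (SSL Blacklist)", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '3.208.19.130']",
         "valid_from": "2026-04-23T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "created": "2026-05-01T00:00:00.000Z", "modified": "2026-05-01T00:00:00.000Z",
         "name": "Lookalike ticket domain (hypothetical)", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'fifa-tickets.example' OR domain-name:value = 'www.fifa-tickets.example']",
         "valid_from": "2026-05-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--44444444-4444-4444-8444-444444444444",
         "created": "2026-03-01T00:00:00.000Z", "modified": "2026-03-15T00:00:00.000Z",
         "name": "Retired sinkhole address (hypothetical)", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2026-03-01T00:00:00Z", "revoked": True},
    ],
})

# Only the equality comparisons an atomic IOC feed uses. Full STIX patterning
# (AND, FOLLOWEDBY, REPEATS, timing qualifiers) needs a real evaluator; this
# covers the OR-of-equalities subset and refuses the rest instead of guessing.
COMPARISON = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']*)'")
UNSUPPORTED = re.compile(r"\b(AND|FOLLOWEDBY|REPEATS|WITHIN|START|STOP)\b")


def parse_pattern(pattern: str) -> List[Tuple[str, str]]:
    """Return [(observable_type, value), ...] for an OR-of-equalities pattern."""
    if UNSUPPORTED.search(pattern):
        raise ValueError(f"unsupported pattern: {pattern}")
    return [(t, v.lower()) for t, v in COMPARISON.findall(pattern)]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_indicators(bundle_json: str, now: datetime) -> Dict[str, str]:
    """Map each observable value to the name of the indicator carrying it,
    skipping revoked indicators and ones outside their validity window."""
    out: Dict[str, str] = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        if now < _ts(obj["valid_from"]):
            continue
        if "valid_until" in obj and now >= _ts(obj["valid_until"]):
            continue
        try:
            comparisons = parse_pattern(obj["pattern"])
        except ValueError:
            continue  # in production: log it and hand it to a full evaluator
        for _, value in comparisons:
            out[value] = obj.get("name", obj["id"])
    return out


# Constructed egress log lines in a key=value style; not from any real sensor.
# Non-C2 addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-06-12T19:04:11Z src=10.20.4.17 dst=203.0.113.10 dport=443 host=www.example.org
2026-06-12T19:04:13Z src=10.20.4.17 dst=3.208.19.130 dport=443 host=-
2026-06-12T19:05:02Z src=10.20.4.52 dst=203.0.113.25 dport=443 host=fifa-tickets.example
2026-06-12T19:05:40Z src=10.20.4.17 dst=3.208.19.130 dport=8443 host=-
2026-06-12T19:06:09Z src=10.20.4.90 dst=198.51.100.7 dport=443 host=-
"""
FIELD = re.compile(r"(\w+)=(\S+)")
DEMO_NOW = datetime(2026, 6, 12, tzinfo=timezone.utc)


def scan_log(log_text: str, indicators: Dict[str, str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, src, matched_value, indicator_name) for every hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = dict(FIELD.findall(line))
        for key in ("dst", "host"):
            value = fields.get(key, "").lower()
            if value in indicators:
                hits.append((n, fields.get("src", "?"), value, indicators[value]))
    return hits


def run_demo() -> List[Tuple[int, str, str, str]]:
    return scan_log(SAMPLE_LOG, load_indicators(SAMPLE_BUNDLE, DEMO_NOW))


if __name__ == "__main__":
    for line_no, src, value, name in run_demo():
        print(f"line {line_no}: {src} -> {value}  [{name}]")
```

Run against the sample log, the two connections to 3.208.19.130 and the one to the lookalike domain come back as hits; the revoked indicator's address on the last line does not, which is the point of honouring `revoked` and `valid_until` rather than flattening the feed into a static blocklist once and forgetting it.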
The protective read, for fans and for the security teams whose employees are about to download a sketchy stream at their desks. First, the boring move that defeats the single largest category here: type fifa.com directly into the address bar, never reach the site through a search engine or an ad, and before you enter a card confirm that the registrable domain is fifa.com, not merely that the address contains it: notfifa.com "ends in" fifa.com, a hostname like fifa.com.tickets-something.net starts with it, and both belong to someone else. Most of the four-thousand-three-hundred die right there, because they depend on you arriving by search or link. Second, do not install streaming apps from outside the official app stores, full stop, and treat any video app that asks you to enable an accessibility service as malware; the "free every match" app is the account-takeover kit, and the convenience is the bait. Third, treat SMS one-time codes as compromised in this context, because OTP interception is a documented capability of this malware; where your bank supports in-app approval or a FIDO hardware key, use it. Fourth, a "betting platform" or "ticket verifier" asking for a passport scan and a selfie is running an identity-theft operation, not a KYC check; the asymmetry is the tell. And for the SOC: our LATAM banking-trojan indicators and the Grandoreiro C2 are in the free feed; block them at DNS and egress now, before someone on your network goes looking for a stream, and keep the first-seen date attached to each indicator so you re-verify it before the block quietly ages out.
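The "confirm the address" step is where most people get it wrong, so here is the check done properly, as an added example rather than anything from FIFA or from the feed. It puts the tempting string-suffix test beside a check on the registrable domain (eTLD+1), which is what actually separates fifa.com from notfifa.com, from fifa.com.tickets-example.net, from a brand name smuggled into the user-info part of a URL, and from a Cyrillic-a homoglyph. The suffix table is a truncated stand-in for the Public Suffix List, an assumption of the example: a real deployment loads the full list, for instance through the tldextract or publicsuffix2 packages. None of the non-fifa.com hostnames in the test cases is a real observed scam domain; they are constructed to show the shapes lookalikes take.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Truncated stand-in for the Public Suffix List, just enough for the cases below.
# This is an assumption of the example: a real check loads the full list
# (tldextract or publicsuffix2 do) instead of hard-coding suffixes.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk", "com.mx", "ca"}
OFFICIAL_DOMAINS = {"fifa.com"}


def registrable_domain(host: str) -> Optional[str]:
    """eTLD+1 of a hostname: 'www.fifa.com' -> 'fifa.com', 'fifa.co.uk' -> 'fifa.co.uk'.
    None when the host is itself a public suffix or its suffix is unknown."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def naive_check(url: str) -> bool:
    """The check that 'make sure it ends in fifa.com' tempts you into. Flawed:
    it accepts notfifa.com and anything else that happens to end in the string."""
    return (urlsplit(url).hostname or "").endswith("fifa.com")


def is_official(url: str) -> Tuple[bool, str]:
    """Accept only https URLs whose registrable domain is one we trust."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    host = parts.hostname              # lowercased; user:pass@ and :port dropped
    if not host:
        return False, "no host"
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "host will not IDNA-encode"
    if ascii_host != host:             # a non-ASCII label: homoglyph territory
        return False, f"internationalized host, punycode {ascii_host}"
    reg = registrable_domain(ascii_host)
    if reg is None:
        return False, "unknown public suffix"
    if reg not in OFFICIAL_DOMAINS:
        return False, f"registrable domain is {reg}"
    return True, reg


# Constructed URLs: the official host plus the shapes lookalikes take.
# None of the non-fifa.com names is a real observed scam domain.
CASES = [
    "https://www.fifa.com/tickets",
    "https://fifa.com",
    "http://www.fifa.com/",                       # right name, no TLS
    "https://notfifa.com/tickets",                # passes the endswith test
    "https://fifa.com.tickets-example.net/buy",   # brand as a subdomain
    "https://www.fifa.com@tickets.example/buy",   # brand in the userinfo
    "https://www.fif\u0430.com/",                 # Cyrillic a, not Latin a
    "https://fifa.co.uk/",                        # some other registrable domain
]


def audit(urls=CASES):
    """Map each URL to (naive_verdict, (strict_verdict, reason))."""
    return {u: (naive_check(u), is_official(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, (ok, why)) in audit().items():
        print(f"{'OK ' if ok else 'BAD'} naive={str(naive):5} {url}  ({why})")
```

Only the first two URLs pass the strict check. The naive suffix test waves notfifa.com through, which is exactly the class of domain the typosquat inventory is built from; the strict check also rejects the plain-http variant, because a ticket site that is not serving TLS is not a site you hand a card to.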
The honest 95%: we cannot give you a clean, deduplicated count of the malicious domains, because the number is a moving target across multiple trackers and the parked-but-dormant set is exactly the part designed to evade a snapshot — four-thousand-three-hundred is the live figure as reported, not a census, and it will be larger by the final. We cannot confirm that every streaming-app malware sample in this wave is one of the three LATAM families we track; banking-overlay malware is a technique, not a single author, and other crews run the same play. What we can tell you is that the technique is not new, the host region's dominant trojan family is one we have indicators for, and the infrastructure was staged before kickoff — which means the window to block it is now, while it is still mostly parked, and not in July when it is fully switched on and your fans are already entering card numbers into a site that ends in the wrong domain.
The threat feed this post is built on
1.14M+ IOCs, STIX 2.1, precursor signals, supply-chain detection. Free API key in 30 seconds.
