Red Card: The 2026 FIFA World Cup Scam Landscape
Fake ticket portals, counterfeit merch, fake Panini storefronts, and deepfake gambling ads: a look into the malvertising-enabled campaigns active before the first whistle.
The FIFA World Cup 2026 started today. The tournament is the most widely viewed sporting event in the world, with a global audience of over 3.5 billion people. The tournament runs for 39 days from June 11 through July 19, hosted across 16 US cities, two Canadian cities (Toronto and Vancouver), and Mexico City. Media reports describe it as the most expensive tournament ever staged.
The World Cup draws an international fanbase, and its massive scale attracts a parallel economy of scams every four years. 2018 ran on fake ticket markets, and 2022 wrapped phishing around Qatar’s Hayya Fan ID system. This blog documents the ads and malvertising behind the 2026 World Cup scam clusters. This time, there are a few notable changes:
A larger event: The FIFA World Cup 2026 marks the largest reconstruction in the tournament’s history, expanding from 32 to 48 teams and jumping from 64 to a massive 104 matches. It introduces a new Round of 32 knockout stage that forces the eventual finalists to survive a gruelling eight-game route to the trophy.
The ticketing environment: FIFA’s 2026 ticketing introduced dynamic pricing with a queue-based flow that generated documented consumer backlash. Recent reports from the Financial Times reveal that while thousands of tickets remain unsold, there is an extreme scarcity of affordable options, with the cheapest seats for some USA games hovering near $2,000. This prices out the average fan, driving desperate buyers to secondary markets where final listings have cleared $2 million. The Athletic quoted fans describing it as “hard not to feel scammed.”
Legal Jurisdiction: North America hosting means the 🇺🇸 FBI, 🇨🇦 RCMP, and dozens of local law enforcement agencies are all operating within scope. These agencies have regularly published bulletins in the weeks leading up to kickoff. This year, they explicitly call out malvertising as a delivery vector for World Cup scams. In at least one case, a domain picked up by Confiant appeared independently in an FBI advisory, covered in detail later in this blog.
The result is a set of conditions where the fan base is primed to be scammed: high scarcity, high intent, no guarantee of tickets, and a built-in sense of having already been misled by the official process. In such an environment, scams do not need to be sophisticated to close.
Scale: By the Numbers
Leading up to the event, worldwide search interest in “FIFA” accelerated significantly in the first week of June.

This surge in global fan interest creates the perfect environment for opportunistic threat actors. As millions of fans rush online to secure tickets and merchandise, cybercriminals have scaled up their infrastructure to match. Fortinet FortiGuard recently reported 13,000+ FIFA World Cup 2026-themed domains registered from January through May 2026.
Law Enforcement Advisories
Several law enforcement agencies issued independent public warnings in the weeks before kickoff.
May 27, 2026: The FBI released PSA I-052726, naming 36 specific spoofed FIFA domains—including typosquat variants and fake employment portals—and explicitly calling out malvertising as a primary delivery channel (FBI IC3).
March 30, 2026: The RCMP and the Canadian Anti-Fraud Centre issued a formal fraud warning three months before kickoff, explicitly highlighting fake ticket portals and merchandise fraud targeting Canada-hosted matches (CAFC).
Monday, June 1, 2026: Toronto Police made arrests in connection with the largest known seizure of counterfeit soccer jerseys in Canadian history.
FBI PSA I-052726 is worth reading directly. It specifically names advertising as a delivery channel, lists 36 domains, and advises fans to use caution when looking for tickets or merchandise. Screenshots of the report are below.
Malvertising Enabled FIFA World Cup Scam clusters tracked by Confiant
The range of scams we found is well aligned with law enforcement advisories: a wide and opportunistic surface where scammers try to exploit different fan behaviors: buying tickets, shopping for gear, collecting stickers, and following the betting action.
The threats we observed are not particularly sophisticated, but they are highly timely. Each cluster uses different infrastructure and TTPs, and targets different audiences in different countries. The four categories we documented:
Fake ticket portals - domains impersonating FIFA ticketing and hospitality infrastructure, running through programmatic ads
Counterfeit merchandise storefronts - fake FIFA kit and gear stores ranging from basic impersonation to full “VastiMarti” cloaked campaigns, confirmed overlapping with FBI PSA I-052726.
The Panini cluster - impersonating the Italian sticker brand’s FIFA commerce, targeting Brazil, the biggest football market in the world. Hosted on free platforms with disposable TLDs
Deepfake gambling ads - unlicensed gambling platforms using fabricated athlete endorsements and, in one case, a football-themed captcha pre-filter to bypass ad review entirely.
Part 1: Fake Ticket Portals
Fans from all around the world travel to watch games, and so hospitality package products are deliberately selected by attackers. On Location packages are high-ticket items bundling match access, hotels, and fan experiences. Victims who land on this page and complete a form are submitting payment details for a product worth thousands of dollars.
Following confusion around FIFA’s official ticketing covered in the earlier section, we detected several spoofed FIFA websites. Some had cloaking capabilities, while others did not.
Ad Domain: www-fifa[.]space
Targeted Geo: Mexico 🇲🇽, USA 🇺🇸, Canada 🇨🇦
This cloaked campaign impersonates On Location, the official FIFA hospitality package provider. It uses cloaking to send only real users to the ‘Money page’ (www-fifa[.]one). Scanners and security researchers are sent to a benign ‘White Page’, a Snock London clothing site.
Ad Domain / Landing Page: fifa-com[.]homes
Targeted Geo: United Kingdom 🇬🇧
Ad Domain / Landing Page: fifaa[.]live
Targeted Geo: India 🇮🇳
Ad Domain / Landing Page: fifa-wc26[.]com
Targeted Geo: USA 🇺🇸, Canada 🇨🇦
Ad Domains: fifatickets[.]xyz, zhengpinjie[.]cn
Targeted Geo: India 🇮🇳
Part 2: Counterfeit Merchandise
We picked up several fake merchandise storefronts that exploit demand for kits and merchandise. Campaigns range from basic storefront impersonation to cloaked campaigns with a white-page/money-page separation.
Ad Domain / Landing Page: fifastore[.]us[.]com
Targeted Geo: USA 🇺🇸
On May 27, FBI PSA I-052726 independently listed this domain among its 36 named domains. They make the same observation we did: malvertising as a targeted mechanism for delivering these landing pages to victims. In contrast to the in-person retail experience, CTV News recently reported no price tags on items at the FIFA World Cup merch store in Vancouver.
Ad Domain: worldcupfankits[.]com
Targeted Geo: New Zealand 🇳🇿
We attribute this domain to a cluster tracked as VastiMarti, known for Retail Impersonation Powered by Video Ads by using Modular ‘Holiday Skins’ Kits.
This campaign used cloaking and was targeted at mobile users in New Zealand, showing a decoy basketball jersey storefront to non-targeted users.
Read more on VastiMarti here.
Ad Domain / Landing Page: wcfifa26[.]com
Targeted Geo: USA 🇺🇸
This is the latest entry in the merchandise cluster, active in June 2026. The ad describes these as “Official WC 2026 Jerseys.” The landing page hero image immediately flags the problem for anyone who knows football: the model is wearing an FC Barcelona kit.
Ad Domain / Landing Page: meifiron[.]com
Targeted Geo: Qatar 🇶🇦
This campaign has an additional layer of abuse: Deepfake Celebrity Misrepresentation. The ads depict IShowSpeed, a popular streamer and football fan. In March, an unauthorized, AI-generated ad featuring IShowSpeed promoting an online casino aired on live TV during a Sacramento Kings vs. San Antonio Spurs broadcast.
Ad Domain / Landing Page: worldcupfans2026[.]com
Targeted Geo: Netherlands 🇳🇱
This campaign used multiple ads depicting players Messi, Ronaldo, Mbappé, and Neymar in national team kits to sell counterfeit merchandise. The ad landing page and the bare domain are two sides of the same infrastructure, split by traffic source: ad traffic lands at the jersey storefront; the bare domain itself exposes the actual counterfeit luxury goods catalogue. This is typical of counterfeit and skinned e-commerce sites.
Ad Domain / Landing Page: fifaoutlet-club[.]com
Targeted Geo: Egypt 🇪🇬
Part 3: The Panini Cluster
Targeted Geo: Brazil 🇧🇷
Panini is an Italian company, founded in Modena in 1961. It has been the official FIFA World Cup sticker partner since 1970 - over five decades of continuous licensing, covering every tournament. Its sticker albums are distributed globally: La Liga, Serie A, the EFL, Copa América, the UEFA Nations League. Panini is a European collectibles institution that has enormous popularity all over the world, especially in South America, because the continent follows football obsessively.
We detected a cluster in Brazilian Portuguese impersonating Panini storefronts. The choice of Brazilian Portuguese is audience-specific: Brazil is the largest football market in the world, and Panini sticker collecting is deeply embedded in tournament culture there.
The infrastructure pattern is simple and consistent: the use of free hosting (Netlify, Vercel) with risky TLDs (.shop, .site, .org, .sbs). That makes these domains near-zero in terms of cost to spin up, so losing individual domains does not disrupt the campaign.
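The pattern above (brand name plus free hosting or a cheap TLD) can be turned into a triage rule for DNS or proxy logs. This is an added example, not Confiant's tooling: the brand token list, the one-edit misspelling match, the `allowlist` parameter, and the sample hostnames are assumptions made for illustration.

```python
# Hosting platforms and TLDs are the ones named in the paragraph above.
FREE_HOSTING = ("netlify.app", "vercel.app")
RISKY_TLDS = {"shop", "site", "org", "sbs"}
BRANDS = ("panini",)  # assumption: brand tokens to watch for


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_hit(label, brand):
    """True if the brand or a one-edit misspelling occurs anywhere in the label."""
    for size in (len(brand) - 1, len(brand), len(brand) + 1):
        for i in range(len(label) - size + 1):
            if edit_distance(label[i:i + size], brand) <= 1:
                return True
    return False


def triage(hostname, allowlist=()):
    """Return a finding dict for brand + cheap-infrastructure hosts, else None."""
    host = hostname.lower().rstrip(".")
    if any(host == a or host.endswith("." + a) for a in allowlist):
        return None  # verified brand-owned domain supplied by the caller
    platform = next((p for p in FREE_HOSTING if host.endswith("." + p)), None)
    tld = host.rsplit(".", 1)[-1]
    if platform:
        label, reason = host[: -len(platform) - 1], "free-hosting:" + platform
    elif tld in RISKY_TLDS:
        label, reason = host.rsplit(".", 1)[0], "risky-tld:" + tld
    else:
        return None
    brand = next((b for b in BRANDS if brand_hit(label, b)), None)
    return {"host": host, "brand": brand, "reason": reason} if brand else None


# Constructed hostnames for illustration; none are taken from the campaign.
SAMPLE_HOSTS = [
    "album-panini-constructed.netlify.app",
    "painini-constructed.shop",
    "panini-constructed.com",
    "weather-report.site",
]
FINDINGS = [f for f in map(triage, SAMPLE_HOSTS) if f]
```

The one-edit match trades precision for recall, so treat hits as candidates for review rather than block-list entries, and pass the brand's verified domains in `allowlist`.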
Part 4: Deepfake Gambling Campaigns
Major sporting events tend to increase demand for betting platforms and score-tracking apps, and actors in the unlicensed gambling ecosystem are attempting to capitalize on this.
Ad Domain / Landing Page: 6jbs7hhp[.]com, a0xhy7v6[.]com
Targeted Geo: Brazil 🇧🇷
We attribute this domain to a cluster tracked as FauxPlays. The campaign uses two deepfake creatives: Neymar and Marquinhos, both used without affiliation.
The campaign runs on Kwai, the short video platform dominant in Brazil. Users who click are redirected to a0xhy7v6[.]com - a fake Google Play Store landing page pushing a sideloaded Android APK download.
The redirect URL carries Kwai attribution parameters (kwaiId, CampaignID, adSETID, CreativeID) and a from=6jbs7hhp[.]com referral tag. The APK download was staged at the time of analysis - the download was unavailable, but the LP remained active, consistent with FauxPlays’ infrastructure held in reserve ahead of the tournament.
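The attribution parameters described above are useful for pivoting: they tie an ad domain to the landing hosts it feeds. The sketch below is an added example, not Confiant's code; it assumes the `from` value is a bare hostname, and the sample URLs, hosts and ID values are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Attribution parameter names listed in the analysis above, compared case-insensitively.
KWAI_PARAMS = {"kwaiid", "campaignid", "adsetid", "creativeid"}


def parse_click(url):
    """Return attribution details for one URL, or None if it carries no Kwai parameters."""
    parts = urlsplit(url)
    query = {k.lower(): v[0]
             for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    found = {k: query[k] for k in KWAI_PARAMS if k in query}
    if not found:
        return None
    # Accept defanged values such as ad[.]example in the referral tag.
    referrer = query.get("from", "").lower().replace("[.]", ".")
    landing = (parts.hostname or "").lower()
    return {
        "landing": landing,
        "from": referrer or None,
        "cross_domain": bool(referrer) and referrer != landing,
        "attribution": found,
    }


def link_domains(urls):
    """Map each referring ad domain to the landing hosts and campaign IDs seen with it."""
    links = defaultdict(lambda: {"landings": set(), "campaigns": set()})
    for url in urls:
        hit = parse_click(url)
        if hit and hit["cross_domain"]:
            entry = links[hit["from"]]
            entry["landings"].add(hit["landing"])
            if "campaignid" in hit["attribution"]:
                entry["campaigns"].add(hit["attribution"]["campaignid"])
    return dict(links)


# Constructed proxy-log URLs; hosts and ID values are placeholders.
SAMPLE_URLS = [
    "https://landing-a.example/store?kwaiId=k1&CampaignID=c100&adSETID=s7&CreativeID=v3&from=ad-a.example",
    "https://landing-a.example/store?kwaiid=k2&campaignid=c101&from=ad-a.example",
    "https://news.example/article?id=42&from=newsletter",
    "https://landing-b.example/?CampaignID=c100&from=landing-b.example",
]
```

Campaign and creative IDs recovered this way are the values an ad platform's abuse team needs to locate and remove the creative.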
Ad Domain / Landing Page: rapidclickmap[.]com
Targeted Geo: USA 🇺🇸, Brazil 🇧🇷
This campaign uses AI-generated video ads. The Layer 1 LPs are a pre-qualifier: spin-wheel teasers priming the user for a prize before the actual payload loads. The spins are fake.
Clicking through takes users to planetsystem[.]vip, a Fortune Tiger-branded slot page hosted outside the original ad domain. Once again, the spin is fake and always results in a Jackpot. The page claims the user has been selected for a weekly raffle with an R$20,000 PG Jackpot and displays a fake active player count.
The win modal then conditions the payout on installing an APK, which turned out to be a PWA install on a desktop. This is likely a fallback for unsupported devices.
Ad Domain / Landing Page: quatangxemo[.]online: Football Captcha Pre-Filter to cm88[.]com / OKVIP
Targeted Geo: Vietnam 🇻🇳
This campaign uses a two-stage delivery. The initial landing page presents a football-themed captcha as a click-gate. A real visitor who completes the interaction gets redirected to cm88[.]com, part of the OKVIP affiliate gambling network targeting Vietnamese-speaking audiences. The cm88[.]com landing page uses an image of Luis Suarez, who has no affiliation with cm88 or OKVIP.
Conclusion
I’ve been following the World Cup since the ‘90s. I remember France winning in France in 98, the Brazil super team of 2002, Zidane’s headbutt in 2006, and the vuvuzelas in South Africa in 2010.
While the spirit of the tournament remains timeless, the conditions of 2026 have introduced a highly volatile environment. The convergence of North American law enforcement jurisdictions alongside a high-scarcity, dynamic pricing ticketing model has left an international fanbase primed to be targeted. Scammers see that; they understand the fan experience and its challenges, and they opportunistically target victims.