FIFA World Cup 2026 fans targeted by OTP-bypass scam: CloudSEK

Threat intelligence researchers at CloudSEK have identified a large-scale cyber fraud operation targeting football fans searching for FIFA World Cup 2026 tickets, warning that the campaign combines phishing, payment card theft and potential one-time password (OTP) interception capabilities.

According to the company’s findings, the operation leverages a network of fraudulent websites designed to closely mimic legitimate FIFA ticketing portals. Researchers believe the campaign is linked to threat actors of Chinese origin and operates through a scalable fraud-as-a-service model supporting multiple criminal operators.

The discovery comes as demand for FIFA World Cup 2026 tickets remains high, creating opportunities for cybercriminals to exploit fans seeking tickets and travel packages online.

Beyond traditional phishing

CloudSEK researchers noted that the operation differs from conventional phishing campaigns by functioning as a real-time man-in-the-middle (MitM) framework.

The fraudulent infrastructure is reportedly capable of monitoring victims throughout the ticket-purchasing process and capturing payment card information, including card numbers, expiry dates and CVV details. Researchers also observed signs that the platform can trigger one-time password (OTP) requests in real time, which could allow attackers to bypass SMS-based two-factor authentication while the victim is still on the fake checkout page.

Fake ticketing websites replicate legitimate FIFA branding, tournament information, stadium schedules, ticket listings, shopping carts and payment options to increase credibility and encourage victims to complete purchases.

Researchers identified at least 40 fraudulent domains associated with the campaign, alongside a dedicated payment-processing infrastructure and multiple operator accounts supporting the broader operation.

Multi-tenant criminal infrastructure

According to CloudSEK, the campaign appears to be supported by a centralised backend platform that enables multiple threat actors to manage independent fraud operations.

The infrastructure reportedly includes a Chinese-language administrative interface and supports at least 15 active operator instances, suggesting a reseller-style cybercrime ecosystem rather than a single phishing campaign.

Investigators also identified several indicators linking the operation to Chinese-origin actors, including administrative activity originating from China-based IP addresses and Chinese-language backend systems. CloudSEK assessed its attribution confidence as moderate to high.

Social media driving victim traffic

The research indicates that social media platforms play a significant role in directing victims to the fraudulent websites.

CloudSEK observed that a substantial proportion of traffic originated from in-app browsers within social networking platforms, with Facebook accounting for the majority of observed activity and Instagram representing another notable source of referrals.

The campaign has targeted users globally, with the United States identified as the primary victim geography. Researchers have observed additional activity across multiple countries, including Italy, Romania, Australia, Canada, Germany, South Korea, Saudi Arabia, South Africa, and several others.

Financial and security risks

Researchers classified, with high confidence, the payment infrastructure used by the operation as a fraudulent payment-processing platform designed to harvest cardholder information rather than to process legitimate transactions.

The operation also reportedly leverages legitimate live-chat services to create the appearance of customer support and improve the credibility of the fraudulent websites during the purchase process.

Gagan Aggarwal, Threat Intelligence Researcher at CloudSEK, noted that the campaign demonstrates how cybercriminal groups are increasingly combining multiple attack techniques, including checkout impersonation, payment card harvesting and authentication interception, within a single operational framework.

Recommendations for users and organisations

CloudSEK has advised football fans to purchase FIFA World Cup 2026 tickets exclusively through official FIFA channels and to exercise caution when accessing ticketing websites through links shared on social media platforms.

The company also warned users to scrutinise domain names carefully, particularly those containing variations of FIFA branding or unfamiliar payment-processing services.

For financial institutions and fraud prevention teams, the researchers recommend monitoring transaction activity linked to the identified infrastructure and reviewing fraud detection mechanisms for indicators associated with the campaign.
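One way a fraud-prevention or brand-protection team could triage ticketing URLs for the FIFA-branding variations and social-media referral pattern described above, as an added example that is not part of CloudSEK's report or tooling; the allowlist, scoring weights and sample URLs are constructed assumptions, not indicators from the campaign:

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist for illustration only; take real values from FIFA's published channels.
OFFICIAL_DOMAINS = {"fifa.com"}
SOCIAL_REFERRERS = {"facebook.com", "instagram.com"}
BRAND_WORDS = ("fifa", "worldcup", "2026")
LURE_WORDS = ("ticket", "checkout", "cart", "pay", "official")
# Digit-for-letter substitutions commonly used to dress up a lookalike label
LEET = str.maketrans({"1": "i", "0": "o", "4": "a", "3": "e", "5": "s"})


def normalize_host(host: str) -> str:
    """Fold Unicode lookalikes (fullwidth letters etc.) to lowercase ASCII."""
    folded = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return folded.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels; a production check should use the public suffix list instead."""
    return ".".join(host.split(".")[-2:])


def score_url(url: str, referrer: str = "") -> tuple[int, list[str]]:
    """Return (risk score, reasons). Score 0 means the registrable domain is on the allowlist."""
    host = normalize_host(urlsplit(url).hostname or "")
    # Compare the registrable domain, so 'fifa.com.evil.example' is not treated as official
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return 0, ["official domain"]
    score, reasons = 0, []
    flat = re.sub(r"[-.]", "", host)             # 'f1fa-tickets.example' -> 'f1faticketsexample'
    unleet = flat.translate(LEET)                # 'f1fa...' -> 'fifa...'
    squeezed = re.sub(r"(.)\1+", r"\1", unleet)  # 'fiifa' -> 'fifa'
    variants = (flat, unleet, squeezed)
    for word in BRAND_WORDS:
        if any(word in v for v in variants):
            score += 3
            reasons.append(f"brand term '{word}' on a non-official domain")
    for word in LURE_WORDS:
        if any(word in v for v in variants):
            score += 1
            reasons.append(f"purchase lure '{word}'")
    ref_host = normalize_host(urlsplit(referrer).hostname or "")
    if ref_host and registrable_domain(ref_host) in SOCIAL_REFERRERS:
        score += 2
        reasons.append("arrived via social-media referrer")
    return score, reasons


if __name__ == "__main__":
    # Constructed sample URLs; none of these are real indicators from the CloudSEK report.
    for url, ref in [("https://www.fifa.com/tickets", ""),
                     ("https://f1fa-worldcup2026-tickets.example/checkout", "https://l.facebook.com/"),
                     ("https://ｆｉｆａtickets.example/cart", "")]:
        print(url, "->", score_url(url, ref))
```

A score of 3 or more (one brand term on a non-official domain) is a reasonable threshold for routing a URL to manual review; tune the weights against your own traffic.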

Growing trend of event-themed cybercrime

The findings highlight a broader trend in which cybercriminals increasingly exploit major global events to launch large-scale fraud campaigns.

High-profile sporting tournaments, entertainment events and international gatherings frequently attract large numbers of consumers searching for tickets online, creating opportunities for threat actors to deploy sophisticated phishing, payment fraud and social engineering schemes.

Security researchers warn that as cybercriminal operations become more organised and technologically advanced, traditional phishing campaigns are evolving into complex fraud ecosystems capable of mimicking legitimate online purchasing experiences while harvesting financial and personal information in real time.
