An organized crime network has been spotted surrounding the FIFA World Cup 2026, according to a CloudSEK report. At least 40 phishing websites that falsely claim selling tickets for the tournament have been discovered to be managed by the criminal organization, with the report adding that the number of active criminals in the network is no less than 15.

The phishing sites not only engage in phishing but use sophisticated techniques to steal financial information from their visitors by using legitimate-looking websites.

The phishing sites were designed to resemble the legitimate FIFA ticket portal site. These included details of the match schedule, stadiums, shopping carts, payment gateways, and secure payment messages to make visitors believe that they are on a legitimate website.

According to the report, this is a "man-in-the-middle" phishing operation where criminals observe the complete process of purchasing tickets from start to finish, allowing them to gather critical data including the number, expiry date, and CVV code of the cards used to purchase the tickets. The process also allows criminals to steal OTPs.

CloudSEK's investigation also uncovered a major fraudulent operation involving a suspicious payment processing network and multi-tenant infrastructure, which is being used by multiple operators. According to the report, the backend system is operated through a Chinese-language administrative panel, and at least 15 different operators are involved. This suggests that this is not a simple phishing operation but a well-organized cybercrime network.

According to Gagan Agarwal, threat intelligence researcher at CloudSEK, the investigation has uncovered several clues that point to the network's possible Chinese origin. These include a backend interface in simplified Chinese, frequent administrative access from China-based IP addresses, and the platform's internal naming. He added that cybercriminals are now exploiting major global events to carry out sophisticated fraudulent campaigns, using techniques such as live tracking, card skimming, and OTP interception.

According to the report, social media assists in attracting users to the fraudulent websites. Facebook accounts for about 60-65% of users while Instagram attracts 15% of them.

The criminal organization tends to focus primarily on citizens of the USA. Other countries which have become victim of such scamming include Italy, Romania, Australia, Canada, Germany, South Korea, Saudi Arabia, and South Africa.

It is recommended that one buys tickets from the legitimate FIFA ticketing websites. Prior to payment, one should carefully inspect the website address, ensure that there is a secure connection through a proper SSL security certificate, and verify their legitimacy through official channels.