World Cup crypto scams were operational before the opening whistle, with TRM Labs identifying two fake-ticketing sites and a fixed-match betting pitch tied to four crypto addresses as the 2026 tournament got underway.
As of TRM’s June 11 report, those addresses had collectively received less than $1,700, but the infrastructure was already live and waiting for volume to arrive, according to Bitcoin Foundation News citing the research.
‘Criminals always look to exploit major events and cultural moments and they don’t wait until kickoff,’ Ari Redbord, global head of policy at TRM Labs, told Cointelegraph. ‘Scammers build and position their infrastructure weeks in advance, then scale it the moment public attention peaks.’
The timing is deliberate. FIFA expects approximately 6.5 million fans to attend the tournament across Canada, Mexico and the United States, with a projected $40.9 billion in global GDP impact, a demand pool that scammers had been building towards for months before kick-off.
World Cup Crypto Scams: What TRM Found On-Chain
In one fake-ticket case, TRM Labs traced funds moving from Polygon through several swaps before landing on TRON, according to Crowdfund Insider. One Polygon address received the bulk of its funds on a single day in early April 2026, months before the tournament began. TRM also identified cases on Ethereum.
The cross-chain routing is part of a wider pattern. TRM Labs reported that scammers have moved approximately $1.9 billion through bridges across all tracked operations, using the hops to complicate tracing and maintain access to liquidity. Redbord noted that the on-chain nature of crypto payments nonetheless allows investigators and compliance teams to act before losses accumulate.
For scale on the broader fraud environment: TRM Labs reported that in 2025, approximately $35 billion flowed to scam-linked wallets out of $158 billion in total criminal crypto flows, with investment-related deceptions driving the majority of fraud inflows.
TRM has flagged additional World Cup crypto scam typologies likely to surface as the tournament progresses: fake live-streaming sites, deepfake impersonations, fake token launches, accommodation fraud, and crypto gambling schemes.
The GHOST STADIUM Operation and the Broader Threat Landscape
The scale of the domain-spoofing problem extends well beyond the addresses TRM catalogued. Cybersecurity firm BrandShield identified a 900% increase in fraudulent World Cup-related domains between March and May 2026, with more than 10,000 suspicious domains detected that imitate official FIFA branding, push fake tickets, sell counterfeit merchandise, or harvest payment and personal data.
Security researchers separately identified a threat actor group called GHOST STADIUM (described as a Chinese-speaking, money-driven operation) running a single phishing kit across more than 300 lookalike FIFA sites, according to The Hacker News. The kit is reportedly a near-perfect copy of fifa.com that mirrors FIFA’s genuine single sign-on login, run by PingIdentity, down to the live site’s client ID.
The demand signal that makes all of this viable: FIFA received more than 150 million ticket requests in the first 15 days of sales, leaving the tournament approximately 30 times oversubscribed. The gap between supply and demand is the attack surface.
The FBI’s IC3 warned in May that threat actors were spoofing FIFA websites to collect personally identifiable information (PII) including names, home addresses, phone numbers, email addresses, and banking details. The bureau advised fans to type fifa.com directly into their browser rather than follow sponsored search-engine links, and warned that additional fake domains are expected throughout the tournament.
FIFA has also cautioned that tickets bought outside its official platform may be invalidated without notice, a warning that lands harder given that the Financial Times reported 176,000 unsold tickets still sitting in official resale portals as of this week. Distressed inventory in official channels is exactly the kind of credibility gap that makes unofficial sellers look more plausible.
The infrastructure underpinning World Cup crypto scams is in place. Watch on-chain flows to the identified addresses over the knockout stages: that is where the low opening balances will either stay low or start compounding.
