FIFA World Cup and Mega-Events: When the Urgency Is Real, but the Infrastructure Isn't

Attackers don't have to manufacture urgency when mega-events can produce this on a global scale.
Many social engineering techniques use urgency. A bank account compromised, a suspicious log in, or an impending project deadline. These attacks focus on activating our general knowledge, hoping that it will align with the victim’s daily experience. Mega-events don’t need this pretext. The urgency is real. People see it in the media and their physical environment. Attackers don’t need to convince targets when the world has already done so. The urgency is real, it just needs to be diverted.
Urgency runs through the 2026 FIFA World Cup. Whether in a breakaway, a well-timed shot, or finding a seat at a bar. From the outside, fans often take the coordination for granted - unless they are in a host city. As a distributed, global-scale event with 104 matches in 16 cities it has unfolded over months. During the Random Selection Draw window that ran from December 11, 2025 to January 13, 2026, FIFA received more than 500 million ticket requests, an average of roughly 15 million per day across the 33-day window. Each application was validated against a unique credit card. The sheer volume of transactions for a single series of coordinated events has few precedents.
People are used to scams around sporting events, whether unhonored bets or scalpers selling fake tickets. With half a billion requests and only six million seats, the tension is quantifiable. This also defines the attack surfaces that attackers have exploited.
Claiming that the victims of these scams should have known better fuels our ignorance of social engineering. It focuses on a person and ignores the situation. It assumes that people are ‘irrational’ and could have seen the signs. By doing so, hindsight bias shifts resources away from the situational solutions that can reduce social engineering.
But each victim is someone who had a legitimate want, used their money, and tried to make legitimate purchases. The FIFA World Cup shows the scale of this problem and suggests there is a common cause. Organizations must support their customers and their employees by developing methods that secure the verification decision itself, rather than leaving it to the individual.
The Diversion, not the invention
GHOST STADIUM, a Chinese-speaking, financially motivated operator built a near-perfect clone of FIFA's official website, reproducing the single sign-on flow, pulling brand images directly from FIFA's own content delivery network, and translating automatically into 11 languages. This is the same approach used in enterprise attacks. A fan who visits one of these pages is unlikely to tell them apart. Unless they strip it down to the code, the surface seems real.
GHOST STADIUM used this kit on more than 300 domains. It exists inside a wider ecosystem of 4,300 fraudulent FIFA-themed domains, 6 unique fraud schemes, and four independent threat actors. Many of the domains appeared to have remained dormant, ready for kickoff. This reduces the chances an analyst will find them and understand their threat.
With so many fans wanting tickets, attackers only need to find a small percent that will fall into their fraud funnel. Premium and hospitality ticket fraud alone has been estimated to produce losses between $71 million and $474 million, based on roughly 47,400 victims across 79 sites. The final campaign could cost billions.
Instead of a kick, the attack started with paid advertising. Facebook Ads promised seats normally priced in the thousands for as little as $60, paired with "first come, first served" messaging. The gap between the real cost and the discount might seem like it should raise concerns, but deal sites and re-sellers often overpromise, and sometimes it pays off.
If a fan who has been excluded from an oversubscribed seat draw finds a cheap seat and a countdown, they know the scarcity and urgency are real. The tickets might be gone if they wait. This is a real marketing tactic that organizations use, FIFA included. Attackers just divert that emotion to an artfully constructed illusion.
From turnstile to concourse: how the attack works
The mirage of a Ghost Stadium needs to be convincing. Even in online interactions, diverted fans must still pass through two gates. As they pass through, they face many small decisions. People are so used to making them, they often go unnoticed. If the environments they find fail to match their expectations, they will turn back. But if they look familiar or ‘right’, the motivational momentum will carry them forward.
Verification is a specific decision process. When presented with a complicated task, we try to winnow it down until it is manageable. We substitute an easy problem for a hard problem. We don’t look at pixels, URLs, or site certificates; we look for overall visual and behavioral patterns. If something is recognizable, we use this default mode.

Turnstile Cloning: Fans first reach a turnstile. A turnstile needs a credential: it reads a valid ticket and admits the holder. Online, this takes the form of a login page, the single sign-on screen, and the payment badge. The fan relies on fast, perceptual decisions. When the sign-in page appears and it matches a template held from every prior purchase, it’s game time. No reasoning required. This ease of recognition becomes the evidence of authenticity, referred to as processing fluency.
User experience (UX) and user interface (UI) can help scam success: when UX works, so does fraud. Users know to check the domain, look for the official brand and payment page, notice poor spelling or an unfamiliar interface. Each of these steps requires time and attention. The more features need to be assessed, the further attention is strained. If too many features don’t match their mental model, that cognitive friction tells them they’re entering the wrong gate.
Table 1. Verification cues and the design principles that make them successful.
Until recently, each one is a reliable cue with fakes discrepant. Even with wider knowledge of AI text- and image-generation abilities, the notion of ‘AI slop’ reinforces the limited realism. When the cloned sites are FIFA's real images and the real SSO flow is reproduced, the distinction dissolves. Cues lose their diagnosticity. Whatever cues are available no longer allow them to distinguish authentic from artful fakes.
Coordination is distributed across multiple venues, vendors, and payment processors. No single party understands the whole picture. While this is true for any larger enterprise, it is strained to the point of breaking for mega-events. Mega-event logistics stretches this even further.
On the surface, the math is simple. Only fifa.com/tickets is a legitimate primary seller. Compared against 4,300 faked FIFA domains, the task seems simple. But the market for secondary sellers creates an opportunity. It’s simply a numbers game. When 15 million requests are made per day, if only a small fraction of people can be diverted it will pay off.
Concourse Staging: Once they pass the turnstile, a fan reaches the concourse. Uncertain fans read the crowd. They watch the flow of traffic and draw from their memories. A social media post that mentioned ‘an amazing deal’, reselling sites, or a friend sending a link (”have you seen this?”) is all the proof they need. They are at a tipping point, already committed to the decision with their investment of time (sunk cost), and the pull to finish grows stronger as the purchase nears completion (the goal-gradient effect).
Like a wave of chants and applause that work their way through the crowd, each fan is caught in an informational cascade. No one verifies, everyone mimics when it’s their turn. Confidence grows with each testimonial. As the clock ticks down for game time, the urgency is created by others. The popular persuasion is self sustaining. There are only so many tickets, and only one main event.
Stories of being duped should be powerful reminders of the potential for peril. The stories of fraud can be withheld. Like organizations compromised by cyberattacks, few people want to admit that they were duped. But those tales of deception can also be discounted. When they happen to psychologically distant people, they lack realism. Most people think they can identify deception despite evidence that they cannot. That’s the power of confirmation bias: we can pick and choose what evidence we want to use to maintain our model of the world and our sense of self.
When All Roads Lead to Cognition Compromise
The World Cup campaigns are not about gullible fans or about a one-time event. The delivery of goods and services has never been more de-localized, and trust has never been spread thinner. By pushing the logistic coordination to an extreme, these events show the problems of intra- and inter-organizational collaboration.
When most organizations use third-parties for help desks, overseas fulfillments, and payment processing, the boundaries are left to customers to interpret. By pushing the verification problem onto consumers, they are increasing their own threats making the least knowledgeable stakeholders the one most responsible for defense.
In times when streaming services, retailers, banks merge and acquire each other, we cannot expect consumers to keep pace. Organizations must send clear signals to consumers and strategically weigh how they communicate security warnings against marketing. They must communicate their expertise to their customers.
Businesses must realize that most people do not have the luxury to read through every email notification or security tip. Sending reminders and notifications is only the first step. They must develop comprehensive strategies for defending their extended human attack surface or both customers and employees. When every person is an end-point in a social network, they must all be defended.
The key to the success of turnstile cloning isn’t that it creates urgency. Rather, it exploits it. Like employees working against a deadline, a pretext doesn’t need to be sophisticated. If they are working on a deadline and receive an email or pop-up that is standing between them and their KPIs, they will push forward.
Maintain situational awareness. Organizations should understand both the legitimate and illegitimate markets for their product. As much as they understand competition, they must also understand how adversaries will exploit it. This requires not only who adversaries are, but also what their tactics are. Clone websites were advertised. Monitor the paid-ad and search channels where your business is represented beyond your own domains for signs of brand impersonation Adversaries will want to use familiar channels to wrap their fakes in ambient trust.
Acquire related domains. Scams are based on similarity, whether in terms of impersonation, procedural manipulation, or website appearance. Combating these requires acquiring similar domains to maintain integrity. Similarity must be defined in terms of memory and psychomotor skills: people can conflate similarly sounding names, they can also make typos. Acquisition is practically unbounded. Your organization must prioritize by likelihood of confusion. Homophones (similarly-sounding names), common misspellings, and the TLDs your real domain already uses, rather than every permutation.
Centralize and distribute strategically. Responsible design [and business] requires remaining accountable to stakeholders. Suggesting that security is another stakeholders problem cannot hold up to long-term scrutiny. The most effective companies understand their supply chains. Identify the human and technical attack surface requires the same efforts. Adversaries will use OSINT and [reconnaissance] to develop these maps. Organizations should take advantage of their insider knowledge to do so first. If no single fragmented party can see the whole surface the attacker exploits, you must assign one owner for the end-to-end verification path across vendors and processors.
Build authentication channels/mechanisms. Just like organizations build the brand, they must build the means to authenticate vendors, third-parties, and partners. This requires more than a text and logo that can be copied or a sequence that can be duplicated. A copyable logo signals familiarity and nothing about who controls the channel, so assurance must live in signals the consumer cannot be asked to judge. Trust is a product like any other and it must be operationalized in technologies that can provide assurance. If your organization has not done so, it should conduct audits and identify gaps between partner organizations. Co-design solutions that preserve trust.
What is feature engineering
In practice, feature engineering is both science and a bit of witchcraft. It often involves both iteration and experimentation to uncover hidden patterns and relationships within the data. For instance, a data scientist might transform raw sales data into features such as average purchase value, purchase frequency, or customer lifetime value, which can significantly boost the performance of a churn prediction model. By thoughtfully engineering features, practitioners can provide machine learning models with the most informative inputs, ultimately leading to better accuracy and more robust predictions.
What’s more?
- Incorporate more and more data sources
- Feature engineering platform
What is data engineering
As we mentioned above, feature engineering is certainly a subset of data engineering. It involves the ingestion of data from a source, applying a series of transformations, and making the final result available to be queried by a model for training purposes. You can construct feature engineering pipelines to resemble data engineering pipelines, having schedules, specific source and sink destinations, and availability for querying. However, this configuration would only really apply once you have surpassed the experimentation stage and determined a need for a consistent flow of new feature data.
What is feature engineering

1. Functions
Functionally, there is nothing to differentiate data vs features - data points (link). Where feature engineering and data engineering really differ is in the objectives and motivations for constructing the pipelines. In general, data engineering serves a broader, more unified purpose than feature engineering. Data engineering platforms are constructed to be flexible and universal, ingesting various types and sources of data into a unified storage location where any number of transformations and use cases can be applied. The intent of a well constructed fact table or gold layer in a data lake is to provide a single source of truth that answers many different questions, produces many reports, and can be consumed by many downstream customers.
2. Practise
And in practice, an organization’s data engineering team will be responsible for the curation and maintenance of all data pipelines, not just those that relate to machine learning. These pipelines may power BI dashboards used by C-Suite, auditing reports that feed payroll, or event logs that show a user’s history of actions within the application.
Feature engineering, on the other hand, serves a specific purpose, finding the tailored inputs and columns that will generate the best predictive results for a machine learning model. Data scientists and machine learning engineers are not tasked with developing a universal data model that will ingest all data points throughout an organization, they just need to select, curate, and clean the data needed to power their models.
3. Machine learning
Now, as machine learning teams grow and begin to incorporate more and more data sources into their models, their feature engineering platform may start to resemble a larger data engineering platform in the tools and methodologies they employ. But, the intent is not to establish flexible data models that can be used throughout the organization - it is simply to power their machine learning models.






