New research from FortiGuard Labs has revealed that cybercriminal infrastructure linked to the FIFA World Cup 2026 is already operational.
From January to May 2026, over 13,000 new FIFA World Cup 2026-themed domains were registered, with approximately 8.8% classified as malicious or suspicious based on pattern analysis and scam activity. This indicates that threat actors are proactively targeting the event ahead of its opening match.
A Fast-Growing Threat Landscape
The research has revealed a significant increase in FIFA-themed domain registrations from March to May 2026, with many domains misusing FIFA branding and including terms related to ticketing, streaming services, betting platforms, and hospitality.
Threat actors have created hundreds of fake websites that appear legitimate enough to earn fans’ trust for a few critical seconds while they search for tickets, resale options, match streams, travel packages, and official merchandise. Those few seconds are often all they require.
The report identifies several major categories of FIFA-themed threats:
- Phishing and fake ticketing websites
- Resale ticket scams promoted through Telegram and other channels
- Fake merchandise storefronts
- Malicious betting and streaming applications
- Third-party Android Package Kit (APK) downloads carrying potential malware risk
- Social media impersonation accounts
- Fake job postings and recruitment lures
- Cryptocurrency scams and fake airdrops
- Credential exposure tied to stealer malware and historical breach data
These findings suggest the development of a wide-ranging cybercrime ecosystem centered around the tournament. This threat extends well beyond a single scam type, platform, or victim demographic.
Fake Ticketing Remains One of the Highest-Risk Lures
Ticketing scams exploit the urgency of fans seeking tickets, often leading them to turn to resale websites and social media. Scammers promote fake limited-time discounts to pressure victims into quick purchases, making these scams particularly prominent.
FortiGuard Labs reported the emergence of counterfeit ticketing websites imitating official FIFA pages to collect personal and financial information. One identified domain, registered in May 2026, used a fake checkout to deceive users. Additionally, the report highlights ticket scams promoted on underground forums and Telegram, where fraudulent tickets were often bundled with counterfeit travel packages to enhance their legitimacy.
These scams work because they anticipate typical fan behavior. A user trying to buy a ticket may not think like a security analyst. They are trying to secure a seat before it disappears.
Social Media Impersonation Expands the Attack Surface
FortiGuard Labs identified more than 1,700 suspected FIFA-related impersonation accounts and channels across social media and messaging platforms. Nearly 90% of these cases were on Facebook and Instagram.
Social media accounts are susceptible to exploitation for various scams, including fake promotions, ticket scams, and phishing. Attackers can easily engage fans discussing sports topics, using tactics like fake ticket sales or misleading livestream links, which often appear credible amid genuine conversations.
Malware Is Also Part of the Tournament Threat Landscape
The report highlights malicious apps linked to World Cup–related activities. One detected executable, ‘1xbet.exe,’ shows signs of persistence, encrypted communications, and possible ransomware behavior. FortiGuard Labs additionally found suspicious FIFA-themed APK files on third-party download sites.
Demand for betting apps and related tools increases during major sporting events, and attackers exploit it by distributing fake or trojanized software. Installing apps from unofficial sources carries significant risk, including spyware and other malware, especially when users overlook security warnings to access streams or promotions.
Fake Job Postings Target People Looking for Opportunity
The World Cup also generates demand for temporary workers, contractors, hospitality staff, logistics personnel, media support, and event-specific roles. This demand provides attackers with another attractive target.
FortiGuard Labs uncovered a credential-stealing scheme using fake FIFA job ads and sponsor recruitment posts. Attackers sent calendar invites leading victims to phishing sites featuring a counterfeit Google login page. After entering their credentials, victims received a generic error message, while the attackers captured the submitted information. Multiple domains impersonating FIFA and sponsors used the same Google Analytics tracking ID, indicating a coordinated operation. The scheme used Render-hosted APIs, illustrating how legitimate cloud services can be abused to build malicious infrastructure that is hard to distinguish from normal web activity.
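The shared-tracking-ID pivot described above can be reproduced by defenders over their own crawl data. The following is an added example, not code from the FortiGuard Labs report; the domains, tracking IDs and the `KNOWN_LEGIT_IDS` allowlist are constructed placeholders.

```python
import re
from collections import defaultdict

# Legacy Universal Analytics (UA-1234567-1) and GA4 (G-XXXXXXXXXX) identifiers.
GA_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b")

# Constructed page-source snapshots keyed by domain; every domain and ID is made up.
SNAPSHOTS = {
    "fifa-careers.example":
        '<script async src="https://www.googletagmanager.com/gtag/js?id=G-TEST1234AB"></script>',
    "sponsor-hiring.example": "<script>gtag('config', 'G-TEST1234AB');</script>",
    "worldcup-jobs.example": "<script>ga('create', 'UA-0000001-2', 'auto');</script>",
    # Two cloned pages that still carry the tag of the site they copied.
    "ticket-portal.example": "<script>ga('create', 'UA-0000009-1', 'auto');</script>",
    "fan-shop.example": "<script>gtag('config', 'UA-0000009-1');</script>",
    "fan-blog.example": "<p>no analytics tag</p>",
}

# Hypothetical allowlist: IDs owned by the legitimate brand. A cloned page can
# keep the original tag, so a match on these says nothing about a shared operator.
KNOWN_LEGIT_IDS = {"UA-0000009-1"}


def extract_ga_ids(html):
    """Return the set of Google Analytics IDs found in one page source."""
    return set(GA_ID.findall(html))


def cluster_by_tracking_id(snapshots, ignore_ids=frozenset(), min_domains=2):
    """Map each tracking ID to the domains sharing it, keeping only real clusters."""
    domains_by_id = defaultdict(set)
    for domain, html in snapshots.items():
        for tracking_id in extract_ga_ids(html) - set(ignore_ids):
            domains_by_id[tracking_id].add(domain.lower())
    return {
        tid: sorted(domains)
        for tid, domains in domains_by_id.items()
        if len(domains) >= min_domains
    }


if __name__ == "__main__":
    for tid, domains in cluster_by_tracking_id(SNAPSHOTS, KNOWN_LEGIT_IDS).items():
        print(tid, "->", ", ".join(domains))
```

A cluster is a lead for further investigation rather than proof of common ownership, which is why IDs belonging to the impersonated brand are filtered out first.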
Credential Exposure Raises the Stakes
The report also found evidence of FIFA-related activity within stealer log telemetry. FortiGuard Labs detected over 4,600 URLs associated with FIFA in stealer logs, connected to malware families like Vidar, LummaC2, and RedLine. Additionally, the research uncovered more than 260 FIFA employee credentials and over 270,000 credentials from users and fans visiting FIFA-related websites in delimiter-based stealer log data.
FortiGuard Labs identified over 1,500 FIFA-related accounts in previous breach datasets. While not all accounts are currently active or exploited, the data could be used for credential stuffing, account takeovers, phishing, impersonation, and fraud. Outdated credentials may still pose a risk during major global events when combined with social engineering tactics.
What You Should Do Now
The FIFA World Cup 2026 threat landscape is a reminder that significant events present cyber risks well before they begin. As a result, organizations in sports, travel, hospitality, media, retail, finance, government, transportation, and critical infrastructure need to start their defensive preparations early.
Security teams need to monitor for lookalike domains, brand impersonation, malicious advertisements, fake social media profiles, and credential leaks involving employees, partners, and customers. They should also assess protections against phishing, malware, credential theft, and account takeovers.
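One way to start on lookalike-domain monitoring is to triage a feed of newly registered domains for brand terms combined with the lure themes the report lists (ticketing, streaming, betting, hospitality). This is an added example, not FortiGuard Labs tooling; the keyword lists, the `OFFICIAL` allowlist and the sample feed are assumptions to replace with your own data.

```python
# Assumption: allowlist of the brand owner's real domains; extend with your own.
OFFICIAL = ("fifa.com",)
BRAND_TERMS = ("fifa", "worldcup")
# Keyword lists are illustrative; the categories follow the lure themes in the report.
LURES = {
    "ticketing": ("ticket", "resale"),
    "streaming": ("stream", "livetv"),
    "betting": ("bet", "odds"),
    "hospitality": ("hospitality", "hotel", "travel"),
}
LEET = str.maketrans("013457", "oieast")  # f1fa -> fifa, str3am -> stream


def flatten(host):
    """Drop the TLD, separators and digit substitutions so keywords line up."""
    name = host.rsplit(".", 1)[0]
    return name.replace("-", "").replace(".", "").translate(LEET)


def triage(domain):
    """Return (verdict, brand_hits, lure_categories) for one newly seen domain."""
    host = domain.strip().lower().rstrip(".")
    # Exact match or true subdomain only: "fifa.com.evil.example" is not official.
    if any(host == o or host.endswith("." + o) for o in OFFICIAL):
        return ("official", [], [])
    flat = flatten(host)
    brand = [b for b in BRAND_TERMS if b in flat]
    lures = [cat for cat, words in LURES.items() if any(w in flat for w in words)]
    if brand and lures:
        return ("suspicious", brand, lures)
    return ("review" if brand else "ignore", brand, lures)


# Constructed sample feed of newly registered domains (none are real indicators).
FEED = [
    "www.fifa.com",
    "f1fa-t1ckets.example",
    "world-cup2026-str3am.example",
    "fifa.com.secure-login.example",
    "city-football-club.example",
]

if __name__ == "__main__":
    for d in FEED:
        print(f"{d:32} {triage(d)}")
```

Substring matching is deliberately broad, so the "review" and "suspicious" verdicts are a queue for analyst or sandbox follow-up, not a blocklist.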
User education is important. Fans and employees should be reminded to use official ticketing channels, avoid third-party APKs, exercise caution with livestream links, verify job postings on official websites, and be wary of urgent payment requests that seem suspicious.
For defenders, the most critical lesson is straightforward: Attackers capitalize on attention. With the FIFA World Cup 2026 attracting worldwide focus, cybercriminals are already setting up the infrastructure to take advantage. You need to prepare accordingly.


