Cybercriminals are targeting the FIFA World Cup 2026

FortiGuard Labs research shows how threat actors are using tournament demand to launch scams and steal credentials.

FIFA cyber threats are already emerging ahead of the FIFA World Cup 2026 as cybercriminals launch phishing campaigns, fake ticket scams, malware attacks, and credential theft operations targeting fans and organisations worldwide. Starting June 11, the FIFA World Cup 2026 will unite fans, teams, sponsors, broadcasters, hospitality providers, and businesses in one of the world’s largest sporting events.

Major international sporting events create anticipation, attract high search volumes, evoke strong emotions, and drive large volumes of digital transactions. Fans search for tickets, travel offers, merchandise, live streams, betting sites, job openings, and event updates. Meanwhile, organisations manage logistics, staffing, travel arrangements, customer service, media activities, and third-party coordination.

Threat actors have anticipated these behaviours and have already begun exploiting them.

New research from FortiGuard Labs reveals that cybercriminal infrastructure linked to the FIFA World Cup 2026 is already operational. Between January and May 2026, threat actors registered more than 13,000 FIFA World Cup 2026-themed domains. Researchers identified approximately 8.8 percent of those domains as malicious or suspicious through pattern analysis and scam activity.

That volume demonstrates that threat actors are not waiting for the opening match. They are already here.

FIFA cyber threats are rapidly growing

FortiGuard Labs identified a significant increase in FIFA-themed domain registrations between March and May 2026. Many of these domains misuse FIFA branding and include terms related to ticketing, streaming services, betting platforms, and hospitality.

Threat actors have created hundreds of fake websites that appear legitimate enough to gain a fan’s trust for a few critical seconds. During that time, victims may search for tickets, resale options, match streams, travel packages, or official merchandise. Unfortunately, a few seconds is often all attackers need.

The report identifies several major categories of FIFA-themed threats:

• Phishing and fake ticketing websites
• Resale ticket scams promoted through Telegram and other channels
• Fake merchandise storefronts
• Malicious betting and streaming applications
• Third-party Android Package Kit (APK) downloads carrying malware risks
• Social media impersonation accounts
• Fake job postings and recruitment lures
• Cryptocurrency scams and fake airdrops
• Credential exposure tied to stealer malware and historical breach data

These findings suggest the emergence of a broad cybercrime ecosystem centred around the tournament. Furthermore, the threat extends beyond a single scam type, platform, or victim demographic.

FIFA cyber threats exploit ticket demand

Ticketing scams remain one of the most visible threats because they exploit scarcity. Fans who cannot secure tickets through official channels often turn to resale websites, social media groups, Telegram channels, search advertisements, or peer-to-peer marketplaces.

Attackers capitalise on this urgency by promoting fake limited-time discounts and exclusive offers. As a result, victims feel pressured to make quick decisions without verifying legitimacy.

FortiGuard Labs identified numerous counterfeit ticketing sites that mimic official FIFA pages. These sites collect personal information, login credentials, billing details, and payment data. In one example, a domain registered in May 2026 replicated FIFA content and used a fake checkout process to harvest sensitive information.

The report also documents ticket scams advertised on underground forums and Telegram channels. Some campaigns bundled fraudulent match tickets with counterfeit flights and hotel packages to increase credibility.

These FIFA cyber threats succeed because they mirror normal fan behaviour. Most people trying to secure tickets think like consumers, not security analysts.

FIFA cyber threats spread through social media

FortiGuard Labs identified more than 1,700 suspected FIFA-related impersonation accounts and channels across social media and messaging platforms. Nearly 90 percent of these cases appeared on Facebook and Instagram.

Attackers use these accounts to promote fake giveaways, ticket scams, fraudulent livestream links, phishing campaigns, misinformation, and malware distribution. Additionally, social media provides attackers with a low-cost method to contact potential victims directly.

Fans regularly discuss teams, matches, travel plans, and ticket availability online. Consequently, attackers can easily insert themselves into legitimate conversations.

These scams often appear convincing because they blend into trusted communities. For example, a fake ticket seller inside a fan group, a livestream link shared before kickoff, or an account using FIFA branding may appear legitimate enough to attract clicks.

FIFA cyber threats include malware campaigns

The report highlights several malicious applications linked to World Cup-related activities.

One detected executable, “1xbet.exe”, displayed signs of persistence, encrypted communications, and potential ransomware behaviour. Additionally, FortiGuard Labs discovered suspicious FIFA-themed APK files distributed through third-party download websites.

This trend is important because major sporting events consistently increase demand for betting applications, livestreaming tools, score trackers, and promotional apps.

Attackers exploit that demand by distributing fake or trojanised software disguised as legitimate applications.

Installing apps from unofficial sources can expose devices to spyware, credential theft, remote access tools, and other forms of malware. Furthermore, the risk increases when users ignore security warnings to access streams, promotions, or betting platforms.

FIFA cyber threats target job seekers

The FIFA World Cup also creates demand for temporary workers, contractors, hospitality staff, logistics personnel, media support teams, and event-specific roles.

Unfortunately, attackers view this demand as another opportunity.

FortiGuard Labs identified a credential-stealing campaign that used fake FIFA-related job advertisements and sponsor recruitment posts. Attackers distributed calendar invitations and directed victims to phishing websites featuring counterfeit Google login pages.

When victims entered their credentials, the sites displayed generic error messages while silently capturing usernames and passwords.

Researchers also found multiple domains impersonating FIFA, sponsors, and affiliated organisations that shared the same Google Analytics tracking identifier. This overlap suggests a coordinated campaign.

The credential theft infrastructure used Render-hosted APIs, demonstrating how attackers increasingly abuse legitimate cloud services to make malicious activity appear normal.

FIFA cyber threats increase credential exposure

The report also found evidence of FIFA-related activity inside stealer malware telemetry.

FortiGuard Labs detected more than 4,600 FIFA-associated URLs within stealer logs connected to malware families including Vidar, LummaC2, and RedLine.

Researchers also discovered more than 260 FIFA employee credentials and over 270,000 credentials belonging to users and fans who had visited FIFA-related websites within delimiter-based stealer log datasets.

Additionally, FortiGuard Labs identified more than 1,500 records associated with FIFA-related employee and organisational accounts in historical breach datasets.

This does not mean all exposed accounts remain active or compromised today. However, threat actors can use this information to support credential stuffing, account takeover attacks, targeted phishing, impersonation, and fraud.

During high-profile global events, even older credentials can become valuable when combined with new social engineering techniques.

How to defend against FIFA cyber threats

The FIFA World Cup 2026 threat landscape demonstrates that major events create cyber risks long before they begin.

As a result, organisations across sports, travel, hospitality, media, retail, finance, government, transportation, and critical infrastructure should begin preparations early.

Security teams should:

• Monitor for lookalike domains and brand impersonation
• Detect malicious advertisements and fake social media profiles
• Monitor credential leaks involving employees, partners, and customers
• Strengthen phishing and malware protections
• Review controls against credential theft and account takeovers
• Increase user awareness training before the tournament begins

Fans and employees should:

• Purchase tickets only through official channels
• Avoid third-party APK downloads
• Exercise caution when accessing livestream links
• Verify job opportunities through official websites
• Treat urgent payment requests with suspicion
• Enable multi-factor authentication where available

The most important lesson for defenders is simple. Attackers follow attention.

The FIFA World Cup 2026 will attract global attention from billions of people. Consequently, cybercriminals have already started building the infrastructure needed to exploit that interest.

Organisations and individuals should prepare accordingly.

Read the full report

The FIFA World Cup 2026: Cyberthreat Landscape Report from FortiGuard Labs provides a detailed analysis of newly registered domains, malicious infrastructure, impersonation accounts, fake ticketing operations, job scams, malware activity, credential exposure, underground forum activity, and infrastructure reuse linked to tournament-themed campaigns.

Stay Informed With Cyber News Live

Cyber threats are constantly evolving, and staying informed is critical to protecting your organisation.

Follow Cyber News Live for the latest cybersecurity news, threat intelligence, expert analysis, and practical guidance to help strengthen your cyber defences.