Starting June 11, the FIFA World Cup 2026 will unite fans, teams,
sponsors, broadcasters, hospitality providers, and businesses in one of
the world’s largest sporting events. It also presents a significant
opportunity for cybercriminals.
Major international sporting events create great anticipation, attract
high search volume, evoke strong emotions, and drive large volumes of
digital transactions. Fans are searching for tickets, travel offers,
merchandise, live streams, betting sites, job openings,
and event updates. Meanwhile, organizations are busy with logistics,
staffing, travel arrangements, customer service, media tasks, and
coordinating with third parties. Threat actors have anticipated these
scenarios and have already started exploiting them.
New research from
FortiGuard Labs reveals that cybercriminal infrastructure linked to the
FIFA World Cup 2026 is already operational. From January to May 2026,
more than 13,000 new FIFA World Cup 2026–themed domains were registered.
And about 8.8% of these domains have been
identified as malicious or suspicious through pattern analysis and scam
activity.
That volume shows that threat actors are not waiting for the opening match. They are already here.
A Fast-Growing Threat Landscape
Our research has revealed a significant increase in FIFA-themed domain
registrations from March to May 2026, with many domains misusing FIFA
branding and including terms related to ticketing, streaming services,
betting platforms, and hospitality.
Threat actors have created hundreds of fake websites that appear
legitimate enough to earn fans’ trust for a few critical seconds while
they search for tickets, resale options, match streams, travel packages,
and official merchandise. Those few seconds are
often all they require.
The report identifies several major categories of FIFA-themed threats:
- Phishing and fake ticketing websites
- Resale ticket scams promoted through Telegram and other channels
- Fake merchandise storefronts
- Malicious betting and streaming applications
- Third-party Android Package Kit (APK) downloads carrying potential malware risk
- Social media impersonation accounts
- Fake job postings and recruitment lures
- Cryptocurrency scams and fake airdrops
- Credential exposure tied to stealer malware and historical breach data
These findings suggest the development of a wide-ranging cybercrime
ecosystem centered around the tournament. This threat extends well
beyond a single scam type, platform, or victim demographic.
Fake Ticketing Remains One of the Highest-Risk Lures
Ticketing scams are among the most visible threats because they exploit
scarcity. Fans unable to secure tickets through official channels often
turn to resale websites, social media groups, Telegram channels, search
ads, or peer-to-peer marketplaces. Attackers
capitalize on this urgency by promoting bogus limited-time discounts to
pressure victims into making quick decisions.
FortiGuard Labs identified numerous counterfeit ticketing sites
mimicking official FIFA pages that gather personal info, login details,
billing, and payment data. In one case, a domain registered in May 2026
replicated FIFA content and employed a fake checkout
to harvest victims’ sensitive information.
The report also documents ticket scams advertised on underground forums
and Telegram channels. Some campaigns bundled fraudulent match tickets
with counterfeit flight and hotel packages to make the offers appear
more complete and credible.
These scams work because they anticipate typical fan behavior. A user
trying to buy a ticket may not think like a security analyst. They are
trying to secure a seat before it disappears.
Social Media Impersonation Expands the Attack Surface
FortiGuard Labs identified more than 1,700 suspected FIFA-related
impersonation accounts and channels across social media and messaging
platforms. Nearly 90% of these cases were on Facebook and Instagram.
These accounts can be exploited for fake promotions, ticket scams,
fraudulent livestream links, phishing, misinformation, and malware
distribution. Additionally, they offer attackers an inexpensive method
to contact fans directly, as fans frequently discuss
teams, matches, travel plans, and ticket availability.
Social media scams are particularly convincing because they often appear
within legitimate conversations. For instance, a fake ticket seller in a
fan group, a livestream link shared just before a match, or an account
with FIFA branding can seem credible enough
to prompt a click.
Malware Is Also Part of the Tournament Threat Landscape
The report highlights malicious apps linked to World Cup–related
activities. One detected executable, ‘1xbet.exe,’ shows signs of
persistence, encrypted communications, and possible ransomware behavior.
FortiGuard Labs additionally found suspicious FIFA-themed
APK files on third-party download sites.
This is crucial because major sporting events frequently increase the
demand for betting apps, livestreaming tools, score trackers, and
promotional apps. Attackers exploit this demand by distributing fake or
trojanized software that appears to be legitimate.
Installing apps from unofficial sources can expose devices to spyware,
credential theft, remote access tools, or other malware. This risk
increases when users ignore security warnings to access streams,
promotions, or betting platforms.
Fake Job Postings Target People Looking for Opportunity
The World Cup also generates demand for temporary workers, contractors,
hospitality staff, logistics personnel, media support, and
event-specific roles. This demand provides attackers with another
attractive target.
For example, FortiGuard Labs identified a credential-stealing scheme
that used fake FIFA-related job ads and sponsor recruitment posts. The
attackers sent calendar invites and directed victims to phishing
websites with a counterfeit Google login page. When
victims entered their credentials, the page returned a generic error
message while the attackers captured the submitted information.
Multiple domains impersonating FIFA, sponsors, and affiliated
organizations shared the same Google Analytics tracking ID, pointing to a
coordinated campaign. The credential theft process employed
Render-hosted APIs, showcasing how attackers can exploit legitimate
cloud services to deploy malicious infrastructure more easily and make
it difficult to differentiate from regular web activity.
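The shared tracking ID described above is a pivot defenders can automate. The following is an added example, not code from the FortiGuard Labs report: it extracts Google Analytics IDs from already-fetched page HTML and groups domains that share one. The domains, HTML snippets, and tracking IDs are constructed sample data.

```python
import re
from collections import defaultdict

# Universal Analytics (UA-XXXXXXXX-N) and GA4 (G-XXXXXXXXXX) identifiers.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b")

# Constructed sample input: domain -> HTML already collected by a crawler.
# Every domain uses the reserved .example TLD and every ID is made up.
SAMPLE_PAGES = {
    "fifa-jobs-apply.example":
        '<script async src="https://www.googletagmanager.com/gtag/js?id=G-TESTAAAA01"></script>',
    "sponsor-careers-2026.example":
        "<script>gtag('config', 'G-TESTAAAA01');</script>",
    "worldcup-volunteer.example":
        "<script>gtag('config', 'G-TESTAAAA01'); ga('create', 'UA-00000000-1', 'auto');</script>",
    "unrelated-fan-blog.example":
        "<script>gtag('config', 'G-TESTBBBB02');</script>",
}


def extract_ga_ids(html):
    """Return the set of Google Analytics IDs referenced in one page."""
    return set(GA_ID_RE.findall(html))


def cluster_by_tracking_id(pages, min_domains=2):
    """Group domains by shared tracking ID.

    An ID seen on only one domain says nothing about infrastructure reuse,
    so only IDs present on at least `min_domains` domains are returned.
    """
    by_id = defaultdict(set)
    for domain, html in pages.items():
        for ga_id in extract_ga_ids(html):
            by_id[ga_id].add(domain)
    return {
        ga_id: sorted(domains)
        for ga_id, domains in by_id.items()
        if len(domains) >= min_domains
    }


if __name__ == "__main__":
    for ga_id, domains in cluster_by_tracking_id(SAMPLE_PAGES).items():
        print(ga_id, "->", ", ".join(domains))
```

A shared ID is a lead rather than proof: site templates and copied page source can carry the same ID across unrelated operators, so confirm clusters with registration and hosting data.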
Credential Exposure Raises the Stakes
The report also found evidence of FIFA-related activity within stealer
log telemetry. FortiGuard Labs detected over 4,600 URLs associated with
FIFA in stealer logs, connected to malware families like Vidar, LummaC2,
and RedLine. Additionally, the research uncovered
more than 260 FIFA employee credentials and over 270,000 credentials
from users and fans visiting FIFA-related websites in delimiter-based
stealer log data.
Additionally, FortiGuard Labs found over 1,500 records of FIFA-related
employee and organizational accounts in past breach datasets.
This does not imply that all exposed accounts are currently active or
being exploited. However, threat actors now have access to data that
could facilitate credential stuffing, account takeover, targeted
phishing, impersonation, and fraud. During high-profile
global events, even outdated credentials can be exploited when combined
with new social engineering tactics and lures.
What You Should Do Now
The FIFA World Cup 2026 threat landscape is a reminder that significant
events present cyber risks well before they begin. As a result,
organizations in sports, travel, hospitality, media, retail, finance,
government, transportation, and critical infrastructure
need to start their defensive preparations early.
Security teams need to monitor for lookalike domains, brand
impersonation, malicious advertisements, fake social media profiles, and
credential leaks involving employees, partners, and customers. They
should also assess protections against phishing, malware,
credential theft, and account takeovers.
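One way to start the lookalike-domain monitoring described above is to triage a feed of newly registered domains for tournament branding combined with the lure terms the report lists (ticketing, streaming, betting, hospitality). This is an added example, not FortiGuard Labs tooling; the token lists, the allowlist, and the sample domains are assumptions chosen for illustration.

```python
# Brand tokens and lure terms are assumptions; tune them to your own brand.
BRAND_TOKENS = ("fifa", "worldcup", "world-cup")
LURE_TERMS = {
    "ticketing": ("ticket", "resale"),
    "streaming": ("stream", "live", "watch"),
    "betting": ("bet", "odds"),
    "hospitality": ("hospitality", "hotel", "vip"),
}
# Undo common digit-for-letter swaps (f1fa -> fifa) before matching.
LEET = str.maketrans("013457", "oieast")
# Assumption: domains the organisation knows to be official.
ALLOWLIST = {"fifa.com"}


def triage(domain):
    """Return the sorted lure categories for a brand-related domain.

    Returns None when the domain is allowlisted or carries no brand token,
    and an empty list when it uses the brand without a known lure term.
    """
    host = domain.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in ALLOWLIST):
        return None
    # Match on every label except the TLD, after normalising digit swaps.
    name = ".".join(host.split(".")[:-1]).translate(LEET)
    if not any(token in name for token in BRAND_TOKENS):
        return None
    # Substring matching is deliberately loose; expect some false positives
    # (for example "bet" inside an unrelated word) and review hits manually.
    return sorted(
        category
        for category, terms in LURE_TERMS.items()
        if any(term in name for term in terms)
    )


# Constructed sample feed of newly registered domains.
SAMPLE_FEED = [
    "fifa-tickets-2026.example",
    "f1fa-live-stream.example",
    "worldcup2026-bet-vip.example",
    "tickets.fifa.com",
    "local-football-club.example",
]

if __name__ == "__main__":
    for d in SAMPLE_FEED:
        print(d, "->", triage(d))
```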
User education is important. Fans and employees should be reminded to
use official ticketing channels, avoid third-party APKs, exercise
caution with livestream links, verify job postings on official websites,
and be wary of urgent payment requests that seem
suspicious.
For defenders, the most critical lesson is straightforward: Attackers
capitalize on attention. With the FIFA World Cup 2026 attracting
worldwide focus, cybercriminals are already setting up the
infrastructure to take advantage. You need to prepare accordingly.
Read the full report: The FIFA World Cup 2026: Cyberthreat
Landscape Report from FortiGuard Labs provides a deep analysis of newly
registered domains, malicious infrastructure, impersonation accounts,
fake ticketing processes, job scams, malware activity,
credential exposure, underground forum activity, and infrastructure
reuse connected to tournament-themed campaigns.