The world's most-watched sporting event kicks off June 11th in cities across the United States, Canada, and Mexico—and the criminal infrastructure built to exploit it has been under construction for months.
Research from Fortinet's FortiGuard Labs, published this week, documents the scale of that preparation: more than 13,000 FIFA-themed domains registered between January and May 2026, a sharp spike in fake social media accounts, credential theft campaigns targeting both fans and tournament employees, and at least one coordinated phishing operation linked across dozens of impersonation sites by a single shared tracking ID.
The picture that emerges isn't a collection of opportunistic scams. It's an organized criminal ecosystem, built to scale, that will remain active long after the final whistle.
Infrastructure built to deceive
Of the 13,000-plus newly-registered FIFA-related domains, roughly 8.8%—approximately 1,145 domains—were classified as malicious or suspicious based on domain patterns and associated scam activity. Domain registrations spiked sharply from March through May, with April alone accounting for nearly 4,750 new registrations, signaling coordinated infrastructure buildout ahead of the tournament.
Most domains abused FIFA branding, ticketing keywords, streaming services, betting platforms, and hospitality terms to capture fans searching for tournament information. The .com TLD dominated at 87%, reflecting an attacker preference for appearing legitimate rather than hiding behind obscure extensions.
FortiGuard Labs also identified more than 1,700 suspected FIFA impersonation accounts and channels across major social media platforms, with Facebook and Instagram collectively accounting for nearly 90% of observed cases.
From the report: "The findings demonstrate that cyberthreats targeting the FIFA World Cup 2026 are already active and are expected to intensify as the tournament draws closer. Evidence of infrastructure reuse, coordinated domain registrations, and recurring scam tactics suggests that these activities are part of organized campaigns rather than isolated incidents."
The full scam taxonomy
Fake ticketing operations are the headline threat, but the attack surface extends well beyond ticket fraud. FortiGuard researchers documented active campaigns across at least six categories.
Ticket fraud: Fake sites closely mimicking official FIFA portals harvest billing details and payment card data. One impersonation site, 26-fifa[.]com, registered in May 2026, walked victims through a four-step checkout flow—complete with a fake sign-in portal to capture login credentials before reaching the payment page. Scammers also operate through carding forums and Telegram channels, where fraudulent tickets are bundled with fake flight and hotel packages, with cryptocurrency payment options to avoid traceability.
Merchandise scams: Threat actors created fake storefronts that impersonated official FIFA merchandise pages and legitimate e-commerce platforms, including a site that mimicked Brazilian retailer Panini using a lookalike domain.
Job posting scams: With the tournament driving demand for event staffing, hospitality, and media support roles, FortiGuard identified a credential-harvesting campaign distributing fraudulent job offers from fake FIFA and sponsor domains—including impersonations of Coca-Cola, Marriott, PepsiCo, and Delta—via calendar meeting invitations. Victims who clicked were directed to a phishing page embedding a fake Google login interface. Credentials entered on the page were forwarded to backend APIs hosted on Render's cloud platform. Investigators identified a single Google Analytics tracking ID (G-123NZLZV56) embedded across all sites, strongly suggesting that a single threat actor or a coordinated group is behind the entire operation.
Fake streaming: Fraudulent streaming sites, promoted through social media and Telegram just before matches begin, pressure users to register quickly or install a fake media player—either of which leads to credential theft or malware installation.
Cryptocurrency fraud: A fake "World Cup Coin" ($WORLDCUP) airdrop campaign used official-looking branding and urgent messaging to pressure users into connecting their wallets, enabling unauthorized transactions and financial theft.
Malicious applications: A trojanized version of the 1xBet betting application was observed exhibiting ransomware-related behaviors, including encrypted communications and persistence mechanisms mapped to multiple MITRE ATT&CK techniques. The executable communicated through legitimate cloud services—Supabase and Render—to blend malicious traffic with normal activity.
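The link FortiGuard drew between the job-scam sites rests on one Google Analytics measurement ID appearing on every page. The Python below is an added example, not code from the FortiGuard report: it shows how a defender can pull such IDs out of saved page sources and cluster hosts that share one. The page sources and defanged hostnames are constructed samples; the ID cited in the report is reused for illustration, and the second ID is made up.

```python
import re
from collections import defaultdict

# GA4 measurement IDs look like G-XXXXXXXXXX; the older Universal Analytics
# form was UA-nnnnnn-n. Both are matched wherever they appear in the HTML.
GA_ID_RE = re.compile(r"\b(G-[A-Z0-9]{6,12}|UA-\d{4,10}-\d{1,3})\b")

# Constructed sample page sources (hypothetical, defanged hostnames): three lure
# sites carrying the ID cited in the report, one unrelated shop with a made-up
# ID, and one site with no tracker at all.
SAMPLE_PAGES = {
    "jobs-fifa2026[.]example": (
        '<script async src="https://www.googletagmanager.com/gtag/js?id=G-123NZLZV56">'
        "</script><script>gtag('config', 'G-123NZLZV56');</script>"
    ),
    "careers-sponsor-hotel[.]example": "<script>gtag('config','G-123NZLZV56');</script>",
    "world-cup-staffing[.]example": "gtag('js', new Date()); gtag('config', 'G-123NZLZV56');",
    "unrelated-shop[.]example": "<script>gtag('config', 'G-ABCDEF1234');</script>",
    "no-analytics[.]example": "<html><body>no tracker here</body></html>",
}


def extract_tracking_ids(html):
    """Return the set of Google Analytics IDs embedded in one page source."""
    return set(GA_ID_RE.findall(html))


def cluster_by_tracking_id(pages):
    """Map each tracking ID to the sorted list of hosts that embed it."""
    clusters = defaultdict(list)
    for host, html in pages.items():
        for tracking_id in extract_tracking_ids(html):
            clusters[tracking_id].append(host)
    return {tid: sorted(hosts) for tid, hosts in clusters.items()}


def shared_infrastructure(pages, min_hosts=2):
    """Keep only IDs seen on at least min_hosts hosts. A shared ID is a lead
    that one operator runs the sites; confirm it against registrar, hosting
    and certificate data rather than treating it as proof on its own."""
    return {tid: hosts for tid, hosts in cluster_by_tracking_id(pages).items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for tid, hosts in shared_infrastructure(SAMPLE_PAGES).items():
        print(tid, "->", ", ".join(hosts))
```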
AI has changed the attack calculus
What makes this threat cycle distinct from prior tournaments is AI's role as an operational accelerator.
Anne Cutler, Cybersecurity Evangelist at Keeper Security, described the shift plainly: "Phishing emails that are grammatically perfect, contextually accurate, and personalized with your name and your team can be written by an AI tool in seconds. A text message from a friend or family member urgently asking for money for tickets may not be from whom you think. The old advice about looking for bad spelling and awkward phrasing is obsolete."
Pyry Åvist, Co-founder and CTO at Hoxhunt, put a timeline on the acceleration. "We observed explosive growth in AI-assisted phishing beginning in late 2025," he said. "Attackers can now generate realistic messages in multiple languages, tailor them, blend into specific corporate workflows, and produce many variations of the same lure"—a combination that makes filtering harder and raises the likelihood that at least one version lands.
The organizational exposure problem
The risk doesn't stop with individual fans. Organizations connected to the tournament—sponsors, broadcasters, vendors, host-city suppliers—face a distinct and underappreciated threat surface.
Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, offered a blunt assessment of the defensive gap: "Over a third of FIFA's own sponsors and suppliers have no DMARC record on their mail domains, which means a criminal crew does not need to forge anything to spoof them. Paris 2024 saw 140 successful cyber incidents at roughly a quarter of this footprint. The hard part is not knowing what to do. It is counting how many places have to do it."
The credential exposure data from FortiGuard underscores that point. Stealer log telemetry identified more than 260 credentials tied specifically to FIFA employees, more than 270,000 credentials from fans visiting FIFA-related websites, and more than 1,500 FIFA-associated employee and organizational accounts in historical breach datasets. Those credentials don't expire when the tournament ends.
Cutler captured the delayed risk: "Attackers know exactly who to target. They know the accounts you're creating right now for streaming and ticketing almost certainly share a password with another more valuable account. Those credentials get harvested, verified, and deployed weeks or months later—long after the final whistle and long after anyone connects the breach to a World Cup ticketing site. A fan who cuts corners in June becomes the entry point in September."
Rex Booth, CISO at SailPoint, framed the issue at the organizational level. "The true danger lies in the ability to grant attackers access to credentials, enabling them to masquerade as trusted insiders," he said, adding that organizations need to treat identity as the primary control plane, not an afterthought.
Mobile as the primary attack vector
Kern Smith, Vice President of Global Solutions at Zimperium, argued that the tournament demands a mobile-first security posture. With an estimated 6.5 million fans traveling across three host nations, mobile devices serve as the primary surface for ticketing, payments, authentication, and communications—and the volume of legitimate activity makes anomalous behavior harder to spot.
"Attacks increasingly start on the mobile device itself," Smith said. "Mobile-targeted phishing, malicious applications, session hijacking, and AI-assisted social engineering allow attackers to bypass traditional controls and operate inside legitimate user activity." His guidance: avoid installing applications from QR codes or links received through messaging channels, update devices before travel, and treat unexpected authentication prompts as indicators to verify before acting.
FortiGuard's recommendations track closely with what the experts above emphasized. For organizations with any surface area connected to the tournament:
- Monitor newly-registered domains and track impersonation activity against your brand continuously—not just during the tournament window. The infrastructure is already live.
- Enforce DMARC in reject mode on every owned domain. Hogue-Spears' point about spoofing legitimate sponsor domains without any technical forgery is not theoretical—it's an active risk with no excuse for remaining unaddressed.
- Prioritize phishing-resistant MFA on every vendor, volunteer, and partner account. Password reuse between a fan's ticketing account and their corporate credentials is a real and documented attack path.
- Run purple-team exercises against identity and email paths before the tournament begins. As Hogue-Spears noted, organizations that get hit won't have lost to a sophisticated adversary—they'll have lost to a checklist they didn't finish.
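Hogue-Spears' observation about sponsors with no DMARC record and the reject-mode recommendation above both come down to what a domain publishes at _dmarc.&lt;domain&gt;. The Python below is an added example, not Fortinet's or Black Duck's code: it reads DMARC TXT records the way a receiving mail server does and flags the weak settings (no record, p=none, partial pct, weaker subdomain policy, no report address). The domains and records are constructed samples standing in for a live TXT lookup.

```python
# Severity order of DMARC policies, used to spot subdomain policies (sp=)
# weaker than the apex policy (p=).
LEVEL = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records for hypothetical sponsor/supplier domains; a real
# audit would fetch the TXT record at _dmarc.<domain> instead.
SAMPLE_RECORDS = {
    "sponsor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@sponsor-a.example",
    "sponsor-b.example": None,  # nothing published at all
    "supplier-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@supplier-c.example",
    "supplier-d.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@supplier-d.example",
    "vendor-e.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@vendor-e.example",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record):
    """Return (policy, findings) for one _dmarc TXT record; None = not published."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["no DMARC record: a spoofed From: header needs no forgery to be accepted"]
    policy = tags.get("p", "").lower()
    if policy not in LEVEL:
        return "invalid", ["p= tag missing or invalid: receivers apply no enforcement"]
    findings = []
    if policy == "none":
        findings.append("p=none only reports spoofing; it does not block delivery")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    sub = tags.get("sp", policy).lower()
    if LEVEL.get(sub, 0) < LEVEL[policy]:
        findings.append(f"sp={sub}: subdomains get a weaker policy than the apex")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports go nowhere")
    return policy, findings


def audit(records):
    """Return the domains that are not at a clean p=reject."""
    results = {domain: dmarc_posture(rec) for domain, rec in records.items()}
    return {d: r for d, r in results.items() if r[0] != "reject" or r[1]}
```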
For individual fans, the baseline is straightforward: use only official apps and sites, avoid transactions over public Wi-Fi, use unique passwords, and enable MFA on every account created for tournament-related activity.