SecureWorld News

World Cup 2026: When Fan Phishing Becomes an Enterprise Threat

Written by Drew Todd | Fri | Jun 12, 2026 | 1:41 PM Z

Two reports released yesterday arrive at the same unsettling conclusion from different directions: the security controls organizations have long relied on to stop phishing are failing, and attackers are using the 2026 FIFA World Cup as the pressure point to prove it.

Zimperium's zLabs threat intelligence team documented three active, technically sophisticated phishing campaigns targeting World Cup fans through mobile channels. And Darktrace, drawing on telemetry from its sports-sector customer base and a survey of 875 security professionals, found that 84% of professional sports organizations experienced at least one cyber incident in the past year—and that 84% of the malicious emails reaching those organizations passed DMARC authentication checks. The authentication layer meant to stop spoofed email is, in practice, not stopping it.

Read together, the two reports sketch a threat environment in which DMARC isn't blocking malicious email, MFA isn't stopping credential theft, and the mobile devices employees carry into work every day have become the vector connecting consumer-facing scams to enterprise networks.

The demand side: why the World Cup works as a lure

The scale of fan demand for the 2026 tournament has created conditions that attackers can reliably exploit. Of approximately six million available tickets, Zimperium reports that more than five million have already been allocated. For the final in New York/New Jersey, face-value seats reached $10,000 at launch, with premium category tickets topping $30,000. More than 150 million ticket requests were filed in the opening two weeks of sales alone.

That scarcity drives fans toward unverified channels—Telegram resellers, social media listings, search ads—where they're far easier to deceive.

Mika Aalto, Co-Founder and CEO at Hoxhunt, connects the pattern to a broader phenomenon his firm has tracked: temporal phishing, timed to real-world events, converts at dramatically higher rates than generic campaigns. Earlier this year, Hoxhunt observed a 400% spike in tax-themed phishing around the U.S. filing deadline, with simulated attacks in that window drawing roughly four times the click rate of non-deadline equivalents.

The World Cup runs for a month, and the emotional urgency doesn't fade between match days—it compounds.


Three campaigns, one convergence point

Zimperium documented three distinct campaigns, each targeting a different point in the fan lifecycle.

The first, attributed by Group-IB to a Chinese-speaking threat actor and independently flagged by the FBI's Internet Crime Complaint Center, involves production-grade typosquatting sites that replicate the complete FIFA ticket purchase experience. These aren't crude credential-harvesting pages. Zimperium's analysis found that the phishing kit—likely sold through underground forums—is built as a React single-page application, uses FIFA's actual OAuth2 client ID to clone the PingIdentity authentication framework FIFA uses for its real SSO, and incorporates a live-chat module (SaleSmartly, a Chinese SaaS platform) that lets operators interact with victims in real time during the fake purchase flow. One particularly damaging capability is that the kit requests the p1:reset:userPassword OAuth scope, allowing attackers to lock victims out of their legitimate FIFA accounts immediately after credential capture.

The second campaign, which Zimperium designates RetailPhish, impersonates Nike, Adidas, Puma, and Marathon Sport across multiple languages and regions. It distributes via WhatsApp, forces victims to share the link with contacts before unlocking a fake prize—turning each victim into a distributor—and closes with a nominal €2 shipping fee that captures full card details. Nine campaign domains share identical WHOIS privacy tokens, meaning a single registrant controls the entire infrastructure behind Cloudflare obfuscation.

The third vector is the one that most directly threatens enterprise environments. The OffsideHire campaign deploys four fraudulent career portals that impersonate FIFA's recruitment channels—targeting the hiring wave needed to staff a tournament spread across three countries. The kit doesn't target consumers; it explicitly rejects personal email addresses and only accepts corporate or custom-domain accounts. Once a victim clicks "Continue with Google," the backend relays credentials against Google's real infrastructure in real time, intercepts whatever second factor Google triggers, and captures the fully authenticated session. Stolen data is exfiltrated immediately to a Telegram bot. The C2 server was confirmed active at the time of analysis.

The controls that were supposed to stop this

The Darktrace data puts numbers on what the Zimperium campaign analysis illustrates in technical detail. Between October 2025 and March 2026, Darktrace detected more than 116,000 phishing emails targeting sports organizations across its customer base—a volume 19% higher than in other sectors. Of those malicious emails, 84% passed DMARC authentication. More than a third used novel social engineering tactics, including AI-generated content tailored to specific teams, venues, and executives. QR code phishing increased 33% in Q1 2026 compared to Q4 2025, exploiting the QR infrastructure that has become standard in ticketing and fan engagement.

The implication is direct: domain authentication, the foundational email security control, is not functioning as a meaningful barrier. Attackers aren't spoofing domains in ways DMARC catches; they're operating through legitimate infrastructure or compromised trusted accounts.
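To make that point concrete, here is an added illustration (not code from either report) of a mail-triage rule that separates "authenticated as domain X" from "domain X is trusted". The domains, headers and allowlists are constructed; the categories mirror the two explanations above for passing mail: attacker-owned infrastructure and compromised trusted accounts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_BRANDS = {"fifa.example"}   # constructed: brand domains this organisation deals with
KNOWN_SENDERS = {"vendor.example"}    # constructed: established partner domains

def _msg(auth: str, sender: str, subject: str) -> str:
    # Constructed sample message, with Authentication-Results as a receiving MTA would add it.
    return f"Authentication-Results: mx.example.org; {auth}\nFrom: {sender}\nSubject: {subject}\n\n(body)\n"

SAMPLES = {
    "spoofed_brand": _msg("spf=fail smtp.mailfrom=fifa.example; dkim=none; dmarc=fail header.from=fifa.example",
                          "FIFA Tickets <tickets@fifa.example>", "Your World Cup seats"),
    "lookalike_domain": _msg("spf=pass; dkim=pass header.d=fifa-tickets-2026.example; "
                             "dmarc=pass header.from=fifa-tickets-2026.example",
                             "FIFA Tickets <tickets@fifa-tickets-2026.example>", "Your World Cup seats"),
    "compromised_partner": _msg("spf=pass; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example",
                                "Jane Vendor <jane@vendor.example>", "Updated hospitality contract"),
    "unknown_sender": _msg("spf=pass; dkim=pass header.d=mail.example; dmarc=pass header.from=mail.example",
                           "Sam <sam@mail.example>", "Spare final tickets"),
}

def dmarc_verdict(raw: str):
    """Return (dmarc result, RFC5322.From domain) read from the Authentication-Results header."""
    msg = message_from_string(raw)
    m = re.search(r"\bdmarc=(pass|fail|none)\b", msg.get("Authentication-Results", ""))
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return (m.group(1) if m else "none"), domain

def classify(raw: str) -> str:
    """dmarc=pass only proves the mail came from the From domain. Whether that domain
    deserves trust is a separate decision, made here rather than inferred from the pass."""
    verdict, domain = dmarc_verdict(raw)
    if verdict != "pass":
        return "auth_failed"                 # direct spoof: the case DMARC was built for
    if domain in KNOWN_SENDERS:
        return "authenticated_known"         # genuine partner; account takeover still possible
    for brand in PROTECTED_BRANDS:
        if brand.split(".")[0] in domain and domain != brand and not domain.endswith("." + brand):
            return "authenticated_lookalike"  # attacker-owned domain with its own valid DMARC
    return "authenticated_unknown"           # authenticated, but no established relationship
```

Only the first sample is the spoof DMARC was designed to catch; the other three all pass, and the decision about them has to come from sender history and behaviour.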

Rex Booth, CISO at SailPoint, frames the identity dimension in terms practitioners will recognize, saying, "Attacks targeting these events are rarely 'smash and grab' style operations; instead, they are calculated and methodical." The danger, in his framing, is that credential compromise doesn't announce itself—it enables a persistent insider posture that's hard to distinguish from legitimate access.

Booth adds a forward-looking note that the Zimperium AiTM campaign makes concrete: "The more frightening scenario is when adversary AI starts running rampant through your enterprise without the need for action by the victim." OffsideHire doesn't require victims to notice anything unusual. They see a booking confirmation; by then the session is already gone.

The BYOD blind spot

Both reports emphasize the same structural problem: the mobile device sitting in an employee's pocket is simultaneously a personal consumer device and a corporate credential store, and it operates largely outside the visibility of enterprise security controls.

Zimperium's framing is precise: these campaigns reach employees through personal channels—WhatsApp messages, SMS, social media—that never touch enterprise networks. A fan checking ticket availability on a lunch break, on a personal device, over cellular, generates no log that a corporate firewall, email gateway, or EDR platform will ever see. When that device also stores corporate email, authentication apps, and session tokens, the attack path from consumer scam to enterprise breach shortens.

"The biggest risks to large sporting events don't come from new exploits. Instead, they originate from people misusing legitimate apps, identities, and corporate processes," said Randolph Barr, CISO at Cequence Security.

Barr's broader point is that once attackers gain access through credential theft, they don't behave like attackers. They use trusted access—session tokens, OAuth grants, account permissions—in ways that blend into normal operational patterns. The Darktrace ransomware case study makes the same point from the defender side: in one documented incident, attackers exfiltrated data for two full weeks before triggering encryption. Detection that starts at the ransomware note isn't detection—it's damage assessment.

AI compounds both sides of the problem

Darktrace's survey found that 72% of security professionals at sports organizations expect AI to increase their cyber risk over the next 12 months. The concern is well-grounded: Darktrace's own telemetry shows AI-generated content already appearing in targeted phishing emails tailored to specific teams, venues, and executives. Zimperium documents a live-chat social engineering layer built into the Ghost Stadium kit (the FIFA ticket-site kit described above), allowing operators to guide victims through fake purchase flows in real time—a capability that scales with AI assistance.

The irony is that 35% of the same organizations are already deploying or planning to deploy AI into stadium operations—the area respondents identified as the one that would cause the greatest impact if compromised. Shadow AI compounds the exposure: staff are feeding performance metrics, contracts, scouting reports, and health data into tools with little governance, creating a data leakage risk that exists entirely outside existing security controls.

What security practitioners should take from this

The two reports don't just describe a threat landscape—they identify where existing assumptions are breaking down. A few implications worth carrying into security planning for the tournament window and beyond:

  • DMARC passing is not a trust signal. The 84% pass rate on malicious email means authentication status cannot be treated as a reliable indicator of legitimacy. Behavioral detection—what an account does after authentication—has to carry more weight.

  • MFA is not sufficient against AiTM. OffsideHire bypasses MFA in real time by relaying credentials against real infrastructure. Phishing-resistant MFA (FIDO2/passkeys) is the relevant control; standard TOTP or push notification MFA is not.

  • Mobile is an unmonitored perimeter. BYOD devices operating on personal networks and cellular bypass most enterprise visibility. During high-emotion events, the risk that an employee clicks a malicious link on a personal device is structurally elevated—and the blast radius connects back to enterprise credentials.

  • The geopolitical context is elevated. Darktrace specifically flags Russia's continued exclusion from international sport, the ongoing conflict in Ukraine, and Iran's anticipated participation as factors that raise the nation-state threat profile for this tournament. Previous international sporting events have seen state-aligned actors use the cyber domain for symbolic disruption.

  • Third-party access is a live attack surface. For a tournament spanning three countries and hundreds of vendors, a compromised supplier is already inside the perimeter. Zimperium's Ghost Stadium campaign included a supply-chain-style element: the phishing kit reused FIFA's actual OAuth credentials, making its clone indistinguishable from the real authentication flow.
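The following added example (not from Zimperium's analysis or either report) models why the real-time relay described for OffsideHire defeats TOTP but not a passkey: the browser binds a WebAuthn assertion to the origin the user is actually on, and the relying party checks that origin and its own challenge. The origins, keys, and the HMAC standing in for the authenticator's signature are constructed assumptions.

```python
import hashlib, hmac, json, os, struct, time
from urllib.parse import urlsplit

RP_ORIGIN, RP_ID = "https://accounts.example", "accounts.example"  # constructed genuine login
LOOKALIKE = "https://careers-verify.example"                       # constructed AiTM relay origin
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()               # WebAuthn rpIdHash

# TOTP (RFC 6238: SHA-1, 30 s step, 6 digits). The code says nothing about where it was typed,
# so a code forwarded by a relay is indistinguishable from one typed at the real site.
def totp(secret: bytes, at: int) -> str:
    mac = hmac.new(secret, struct.pack(">Q", at // 30), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(struct.unpack('>I', mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000:06d}"

def rp_verify_totp(secret: bytes, code: str, at: int) -> bool:
    return hmac.compare_digest(totp(secret, at), code)

# WebAuthn-style assertion. Simplification: an HMAC under the credential key stands in for
# the authenticator's ECDSA signature; the origin and rpId binding shown is the real mechanism.
def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: str):
    """Browser writes `origin` itself and refuses credentials whose rpId isn't a suffix of the host."""
    host = urlsplit(page_origin).hostname
    if not (host == RP_ID or host.endswith("." + RP_ID)):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    signed = RP_ID_HASH + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": RP_ID_HASH,
            "signature": hmac.new(cred_key, signed, hashlib.sha256).digest()}

def rp_verify_assertion(cred_key: bytes, assertion: dict, challenge: str) -> bool:
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                                  # not the login we issued (blocks replay)
    if cd.get("origin") != RP_ORIGIN or assertion["authenticatorData"] != RP_ID_HASH:
        return False                                  # produced on another origin (blocks relay)
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(),
                               assertion["signature"])

def demo() -> dict:
    secret, cred_key, now = os.urandom(20), os.urandom(32), int(time.time())
    challenge = os.urandom(16).hex()
    genuine = browser_get_assertion(cred_key, RP_ORIGIN, challenge)
    relayed = browser_get_assertion(cred_key, LOOKALIKE, challenge)  # victim is on the relay page
    return {
        "totp_relay_accepted": rp_verify_totp(secret, totp(secret, now), now),  # code forwarded as-is
        "passkey_relay_accepted": relayed is not None and rp_verify_assertion(cred_key, relayed, challenge),
        "passkey_replay_accepted": rp_verify_assertion(cred_key, genuine, os.urandom(16).hex()),
        "genuine_passkey_accepted": rp_verify_assertion(cred_key, genuine, challenge),
    }
```

The relayed TOTP is accepted because nothing in it records where it was typed; the passkey never leaves the browser for the wrong origin, and even a captured genuine assertion fails the challenge check on a second use.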

Zimperium's full research, including indicators of compromise, is available here. Darktrace's full sports sector threat report is available here.