Cybercriminals have already established extensive malicious infrastructure targeting the FIFA World Cup 2026, months before the tournament begins on June 11. Research from FortiGuard Labs reveals that more than 13,000 FIFA-themed domains were registered between January and May 2026, with approximately 8.8% flagged as malicious or suspicious. The threat landscape includes fake ticketing websites, phishing campaigns, malicious mobile applications, fraudulent job postings, and widespread social media impersonation targeting fans, employees, and organizations connected to the event.
Major sporting events create ideal conditions for cybercrime due to high search volumes, emotional engagement, and large-scale digital transactions. Fans searching for tickets, merchandise, live streams, and travel packages often turn to unofficial channels when official options are unavailable. Organizations managing logistics, staffing, and third-party coordination face their own risks. Attackers exploit this urgency and complexity by creating convincing fake websites and accounts that can deceive victims in seconds.
The technical infrastructure behind these campaigns is diverse and sophisticated. FortiGuard Labs identified malicious executables like '1xbet.exe' showing persistence mechanisms and encrypted communications, along with suspicious Android Package Kit (APK) files distributed through third-party download sites. One credential-stealing operation used fake FIFA job advertisements with calendar invites directing victims to phishing sites mimicking Google login pages, with multiple domains sharing the same Google Analytics tracking ID. The attackers leveraged Render-hosted APIs to deploy malicious infrastructure that blends with legitimate web traffic. Stealer log telemetry revealed over 4,600 FIFA-related URLs connected to malware families including Vidar, LummaC2, and RedLine, with more than 260 FIFA employee credentials and 270,000 fan credentials exposed.
The impact extends across multiple sectors including sports, travel, hospitality, media, retail, finance, and government. FortiGuard Labs detected over 1,700 suspected impersonation accounts, with nearly 90% on Facebook and Instagram, used to distribute fake promotions, fraudulent livestream links, and phishing content. Fake ticketing remains the highest-risk threat, with scammers promoting bogus limited-time offers through Telegram channels, underground forums, and search advertisements. Some campaigns bundled fraudulent tickets with counterfeit flight and hotel packages to increase credibility. The threat extends to fake merchandise storefronts, cryptocurrency scams, and malicious betting platforms.
Security teams should immediately begin monitoring for lookalike domains, brand impersonation, malicious advertisements, and credential leaks involving employees, partners, and customers. Organizations need to assess protections against phishing, malware, credential theft, and account takeover attacks. Users should purchase tickets only through official FIFA channels, avoid installing applications from third-party sources, verify job postings on legitimate websites, and treat urgent payment requests with suspicion. The research demonstrates that attackers do not wait for events to begin but establish their infrastructure months in advance, requiring defenders to start preparations early.
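The shared Google Analytics tracking ID noted in the job-advertisement campaign is a pivot defenders can use when monitoring lookalike domains: pages that embed the same ID are likely operated together. The following is an added example, not code from FortiGuard Labs; the function names, sample domains and tracking IDs are constructed for illustration, and it assumes the page HTML has already been collected by a crawler or sandbox.

```python
import re
from collections import defaultdict

# Legacy Universal Analytics IDs look like UA-<account>-<property>;
# GA4 measurement IDs look like G-<alphanumeric>.
UA_RE = re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b")
GA4_RE = re.compile(r"\bG-[A-Z0-9]{8,12}\b")


def tracking_keys(html):
    """Return the set of pivot keys found in one page's HTML."""
    # Collapse UA IDs to the account number so sibling properties still match.
    keys = {f"UA-{acct}" for acct in UA_RE.findall(html)}
    keys.update(GA4_RE.findall(html))
    return keys


def cluster_by_tracking_id(pages, known_good=frozenset()):
    """Map each tracking key to the sorted domains that embed it.

    pages: dict of domain -> HTML already fetched by a crawler or sandbox.
    known_good: keys belonging to your own properties, excluded from results.
    Only keys seen on two or more domains are returned.
    """
    by_key = defaultdict(set)
    for domain, html in pages.items():
        for key in tracking_keys(html) - set(known_good):
            by_key[key].add(domain.lower().rstrip("."))
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= 2}


# Constructed sample pages; domains use the reserved .example TLD.
SAMPLE_PAGES = {
    "careers-worldcup.example": "<script>gtag('config', 'G-ABCD123456');</script>",
    "wc26-jobs.example": "<script src='/gtag/js?id=G-ABCD123456'></script>",
    "tickets-promo.example": "<script>ga('create', 'UA-5550001-2', 'auto');</script>",
    "fan-store.example": "<script>ga('create', 'UA-5550001-7', 'auto');</script>",
    "unrelated-blog.example": "<script>gtag('config', 'G-ZZZZ999999');</script>",
}

if __name__ == "__main__":
    for key, domains in sorted(cluster_by_tracking_id(SAMPLE_PAGES).items()):
        print(key, "->", ", ".join(domains))
```

A cluster is a lead for analyst review rather than proof of common ownership, since tracking snippets are sometimes copied along with cloned page templates.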
Source: http://www.fortinet.com/blog/threat-research/cybercriminals-are-targeting-the-fifa-world-cup-2026


