The FIFA World Cup 2026 Threat Landscape Report reveals a substantial increase in cybercriminal activity as the FIFA World Cup 2026 gets underway. New research from Fortinet revels cybercriminals have already established infrastructure to exploit interest surrounding the FIFA World Cup 2026 and are , building a layered ecosystem of scams, phishing operations and malware campaigns designed to capitalise on one of the world’s largest sporting events.
The findings from FortiGuard Labs suggest that the threat landscape is not emerging with the tournament—it is already operational. Between January and May 2026, more than 13,000 World Cup-themed domains were registered, with nearly 8.8% flagged as malicious or suspicious. The scale indicates a coordinated effort by threat actors to position infrastructure well ahead of peak fan engagement.
For businesses and users alike, the pattern is straightforward: where attention goes, attackers follow. And the World Cup—driven by ticket demand, travel planning, merchandise sales, streaming searches and betting activity—offers an unusually dense concentration of high-value digital behaviour.
Fake Ticketing Remains One of the Highest-Risk Lures
Ticketing scams remain the most visible threat because they exploit scarcity. Fraudulent websites impersonating official FIFA portals are being used to harvest credentials and payment data, often wrapped in urgency-driven messaging such as “limited availability” or “last chance” offers. FortiGuard Labs identified numerous counterfeit ticketing sites mimicking official FIFA pages that gather personal info, login details, billing, and payment data. In several cases, researchers found fake checkout flows designed to closely mimic legitimate ticket purchase journeys, lowering user suspicion during critical decision moments.
Social Media Impersonation Expands the Attack Surface
Beyond ticketing, the ecosystem expands across multiple vectors. Social media impersonation has emerged at scale, with more than 1,700 suspected fake accounts identified across platforms including Facebook and Instagram. These accounts are being used to distribute phishing links, fraudulent livestream access, fake promotions and resale offers, often embedded within otherwise legitimate fan discussions.
Malware Is Also Part of the Tournament Threat Landscape
Malware distribution is also part of the threat architecture. The report highlights FIFA-themed applications and executables distributed through unofficial channels, including betting and streaming-related tools exhibiting behaviours associated with credential theft, persistence, encrypted communications and potential ransomware activity.
Fake Job Postings Target People Looking for Opportunity
Job-related scams add another dimension, targeting the seasonal hiring spike around the tournament. Attackers are posing as recruiters and sponsors, directing victims to counterfeit login pages designed to capture Google and other credentials. In some cases, the campaigns are supported by coordinated infrastructure, including shared tracking IDs across multiple fraudulent domains—suggesting organised, repeatable operations rather than isolated attempts.
Credential Exposure Raises the Stakes
The report also flags a deeper risk layer with large-scale credential exposure. FortiGuard Labs has identified thousands of FIFA-related entries in stealer malware logs tied to families such as Vidar, LummaC2 and RedLine, alongside hundreds of employee credentials and a far larger pool of user data drawn from previous breaches. While not all credentials are actively exploited, they provide a ready dataset for credential stuffing, account takeover and targeted phishing campaigns timed around peak tournament activity.
The broader concern is not simply the diversity of attack methods but their convergence around a single global event. Sporting mega-events compress attention, urgency and financial transactions into a short window—creating ideal conditions for social engineering at scale.
“What this research shows is that cybercriminals are not waiting for the first match. They are preparing months in advance by building phishing infrastructure, impersonation networks, malware distribution channels and credential theft campaigns designed to capitalise on the global attention surrounding the tournament. For organisations, the challenge extends well beyond ticket scams. The FIFA World Cup creates a vast digital ecosystem involving travel, hospitality, retail, media, financial services and critical infrastructure, all of which can become targets. The most effective defence is early preparation, strong credential security, continuous monitoring and user awareness,” said Vishak Raman, Vice President of Sales, India, SAARC, SEA & ANZ at Fortinet.