
Cybersecurity research by FortiGuard Labs has found a vast horizon of dark and duplicitous hacking activity as the 2026 FIFA World Cup kicks off this week.
- 1,100+ Shady Domains: Nearly 9% of the 13,000 newly registered World Cup .com sites are fraudulent, peaking right before kickoff.
- Credential & Ticket Theft: Fake ticketing portals and Telegram groups use realistic "login" walls and false error messages to steal credit cards and passwords.
- Malware via Free Streams: Downloading "free 4K players" or betting trackers infects devices with infostealers that quietly drain browser passwords and crypto keys.
- High-Level Impersonation: Scammers are using over 1,700 fake social profiles and have even breached official organizations like the Moroccan Football Federation to appear legitimate.
Excitement is ramping up in the days leading up to the World Cup, as a last-minute frenzy for tickets and a multitude of streaming options for fans watching at home unfold.
A report by FortiGuard Labs found that 13,000 World Cup domains have been registered since the start of the year, and of those, almost 9% are deemed shady.
An overwhelming majority of these are registered under “.com” domains, which creates a trusted first impression.
And when tens of millions of fans are scrambling around for streaming or ticketing links, or even job opportunities related to the event, they are more prone than ever to drop their guard. FOMO (fear of missing out) provides a ripe opportunity for cybercrime.
Handing over your credentials
Traps described in the report include copycat websites that trick you into handing over your credit card details, thinking you’re purchasing tickets, only to be duped and have your financial credentials stolen.
Another is a “create a FIFA ticket profile” page, which offers to check available seats but returns fake error messages like “failed to fetch” or “incorrect password.”
That may lead to the false belief that it was just a glitch, but the hacker may have just stolen your passwords.
Some users may also want to stream a game, especially if there are restrictions in the country in question. And there’s certainly no shortage of “Free World Cup 4K Live Stream Player” type products out there.
In addition, “tournament betting trackers” can be alluring if you fancy a flutter. To get them working, many users bypass their computers' security warnings, and in the blink of an eye, something called an infostealer can go to work.
The main infostealers at play are called Vidar, LummaC2, or RedLine, which could be playing tiki-taka (soccer passing term) with your data.
This is basically malware that quietly runs in the background of your device, copies every password saved in your web browser, steals your crypto wallet keys, and sends it all back to the hacker. Hey presto, your whole security world is their oyster.
The researchers found a sudden, sharp spike in fraudulent domain registrations between March and May 2026 as the tournament kickoff approaches.
Increasing credibility
Quite often, creating an account on a portal creates the illusion of security.
By forcing victims to sign in or create an account, hackers look legitimate while capturing the login combinations they are after, and it’s not just the FortiGuard research that confirms this.
Across dark web forums, enticing ticket packages can be found, including accommodation offers and cut-price tickets, which sound plausible, especially when it’s common knowledge that match tickets are being sold at a discount, lest stadiums be half-empty.
Thousands of subscribers are invited to join Telegram channels, with a flurry of buzz and excitement leading to irreversible psychological pressure to cut corners and purchase a whole variety of duplicitous content, from streaming to full holiday packages.
A bogus name like “tickets4sports[.]com” falsely claims it launched in 2007, when, in actual fact, the researchers found it was created in March 2026.
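The gap between a site's claimed launch year and its actual registration date can be checked against the domain's RDAP record. The sketch below is an added example, not code from the FortiGuard report; the domain name, dates, page text and the 180-day threshold are constructed assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed RDAP-style domain object (RFC 9083 field names); the name and
# dates are illustrative placeholders, not data from the report.
SAMPLE_RDAP = json.loads("""
{"ldhName": "worldcup-tickets.example",
 "events": [
   {"eventAction": "registration", "eventDate": "2026-03-10T08:15:00Z"},
   {"eventAction": "expiration",   "eventDate": "2027-03-10T08:15:00Z"}]}
""")

# Constructed page copy imitating a "trusted since" claim.
SAMPLE_PAGE_TEXT = "Official match tickets. Trusted by fans since 2007."

CLAIM_RE = re.compile(
    r"(?:since|established|founded|est\.?|launched)\s+(?:in\s+)?((?:19|20)\d{2})",
    re.I,
)


def registration_date(rdap):
    """Return the registration event time of an RDAP domain object, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def claimed_years(text):
    """Extract the years a page claims to have been operating since."""
    return sorted({int(year) for year in CLAIM_RE.findall(text)})


def assess(rdap, page_text, now, new_domain_days=180):
    """List findings: a recently registered domain, and age claims it contradicts."""
    reg = registration_date(rdap)
    if reg is None:
        return ["no registration date in record"]
    findings = []
    age_days = (now - reg).days
    if age_days < new_domain_days:  # threshold is an assumption, tune per policy
        findings.append(f"newly registered: {age_days} days old")
    for year in claimed_years(page_text):
        if year < reg.year:
            findings.append(f"claims {year} but registered {reg.date()}")
    return findings


if __name__ == "__main__":
    now = datetime(2026, 6, 11, tzinfo=timezone.utc)
    print(assess(SAMPLE_RDAP, SAMPLE_PAGE_TEXT, now))
```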
When requesting payment, the sites link quickly to a spread of widely used payment methods such as bitcoin, bank wires, Apple Pay, Zelle, and CashApp QR codes, a diversification trap that leads the fan to fatally reach for their wallet.
The storefront facades mask cheap backend operations, with automated fake checkout invoices traced directly back to a generic personal Gmail account such as “kueteleni@gmail[.]com.”
Other tactics at play
Social media is also swarming with impersonation accounts. The researchers found over 1,700 examples of fake tournament impersonation, with the majority on Facebook and Instagram.
When applying for temporary jobs abroad, such as event staffing or hospitality roles, false Google Calendar invites are used to hook the user in and maximize engagement.
Real-time data theft is possible at any moment, whether a “failed to retrieve” error message appears at the first click or after an established series of clicks and transactions between the predator and prey.
The researchers have found 270,430 leaked credentials so far.
What’s more, some hackers have even penetrated authentic football governing bodies, in particular the Moroccan Football Federation (FRMF), to appear to be doing business with the body, further fooling the end-user.
Other institutions at risk include Mexican state authorities (as Mexico is one of the host nations alongside the US and Canada), as political hacktivists can air their disapproval of attractive tourist packages. They can, therefore, tag their data breaches with anti-establishment slogans to create digital protest banners.