SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers
Cybercriminals target FIFA World Cup 2026 fans online

Fri, 5th Jun 2026

Fortinet has published research showing cybercriminals are exploiting interest in the FIFA World Cup 2026. The activity is already under way across websites, social media and malware campaigns.

Its FortiGuard Labs unit found that more than 13,000 FIFA World Cup 2026-themed domains were registered between January and May 2026. About 8.8 per cent were identified as malicious or suspicious through pattern analysis and scam activity.

The findings point to a broad online fraud effort built around demand for tickets, travel, merchandise, livestreams, betting services and jobs linked to the tournament. Organisations involved in logistics, staffing, customer service, media work and third-party coordination could also face related risks.

Domain surge

FortiGuard Labs reported a sharp rise in FIFA-themed domain registrations from March to May 2026. Many misused FIFA branding and included terms linked to ticketing, streaming, betting and hospitality.

Attackers have set up hundreds of fake websites designed to look credible long enough to persuade users to click, enter information or make payments. The report grouped the main threats into phishing, fake ticketing sites, resale scams promoted through Telegram and other channels, fake merchandise shops, malicious betting and streaming apps, risky third-party Android Package Kit downloads, social media impersonation, fake job advertisements, cryptocurrency scams and credential theft.

Ticket scams were among the most visible risks. Fans who fail to secure seats through official channels often turn to resale platforms, social media groups, search adverts or peer-to-peer marketplaces, creating an opening for fraudsters.

FortiGuard Labs identified numerous counterfeit ticketing sites that copied official FIFA pages and sought personal details, login information, billing data and payment card details. In one example, a domain registered in May 2026 reproduced FIFA content and used a fake checkout process to gather sensitive information.

Some schemes advertised on underground forums and Telegram channels combined fake match tickets with counterfeit flight and hotel packages. Researchers said this was intended to make bogus offers appear more complete and believable.

Social media risk

Researchers identified more than 1,700 suspected FIFA-related impersonation accounts and channels across social media and messaging services. Nearly 90 per cent were found on Facebook and Instagram.

These accounts can be used for fake promotions, ticket fraud, fraudulent livestream links, phishing, misinformation and malware distribution. Their reach is amplified by fans discussing fixtures, travel and ticket availability in public online spaces.

Social media scams can appear convincing because they are inserted into normal conversations. A fake ticket seller inside a fan group or a livestream link shared shortly before a match may seem plausible enough to draw clicks and payments.

Malware and jobs

Malware also featured in the research. FortiGuard Labs highlighted an executable known as 1xbet.exe that showed signs of persistence, encrypted communications and possible ransomware behaviour.

It also found suspicious FIFA-themed APK files on third-party download sites. Demand for betting apps, livestreaming tools, score trackers and promotional software around major sporting events creates an opening for attackers to distribute fake or altered programs.

Another area of concern was recruitment fraud. The tournament is expected to generate interest in temporary work, contracting, hospitality, logistics and media roles, and researchers said attackers are trying to exploit that demand.

FortiGuard Labs found a credential-stealing operation that used fake FIFA-related job advertisements and sponsor recruitment posts. Victims were sent calendar invites and directed to phishing pages containing a counterfeit Google login screen, where entered credentials could be captured after a generic error message appeared.

Several domains impersonating FIFA, sponsors and affiliated organisations shared the same Google Analytics tracking ID, suggesting a coordinated campaign. The credential theft process also used Render-hosted application programming interfaces, showing how legitimate cloud services can be used in malicious infrastructure.
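The shared-tracking-ID pivot described above can be reproduced over a defender's own crawl data. This is an added example, not code from FortiGuard Labs or the report; the domains, tracking IDs, the OWN_IDS set and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Approximate patterns for Universal Analytics (UA-...) and GA4 (G-...) IDs.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b")

# Constructed stand-in for the tracking IDs the brand itself uses.
OWN_IDS = frozenset({"G-OFFICIAL01"})

# Constructed crawl results: suspect domain -> captured HTML. All domains use
# the reserved .example TLD and every tracking ID is made up.
PAGES = {
    "tickets-cup.example": "<script src='https://www.googletagmanager.com/gtag/js?id=G-TEST000001'></script>",
    "sponsor-jobs.example": "<script>gtag('config', 'G-TEST000001');</script>",
    "cup-careers.example": "<script>ga('create', 'UA-00000000-1', 'auto'); gtag('config', 'G-TEST000001');</script>",
    "cup-checkout.example": "<script>gtag('config', 'G-OFFICIAL01');</script>",
    "fan-blog.example": "<script>gtag('config', 'G-TEST000002');</script>",
    "no-analytics.example": "<html><body>hello</body></html>",
}

def cluster_by_ga_id(pages, own_ids=frozenset(), min_domains=2):
    """Group suspect domains by the analytics IDs embedded in their HTML."""
    by_id = defaultdict(set)
    for domain, html in pages.items():
        for ga_id in GA_ID_RE.findall(html):
            by_id[ga_id].add(domain)
    clusters = {}
    for ga_id, domains in by_id.items():
        if ga_id in own_ids:
            # The brand's own ID on a foreign domain points to a page copied
            # wholesale from the official site, not to a common operator.
            clusters[ga_id] = ("cloned-page", sorted(domains))
        elif len(domains) >= min_domains:
            # Same unknown ID on several domains: candidate campaign cluster.
            clusters[ga_id] = ("shared-id", sorted(domains))
    return clusters

if __name__ == "__main__":
    for ga_id, (kind, domains) in sorted(cluster_by_ga_id(PAGES, OWN_IDS).items()):
        print(ga_id, kind, ", ".join(domains))
```

A shared ID is a lead for analyst review, not proof of common ownership, since tracking snippets are also carried along when a page template is reused.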

Exposed credentials

FortiGuard Labs detected more than 4,600 URLs associated with FIFA in stealer log telemetry, linked to malware families including Vidar, LummaC2 and RedLine. Researchers also found more than 260 FIFA employee credentials and more than 270,000 credentials from users and fans visiting FIFA-related websites in delimiter-based stealer log data.

In addition, the report found more than 1,500 records of FIFA-related employee and organisational accounts in past breach datasets. It noted that this did not mean all exposed accounts were still active or currently being exploited, but said the information could still support credential stuffing, account takeover, targeted phishing, impersonation and fraud.

Fortinet urged organisations in sports, travel, hospitality, media, retail, finance, government, transport and critical infrastructure to prepare early for tournament-related threats. Suggested steps included monitoring for lookalike domains, brand impersonation, malicious advertising, fake social media profiles and credential leaks involving staff, partners and customers.
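One way to triage a feed of newly registered names for the lookalike-domain monitoring suggested above. This is an added example, not tooling from Fortinet or the report; the theme list, the allowlist, the scoring and the sample feed are assumptions made for illustration.

```python
import re

BRAND = "fifa"
# Theme words follow the report's categories; the exact list is an assumption.
THEMES = ("ticket", "stream", "bet", "hotel", "hospitality", "job", "shop", "live")
OFFICIAL = {"fifa.com"}  # assumed allowlist of brand-owned registrable domains
LEET = str.maketrans("01345", "oieas")  # fold common digit-for-letter swaps

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score(domain):
    """Return (score, reasons); score 0 means official or not brand-related."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in OFFICIAL):
        return 0, ["official"]
    name = domain.rsplit(".", 1)[0]  # drop the last label only (no public-suffix list)
    folded = name.translate(LEET)
    tokens = [t for t in re.split(r"[^a-z]+", folded) if t]
    if BRAND in folded:
        reasons = ["brand" if BRAND in name else "brand-digit-swap"]
    elif any(len(t) >= 4 and edit_distance(t, BRAND) == 1 for t in tokens):
        reasons = ["brand-typo"]  # also hits unrelated near-words; needs review
    else:
        return 0, []
    themes = [t for t in THEMES if t in folded]
    return 2 + len(themes), reasons + ["theme:" + t for t in themes]

def triage(domains):
    """Flagged domains, highest score first, ties in alphabetical order."""
    hits = [(score(d)[0], d) for d in domains]
    return [d for s, d in sorted(hits, key=lambda h: (-h[0], h[1])) if s > 0]

# Constructed feed of newly registered names (reserved .example TLD).
FEED = ["fifa-tickets2026.example", "f1fa-live-stream.example", "fiffa-bet.example",
        "fifa.com.login.example", "tickets.fifa.com", "cityhotel.example"]

if __name__ == "__main__":
    for d in triage(FEED):
        print(d, *score(d))
```

The allowlist check runs first so that genuine subdomains are never flagged, while a name that merely starts with the official domain, such as the constructed fifa.com.login.example, still is.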

The research also advised users to rely on official ticketing channels, avoid third-party APK downloads, treat livestream links with caution, verify job postings through official sources and be wary of urgent payment requests.

"Attackers capitalise on attention. With the FIFA World Cup 2026 attracting worldwide focus, cybercriminals are already setting up the infrastructure to take advantage. You need to prepare accordingly," FortiGuard Labs said.