Cybercriminals are ramping up operations around the FIFA World Cup 2026, with researchers warning that fraud campaigns, credential theft schemes, fake websites, and malware-laced applications are already active before the tournament’s opening match.
New research from FortiGuard Labs found that more than 13,000 FIFA World Cup-themed domains were registered between January and May 2026. Approximately 8.8% of those domains were identified as malicious or suspicious, indicating that attackers have spent months building infrastructure designed to exploit interest in the tournament.
The activity spans far beyond fake ticket sales. According to the report, cybercriminals are targeting fans searching for tickets, travel arrangements, merchandise, livestreams, betting services, and tournament-related jobs. At the same time, businesses involved in hospitality, transportation, media operations, customer support, and event logistics are facing increased exposure to phishing campaigns, account compromise attempts, and fraud.
Researchers found hundreds of websites impersonating FIFA and organizations connected to the tournament. Many of the domains were designed to steal credentials, collect payments, or redirect visitors to fraudulent services. Fortinet also identified more than 1,700 spoofed FIFA-related social media accounts being used to promote scams and impersonate legitimate organizations.
One of the largest concerns involves stolen credentials. FortiGuard Labs reported finding more than 4,600 FIFA-related URLs inside logs generated by credential-stealing malware. Researchers also identified over 260 FIFA employee credentials and more than 270,000 credentials belonging to users and fans who visited FIFA-related websites. The exposed data was linked to malware families including Vidar, LummaC2, and RedLine. Researchers cautioned that even older credentials can be used in account takeover attempts, phishing operations, and impersonation campaigns.
Fraud targeting job seekers has also emerged as a major theme. According to the report, attackers created fake recruitment campaigns advertising World Cup-related employment opportunities. Victims were directed to counterfeit login pages where credentials were collected after users attempted to sign in. Researchers said multiple fraudulent domains shared common tracking identifiers, suggesting coordinated activity rather than isolated scams.
Malware distribution campaigns are also leveraging tournament interest. Fortinet identified suspicious FIFA-themed Android application packages and malicious executables distributed through unofficial websites. The company said attackers are exploiting demand for livestreaming tools, betting applications, score trackers, and promotional software by disguising malware as legitimate tournament-related apps.
The findings align with warnings issued by government and private-sector security organizations. Canada’s Centre for Cyber Security assessed that cybercriminals will almost certainly exploit public interest in the tournament through phishing campaigns, fake ticket sales, fraudulent travel offers, counterfeit merchandise stores, malicious mobile applications, and credential theft operations.
Researchers say the volume of malicious activity demonstrates that attackers are treating the World Cup as a major business opportunity. Rather than waiting for kickoff, threat actors have already built the infrastructure needed to capitalize on the millions of fans expected to search for tickets, travel services, livestreams, and tournament-related information throughout the competition.