Cybercriminals target FIFA World Cup fans online before opening match

THURSDAY, JUNE 11, 2026

FortiGuard Labs says more than 13,000 tournament-related domains were registered from January to May, with fake tickets, social media scams and malware among the risks.

  • Cybercriminals created extensive scam infrastructure months before the World Cup, registering over 13,000 new domains, with nearly 9% classified as malicious or suspicious.
  • Primary scams include fake websites that mimic official FIFA pages to sell fraudulent tickets and travel packages, aiming to steal users' personal and financial data.
  • Attackers are heavily using social media, with over 1,700 detected fake accounts, to spread phishing links, malware, and fake livestream offers to unsuspecting fans.
  • Malware is also being distributed through fake football streaming apps and online betting platforms, while fraudulent job advertisements are used to steal account credentials.

The FIFA World Cup 2026, which opens on Thursday (June 11, 2026), is not only a global sporting event attracting worldwide attention.

It is also becoming a money-making arena for cybercriminal groups that are rushing to build infrastructure for scams and digital attacks in advance.

According to the latest report by FortiGuard Labs, more than 13,000 new domains related to the FIFA World Cup 2026 were registered between January and May 2026.

About 8.8% were classified as malicious or displaying suspicious behaviour, showing that scam networks are not waiting for the tournament to begin but have been planning and acting months before the opening match.

The data points to a key trend: every global event in the digital era generates not only economic value but also an “underground economy” for cybercrime, using consumer interest as a tool for profit.

Fake websites and fake tickets spread widely

One of the most common scams is the creation of fake ticket-selling websites, exploiting demand among football fans who want to attend matches while ticket numbers are limited.

FortiGuard Labs found many websites closely imitating FIFA’s official pages, including ticket sales, travel package sales and online payment pages.

Their main aim is to steal users’ personal data, credit card details and payment information.

Advertisements selling tickets through Telegram and various online platforms were also found.

In some cases, the offers included full packages covering air tickets, hotels and match tickets, to appear more credible and push victims into transferring money quickly.

Social media becomes a channel to deceive victims

Another important channel being used as an attack tool is social media.

The report says more than 1,700 suspected accounts linked to FIFA impersonation were detected, with almost 90% on Facebook and Instagram.

These accounts were used to deceive users into buying tickets, share fake livestream links, send phishing links and spread malware, relying on trust within football fan communities where information is continually exchanged during the tournament.

Experts say the concern over social media scams lies in their subtlety, as they often hide within ordinary user conversations, making them harder to detect than traditional attacks.

Football streaming apps and betting websites carry malware risks

FortiGuard Labs also found the World Cup theme being used to distribute malware through fake applications and installer files, especially APK files for Android distributed via third-party download websites.

At the same time, executable files falsely claiming to be linked to online gambling platforms were found to show behaviour similar to ransomware-type malware.

The risk increases during the tournament because many users want access to live football streaming services, sports betting platforms or match-tracking apps, increasing the chance that they will download software from untrusted sources.

World Cup creates jobs but opens a door to fraudsters

Beyond fake ticket sales and phishing, criminal groups are also using “fake job advertisements” as an attack tool.

FortiGuard Labs found scam campaigns falsely claiming to offer jobs with FIFA and tournament sponsors, sending applicants links to a fake Google login page to steal accounts and passwords.

Checks also found links between multiple domains using the same infrastructure, indicating that the attacks are not scattered but are planned and run systematically as a network.

More than 270,000 accounts leaked

FortiGuard Labs also found more than 4,600 FIFA-related URLs in the databases of well-known information-stealing malware such as Vidar, LummaC2 and RedLine.

More than 270,000 user accounts and passwords linked to FIFA systems and football fans worldwide were also found in databases stolen by malware, along with more than 1,500 account records belonging to FIFA-related employees and organisations.

Although some of the data may be old information leaked in past incidents, it can still be reused in account takeover attacks, targeted phishing or impersonation.

Organisations and fans urged to raise security

FortiGuard Labs recommends that organisations in the sports, tourism, media, finance and retail sectors, as well as government agencies, strengthen monitoring of fake domains, brand impersonation, fake social media accounts and user data leaks.
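An added example, not part of the FortiGuard Labs report or this article: one way a brand-monitoring team could triage newly registered domains and surface the kind of shared-infrastructure clusters described above. The keyword list, the official allowlist and the use of hosting IP as the link between domains are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Assumptions for this example (not from the report): the keyword list,
# the official allowlist, and hosting IP as the shared-infrastructure link.
KEYWORDS = ("fifa", "worldcup", "wc2026")
OFFICIAL = {"fifa.com"}


def registrable(domain):
    """Naive registrable domain: the last two labels. Production code should
    use the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_lookalike(domain):
    """True if the name carries a tournament keyword but is not official."""
    if registrable(domain) in OFFICIAL:
        return False
    # Drop hyphens and dots so "world-cup" and "fifa.com.login" still match.
    squashed = domain.lower().replace("-", "").replace(".", "")
    return any(keyword in squashed for keyword in KEYWORDS)


def shared_infrastructure(records, min_size=2):
    """Group lookalike domains by hosting IP and keep only the IPs that
    serve at least min_size of them."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        if is_lookalike(domain):
            by_ip[ip].add(domain.lower())
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= min_size}


# Constructed sample data: reserved .example names and documentation IPs.
SAMPLE = [
    ("www.fifa.com", "192.0.2.10"),
    ("fifa-tickets-2026.example", "203.0.113.7"),
    ("world-cup-live-stream.example", "203.0.113.7"),
    ("wc2026-jobs.example", "203.0.113.7"),
    ("worldcup-travel.example", "198.51.100.4"),
    ("local-bakery.example", "203.0.113.7"),
]

if __name__ == "__main__":
    for ip, domains in shared_infrastructure(SAMPLE).items():
        print(ip, domains)
```

A single flagged domain on an IP is only a lead for review; several keyword-bearing names on one host are what suggest a coordinated campaign.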

Members of the public should buy tickets only through official channels, avoid downloading apps from external websites, verify livestream links and be cautious of offers that pressure them to transfer money or disclose personal information.

The key lesson from the 2026 World Cup is that cybercriminals never wait for a tournament to begin.

They start creating their own business opportunities before the first whistle is blown, while consumers and businesses need to raise their own defences to keep pace with threats that are evolving as quickly as today’s digital technology.