A warning said cybercrime aimed at the 2026 Fédération Internationale de Football Association (FIFA) World Cup is accelerating.
Security firm Fortinet said on the 9th that cybercrime threats targeting the FIFA World Cup 2026 are increasing. According to a study by FortiGuard Labs, Fortinet's threat intelligence unit, conducted from January to May this year, more than 13,000 new domains related to the FIFA World Cup 2026 were registered during this period. About 8.8% of them were classified as malicious or suspicious domains.
Fortinet said World Cup–related cybercrime is not confined to a single type but is being run like a criminal ecosystem. It said phishing sites, fake ticket sales, Telegram scalping scams, sham merchandise shops, malicious betting and streaming apps, impersonated social media accounts, fake job postings, and cryptocurrency scams are appearing at the same time.
The most common case is fake ticket sales sites. Attackers create pages that mimic FIFA's official site and entice users to pay by touting discounts or limited quantities. In the process, personal information, login credentials, and payment details can be stolen. In one domain registered in May, the operator copied FIFA content as is and collected victim information through a bogus payment process.
Impersonated social media (SNS) accounts are also among the main threat paths. Fortinet detected more than 1,700 FIFA-related accounts and channels suspected of impersonation on social media and messaging platforms, with about 90% of them concentrated on Facebook and Instagram. These accounts are used for a range of purposes, including fake ticket sales, bogus broadcast L.I.N.C, phishing, and malware distribution.
As demand grows for betting, streaming, and match information apps, threats against them are also rising. According to Fortinet, numerous malicious FIFA-related apps (APKs) distributed via third-party sites were identified, and some showed encrypted communications and ransomware-like behavior.
Actual leaks of login credentials also appeared to be substantial. FortiGuard Labs found more than 4,600 FIFA-related URLs in data collected by information-stealing malware. Analysis showed that more than 270,000 login credentials of users of FIFA-related sites were exposed. Separately, more than 1,500 accounts of FIFA officials and organizations were additionally found in previously leaked data.
Fortinet advised using FIFA's official channels when buying tickets and avoiding installing third-party apps and accessing broadcast L.I.N.C from unknown sources. It also noted that messages urgently demanding payment are likely scams and require particular caution. It said security teams at corporations should continuously monitor for look-alike domains, brand impersonation, malicious ads, fake social media accounts, and any exposure of employee and customer login credentials.