19,000 FIFA-Themed Domains and Counting: The 2026 World Cup Is a Playground for Cybercriminals

The 2026 FIFA World Cup hasn’t kicked off yet, but cybercriminals are already miles ahead. Since January, roughly 19,000 domains containing “fifa” have been registered — and a significant chunk of them are designed to steal your money, your data, or both.

The Scale of the Problem

Intel 471, the threat intelligence firm that’s been tracking this activity, doesn’t mince words. They call the 2026 tournament — spread across 16 host cities in the US, Canada, and Mexico with an estimated 6 billion spectators — “the largest and most complex cyberattack surface in sporting history.” That’s not hyperbole. You’ve got millions of travelers, billions of viewers, hundreds of official vendors, and a massive digital footprint spanning three countries. Every single touchpoint is a potential attack vector.

The FBI and Meta have both issued warnings. Meta even partnered with Visa to disrupt a scam network using official FIFA 2026 branding to funnel users into fraudulent gambling sites. But that’s just the tip of the iceberg.

Tickets, Travel, and Total Fraud

The phishing domains are brazen. Researchers spotted lookalike sites like fifa.pink, fifaticket2026vip.com, fifa.moe, fifa.buzz, fifa-web.co, and fifa-com.xyz — all impersonating official World Cup resources to harvest credentials and payment details from fans chasing tickets and merchandise.

On underground markets, the fraud goes deeper than phishing. Sellers are offering hotel bookings at 40–65% off Booking.com and Agoda prices, flights at 50–80% off standard rates, and rental cars at 60% discounts. If that sounds too good to be true, it is. There’s also a thriving trade in fraudulent border-crossing assistance and fake visa procurement — with prices ranging from $8,000 to $20,000 for illegal US entry routes and $6,000 per person for counterfeit World Cup visas.

Football Organizations Under Direct Attack

It’s not just fans getting hit. In April 2026, a threat actor claimed to have breached the Fédération Royale Marocaine de Football, publishing sample files containing names, nationalities, dates of birth, addresses, email addresses, phone numbers, passport numbers, and FIFA IDs. Around the same time, another attacker leaked a dataset allegedly from the Asian Football Confederation — thousands of passport records, contract files, and registration forms. The samples even purportedly included passport information connected to FIFA President Giovanni Vincenzo Infantino.

Malware Lurking in Streaming Lures

Intel 471 also flagged BTMOB, an Android remote access trojan sold as a malware-as-a-service package. It’s compatible with Android 12 through 16 and can read messages, execute commands, and access the cameras on victims’ devices. Campaigns in May 2026 were distributing it through streaming-related lures, a classic move during major sporting events when people are desperate to watch matches.

What You Should Do

If you’re planning to attend or follow the 2026 World Cup, treat every unsolicited offer with suspicion. Only buy tickets through fifa.com directly. Verify URLs carefully — scammers count on you not noticing the difference between “fifa.com” and “fifa-com.xyz.” Don’t click links in emails or social media posts about ticket deals. And if you’re traveling, book through reputable platforms, not underground forums.
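
The URL check described above can be automated in a mail filter or link scanner. The Python sketch below is an added example, not code from Intel 471 or the original article. It assumes fifa.com is the only official domain (the one the article names for ticket purchases); the function names and the sample URLs marked as constructed are illustrative.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = {"fifa.com"}   # assumption: the only domain the article names as legitimate
BRAND = "fifa"            # brand token seen in every lookalike the article lists

def hostname(url):
    """Return the lowercased host a browser would actually connect to."""
    # urlsplit only recognises a host after a scheme or a leading '//'
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url) and not url.startswith("//"):
        url = "//" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:        # malformed netloc, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".").lower()

def classify(url):
    host = hostname(url)
    if not host:
        return "invalid"
    # Exact match or a true subdomain; the leading dot stops 'example-fifa.com'
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    # Brand token anywhere else in the host (hyphens ignored) is a lookalike
    if BRAND in host.replace("-", ""):
        return "lookalike"
    return "unrelated"

def triage(urls):
    return {u: classify(u) for u in urls}

# Domains quoted in the article, plus constructed edge cases
SAMPLES = [
    "https://www.fifa.com/tickets",            # constructed path
    "fifa.pink", "fifaticket2026vip.com", "fifa.moe",
    "fifa.buzz", "fifa-web.co", "fifa-com.xyz",
    "https://fifa.com@fifa-web.co/login",      # constructed: userinfo trick
    "https://fifa.com.example.net/",           # constructed: official name as subdomain
    "http://example-fifa.com",                 # constructed: suffix without dot boundary
    "https://FIFA.com./",                      # constructed: case and trailing dot
    "https://www.example.org/worldcup",        # constructed: no brand in host
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {url}")
```

The check compares the parsed host, not the raw string, so text before an "@" or an official name used as a subdomain of another domain does not pass as official.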

Enable two-factor authentication on every account linked to your travel: airline, hotel, FIFA ticketing, everything. Use an authenticator app, not SMS. And keep your phone’s OS updated if you’re on Android, especially given the BTMOB RAT targeting newer Android versions.

What’s Next

Expect the threat volume to spike as the tournament approaches. Past events like the 2022 Qatar World Cup and the 2026 Winter Olympics saw concentrated DDoS campaigns against hotels, restaurants, transport companies, and Olympic committees. The 2026 World Cup’s multi-country footprint makes it an even richer target. Security teams at host cities, sponsors, and tournament infrastructure providers should be on high alert — and fans should be even more cautious with their wallets and their clicks.