Cybercriminals create 19,000 FIFA-themed domains ahead of 2026 World Cup

Fans looking for tickets, accommodation and match broadcasts are already encountering scams tied to the 2026 FIFA World Cup.

The 2026 FIFA World Cup will bring millions of visitors and an estimated 6 billion spectators to a tournament spread across 16 host cities in the United States, Canada and Mexico. In a new report, Intel 471 describes the 2026 FIFA World Cup as “the largest and most complex cyberattack surface in sporting history.”

FIFA-themed phishing campaigns are growing

About 19,000 domains containing references to “fifa” have been created since January 2026. The activity includes phishing campaigns designed to collect credentials and payment information from fans seeking tickets and merchandise.

The FBI and Meta have issued separate warnings about World Cup-related scams. Meta said it worked with Visa to identify and disrupt a scam network that used FIFA World Cup 2026 branding to direct users to fraudulent gambling websites, while the FBI warned that threat actors were using spoofed FIFA websites, fake ticket offers and fraudulent hospitality packages to target fans.

Several domains were found impersonating official World Cup resources, including fifa.pink, fifaticket2026vip.com, fifa.moe, fifa.buzz, fifa-web.co and fifa-com.xyz.

fifaticket2026vip.com phishing website screenshot (Source: Intel 471)

Ticket scams continue to circulate on social media and online communities. Fraudsters have used fake receipts as proof of purchase and requested deposits from victims seeking access to matches.

Travel-related fraud is expanding

Underground sellers advertised hotel reservations, airline tickets and vehicle rentals at steep discounts.

One seller offered accommodations at 40% to 45% of prices listed on Booking.com, flights at 50% of prices listed on Aviasales.com and vehicle rentals at 40% of prices listed on Rentalcars.com.

Another seller advertised hotel bookings at 50% to 65% of prices listed on Agoda.com and Booking.com, along with flights at 70% to 80% of prices listed on Aviasales.com.

Underground forums also contained offers for fraudulent border-crossing assistance and visa procurement services. One post advertised routes into the United States with fees ranging from US $8,000 to US $20,000. The same offer claimed to provide O-1 visas, O-2 visas and tourist visas linked to the World Cup for US $6,000 per person.

Data extortion activity targets football organizations

In April 2026, a threat actor claimed to have compromised the Fédération Royale Marocaine de Football and published sample files allegedly containing names, nationalities, dates of birth, addresses, email addresses, phone numbers, passport numbers and FIFA IDs.

During the same month, another threat actor claimed to have leaked a dataset from the Asian Football Confederation. The dataset allegedly contained thousands of passport records, email addresses, contract files and registration forms. Samples shared online purportedly included passport information connected to FIFA President Giovanni Vincenzo Infantino.

Large sporting events continue to attract hacktivist activity

The report cites attacks during the 2022 FIFA World Cup in Qatar and the 2026 Winter Olympics. During the Winter Olympics, websites associated with hotels, restaurants, tourist attractions, transportation companies and Olympic committees were targeted in distributed DDoS attacks. Screenshots of unavailable websites were later posted online as proof of the attacks.

Host cities, tournament infrastructure and sponsors were identified as potential targets for similar activity during the 2026 FIFA World Cup.

Streaming services are also being used as lures

Intel 471 highlighted activity involving BTMOB, an Android remote access trojan offered through a malware-as-a-service model.

The malware was promoted as compatible with Android versions 12 through 16 and included capabilities such as reading messages, executing commands, displaying victim information and accessing device cameras.

In May 2026, a campaign was identified distributing BTMOB through applications presented as IPTV or streaming platforms offering access to World Cup broadcasts. Social media posts also promoted IPTV services tied to the tournament, including DoxDoxIPTV, PortalTivi and Streamlixy.

“Since broadcasting subscriptions can be expensive or restricted to a specific geographical region, fans can turn to unofficial IPTV services or streaming platforms to watch matches. In turn, threat actors are actively adjusting their server infrastructure and pricing models to illegally cash in on the massive global demand for the 2026 World Cup,” Intel 471 said.