Cybercrime alert: Thousands of Fifa scam sites uncovered

New research reveals thousands of malicious sites mimicking official World Cup branding are operational well before the opening match.

Cybercriminals are not waiting for kick-off. FortiGuard Labs has exposed a highly co-ordinated cybercrime ecosystem that uses lookalike domains, malicious Android apps downloaded from unofficial sources (third-party APK downloads) and fake social media channels across Facebook and Instagram to target unsuspecting fans and organisations.

More than 13 000 new Fifa World Cup-themed domains were registered between January and May alone – and nearly 9% of them are already flagged as malicious or suspicious. With the June 11 opening match still to come, the cybercrime infrastructure is already fully operational and actively targeting fans and organisations globally.

A wide-ranging cybercrime ecosystem

Major international sporting events drive massive volumes of digital transactions and emotional urgency. Cybercriminals have anticipated these scenarios. Hundreds of fake websites have been engineered to look completely legitimate, earning a user’s trust for the few critical seconds required to steal credentials or data.

According to the report, this rapidly expanding threat ecosystem includes:

  • Phishing, fake ticketing websites and Telegram-based resale scams.
  • Fake merchandise storefronts, cryptocurrency scams, and fake airdrops.
  • Malicious betting, score trackers, and streaming applications (including third-party Android downloads).
  • Social media impersonation, fake job postings and credential exposure from stealer malware.

Ticket scams and social media exploitation

Ticketing scams remain one of the highest-risk threats because they exploit scarcity. Attackers capitalise on fan urgency by promoting bogus, limited-time discounts or bundling fraudulent match tickets with counterfeit flight and hotel packages.

FortiGuard identified numerous counterfeit sites mimicking official Fifa pages. One specific domain registered in May 2026 replicated official Fifa content and utilised a fake checkout page to harvest sensitive payment and billing details.

Concurrently, social media impersonation has expanded the attack surface. Researchers detected more than 1 700 suspected Fifa-related impersonation accounts and channels across messaging platforms, with nearly 90% found on Facebook and Instagram. These profiles allow attackers to drop malicious livestream links or fake promotions directly into legitimate fan conversations.

Malware, fake job scams and exposed credentials

Malicious software is an active part of the tournament’s digital threat landscape. FortiGuard detected a specific executable, ‘1xbet.exe’, exhibiting persistence, encrypted communications, and potential ransomware behaviour, alongside suspicious Android files on third-party sites.

Furthermore, attackers are targeting job seekers looking for temporary tournament roles. A co-ordinated credential-stealing campaign used fake Fifa-related job ads and sponsor recruitment posts to send calendar invites directing victims to a counterfeit Google login page. This operation uses application programming interfaces – tools that let different online systems communicate – hosted on Render, a cloud platform, to abuse legitimate services. It also tracks victims using the same Google Analytics tracking ID, so their activity looks like normal website traffic and is harder to spot.
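
A shared analytics ID is also a pivot for defenders: once one counterfeit login page is known, other pages carrying the same ID are candidates for the same campaign. The sketch below is an added example, not code from FortiGuard or the original article; the hostnames, page snippets and tracking IDs are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Universal Analytics (UA-<account>-<property>) and GA4 (G-<id>) identifiers.
GA_ID = re.compile(r"\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b")

def extract_ids(html):
    """Return every Google Analytics ID embedded in a page's HTML."""
    return set(GA_ID.findall(html))

def cluster_by_tracking_id(pages, own_ids=frozenset()):
    """Group hosts that share a tracking ID the organisation does not own.

    pages   -- {url: html} for pages collected during triage
    own_ids -- tracking IDs that legitimately belong to the organisation
    Only IDs seen on two or more distinct hosts are returned.
    """
    hosts_by_id = defaultdict(set)
    for url, html in pages.items():
        host = urlparse(url).hostname
        for tid in extract_ids(html) - set(own_ids):
            hosts_by_id[tid].add(host)
    return {tid: sorted(hosts) for tid, hosts in hosts_by_id.items()
            if len(hosts) >= 2}

# Constructed sample pages; every host and ID here is a placeholder.
PAGES = {
    "https://jobs-apply.example/login":
        '<script src="https://www.googletagmanager.com/gtag/js?id=G-TESTID0001"></script>',
    "https://signin-verify.example/":
        "<script>gtag('config', 'G-TESTID0001');</script>",
    "https://careers-portal.example/invite":
        '<script>gtag("config","G-TESTID0001")</script>',
    "https://www.corp.example/":
        "<script>gtag('config', 'G-OWNSITE001');</script>",
    "https://shop.corp.example/":
        "<script>gtag('config', 'G-OWNSITE001');</script>",
    "https://fan-blog.example/":
        "<script>ga('create', 'UA-1234567-1', 'auto');</script>",
    "https://static-page.example/": "<html><body>No analytics</body></html>",
}

if __name__ == "__main__":
    for tid, hosts in cluster_by_tracking_id(PAGES, {"G-OWNSITE001"}).items():
        print(tid, "shared by", ", ".join(hosts))
```

An ID that appears on a single host is left out, since one sighting gives no link between pages.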

The data stakes are incredibly high. FortiGuard uncovered extensive evidence of Fifa-related activity within stealer log telemetry (linked to malware families like Vidar, LummaC2, and RedLine), including:

  • Over 4 600 Fifa-associated URLs in stealer logs.
  • Over 260 exposed Fifa employee credentials.
  • Over 270 000 credentials from fans and users visiting Fifa-related websites.
  • Over 1 500 records of historical breach data tied to organisational accounts.

While not all accounts are currently active, this data gives cybercriminals the ammunition needed for credential stuffing, account takeover and targeted fraud.

What defenders and fans should do

Because cyber risks start well before the first whistle blows, organisations in sports, travel, hospitality, media, retail, finance, government, transportation and critical infrastructure must launch defensive preparations early.

Security teams need to actively monitor for lookalike domains, brand impersonations, malicious advertisements and credential leaks. Simultaneously, user education must be prioritised. Fans and employees should be reminded to stick to official ticketing channels, avoid unofficial Android app downloads, verify recruitment ads on official sites and remain highly sceptical of urgent payment requests or unverified streaming links. Attackers capitalise on global attention and defenders must prepare accordingly.
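
One way to start the lookalike-domain monitoring described above is to triage a feed of newly registered domains against brand keywords. This is an added example, not part of the original article or the FortiGuard report; the keyword list, the allow-listed domain and the sample feed are assumptions to replace with your own.

```python
import re

# Assumptions: watch-list keywords and the owner's real domain (set your own).
BRAND_TOKENS = ("fifa", "worldcup")
OFFICIAL_DOMAINS = {"fifa.com"}
# Digit-for-letter swaps commonly seen in lookalike registrations.
HOMOGLYPHS = str.maketrans("013457", "oieast")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_miss(token, text):
    """True if any window of text is within one edit of token."""
    n = len(token)
    return any(edit_distance(token, text[i:i + w]) <= 1
               for w in (n - 1, n, n + 1) for i in range(len(text) - w + 1))

def triage(domain):
    """Return the reasons a newly registered domain deserves analyst review."""
    name = domain.lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return []  # genuinely under an official domain
    reasons = []
    if any(label.startswith("xn--") for label in name.split(".")):
        reasons.append("punycode label")
    if any(f".{d}." in f".{name}" for d in OFFICIAL_DOMAINS):
        reasons.append("official domain used as subdomain")
    squashed = re.sub(r"[^a-z0-9]", "", name).translate(HOMOGLYPHS)
    for token in BRAND_TOKENS:
        if token in squashed:
            reasons.append(f"contains '{token}'")
        elif len(token) >= 6 and near_miss(token, squashed):  # short tokens: exact only
            reasons.append(f"near-miss of '{token}'")
    return reasons

# Constructed sample feed of new registrations (reserved .example names).
FEED = ["www.fifa.com", "fifa-tickets2026.example", "w0r1dcup-live.example",
        "f1fa-store.example", "fifa.com.secure-checkout.example",
        "gardening-tips.example"]

if __name__ == "__main__":
    for d in FEED:
        print(d, "->", triage(d) or "ok")
```

A hit is a prompt for review, not a verdict: fan sites and news coverage also use these keywords, so flagged domains still need content and reputation checks.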


Read original story on www.citizen.co.za
