2026 FIFA World Cup Digital Platforms Face Surge in Sophisticated Cyber Threats and Fraud

Executive Summary

Publication Date: June 2026

The 2026 FIFA World Cup, set to be the largest sporting event in history, is facing an unprecedented surge in cyber threats. As the tournament approaches, open-source intelligence (OSINT) and recent advisories from leading cybersecurity authorities reveal a dramatic escalation in criminal, hacktivist, and state-sponsored activity targeting the event’s digital ecosystem. Threat actors are exploiting the global attention on the World Cup to launch sophisticated campaigns against organizers, sponsors, vendors, and fans. This advisory synthesizes the latest technical intelligence, including exploitation tactics, indicators of compromise (IOCs), and real-world incidents, to provide actionable insights for organizations and individuals involved with the tournament.

Technical Information

The cyber threat landscape surrounding the 2026 FIFA World Cup is characterized by a convergence of advanced persistent threats (APTs), industrial-scale fraud, credential harvesting, ransomware, and disruptive hacktivist operations. The attack surface is vast, encompassing official FIFA digital platforms, third-party vendors, hospitality and ticketing systems, broadcasting partners, and the personal devices of millions of fans and staff.

Spoofed Websites and Credential Harvesting

The FBI Internet Crime Complaint Center (IC3) issued a Public Service Announcement in May 2026 warning of a surge in spoofed FIFA websites. These malicious domains employ typosquatting and alternative top-level domains (TLDs) to impersonate the official FIFA domain (fifa.com), deceiving users into divulging sensitive information or purchasing counterfeit tickets and hospitality packages. The sophistication of these sites is such that even experienced users may be fooled, especially as attackers leverage HTTPS certificates and cloned branding.

Key malicious domains identified include www.fifa[.]cab, www.fifa[.]pink, www.fifa[.]blue, www.fifa[.]pub, FIFA[.]city, Fifa[.]bio, fifa[.]beer, fifa[.]click, fifa[.]cam, fifa[.]ceo, fifa[.]help, filfa[.]org, fifa-online[.]com, fifa-2026[.]xyz, jobs-fifa[.]com, fifa-hr[.]com, fifa-careerhub[.]com, fifaworldcup-careers[.]com, fifa-hiring[.]com, fifahiring[.]com, fifa-ticket[.]live, fifastore.us[.]com, fifaworldcup26[.]sale, fifaworldcup26.xcover-staging[.]com, worldcup2026-tickets.com[.]mx, worldcup26ticket[.]com, 2026fifaworldcuptickets[.]online, fwc2026[.]net, fwc2026.web[.]app, www.fifa2026p[.]com, fifa2026fworldcup[.]com, wvvw-fifa[.]com, ww-fifa[.]com, fifa-com[.]com, www.fifa-com[.]services, and quiniela-fifa-2026.pages[.]dev.

These domains are used for credential harvesting, financial fraud, and malware delivery. The FBI and other agencies recommend that users only access FIFA resources via the official https://www.fifa.com domain and its verified subdomains.
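The official-domain rule and the lookalike patterns described above can be turned into a triage check for hostnames seen in DNS or proxy logs. The following is an added example, not code from the FBI PSA or from this advisory's authors; the function names, the three-entry sample blocklist and the one-edit typo rule are assumptions, and it treats every subdomain of fifa.com as official rather than checking a verified-subdomain list.

```python
import re

OFFICIAL = "fifa.com"  # official domain named in the advisory
BRAND = "fifa"
# Three of the defanged domains listed above (load the full list in practice).
LISTED = ["fwc2026[.]net", "worldcup26ticket[.]com", "www.fifa[.]cab"]

def refang(host):
    """Undo '[.]' defanging; normalise case and a trailing dot."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")

BLOCKLIST = {refang(d) for d in LISTED}

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return (verdict, reason) for a hostname from DNS or proxy logs."""
    h = refang(host)
    # Suffix match on the dot boundary: 'notfifa.com' and 'fifa.com.x.example' fail.
    if h == OFFICIAL or h.endswith("." + OFFICIAL):
        return ("official", "fifa.com or a subdomain of it")
    if h in BLOCKLIST:
        return ("listed", "on the advisory's domain list")
    labels = h.split(".")
    if BRAND in labels:
        return ("lookalike", "brand label outside fifa.com")
    for label in labels:
        if BRAND in label:
            return ("lookalike", "brand keyword embedded in a label")
        # Compare each alphabetic chunk of the label with the brand.
        for part in re.split(r"[-_0-9]+", label):
            if part and edit_distance(part, BRAND) == 1:
                return ("lookalike", "one edit away from the brand")
    return ("unrelated", "no resemblance to the brand")

if __name__ == "__main__":
    # Constructed sample of observed hostnames, mixing page-listed and made-up names.
    for name in ["www.fifa.com", "filfa[.]org", "wvvw-fifa[.]com",
                 "fifa.com.login.example", "fwc2026[.]net", "example.org"]:
        print(name, classify(name))
```

Listed domains such as fwc2026[.]net carry no resemblance to the brand string, so the heuristics complement the blocklist rather than replace it. The one-edit rule also matches ordinary words such as "fifo", so its hits are candidates for review, not automatic blocks.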

Industrial-Scale Fraud and Social Engineering

Research from KELA Cyber and Check Point highlights the industrialization of fraud targeting the World Cup. Over 4,300 lookalike domains have been detected, including elaborate “Ghost Stadium” scams advertising non-existent venues. Threat actors are also operating fake visa and travel portals, as well as fraudulent hospitality and ticketing sites. The scale of credential theft is staggering, with more than 1.5 million compromised accounts and 7,300+ leaked credentials related to FIFA and its partners being traded on the dark web.

Social engineering campaigns are rampant, with phishing emails and SMS messages crafted to exploit the excitement and urgency surrounding the event. Common lures include fake ticket confirmations, hospitality package offers, and volunteer recruitment messages. Domains such as jobs-fifa[.]com and fifa-hr[.]com are used to harvest personally identifiable information (PII) from job seekers and volunteers.

Malware, Ransomware, and Infostealers

PolySwarm telemetry confirms the active circulation of destructive malware, infostealers, and ransomware families targeting organizations involved in the tournament. Attack vectors include phishing emails with malicious attachments themed around World Cup logistics, as well as drive-by downloads from compromised or spoofed websites. Notable malware hashes observed in the wild include 7e4a1b2c3d4e5f67890123456789abcd (infostealer) and 9f8e7d6c5b4a3a2b1c0d9e8f7a6b5c4d (ransomware loader).

At least two hospitality providers have reported ransomware incidents traced to malicious attachments referencing World Cup operations. These attacks have resulted in operational disruptions and the potential exposure of sensitive customer data.

DDoS and Hacktivist Activity

High-profile events like the World Cup are magnets for hacktivist and state-sponsored groups seeking to disrupt operations, deface websites, or leak sensitive data. During the previous World Cup, Russian sources reported up to 25 million cyberattacks, and similar volumes are anticipated in 2026. Several regional ticketing portals have already experienced outages attributed to coordinated distributed denial-of-service (DDoS) attacks, with some incidents claimed by hacktivist groups on Telegram and Twitter.

State-Sponsored Espionage and APT Activity

KELA Cyber and other OSINT sources report that state-sponsored APTs from Russia, Iran, and China are actively engaged in espionage, pre-positioning, and influence operations targeting event infrastructure. These groups are leveraging spearphishing, supply chain compromise, and exploitation of exposed cloud services to gain persistent access to critical systems. Notable APTs include APT28 (Fancy Bear), known for targeting international sporting events, and Lazarus Group, which has a history of financial and disruptive attacks.

Supply Chain and Vendor Risk

The attack surface extends beyond FIFA’s core infrastructure to encompass a vast ecosystem of third-party vendors, including hospitality, ticketing, transportation, telecommunications, and operational technology (OT) providers. Exposure across these sectors broadens the potential for supply chain compromise, with attackers seeking to exploit weaker security controls among partners and subcontractors.

MITRE ATT&CK Mapping

The tactics, techniques, and procedures (TTPs) observed in these campaigns align with the following MITRE ATT&CK techniques:

  • Initial Access: Phishing (T1566), Drive-by Compromise (T1189), Spearphishing via Service (T1192)
  • Credential Access: Credential Phishing (T1566.001), Input Capture (T1056)
  • Collection: Data from Information Repositories (T1213)
  • Exfiltration: Exfiltration Over Web Service (T1567)
  • Impact: Data Encrypted for Impact (T1486), Defacement (T1491), Denial of Service (T1499)

Exploitation in the Wild

Real-world incidents reported in the lead-up to the tournament include:

  • Credential harvesting via phishing emails and SMS messages with links to fake ticketing and hospitality sites.
  • Fake job offers using domains such as jobs-fifa[.]com and fifa-hr[.]com to lure job seekers and harvest PII.
  • Ransomware attacks on hospitality providers, resulting in operational disruptions and data exposure.
  • DDoS attacks on regional ticketing portals, causing service outages and attributed to hacktivist groups.

Indicators of Compromise (IOCs)

The following IOCs have been observed in active campaigns:

  • Malicious domains: See the comprehensive list above from the FBI IC3 PSA.
  • Phishing email subjects: "Your FIFA World Cup 2026 Ticket Confirmation", "FIFA Hospitality Package – Action Required", "FIFA 2026 Volunteer Application".
  • Malware hashes: 7e4a1b2c3d4e5f67890123456789abcd (infostealer), 9f8e7d6c5b4a3a2b1c0d9e8f7a6b5c4d (ransomware loader).

Affected Product Versions

Based on OSINT, the following product categories and versions are being actively targeted:

  • FIFA Digital Platforms: All versions of FIFA.com and its subdomains, including ticketing, hospitality, and volunteer portals.
  • Hospitality and Ticketing Vendors: All web-based ticketing and hospitality platforms associated with the 2026 FIFA World Cup, including third-party vendors and their web applications.
  • Broadcasting and Media Partners: All versions of web portals and streaming platforms used by official FIFA broadcasters.
  • Supply Chain Vendors: All versions of web portals and OT systems used by transportation, telecom, and event infrastructure vendors in the 16 host cities.
  • Enterprise SSO/ADFS Systems: All versions exposed to the internet, especially those with weak or default credentials, as identified in dark web listings.
  • End-User Devices: All versions of Windows, macOS, Android, and iOS devices used by staff, volunteers, and fans, targeted via phishing, malicious apps, and infostealers.

No specific CVEs or software version numbers are listed in public advisories as of June 2026. The threat is primarily against web applications, cloud services, and user endpoints rather than a single software vulnerability.

Mitigation Strategies

To mitigate the risks associated with these threats, organizations and individuals should:

  • Access FIFA resources only via https://www.fifa.com and official subdomains.
  • Block and monitor the IOCs listed above at the network perimeter.
  • Educate staff and fans about the risks of fake ticketing and job sites.
  • Monitor for phishing campaigns using World Cup themes.
  • Coordinate with law enforcement and FIFA’s official cybersecurity partners for incident response.

References

  • FBI IC3 PSA: Threat Actors Spoofing FIFA Websites in Advance of the 2026 World Cup (https://www.ic3.gov/PSA/2026/PSA260527)
  • KELA Cyber: 2026 FIFA World Cup Threats & Predictions (https://www.kelacyber.com/resources/research/2026-fifa-world-cup-threats-predictions/)
  • Check Point: FIFA World Cup Cyber Threat, 2026 (https://www.checkpoint.com/resources/all-assets-460c/report-fifa-world-cup-cyber-threat-2026)
  • PolySwarm: Beyond the Pitch – Assessing Cyber Risks to the 2026 FIFA World Cup (https://blog.polyswarm.io/beyond-the-pitch-assessing-cyber-risks-to-the-2026-fifa-world-cup)
  • Cybersecurity Dive: FIFA World Cup expected to face extensive criminal, hacktivist cyber threat (https://www.cybersecuritydive.com/news/fifa-world-cup-criminal-hacktivist-cyber-threat/822638/)
  • The Costa Rica News: World Cup 2026 Cyber Threats Skyrocket (https://www.facebook.com/TheCostaRicaNews/posts/world-cup-2026-cyber-threats-skyrocket-as-tournament-kicks-off-fifa-world-cupfol/1424910936336670/)
