Executive Summary
The 2026 FIFA World Cup, the largest sporting event in history, spanning 16 host cities across the United States, Mexico, and Canada has become one of the most heavily exploited lure themes observed this year. DeXpose has tracked a surge of phishing infrastructure, counterfeit ticketing portals, spoofed FIFA domains, and a circulating Web3 phishing kit targeting cryptocurrency wallet holders, alongside a critical access control flaw discovered in FIFA’s own Agent Platform that briefly exposed core broadcast infrastructure.
Key figures from the threat landscape:
- 13,000+ FIFA-themed malicious domains registered between January and May 2026
- 2,500+ online advertisements linked to World Cup purchase scam domains
- 33 purchase scam domains identified within a single tracked campaign
- 17 cryptocurrency wallets targeted by the observed Web3 phishing kit
- 1 critical broken access control vulnerability disclosed in FIFA’s Agent Platform, exposing broadcast and stream control infrastructure
Background: Why Major Sporting Events Attract Threat Actors
Major global events compress opportunity. Fans are rushing to buy tickets, businesses are onboarding temporary vendors, payment processors are handling unusual transaction volumes, and security teams are under pressure not to block legitimate traffic. This is precisely the environment in which social engineering, credential reuse, and poorly secured identity infrastructure become highly exploitable. The 2026 World Cup, hosting a record 48 teams across 104 matches, represents the largest single attack surface of any sporting event to date.
Threat actors operating across multiple motivations like financial crime, credential theft, espionage, and hacktivism have all been observed pre-positioning infrastructure ahead of and throughout the tournament. The attack surface extends well beyond individual fans to include corporate sponsors, hospitality providers, ticketing platforms, and public safety organizations operating across three host nations.
Campaign Cluster 1: FIFA Domain Spoofing and Typosquatting
The FBI issued a public service announcement in May 2026 confirming active spoofing attacks against the official FIFA website, with threat actors registering lookalike domains designed to harvest personally identifiable information (PII), facilitate payment fraud, and sell counterfeit event tickets and hospitality packages.
Spoofed domains rely on minor misspellings or alternate top-level domains for example, using .org instead of .com, or registering variations such as fiffa[.]com to deceive users who make small errors when typing URLs directly. Threat actors have also registered subpath-style domains such as jobs-fifa[.]com to impersonate legitimate career or administrative subdomains. The FBI noted that additional fake domains are anticipated throughout the duration of the tournament.
There are over 13,000 new FIFA World Cup 2026-themed domains registered between January and May 2026, with approximately 8.8% identified as malicious or suspicious through pattern analysis and confirmed scam activity. Categories observed include fake ticketing portals, merchandise resale scams, fraudulent betting and streaming sites, and credential-harvesting pages impersonating official event communication.
Observed lure themes across this cluster:
- Ticket fraud portals: fake ticketing gateways impersonating official resellers, exploiting extreme ticket scarcity and elevated prices to harvest payment card data and PII
- Merchandise scams: lookalike stores impersonating Nike, Adidas, and Puma, distributed primarily via WhatsApp using viral propagation mechanics and fake prize lures
- Fake employment offers: fraudulent FIFA career sites and weaponized “employee handbook” PDF documents targeting Google Workspace credentials from tournament-affiliated staff
- QR-code fraud: fake shuttle passes, parking permits, and fan transport QR codes distributed in and around host cities; identified as the fastest-growing single fraud variant for this tournament
- Cryptocurrency and Web3 scams: World Cup Coin DApp impersonation kits designed to drain crypto wallets by harvesting seed phrases, private keys, and wallet connect flows
- SMS blasters and smishing: rogue cellular infrastructure sending high-volume smishing messages impersonating event organizers, rideshare providers, and local authorities

Campaign Cluster 2: Purchase Scam Infrastructure — RetailPhish and Lookalike Stores
About 33 World Cup-themed purchase scam domains linked to approximately 2,500 online advertisements, active during April and May 2026. Unlike traditional card-skimming operations, these fake stores are integrated directly into operational payment processing infrastructure, meaning victims are actually charged for goods that never arrive while simultaneously exposing their payment card data and PII to threat actors. Stolen payment card credentials are also being leveraged by carders to fraudulently purchase legitimate event tickets for rapid resale and monetization.
A separate campaign designated RetailPhish impersonates major sports brands including Nike, Adidas, Puma, and Marathon Sport across multiple languages and regions. Distribution is primarily via WhatsApp using a structured social engineering funnel:
- Stage 1 (Brand Lure): The victim receives a WhatsApp message with a link to what appears to be an official brand promotion (impersonating Nike, Adidas, Puma, Marathon Sport, etc.). The landing page mimics the brand’s design and promises high-value World Cup 2026 merchandise, national team kits, football boots, or gift cards (often valued at EUR 250–300) in exchange for a short “eligibility quiz.”
- Stage 2 (Viral Propagation): After completing the quiz, the page requires the victim to forward the link to multiple WhatsApp contacts before the prize can be “unlocked.” This turns each victim into an unwitting distributor and accelerates organic, trust-based spread through personal networks.
- Stage 3 (PII Harvesting): The victim is then prompted to enter personal information (full name, shipping address, phone number, email, etc.) to “claim” the reward.
- Stage 4 (Payment Trap): A nominal fee (typically around EUR 2 for “shipping”) is requested. This step captures full credit/debit card details (number, expiration, CVV).
Campaign Cluster 3: Web3 Phishing Kit — World Cup Coin DApp Targeting Cryptocurrency Wallets
DeXpose has identified a threat actor distributing a free Web3 phishing kit themed around a fictitious “World Cup Coin” decentralized application (DApp). The kit is purpose-built to harvest cryptocurrency wallet seed phrases and private keys, capitalising on speculative interest in tournament-themed digital assets at the peak of World Cup media coverage.
Kit capabilities:
- Supports 17 wallets including MetaMask, TrustWallet, Coinbase Wallet, and Ledger
- Full admin panel for centralized credential collection by the operator
- Exfiltration of harvested credentials via Telegram bot or email
- Cross-device compatible, functioning on both desktop and mobile browsers
- Accepts seed phrase inputs of 12 to 24 words in length
- Accepts raw private key input as an alternative to seed phrase entry
- Advertised as free to use, lowering the barrier to entry for low-sophistication operators
Kit mechanics and operator workflow
The kit presents victims with a convincing DApp interface themed around the “World Cup Coin” token, exploiting fear of missing out around limited-edition sports-themed cryptocurrencies and tournament collectibles. When a victim attempts to “connect their wallet” or “claim tokens,” they are prompted to enter their seed phrase or private key under the pretense of wallet verification or token transfer authorization.
Harvested credentials are routed in real time to the operator through a Telegram bot integration or a configured email endpoint, both manageable through the included admin panel. The kit’s free distribution model significantly expands the number of actors capable of deploying campaigns, increasing the volume of attacks reaching World Cup audiences across Telegram channels and underground forums.


Critical risk: Seed phrase and private key compromise results in complete, irreversible loss of all funds held in the targeted wallet. Unlike compromised passwords, there is no recovery mechanism once a seed phrase is in a threat actor’s possession. Any victim who has entered credentials into this kit should consider all associated addresses fully compromised and move funds immediately to a freshly generated wallet.
Campaign Cluster 4: Broadcast Infrastructure Exposure FIFA Agent Platform Access Control Vulnerability
A security researcher discovered a critical broken access control vulnerability in FIFA’s infrastructure after registering on its public Agent Platform. The flaw exposed highly sensitive systems, including the World Cup streaming management panel, live camera feed controls, RTMP ingest links and stream keys, match data and statistics, and the Commentator Information System, allowing disruption or manipulation of global broadcasts. The issue was responsibly disclosed and patched within hours.
Threat Actor Landscape
The threat landscape around the 2026 World Cup spans multiple actor tiers operating in parallel, each with distinct tooling and objectives.
Financially motivated cybercriminals represent the highest-volume tier. They operate fake ticketing portals, purchase scam domains, PhaaS kits, and card skimming infrastructure, with individual fans and consumers as the primary target population.
Hacktivist groups, particularly pro-Russian collectives such as NoName057(16), are targeting host-city and government infrastructure for DDoS attacks and reputational disruption tied to geopolitical narratives.
PhaaS operators are distributing low-cost and free phishing kits enabling volume attacks by actors with limited technical capability. AI-generated content is a force multiplier across all tiers, allowing threat actors to produce multilingual phishing emails, smishing messages, and convincing fake websites at a scale that outpaces traditional detection.
MITRE ATT&CK Mapping
| Technique ID | Technique Name |
| T1566.002 | Phishing: Spearphishing Link |
| T1566.001 | Phishing: Spearphishing Attachment |
| T1598.003 | Phishing for Information: Spearphishing Link |
| T1583.001 | Acquire Infrastructure: Domains |
| T1539 | Steal Web Session Cookie |
| T1056.003 | Input Capture: Web Portal Capture |
| T1190 | Exploit Public-Facing Application |
| T1114.002 | Email Collection: Remote Email Collection |
| T1567 | Exfiltration Over Web Service (Telegram) |
Lessons Learned
For organizations:
- Major sporting events require early monitoring of newly registered domains containing brand names, tournament keywords, or sponsor references.
- SOC teams should anticipate increased phishing activity around ticket releases, match days, and major tournament announcements.
- Dark web and Telegram monitoring can provide early visibility into phishing kits, credential sales, and infrastructure targeting event-related organizations.
- Event-themed phishing simulations can help employees recognize time-sensitive lures involving tickets, travel, employment, or tournament access.
- Payment processors should apply additional scrutiny to high-value or unusual transactions involving event-related merchandise and tickets.
For individuals and fans:
- Tickets and hospitality packages should only be purchased through official platforms and verified resellers.
- Cryptocurrency seed phrases and private keys should never be entered into websites or DApps.
- Promotions distributed through WhatsApp, SMS, or unsolicited email should be treated as suspicious, even when shared by known contacts.
- QR-code destinations should be previewed and verified before users submit credentials or payment information.
Conclusion and Key Takeaways
The 2026 FIFA World Cup represents a near-ideal exploitation environment: concentrated global attention, extreme ticket and merchandise demand, three host nations providing broad geographic coverage, and a compressed timeline that pressures both fans and organizations into lower-vigilance decision-making. The activity observed throughout the tournament demonstrated how global sporting events create an ideal environment for phishing, payment fraud, credential theft, and infrastructure abuse. Campaign volume and sophistication increased as the tournament progressed, particularly around high-demand tickets, merchandise promotions, and cryptocurrency-themed lures.
The emergence of World Cup-themed Web3 phishing kits distributed freely in underground communities reflects a maturation of the PhaaS model into cryptocurrency theft — a domain where losses are immediate, irreversible, and largely untraceable. Organizations and individuals interacting with any World Cup-branded digital asset, token, or DApp should treat it as high-risk by default until independently verified.
Beyond fan-facing fraud, the critical access control vulnerability discovered in FIFA’s Agent Platform demonstrated that tournament-related risk was not limited to consumers. The exposure of streaming controls, RTMP stream keys, and commentator systems highlighted the potential operational impact of weaknesses within core event infrastructure.
DeXpose will continue to monitor infrastructure, track kit distribution channels, and publish updated IOC feeds throughout the tournament.



