The FIFA World Cup 2026 starts this summer across 16 cities in three countries. While the world watches football, a different kind of game has been running quietly in the background for nearly a year.
ThreatMon spent that time monitoring dark web forums, infostealer logs, underground Telegram channels, and malicious domain registrations. What they found isn’t a future threat. It’s already here.
Over 21,600 FIFA-themed malicious domains were catalogued between July 2025 and June 2026. That’s more than what surrounded the entire Qatar 2022 tournament. About 75% of those registrations happened during 2025 alone, with the pace picking up as the tournament approached.
The breakdown matters. Roughly 11,000 domains use generic World Cup branding. Another 9,000 are specific to “FIFA 2026.” Nearly 900 are typosquats, domains like fiffa.com or f1fa.com that exist purely to catch people who mistype in a hurry. Seventy-four domains are built around authentication themes: login pages, account portals, member registration.
That last group is the dangerous one. You mistype a URL under a tight deadline, and you’re handing your credentials to someone who spent months building a page that looks exactly like the real thing.
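For a security team that ingests daily domain-registration feeds, the useful move is to sort new names into the same buckets the report uses and route the typosquats and authentication-themed ones to the top of the queue. The script below is an added example, not code from ThreatMon or the report: it folds common digit-for-letter substitutions, measures edit distance of each name against the brand token, and classifies it. The brand token, keyword lists, the benign near-match list and the sample feed are all assumptions constructed for illustration.

```python
"""Triage newly registered domains by how closely they imitate a brand token.

Added example, not code from the ThreatMon report or the article: a small
classifier that sorts registrations into the buckets the text describes
(generic World Cup branding, FIFA 2026 branding, typosquats of the brand token,
and authentication-themed names). Keyword lists and sample domains are
constructed assumptions.
"""
from collections import Counter

BRAND = "fifa"
# Characters registrants substitute for look-alike letters; folded before matching.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "@": "a", "|": "l"})
AUTH_WORDS = ("login", "signin", "auth", "account", "portal", "register", "member")
GENERIC_WORDS = ("worldcup", "world-cup", "mundial", "2026")
# Ordinary words within one edit of the brand that would otherwise be false positives.
BENIGN_NEAR = ("final", "fila", "fiat")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label of the domain (naive: assumes a single-label public suffix)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_nearby(text: str, max_distance: int = 1) -> bool:
    """True if the text, or some window of it, is within max_distance edits of the brand."""
    n = len(BRAND)
    candidates = [text] if len(text) <= n + 1 else []
    for width in (n - 1, n, n + 1):
        candidates += [text[i:i + width] for i in range(len(text) - width + 1)]
    return any(osa_distance(c, BRAND) <= max_distance for c in candidates)


def classify_domain(domain: str) -> str:
    raw = registrable_label(domain)
    norm = raw.translate(HOMOGLYPHS)          # f1fa-l0gin -> flfa-login
    for word in BENIGN_NEAR:
        norm = norm.replace(word, "")         # final2026 must not read as a typosquat
    exact = BRAND in norm
    near = exact or brand_nearby(norm)
    if near and any(w in norm for w in AUTH_WORDS):
        return "auth-themed"                  # credential-harvesting pages: highest priority
    if near and not exact:
        return "typosquat"
    if exact:
        return "fifa-2026" if "2026" in raw else "fifa-branded"
    if any(w in raw for w in GENERIC_WORDS):  # digits checked on the raw label
        return "worldcup-generic"
    return "unrelated"


def summarize(domains) -> dict:
    """Per-category counts for a batch of registrations."""
    return dict(Counter(classify_domain(d) for d in domains))


# Constructed sample feed; these are not claims about real registrations.
SAMPLE_FEED = [
    "fiffa.com", "f1fa.com", "fifa-2026-tickets.com", "fifa-l0gin.com",
    "f1fa-acc0unt-portal.com", "worldcup2026-tickets.net", "final2026.com",
    "example.org",
]

if __name__ == "__main__":
    for d in SAMPLE_FEED:
        print(f"{d:30} {classify_domain(d)}")
    print(summarize(SAMPLE_FEED))
```

A four-letter brand token sits one edit away from many ordinary words, so the benign list is what keeps precision usable; in practice it grows from the analyst's own false positives, and the output is a triage order, not a block list.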
Three actors from the report give a clear picture of how the criminal supply chain works at this level.
X Forum Bot is distributing bulk credential dumps. A June 2026 listing advertised 536,000 URL-email-password combinations. A separate listing from July 2025 claimed SMTP access to smtp.fifa.com. These credentials feed downstream phishing campaigns and account takeover operations.
TopSCT posted World Cup group-stage tickets at up to 60% discount in June 2026, routing buyers to a private Telegram channel. This isn’t a one-off scam: the actor has been active since 2024, selling fraudulent airline tickets, compromised loyalty accounts, and carding tutorials across multiple countries. The World Cup listing is just one product in a broader fraud catalog.
Clown is more technical. This vendor sells a multi-session browser bot specifically built to bypass FIFA’s ticket queue system: concurrent searches, proxy management, bot-detection evasion. The vendor has been active since 2022 with thousands of forum posts and a strong reputation score. The ticket bot sits alongside forged identity documents, KYC bypass methods, and crypto cash-out services.
ThreatMon documented active Facebook and Instagram ads promoting “FIFA Investment Programs” during the monitoring period. One promised 30% daily returns on USDT deposits. Another offered tiered packages up to $5 million, with daily returns reaching 85%. The call-to-action: “Join the Squad Now.”
The associated platforms fifainvestments.top and fifainvestments.vip had full registration pages and fake dashboards showing fabricated project returns.
The low impression counts on these ads aren’t a sign of small operations. They’re intentional. Small, fragmented ad sets slip through automated content moderation more easily than high-volume campaigns. It’s a deliberate evasion tactic.
Infostealer logs from 2023 to 2026 showed credential exposure across FIFA’s own authentication subdomains. About 36% of identified records were linked to auth.fifa.com, the central single sign-on point that grants access across all FIFA services. Another 15.6% were linked to volunteer.fifa.com.
This doesn’t mean FIFA’s servers were hacked. It means people whose devices were infected with infostealer malware had stored FIFA credentials on those devices. Those credentials were captured and are now trading in criminal markets, ready for account takeover attempts or phishing operations.
The geographic spread of infected hosts shifted noticeably by 2026. Ecuador accounted for 31.2% of identified records, Turkey for 8.1%, with additional spread across Egypt, Morocco, and other regions. These are where compromised devices were found, not where the attackers are.
Of 100 publicly accessible Docker container images examined as part of the attack surface review, five contained sensitive material: RSA private keys, AWS access identifiers, Telegram bot tokens, and hardcoded passwords. Several also contained direct references to production endpoints including api.fifa.com and tickets.fifa.com.
None of these were tested to confirm active validity. Standard practice is to treat every exposed secret as live until proven otherwise, rotate everything, and investigate. Even expired credentials carry value: they reveal service relationships and naming conventions that help attackers map infrastructure.
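The review described above is something any team can run against its own published images before an outsider does. The scanner below is an added example, not ThreatMon's tooling: it walks a layer tarball, applies patterns for the four kinds of material the report found (private-key headers, AWS access key identifiers, Telegram bot tokens, hardcoded passwords), flags references to the two production hostnames named in the text, and reports masked evidence so the findings themselves don't become a second leak. The layer is built in memory and every secret in it is a constructed placeholder.

```python
"""Scan a container image layer for leaked secrets and production references.

Added example, not tooling from ThreatMon or the article: a minimal defender-side
scanner for the categories the text lists (RSA private keys, AWS access key
identifiers, Telegram bot tokens, hardcoded passwords) plus references to the
production hostnames the text names. The layer is constructed in memory; every
"secret" in it is a placeholder (the AWS key is the AWS documentation sample).
"""
import io
import re
import tarfile
from collections import Counter

# Hostnames named in the text; a reference inside an image maps infrastructure for an attacker.
PRODUCTION_HOSTS = ("api.fifa.com", "tickets.fifa.com")

PATTERNS = {
    "rsa_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "hardcoded_password": re.compile(
        r"(?im)^\s*(?:export\s+)?[a-z_]*(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{6,})"
    ),
}


def mask(value: str) -> str:
    """Keep enough of a value to correlate findings, never the full secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def iter_layer_files(layer: bytes, max_bytes: int = 5_000_000):
    """Yield (path, text) for every regular file in a layer tarball.
    Binaries are not skipped: a key baked into a compiled tool is still a string."""
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_bytes:
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            yield member.name, fh.read().decode("utf-8", errors="ignore")


def scan_layer(layer: bytes) -> list:
    """Return one finding dict per pattern hit or production-host reference."""
    findings = []
    for path, text in iter_layer_files(layer):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                hit = m.group(m.lastindex or 0)
                evidence = "PEM header present" if kind == "rsa_private_key" else mask(hit)
                findings.append({"path": path, "kind": kind, "evidence": evidence})
        for host in PRODUCTION_HOSTS:
            if host in text:
                findings.append({"path": path, "kind": "production_reference", "evidence": host})
    return findings


def summarize_findings(findings) -> dict:
    return dict(Counter(f["kind"] for f in findings))


def build_sample_layer() -> bytes:
    """Constructed layer tarball; none of the values below are real credentials."""
    files = {
        "app/config.env": b"DB_HOST=db.internal\nDB_PASSWORD=placeholder-pass-123\n"
                          b"API_BASE=https://api.fifa.com/v1\n",
        "app/bot.py": b"TOKEN = '123456789:ABCdefGHIjklMNOpqrsTUVwxyz012345678'  # constructed\n",
        "root/.aws/credentials": b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                 b"aws_secret_access_key = placeholder\n",
        "etc/ssl/private/service.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n"
                                       b"-----END RSA PRIVATE KEY-----\n",
        "app/README": b"The checkout worker posts to tickets.fifa.com.\n",
        "bin/tool": b"\x7fELF\x00\x00stripped binary with AKIAIOSFODNN7EXAMPLE inside",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_layer(build_sample_layer())
    for f in hits:
        print(f"{f['kind']:22} {f['path']:30} {f['evidence']}")
    print(summarize_findings(hits))
```

A real image is several layer tarballs plus a config JSON; run the same patterns over each layer and over the config's environment entries, and remember that a file deleted in a later layer is still present, intact, in the earlier one. Every hit is then handled the way the text prescribes: rotate first, confirm validity afterwards.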
The report is written for security teams. But the practical takeaways for anyone attending or watching are straightforward.
Tickets at 40–60% discounts through Telegram channels or social media ads are fraud. The credentials you use to buy from secondary sources may already be compromised. Telegram bots that ask for your name and redirect you to a “support administrator” are running social engineering scripts. And anything promising FIFA-branded investment returns above 5% annually, let alone 30% daily, is a crypto scam dressed in football branding.
The broader warning from the report applies here too: AI-generated content has made visual quality an unreliable signal of legitimacy. A professionally designed ad, a polished email, a convincing video endorsement can all be synthetic. Verify through official channels before entering payment information anywhere.
The fraud infrastructure for this tournament was built patiently, over many months, before a single match was played. The World Cup is a target not because of its security weaknesses, but because of its audience size, emotional intensity, and concentrated timeline. All of those factors make it easier to exploit people and harder to stop.