Reported by
Just days before the kickoff of the 2026 World Cup, cybersecurity experts are raising the alarm over a massive, highly sophisticated surge in digital fraud targeting soccer fans worldwide, offering them fake tickets, nonexistent travel packages, counterfeit merchandise, suspicious betting apps on websites impersonating FIFA.
The tournament, which has drawn unprecedented global interest, has become the "perfect bait" for opportunistic hackers and criminal syndicates, according to David Gonzalez Cuautle, the awareness and research manager at the cybersecurity firm ESET.
“Cybercriminals tend to operate in seasons and with specific themes,” Gonzalez Cuautle said in an interview with OCCRP, adding that the World Cup presents a uniquely lucrative opportunity for bad actors to cast a wide net.
The scope of the threat is vast. Experts warn that fans are navigating a digital minefield that includes fake tickets and nonexistent VIP travel packages, counterfeit merchandise sold through spoofed vendor portals, suspicious betting applications designed to harvest financial data as well as fraudulent streaming apps that install spyware or malicious code onto devices or imposter websites meticulously designed to mirror official FIFA platforms.
The scale of the digital counterfeiting is staggering. By 2025, specialized cybersecurity firms had already detected roughly 4,300 fake domains tied to the tournament. The threat reached such a critical level that in late May, the Federal Bureau of Investigation issued a formal alert warning the public that "cyber threat actors are conducting spoofing attacks against the Fédération Internationale de Football Association (FIFA) website in advance of the 2026 FIFA World Cup."
To lure unsuspecting fans, scammers are registering domains that incorporate words associated with FIFA, paired with seemingly legitimate extensions like .online, .shop, .store, or .football.
The tactics are also becoming increasingly localized.
“Now we are seeing that different languages are also starting to gain ground on these websites, which suggests that it could be done regionally,” Gonzalez Cuautle noted. While local cyber police forces are tasked with analyzing and tracing these pages, the perpetrators often remain steps ahead.
“It's important to understand what the scammers do,” he explained. “Sometimes they use pseudonyms or disposable email addresses, so they can generate a temporary email and use that to register the website. That email is difficult to trace.”
The financial toll of purchasing a nonexistent ticket is only the beginning. For many victims, the true cost of the fraud is the permanent compromise of their digital identities.
In a recent exercise, ESET researchers analyzed a sample of fake World Cup websites and discovered that at least ten of the reported portals were not merely momentary cash grabs. Instead, they functioned as sophisticated data-harvesting operations, quietly siphoning banking credentials and valuable personal information from the user.
Mobile users face similar perils. Fraudulent applications masquerading as sports broadcast portals or betting platforms often request excessive device permissions, allowing them to install malicious code or actively spy on the user.
Perhaps most alarmingly for consumers, standard markers of internet safety are no longer reliable. Gonzalez Cuautle warned that the familiar security padlock icon in web browsers—traditionally a guarantee that a site’s communication is encrypted and its identity certified—is no longer enough to determine whether a page is legitimate.
“Certificates,” he warned, “can be cloned.”
