The cyber threats surrounding the 2026 FIFA World Cup are extending beyond fan-focused scams, with attackers increasingly targeting host-city staff, suppliers and organisations connected to the tournament, according to new research from Arctic Wolf Labs.
The security research found that cybercriminals have already built a substantial ecosystem around the tournament months before kickoff. Researchers observed more than 10,000 newly registered World Cup-themed domains since January 2026. The activity includes phishing operations, malware distribution, credential theft campaigns and scams aimed at both consumers and organisations linked to the event.
Mobile threats
Arctic Wolf found that many campaigns now rely on mobile devices as the primary attack vector. Rather than directing victims immediately to malicious websites, attackers are using social media posts that appear legitimate and then funnelling users into messaging platforms such as WhatsApp, Telegram and Discord.
Researchers said these platforms are becoming a preferred environment for attackers because malicious activity is harder to detect and users often place greater trust in content delivered through messaging applications. The campaigns commonly promote free match streams, discounted tickets, betting opportunities and cryptocurrency offers linked to the tournament.
The report also found that many of the websites supporting these campaigns appear to have been generated using artificial intelligence tools. Researchers said generative AI is reducing the cost and effort required to create convincing websites, content and applications at scale.
Since January, Arctic Wolf has tracked approximately 2,000 new World Cup-themed domains being registered each month. While many are legitimate, the volume has increased the challenge for defenders attempting to identify malicious infrastructure.
Timing tactics
One of the recurring patterns identified in the research is the deliberate use of timing to increase the likelihood of success.
Several campaigns encourage users to subscribe to channels that promise access to free streaming links shortly before matches begin. Attackers then release links only minutes before kickoff, when fans may be less likely to scrutinise the destination or legitimacy of a website.
Researchers found evidence of operations that specifically advertise stream links becoming available five minutes before matches. According to the report, the approach is designed to exploit urgency and excitement around major fixtures.
The report warns that a significant proportion of World Cup-related threats may emerge during the tournament itself, particularly in the minutes leading up to matches.
Supply chain targets
The research also highlights a shift towards attacks on organisations involved in delivering the event.
Arctic Wolf recovered a malicious PDF document disguised as an employee handbook aimed at staff working on tournament activities in a United States host city. The document used branding and formatting intended to resemble a legitimate human resources document and directed recipients to scan a QR code.
The QR code redirected users to malicious infrastructure in what researchers described as a quishing (QR code phishing) attack. The document also contained social engineering elements designed to discourage recipients from sharing it with colleagues, reducing the likelihood of detection.
Researchers said the attack method could be replicated against other host cities, suppliers and organisations participating in tournament operations.
The report also identified a collection of fake FIFA recruitment websites designed to steal Google Workspace credentials. These sites impersonated hiring and recruitment processes and used real-time adversary-in-the-middle phishing techniques.
Identity theft
According to Arctic Wolf, the phishing infrastructure was capable of bypassing conventional multi-factor authentication by relaying authentication codes in real time between victims and legitimate services. Attackers were then able to establish authenticated sessions while victims remained unaware that their credentials had been compromised.
The researchers identified ten World Cup-related recruitment domains linked to these operations. The campaigns targeted corporate Google Workspace accounts and gathered information including names, email addresses, job roles and login credentials.
Desktop users also remain a target. Arctic Wolf analysed a malware campaign disguised as a World Cup ticket viewer application for Windows systems. Once installed, the software collected browser credentials, stored passwords, messaging data, Wi-Fi credentials and application information before sending the stolen data to attacker-controlled Telegram and Discord channels.
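Detection logic for the exfiltration path described above, added here as an example and not taken from the Arctic Wolf report: it totals the bytes that processes outside an allowlist send to the Telegram Bot API or to Discord webhook endpoints. The log format, the host names, `TicketViewer.exe`, the tokens and the allowlist are constructed, and the report does not say which Telegram or Discord interfaces the malware used.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Real public API endpoints; that this campaign used them is an assumption,
# as the article names only the platforms. Needs full URLs in telemetry.
EXFIL_ENDPOINTS = [
    ("telegram-bot-api", re.compile(r"^api\.telegram\.org/bot[^/]+/\w+", re.I)),
    ("discord-webhook",
     re.compile(r"^(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I)),
]
# Assumed allowlist; image names can be spoofed, so also check signer and path.
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}

# Constructed telemetry (time, host, image, URL, bytes sent); all placeholders.
SAMPLE_LOG = """\
2026-06-11T18:55:02Z WS-014 chrome.exe https://discord.com/channels/@me 512
2026-06-11T18:55:40Z WS-022 TicketViewer.exe https://api.telegram.org/bot0000000000:EXAMPLE/sendDocument 4831022
2026-06-11T18:55:41Z WS-022 TicketViewer.exe https://discord.com/api/webhooks/100000000000000001/EXAMPLE 220417
2026-06-11T18:56:10Z WS-031 msedge.exe https://discord.com/api/webhooks/100000000000000002/EXAMPLE 300
2026-06-11T18:57:00Z WS-040 updater.exe https://example.com/api/webhooks/1/x 90
"""

def classify(url):
    """Return the channel label for a URL that hits a known endpoint, else None."""
    parts = urlsplit(url)
    target = (parts.hostname or "") + parts.path  # anchor on host, not substring
    for label, pattern in EXFIL_ENDPOINTS:
        if pattern.match(target):
            return label
    return None

def find_suspect_uploads(log_text):
    """Total bytes sent to those endpoints per (host, image), skipping EXPECTED."""
    hits = defaultdict(lambda: {"channels": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed records rather than guess at them
        _ts, host, image, url, sent = fields
        channel = classify(url)
        if channel is None or image.lower() in EXPECTED:
            continue
        hits[(host, image)]["channels"].add(channel)
        hits[(host, image)]["bytes_out"] += int(sent)
    return dict(hits)

if __name__ == "__main__":
    print(find_suspect_uploads(SAMPLE_LOG))
```

A single process reaching both services with megabytes of upload, as `TicketViewer.exe` does in the sample, is the pattern worth alerting on; the allowlisted browser posting to a webhook is left alone.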
The report concludes that threat actors are treating the World Cup as both a consumer fraud opportunity and a route into organisations involved in staging the tournament. Researchers expect phishing, QR code attacks, credential theft and malware campaigns to continue throughout the competition period.