How Cybercriminals Turned Ticket Mania Into a Global Attack Surface


With 48 teams playing 104 matches in three countries, the FIFA World Cup 2026 is an event of unprecedented scale and ticket scarcity. Dynamic pricing of tickets can push seats at the final match to $30,000, six times the ceiling for ticket prices in 2022. The demand vacuum drives desperate fans to turn to unofficial channels—such as Telegram, social media, and unverified listings—to obtain tickets. This massive tournament and the surrounding circumstances create the perfect environment for attackers to carry out malicious activity.

Campaigns Built to Exploit Desperation

Mobile security company Zimperium recently published a blog post describing attacks designed to profit from the chaos and demand surrounding the World Cup. The post details three campaigns that demonstrate the sophistication and scale of these malicious efforts.

  • The “Ghost Stadium” ticket fraud campaign, previously analyzed by Group-IB, clones FIFA’s actual single sign-on and OAuth flow in a typosquatting attack in order to harvest credentials and lock victims out of their real accounts.
  • A RetailPhish campaign across multiple languages and regions takes advantage of fans’ desire for merchandise related to the World Cup, impersonating brands like Nike and Adidas through WhatsApp messages requiring targets to pass on the link, turning victims into unwitting distributors of the campaign.
  • OffsideHire recruitment fraud uses an Adversary-in-the-Middle (AitM) platform like fifajobs.com to hijack corporate Google Workspace sessions in real time by intercepting multi-factor authentication (MFA) communications.
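
A defender-side check for the lookalike-domain pattern these campaigns rely on, as an added example that is not code from Zimperium, Group-IB or this article: it classifies the hostname of a link against an allowlist of official domains. The allowlist entry fifa.com, the function names and the .example URLs are assumptions constructed for illustration; fifajobs.com is the domain named in the list above.

```python
from urllib.parse import urlsplit

# Assumption: the defender maintains the official registrable domains.
OFFICIAL = {"fifa.com"}
BRAND_TOKENS = {name.split(".")[0] for name in OFFICIAL}  # {"fifa"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    # Simplification: last two labels. Use the Public Suffix List in production.
    return ".".join(host.rstrip(".").split(".")[-2:])

def classify(url: str) -> str:
    host = urlsplit(url).hostname or ""
    if not host:
        return "no-host"
    reg = registrable(host)
    if reg in OFFICIAL:
        return "official"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"                 # possible homoglyph label
    label = reg.split(".")[0]
    if any(edit_distance(label, tok) <= 1 for tok in BRAND_TOKENS):
        return "typosquat"                # near-miss spelling or TLD swap
    if any(tok in host for tok in BRAND_TOKENS):
        return "brand-on-unofficial"      # brand name used as subdomain or prefix
    return "unrelated"

# Constructed sample links (fifajobs.com is the one named in the article).
SAMPLES = [
    "https://www.fifa.com/tickets",
    "https://fiffa.example/login",
    "https://auth.fifa.com.login-tickets.example/sso",
    "https://fifajobs.com/apply",
    "https://tickets.example.org/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):20} {url}")
```

The brand-token rule is what catches a host that puts the real domain on the left of an attacker-controlled one, which an edit-distance check alone misses.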

How Personal Phones Become Corporate Backdoors

While these campaigns are largely targeting individuals due to the nature of the social engineering in play and the goals of the attackers, organizations are by no means insulated from the damage. Many employees in bring-your-own-device (BYOD) setups use their personal devices for ticket-hunting on their lunch breaks, bypassing VPNs and firewalls entirely and forming a connection between the personal and professional uses for their devices.

Attackers compromising these devices can use their access to employee accounts to infiltrate organizations. “The danger of many phishing schemes, like those leading up to and during the 2026 FIFA World Cup, lies in their ability to grant attackers access to credentials, enabling them to pretend to be trusted insiders,” says Rex Booth, Chief Information Security Officer at SailPoint, an Austin, Texas-based enterprise identity security provider.

In 2026, some estimates place the rate of password reuse as high as 80-85%, indicating a significant risk that can spread far beyond the initial compromise. Recycled credentials across multiple accounts, especially between personal and business environments, can turn a simple attack like the World Cup jersey scam into an organizational entry point for ransomware. Mobile phishing operates in a blind spot that traditional perimeter-based defenses are unable to reach.

The Bigger Picture: Sports Organizations Are Already Losing This Fight

According to data from cybersecurity firm Darktrace, 84% of professional sports organizations have been hit by a cyber incident in the past year, with 57% being hit multiple times. A similarly staggering 84% of malicious emails passed DMARC checks, due in part to attackers using legitimate infrastructure rather than spoofed domains. The security measures in place are not effective in protecting against attacks in the modern threat landscape.

Ransomware is an increasingly insidious threat that is particularly difficult for sports organizations to defend against. Threat actors are constantly advancing their tools and tactics to evade security measures and ensure the continued success of their attacks. One ransomware deployment within a sports organization saw the attackers dwelling and exfiltrating data for two weeks before triggering encryption. In an attack like this, the detection or disclosure of the ransomware attack comes too late for organizations to do anything to stop it.

AI Adoption Outpacing AI Governance

The ongoing AI explosion, with rapidly growing usage by individuals and companies for personal and business purposes, has had a wide range of impacts on many organizations. Darktrace reports that 35% of surveyed security professionals are already deploying or planning to deploy AI into stadium operations, which includes critical functions that are some of the most damaging if compromised. Almost three-fourths (72%) of those surveyed said they expect AI to increase risk, but the widespread use of shadow AI involving sensitive data remains largely ungoverned.

The adoption of AI tools and agents by organizations is one avenue of risk, but cybercriminal usage of AI continues to advance at the same speed—or faster—and introduces significantly increased risk. More and more attackers are using AI tools to scale their phishing efforts, relying on AI to compose and distribute convincing phishing messages at a faster pace than ever before.

When Digital Disruption Becomes Physical Danger

The cyberattacks taking advantage of the World Cup are not completely confined to the cyber sphere, but have the potential to bleed into the physical realm. The convergence of IT and OT blurs the lines between digital and physical attacks, creating an environment where CCTV, access control, and lighting are now all run over IP. This means that attackers compromising accounts and systems can have an impact on the real operations of critical technologies.

Recent geopolitical tensions—like the conflict in Ukraine, Russia’s exclusion from the tournament, and Iran’s participation—introduce the prospect of additional motives for cyberattacks. Nation-state actors and allies may see fit to carry out malicious activity related to the World Cup. The tournament also provides a fixed, unmovable "D-Day" that doesn’t allow for replay or postponement—every minute of delay in the detection of these attacks counts.

What Defense Looks Like When the Clock Can't Stop

It is crucial for organizations to implement security strategies that protect against the risks of these World Cup-related attacks. Behavioral visibility across IT and OT must replace perimeter-based assumptions that continuously fall short against evolving threats in modern environments. Identity is the new control plane in an era where most attacks begin with credentials rather than malware. Mobile threat defense should advance to close the gap created by BYOD setups before the next major global event gives attackers another opening.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.