Executive Summary
Threat actors are increasingly leveraging the 2026 FIFA World Cup as a lure across multiple attack types, most notably sports betting scams, phishing, and fraudulent ticket sales.
Abuse of the FIFA and World Cup brands spans coordinated domain clusters, social media offers, Telegram channels, and cybercriminal forum discussions.
Most of the infrastructure Netcraft has identified is currently in a staging phase, indicating that operators are positioning for activation as the event approaches.
Why the World Cup
As the World Cup fast approaches, the economies that power it are kicking into gear. This includes ticket vendors, hotels, and sports betting services for whom this time is a major financial opportunity. However, threat actors see it that way too. The volume of industries and money flow surrounding World Cup fixtures creates a timely, high pressure, and wide attack surface.
Main Attack Types
The World Cup lure spans a wide range of attack types, from classic phishing to SEO content farming. The categories below are not exhaustive. They are the techniques Netcraft has assessed as having the greatest near-term impact based on current staging activity and observed actor interest.
Ticket and Hotel Scamming
Ticket and hotel resale scams exploit the urgency of securing access to sold-out fixtures. Threat actors advertise last-minute tickets or accommodation, often at a premium, and either disappear after payment or harvest payment card details for downstream fraud. Resale markets sit outside much of the consumer protection that applies to official channels, which makes them attractive both to legitimate secondary sellers and to operators running outright scams.
For example, Netcraft has identified a domain registration cluster covering hotel availability in each of the host cities. The domains do not currently serve live content but exhibit clear staging indicators consistent with preparation for fraudulent use. FIFA maintains official hospitality partnerships with a limited number of hotels, but it has become common for unaffiliated providers to market their own “World Cup packages.” This blurring of official and unofficial offerings creates a perception of endorsement that scammers are well positioned to exploit.
The domains in this cluster share a uniform naming convention ('fifaworldcup2026[city]hotels[.]com') and were registered on the same date, 19 May 2025, similarity consistent with a single operator or affiliated group. Netcraft will continue to monitor the cluster as the tournament approaches.
Domains involved in this cluster:
fifaworldcup2026bostonhotels[.]com
fifaworldcup2026dallashotels[.]com
fifaworldcup2026guadalajarahotels[.]com
fifaworldcup2026hotel[.]com
fifaworldcup2026hotels[.]com
fifaworldcup2026houstonhotels[.]com
fifaworldcup2026losangeleshotels[.]com
fifaworldcup2026mexicocityhotels[.]com
fifaworldcup2026miamihotels[.]com
fifaworldcup2026monterreyhotels[.]com
fifaworldcup2026newyorkhotels[.]com
fifaworldcup2026philadelphiahotels[.]com
fifaworldcup2026seattlehotels[.]com
fifaworldcup2026torontohotels[.]com
fifaworldcup2026vancouverhotels[.]com
Additionally, the ticket sale market has been polluted with several scammers spinning up sites to sell tickets to World Cup matches. In the below example, a scam site claims to be from an official FIFA partner and directs customers to inquire via WhatsApp. Despite the popularity and sold-out status of these matches, the site claims tickets are available for all matches.
Figure 1. worldcup2026ticket[.]shop.
The ticket-scam sites Netcraft has identified do not exhibit the registration or naming consistency seen in the hotel cluster. This suggests that there are many threat actors attempting to exploit ticket-seekers.
Ticket sales have also been observed on Telegram, for example via channels such as “t[.]me/FIFAWorldCup_Tickets.” These channels direct users to sites such as “fifacollect[.]info,” which appear to offer World Cup tickets for sale. Although users may ultimately be redirected to the legitimate collect.fifa.com website, individuals seeking to purchase tickets should use official FIFA platforms directly, as the true intent behind these intermediary sites remains unconfirmed at time of reporting.
Figure 2. t[.]me/FIFAWorldCup_Tickets Telegram channel
Financially motivated actors are also advertising ticket sales across social media platforms including Facebook and X (formerly Twitter). While not every listing is fraudulent, there is a significant risk of scams associated with World Cup and other event ticket sales on social media. Users should exercise caution and purchase tickets only through trusted, legitimate platforms.
Figure 3. Threat actors promising tickets may also be using this tactic with other popular events, as seen above.
Additionally, users on cybercriminal forums have been observed claiming to sell discounted tickets using cryptocurrency payments and Telegram-based transactions. These offers should be treated with extreme caution, as there is no assurance that the tickets being sold are legitimate.
Additional Monetization
Users on cybercriminal forums are also discussing ways to monetise traffic during the World Cup. In one discussion, a user stated that during the previous FIFA World Cup they used “Nwmedia.io” to monetise FIFA- and sports-related blogs, but noted that the platform now appears inactive. The user then requested recommendations for alternative CPA or affiliate-based platforms that pay affiliates for driving user sign-ups, specifically for services where users register and pay to watch live streams.
Another user recommended MGID, an online advertising and marketing platform. A separate response promoted AdMaven, with the user claiming the company was already seeing increased demand ahead of the FIFA World Cup 2026 related to sports, streaming, and live-score traffic. The post further stated that major sporting events typically generate substantial traffic spikes across multiple regions and encouraged publishers to prepare their monetisation strategies in advance. The user also advertised higher revenue potential, global traffic coverage, premium advertising demand for sports and streaming-related traffic, and performance-based bonuses during high-volume periods.
Gambling and Scambling
Sports betting is one of the highest-volume gambling categories globally, and threat actors have built two distinct operating models around it. The first is the unregulated platform: a functional-looking betting site that accepts deposits but selectively denies withdrawals. The second is the impersonation site: a clone of a legitimate operator designed to harvest credentials and drain funds from genuine accounts at the real service.
The following example appears to be imitating Dexsport, a legitimate cryptocurrency gambling platform. This website appears to have been at least partially generated with AI, including slight image issues and heavy code commenting typically associated with AI-generated sites. The site currently has only partial functionality, with some links redirecting to Dexsport. The geo-blocking Dexsport enforces is absent here, suggesting the operator may be deliberately targeting users in regions where this form of betting is otherwise prohibited.
Figure 5. worldcup2026bitcoinbettingpredictions[.]net
The normalization of cryptocurrency’s use in sports betting, including through team sponsorship, is likely to make its use less suspicious to those looking to bet. This reduces friction for scams using crypto to avoid disruptive action against their financial infrastructure.
Evidence of this activity has also been observed on cybercriminal forums. In one forum thread, a user asked how cloaking works for gambling offers promoted through Facebook ads. Another user responded by claiming they had an article on running Facebook betting ads for the 2026 World Cup, but were unsure whether they were allowed to share it.
What to Expect Next
Netcraft assesses that scam activity targeting the 2026 FIFA World Cup is almost certain to rise sharply as kick-off approaches. The infrastructure is being staged now. Fake FIFA-branded websites, ticket promotion domains, abusive SEO content, and lookalike gambling platforms are positioned to be activated once matches are underway.
While this is some of the most visible current staging activity, Netcraft also expects to see fake streaming services to surface as the games begin. These fake streams have previously been observed using sports events to serve malware or phishing credential phishing pages. Netcraft expects to see an evolving and active threat landscape with FIFA and the 2026 World Cup being some of the most impersonated entities in the near term.
