As billions of football fans tuned into the opening matches of the World Cup, a dark web marketplace for accounts to watch the games has risen quickly. As we described in our pre-World Cup blog post, threat actors are eager to run highly large-scale credential stuffing and account takeover (ATO) campaigns. In fact, they’ve been aggressively harvesting accounts for weeks, releasing stolen credentials bit by bit to accommodate demand connected to real-world broadcasting schedules.
Satori researchers have found more than 12 million user accounts available on the dark web, covering 10 streaming services showing matches. In total, threat actors are charging buyers almost $220 million for access to these stolen accounts. And this is before a single knockout game kicks off.
Streaming account fraud is a complex, event-driven ecosystem:

Above, a chart mapping the number of streaming accounts and the cost-per-account in the weeks before the tournament and during the first two-thirds of the group stage. There’s an obvious jump in availability and price in the days immediately preceding the first games, and the offerings have leveled off since then.
On the last day of the group stage (June 27), threat actors released more than 800,000 accounts, driving potential single-day dark web revenue to a high (to date) of $14.8 million.
Some other observations of dark web price and supply:
Before the First Kickoff (May 29 – June 10)
Before the first match began, cybercriminals had already accumulated all the necessary credentials to support their supply chain.

From May 29 to June 3rd, the market climbed from 25,000 accounts available for sale to nearly 90,000, with accounts going for a little less than $10 each. On June 3rd, a batch of premium accounts were listed for sale adding 75,249 accounts and driving average prices to an early peak of $15.03. Just a couple days later, threat actors added a massive wave of more than 700,000 accounts the week before kickoff, bumping prices above $20/account.
Peak Interest (June 11 – June 16)
When the tournament began on June 11th, consumer interest rose dramatically as would-be viewers sought to avoid geographical restrictions and paywalls for game coverage.

On opening day, the average price per account climbed even further, reaching $21.54. Available stock was managed perfectly by cybercriminals, holding steady between 435,000 and 491,000 available accounts.
During this period, the opening match (Mexico v South Africa) and the first matches for the other host countries (Canada v Bosnia and Herzegovina, United States v Paraguay) saw the biggest surge in both account availability and demand as fans searched for ways to watch without paying streaming service fees.
Leveling Off (June 17 – June 27)
As the group stage games continued, high-profile matches saw dramatic increases in both supply and demand, followed by a stabilizing of the market.

Average prices spiked briefly on June 17th to $21.70, driven chiefly by premium listings as well as the dynamic and high-profile England v Croatia match. Likely in an effort to respond to the spike and satisfy waves of new buyers, threat actors dumped a new high of 744,788 concurrent accounts on June 18th, roughly $14 million worth of sales, and just in time for the second Canada and United States group stage games.A final wave of high-profile group stage matchups pushed average account prices back up to an early-tournament peak of $21.82.
As groups D, E, and F battled for knockout positions, demand reached a fever pitch. Average prices across 10 platforms hit their absolute tournament high to date of $24.06 across 2,284 individual listings.
On June 27, at the conclusion of the group stage, threat actors executed the largest coordinated distribution, dumping 802,000 accounts simultaneously, pushing potential single day dark web revenue to $14.8 million.
Final Whistle
The group stages have demonstrated that event-driven cybercrime is organized, responsive and profitable. However, the true test of streaming infrastructure and credential security still lies ahead as we move into the high-stakes knockout rounds.
Satori researchers are actively monitoring accounts for these streaming platforms on underground marketplaces through every stage of the tournament. We’ll follow up after the tournament with a comprehensive recap, so stay tuned.
