Preparations for the 2026 FIFA World Cup, hosted in Canada, the United States and Mexico are in full swing: match schedules are set, match tickets are purchased, hotels and accommodations are booking up, and, unsurprisingly, threat actors are running fraud campaigns targeting almost every digital aspect of the tournament. While fans around the world are keeping their eyes on Brazil, France, Spain, England, and the other 44 teams participating in this year’s tournament, HUMAN’s Satori Threat Intelligence team is keeping an eye on a variety of different threat models frequently connected to major events like the World Cup.
Ahead of the World Cup
Events like the World Cup draw global attention and viewership from a large, geographically diverse audience, both physical and virtual, with tens of thousands of spectators attending the games in person and millions more watching them at home.
Whether targeting fans planning to attend in person or at home, there are several threat models cybercriminals can make use of for fraud campaigns and scams.
Fake or Stolen Inventory
One of the most enduring challenges of 2026 has been getting a ticket to a World Cup match. For many fans, the allure of getting a good deal on the ticket is proving impossible to refuse. But as is often the case with “too good to be true” deals, offers for heavily discounted tickets on the dark web are most certainly based in fraud.
Our researchers are keeping a close eye on three particular threat models, all of which could leave a true fan in the dust.
The first of these is the resale of real tickets that were purchased with a stolen payment card. In this scenario, the threat actor purchases access to a victim’s payment card information and uses it to get tickets to a game at face value. The tickets are then quickly resold to a real fan on a secondary market, often at or even below face value. Since the threat actor never put up any “real” money for the tickets, even a “discounted” sale nets the threat actor some cash. The cardholder, however, may be out the money, not to mention the inconvenience of canceling the card.
The second model is based on account takeover. World Cup tickets are managed in part through a dedicated app, and a threat actor looking to take advantage of the demand for tickets could make it a goal to break into user accounts on that app, transfer the tickets to their own account, and resell the stolen tickets to yet another party.
Finally, clever threat actors are capable of faking tickets entirely, creating a world of heartbreak when the scanners at the gate don’t recognize the bar code.
Accounts for Sale
For the fans watching the Cup from home, the accounts they use to watch the games or to place bets on the outcomes may be the places where they’re hit hardest by threat actors. Accounts on betting and streaming sites are valuable to a threat actor, especially if they have stored balances or payment card information attached.
Researchers have been monitoring dark web marketplaces for accounts for these betting and streaming sites for several months, and will observe whether price points change as the World Cup begins, which would indicate an increased interest—or depleting inventory—of accounts for sale. We’ll post our observations of the dark web prices of these accounts during the World Cup and again afterward, offering a holistic perspective on how threat actors targeted these platforms.
And it’s also important to note that many of these attacks may be conducted using AI tools or agentic browsers. Satori has observed several instances of threat actors using these tools to augment their existing attacks, including making them more scalable, and easier to execute.
Conclusion
The 2026 FIFA World Cup is an exciting event that many of us are looking forward to, but it’s critical to ensure that you (and your organization!) can experience it safely. How can you avoid getting scammed?
Organizations that care about visibility into what agents, bots, and humans are doing need the ability to distinguish trusted activity from suspicious behavior, respond appropriately without adding unnecessary friction, and protect both revenue and customer trust, should reach out at humansecurity.com.