Threat Intelligence | Jun 30, 2026

What the Numbers Say About FIFA 2026 Cyber Risk

FIFA World Cup 2026 faces pre-planned cyber threats targeting partners, fake apps, and travel sites.

Summary

Ahead of the FIFA World Cup 2026, threat actors had pre-planned and deployed significant fraud infrastructure. Research indicates over a third of FIFA partners lack DMARC enforcement, enabling email impersonation. Fake sportsbook apps surged 60x above baseline, with coordinated multi-brand operations and Russian-language Telegram tipster services routing users to fraudulent deposits. Additionally, FIFA-themed lookalike domains for travel and hospitality services were registered months in advance, with a notable preference for the .top TLD.

Full text

What the Numbers Say About FIFA 2026 Cyber Risk The Hacker NewsJun 30, 2026Phishing / Impersonation The FIFA World Cup 2026 opened on June 11. By that date, according to Check Point Research, the fraud infrastructure targeting it had already been built, staged, and partially deployed. Threat actor activity was pre-planned, months out, across three sectors and at least ten languages. Check Point Exposure Management published the FIFA World Cup 2026 Cyber Threat Report this month, covering financial services, transportation, hospitality, and gambling. Here are three findings worth reading carefully. 1 in 3 FIFA Partners Can't Block Email Impersonation Pre-tournament research by Proofpoint found that more than one-third of official FIFA World Cup 2026 partners lack sufficient DMARC enforcement to prevent domain spoofing. That means attackers can send an email that appears to come from a sponsor, a vendor, or a logistics partner, with no technical barrier stopping it. The World Cup supply chain is enormous. Airlines, hotels, broadcast partners, merchandise contractors, and catering companies. Every procurement email traveling that chain is a potential interception point. High transaction volumes, tight deadlines, and the operational chaos of a global event create exactly the conditions that suppress payment verification rigor. Check Point's attack surface management and digital brand protection capabilities are built for this kind of external exposure, continuously monitoring partner ecosystems for authentication gaps and impersonation infrastructure before attackers can use them. Fake Sportsbook Apps Surged 60x Above Baseline A controlled comparison across eight major sportsbook brands, covering 60-day windows in 2025 and 2026 using identical methodology, found zero impersonator app detections in the non-tournament baseline. The pre-tournament window found 64. 
That is roughly 60 times the baseline rate, concentrated in April and May 2026, and concentrated on Google Play. At least five distinct developer accounts published apps spoofing two or more different sportsbook brands within hours or days of each other. This is a coordinated multi-brand operation, timed to tournament activation.

The attack surface here extends well beyond the app stores. Check Point Exposure Management also identified active Russian-language Telegram channels operating as fake tipster services, routing followers through referral links to generate affiliate commissions on fraudulent deposits. The channels split their picks across the audience, so roughly half the subscribers always "win" enough to keep depositing. The sportsbook pays the affiliate commission on every conversion.

Check Point's dark web monitoring covers Telegram channels at this depth, giving security and fraud teams visibility into the operations before the tournament window-branded content fully activates.

The Fake Hotel and Travel Sites Were Built Two Months Before Kickoff

Check Point Exposure Management tracked monthly registrations of FIFA-themed lookalike domains targeting travel and hospitality services from November 2025 through May 2026. April 2026 alone accounted for 21.9% of the entire 12-month sample, eight weeks before kickoff. March and April together represent 34%.

Hotel and lodging brands account for 56% of the total. Travel and tour brands account for another 27%. The sites were built to intercept fans at the point of purchase, when urgency was highest and verification habits were weakest.

A small number of registrars carry most of the infrastructure. GoDaddy, Hostinger, Namecheap, Porkbun, and IONOS together host 56% of the fraudulent domains.

One finding worth flagging: the .top TLD accounts for 28% of registrations. .top is a phishing-favored generic TLD with low abuse-response thresholds and cheap registration costs.
Actors who want infrastructure that stays up choose it deliberately.

A subset of the domains also has MX records configured. That means they can receive email, run reply-path impersonation, and intercept password-reset flows from victim accounts. This is active phishing infrastructure, registered and staged before the tournament started.

Check Point's phishing and brand protection capabilities continuously monitor for this kind of pre-positioned infrastructure, with a 99% takedown success rate and an average mean time to remediation of 12 hours. For organizations whose brands are being cloned at scale ahead of a global event, detection speed and remediation speed are the only variables that matter.

What This Means

Security teams supporting any organization in the financial, travel, hospitality, or gambling sectors should treat the current period as elevated, not because the threat landscape changed with the opening match, but because threat actors were already positioned before it started.

Read the full FIFA World Cup 2026 Cyber Threat Report or contact Check Point Exposure Management if you're seeing escalation.

This article is a contributed piece from one of our valued partners.
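
As an added illustration of the DMARC finding above (this is not code from the article or from either vendor), the sketch below classifies the TXT answers published at `_dmarc.<domain>` by how much enforcement they actually give, following the record rules in RFC 7489. The domains and records are constructed samples, the level names are this example's own, and it assumes the answers belong to the organizational domain, so no parent-domain fallback is performed.

```python
# Added example: grade DMARC TXT records by enforcement level (RFC 7489).
# Domains and records are constructed samples, not data from the report.

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if it is not DMARC."""
    tags = []
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.append((key.strip().lower(), value.strip()))
    # The v tag must come first and be exactly "DMARC1"; anything else
    # (an SPF record, a verification token) is discarded.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def enforcement(txt_records):
    """Classify the TXT answers found at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:
        return "no-policy"      # zero or several records: DMARC is not applied
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor"        # p=none, absent or unrecognised: no action taken
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100   # invalid pct falls back to default
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if pct < 100 or sub_policy == "none":
        return "partial"        # sampled rollout, or subdomains left unprotected
    return "enforced"

SAMPLES = {  # constructed records
    "sponsor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@sponsor-a.example"],
    "airline-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@airline-b.example"],
    "hotel-c.example": ["v=spf1 include:_spf.hotel-c.example -all"],
    "caterer-d.example": ["v=DMARC1; p=quarantine; pct=25"],
    "vendor-e.example": ["v=DMARC1; p=reject; sp=none"],
    "broadcaster-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def lacks_enforcement(samples):
    """Domains whose published policy does not fully block spoofed mail."""
    return sorted(d for d, txt in samples.items() if enforcement(txt) != "enforced")

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(f"{domain:24} {enforcement(txt)}")
```

Only the first sample counts as enforced; a partner inventory can be graded the same way by feeding in the TXT answers from whatever resolver the team already uses.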

Entities

Check Point Research (vendor)
Proofpoint (vendor)
GoDaddy (vendor)
Hostinger (vendor)
Namecheap (vendor)