CTM360 Uncovers 7,000 Rogue Domains as FIFA World Cup 2026 Cyber Fraud Scales Up
CTM360 warns of a coordinated fraud ecosystem targeting FIFA World Cup 2026 fans and brands ahead of the June kickoff. The Bahrain-based firm has already identified over 7,000 tournament-themed domains, 1,000+ active scam sites, and 1,000+ social media impersonation accounts across seven platforms.

Sold-out football stadium at night under floodlights in a Gulf city representing FIFA World Cup 2026 cyber fraud risks
With the FIFA World Cup 2026 less than four weeks from kickoff, CTM360, the Bahrain-headquartered digital risk protection firm, has published a sweeping threat intelligence report revealing the scale of cybercriminal activity now targeting fans, organisations, and brands connected to the tournament.
Researchers identified more than 7,000 FIFA World Cup 2026-themed domains, of which over 4,500 were registered within the past five months alone. More than 1,000 malicious or fraudulent websites are already active, operating alongside over 1,000 social media impersonation accounts spread across TikTok, Facebook, Instagram, X, YouTube, Telegram, and Pinterest.
The findings confirm that threat actors are no longer running isolated phishing attempts. They are operating structured fraud ecosystems that mirror organised cybercrime operations, cycling through infrastructure setup, brand impersonation, victim distribution, credential harvesting, and financial monetisation in repeatable sequences. This mirrors broader phishing-as-a-service trends already hitting GCC organisations, where automated platforms have made large-scale fraud campaigns accessible to a much wider range of threat actors.
Fake Ticketing and Streaming Platforms at Scale
Researchers observed attackers deploying lookalike domains in rapid succession, assembling FIFA-branded websites designed to mimic legitimate ticketing portals and live streaming services. Urgency-based messaging around limited availability, exclusive access, and free match streaming is used systematically to reduce the time victims spend scrutinising links before acting.
Of the domains identified, 89% used .com top-level domains to maximise perceived legitimacy. The infrastructure targets high-interest themes directly tied to fan behaviour: ticket sales, hospitality, travel services, merchandise, match streaming, host city tourism, and betting platforms. City-specific targeting was also observed across all three host countries, the United States, Canada, and Mexico.
Social Media as the Primary Distribution Channel
CTM360 found that social media impersonation is now the central delivery mechanism for these fraud campaigns. Fraudulent accounts promote discounted tickets, VIP packages, free streaming access, and betting promotions across all major platforms. Attackers engage victims directly through comments, private messages, and external messaging platforms before redirecting them to fraudulent payment workflows.
Critically, many of these scam operations deliberately avoid immediate redirection to malicious infrastructure. Attackers build credibility over multiple conversations within trusted platforms first, then request payments through bank transfers, cryptocurrency, or digital payment services. This social engineering layer substantially increases conversion rates by exploiting established trust before the fraud is revealed.
Mobile Malware Hidden Inside Streaming Scams
Beyond financial fraud, CTM360 identified malware campaigns disguised as World Cup streaming applications. One operation distributes malicious Android APKs associated with BTMob malware, a remote access tool capable of credential theft, notification harvesting, OTP interception, and crypto-mining. The malware is packaged as IPTV or streaming applications promising premium match access and, once installed, requests extensive device permissions including accessibility services and full notification access.
Infrastructure Built for Scale and Persistence
Domain registration data shows a sharp surge in FIFA-themed registrations between December 2025 and April 2026, with April alone accounting for more than 2,700 new domains. The operational model is designed to survive takedowns through rapid domain registration, short-lived scam infrastructure, high-volume impersonation accounts, and immediate relaunch after disruption.
This kind of coordinated, at-scale fraud campaign infrastructure is consistent with the broader command-and-control abuse patterns recently identified across Middle East hosting networks, where threat actors deliberately blend across large consumer networks and smaller providers to maintain resilience. Kuwait's CITRA has already recorded rising cyber fraud volumes in 2026, with fraudulent websites accounting for the largest single category of complaints.
CTM360 expects campaign activity to intensify significantly as the tournament approaches. Organisations across the GCC and MENA region with brand exposure to the World Cup, including sponsors, hospitality providers, financial institutions, and broadcasters, are advised to review their digital risk posture before June.
The full CTM360 report is available at ctm360.com.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.