The FIFA World Cup 2026 opened on June 11. By that date, according to Check Point Research, the fraud infrastructure targeting it had already been built, staged, and partially deployed. Threat actor activity was pre-planned, months out, across three sectors and at least ten languages.
Check Point Exposure Management published the FIFA World Cup 2026 Cyber Threat Report this month, covering financial services, transportation, hospitality, and gambling. Here are three findings worth reading carefully.
1 in 3 FIFA Partners Can’t Block Email Impersonation
Pre-tournament research by Proofpoint found that more than one-third of official FIFA World Cup 2026 partners lack sufficient DMARC enforcement to prevent domain spoofing. That means attackers can send an email that appears to come from a sponsor, a vendor, or a logistics partner, with no technical barrier stopping it.
The World Cup supply chain is enormous. Airlines, hotels, broadcast partners, merchandise contractors, and catering companies. Every procurement email traveling that chain is a potential interception point. High transaction volumes, tight deadlines, and the operational chaos of a global event create exactly the conditions that suppress payment verification rigor.
Check Point’s attack surface management and digital brand protection capabilities are built for this kind of external exposure, continuously monitoring partner ecosystems for authentication gaps and impersonation infrastructure before attackers can use them.
Fake Sportsbook Apps Surged 60x Above Baseline
A controlled comparison across eight major sportsbook brands, covering 60-day windows in 2025 and 2026 using identical methodology, found zero impersonator app detections in the non-tournament baseline. The pre-tournament window found 64. That is roughly 60 times the baseline rate, concentrated in April and May 2026, and concentrated on Google Play.
At least five distinct developer accounts published apps spoofing two or more different sportsbook brands within hours or days of each other. This is a coordinated multi-brand operation, timed to tournament activation.
The attack surface here extends well beyond the app stores. Check Point Exposure Management also identified active Russian-language Telegram channels operating as fake tipster services, routing followers through referral links to generate affiliate commissions on fraudulent deposits. The channels split their picks across the audience, so roughly half the subscribers always “win” enough to keep depositing. The sportsbook pays the affiliate commission on every conversion.
Check Point’s dark web monitoring covers Telegram channels at this depth, giving security and fraud teams visibility into the operations before the tournament window-branded content fully activates.
The Fake Hotel and Travel Sites Were Built Two Months Before Kickoff
Check Point Exposure Management tracked monthly registrations of FIFA-themed lookalike domains targeting travel and hospitality services from November 2025 through May 2026. April 2026 alone accounted for 21.9% of the entire 12-month sample, eight weeks before kickoff. March and April together represent 34%.
Hotel and lodging brands account for 56% of the total Travel and tour brands account for another 27%. The sites were built to intercept fans at the point of purchase, when urgency was highest, and verification habits were the weakest.
A small number of registrars carry most of the infrastructure. GoDaddy, Hostinger, Namecheap, Porkbun, and IONOS together host 56% of the fraudulent domains. One interesting finding worth flagging is .top TLD accounts for 28% of registrations. .top is a phishing-favored generic TLD with low abuse-response thresholds and cheap registration costs. Actors who want infrastructure that stays up choose it deliberately.
A subset of the domains also has MX records configured. That means they can receive email, run reply-path impersonation, and intercept password-reset flows from victim accounts. These are active phishing infrastructures, registered and staged before the tournament started.
Check Point’s phishing and brand protection capabilities continuously monitor for this kind of pre-positioned infrastructure, with a 99% takedown success rate and an average mean time to remediation of 12 hours. For organizations whose brands are being cloned at scale ahead of a global event, detection speed and remediation speed are the only variables that matter.
What This Means
Security teams supporting any organization in the financial, travel, hospitality, or gambling sectors should treat the current period as elevated, not because the threat landscape changed with the opening match, but because threat actors were already positioned before it started.
Read the full FIFA World Cup 2026 Cyber Threat Report or contact Check Point Exposure Management if you’re seeing escalation.
