The 2026 World Cup kicks off on June 11. But for cybercriminals, the competition has already begun. Security researchers and the FBI have warned in recent days of a wave of fraud specifically targeting fans' mobile devices.
A spike in malicious streaming apps, notably imitating the popular RojaDirecta, had already been observed around the recent Champions League final, and researchers expect a repeat on a larger scale during the World Cup.
Indeed, over the past few months, Android banking trojans disguised as streaming applications have been multiplying. In February 2026, the Massiv trojan was identified in fake applications targeting France, Spain, Portugal and Turkey. The applications mimic the interface of legitimate services while overlaying fake banking login screens, recording keystrokes and taking remote control of the device.
In March, a more advanced trojan, Perseus, was also discovered. Based on the source code of the notorious Cerberus, it takes espionage even further: beyond the standard banking theft capabilities, Perseus reads the contents of note-taking apps (Google Keep, Samsung Notes, Evernote, OneNoteā¦) to extract passwords and crypto recovery phrases.
And in May 2026, another malware, BTMOB, was identified in fake streaming apps offering access to World Cup matches. Distributed this time as a malware-as-a-service, it makes this type of attack accessible to cybercriminals without advanced technical skills.
Phishing campaigns are also multiplying as the World Cup approaches. Nearly 19,000 domains containing references to FIFA have been created since January 2026, fuelling phishing campaigns designed to collect credentials and payment information from fans searching for tickets and merchandise.
At the centre of this infrastructure, a group called Ghost Stadium operates more than 300 phishing sites using a single kit that replicates FIFA's authentication system identically. The pages load images directly from FIFA's official servers, making them virtually undetectable.
When the victim enters their credentials, the attacker captures them and simultaneously triggers a password reset to lock the real account, allowing them to resell the legitimate tickets associated with it.
Fake apps and phishing links are distributed through massive social media campaigns. More than 1,700 fake FIFA accounts have been identified, nearly 90% of them on Facebook and Instagram. Sponsored posts promote fake streaming offers, "free" bets, or fictitious World Cup-related jobs.
On Telegram, fake ticket resale groups redirect to fraudulent payment portals. In every case, the mechanism is the same: a link that takes the victim outside the social media app to an external malicious site : a fake FIFA portal, an infected APK download page, or a fraudulent payment form.
The attacks linked to the World Cup exploit the same vectors as everyday mobile threats, but at a significantly increased scale and intensity.
Pradeo Mobile Threat Defense protects mobile devices against each of these vectors:
Major sporting events are accelerators of mobile threats. 150 million ticket requests for 6 million seats, millions of fans searching for streams on their smartphones, urgency and scarcity pushing people to act fast, the ideal conditions for cybercriminals. For organisations whose employees use their professional devices outside the office, the period ahead is one of heightened risk.