Scammers using AI are expanding their attacks on consumers who are interested in the World Cup, according to threat researcher Arctic Wolf.
Since January, Arctic Wolf observed more than 10,000 World Cup themed domains pop up, at a rate of roughly 2,000 new domains per month. Not all are malicious, but with generative AI now producing the sites, the content, and even the apps, attack automation has reached a new level.
The threat has moved to the phone
The dominant attack surface of 2026 is the mobile device. Lures live as deceptively “clean” posts on social media, which then funnel victims into WhatsApp, Telegram, or Discord. This is where the actual fraud or malware delivery happens, out of sight of platform moderation, and in an environment where users trust what they see and cyber defenses are weaker.
Timing is a weapon.
Many malicious operations are designed to detonate at the last moment. Channels recruit subscribers with a promise to drop a “free stream” link five minutes before each match begins: the timing banks on excited fans not stopping to check whether a link is malicious.
Organizers are being targeted, not just fans.
Arctic Wolf identified a weaponized “Employee Handbook” PDF aimed at staff of a U.S. host city, and a cluster of fake “FIFA careers” sites engineered to steal corporate Google Workspace accounts. This demonstrates targeting of the event’s own supply chain.
The desktop infostealer is alive and well.
Arctic Wolf found a World Cup ticket lure which delivers a Windows stealer that exfiltrates everything of value on a victim machine to attacker-controlled Telegram and Discord channels.
The findings suggest threat actors are treating the World Cup not just as a consumer scam opportunity, but as a supply-chain and identity-theft opportunity aimed at the organizations helping run the event.
We’ve asked FIFA for comment.
Disclosure: I have family working at FIFA.