


NEWS EXPRESS is Nigeria’s leading online newspaper. Published by Africa’s international award-winning journalist, Mr. Isaac Umunna, NEWS EXPRESS is Nigeria’s first truly professional online daily newspaper. It is published from Lagos, Nigeria’s economic and media hub, and has a provision for occasional special print editions. Thanks to our vast network of sources and dedicated team of professional journalists and contributors spread across Nigeria and overseas, NEWS EXPRESS has become synonymous with newsbreaks and exclusive stories from around the world.

By CRIS ESPARZA, MANASA PISIPATI, and RUTY DAVIDSON
The FIFA World Cup 2026 kicks off this week, on June 11. Across 16 cities in the US, Canada, and Mexico, billions of people will be watching, traveling, betting, and spending. Threat actors have been watching too, and for far longer.
Check Point Research and Check Point Exposure Management spent the past year tracking the cyber threat landscape building around this tournament. What emerged is a coordinated pre-positioning effort across three sectors that sit at the center of the World Cup economy: finance, travel and hospitality, and gambling. The infrastructure is already built, and most of it is already live.
Financial Sector: Fraud Follows the Money
The financial ecosystem around any mega-event is exactly the kind of environment threat actors prefer. Surging transaction volumes, unfamiliar merchants, compressed purchasing windows, and international flows all reduce the scrutiny that normally slows fraud down.
Around this tournament, event-driven crypto scams are scaling. Tokens like $WORLDCUP exhibit the hallmarks of rug-pull schemes: no identifiable team, no independent security audit, no FIFA affiliation, and aggressive social promotion timed to exploit pre-tournament excitement.
On the consumer side, card-not-present fraud and social engineering campaigns are replicating patterns documented at Qatar 2022 and Paris 2024, targeting ticketing, travel, and hospitality purchase flows.
At the B2B level, the picture is more acute. Proofpoint research found that more than one-third of official FIFA World Cup 2026 partners lack sufficient DMARC enforcement to prevent domain spoofing of their procurement chains. That gap is an open door for business email compromise, where fraudulent invoices and payment redirection occur with minimal friction. FinCEN has also issued warnings about elevated anti-money laundering risk, with cross-border cash flows around the tournament creating pressure on banks, fintech platforms, and payment processors operating near host cities.
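The DMARC gap described above can be checked from a domain's published TXT record. The following is an added example, not code from Check Point or Proofpoint: the domains and records are constructed, the function names are hypothetical, and treating only `p=quarantine` or `p=reject` at `pct=100` with subdomains covered as "enforced" is an assumption about what sufficient enforcement means.

```python
# Added example: classify DMARC TXT records by enforcement level (RFC 7489 tags).
# All domains and records below are constructed for illustration.

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None  # v=DMARC1 must be the first tag
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def enforcement(txt):
    """Classify a record as missing, monitor-only, partial, or enforced."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None or tags.get("p") not in ("none", "quarantine", "reject"):
        return "missing"       # no usable policy: receivers apply nothing
    policy = tags["p"]
    sub_policy = tags.get("sp", policy)  # subdomains inherit p unless sp is set
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100              # assumption: treat an unparsable pct as the default
    if policy == "none":
        return "monitor-only"  # reports are sent, spoofed mail is still delivered
    if pct < 100 or sub_policy == "none":
        return "partial"       # a share of spoofed mail or all subdomains escape
    return "enforced"

# Constructed sample: what a DNS TXT lookup of _dmarc.<domain> might return.
SAMPLE_RECORDS = {
    "partner-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@partner-a.example",
    "partner-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@partner-b.example",
    "partner-c.example": "v=DMARC1; p=quarantine; pct=25",
    "partner-d.example": "v=DMARC1; p=reject; sp=none",
    "partner-e.example": None,           # no _dmarc record published
    "partner-f.example": "v=spf1 -all",  # an SPF record, not DMARC
}

def audit(records):
    """Map each domain to its enforcement level."""
    return {domain: enforcement(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, level in audit(SAMPLE_RECORDS).items():
        print(f"{domain:20} {level}")
```

Anything other than "enforced" leaves receivers free to deliver mail that spoofs the domain, which is the condition that invoice and payment-redirection fraud relies on.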
Beyond fraud, financial ecosystems around the World Cup are also exposed to broader organised criminal activity. Authorities have warned that the surge in cross-border transactions and visitor flows creates opportunities for money laundering and human trafficking networks, particularly in host cities. This places additional pressure on banks, fintech platforms, casinos, and payment processors, which must monitor abnormal transaction patterns tied to exploitation activity.
Transportation and Hospitality: Zero Tolerance for Downtime, Maximum Pressure to Pay
Attackers have targeted transportation and hospitality infrastructure at every major tournament in recent memory, and the tactics have escalated each time.
At the 2014 World Cup in Brazil, Anonymous ran coordinated DDoS attacks against the official tournament website, government portals, and corporate sponsors including Emirates Airline. At PyeongChang 2018, destructive malware dubbed Olympic Destroyer took down the official Olympics website, ticketing platforms, and stadium Wi-Fi during the opening ceremony, leaving thousands unable to print tickets. At Qatar World Cup 2022, a Chinese-linked group quietly compromised the telecommunications provider supporting World Cup operations, embedding persistent access into network infrastructure that went undetected for the entire tournament.
Most recently, during the Milano-Cortina 2026 Winter Olympics, NoName057(16) ran DDoS campaigns against Italian hospitality and transit services while railway signaling infrastructure was physically sabotaged. Both were timed for the opening ceremony.
Closer to home, fan-facing fraud is already scaling. FIFA-themed lookalike domains impersonating hotels and travel booking platforms peaked in April 2026, with accommodation brands accounting for 56% of impersonation activity across the sample. These sites are built and waiting.
In a live tournament scenario such as the FIFA World Cup, the operational impact of these attacks is immediate. For example, a ransomware attack on an airline or airport could lead to flight delays, missed connections, and stranded fans, while a disruption to hotel systems could prevent check-ins across thousands of bookings, which could cascade into safety risks, crowd management challenges, and global reputational damage.
With 16 host cities across three countries and millions of fans in transit, the attack surface for FIFA 2026 is larger than any prior tournament. The historical precedent is clear on what comes next.
Gambling: The Infrastructure is Staged and Waiting
The gambling sector faces a threat that is structurally different from the others: much of the fraud infrastructure is already registered, partially deployed, and waiting for activation. Domains with placeholder content, inactive landing pages, and incomplete configurations suggest attackers are timing activation to coincide with peak betting activity during the tournament.
Check Point Exposure Management analysis of a 758-domain sample (open-source domain registration data) shows April 2026 alone accounted for 22% of the entire year's brand-lookalike domain registrations, eight weeks before kickoff. March and April together represent 34% of the annual sample. Domains are sitting with placeholder content, Cloudflare error pages, or generic gambling themes, and are consistent with operators staging infrastructure for activation in the final fortnight before June 11.
Mobile-app impersonation has surged to approximately 60 times the non-tournament baseline compared to the same window in 2025. Over 35 confirmed fake sportsbook apps were published on Google Play in a coordinated operation targeting multiple major brands with shell developer accounts. Meanwhile, Telegram-based tipster channels are already running bonus-abuse schemes, funneling followers through referral links and splitting picks across the audience to sustain the illusion of winning, while harvesting affiliate commissions from legitimate operators.
Regulatory exposure is a key factor. US state regulators, Ontario's AGCO, and the UK Gambling Commission have all signaled heightened enforcement during the tournament window. Operators whose affiliates breach standards can face penalties even where the operator was unaware. That's a meaningful liability when affiliate activity is surging and vetting is under pressure.
The reason attackers are concentrating on financial services, transportation, and gambling is simple: these sectors sit at the center of the World Cup economy. They process the highest transaction volumes, operate under time pressure, and rely heavily on user trust, making them ideal targets for attacks designed to scale quickly and create visible disruption.
What This Means for Businesses' Security Posture
The common thread across all three sectors is timing. Threat actors are already pre-positioning infrastructure, testing entry points, and activating campaigns at moments of peak visibility and operational pressure. By the time the tournament is live, the window for preparation will have largely closed.
This report highlights a shift in how cyber threats develop around global events: attackers are no longer waiting for opportunities; they are building them in advance. For organisations, this means preparation must happen before the tournament begins. For fans, it means recognizing that trust alone is no longer enough.
Check Point's Exposure Management provides continuous monitoring across brand impersonation, exposed attack surfaces, dark web signals, and threat actor activity, giving security and marketing teams the visibility to act before staged infrastructure activates.
The full report covers all three sectors in depth, including specific incidents, threat actor profiles, historical parallels from Qatar 2022 and Paris 2024, and recommendations tailored to financial services, transportation and hospitality, and gambling operators. In an event defined by global scale and visibility, even a single cyber incident can quickly become a global story.
• Cris Esparza, Manasa Pisipati, and Ruty Davidson are Cyber Threat Intelligence Analysts, Check Point Software Exposure Management

























