World Cup 2026 Scams: Phishing, Crypto Drainers and Ticket Fraud

  • Lydia McElligott

Major sporting events have always attracted fraud. The World Cup is no exception, and threat actors don't wait for the opening match to start running campaigns.

Forcepoint X-Labs has identified three active attack types exploiting World Cup 2026 excitement: a crypto wallet drainer impersonating a well-known gambling platform, a typosquatted ticket-selling site targeting fans looking for match access, and a pair of advance fee fraud emails claiming FIFA lottery winnings.

Each uses a different lure and delivery method, but all three follow the same playbook: exploit a high-interest event, borrow the credibility of a trusted brand and move fast before defenses catch up.

Here's what we found.

Threat #1: Crypto Wallet Drainer, Stake.com Impersonation

Threat Type | Detail
Threat Type | Phishing / Crypto Wallet Drainer
Brand Impersonated | Stake.com
Lure | World Cup 2026 Token Farming Event

This campaign begins with a phishing email sent from the domain web-stake[.]com, impersonating Stake.com, a legitimate online gambling and crypto betting platform. The email invites recipients to participate in a World Cup 2026 "Token Farming" event, a DeFi-style promotion designed to appeal to users already familiar with Stake's crypto offerings.

The embedded link doesn't go directly to the drainer. Instead, it routes the recipient through a Vercel-hosted redirect at hxxps://ilvvtestetd[.]vercel[.]app/. The use of Vercel is deliberate. As a legitimate and widely used development platform, Vercel carries a positive reputation score with many email security filters, making the redirect harder to flag at the gateway level.

The final destination is a fraudulent DeFi landing page at hxxps://get[.]rpc-stake[.]com/farm. Victims who connect their cryptocurrency wallet on this page trigger a wallet drainer, a script that transfers digital assets directly to an attacker-controlled address. Once the transaction executes, it cannot be reversed.

 

Fig. 1: Phishing email, sender domain web-stake[.]com

  

Fig. 1.5: Drainer landing page at get[.]rpc-stake[.]com/farm


IOCs

Indicator | Details
Sending domain | rewards[@]web-stake[.]com
Redirect (in email) | hxxps://ilvvtestetd[.]vercel[.]app/
Drainer payload | hxxps://get[.]rpc-stake[.]com/farm

What to watch for

Verify the sender domain against the official platform, not just the display name. Never connect a crypto wallet via a link received in an unsolicited email. A recognizable infrastructure provider appearing in a URL, such as Vercel, does not indicate the destination is safe. Redirect chains through legitimate platforms are a common and effective evasion technique.

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 2 (Lure) — Phishing/Spam emails are blocked by analytics.
  • Stage 3 (Redirection) — The redirected Vercel URL is blocked by Real-Time Scanning.
  • Stage 4 (Phishing URL) — The Crypto Wallet Drainer URL is blocked by Real-Time Scanning.

 

Threat #2: Ticket Phishing, SeatGeek Impersonation

Threat Type | Details
Threat Type | Phishing / Financial Fraud
Brand Impersonated | SeatGeek
Lure | 50% off World Cup tickets, expires tomorrow

Ticket fraud is a predictable feature of every major sporting event, but the execution here is worth examining closely. This campaign impersonates SeatGeek, a mainstream ticket marketplace, and promotes a 50% discount on World Cup match tickets paired with artificial scarcity: "2 tickets left" and a next-day expiry on the offer.

The embedded link directs users to seatgaek[.]com, a typosquatted domain that differs from the legitimate seatgeek[.]com by a single transposed letter. SeatGeek has itself warned users about this lookalike domain in its own scam advisories, which suggests the domain has been active long enough to generate public complaints.

Victims who attempt to purchase tickets on the fraudulent site submit payment card details to an attacker-controlled platform. No tickets are delivered.

 

Fig. 2: Phishing email linking to seatgaek[.]com

 

IOCs

Indicator | Details
Phishing domain | hxxps://seatgaek[.]com
Legitimate domain | hxxps://seatgeek[.]com

What to watch for

Verify the domain character by character before entering payment information on any ticketing site. Navigate directly to the official platform rather than following links from email. Urgency and scarcity messaging like "expires tomorrow" and "X tickets left" are deliberate pressure tactics designed to compress the time a potential victim has to scrutinize what they're looking at.
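
A sketch of the domain checks described under "What to watch for" for Threats #1 and #2, as an added example rather than Forcepoint's own detection logic. The OFFICIAL allow-list, the verdict names and the naive last-two-labels domain rule are assumptions; the indicators are the ones listed on this page.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list of official brand domains; extend for your environment.
OFFICIAL = {"seatgeek.com", "stake.com"}

def refang(s):
    """Undo defanging (hxxps, [.], [@]) so the indicator can be parsed."""
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")

def registered_domain(host):
    # Naive last-two-labels rule; use a Public Suffix List in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) turning a into b."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1,
                          d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def classify(indicator):
    """Return (verdict, official_domain) for a URL, e-mail address or host."""
    text = refang(indicator)
    host = urlsplit(text).hostname if "://" in text else text.rsplit("@", 1)[-1]
    dom = registered_domain(host)
    if dom in OFFICIAL:
        return ("official", dom)
    name = dom.split(".")[0]
    for off in sorted(OFFICIAL):
        brand = off.split(".")[0]
        limit = 1 if len(brand) < 8 else 2   # short names: stricter match
        if edit_distance(name, brand) <= limit:  # also catches same name, other TLD
            return ("typosquat", off)
        if brand in re.split(r"[-_]", name):     # brand used as a hyphenated token
            return ("brand-embedded", off)
    return ("no-brand-match", None)

# Indicators as listed on this page (still defanged).
PAGE_IOCS = ["rewards[@]web-stake[.]com", "hxxps://ilvvtestetd[.]vercel[.]app/",
             "hxxps://get[.]rpc-stake[.]com/farm", "hxxps://seatgaek[.]com",
             "hxxps://seatgeek[.]com"]

if __name__ == "__main__":
    for ioc in PAGE_IOCS:
        print(ioc, "->", classify(ioc))
```

The Vercel redirect comes back as no-brand-match, which is why a lookalike check has to be applied to the final destination of a redirect chain and not only to the link in the email.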

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 2 (Lure) — Phishing/Spam emails are blocked by analytics.
  • Stage 3 (Phishing URL) — Embedded URLs are blocked by Real-Time Scanning.

 

Threat #3: Advance Fee Fraud, FIFA Lottery Impersonation

Threat Type | Details
Threat Type | Advance Fee Fraud / PII Harvesting
Brand Impersonated | FIFA
Lure | World Cup lottery prize: $2,000,000 / £4,000,000

X-Labs identified two separately distributed emails claiming recipients had won multi-million-dollar or multi-million-pound World Cup lottery prizes. Both were sent from free personal email accounts, including Gmail, Yandex and AtomicMail, to undisclosed recipients with no affiliation with FIFA.

Despite differences in prize amounts, wording and contact details, the two variants share the same underlying fraud model. Each email requests extensive personal information upfront: full name, address, telephone number, occupation and employer details. That data alone has value. It can be sold or used to build a more convincing follow-on fraud. The more familiar outcome is an advance fee scheme, in which victims are later instructed to pay a processing or administrative fee to unlock their supposed winnings.

The structural similarities between the two variants point to a common template or coordinated distribution, and reflect how easily World Cup-themed lottery campaigns can be adapted and redistributed by different actors with minimal effort.

  

Fig. 3: Lottery scam, $2,000,000 variant (sent from Gmail)
 

 

Fig. 3.5: Lottery scam, £4,000,000 variant (sent via AtomicMail / Yandex)

 

IOCs

Indicator | Details
Sending address (v1) | lulchevar[@]gmail[.]com
Contact email (v1) | mrrichardwerner[@]gmail[.]com
Contact email (v2) | fifa2026[@]atomicmail[.]io
Contact email (v2) | ukhouse[.]ahe[@]yandex[.]com

What to watch for

No legitimate lottery notifies winners by unsolicited email, and FIFA does not run prize draws of any kind. Any unsolicited email requesting personal information in exchange for prize winnings should be treated as fraud regardless of the branding it carries. The request for employer details in particular is a signal: that information serves no purpose in a legitimate prize claim and significant purpose in targeted social engineering.
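
The traits X-Labs describes for the lottery emails (brand claim from a free mail account, undisclosed recipients, a separate contact address, a request for personal details) expressed as a triage heuristic. This is an added example, not Forcepoint's analytics; the signal names, the threshold of three requested fields and the sample message, including its addresses, are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "yandex.com", "atomicmail.io"}  # providers named on this page
BRANDS = ("fifa", "world cup")
PII_FIELDS = ("full name", "address", "telephone", "occupation", "employer")

# Constructed sample message; the addresses are placeholders, not real indicators.
SAMPLE = """\
From: "FIFA World Cup Lottery" <constructed.sender@gmail.com>
To: undisclosed-recipients:;
Subject: FIFA World Cup 2026 Lottery Winner

You have won $2,000,000. To claim, send your Full Name, Address,
Telephone, Occupation and Employer to constructed.claims@yandex.com.
"""

def lottery_signals(raw):
    """Return the advance-fee-fraud signals present in a plain-text message."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    body = msg.get_payload().lower()
    claimed = (display + " " + msg.get("Subject", "")).lower()
    signals = []
    # A brand named in the display name or subject, sent from a free account.
    if any(b in claimed for b in BRANDS) and sender.split("@")[-1] in FREEMAIL:
        signals.append("brand-claim-from-freemail")
    if "undisclosed" in msg.get("To", "").lower() or not msg.get("To"):
        signals.append("undisclosed-recipients")
    # Replies are steered to an address other than the one that sent the mail.
    contacts = set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", body)) - {sender}
    if contacts:
        signals.append("contact-address-differs-from-sender")
    asked = [f for f in PII_FIELDS if f in body]
    if len(asked) >= 3:
        signals.append("pii-request:" + ",".join(asked))
    return signals

if __name__ == "__main__":
    print(lottery_signals(SAMPLE))
```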

Protection Statement

Forcepoint customers are protected against this threat at the following stage of attack:

  • Stage 2 (Lure) — Phishing/Spam emails are blocked by analytics.

 

Conclusion

These three campaigns share a structural logic that X-Labs sees repeat across every major global event. Threat actors don't build new infrastructure for World Cup scams. They adapt existing fraud operations, including wallet drainers, typosquatting kits and advance fee templates, to a new event context, swap in a relevant brand and distribute. The turnaround time between event announcement and active campaign is shrinking.

During the World Cup, organizations should anticipate an increase in themed phishing campaigns targeting employees and consumers alike. The lures will invoke urgency, scarcity and brand recognition. The defenses remain consistent: domain verification, skepticism toward unsolicited offers and user awareness that major events are a reliable signal for elevated phishing activity.

X-Labs will continue monitoring World Cup-themed threat activity through the tournament.

    Lydia McElligott is a Security Researcher with the Forcepoint X-Labs Threat Research team. She researches cyberattacks that target the web and email, with a particular focus on URL analysis, email security and malware campaign investigation.
