The most oversubscribed sporting event in history is also the most phished. With more than 150 million ticket requests in the first 15 days and just six million seats across 16 cities in the US, Canada, and Mexico, the 2026 FIFA World Cup has created exactly the conditions that fraud thrives on: scarcity, urgency, and money moving fast.

Security researchers, the FBI, and multiple cybersecurity firms have published warnings in the past week describing a fraud infrastructure that is already operational, well-resourced, and scaling. The picture that emerges is not a handful of opportunistic phishing pages. It is a layered ecosystem of fake domains, banking malware, credential theft, and social media impersonation, all converging on the same window.

One operator, 300 cloned FIFA sites

The most detailed findings come from Group-IB, which tracked more than 4,300 fraudulent FIFA domains registered since August 2025. At the centre is a group it calls Ghost Stadium, a Chinese-speaking, financially motivated operation running a single phishing kit across more than 300 of those sites.

The fake is good. The page is a near-perfect copy of fifa.com, mimicking FIFA’s real single sign-on login, run by PingIdentity, down to the genuine client ID copied from the live site. It loads images directly from FIFA’s own servers, so the page looks authentic and slips past tools that flag copied assets.

The damage is in the details: the fake login also asks to reset the password. Once a victim enters credentials, the attacker locks them out of their real FIFA account and resells any tickets tied to it. Most traffic comes from Facebook ads with reused tracking codes, plus links on Telegram, WhatsApp, and in search results. Payment options include card entry, money-transfer apps like Chime and Nequi, Mexico-only processors, and a crypto option that converts card payments into cryptocurrency. That last one is a reliable tell, since FIFA’s official ticketing never accepts crypto.

13,000 domains and counting

FortiGuard Labs counted more than 13,000 World Cup-themed domains registered between January and May, roughly 8.8% of them classified as malicious or suspicious. The FBI’s public service announcement lists dozens of fake FIFA domains, from misspelled lookalikes to phony job pages, and warns more are coming.

Ticket fraud is just one piece. Group-IB also found counterfeit merchandise shops, bogus streaming sites that take a subscription fee and then install malware, and fake betting platforms that collect passport scans and selfies for identity theft. Bitdefender separately tracked FIFA lottery emails promising payouts of up to $2 million.

Group-IB estimates losses from premium and hospitality ticket fraud alone at $71 million to $474 million, with the broader campaign potentially reaching into the billions. Those are projections based on visible infrastructure, not confirmed losses.

Banking malware in streaming apps

For fans chasing free match streams, the bigger danger is on the phone. ThreatFabric observed a spike in malicious unofficial streaming apps, many posing as the popular RojaDirecta, around the recent Champions League final and expects a repeat at the World Cup on a larger scale.

Kaspersky tied those apps to two Android banking trojan families: Massiv and Perseus. Neither is distributed through Google Play, so installing one requires clicking past Android’s built-in warnings. Once installed, the malware uses accessibility tools to overlay fake bank login screens on real apps, record keystrokes, intercept one-time codes from SMS and authenticator apps, and control the screen remotely.

Perseus, built on leaked code from the older Cerberus trojan, even reads note-taking apps for saved passwords and crypto recovery phrases. The simplest red flag, according to ThreatFabric, is a streaming app requesting accessibility access. No legitimate streaming app needs it.

Social media, stolen credentials, and open Wi-Fi

Fortinet counted over 1,700 spoofed FIFA accounts, nearly 90% on Facebook and Instagram, plus a scheme using fake FIFA job ads and calendar invites to redirect applicants to a lookalike Google login. Bitdefender found more than 55 football-themed ad campaigns on Facebook and Instagram pushing counterfeit kits, fake Panini stickers, and phishing pages.

Stolen FIFA logins are already circulating. Fortinet found hundreds of thousands of user credentials, plus more than 4,600 FIFA-related URLs, in data collected by credential-stealing malware families including Vidar, LummaC2, and RedLine.

Host-city Wi-Fi is its own problem. A Kaspersky survey that drove around Mexico City, Monterrey, and Guadalajara found 10% to 12% of networks open and password-free, with the WPS pairing feature still active on nearly half. Both leave openings for rogue “evil twin” hotspots that copy a real network and quietly intercept traffic.

What to watch for

The scams leave clear tells. Buy tickets only through fifa.com, typed directly, not via an ad or search result. Enable multi-factor authentication, and treat any seller requesting cryptocurrency as a scam. On Android, refuse accessibility permissions for streaming apps. On open Wi-Fi in host cities, use mobile data for banking and email.

Meta says it is now showing warning pop-ups when people search Facebook for FIFA tickets, and it partnered with Visa to take down a Facebook network linked to fake World Cup gambling sites. The FBI is asking victims to report at IC3.

The bigger concern is what has not yet been activated. Group-IB counted roughly 3,800 fraudulent FIFA domains sitting parked and unused, ready to switch on. With ready-made scam kits and ticket-buying bots already for sale, the peak window is easy to predict: 11 June to 19 July, when searches for tickets, streams, and travel will be at their highest.

Thinking about investing in a Fire TV Stick? You’ve timed it well — there’s another Amazon Prime Day fast approaching, and these little gadgets are almost certainly going to be heavily discounted during the event.

A Fire TV stick plugs into your TV’s HDMI port to turn it into a smart TV, from which you can access various apps — including not just Prime Video but all the best streaming services. It’ll also enable you to control your TV using your voice, via Alexa — a game-changer for commands that would otherwise require lengthy typing using your remote’s arrow keys (truly, is there anything more dull?).

The Denon Home 400 sits in the Japanese brand’s completely repositioned Home 2.0 range for 2026, and it doesn’t take much to see the updates as a direct challenge to Sonos and the best wireless speakers on the market. The range features three speakers — the Denon Home 200, 400 and 600 — all of which promise spatial audio from a single box. They’re all tuned by sound masters, built for native stereo playback even as singular units, deliver an immersive experience, and have refined designs.

The Denon Home 400 sits right in the middle of the range, but occupies a bit of a sweet spot. Its $599 price tag puts it at the same ball park as the Sonos Era 300, and I think Denon comes out of the comparison looking like the better option.

It’s raining blood, hallelujah.

Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials.

Both Japanese companies advised users who entered their account login data in the authentication screens to change their passwords to access the service.

The login pop-ups were generated by the external service hosted at polyfill[.]io, which in 2024 introduced malicious code in scripts delivered by its CDN.

“We have confirmed that some parts of our website may display a sign-in screen like the one shown below. We are currently working to eliminate this screen, but if you do see it, please select “Cancel” without entering any information,” Toshiba said in a short communication.

Japanese retail giant Muji published a similar announcement earlier this week, warning website visitors of suspicious authentication screens generated by the external service polyfill[.]io.

“At this time, we have not confirmed any unauthorized access or information leakage to this site, but in order to ensure the safety of our customers, we ask that you consider your response,” Muji states.

Both Toshiba and Muji have solved the issue and suspended the service.

Japanese media outlets reported that Zojirushi, FiNC Technologies, Ishiyaku Publishers, and online publishing brand Hobonichi were also impacted by the same issue.

Security researcher Pasquale Pillitteri says that Samsung Smart TVs and websites also displayed a login prompt on June 1.

Some reports claim that the problem was caused by the polyfill[.]io incident in 2024, when the domain was purchased by a Chinese entity and added malicious scripts that impacted more than 100,000 websites using the Polyfill service.

Polyfill is a JavaScript CDN for  legacy browsers, allowing modern sites to run on them by providing a compatibility layer for unsupported technologies.

The Polyfill code was delivered via a CDN at polyfill[.io], although the domain was not owned by the creator of the open source project, Andrew Betts. As such, when the domain expired, it could be claimed by anyone.

At the time, Betts responded publicly by recommending that website owners remove the service from their sites, and relaunched the JavaScript CDN service at a new domain, polyfill.com, and later settled at polyfill.top.

While the deactivation of the service at polyfill[.]io stopped the redirections, some sites using the service failed to clean all their pages over the past two years, so remnants of Polyfill code remained.

Pillitteri reports that, starting in late May 2026, the polyfill[.]io domain became active again and started responding with HTTP 401 authentication requests.

User browsers visiting pages such as Toshiba’s and MUJI’s interpret that as a request for a username and password, so they serve a login prompt.

At the moment, there is no indication that impacted websites were hacked or that credentials entered on these rogue login screens were stolen. However, users are strongly recommended to be cautious about unexpected authentication prompts.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Advertisement

Get the whitepaper

from the acceptable-collateral-damage,-I-assume dept

ICE never needed officers to disguise themselves with masks and strip themselves of identification before Trump took office for the second time. What ICE is doing now isn’t what ICE was doing during Trump’s first term, even though it’s the same hateful bigot sitting behind the Resolute Desk he thinks should be covered in gold leaf.

According to the DHS, ICE officers need to look like roving kidnapping squads because they fear for their safety. Supposedly, they’re under attack now more than ever, something not even supported by the DHS’s context-free claims of massive increases in assaults of ICE officers.

ICE has never been popular. People have been calling for ICE to be abolished for far longer than the last 18 months of its existence. But now that ICE behaves like an invading force, rather than an agency involved in immigration and customs enforcement, more people are reacting to its unwanted presence in their neighborhoods.

ICE’s excuses for mask-wearing were [cough] unmasked when ICE was asked to fill in for unpaid TSA agents. ICE officers showed up at airports without masks to stand around and milk the clock, apparently unworried about being “exposed” or subjected to threats to them or their families.

But now that the TSA is as staffed as it’s ever going to be, ICE is returning to American streets, long on masks and short on training. Criminal opportunists know a good thing when they see it. When it’s impossible to tell whether the person assaulting you/demanding access to your home/running off with your valuables is an actual federal officer or just someone with access to ski masks and camo, the criminals have the upper hand.

As of February, Noticias Telemundo had documented at least six cases of impostors posing as ICE agents to rob or harass immigrants. In mid-January, a man broke into a house in Pittsburgh claiming to be an ICE agent and threatening a teen with a knife. In February, police in San Diego said a man allegedly impersonated an officer and wrapped his arms around the neck of a restaurant manager, claiming the manager was in the country illegally and he was going to arrest him.

Sure, some of you may be scoffing at “six cases” since Trump won the election. But that’s only the ones where a (foreign!) news agency managed to put together the pieces to deliver reporting that should have been done much earlier by domestic new agencies.

Here’s the more damning stat:

Of the 31 impersonation cases documented in 2025, 84% involved individuals who claimed to be ICE agents. Others identified themselves as officers from Border Patrol or the Department of Homeland Security.

Thirty-one impersonations. Apparently all of them involved people pretending to be in the business of migrant deportation. And it’s not just the normal crime you’d expect from criminals seeing a flaw in the system and exploiting it. It’s also led to an increase in the sort of crime this administration will likely greet with pardons and payout from the “FUCK AMERICA $1,776 MILLION SLUSH FUND.”

The recorded incidents include intimidation, robbery and sexual assault, as well as so-called “immigration operations” carried out by armed vigilantes against what they describe as an “invasion” of foreigners in the U.S.

This was a problem the FBI recognized months ago, but rarely speaks of now because it’s being led by the only guy who has a chance at drinking Defense Department Secretary Pete Hegseth under the table. The current “leadership” has nothing to say about giving criminals more opportunities to engage in criminal acts.

Neither DHS nor ICE responded to Noticias Telemundo’s request for official statistics about cases of fake ICE agents. They also did not comment on the trends revealed by this investigation.

Not even the rote “fake news” quasi-rebuttal from this miserable assortment of inhuman asshats. Well, if DHS and ICE won’t speak for themselves, I’ll let this next quote from NBC/Telemundo speak for itself:

“You’re going back to Mexico,” a man told the immigrants in a video recorded from inside their truck. He insulted them for their appearance and for not speaking English, took their keys and snatched the immigrant’s phone when he called his boss. The manager later told the police that the fake agent had claimed to be from ICE and had warned him that all his employees were going to go to “f—–g jail.”

This isn’t fake news. This isn’t implication extrapolated from minimal inference. There are literal recordings of these impersonations.

This isn’t people imagining the worst because they’re politically opposed to the current administration. These are documented instances of the only thing that could be worse than the brutality and bigotry perpetrated by this administration: criminal acts encouraged by this government’s unwillingness to do its dirty work honestly.

Filed Under: bigotry, dhs, ice, masked officers, mass deportation, thugs, trump administration

Honorable Mentions

Photograph: G Stockstudio/Getty Images

As we said, WIRED runners pound hundreds of miles every year. Here are a few of the other shoes we’ve tested that you might want to consider if the above do not work for your foot. If you’re not familiar with a brand, we recommend going to a local running store for a test run before plunking down your credit card.

Diadora Nucleo 2 for $165: The Nucleo 2 isn’t a wow, high-energy, super springy shoe. But if you’re a fan of straightforward, no nonsense comfort and good inherent stability across a good range of paces, the Nucleo 2 delivers.

Rad R1 for $130: Made to master gym, HIIT, running and all manner of hybrid workouts, I’ve been using the Rad R1 when I’m doing my strength and conditioning work in the gym like a good boy. They work for short runs and miles on the softer treadmill belt, while being stable and supportive enough to get under the bar and offering control for drills like box jumps and lunges. They look good, too.

New Balance Rebel V5 for $145, Adidas EVO SL for $105, Kiprun Kipride Max ($160). Another top-notch all-around shoe to rival the Saucony Endorphin Speed 5, the Rebel V5 is smooth, light and capable across the whole pace range. The Adidas EVO SL is a great alternative to the Saucony Endorphin Azura and can also handle anything you throw at it. But if you like your things super soft with a bit of bounce, the Kiprun Kipride Max serves up a cushioned plush ride with a bit of pop.

New Balance Fresh Foam X 1080 v15 for $170, HOKA Clifton 9 for $164: If you’ve never run before, the Hoka Clifton 9 is my recommendation for a beginner runner. Despite Hoka’s outsized (ahem) reputation, this is a pretty minimal shoe that’s comfortable, balanced, and light. —Adrienne So

Saucony Ride 17 for $110: This is also a good older budget-shoe model.

Saucony Hurricane 25 for $135, Brooks Glycerin 23 GTS for $180: Consumer tech director and podcast host Michael Calore runs in the Brooks Glycerin. This is our alternative pick if you’re shopping for shoes that offer greater stability.

Power up with unlimited access to WIRED. Get best-in-class reporting and exclusive subscriber content that’s too important to ignore. Subscribe Today.

Google’s upcoming Googlebook platform could launch with a much broader range of devices than many expected.

New findings suggest the first wave may include as many as eight laptops and tablets powered by chips from Intel, Qualcomm and MediaTek – giving buyers more choice from day one.

The discovery comes from newly uncovered development boards linked to Googlebook hardware. While Google has only teased that the first devices will arrive later this year, the latest evidence points to multiple manufacturers and several form factors too.

Chrome Unboxed reports that four of the devices appear to use Intel platforms, while another three rely on Snapdragon hardware. The publication also says that an additional device was built around MediaTek’s Kompanio Ultra processor, and could take the form of a tablet rather than a laptop.

The European Commission has appointed Jim Hagemann Snabe, chairman of Siemens’ supervisory board, as its special envoy for industrial artificial intelligence. He will advise Commission President Ursula von der Leyen and tech sovereignty chief Henna Virkkunen on how to accelerate AI adoption across European industry.

The backlash was immediate. Snabe’s appointment lands weeks after Siemens was among the companies that lobbied hardest for the rollback of the EU’s AI Act, the world’s most ambitious AI regulatory framework. Critics say the appointment amounts to handing advisory power over AI policy to the same industry that successfully weakened it.

Who is Jim Hagemann Snabe

Snabe, 60, is a Danish executive who co-led SAP as co-CEO from 2010 to 2014 before moving to the supervisory board. He became chairman of Siemens’ supervisory board in 2018. Beyond those roles, he has served on the advisory board of Google Cloud, on the board of US enterprise AI firm C3.ai, and as a board of trustees member at the World Economic Forum.

The Commission says it conducted a thorough conflict-of-interest assessment before the appointment. For the duration of his mandate, which runs until 31 March 2027, Snabe will suspend his Google Cloud and C3.ai memberships. The role is unpaid.

The AI Act rollback

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The timing is what makes the appointment politically charged. On 7 May, the Council of the EU and the European Parliament reached a deal to simplify the AI Act through the so-called Digital Omnibus. The headline change was a 16-month delay to high-risk AI obligations, pushing the deadline from August 2026 to December 2027.

More significantly for Siemens, the deal introduced an industrial AI exemption. AI systems used on factory floors and embedded in machinery will now be covered by separate machinery regulations rather than the AI Act, unless a failure could directly endanger health or safety. Germany, where Siemens is headquartered, led the push for that exemption. Chancellor Friedrich Merz called for freeing industrial AI from the EU’s “regulatory straightjacket” at the Hannover Messe trade fair in April, with Siemens executives alongside him.

Virkkunen, who drove the simplification through the College of Commissioners, framed the deal as proof that Europe can maintain a rules-based approach while making regulation workable for industry. Snabe’s appointment is the next step in that direction: an explicit signal that industrial competitiveness, not regulatory caution, is now the priority.

The criticism

“My first reaction was just: Wow,” said Kim van Sparrentak, the Dutch Green lawmaker who led the Parliament’s work on the AI Act. “They fought hard against AI rules for themselves, they lobby against technological sovereignty, and now they get to decide how we are going to integrate AI.”

The concern is not only about Siemens. Snabe’s board positions at Google Cloud and C3.ai place him at the intersection of the three constituencies most directly affected by EU AI policy: European industry, US Big Tech, and the enterprise AI software market. Suspending board seats is not the same as severing ties, and critics argue that an unpaid advisory role with no formal accountability is precisely the kind of arrangement that makes revolving-door governance difficult to scrutinise.

The Commission has not disclosed the specific terms of Snabe’s conflict-of-interest assessment. It says one was carried out but has not published the methodology or findings, which makes the assurance hard to evaluate independently.

What the role involves

Snabe’s mandate is to advise on how Europe can boost industrial AI adoption, a priority that the Commission has elevated since the AI Act’s passage exposed a tension at the heart of European tech policy: the desire to regulate AI and the fear of falling behind the US and China in deploying it.

The appointment was announced alongside the Commission’s broader technology sovereignty blueprint, which includes the Cloud and AI Development Act, Chips Act 2.0, and new restrictions on US cloud providers handling sensitive European government data. Snabe’s role sits within that framework, theoretically bridging the gap between Brussels’ regulatory ambitions and the corporate reality of getting AI into European factories.

Whether a Siemens chairman is the right person to bridge that gap or simply the most obvious symptom of the gap itself is the question Brussels will be debating for the duration of his mandate.