Index  ›  crime  ›  UnHerd
crime · UnHerd ↗

Cybercriminals are cashing in on the World Cup by selling stolen streaming accounts

UnHerd Published Jul 18, 2026 Reviewed Jul 19, 2026 ✓ Reviewed by citations.press editors
HUMAN Security’s Satori Threat Intelligence team found more than 12 million compromised user accounts on the dark web tied to 10 streaming services broadcasting World Cup matches, representing nearly $220 million in potential black-market sales.
12000000 compromised accounts · compromised user accounts on the dark webabout 220000000 USD · potential black-market sales HUMAN Security’s Satori Threat Intelligence team
On June 27, the final day of the tournament’s group stage, threat actors released a record 802,000 compromised accounts, generating an estimated $14.8 million in potential single-day black market revenue, according to HUMAN Security’s report.
802000 compromised accounts · compromised accounts released by threat actorsabout 14800000 USD · potential single-day black market revenue HUMAN Security’s report
Spain’s semifinal victory over France drew a then-record 11.46 million viewers on Fox before Argentina’s semifinal win over England surpassed it a day later with 15.06 million viewers.
11460000 viewers · viewers of Spain’s semifinal victory over France on Fox15060000 viewers · viewers of Argentina’s semifinal win over England
Lindsay Kaye, VP of threat intelligence at HUMAN Security, stated that stolen streaming accounts can be purchased for $5 to gain access to a streaming service for World Cup broadcasts, compared to legitimate subscription costs of $30–$50.
5 USD · price of stolen streaming accountsat least 30 USD · legitimate streaming subscription costat least 50 USD · legitimate streaming subscription cost Lindsay Kaye, VP of threat intelligence at HUMAN Security

Once every four years, fans travel across the globe to watch one of the world’s biggest sporting events: the FIFA World Cup. 

The 2026 World Cup is no exception. For the first time, the tournament has been hosted jointly by three nations—the U.S., Canada and Mexico—and marks North America’s first time hosting the competition since 1994. FIFA also expanded the tournament from 32 to 48 national teams, making it the largest World Cup in history.

Across the tournament’s 16 host cities, from Kansas City to Guadalajara and Toronto, millions of fans traveled far and wide to cheer on their countries, transforming city streets into seas of brightly colored jerseys and national flags. 

Millions are also watching the World Cup on TV, and audiences have continued to expand, with each marquee matchup setting a new viewership benchmark. Spain’s semifinal victory over France drew a then-record 11.46 million viewers on Fox before Argentina’s semifinal win over England surpassed it a day later with 15.06 million viewers,

As the tournament heads into its most anticipated match, the final, expectations are high that Sunday’s game could set yet another record.

While many World Cup matches aired free on broadcast television in the U.S., others required a cable or streaming subscription, creating demand for lower-cost ways to watch the tournament.

New research from HUMAN Security’s Satori Threat Intelligence team found more than 12 million compromised user accounts on the dark web, tied to 10 streaming services broadcasting World Cup matches. Together, those accounts represent nearly $220 million in potential black-market sales, with threat actors increasing both the number of accounts offered and their asking prices as demand for matches grows.

On June 27, the final day of the tournament’s group stage, threat actors released a record 802,000 compromised accounts, generating an estimated $14.8 million in potential single-day black market revenue, according to the report. The findings suggest cybercriminals are treating the tournament much like any other high-demand event, expanding inventory while raising prices as consumer demand grows.

Lindsay Kaye, VP of threat intelligence at HUMAN Security, told UnHerd that rising prices for stolen streaming accounts suggest demand is growing as more fans seek cheaper access to World Cup broadcasts. 

If somebody doesn’t want to pay $30, $40, or $50, they can pay $5 and have access to that streaming service in order to watch the World Cup,” she said.

While HUMAN couldn’t determine exactly how the compromised streaming accounts were obtained, Kaye said cybercriminals commonly use stolen usernames and passwords from the dark web or credentials stolen by malware that extracts information saved on victims’ devices. Those credentials are then resold on dark web marketplaces, where sellers advertise extras such as linked payment cards, loyalty points, premium streaming subscriptions and even warranties that promise replacement accounts if buyers lose access.

As stolen streaming accounts proliferate, broadcasters and streaming platforms are under growing pressure to protect customer accounts and quickly shut down unauthorized live streams.

“When you have an event like the World Cup, rights owners know in advance when the games are going to be, and it’s possible to be extra vigilant around the times of games to monitor for infringement and then to act quickly,” Ian Ballon, co-chair of Greenberg Traurig LLP’s global intellectual property and technology practice group, told UnHerd.

He said preparation is especially important for live sporting events, where there is little time to react once infringement is underway.

“Rights owners have to plan in advance, so that they know when infringement is discovered and what to do and how to act quickly to disable an unauthorized stream,” said Ballon.

Fox Sports, NBC Sports, Telemundo, FIFA, YouTube TV, and DirecTV didn’t immediately respond to a request for comment.

Fubo said it systematically investigates reports of suspicious account activity and may strengthen security measures if it detects unexpected behavior.  

“We prepare for high-profile events months in advance,” Fubo said in a statement to UnHerd. “The team monitors platform activity even more closely than usual during high-traffic periods, across all layers of the service.” 

The company said it also closely monitors unusual geolocation patterns, such as the same account appearing in two distant locations within a short period of time, which can indicate account sharing or compromise.

According to Kaye, companies can make stolen accounts more difficult to exploit by using tools such as two-factor authentication and bot prevention tools like HUMAN, making it more expensive, more challenging, and more time-consuming for threat actors to compromise user accounts.

“There’s never going to be a situation that I see in which there is no market for credentials,” she said. “People will always want to be able to buy these accounts, get something for less.”

This article was originally published by UnHerd ↗. citations.press indexes the source-backed facts above and links to the original. Something wrong? Corrections policy · Report an error