
Once every four years, fans travel across the globe to watch one of the world’s biggest sporting events: the FIFA World Cup.
The 2026 World Cup is no exception. For the first time, the tournament has been hosted jointly by three nations—the U.S., Canada and Mexico—and marks North America’s first time hosting the competition since 1994. FIFA also expanded the tournament from 32 to 48 national teams, making it the largest World Cup in history.
Across the tournament’s 16 host cities, from Kansas City to Guadalajara and Toronto, millions of fans traveled far and wide to cheer on their countries, transforming city streets into seas of brightly colored jerseys and national flags.
Millions are also watching the World Cup on TV, and audiences have continued to expand, with each marquee matchup setting a new viewership benchmark. Spain’s semifinal victory over France drew a then-record 11.46 million viewers on Fox before Argentina’s semifinal win over England surpassed it a day later with 15.06 million viewers,
As the tournament heads into its most anticipated match, the final, expectations are high that Sunday’s game could set yet another record.
As viewership climbs, so does the underground market built around it.
While many World Cup matches aired free on broadcast television in the U.S., others required a cable or streaming subscription, creating demand for lower-cost ways to watch the tournament.
New research from HUMAN Security’s Satori Threat Intelligence team found more than 12 million compromised user accounts on the dark web, tied to 10 streaming services broadcasting World Cup matches. Together, those accounts represent nearly $220 million in potential black-market sales, with threat actors increasing both the number of accounts offered and their asking prices as demand for matches grows.
On June 27, the final day of the tournament’s group stage, threat actors released a record 802,000 compromised accounts, generating an estimated $14.8 million in potential single-day black market revenue, according to the report. The findings suggest cybercriminals are treating the tournament much like any other high-demand event, expanding inventory while raising prices as consumer demand grows.
Lindsay Kaye, VP of threat intelligence at HUMAN Security, told Fortune that rising prices for stolen streaming accounts suggest demand is growing as more fans seek cheaper access to World Cup broadcasts.
“If somebody doesn’t want to pay $30, $40, or $50, they can pay $5 and have access to that streaming service in order to watch the World Cup,” she said.
While HUMAN couldn’t determine exactly how the compromised streaming accounts were obtained, Kaye said cybercriminals commonly use stolen usernames and passwords from the dark web or credentials stolen by malware that extracts information saved on victims’ devices. Those credentials are then resold on dark web marketplaces, where sellers advertise extras such as linked payment cards, loyalty points, premium streaming subscriptions and even warranties that promise replacement accounts if buyers lose access.
As stolen streaming accounts proliferate, broadcasters and streaming platforms are under growing pressure to protect customer accounts and quickly shut down unauthorized live streams.
“When you have an event like the World Cup, rights owners know in advance when the games are going to be, and it’s possible to be extra vigilant around the times of games to monitor for infringement and then to act quickly,” Ian Ballon, co-chair of Greenberg Traurig LLP’s global intellectual property and technology practice group, told Fortune.
He said preparation is especially important for live sporting events, where there is little time to react once infringement is underway.
“Rights owners have to plan in advance, so that they know when infringement is discovered and what to do and how to act quickly to disable an unauthorized stream,” said Ballon.
Streaming platforms say they’re already taking those precautions.
Fox Sports, NBC Sports, Telemundo, FIFA, YouTube TV, and DirecTV didn’t immediately respond to a request for comment.
Fubo said it systematically investigates reports of suspicious account activity and may strengthen security measures if it detects unexpected behavior.
“We prepare for high-profile events months in advance,” Fubo said in a statement to Fortune. “The team monitors platform activity even more closely than usual during high-traffic periods, across all layers of the service.”
The company said it also closely monitors unusual geolocation patterns, such as the same account appearing in two distant locations within a short period of time, which can indicate account sharing or compromise.
According to Kaye, companies can make stolen accounts more difficult to exploit by using tools such as two-factor authentication and bot prevention tools like HUMAN, making it more expensive, more challenging, and more time-consuming for threat actors to compromise user accounts.
“There’s never going to be a situation that I see in which there is no market for credentials,” she said. “People will always want to be able to buy these accounts, get something for less.”











