HUMAN Security reports 12M stolen streaming accounts tied to World Cup cybercrime surge

1 hour ago 2



The biggest World Cup in history is also generating the biggest cybercrime haul in streaming history. HUMAN Security’s Satori Threat Intelligence Research Team released findings on June 30 showing a massive spike in stolen streaming credentials being traded across dark web marketplaces, with threat actors capitalizing on global demand for unauthorized access to tournament matches.

The numbers behind the breach

HUMAN Security’s Satori update cited 802,000 compromised streaming accounts released by threat actors in June 2026 alone, marking a record high. The US Department of Justice moved in parallel, seizing approximately 400 illegal streaming domains on June 29, one day before HUMAN published its report.

Federal authorities warned that these sites don’t just steal your login credentials. They actively expose visitors to malware, turning a casual attempt to watch a group-stage match into an open invitation for trojans and credential harvesters.

Thousands of fake FIFA-branded domains and credential-theft operations were documented in early June, setting the stage for what became a sprawling cybercrime ecosystem built around the tournament.

The 802,000 figure represents accounts released by threat actors during the reporting period, which is distinct from the total number of compromised accounts circulating. The broader tally of stolen streaming credentials tied to World Cup activity is substantially larger, feeding into a secondary market where bundled account credentials are sold for pennies on the dollar.

Why crypto holders should care

HUMAN Security’s research flagged a specific and growing threat to digital asset holders: malicious Android streaming apps linked to banking trojans from the Massiv and Perseus families.

These trojans piggyback on fake streaming applications, requesting permissions that let them overlay fake login screens on top of legitimate banking and crypto wallet apps. When a user opens their wallet to check a balance or approve a transaction, the trojan intercepts the interaction.

Banking trojans in this family have been documented going after crypto wallets specifically, not just traditional financial apps. Crypto transactions are irreversible, with no chargeback mechanism or fraud dispute process — once funds leave a compromised wallet, they’re gone.

Android users are disproportionately affected because sideloading apps — installing software from outside the Google Play Store — is far more common on that platform. A fan in a region without official broadcast rights might download an APK promising free match access, bundled with a trojan that sits quietly on the device, waiting for the user to interact with a financial application.

What this means for crypto investors

The intersection of streaming piracy and crypto theft creates a risk vector that most digital asset holders probably aren’t thinking about. Compromised credentials from streaming services often get reused across platforms, including cryptocurrency exchanges and wallet services. Credential stuffing attacks — where stolen username-password pairs from one breach are tested against other services — remain one of the most effective tools in a cybercriminal’s arsenal.

The Massiv and Perseus trojan families identified by HUMAN Security represent an evolution in how cybercriminals monetize major sporting events. Previous World Cup-era scams focused primarily on ticket fraud and merchandise counterfeiting. Now the playbook includes sophisticated malware campaigns that treat a streaming app as a delivery mechanism for financial theft.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

Read Entire Article