What the 2026 World Cup is revealing about synthetic identity fraud

Every four years, for a few weeks, the FIFA World Cup does something to unite humanity that nothing else can: it brings about the same feelings in a grandfather in Sao Paolo, a teenager in Seoul, and a family in Manchester, all caring about the same goal, in the same game, in the same instant. It’s the most watched event in human history, drawing more eyes than the Super Bowl, Tour de France, or even the Olympics. The world's game and that universal vision it inspires are organic, borderless, shared, and supposed to belong to everyone.

But in 2026, for millions of people, that vision has already been shattered.

Many fans who tried to get tickets and ensure they could be part of that moment found themselves locked out, through no fault of their own. They lost out in the ticket lottery to criminal networks that had put together AI-powered botting infrastructure to swarm the systems with synthetic identities and secure the tickets ahead of the real fans. Access to the world’s game had been compromised on multiple levels, all while the institutions responsible for protecting it were, effectively, guarding the wrong door.

Here’s the story of how it happened, told the way it unfolded, in four acts.

Act 1: The Farm - 6 to 18 months before the tournament

This fraud started not with fake tickets, which are what most people think of when they think of ticketing fraud, but with fake people. Criminal networks began assembling armies of synthetic identities well in advance, specifically for their World Cup plans. Synthetic identity fraud is different from the “regular” identity theft you might think about – instead of using the information from a real victim, synthetic identities are stitched together from real and fabricated information, like combining a real Social Security number with a fake address and fake documents, to create a fictional but plausible person. Fraudsters then nurture these identities over time, opening small accounts and letting them age and accumulate history, until they look more ordinary and realistic.

The infrastructure laid down early on for these scams also included registering numerous website domains with FIFA-themed URLs. Security researchers traced almost 4,300 of these registered since August 2025, part of a pool of over 7,000 fraudulent FIFA sites. Older domains are important for appearing legitimate, not just for websites but also for sending emails that aren’t marked as risky or spam if fraudsters wanted to use them for ticket-lottery-themed phishing schemes to obtain personal information.

In our new report with Datos Insights, this is called out as the “preparation phase” of the fraud kill chain. The report also warns that AI-assisted synthetic identity construction can precede detection by months, even years, due to most fraud detection technologies missing the subtle red flags and warning signs. Because of this, by the time the fraud becomes visible, the identity is already mature and trusted.

Act 2: The Lottery Disaster

More than 20 million people entered the FIFA World Cup ticket lottery. Unfortunately, with not enough tickets to go around, that meant 19.7 million people lost. In this kind of setup, which combines high emotions with scarcity, urgency, and pressure, a fertile environment for fraud is created.

This is when the fraud rings jumped into action, using the resources they’d carefully prepared. Bot armies, made up of the synthetic identities created in Act 1, were able to sweep up ticket allocations faster than real fans could. And the domains that were registered earlier were used to host websites with fake ticket waitlists, create fake ticket sales marketplaces, and send out cloned confirmation emails and QR codes. Even though the FBI had issued a warning to the public that spoofed FIFA websites were being used to impersonate official channels, these warnings may not have reached or not been taken seriously by passionate fans who were already planning their trips and missed out on tickets from the official channels.

The Datos report makes it clear that this industrial-scale lottery and market manipulation is made significantly easier with the use of AI. Fraud rings that could formerly manage a limited number of synthetic identities can now use AI assistance to manage thousands of them, thus leaving real people with no tickets in hand, and almost nowhere to turn – other than the equally fake markets fraudsters had created to harvest their personal information and credit card info.

Act 3: Match Day – The gate will hold, but that was never the point

When the World Cup ends, if you ask FIFA, they will probably say their ticketing security was a rousing success. At the stadium, it’s safe to anticipate that their security will be functional. Their use of dynamic QR codes and identity matching is designed to ensure that counterfeit tickets were easily caught and that entry to a match remains orderly. If you judge the security of their operation based on what you will see at the stadium on any given match day, you might think their ticketing operations are successful.

That’s because, as we’ve seen, the damage was already done well before match day. The synthetic accounts had been used, the money had been moved, and the victims had already filed their reports and tried to move on. To use an analogy, FIFA has put a deadbolt on the front door, but far too many of the wrong people had already gotten access.

This analogy can also serve as the reframe that this entire story needs. Putting security at your point of entry but leaving enrollment wide open to fraud is like installing a deadbolt on a house without walls. The small amount of protection provided by being able to answer “Is this ticket real at the gate?” did nothing to stop the massive amount of fraud that happened because no one checked “Is this identity that’s being used to secure tickets real?” at the moment it was allowed into the ticketing ecosystem. That moment of document verification and identity proofing at enrollment is exactly where Mitek operates, and the World Cup has validated the need for these checks in real-time. The Datos research states it bluntly: detection approaches that are calibrated to the wrong moment are already losing ground as their adversaries move upstream, into the enrollment window that their systems weren’t built to watch.

Act 4: The Harvest

The least-covered part of this story may be the most alarming, because for many victims, their loss exposure will be far more extensive than the cost of a ticket. Every time a fan visited a fake website that impersonated a ticket lottery, waitlist, or resale market, and then entered their personal information like date of birth, passport numbers, payment card info and more, they provided fraudsters with the raw material they needed for their next wave of identity theft.

These fans’ information might subsequently be used, resold in whole or in part, and even recombined with other breached information to build even more convincing synthetic identities for a wave of loan applications, a mule (money-moving) network, or cornering the market on tickets for another big event or concert tour. Looking at the downstream scale of synthetic identity fraud, Datos Insights found that the average fraud event includes three mule accounts, and one fraud executive estimated that a third of their institution’s total first-party check fraud losses were due to synthetic identities. It’s clear to see how one fan’s information can result in many losses, in many places.

And for fraud rings, no amount of fraud is ever enough. Fraudsters are also looking ahead to how they can capitalize on the next wave to harvest more information – some have even already registered domains related to the 2030 World Cup. The Datos report lays out exactly how synthetic identity fraud has become a structural underpinning of financial crimes, rather than a cyclical event. It’s driven by market forces, the low cost of the elements of stolen personal data needed to create a synthetic identity, and the ease of use of AI tools to round out and manage those identities.

Even when the trophy for this year’s event is lifted, the fraud attempts will go on.

The cost is bigger than one tournament

The fraud around the World Cup ticketing process is just one big example in a very large fraud ecosystem. The numbers are massive across anything involving banking, finance, or payments. Datos Insights has estimated that US unsecured-credit synthetic identity fraud losses skyrocketed from $1.8 billion in 2020 to $2.94 billion in 2025, with a projected loss of $3.12 billion in 2026. Eighty-four percent of fraud execs consider synthetic identities a high or moderate threat to their operations, and 40% of financial institutions are seeing attack rates increase due to the prevalence of generative AI tools.

The World Cup simply served as an emotional backdrop to a problem that shows up across many different types of “onboarding”. With the World Cup, every ticket sold to a synthetic identity rather than a real person kept a parent from taking their child to their first match, or a group of friends from making memories together. But the problem is endemic, and can happen when opening an account, getting a loan, joining a marketplace, enrolling in benefits, or buying concert or event tickets or a high-demand, limited-edition product. No matter the venue, the identity problem stays the same.

Fraudsters know they don’t need to break into the chain at the end, because they can build something instead that gets invited in at the start. To protect against synthetic identity fraud, organizations will need secure every avenue fraudsters can take, not just the final door.