2 min read

12M stolen streaming accounts hit dark web during World Cup

HUMAN Security says 12 million stolen streaming accounts tied to World Cup broadcasts are circulating on the dark web, worth nearly $220 million.

Image: TNW

More than 12 million stolen streaming accounts linked to World Cup broadcasts are circulating on the dark web, representing nearly $220 million in potential black-market sales, according to HUMAN Security.

The company’s Satori Threat Intelligence team tracked the accounts across 10 streaming services carrying tournament matches. On June 27, the final day of the group stage, threat actors released a record 802,000 accounts in a single day — an estimated $14.8 million in potential revenue.

According to the report, sellers are treating the tournament like any other high-demand retail event: increasing supply and pushing prices higher as interest peaks. Stolen accounts can sell for as little as $5, compared with legitimate subscriptions priced at $30 to $50. Some listings also include linked payment cards, loyalty points, premium tiers, and even warranties that promise replacement accounts if buyers lose access.

Lindsay Kaye, VP of threat intelligence at HUMAN Security, told Fortune that demand is rising as fans look for cheaper ways to watch.

The accounts were likely obtained through credential-stuffing attacks using stolen usernames and passwords already circulating online, or through info-stealing malware that extracts credentials saved on victims' devices. Before the tournament began on June 11, more than 4,300 fake FIFA domains and banking malware hidden in streaming apps were already targeting fans. HUMAN says the stolen-account trade is a separate layer of the same criminal infrastructure, monetizing existing credentials rather than phishing for new ones.

Recommended reading

LegacyHive zero-day lands, but not as devastating as billed

Fubo said it prepares for high-traffic events months in advance and watches for suspicious geolocation patterns, such as the same account appearing in two distant locations within a short period. Fox Sports, NBC Sports, Telemundo, FIFA, YouTube TV, and DirecTV did not respond to requests for comment.

The problem extends beyond the tournament. In May, Italian police seized a piracy app that streamed Sky, DAZN, and Netflix through hijacked real accounts, underscoring how credential-based piracy has become a broader enforcement challenge. With Sunday’s final between Spain and Argentina expected to set another viewership record, the market around these stolen accounts may be nearing its peak — but the credentials themselves will likely remain in circulation long after the match ends.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TNW

// Keep reading