Threat Intelligence

ZeroFox Intelligence Assessment: FIFA Club World Cup 2025

by ZeroFox Intelligence
ZeroFox Intelligence Assessment: FIFA Club World Cup 2025
22 minute read

Executive Summary: FIFA Club World Cup 2025

The Fédération Internationale de Football Association (FIFA) Club World Cup (CWC) soccer tournament is due to take place across the United States from June 15 to July 13, 2025. While technically a new tournament, there have been other iterations of the quadrennial event, which serves as a precursor to the FIFA World Cup due to take place in the United States in 2026.

This year's event is the first-ever 32-team CWC (up from seven), which has caused controversy for placing what some see as “excessive” logistical and scheduling constraints on soccer clubs during what is traditionally the pre-season for most of them. Like other major tournaments, the FIFA CWC comes with myriad logistical issues due to the influx of fans from across the globe attending 63 matches across 11 cities.

The controversy surrounding this tournament could impact attendance, and U.S. public transportation, accommodation, tourism, and security services will be put to the test. Tournament organizers are likely also concerned about anti-FIFA demonstrations, as well as protests related to the U.S. political atmosphere—particularly the perception that the country has become less accepting of immigration. FIFA CWC attendees may also experience issues related to crime and cyber scams targeting spectators at the matches and related events.

Tournament Specifics and Background

CWC will run from June 15 to July 13, 2025, with teams from across the globe. The bulk of the matches will take place during the group stages, when all 32 participating teams will play three games across 12 stadiums in 11 cities. This contrasts with the 48 teams due to participate in the 2026 World Cup but matches the 32 teams at the 2022 World Cup and surpasses the 24 teams that participated in EURO 2024 in Germany.

  • The group stages run from Sunday, June 15 to Sunday, June 27, 2025, with (on average) four games per day.
  • Sixteen teams will then proceed to the Round of 16 held from June 28 to July 2, 2025, followed by the Quarterfinals featuring eight teams on July 4 and 5, the Semifinals on July 8 and 9, and the Final on July 13.

While the stadiums have different levels of security technology depending on the resources, they all adhere to basic security standards customary across U.S. sports venues, including X-ray scanning and clear bag policies. Some of the larger stadiums will have more cutting-edge technology, like advanced weapons detection systems (Evolv Express) and magnetometers.

Eleven cities across the country will host matches. Eight of the stadiums are located along the U.S. East Coast, while there are two stadiums in the central United States and two on the West Coast. Some stadiums—notably the Atlanta, Seattle, and Washington, D.C., locations—are situated in areas with elevated crime rates. 

The frequency of petty crime generally correlates with the level of tourist activity in the host city, and this pattern is anticipated to continue during the CWC matches. Increased law enforcement and security staffing at the matches and fan gatherings will likely result in faster-than-normal response times and deter potential criminal acts on match days.

  • Pickpocketing and related scams will remain a threat at stadiums and around fan zones or hotels.
  • Thieves are also known to operate on public transport.

Public drunkenness is common at international soccer tournaments, and there are thousands of arrests for disorderly conduct. This could range from public intoxication to acts of vandalism, as well as violent physical and sexual assault.

While large U.S. venues are typically surrounded by lots where attendees can park, these can also be inconvenient and add significant time to attending and leaving matches. ZeroFox has also observed at least one unaffiliated organization attempting to sell parking at CWC matches.

Redd’s Restaurant & Biergarten is currently selling FIFA CWC parking tickets for select matches on its website. ZeroFox is unable to confirm at this time whether the restaurant is authorized to sell parking for the semifinals matches. 

East Coast CWC Locations

Atlanta, Georgia: Mercedes Benz Stadium 

  • Capacity of 75,000
  • Hosting six matches
  • Located near Vine City, which has a violent crime rate of 22.04 per 1,000 residents—over 450 percent higher than the national average. Crimes such as assault, robbery, and homicide are more prevalent in this area.

Charlotte, North Carolina: Bank of America Stadium

  • Capacity of 75,000
  • Hosting four matches
  • Neighborhood is generally well-patrolled and safe

Miami, Florida: Hard Rock Stadium

  • Capacity of 65,000
  • Hosting eight matches, including the opening match
  • Was the scene of a violent clash during the 2024 Copa América final, when ticketless fans bum-rushed the stadium.

East Rutherford, New Jersey: MetLife Stadium

Orlando, Florida: Camping World Stadium

  • Capacity of 65,000
  • Hosting four matches
  • Stadium has a reputation for being understaffed and having underdeveloped logistics

Orlando, Florida: Inter&Co Stadium 

  • Capacity of 25,000
  • Hosting two matches

Philadelphia, Pennsylvania: Lincoln Financial Field

  • Capacity 69,000
  • Hosting eight matches

Washington, D.C.: Audi Field

  • Capacity 20,000
  • Hosting three matches
  • Some visitors have expressed concerns about safety when walking to and from the stadium
  • The nearest metro station is nearly a mile away, and surrounding areas may feel unsafe (especially at night). Many opt for ride-share services despite occasional challenges with pick-up locations.

Central Region CWC Locations

Cincinnati, Ohio: TQL Stadium

  • Capacity of 26,000
  • Hosting four matches
  • On game days, several streets around the stadium close approximately three hours before kickoff and reopen about one hour after the event to manage traffic and pedestrian flow.

Nashville, Tennessee: GEODIS Park  

  • Capacity of 30,000
  • Hosting three matches

West Coast CWC Locations

Los Angeles, California: Rose Bowl Stadium 

  • Capacity of 88,500
  • Hosting six matches
  • Parking is limited and distant from the stadium.

Seattle, Washington: Lumen Field 

  • Capacity of 69,000
  • Hosting six matches
  • Ahead of the tournament, security officials have proposed expanding security perimeters around the stadium to control access and prevent unticketed fans from clustering near entry points, a concern highlighted by issues at the 2024 Copa América final in Miami.

Ticketing and Scams

Major international soccer games have been impacted by ticketless fans attempting to enter stadiums. Ahead of the Copa América final between Argentina and Colombia at Hard Rock Stadium in Miami last year, tens of thousands of fans without tickets breached security gates, overwhelming police and stadium staff. Fans jumped over railings and rushed entry points, delaying the match by over an hour. Despite deploying over 550 law enforcement officers, the stadium and local authorities were unable to handle the crowd surge.

While the prospect of a similar fan rush or fake ticket scandal at the CWC is very unlikely, it cannot be ruled out. 

FIFA is the only authorized seller of CWC tickets, with tickets available on the official CWC website or FIFA[.]com and its foreign-language websites. Participating clubs' websites also link their supporters to these websites. Previous large soccer tournaments like EURO 2024 or World Cup 2022 in Qatar had dedicated apps, and national team federations were also selling tickets. This may be contributing to the type of ticket scams ZeroFox has observed for the CWC.

  • The Facebook post below is likely a scam. It is using unofficial methods like WhatsApp and direct messages to sell FIFA CWC 2025 tickets, likely leading to revenue loss. The page is not verified, and the excessive hashtags may be an attempt to appear legitimate.
  • The post advertises FIFA CWC 2025 tickets through direct messages, which raises concerns about the authenticity of the offer. Although the group admin requests ticket verification, the lack of official sales channels warrants caution.
  • A website called “fanpass" claims to sell tickets for the tournament. However, it does not appear to have any official authorization to do so. Moreover, ZeroFox Intelligence observed that the platform has a negative online reputation.
  • Another website that appears to lack official authorization, “FootballTicketNet”, also appears to be selling tickets for FIFA CWC.

DDW Impacts on Fraudulent Ticket Sales, Years Later

ZeroFox uncovered a dataset containing 1,048,576 records of people who allegedly attended the 2018 FIFA World Cup circulating on the deep and dark web (DDW). On December 2, 2023, a Russian-speaking member of the vetted DDW forum xss, “Dominion”, sought the dataset, which was originally published on the currently defunct forum BreachForums. The name of the thread in BreachForums is “Database of Visitors to the 2018 FIFA World Cup.”

  • This dataset can likely be leveraged by capable actors to disseminate spam and phishing letters to potential CWC attendees. Dominion’s post also highlights how threat actors seek out information available on the DDW to use in current scams, sometimes years after the original breach.

Physical Security Preparations

U.S. security forces are charged with protecting millions of fans and players at 12 stadiums and fan zones. CWC is expected to draw on a significant number of local, state, and federal public safety partners to ensure a safe atmosphere for event attendees and participants. ZeroFox assesses that the increased presence of public safety personnel will likely help deter criminal activity at the stadiums and in the immediate surrounding areas. However, the risk of crime and physical attacks against large-scale public events can never be ruled out.

  • FIFA has placed a strong emphasis on stadium safety and security for the CWC. According to its website, FIFA is working closely with host cities, local authorities, and emergency services to ensure coordinated security efforts both inside and outside stadiums.
  • The influx of international fans and high-profile teams increases the risk of crowd surges, public order incidents, and opportunistic crime near stadiums.
  • All stadiums have similar security requirements, wherein attendees will be required to pass through metal detectors prior to entering the venue, with additional wait times likely. A bag restriction policy will be in place at all stadiums, limiting patrons to one bag of various sizes (clutch, wallet size, or around 12” x 6” X 6”). Prohibited items include backpacks, firearms, knives, pepper spray, and weapons of any kind. In addition, noisemakers, umbrellas, coolers, signs, banners, flags, poles, and animals are prohibited.

Terrorism

ZeroFox has not identified any specific terrorism threat to the CWC. However, the risk of terrorism, both from domestic and international terror groups, remains.

The ongoing Israel-Hamas war likely increases the probability of an attack. On May 21, 2025, a gunman shot dead two Israeli diplomats in Washington, D.C. Later, an attacker threw firebombs at a vigil in Colorado held for Israeli hostages still captive in Gaza.

In terms of potential methods, a terrorist attack on a match would likely involve the use of easily accessible materials such as bladed weapons, firearms, or improvised explosive devices (IEDs) rather than a coordinated assault. In addition, according to the U.S. State Department, endogenous (lone-actor) attacks pose the most significant current threat.

The primary concern for CWC organizers is mainly radicalized individuals, known as lone wolves or lone actors, who have become indoctrinated online rather than individuals or groups who have received training and instruction from IS and AQ. 

  • Lone-wolf attacks are difficult to identify and mitigate due to the limited circle that has knowledge of the attack planning.
  • Following such attacks, terrorist organizations will frequently claim the attack as their own to garner additional publicity and outwardly portray their strength. Further investigations later call into question the claimed affiliation.
  • A lone wolf terrorist attack would most likely involve the use of easily accessible materials, such as bladed weapons, firearms, or rudimentary IEDs. It is also possible that vehicles could be used as weapons to target spectators or related events that are not protected by road closures.

Given the current politically charged atmosphere in the United States, there is an unlikely chance that domestic terrorists could target the FIFA CWC. Again, attackers will likely act alone, as was the case with the arson attack on the Governor’s Mansion in Pennsylvania on April 13, 2025.

Boycott and Protest Activity

While no specific physical protests have been officially announced for the CWC, ongoing legal disputes, institutional opposition, and political criticisms create a context wherein protests or demonstrations could occur, especially in host cities. Physical security teams should remain alert to potential spontaneous or organized actions related to these controversies.

Anti-FIFA Protests

Players union FIFPRO Europe strongly opposed the CWC in an already overloaded calendar because the tournament expands from seven to 32 teams and is scheduled for June-July 2025, effectively eliminating the traditional offseason for many players—especially in Europe.

  • Critics argue that the extended season will cause physical and mental fatigue, increase injury risk, and disrupt players' personal lives. FIFPRO has initiated legal action against FIFA.
  • The tournament's timing in the summer compresses players’ rest and preseason preparation, raising concerns about early-season injuries.
  • England’s Premier League and Spain’s La Liga have threatened to boycott the tournament and have demanded rescheduling or legal action, reflecting institutional opposition that could inspire protests or fan actions. European leagues and player unions have petitioned the European Commission, alleging FIFA’s misuse of its dual role as commercial organizer and regulator.
  • Legal challenges are underway in courts such as the Brussels Court of Commerce and potentially the European Court of Justice, focusing on player rights and calendar management.

Critics accuse FIFA of prioritizing revenue generation instead of player safety.

Domestic Political Protests

Recent nationwide protest activity in the United States throughout 2025 has been extensive and largely focused on opposition to President Donald Trump’s second administration and related policies.

One day ahead of the CWC opening match, anti-government protesters are planning a nationwide event called “No Kings” to coincide with a large military parade Trump is hosting in Washington, D.C., on June 14. The military parade will also close Washington, D.C.’s Reagan National Airport for several hours.

The largest protest movement thus far has been the Hands Off movement, which has held several large Saturday protests starting in early April 2025. They have held events in over 1,400 locations across all 50 states with an estimated three to five million participants.

Similarly, the 50501 movement (50 protests, 50 states, 1 movement) has organized hundreds of protests nationwide opposing Trump administration decisions, deportations, and workers’ rights. Its May Day event saw thousands protest in cities like Miami, Los Angeles, Philadelphia, and Washington, D.C., which are likely locations to hold protests during CWC as well.

Other individual protests have also occurred surrounding issues like budget cuts, the war in Gaza, and Tesla Takedown activists who target Tesla founder Elon Musk.

There is a roughly even chance that some of the anti-Trump protest groups will use the CWC to promote their causes. Their tactics typically include peaceful marches, rallies, general strikes, and some instances of civil disobedience, such as traffic obstruction. They often take place in major urban centers, requiring security teams to monitor multiple locations and prepare for large crowds.

Another possible source of protest activity is related to the Israel-Hamas war. However, at the time of writing, ZeroFox has observed no evidence of a coordinated effort by pro-Palestinian activists to disrupt the CWC. Since the war started in October 2023, there have been several notable pro-Palestinian protests targeting major U.S. events. With the war escalating just ahead of the start of the CWC and violent attacks on Israeli and Jewish entities escalating, there is a roughly even chance of a resumption in protests, which have been more subdued following the dismantling of university protest camps in May and June 2024.

Other politically motivated protest groups may use the matches to promote their causes; this could include protests in support of or against aid to Ukraine, immigration-related protests, or protests related to the cost of living.

Transportation and Travel

The immigration and deportation policies of the current U.S. administration, including stricter visa rules, long processing delays, and a perception that the country has become less accepting of immigration, have become a key focus for FIFA—especially for teams from the Middle East, who are concerned that some of their fans or players will not be able to attend matches. 

  • In 2017, when the United States was bidding to host the FIFA World Cup in 2026, the head of FIFA, Gianni Infantino, warned that U.S. travel bans jeopardized the U.S. bid.

In June 2025, the United States announced stricter immigration controls for individuals from 19 countries. This follows earlier proposals, yet to be implemented, of a tiered visa restrictions relating to 43 countries. No CWC participating teams come from countries that fall into the most severe category and are facing a full visa suspension. However, some do fall into the third tier, which is also a visa suspension unless the teams’ home governments meet specific U.S. requirements. These restrictions will likely prevent not only players and coaches but also fans and officials from entering the country, although the June 2025 ban has exemptions for athletes.

Even some fans that make it to the United States will likely face issues. The U.S. Embassy in Cairo issued a statement that immigration authorities will “continuously check visa holders to ensure they follow all U.S. laws and immigration rules — and we will revoke their visas and deport them if they don’t.” 

For example, raids in Nashville, Tennessee, prompted members of the Nashville SC supporters group “La Brigada de Oro” to skip their team’s home match against Charlotte FC. Not only would any issues like these occur on a bigger stage during the FIFA CWC, they would also very likely be widely covered by international media, which could exacerbate and politicize any response.

Cybersecurity Threats

As one of the world’s most anticipated and viewed sporting events, the FIFA CWC presents various opportunities for financially motivated threat actors.

In the weeks leading up to the event, threat actors have likely been registering new domain names, likely hoping to impersonate FIFA and the tournament. ZeroFox investigated 28,000 domain names registered between May 29, 2025, and June 1, 2025, for any instances of potential impersonation. 

  • Most of the domains listed below are considered “parked”; however, ZeroFox assesses there is a roughly even chance these domains can be acquired by capable actors that intend to use them as infrastructure to perform attacks.

Fifa[.]com and  Fifa[.]org Email Addresses Available in Info-Stealing Logs Traded in DDW

On the automated DDW marketplace Russian Market, ZeroFox Intelligence identified 28 unique corporate email addresses using the fifa[.]org email domain, as well as 15 unique corporate email addresses using the fifa[.]com email domain present in logs derived from compromised systems infected with info-stealing malware. 

  • Russian Market is similar to other botnet automated marketplaces but also offers compromised carding data, remote desktop protocol (RDP) instances, and credential-stuffing malware in addition to botnet logs.

Threat actors that purchase this data from underground marketplaces potentially gain access to the entirety of a victim’s login credentials and cookies, allowing them to emulate the victim’s browser session and user agent to achieve unauthorized access in account takeover attacks.

  • The presence of this data for sale increases the likelihood of lateral movement, privilege escalation, phishing, spam, and other types of attacks.

ZeroFox extracted all affected email addresses, which are partially obfuscated, along with corresponding screenshots. The most recent log affecting fifa[.]org dates back to March 24, 2025, and contains data associated with four unique fifa[.]org email addresses. The freshest log which affects fifa[.]com dates back to May 1, 2025. There is a roughly even chance that the email addresses of interest were used for logging in to third-party services as well as internal infrastructure.

Exposed Fifa[.]com and Fifa[.]org Records on Telegram

ZeroFox observed and exported 1,005 compromised login credentials utilizing fifa[.]org corporate email addresses from the private Telegram channel “GoldPack.” The threat actor who operates the Telegram channel compiles data from various undisclosed sources. The Telegram channel publishes data with passwords in both plaintext and hashed formats. In addition, ZeroFox identified and obtained more than 207 instances of compromised logins containing corporate email addresses using the fifa[.]com email domain. 

  • The Telegram channel is operated by the well-regarded threat actor “Chucky”, who is also the administrator of the compromised data-focused forum LeakBase.
  • Capable actors may attempt to access internal infrastructure using the exposed email address and plaintext password combinations directly or may perform credential-stuffing attacks.

Russian-Speaking Threat Actor Sought Fifa[.]com Accesses to Corporate Mailboxes

Since June 2024, a Russian-speaking threat actor using the alias “Псина” has been searching for cracked fifa[.]com corporate email addresses—and therefore access to the mailbox of the email address—for undisclosed reasons on the xss forum.

The actor claimed to be ready to pay up to USD 100 for each email address and provided contact information on the Telegram channel @newgroppp, which is currently inaccessible. Псина seeks corporate mail accesses to entities engaged in sport (the actor published a complete list of entities in which they are interested on cdn-wl-emails.s3.amazonaws[.]com/lotoru/The-list-of-official-websites_RUS_page-0001%20%282%29[.]pdf). “Псина” most recently visited xss in late January 2025.

Conclusion

The 2025 FIFA CWC was already highly controversial due to concerns over player health, perceived financial motivations, and legal challenges. These controversies have sparked protests from players and some leagues. Visitors are likely also concerned that heightened U.S. border controls and security measures could impact fans from certain countries. While there are no confirmed threats or planned protests, the scale of the event—featuring 32 teams and millions of fans—raises the likelihood of large gatherings, spontaneous demonstrations, or activism—particularly around issues such as player welfare, tournament expansion, or U.S. political issues.

ZeroFox Intelligence Recommendations

  • Purchase tickets from official FIFA outlets only, and be mindful of ticketing scams.
  • Arrive at matches well in advance, as parking and going through security take time.
  • Ensure accommodation and travel reservations are made ahead of time to avoid the risk of not being able to secure bookings closer to the event.
  • Ensure accommodation and travel bookings are made on legitimate apps or websites and not through third parties.
  • Limit the amount of personal belongings brought to matches, and keep them somewhere that they cannot be easily pickpocketed
  • Remain cautious of deals that seem too good to be true. Extremely low prices on secondary markets are often a red flag signaling a scam.
  • Be mindful that public drunkenness can turn violent and that these locations are at an elevated risk for a terror attack and criminal activity.
  • For foreign visitors, maintain easy access to visa, other travel information, and matchday tickets in case authorities ask for them.

Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 9:30 AM (EDT) on June 6, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.

ZeroFox Intelligence

Tags: Dark Web MonitoringThreat Intelligence

See ZeroFox in action