Black market hits $220M for stolen World Cup streaming accounts as prices climb
HUMAN Security says 12M+ compromised accounts tied to 10 services are driving nearly $220M in potential sales.

HUMAN Securitys Satori Threat Intelligence team found more than 12 million compromised user accounts tied to 10 streaming services broadcasting World Cup matches. The research suggests cybercriminals are scaling supply and raising asking prices as match demand spikes, creating urgent account-protection pressure for rights owners and platforms.
The World Cup is delivering highlights on the pitch, and a very different kind of scoreboard off it. According to new research from HUMAN Securitys Satori Threat Intelligence team, cybercriminals are cashing in on the tournament with stolen streaming accounts worth nearly $220 million, fueled by more than 12 million compromised user accounts tied to 10 streaming services.
The numbers get sharper as the tournament heats up. On June 27, the final day of the group stage, threat actors released a record 802,000 compromised accounts, generating an estimated $14.8 million in potential single-day black market revenue, the report said. Put simply: as demand to watch rises, the underground market treats the World Cup like a high-demand, inventory-and-pricing business.
Why does this matter to executives and boards? Because it turns “account security” from a hygiene topic into a live-event revenue and brand-risk problem. Streaming platforms and broadcasters often operate in a world where rights and distribution are tightly managed. But when some matches are free on broadcast television in the U.S. while others require a cable or streaming subscription, the incentive gap opens: viewers who do not want to pay $30, $40, or $50 may try to get access for $5. HUMAN Securitys Lindsay Kaye, VP of threat intelligence at HUMAN Security, told Fortune that rising prices for stolen streaming accounts suggest demand is growing as more fans seek cheaper access to World Cup broadcasts.
The supply side is equally relentless. HUMAN said it could not determine exactly how the compromised streaming accounts were obtained, but Kaye explained that cybercriminals commonly use stolen usernames and passwords from the dark web or credentials stolen by malware that extracts information saved on victims devices. Those credentials are then resold on dark web marketplaces, where sellers often advertise add-ons such as linked payment cards, loyalty points, premium streaming subscriptions, and even warranties promising replacement accounts if buyers lose access. For platforms, that matters because the “product” on the dark market is not just login access. It can include payment and account-adjacent value, which raises both fraud risk and the reputational damage of a customer discovering their account has been compromised.
This is also a business-model stress test for rights owners. A co-chair of Greenberg Traurig LLPs global intellectual property and technology practice group, Ian Ballon, told Fortune that broadcasters and streaming platforms face growing pressure to protect customer accounts and quickly shut down unauthorized live streams. He emphasized that rights owners know in advance when games will be, so they can be “extra vigilant” around match times to monitor for infringement and act quickly. The operational reality is that live sporting events leave little time to react once infringement is underway, so preparation and speed are the difference between disruption and deep unauthorized viewing.
Platforms say they are already planning for high-traffic windows. Fortune reported that Fox Sports, NBC Sports, Telemundo, FIFA, YouTube TV, and DirecTV did not immediately respond to a request for comment. Fubo, however, described its approach: it systematically investigates reports of suspicious account activity and may strengthen security measures if it detects unexpected behavior. In a statement to Fortune, Fubo said it prepares for high-profile events months in advance and that its team monitors platform activity even more closely than usual during high-traffic periods, across all layers of the service. The company also said it closely monitors unusual geolocation patterns, like the same account appearing in two distant locations within a short period, which can indicate account sharing or compromise.
Zoom out, and the second-order implication is uncomfortable but straightforward: boards should assume credential markets will not go away. Kaye told Fortune, “Theres never going to be a situation that I see in which there is no market for credentials. People will always want to be able to buy these accounts, get something for less.” The practical takeaway is not that security fails today, but that attackers respond to demand. As stolen accounts proliferate, the arms race shifts to making each account harder to exploit and more costly to compromise. Kaye pointed to tools like two-factor authentication and bot prevention technologies like HUMAN that can make compromise “more expensive, more challenging, and more time-consuming.”
For executives running streaming platforms, sports media businesses, or any subscription service tied to big cultural events, the World Cup case is a template. When viewing demand spikes, attackers scale supply and raise asking prices, which means your monitoring, incident response, and anti-fraud controls are no longer optional background work. They are front-line infrastructure for preserving customer trust, limiting unauthorized access, and protecting rights value during the few days when everyone is watching.
This story's Key Insights and Take-aways are locked.
Create a free account to unlock Executive Actions for one credit.
Register to UnlockAlways free for Executives Club members. Join the Club
More in Business

Uber buys Delivery Hero for nearly $15B, vaulting to top food delivery outside China
The deal doubles Uber's dual-services footprint and pushes a ride-and-eats bundling play into 50 more markets.

Epic and Google drop settlement bid, forcing rival Android app stores by July 22
Google told the court it is ready to carry third-party app stores starting Wednesday, July 22.

SK Hynix opens at $170, raises $26.5B, and tops foreign IPO records
In Friday's Wall Street debut, SK Hynix turns AI RAM demand into a $26.5B fundraising moment that rewrites comps.
