2026 FIFA World Cup Phishing Fraud Triples in Scope: 222 Fake Domains, Four Criminal Clusters

dark6 24 May 2026

A sophisticated, large-scale phishing campaign exploiting excitement around the 2026 FIFA World Cup has grown dramatically since it was first identified by security researchers. What began as a documented network of 79 fraudulent domains has now expanded to at least 222 domains spread across 203 unique IP addresses — nearly three times the original scope — turning it into one of the most extensive sports-themed fraud operations ever recorded.

Researchers at Flare, who expanded the investigation using passive DNS records, certificate transparency logs, and WHOIS data enrichment, found that this is not a single coordinated attack but a distributed fraud ecosystem operated by at least four distinct threat actor clusters, all simultaneously targeting the same global event.

How the Scam Works

The campaign’s infrastructure is built for deception at scale. Threat actors have constructed convincing replicas of the official FIFA website, complete with:

  • Fake ticketing pages that steal payment card data from fans purchasing what they believe are legitimate tournament tickets
  • Copycat merchandise stores selling fraudulent World Cup gear and collecting payment information
  • Fraudulent login portals that accept any credentials entered, silently harvesting usernames and passwords for account takeover attacks

The domains use typosquatting techniques — slight variations of “fifa.com” — to trick users who mistype the URL or follow links from social media posts and emails. Over 80% of the fraudulent domains are routed through Cloudflare as a reverse proxy, deliberately obscuring the attackers’ real server infrastructure.

Four Separate Operator Clusters

One of the most significant findings from the expanded investigation is the multi-actor nature of the campaign. Analysis of registration patterns, hosting choices, and digital fingerprints reveals at least four distinct operator clusters:

  • Cluster A — The largest group, running approximately 86 domains that directly mimic the fifa.com address using obvious typosquatting patterns
  • Cluster B — A harder-to-detect group operating 14 generic-sounding .shop domains with no obvious FIFA connection in the name, yet serving identical fraudulent landing pages. Linked to registrant “Bill John / Newark”
  • Cluster C — A smaller cluster of three .cn domains registered via a single Gmail address, pointing toward a China-based independent actor
  • Cluster D — Domains registered under the fake organization “888 World Cup Management Co Ltd” (888 shi jie bei guan li you xian gong si), openly referencing the tournament

All four clusters share the same page templates and target the same victims, but their separate digital fingerprints strongly suggest independent actors using a shared scam kit — a phishing-as-a-service model that lowers the barrier to entry for cybercriminals worldwide.

Explosive Growth Rate

The campaign’s registration pace shows no signs of slowing. In just the first 17 days of April 2026, 52 new domains were registered — nearly three per day. Three particularly active registration dates (March 27, March 28, and November 17, 2025) alone accounted for over 36 percent of all domain registrations in the dataset.

The original investigation documented 79 typosquatting domains hosted across just 14 IP addresses. The expanded picture now confirms 222 domains — of which 206 are currently active — resolving to 203 unique IP addresses. That is roughly 2.8 times the domain count and over 14 times the hosting footprint from the first report.

Two registrars dominate the infrastructure: GNAME.COM controls approximately 94 domains (about 42%), and GoDaddy accounts for another 42 domains — meaning just two registrars control around 61% of the total fraudulent network. Researchers recommend brand protection teams prioritize bulk abuse reporting to these two registrars as the fastest takedown path.

Confirmed Phishing Indicators

Cloudflare has independently flagged three domains in the dataset — fifa-com.store, fifa-com.site, and fifa-com.shop — as confirmed phishing pages, providing independent validation that the activity is malicious.

Five IP addresses were found hosting multiple campaign domains, with the top address alone tied to eight separate fraudulent sites.

Detection Recommendations for Security Teams

Standard domain-by-domain detection is insufficient against a campaign of this sophistication and scale. Security teams are advised to:

  • Move beyond simple domain name pattern matching; incorporate TLS certificate reuse analysis and page template fingerprinting into detection rules
  • Treat any newly registered domain matching known WHOIS indicators (registrant emails, organizations) as part of the active campaign
  • Use certificate transparency logs and passive DNS monitoring to catch new domains before they go fully live
  • Report clusters of abuse to GNAME.COM and GoDaddy to accelerate infrastructure takedowns
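The first recommendation above, as an added example (not code from Flare or from the original article): name matching with homoglyph folding catches fifa.com lookalikes, while a page-template fingerprint also catches hosts with no brand in the name, as with Cluster B. The function names, the confusables table, the `.example` hosts and the HTML are assumptions constructed for illustration; only fifa-com.store comes from the article.

```python
import hashlib
import unicodedata
from html.parser import HTMLParser

BRAND, OFFICIAL = "fifa", "fifa.com"
# Constructed mini-table (Cyrillic a, Cyrillic i, dotless i); real use needs Unicode TR39 data.
CONFUSABLES = {"\u0430": "a", "\u0456": "i", "\u0131": "i"}

def name_lookalike(domain):
    """True if a non-official domain carries the brand after homoglyph folding.
    Substring match on the folded name, so expect some false positives."""
    domain = domain.lower().rstrip(".")
    if domain.startswith("xn--") or ".xn--" in domain:
        domain = domain.encode("ascii").decode("idna")  # CT logs carry punycode
    if domain == OFFICIAL or domain.endswith("." + OFFICIAL):
        return False
    folded = unicodedata.normalize("NFKD", domain)
    return BRAND in "".join(CONFUSABLES.get(c, c) for c in folded if c.isalnum())

class _Shape(HTMLParser):
    """Records tag order and form-field names/types; ignores text and URLs."""
    def __init__(self):
        super().__init__()
        self.tokens = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.tokens.append(f"{tag}:{a.get('name') or ''}:{a.get('type') or ''}")

def template_fingerprint(html):
    """Hash of the page skeleton, stable across per-domain text and link changes."""
    shape = _Shape()
    shape.feed(html)
    shape.close()
    return hashlib.sha256("|".join(shape.tokens).encode()).hexdigest()[:16]

def triage(pages, seed_domain):
    """Map each domain to the signals it trips: lookalike name, shared kit template."""
    seed_fp = template_fingerprint(pages[seed_domain])
    return {d: [s for s, hit in (("name", name_lookalike(d)),
                                 ("template", template_fingerprint(h) == seed_fp)) if hit]
            for d, h in pages.items()}

# Constructed pages. fifa-com.store is named in the article; the .example hosts are made up.
KIT = ('<html><body><form action="{a}"><input name="card" type="text">'
       '<input name="cvv" type="password"></form><p>{t}</p></body></html>')
PAGES = {"fifa-com.store": KIT.format(a="/pay", t="Tickets"),
         "generic-gear.example": KIT.format(a="/checkout", t="Fan shop"),
         "news.example": "<html><body><h1>Match report</h1><p>text</p></body></html>"}
if __name__ == "__main__":
    print(triage(PAGES, "fifa-com.store"))
```

The generic host trips only the template signal, which is the case pure name matching misses.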

Advice for Football Fans

With the 2026 FIFA World Cup approaching, fans eager to secure tickets and merchandise are particularly vulnerable. The public is urged to:

  • Only purchase tickets directly through the official FIFA website (fifa.com) — bookmark the URL manually rather than following links
  • Check the domain carefully before entering any payment information — look for subtle misspellings like “fifа.com” (using Cyrillic characters) or “fifa-com.store”
  • Use credit cards with fraud protection for any sports-related purchases
  • Enable transaction alerts on payment accounts to detect unauthorized charges quickly
  • Report suspected phishing domains to your national cybercrime authority

The fraud operation shows every sign of accelerating rather than winding down ahead of kickoff. With tens of millions of fans worldwide seeking tickets and merchandise, the financial incentive for cybercriminals remains enormous — and the infrastructure to exploit them is already in place.

Source: Cyber Security News, May 22, 2026
