Surge in Phishing Activities Ahead of the 2026 FIFA World Cup
Recent research has found that phishing activity targeting the upcoming 2026 FIFA World Cup has escalated significantly, revealing a far more intricate and widespread threat landscape than was previously understood. What was initially identified as a cluster of 79 malicious domains has grown into a phishing ecosystem that now spans 222 distinct domains mapped to 203 unique IP addresses. This nearly triples the number of domains in question and expands the hosting infrastructure by more than 14 times.
Analytical follow-up using passive DNS data, certificate transparency logs, and WHOIS enrichment has confirmed that 206 of these 222 identified domains remain active. Furthermore, a notable spike in activity has been observed, with 52 new domains registered between April 1 and April 17, 2026. This suggests that the phishing campaign is not only operational but is intensifying as the highly anticipated tournament approaches.
Fragmented Phishing Operations
One of the most significant findings is the fragmented nature of this phishing operation, differing from traditional campaigns that often rely on centralized control. Researchers have pinpointed at least four distinct clusters of operators, each exhibiting unique patterns in terms of infrastructure, domain registration, and attribution markers. This indicates that multiple independent threat actors are utilizing shared phishing kits designed to closely resemble FIFA’s official platforms.
According to reports from security firm Flare, the phishing infrastructure is distributed across 203 unique IP addresses, with 80.6% of the domains fronted by Cloudflare. This reliance on reverse proxy services hides the origin servers, complicating efforts to attribute and dismantle the malicious activity.
Among the identified IP addresses, a smaller subset hosts multiple phishing domains. For instance, 38.246.249.74 is responsible for eight phishing domains, while 154.39.81.213 hosts six, and 148.178.16.48 supports five. The reuse of TLS certificates across multiple domains further strengthens the link between seemingly separate phishing sites, showcasing a shared backend infrastructure.
Categorization of Threat Clusters
In-depth analysis has segmented this campaign into specific clusters:
- Cluster A primarily targets users through direct typosquatting of legitimate "fifa.com" domains, such as fifa-com.vip and ww-fifa.vip. These domains are predominantly registered via GNAME.COM and are actively used in fraudulent ticket sales.
- Cluster B employs generic .shop domains, such as floridagiftssw.shop, linked to a single registrant email. These domains are often older, bolstering their credibility and aiding them in evading detection mechanisms.
- Cluster C consists of a smaller group of .cn domains, registered with shared Gmail identifiers, suggesting a geographically distinct group of operators.
- Cluster D utilizes phony organizational names, exemplified by “888 World Cup Management Co Ltd,” to lend an air of legitimacy to their domain registrations.
This diverse clustering reflects a growing trend where phishing kits are not only reused but also sold across underground communities, enabling rapid scaling by multiple actors simultaneously.
Potential for Disruption
The expanded dataset highlights a total of 26 registrars involved in this phishing effort, although a small number of them dominate the landscape. GNAME.COM accounts for 42.3% of the domains involved, followed by GoDaddy at 18.9%. Other registrars, including Spaceship, WebNIC, and Alibaba Cloud, also play roles in this ecosystem.
This concentration suggests that targeted takedown efforts aimed at key registrars could significantly disrupt the ongoing campaign. Cloudflare has taken steps to flag several domains as malicious, such as fifa-com.store and fifa-com.site, replacing them with warning pages. However, this intervention addresses only a minor fraction of the total infrastructure, underscoring the challenges associated with domain-by-domain detection.
Implications for Users
The emergence of sophisticated phishing scams around globally recognized events like the FIFA World Cup illustrates the lucrative opportunities that cybercriminals exploit. The combination of scalable phishing kits, a distributed infrastructure model, and identity obfuscation tactics enables attackers to grow their operations quickly while eluding traditional cybersecurity measures.
For organizations and individuals alike, the most pressing risk lies in highly convincing replicas of official FIFA services. This includes fraudulent ticket portals, counterfeit merchandise stores, and mock login pages specifically designed to capture user credentials and payment information.
As the tournament approaches, it becomes increasingly crucial for security teams to focus on proactive strategies. This includes monitoring for lookalike domains, implementing brand protection protocols, and educating users to recognize and avoid fraudulent websites before they engage with them. The need for vigilance has never been more critical as the countdown to one of the world’s most significant sporting events continues.
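The pivots the analysis above relies on (flagging lookalikes of fifa.com, grouping domains that share a hosting IP or registrant email into operator clusters, and measuring registrar concentration) as a small added example for a monitoring team; this is not Flare's tooling, and every record, IP address and email in it is constructed.

```python
from collections import Counter

# Constructed enrichment records: (domain, resolved IP, registrar, registrant e-mail).
# IPs come from the documentation range 192.0.2.0/24, so none is a real host.
RECORDS = [
    ("fifa-com.vip", "192.0.2.10", "GNAME.COM", "reg-a@example.com"),
    ("ww-fifa.vip", "192.0.2.10", "GNAME.COM", "reg-a@example.com"),
    ("fifa-com.store", "192.0.2.11", "GNAME.COM", "reg-b@example.com"),
    ("floridagiftssw.shop", "192.0.2.20", "GoDaddy", "reg-c@example.com"),
    ("tickets-worldcup.shop", "192.0.2.21", "GoDaddy", "reg-c@example.com"),
    ("fifa2026.cn", "192.0.2.30", "Alibaba Cloud", "reg-d@example.com"),
]
BRAND_TOKENS = ("fifa", "worldcup", "world-cup")

def is_lookalike(domain):
    """True when a domain carries the brand token but is not fifa.com or a subdomain of it."""
    host = domain.lower().rstrip(".")
    if host == "fifa.com" or host.endswith(".fifa.com"):
        return False
    return any(token in host for token in BRAND_TOKENS)

def cluster(records):
    """Union-find: domains sharing an IP or registrant e-mail (transitively) form one cluster."""
    parent = {rec[0]: rec[0] for rec in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_seen = {}  # (attribute, value) -> first domain carrying it
    for domain, ip, _registrar, email in records:
        for key in (("ip", ip), ("email", email)):
            if key in first_seen:
                parent[find(domain)] = find(first_seen[key])
            else:
                first_seen[key] = domain
    groups = {}
    for domain, *_ in records:
        groups.setdefault(find(domain), []).append(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])

def registrar_share(records):
    """Percentage of domains per registrar: the concentration a takedown request would target."""
    counts = Counter(rec[2] for rec in records)
    return {reg: round(100 * n / len(records), 1) for reg, n in counts.items()}

if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(group, "lookalikes:", [d for d in group if is_lookalike(d)])
    print(registrar_share(RECORDS))
```

Feeding real passive DNS and WHOIS output into RECORDS (and adding a TLS certificate fingerprint as a third join key) turns this into the same shared-backend pivot the article describes.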
