Cybercriminals have launched a sophisticated multi-vector attack campaign targeting fans and teams ahead of the 2025 Belgian Grand Prix, scheduled for July 27 at the iconic Spa-Francorchamps circuit.
The threat actors have deployed an arsenal of tactics including phishing emails, fraudulent ticket websites, malicious streaming platforms, and counterfeit merchandise scams to exploit the global enthusiasm surrounding Formula 1’s premier racing event.
The campaign’s foundation was established through a significant security breach that occurred in early 2024, when threat actors successfully compromised the official Belgian Grand Prix email account.
This initial foothold enabled attackers to conduct large-scale phishing operations with enhanced credibility, as fraudulent communications appeared to originate from legitimate race organizers.
.webp)
The compromised infrastructure has since been leveraged to distribute deceptive emails promising discounted tickets and exclusive access to unsuspecting Formula 1 enthusiasts.
CloudSEK analysts identified a dramatic surge in malicious domain registrations specifically crafted to impersonate official Formula 1 and Spa-Francorchamps websites.
The researchers documented 16 suspicious domains, with 14 registered between 2024 and 2025, indicating a coordinated preparation phase leading up to the race weekend.
.webp)
These domains serve multiple malicious purposes, including hosting phishing pages designed to harvest personal and payment information, distributing malware disguised as ticket PDFs or streaming applications, and spreading misinformation to generate fraudulent revenue.
Infrastructure Analysis and Domain Spoofing Tactics
The threat actors have demonstrated sophisticated domain spoofing techniques, registering variations that closely mimic legitimate Formula 1 terminology and branding.
Analysis of the malicious infrastructure reveals a strategic approach to domain selection, with registrations accelerating in the months preceding the Belgian Grand Prix.
| Domain Name | Registrar | Creation Date | Expiration Date | Domain Age | Registrar Country |
|---|---|---|---|---|---|
| CHEERGRANDPRIX.COM | Network Solutions, LLC | 2025-06-06 | 2026-06-06 | Newly Registered | USA |
| F1GRANDPRIXNEWS.COM | Moniker Online Services LLC | 2024-06-06 | 2025-06-06 | 1 Year Old | USA |
| FORMULAGRANDPRIX.COM | OVH, SAS | 2025-05-31 | 2026-05-31 | Newly Registered | France |
| GRANDPRIXJOBS.COM | NameCheap, Inc. | 2025-05-23 | 2026-05-23 | Newly Registered | USA |
| GRANDPRIXQUADS.COM | HOSTINGER operations, UAB | 2025-06-26 | 2026-06-26 | Newly Registered | Lithuania |
| GRANDPRIXSTORE.NET | LiquidNet Ltd. | 2025-06-11 | 2026-06-11 | Newly Registered | UK |
| GRANDPRIXWATCHSHOP.COM | TUCOWS, INC. | 2025-06-26 | 2026-06-26 | Newly Registered | Canada |
| HOLIDAYGRANDPRIX.COM | Squarespace Domains II LLC | 2025-06-01 | 2026-06-01 | Newly Registered | USA |
| ONLINEGRANDPRIX.NET | NameCheap, Inc. | 2025-07-07 | 2026-07-07 | Newly Registered | USA |
| REDBULLUSGRANDPRIX.COM | Gname 240 Inc | 2025-06-03 | 2026-06-03 | Newly Registered | Singapore |
| S1GRANDPRIX.COM | Name.com, Inc. | 2025-06-28 | 2026-06-28 | Newly Registered | USA |
| SELENAGRANDPRIX.COM | ONLINE SAS | 2025-06-05 | 2026-06-05 | Newly Registered | France |
| SHOP-GRANDPRIX.COM | NameCheap, Inc. | 2025-07-16 | 2026-07-16 | Newly Registered | USA |
| VOLTGRANDPRIX.COM | Wild West Domains, LLC | 2007-04-09 | 2026-04-09 | 17+ Years Old | USA |
| WEBGRANDPRIX.COM | TUCOWS, INC. | 2024-07-01 | 2026-07-01 | 1 Year Old | Canada |
| WORLDGRANDPRIX.COM | Megazone Corp., dba HOSTING.KR | 2002-05-05 | 2026-05-05 | 22+ Years Old | South Korea |
The attackers have strategically distributed their infrastructure across multiple registrars including NameCheap, Network Solutions, and OVH to evade detection and complicate takedown efforts.
This diversification strategy, combined with the use of legitimate-sounding domain names, creates a formidable challenge for both security teams and potential victims attempting to distinguish authentic platforms from malicious alternatives.
The timing of these registrations, clustered around the race announcement and ticket sales periods, demonstrates careful planning and market awareness by the threat actors.
Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches
