GBHackers

World Cup Phishing Surge: 203 Malicious IPs Detected


The scale of phishing activity targeting the 2026 FIFA World Cup has expanded dramatically, with new research revealing a far broader and more complex threat landscape than initially reported.

What began as a cluster of 79 malicious domains has now evolved into a distributed phishing ecosystem spanning 222 domains mapped to 203 unique IP addresses, nearly tripling the domain footprint and increasing the hosting infrastructure by more than 14-fold.

Follow-up analysis using passive DNS data, certificate transparency logs, and WHOIS enrichment shows that 206 of the 222 identified domains are currently active.

Notably, 52 new domains were registered between April 1 and April 17, 2026, indicating that the campaign is accelerating as the tournament approaches rather than slowing down.

Unlike traditional phishing campaigns that rely on centralized control, this operation is fragmented. Researchers identified at least four distinct operator clusters, each with different infrastructure patterns, domain registration behaviors, and attribution markers.

This suggests multiple independent threat actors are leveraging shared phishing kits designed to mimic FIFA’s official platforms.

According to Flare, the infrastructure is highly distributed, resolving across 203 unique IP addresses. Approximately 80.6% of these domains are routed through Cloudflare, allowing attackers to mask origin servers behind reverse proxy services. This significantly complicates takedown and attribution efforts.

Figure: IP addresses and domains (Source: Flare).

A smaller subset of IPs hosts multiple phishing domains, including:

  • 38.246.249.74 hosting 8 domains.
  • 154.39.81.213 hosting 6 domains.
  • 148.178.16.48 hosting 5 domains.

Additionally, reused TLS certificates across multiple domains indicate shared backend infrastructure, strengthening the link between seemingly separate phishing sites.
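The pivots described above (several domains on one IP, one TLS certificate reused across domains, a handful of registrars) are exactly what an analyst links together to turn a flat domain list into operator clusters. The script below is an added illustration of that pivoting, not code from the article or from Flare. The domain names are ones the article cites, but the IP addresses (RFC 5737 documentation ranges), certificate fingerprints and registrar assignments are constructed and do not describe the real campaign's infrastructure.

```python
"""Pivot a small passive-DNS / certificate dataset into infrastructure clusters.

Constructed sample data: domain names come from the article; IPs, certificate
fingerprints and registrars are invented for illustration only.
"""
from collections import defaultdict
from itertools import combinations

# (domain, resolved_ip, tls_cert_fingerprint, registrar) -- constructed records
RECORDS = [
    ("fifa-com.vip",        "192.0.2.10",   "cert-aaaa", "GNAME.COM"),
    ("ww-fifa.vip",         "192.0.2.10",   "cert-aaaa", "GNAME.COM"),
    ("fifa-com.store",      "192.0.2.10",   "cert-bbbb", "GNAME.COM"),
    ("fifa-com.site",       "198.51.100.7", "cert-bbbb", "GoDaddy"),
    ("floridagiftssw.shop", "198.51.100.7", "cert-cccc", "GoDaddy"),
    ("example-shop.shop",   "203.0.113.5",  "cert-dddd", "Spaceship"),
]


def build_pivots(records):
    """Map each IP and each certificate fingerprint to the set of domains using it."""
    by_ip = defaultdict(set)
    by_cert = defaultdict(set)
    for domain, ip, cert, _registrar in records:
        by_ip[ip].add(domain)
        by_cert[cert].add(domain)
    return by_ip, by_cert


def cluster_domains(records):
    """Union-find over domains: two domains join one cluster if they share an IP or a cert.

    Returns clusters as sorted lists, largest first.
    """
    parent = {domain: domain for domain, *_ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_ip, by_cert = build_pivots(records)
    for group in list(by_ip.values()) + list(by_cert.values()):
        for a, b in combinations(sorted(group), 2):
            union(a, b)

    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


def shared_hosts(records, minimum=2):
    """IPs serving at least `minimum` domains, most-loaded first: candidate takedown targets."""
    by_ip, _ = build_pivots(records)
    loaded = [(ip, len(domains)) for ip, domains in by_ip.items() if len(domains) >= minimum]
    return sorted(loaded, key=lambda t: (-t[1], t[0]))


def registrar_share(records):
    """Percentage of domains per registrar, rounded to one decimal place."""
    counts = defaultdict(int)
    for *_, registrar in records:
        counts[registrar] += 1
    total = len(records)
    return {r: round(100 * n / total, 1) for r, n in counts.items()}


if __name__ == "__main__":
    for cluster in cluster_domains(RECORDS):
        print("cluster:", ", ".join(cluster))
    print("shared hosts:", shared_hosts(RECORDS))
    print("registrar share:", registrar_share(RECORDS))
```

In the constructed data, `fifa-com.store` shares an IP with the two `.vip` domains and a certificate with `fifa-com.site`, which in turn shares an IP with `floridagiftssw.shop`, so five of the six domains collapse into one cluster even though no single pivot links them all. That transitive linking is why a certificate reuse that looks minor on its own matters: it can bridge two otherwise separate clusters. The `registrar_share` output is what drives the "go after the dominant registrars" argument later in the article.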

World Cup Phishing Surge

The campaign is not a single coordinated operation but a collection of at least four clusters:

  • Cluster A: Focuses on direct typosquatting of “fifa.com” domains such as fifa-com.vip and ww-fifa.vip, primarily registered via GNAME.COM and actively used in ticket fraud pages.
  • Cluster B: Uses generic .shop domains (e.g., floridagiftssw.shop) tied to a shared registrant email and identity, repurposed to host World Cup phishing content. This cluster includes aged domains, improving credibility and bypassing detection mechanisms.
  • Cluster C: A smaller group of .cn domains registered with shared Gmail identifiers, suggesting a geographically distinct operator.
  • Cluster D: Uses fake organizational identities such as “888 World Cup Management Co Ltd” to add legitimacy to domain registrations.

This distributed model reflects a growing trend where phishing kits are reused or sold across underground communities, enabling rapid scaling by multiple actors simultaneously.

The expanded dataset includes 26 registrars, though a few dominate:

  • GNAME.COM accounts for 42.3% of domains.
  • GoDaddy follows with 18.9%.
  • Others include Spaceship, WebNIC, and Alibaba Cloud.

The concentration suggests that coordinated takedown efforts targeting key registrars could significantly disrupt the campaign.

Cloudflare has already flagged several domains as phishing, including fifa-com.store and fifa-com.site, serving warning pages instead of malicious content. However, this represents only a small fraction of the total infrastructure, highlighting the limitations of domain-by-domain detection.

This campaign demonstrates how global events like the FIFA World Cup create lucrative opportunities for cybercriminals. The use of scalable phishing kits, distributed infrastructure, and identity obfuscation techniques enables attackers to rapidly expand operations while evading traditional defenses.

For organizations and users, the key risk lies in highly convincing replicas of official FIFA services, including ticket portals, merchandise stores, and login pages designed to harvest credentials and payment data.

As the 2026 tournament approaches, security teams should prioritize proactive monitoring of lookalike domains, implement brand protection strategies, and educate users on identifying fraudulent websites before interacting with them.
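The lookalike monitoring recommended above usually starts with a lexical check over newly seen domains (from certificate transparency or passive DNS feeds) before any infrastructure pivoting. The following is an added example of such a check, written for this article and not code from GBHackers or Flare. The brand token, the homoglyph table, the candidate list and the rule thresholds are assumptions chosen for illustration; the candidate names mix domains the article cites with constructed ones (`f1fa-tickets.example`, `fiffa.example`, `example.org`).

```python
"""Flag domains that lexically impersonate a brand (here "fifa").

Added illustration; the brand, substitution table and candidate feed are
constructed assumptions, not data from the article.
"""
import re

BRAND = "fifa"
OFFICIAL_DOMAINS = {"fifa.com"}

# Common digit-for-letter substitutions seen in typosquats (assumed, extend as needed)
HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s", "4": "a"})

# Constructed candidate feed: article-cited lookalikes plus invented names
CANDIDATES = [
    "fifa-com.vip", "ww-fifa.vip", "fifa-com.store", "fifa-com.site",
    "fifa.com", "floridagiftssw.shop", "example.org",
    "f1fa-tickets.example", "fiffa.example",
]


def registrable_label(domain):
    """Second-level label. Assumes a one-label public suffix; a real tool should use the PSL."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a, b):
    """Classic edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain, brand=BRAND):
    """Return a short reason if `domain` looks like a brand impersonation, else None."""
    if domain.lower() in OFFICIAL_DOMAINS:
        return None
    label = registrable_label(domain)
    normalized = label.translate(HOMOGLYPHS)  # f1fa -> fifa
    tokens = [t for t in re.split(r"[-_]", normalized) if t]
    # "fifa-com.vip": the brand plus a "com" token mimics the official fifa.com
    if brand in tokens and "com" in tokens:
        return "brand plus 'com' token mimics the official domain"
    if brand in normalized:
        return "brand string embedded in label"
    near = [t for t in tokens if levenshtein(t, brand) == 1]
    if near:
        return f"token {near[0]!r} within edit distance 1 of brand"
    return None


def scan(domains):
    """(domain, reason) for every candidate that triggers a rule."""
    return [(d, r) for d in domains for r in [lookalike_reason(d)] if r]


if __name__ == "__main__":
    for domain, reason in scan(CANDIDATES):
        print(f"{domain:24s} {reason}")
```

Note what the lexical pass misses: `floridagiftssw.shop` contains nothing resembling the brand, so Cluster B's repurposed generic domains are invisible here and only surface through infrastructure pivots (shared IPs, certificates, registrant identity). Lexical matching also produces false positives on short tokens one edit away from the brand, so matches should feed a review queue or a blocklist with a human check rather than an automatic block.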
