World Cup Phishing Campaign Nearly Triples With 203 Unique IP Addresses

A large-scale phishing campaign targeting the 2026 FIFA World Cup has grown far beyond what security researchers originally thought. What began as a documented set of 79 fraudulent domains has ballooned into a network of at least 222 domains spread across 203 unique IP addresses, making it nearly three times larger than first reported.

The campaign is built to deceive. Threat actors have constructed convincing replicas of the official FIFA website, complete with fake ticketing pages, copycat stores, and fraudulent login pages that silently accept any credentials entered by users.

The goal is clear: steal payments and harvest account details from football fans eager to attend the tournament.

Researchers at Flare said in a report shared with Cyber Security News (CSN) that they identified the full scale of the operation after expanding their investigation using passive DNS records, certificate transparency logs, and WHOIS data enrichment.

What they uncovered was not a single coordinated attack but a distributed fraud ecosystem with at least four distinct operator clusters all targeting the same event.

The campaign is not slowing down. In just the first 17 days of April 2026, 52 new domains were registered, with fresh additions appearing almost daily. Three dates alone, March 27, March 28, and November 17, 2025, accounted for over 36 percent of all domain registrations in the dataset.

With the tournament approaching fast, the infrastructure keeps growing. Security teams and fans alike are being urged to stay alert, as the fraud operation shows every sign of accelerating rather than winding down ahead of kickoff.

World Cup Phishing Campaign

The original investigation identified 79 typosquatting domains hosted across just 14 IP addresses. The expanded dataset now confirms 222 domains, of which 206 are currently active, resolving to 203 unique IP addresses.

That is roughly 2.8 times the domain count and over 14 times the hosting footprint of the first report. A striking 80.6 percent of those IPs sit behind Cloudflare, which researchers say the operators are using as a reverse proxy to hide their real servers. Because those addresses belong to Cloudflare's edge and are shared with legitimate sites, they are poor blocklist candidates and reveal nothing about the origin hosts; the pivots that remain useful are the non-Cloudflare IPs, certificate reuse, and WHOIS fields listed in the indicators below.

Five IP addresses were found hosting multiple domains from the campaign, with the top address alone tied to eight separate fraudulent sites. Cloudflare has also flagged three domains in the dataset as suspected phishing pages, offering independent confirmation that the activity is malicious.

The registrar picture has expanded as well. GNAME.COM remains the dominant registrar, accounting for roughly 94 domains, or about 42 percent of the known infrastructure.

GoDaddy follows with 42 domains, meaning just two registrars control around 61 percent of the total. Researchers recommend brand protection teams prioritize bulk abuse reporting to these two as the fastest path to removing the largest share of the network.

Four Distinct Operator Clusters Behind the Fraud

One of the most revealing findings is that this is not a single, centrally run operation. Analysis shows at least four separate operator clusters with different registration patterns, hosting choices, and digital fingerprints.

Cluster A is the most visible, running roughly 86 domains that directly mimic the fifa.com address. Cluster B is harder to detect, operating 14 .shop domains with generic-sounding names that show no FIFA connection yet serve the same fraudulent landing page.

Cluster C is a smaller group of three .cn domains registered through a single Gmail address, pointing toward a China-based actor working independently. Cluster D hides behind a fake registrant identity, "888 World Cup Management Co Ltd", a cover name that references the tournament openly.

All four clusters share the same page templates and target the same victims, but their fingerprints suggest independent actors exploiting a shared scam kit rather than one coordinated group.

Detection must now operate at the campaign level, not domain by domain. Teams are advised to look beyond naming patterns, add TLS certificate reuse and page template fingerprinting to their detection rules, and treat any newly registered domain that matches known WHOIS indicators (registrant email, organization, or placeholder contact) as part of the active campaign.
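The campaign-level correlation described above, and the Cloudflare caveat from the hosting section, as an added example (this is not Flare's tooling or anything from the report): domains are grouped by shared pivots, namely non-Cloudflare hosting IPs, certificate fingerprints and normalised WHOIS fields, and a new registration is then triaged against the known set. Indicator values are taken from the IoC table on this page (kept defanged); the Cloudflare range list is a snapshot of the published ranges, and which domain sits on which IP, the e-mail addresses and the record layout are assumptions of the example.

```python
# Added example (not Flare's or the article's code): campaign-level correlation
# of phishing domains on shared pivots. IoC values come from the table on the
# page (kept defanged); IP-to-domain mapping, e-mails and record layout are assumed.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Snapshot of Cloudflare's published IPv4 edge ranges (cloudflare.com/ips); fetch
# the live list in production. They are shared reverse-proxy edges, not origins.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

def refang(value: str) -> str:
    """Undo [.] defanging so a value can be parsed (only inside tooling)."""
    return value.replace("[.]", ".")

def is_cloudflare_edge(ip: str) -> bool:
    addr = ipaddress.ip_address(refang(ip))
    return any(addr in net for net in CLOUDFLARE_V4)

@dataclass
class DomainRecord:
    domain: str
    ip: str | None = None
    cert_sha1: str | None = None
    registrant_email: str | None = None
    registrant_org: str | None = None

    def pivots(self) -> set[tuple[str, str]]:
        """Normalised attributes linking domains to one operator; Cloudflare edge
        IPs are dropped because they would tie unrelated sites together."""
        keys = set()
        if self.ip and not is_cloudflare_edge(self.ip):
            keys.add(("ip", refang(self.ip)))
        if self.cert_sha1:
            keys.add(("cert", self.cert_sha1.lower()))
        if self.registrant_email:
            keys.add(("email", self.registrant_email.lower()))
        if self.registrant_org:
            keys.add(("org", " ".join(self.registrant_org.lower().split())))
        return keys

def _root(parent: dict[str, str], x: str) -> str:
    """Union-find root lookup with path halving; unknown names become roots."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster(records: list[DomainRecord]) -> list[set[str]]:
    """Group domains into operator clusters: any shared pivot merges them."""
    parent: dict[str, str] = {}
    first_seen: dict[tuple[str, str], str] = {}
    for rec in records:
        for key in rec.pivots():
            if key in first_seen:
                parent[_root(parent, rec.domain)] = _root(parent, first_seen[key])
            else:
                first_seen[key] = rec.domain
    groups: dict[str, set[str]] = {}
    for rec in records:  # singletons are registered here via _root
        groups.setdefault(_root(parent, rec.domain), set()).add(rec.domain)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))

def matches_campaign(new: DomainRecord, known: list[DomainRecord]) -> list[tuple[str, str]]:
    """Pivots a newly registered domain shares with known campaign records."""
    known_pivots = set().union(*(rec.pivots() for rec in known))
    return sorted(new.pivots() & known_pivots)

ORG_D = "888 shi jie bei guan li you xian gong si"   # Cluster D registrant org
CERT_A = "1b02595c66a13a4a5a523a76de25803bdb950623"  # cert shared by 3 domains
CF_EDGE = "104[.]21[.]5[.]6"                         # constructed Cloudflare edge IP

# Constructed records: the article neither maps domains to IPs nor publishes
# registrant e-mails, so those fields below are illustrative only.
SAMPLE_RECORDS = [
    DomainRecord("fifa-com[.]store", ip=CF_EDGE, cert_sha1=CERT_A),
    DomainRecord("fifa-com[.]site", ip=CF_EDGE, cert_sha1=CERT_A),
    DomainRecord("fifa-com[.]shop", ip="172[.]67[.]10[.]11", cert_sha1=CERT_A.upper()),
    DomainRecord("www-fifaworldcup[.]one", ip="38[.]246[.]249[.]74", registrant_org=ORG_D),
    DomainRecord("www-fifaworldcup[.]vip", ip="38[.]246[.]249[.]74"),
    DomainRecord("fifa-com[.]one", registrant_org=ORG_D.upper()),
    DomainRecord("https-fifa[.]cn", ip="154[.]39[.]81[.]213", registrant_email="c@example.invalid"),
    DomainRecord("ww-fifaweb[.]cn", registrant_email="C@example.invalid"),
    DomainRecord("fifawebsite[.]cn", registrant_email="c@example.invalid"),
    # Shares only a Cloudflare edge IP with Cluster A, so it must stay separate.
    DomainRecord("dustdigitalsw[.]shop", ip=CF_EDGE, registrant_email="b@example.invalid"),
]
# Hypothetical new registrations to triage against the known set.
NEW_CLUSTER_D = DomainRecord("fifa-tickets-2026[.]xyz", ip=CF_EDGE, registrant_org=ORG_D)
NEW_UNRELATED = DomainRecord("some-shop[.]com", ip=CF_EDGE)

if __name__ == "__main__":
    print([sorted(g) for g in cluster(SAMPLE_RECORDS)])
    print(matches_campaign(NEW_CLUSTER_D, SAMPLE_RECORDS), matches_campaign(NEW_UNRELATED, SAMPLE_RECORDS))
```

Run as a script, the four clusters fall out of the certificate, IP and registrant pivots alone, the Cluster B .shop domain stays isolated even though it shares an edge IP with three Cluster A domains, and the hypothetical new .xyz registration is linked to Cluster D through its registrant organization only. Feed real passive DNS, CT and WHOIS enrichment into `DomainRecord` and the same two functions give campaign-level grouping and new-domain triage.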

Indicators of Compromise (IoCs)

Type | Indicator | Description
IP address | 38[.]246[.]249[.]74 | Top hosting IP, tied to 8 campaign domains
IP address | 154[.]39[.]81[.]213 | Hosting IP tied to 6 campaign domains
IP address | 148[.]178[.]16[.]48 | Hosting IP tied to 5 campaign domains
IP address | 154[.]86[.]0[.]33 | Shared campaign hosting IP
IP address | 104[.]225[.]235[.]49 | Shared campaign hosting IP
Email | [email protected] | Registrant email linked to 14 Cluster B .shop domains
Email | [email protected] | Registrant email linked to 3 Cluster C .cn domains
Registrant organization | 888 shi jie bei guan li you xian gong si | Cluster D fake registrant identity (888 World Cup Management Co Ltd)
Registrant contact | Bill John / Newark | Cluster B placeholder identity tied to 14 .shop domains
TLS certificate hash | 1b02595c66a13a4a5a523a76de25803bdb950623 | Shared across 3 campaign domains
TLS certificate hash | fc1db8def38bb08010bb8f8ac14d5e498ff8ff43 | Shared across 2 campaign domains
TLS certificate hash | 3b8bb7631b39f455d31544b55ba97b49ab1888c1 | Shared across 2 campaign domains
TLS certificate hash | fb0498ab592232747a4d90aa150ee4e0506869ca | Shared across 2 campaign domains
Domain | fifa-com[.]store | Cloudflare-flagged suspected phishing domain
Domain | fifa-com[.]site | Cloudflare-flagged suspected phishing domain
Domain | fifa-com[.]shop | Cloudflare-flagged suspected phishing domain
Domain | dustdigitalsw[.]shop | Cluster B domain originally registered July 2015, repurposed for World Cup fraud
Domain | https-fifa[.]cn | Cluster C .cn domain, registered March 28, 2026
Domain | ww-fifaweb[.]cn | Cluster C .cn domain, registered March 28, 2026
Domain | fifawebsite[.]cn | Cluster C .cn domain, registered March 28, 2026
Domain | www-fifaworldcup[.]one | Cluster D domain, registrant org: 888 World Cup Management Co Ltd
Domain | www-fifaworldcup[.]vip | Cluster D domain, registrant org: 888 World Cup Management Co Ltd
Domain | fifa-com[.]one | Cluster D domain, registrant org: 888 World Cup Management Co Ltd

The certificate hashes are 40 hexadecimal characters, the length of a SHA-1 fingerprint; match on them in certificate transparency logs and TLS metadata, since a certificate reused across domains ties those domains to one operator regardless of how they are named.

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post World Cup Phishing Campaign Nearly Triples With 203 Unique IP Addresses appeared first on Cyber Security News.
