A sophisticated phishing operation aimed at the 2026 FIFA World Cup has expanded significantly, according to security experts. Initially documented as comprising 79 fake domains, the campaign has now grown to encompass 222 domains across 203 unique IP addresses, almost tripling in size.
Deceptive Tactics and Goals
These cybercriminals have developed realistic imitations of FIFA’s website, including counterfeit ticketing portals and fraudulent login pages. The primary aim is to extract financial information and personal data from football fans eager to participate in the upcoming event.
Flare researchers, sharing their findings with Cyber Security News, revealed the breadth of this operation by analyzing passive DNS records, certificate transparency logs, and WHOIS data. Their investigation uncovered a decentralized fraud network with at least four distinct operator groups all targeting the World Cup.
Ongoing Expansion and Security Alerts
The campaign continues to escalate. By mid-April 2026, 52 new domains were registered, with new ones appearing almost daily. Notably, March 27, March 28, and November 17, 2025, accounted for over a third of the new domain registrations.
As the tournament approaches, the infrastructure supporting these scams keeps expanding. Both security teams and the public are advised to remain vigilant, since every indication is that the fraud operations are intensifying.
Detailed Investigation Findings
The original analysis identified 79 domains hosted on 14 IP addresses. This has now increased to 222 domains resolving to 203 unique IPs. Notably, 80.6% of these IPs are behind Cloudflare, which is used to obscure the true server locations.
Five IP addresses were found to host multiple fraudulent domains, with one linked to eight sites. Additionally, Cloudflare has flagged three domains as probable phishing sites, reinforcing the malicious nature of this activity.
GNAME.COM and GoDaddy are the primary registrars, managing 94 and 42 domains respectively. Together, they control 61% of the network’s infrastructure. Experts suggest that reporting abuse in bulk to these registrars is an effective way to dismantle a significant portion of the operation.
Operator Clusters and Future Outlook
The investigation revealed at least four independent operator clusters. Cluster A is the most prominent, with about 86 domains mimicking fifa.com. Cluster B operates under generic names, while Cluster C appears to be China-based, and Cluster D uses a fictitious identity linked to the World Cup.
Each cluster employs similar templates but operates independently, suggesting a shared scam toolkit rather than a single orchestrated group. Detection efforts now need to focus on the campaign level, incorporating template and TLS certificate fingerprinting.
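A campaign-level grouping of the kind described above, as an added example that is not part of the report or of Flare's tooling: it joins lookalike domains that share a hosting IP, a TLS certificate fingerprint or a page-template hash into clusters, and deliberately skips shared CDN edge addresses so that Cloudflare fronting does not merge unrelated operators. All domain names, addresses and hashes below are constructed placeholders.

```python
from collections import defaultdict

# Constructed records (placeholder names, RFC 5737 addresses, fake hashes).
RECORDS = [
    {"domain": "fifa-tickets.example",  "ip": "198.51.100.1", "cert": "c1", "template": "tplA"},
    {"domain": "fifa-login.example",    "ip": "203.0.113.5",  "cert": "c1", "template": "tplA"},
    {"domain": "wc-tickets.example",    "ip": "203.0.113.5",  "cert": "c2", "template": "tplB"},
    {"domain": "wc2026-portal.example", "ip": "203.0.113.9",  "cert": "c3", "template": "tplC"},
    {"domain": "cup-pass.example",      "ip": "203.0.113.9",  "cert": "c4", "template": "tplD"},
    {"domain": "fan-zone.example",      "ip": "198.51.100.1", "cert": "c5", "template": "tplE"},
]

# Constructed set of shared CDN/reverse-proxy edge IPs. A common edge address
# (Cloudflare fronting in the report) says nothing about who runs the origin,
# so it must not be used as a pivot between domains.
SHARED_EDGE_IPS = {"198.51.100.1"}


def cluster_domains(records, shared_ips=SHARED_EDGE_IPS):
    """Return lists of domains linked by a shared IP, TLS certificate
    fingerprint or page-template hash (union-find), largest cluster first."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    # Index each pivot value -> domains, skipping non-attributing edge IPs.
    pivots = defaultdict(list)
    for r in records:
        for key in ("ip", "cert", "template"):
            if key == "ip" and r["ip"] in shared_ips:
                continue
            pivots[(key, r[key])].append(r["domain"])

    # Every domain sharing a pivot value joins the same set.
    for members in pivots.values():
        root = find(members[0])
        for d in members[1:]:
            parent[find(d)] = root

    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for n, group in enumerate(cluster_domains(RECORDS), 1):
        print(f"cluster {n}: {', '.join(group)}")
```

Passing `shared_ips=set()` shows the failure mode: the lone `fan-zone.example` site is wrongly pulled into the first cluster purely because it sits behind the same edge IP.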
With the World Cup drawing near, the urgency for robust digital security measures has never been higher. Stakeholders are urged to enhance their monitoring strategies to mitigate potential threats.
