Inside the Chinese-Language Gambling Infrastructure Targeting the 2026 World Cup

May 28, 2026

By Assaf Morag, Cybersecurity Researcher

We uncovered a large-scale Chinese-language gambling infrastructure using FIFA and World Cup branding to attract traffic, promote offshore betting, and scale event-driven fraud. The activity is not limited to isolated domains or opportunistic scams. Instead, it appears to rely on repeatable templates, shared providers, coordinated operator clusters, and infrastructure designed for rapid deployment ahead of the tournament.

Illegal betting is no longer just a gambling issue. It increasingly overlaps with cybercrime, financial fraud, underground payment systems, malware distribution, and organized criminal networks. The infrastructure’s reliance on a relatively small number of providers and technical patterns suggests that coordinated disruption may be possible before the tournament reaches peak global attention.

About this World Cup Series

The United States, Canada, and Mexico have been selected to host the 2026 FIFA World Cup. As of early April 2026, the lineup of all 48 teams set to compete in the final stage is now complete. 

How are threat actors responding? What’s already emerging across deep and dark web communities?

This blog is part of Flare’s World Cup 2026 Cybercrime Series, a collection of focused research pieces examining the evolving threat landscape surrounding the tournament. The series explores key areas including phishing infrastructure, fraud and scams, infostealer attacks, illegal streaming services, illicit betting platforms, insider threats, and other cybercriminal activities targeting the 2026 World Cup.

Key Findings on the Chinese-Language Gambling Infrastructure Targeting the World Cup

  • The APAC betting infrastructure appears extensive, centralized, and potentially automated. We consolidated a sample of 8,867 domains containing the string FIFA in the domain name, HTML, headers, and metadata.
  • The thousands of independent FIFA-themed gambling websites were clustered into several large Chinese-language betting infrastructure groups. The infrastructure showed strong signs of coordinated and potentially automated deployment, including shared DNS providers, repeated HTML templates, reused JavaScript resources, common favicon infrastructure, shared certificates, and concentrated registrar usage. Reverse searches using Chinese-language betting templates.
  • Operators actively use camouflage and deception techniques to make gambling infrastructure appear legitimate or benign. We identified websites embedding full-screen iframe overlays displaying Chinese university-style pages while concealing betting-related infrastructure underneath. The deceptive templates incorporated academic imagery, institutional branding, and benign metadata artifacts, including favicons resembling NGOs, educational institutions, and healthcare organizations, likely intended to evade detection, reduce suspicion, and complicate automated reputation analysis.
  • The infrastructure that supports this economy is centralized and operationally dependent on a small number of providers and operator clusters. Meaningful disruption would be achievable through coordinated enforcement and infrastructure-level intervention. Despite targeting a global sporting event, the ecosystem repeatedly converged on the same DNS providers, registrars, hosting networks, certificates, and deployment templates, indicating that large portions of the operation may rely on a limited set of tightly coupled services rather than fully decentralized criminal infrastructure.
Fraud & Scam Intelligence

Trace the Infrastructure Behind Organized Fraud Campaigns

Flare monitors stealer logs, leaked credential lists, and underground markets to uncover the supply chain fueling fraud ecosystems.

Stealer log and leaked credential correlation
Lookalike domain detection

Illegal Online Betting as a Global Phenomenon

According to Forbes, gambling has evolved into one of the world’s largest economies, estimated at roughly $5.9 trillion globally when including both regulated and unregulated markets. More recently, the FBI warned that illegal and offshore online gambling platforms are deeply intertwined with organized crime and broader cyber-enabled criminal activity. 

Although sports betting has been legalized across many US states, the FBI notes that Americans still wager hundreds of billions of dollars annually through unregulated offshore markets that operate outside US jurisdiction and offer little to no consumer protection. According to the agency, these platforms are frequently associated with money laundering, human trafficking, drug and weapons trafficking, tax evasion, fraud, extortion, and the theft of personal and financial information. 

The FBI further emphasized that illegal betting ecosystems increasingly function as part of larger transnational criminal networks leveraging offshore infrastructure, cryptocurrency, underground payment systems, and cyber-enabled operations to target users globally.

A betting “experience” is offered on Telegram (Flare link to post, sign up for the free trial to access if you aren’t already a customer)

The APAC Dimension

The APAC region, particularly China and Southeast Asia, has emerged as one of the most significant hubs for this activity. Although China officially bans gambling, estimates suggest Chinese citizens wager hundreds of billions of dollars annually through offshore betting platforms operating from jurisdictions such as Cambodia, Myanmar, Laos, and the Philippines. 

According to the UN Office on Drugs and Crime and regional law-enforcement assessments, cyber scam and illegal gambling operations in Southeast Asia generated an estimated $37–44 billion annually in recent years, with many networks tied to Chinese-speaking organized crime groups. 

These ecosystems increasingly overlap with investment fraud, phishing campaigns, fake betting applications, cryptocurrency laundering, and mobile malware distribution spread through Telegram, WeChat, WhatsApp, and social media, particularly during major sporting events. Authorities across the region have dismantled thousands of illegal gambling platforms, while investigations have linked some syndicates to large scam compounds employing trafficked workers under coercive conditions.

Why Illegal Betting Matters for Cybersecurity

From a cybersecurity perspective, illegal online betting ecosystems present significant risks beyond gambling itself. They facilitate:

  • Large-scale laundering of cybercrime proceeds
  • Credential theft
  • Financial fraud
  • Malware distribution through betting applications and advertising networks
  • Abuse of cryptocurrency infrastructure
  • Underground payment processing and shadow banking

In many cases, these operations thrive in weakly governed jurisdictions that enable cross-border organized crime groups to combine cyber capabilities with financial and human exploitation. As a result, the APAC illegal online betting ecosystem represents far more than a gambling problem. It has evolved into a hybrid criminal economy where cybercrime, financial fraud, organized crime, and digital infrastructure increasingly converge into one of the world’s largest cybercrime-adjacent underground industries.

FIFA-Containing Domains: Chinese-Language Gambling Infrastructure Revealed

We consolidated a sample of 8,867 domains that contain the string “fifa.” While one would assume that these domains in our dataset may be used as part of a typosquat campaign, aimed to target English-speaking ticket and consumer goods buyers, we soon discovered that the majority of these domains are part of a Chinese-language sportsbook and link-farm network using the FIFA brand and the 2026 World Cup as lure, built on shared DNS, shared hosting, and shared certificate infrastructure. 

Acceleration of Registration

While our research ended on April 24, 2026, we noticed that the registration was accelerated as the tournament approached: 

  • 4,834 of the domains (54.5%) were created in 2026
  • 2,741 in March-April 2026

Moreover, we found four distinct operator clusters account for the majority of the activity. This is a strong indicator that these domains were created as part of a single infrastructure or rather several adjacent infrastructures. Roughly 53% of all domains use share-dns.com or share-dns.net as their primary nameserver, and four registrars (Name SRS AB, GMO Internet, Gname, Metaregistrar) account for 55% of registrations. 2,704 domains (36% of scored records) carry a risk score of 90 or higher, and 387 are at the maximum score of 100. 54% are currently serving HTTP 200 with live content.

Website Templates and Content Analysis

The clearest tell is the website content itself. 

Of 4,186 domains with a captured HTML title, 3,764 (89.9%) contain Chinese characters. The most common title tokens:

| Token | Translation | Frequency |
|---|---|---|
| 世界杯 | World Cup | 2,886 |
| 平台 | Platform | 1,607 |
| 投注 | Betting | 1,045 |
| 买球 | Betting (lit. “buy ball”) | 966 |
| 官网 | Official site | 807 |
| 直播 | Live broadcast | 645 |

English-language phishing indicators are comparatively rare. The string “bet” appears in only 17 titles.

Unofficial FIFA-themed betting infrastructure with the domain fifa-worldcup[.]com[.]cn

Titles are heavily templated. The top 100 unique titles cover roughly 1,700 domains, and near-duplicate variants recur hundreds of times. 

Examples include: 

  • 2026世界杯官方(买球)有限公司 2026 World Cup appears on 103 domains
  • 2026国际足联世界杯买球 – 世界杯投注官网 | FIFA World Cup appears on 54 domains
  • 世界杯-世界杯(FIFA WC)官网-2026世界杯直播平台 appears on 49 domains

The templating is consistent with a small number of operators deploying the same landing page kit across hundreds of throwaway domains.

The website mx-cwc-fifa[.]com has the string “2026世界杯官方()有限公司” in its title, and its domain name combines mx (Mexico), cwc (world cup), and FIFA

Formulaic Domain Naming Conventions

After removing the “fifa” string from the domains, analysis of the remaining text reveals formulaic naming:

  • zh: 1,577
  • fifaworldcup: 1,137
  • cn: 680 
  • fifaclub: 369 
  • worldcup: 320
  • fifa2026: 307
  • ea: 305
  • fifacwc: 286
  • ultimate: 243
  • fifawc: 240 
  • football: 227 
  • cwc: 219 
  • uk: 205 

The recurring zh and cn strings explicitly signal Chinese-language targeting. The ea and ultimate tokens reference EA Sports FIFA Ultimate Team, a separate gaming brand, suggesting the operators also harvest traffic looking for game-adjacent content.

Beyond FIFA-Named Domains: The Broader Infrastructure

The original research focused on domains containing the string “FIFA.” The broader question, though, is the scope of this FIFA-related infrastructure. To answer this, we searched for two Chinese-language betting templates (世界杯 and 买球) across all live domains, regardless of whether they contain “fifa” in the name. The results were dramatically larger. We found 33,726 IP addresses in Shodan that resulted from this search, out of which 31,652 IP addresses served 200 HTTP results.

The IP addresses themselves were either connected to a domain name, or just hosted gambling sites as part of a more robust and persistent infrastructure.

A website that mentions the FIFA World Cup without having FIFA in the domain name

Masking and Deception Techniques

We found that many pages use a full-screen iframe overlay to mask the underlying gambling-themed content. While the HTML contains betting-related metadata and branding such as xc体育, xcsports, and gambling-style descriptions, it immediately loads an external script from sjbe.njsoosd2026.com/jump.js and displays a fixed iframe from sjbe.njsoosd2026.com on top of the page. 

The overlay is styled with position: fixed, height: 100%, overflow: hidden, and an extremely high z-index, causing visitors to see an innocent-looking Chinese university-style website while the gambling infrastructure remains hidden underneath in the page source. Inside the code we also saw some pictures that appear to be related to a university lab.

The website’s HTML contains misleading text and pictures to appear as Chinese university-related websites
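
A defender-side check for the overlay pattern described above, as an added example that is not code from the original research: it parses a page's HTML and flags a position: fixed, full-height, high z-index iframe served from another host while the page's own title or meta tags carry the betting tokens listed earlier. The z-index threshold, the function names, and the sample markup are assumptions; it reads inline style attributes only, so overlays styled from a stylesheet or injected by script need a rendered-DOM check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Title tokens the article reports as most common on the gambling pages.
BETTING_TOKENS = ("世界杯", "买球", "投注", "平台")
MIN_Z_INDEX = 1000  # assumption: the article gives no number for "extremely high"


def parse_style(style):
    """Split an inline style attribute into a {property: value} dict."""
    pairs = (decl.partition(":") for decl in style.split(";"))
    return {n.strip().lower(): v.strip().lower() for n, sep, v in pairs if sep}


def is_fullscreen_overlay(style):
    """True for position:fixed + full height + very high z-index."""
    props = parse_style(style)
    z = re.match(r"\d+", props.get("z-index", ""))
    return (props.get("position") == "fixed"
            and props.get("height") in ("100%", "100vh")
            and z is not None and int(z.group()) >= MIN_Z_INDEX)


class PageScanner(HTMLParser):
    """Collects title/meta text, script hosts and overlay iframe hosts."""

    def __init__(self):
        super().__init__()
        self.in_title, self.text = False, []
        self.script_hosts, self.overlay_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "title":
            self.in_title = True
        elif tag == "meta" and a.get("name", "").lower() in ("keywords", "description"):
            self.text.append(a.get("content", ""))
        elif tag == "script" and a.get("src"):
            self.script_hosts.add(urlparse(a["src"]).hostname)
        elif tag == "iframe" and is_fullscreen_overlay(a.get("style", "")):
            self.overlay_hosts.add(urlparse(a.get("src", "")).hostname)

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.text.append(data)


def scan(html, page_host):
    """Flag betting metadata hidden under a full-screen third-party iframe."""
    p = PageScanner()
    p.feed(html)
    meta = " ".join(p.text)
    foreign = sorted(h for h in p.overlay_hosts if h and h != page_host)
    tokens = [t for t in BETTING_TOKENS if t in meta]
    return {"betting_tokens": tokens, "overlay_hosts": foreign,
            "script_from_overlay_host": any(h in p.script_hosts for h in foreign),
            "cloaked": bool(tokens) and bool(foreign)}


# Constructed sample markup, not copied from a live page. The overlay host is
# the one named in the article; the page host given to scan() is a placeholder.
CLOAKED = """<html><head><title>xc体育 - 2026世界杯买球平台</title>
<meta name="description" content="xcsports 世界杯投注">
<script src="https://sjbe.njsoosd2026.com/jump.js"></script></head><body>
<iframe src="https://sjbe.njsoosd2026.com/" style="position:fixed; top:0; left:0;
 width:100%; height:100%; overflow:hidden; z-index:2147483647"></iframe></body></html>"""
BENIGN = ('<title>Match schedule</title><iframe src="https://video.example/embed/1"'
          ' style="width:560px; height:315px"></iframe>')
```

Calling scan(CLOAKED, "landing.example") reports the overlay host and sets cloaked to True, while scan(BENIGN, "landing.example") leaves it False because the embedded frame is neither fixed nor full-height.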

The favicon appears to depict two stylized green human figures or abstract shapes interacting around a central pink/red element, possibly resembling a handshake, ribbon, or interconnected symbol. We couldn’t find a specific entity to which we can distinctively link this logo, but it resembles that of some NGOs and educational organizations.

University-like logo

Expanding the search on the favicon returned 1,115 IP addresses. Some are related to legitimate organizations in the UK (XS sports equipment), some to betting sites (like William Hill, Bet365), and some to random domains around the world (for instance zenithspring.com instead of zenithsprings.com).

Shared Certificate Infrastructure

Moreover, we saw a randomly created certificate CN (0476jhzx[.]com), which was shared across 170 IP addresses with the same template, all with the title FIFA世界杯2026-小组赛分组结果及赛程时间安排 (translated as FIFA World Cup 2026 – Group Stage Draw). All the websites are hosted on IPs linked to South Korea geo-location (FEDERAL ONLINE GROUP LLC).

Recommendations for Security Teams

Below are a few recommendations for addressing such domains and infrastructure:

  • Expand investigations beyond the initially identified domain. Malicious and impersonating infrastructure is often deployed as part of larger coordinated campaigns that reuse naming conventions, templates, DNS providers, hosting infrastructure, certificates, analytics identifiers, and favicons across hundreds or thousands of domains.
  • Pivot on shared infrastructure artifacts such as SSL certificates, certificate common names (CNs), favicon hashes, Google Analytics IDs, DNS records, WHOIS patterns, HTML templates, JavaScript resources, and embedded third-party services. These indicators frequently reveal adjacent infrastructure operated by the same actors.
  • Analyze website content and metadata in multiple languages. Threat actors increasingly localize phishing, gambling, fraud, and impersonation infrastructure for regional audiences, meaning English-only monitoring may miss substantial portions of a campaign.
  • Look for signs of templated deployment. Near-identical HTML titles, repeated keywords, reused page structures, shared JavaScript files, and recurring visual themes can indicate centralized kits or coordinated operator clusters rather than isolated malicious domains.
  • Investigate infrastructure relationships instead of focusing solely on domain names. Shared DNS providers, hosting providers, CDN configurations, registrars, redirect chains, and reverse-IP overlaps can expose broader malicious ecosystems and operational dependencies.
  • Examine inactive or parked domains associated with the same operators. Threat actors often pre-register large inventories of domains ahead of major events, product launches, or campaigns and activate them opportunistically over time.
  • Inspect the underlying HTML, scripts, and embedded resources for deception techniques such as iframe overlays, cloaking, hidden redirects, misleading branding, or content masking intended to evade automated scanning or appear legitimate to users.
  • Correlate findings with external intelligence sources including passive DNS, Shodan, URL scanning platforms, malware sandboxes, certificate transparency logs, and threat-intelligence feeds to identify additional infrastructure and historical activity.
  • Monitor messaging and social platforms such as Telegram, WhatsApp, Discord, WeChat, and social media services, which are increasingly used to distribute malicious links, betting promotions, phishing campaigns, and malware-laced applications.
  • Share indicators of compromise (IOCs) and infrastructure findings with registrars, hosting providers, CERTs, brand-protection teams, payment processors, and trusted intelligence-sharing communities to improve disruption and coordinated response efforts.

This research reveals that FIFA World Cup–themed domain abuse is not primarily a traditional phishing or counterfeit merchandise problem, but rather part of a large-scale Chinese-language offshore gambling ecosystem deeply intertwined with cybercrime infrastructure. 

The operation leverages shared DNS providers, shared hosting, shared certificates, templated landing pages, Telegram distribution, and deceptive masking techniques to scale thousands of betting-related domains ahead of the 2026 FIFA World Cup. 

The infrastructure demonstrates characteristics of coordinated operator clusters rather than isolated opportunistic abuse, while also highlighting the growing convergence between illegal betting, underground financial systems, cyber-enabled fraud, and organized crime across the APAC region.

Infrastructure Analysis: TLD, Registrar, and Hosting

Registration is Accelerating into the Tournament

Registration timing is the single strongest indicator that this is an event-driven campaign. 4,834 domains were created in 2026, with another 1,297 in 2025. Together those two years account for 69% of the dataset. The bulk is concentrated in a handful of high-volume days.

| Date | Domains registered |
|---|---|
| March 31, 2026 | 498 |
| April 22, 2026 | 497 |
| June 2, 2025 | 376 |
| February 20, 2026 | 263 |
| March 3, 2026 | 238 |
| March 9, 2026 | 205 |
| April 11, 2026 | 188 |
| April 2, 2026 | 163 |

March and April 2026 alone account for 4,296 registrations. June 2025 produced 651 in a single month, likely tied to the start of ticketing announcements. The shape is not organic growth. It is batch registration timed to scheduled moments in the tournament calendar.

Domain lifetimes are consistent with disposable infrastructure. 6,536 of 7,593 domains with usable expiration data (86%) are registered for exactly 365 days. Expiration is heavily clustered in March and April 2027, with 2,226 and 2,096 domains expiring in those months, mirroring the registration spike one year earlier. Few operators are paying for multi-year renewals.

TLD Distribution

The .com TLD dominates, but the long tail is notable. Three Freenom free TLDs (.tk, .ga, .cf) appear in 476 domains combined, and the cheap-new-gTLD set (.top, .shop, .online, .xyz, .club) carries several hundred more. That distribution is typical of disposable scam networks.

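| TLD | Domain count | Share |
|---|---|---|
| .com | 6,879 | 77.6% |
| .tk | 426 | 4.8% |
| .ru | 152 | 1.7% |
| .de | 145 | 1.6% |
| .net | 132 | 1.5% |
| .info | 93 | 1.0% |
| .ga + .cf (Freenom) | 50 | 0.6% |
| Other (160 TLDs) | 990 | 11.2% |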

Registrar Concentration

The top four registrars account for 4,860 domains, or 54.8% of the total. The concentration is meaningful for takedown strategy. A single coordinated abuse report could reach 1,665 domains, roughly 19% of the network.

| Registrar | Domain count | Share |
|---|---|---|
| Name SRS AB | 1,665 | 18.8% |
| GMO Internet, Inc. | 1,590 | 17.9% |
| Gname.com Pte. Ltd. | 831 | 9.4% |
| Metaregistrar BV | 774 | 8.7% |
| Cosmotown, Inc. | 527 | 5.9% |
| Chengdu Fly-Digital Technology | 215 | 2.4% |
| GoDaddy.com, LLC (all variants) | 146 | 1.6% |
| Other (419 registrars) | 2,764 | 31.2% |

Name SRS AB (Sweden) pairs almost exclusively with the Shield Whois privacy service, which appears on 1,647 registrant records. GMO Internet (Japan) pairs with the onamae.com privacy service on 1,573 records. The pairings are tight enough to use as operator fingerprints even when the underlying contact data is redacted.

Hosting Concentration: Hong Kong Bulletproof-Style Providers

Of 6,625 domains with resolved IPs, 3,205 (48.4%) are hosted in Hong Kong. The United States is a distant second at 1,538, followed by the Netherlands at 385 and Brazil at 336. The Hong Kong concentration is driven by two ASNs that together account for 36.8% of all hosted domains.

| ASN | Top ISP | Country | Domains | Share |
|---|---|---|---|---|
| 138415 | Yancy Limited / Redluff Llc | HK / US | 1,343 | 20.3% |
| 134548 | Cloud Innovation Ltd / Dxtl-service | HK | 1,096 | 16.6% |
| 132839 | Digital Core Technology Co. Limited | HK | 529 | 8.0% |
| 134175 | HongKong Service | HK | 485 | 7.3% |
| 9294 | Gnet Inc. | KR | 431 | 6.5% |
| 31624 | Verotel International B.V. | NL | 346 | 5.2% |
| 13335 | CloudFlare Inc. | US | 210 | 3.2% |

ASN 138415 (Yancy Limited and Redluff Llc) and ASN 134548 (Cloud Innovation Ltd, Dxtl-service, Dingfeng Xinhui Hk Technology Limited) are the two largest operator host providers. Both show multiple ISP names sharing the same ASN, a pattern consistent with layered reseller hosting on bulletproof-style infrastructure. ASN 31624 (Verotel International, Netherlands) is the only non-Asian hoster of significant size, and Verotel is a known adult and high-risk payment-adjacent hoster.

Individual IP addresses also show significant co-hosting. 24 IPs host 10 or more FIFA domains. The top concentrations are below:

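| IP address | Domains hosted | Country |
|---|---|---|
| 203.27.227.29 | 39 | AU |
| 68.178.232.99 | 39 | US |
| 34.98.99.30 | 32 | US |
| 198.54.117.212 | 29 | US |
| 195.20.48.1 | 26 | NL |
| 182.16.52.26 | 23 | HK |
| 217.70.184.38 | 22 | FR |
| 109.70.26.37 | 21 | AT |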

TLS Certificates Reveal Operator Fleets

TLS certificate reuse is a stronger operator linkage than shared IP, because deploying the same certificate across multiple domains requires operator-controlled infrastructure rather than shared CDN tenancy. Of 4,051 unique certificates in the dataset, 51 are shared across five or more FIFA domains. Those 51 certificates group 1,091 domains, or 21.3% of all domains with SSL. The largest clusters are concentrated on a small set of operator-controlled common names.

| Certificate Common Name | Domains | Cert Hash (prefix) |
|---|---|---|
| platfrom-jiuyou.com.cn | 97 | 170de6e3 |
| www.zh-as-fifaclub.com | 50 | 8faf5648 |
| www.zh-bc-fifaclubsjb.com | 50 | 95e960f5 |
| www.zh-bc-fifaclubcwc.com | 50 | ec93f331 |
| www.zh-ah-fifaclub.com | 50 | 819a65ce |
| www.zh-bc-fifaclubworldcup.com | 50 | bc5f28f7 |
| www.zh-bc-fifa.com | 43 | 6bcd04e5 |
| submit-kaiyun.com | 43 | 300b5e02 |
| www.zh-bc-fifacwc.com | 42 | 8764993c |
| b.qsywater.com | 37 | fb4b3d84 |
| china-zh-fifa.com | 36 | 920c9142 |

The naming pattern across the top of the certificate list is diagnostic. Certificates cover common names in the form zh-XX-fifaclub.com, zh-bc-fifaXXX.com, and china-zh-fifa.com, where XX is a two-letter sub-code. One certificate (platfrom-jiuyou.com.cn, note the misspelling of “platform”) alone covers 97 domains. This is consistent with a single operator running a templated set keyed off a master brand identity.

Operator Clusters

Joining registrar, primary nameserver, and registrant privacy service produces four distinct operator clusters that together account for 4,697 domains (53% of the network).

| Cluster | Registrar | Privacy / Registrant | NS1 Domain | Domains |
|---|---|---|---|---|
| Shield Whois | Name SRS AB | Shield Whois (SE) | share-dns.net / .com | 1,618 |
| onamae | GMO Internet, Inc. | Whois Privacy by onamae.com | share-dns.net / .com | 1,573 |
| Gname | Gname.com Pte. Ltd. | Mixed | share-dns.net / .com | 732 |
| Freegistry | Metaregistrar BV | Freedom Registry, Inc. | Mixed (.tk-heavy) | 774 |

The Shield Whois and onamae clusters are strongly mutually exclusive. Only a small overlap exists where a domain was registered at Name SRS AB but uses the onamae.com privacy service or vice versa. The Gname cluster shares the same share-dns nameserver infrastructure as the other two, suggesting either a shared DNS operator or a shared kit that defaults to share-dns.

The Freegistry cluster is the outlier. It concentrates on Freenom TLDs (.tk, .ga, .cf) and uses Freedom Registry, Inc. as its visible registrant organization. This cluster shows a different operational economy, built around free domain registrations rather than paid bulk purchases. It is likely either a distinct operator or a lower-cost parallel track within the same ecosystem.
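
The certificate-fleet and operator-cluster groupings described in the two sections above can be reproduced over any enrichment export. The following is an added example (not the researchers' tooling) that groups constructed records by certificate hash and by registrar, privacy service, and nameserver family, then lists reused certificates that cross clusters. Field names, the ns_family heuristic, and all sample records are assumptions.

```python
from collections import defaultdict

MIN_FLEET_SIZE = 5  # the article counts certificates shared by five or more domains


def ns_family(nameserver):
    """Reduce ns1.share-dns.com and ns2.share-dns.net to 'share-dns'.

    Assumption: the label left of the TLD names the DNS provider. This naive
    split is wrong for multi-label suffixes such as .com.cn.
    """
    labels = nameserver.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def cert_fleets(records, min_size=MIN_FLEET_SIZE):
    """Map certificate hash -> sorted domains, keeping only reused certificates."""
    by_cert = defaultdict(set)
    for r in records:
        if r.get("cert"):
            by_cert[r["cert"]].add(r["domain"])
    return {c: sorted(d) for c, d in by_cert.items() if len(d) >= min_size}


def operator_clusters(records):
    """Group domains on (registrar, privacy service, nameserver family)."""
    clusters = defaultdict(set)
    for r in records:
        key = (r["registrar"], r["privacy"], ns_family(r["ns1"]))
        clusters[key].add(r["domain"])
    return {k: sorted(v) for k, v in clusters.items()}


def fleets_spanning_clusters(records, min_size=MIN_FLEET_SIZE):
    """Reused certificates whose domains sit in more than one cluster.

    A shared certificate is the stronger link, so a fleet that crosses
    registration clusters is a lead that those clusters share an operator.
    """
    cluster_of = {d: k for k, ds in operator_clusters(records).items() for d in ds}
    spanning = {}
    for cert, domains in cert_fleets(records, min_size).items():
        keys = sorted({cluster_of[d] for d in domains})
        if len(keys) > 1:
            spanning[cert] = keys
    return spanning


def rec(i, registrar, privacy, ns1, cert):
    """Build one constructed enrichment record."""
    return {"domain": f"site{i:02d}.example", "registrar": registrar,
            "privacy": privacy, "ns1": ns1, "cert": cert}


# Constructed records: registrar and privacy names follow the article's tables,
# while domains, certificate labels and the cert-to-cluster mix are made up.
SHIELD = ("Name SRS AB", "Shield Whois")
ONAMAE = ("GMO Internet, Inc.", "Whois Privacy by onamae.com")
GNAME = ("Gname.com Pte. Ltd.", "REDACTED")
RECORDS = (
    [rec(i, *SHIELD, "ns1.share-dns.com", "cert-A") for i in range(0, 6)]
    + [rec(i, *ONAMAE, "ns2.share-dns.net", "cert-B") for i in range(6, 9)]
    + [rec(i, *GNAME, "ns1.share-dns.net", "cert-B") for i in range(9, 11)]
    + [rec(11, "Registrar X", "none", "ns1.dns-host.example", "cert-C")]
)

if __name__ == "__main__":
    for key, domains in operator_clusters(RECORDS).items():
        print(len(domains), key)
    print(fleets_spanning_clusters(RECORDS))
```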

Indicators of Interest

The following indicators are worth treating as high-confidence operator artifacts for monitoring.

  • Primary nameservers: share-dns.com, share-dns.net (4,720 domains combined)
  • Registrar and privacy pairings: Name SRS AB + Shield Whois (1,618 domains), GMO Internet + onamae.com privacy (1,573 domains)
  • ASNs of interest: 138415 (Yancy Limited / Redluff, 1,343 domains), 134548 (Cloud Innovation / Dxtl-service, 1,096), 132839 (Digital Core Technology, 529), 134175 (HongKong Service, 485)
  • Certificate common names covering multiple domains: platfrom-jiuyou.com.cn (97 domains), submit-kaiyun.com (57 domains), the zh-XX-fifaclub family (six certificates, 300 domains combined)
  • Shared IPs hosting 20 or more FIFA domains: 203.27.227.29, 68.178.232.99, 34.98.99.30, 198.54.117.212, 195.20.48.1, 182.16.52.26, 217.70.184.38, 109.70.26.37, 82.98.86.179
  • Title template fingerprints: any page title containing a combination of 世界杯 and 买球 or 投注 or 平台 should be treated as consistent with this campaign
