The World Cup Fraud Infrastructure is Nearly Three Times Larger Than We First Reported

May 20, 2026

By Adrian Cheek, Senior Cybercrime Researcher

Recently, we published research documenting a coordinated phishing infrastructure of 79 typosquatting and lookalike domains across 14 IP addresses, all impersonating the official FIFA website. That article walked through the fake ticketing flow, the copycat FIFA Store, and the FIFA ID login page that accepts any credentials a user types in. The takeaway was that threat actors had built a full ecosystem replica designed to extract payments and harvest account credentials ahead of the 2026 tournament.

In the days after publishing, we expanded the scope of the investigation using broader passive DNS, certificate transparency logs, and WHOIS enrichment. The picture that emerged is considerably larger and more complex than the initial set of 79 domains suggested.

The campaign is not one centrally managed operation. It has at least four distinct operator clusters, drawing on shared scam kit templates, registering fresh domains daily, and accelerating into the tournament rather than winding down.

About this World Cup Series

The United States, Canada, and Mexico have been selected to host the 2026 FIFA World Cup. As of early April 2026, the lineup of all 48 teams set to compete in the final stage is now complete. 

How are threat actors responding? What’s already emerging across deep and dark web communities?

This blog is part of Flare’s World Cup 2026 Cybercrime Series, a collection of focused research pieces examining the evolving threat landscape surrounding the tournament. The series explores key areas including phishing infrastructure, fraud and scams, infostealer attacks, illegal streaming services, illicit betting platforms, insider threats, and other cybercriminal activities targeting the 2026 World Cup.

Key Findings from the Expanded Investigation of World Cup Phishing Infrastructure

  • The infrastructure is at least 222 domains across 203 unique IP addresses. That is roughly 2.8 times the domain count and more than 14 times the hosting footprint we reported in the first report.
  • The campaign is still actively expanding. 52 additional domains were registered between April 1 and April 17, 2026, after the cutoff of our original timeline chart.
  • This is not a single centrally managed operation. The broader dataset shows at least four distinct operator clusters with different registration patterns, hosting choices, and WHOIS fingerprints. That pattern is more consistent with multiple independent threat actors exploiting the same event.
  • WHOIS privacy failures reveal named operators. Roughly 10% of the expanded dataset (21 domains) contains operator identifying information that either bypassed or was never applied to privacy redaction, giving us concrete attribution handles for ongoing monitoring.
  • Cloudflare has already flagged part of the infrastructure as phishing, providing independent validation that the activity is malicious rather than merely suspicious.
Phishing Infrastructure Detection

Detect Lookalike Domains Before They Reach Your Customers

Flare continuously monitors typosquatting domains and underground markets to surface phishing infrastructure targeting your brand.

Typosquat and lookalike domain monitoring
Automated takedown workflows

The Expanded Infrastructure Footprint

The original 79 domains were identified through typosquatting patterns that directly target the fifa.com string. A broader sweep using shared hosting infrastructure, certificate fingerprints, and landing page templates surfaces another 143 domains, bringing the confirmed total to 222. Of those, 206 are currently active.

The hosting footprint is also more distributed than first reported. Rather than 14 IP addresses, the expanded set resolves to 203 unique IPs, of which 80.6% sit behind Cloudflare. This confirms that the operators are using Cloudflare’s reverse proxy to mask their real origin servers. It also means the small number of shared IP clusters we do observe are almost certainly pointing at actual origin infrastructure rather than coincidental tenancy.

Within the dataset, five IPs host multiple domains from the campaign. The top three:

IP Address Domains Hosted
38.246.249.74
8
154.39.81.213
6
148.178.16.48
5

Four TLS certificates are also reused across two or three domains each. Shared certificates are a stronger operator linkage signal than shared IP, because obtaining and deploying the same cert across multiple domains implies a shared origin deployment rather than shared CDN tenancy.

The Campaign did not Pause after our Reporting Went Live

Our initial timeline showed an initial November 2025 spike, a dormant period through February, and a campaign launch phase beginning in March 2026. The broader dataset confirms that shape and extends it. The launch phase has not ended.

Recent registration bursts:

Date Domains Registered
March 27, 2026
34
March 28, 2026
23
April 8, 2026
19
March 20, 2026
17
April 7, 2026
10
April 11, 2026
9

Three dates alone, March 27, March 28, and November 17, 2025, account for 36.5% of all registrations in the dataset. 52 new domains were registered in the first 17 days of April 2026, with fresh additions appearing within days of this writing. The campaign is not winding down ahead of the tournament. It is accelerating into it.

The Registrar Footprint is Broader than First Reported

Our initial reporting identified seven registrars, with GNAME.COM PTE. LTD. accounting for 45 of the 79 domains. The expanded set surfaces 26 distinct registrars, though the concentration at the top has become even more pronounced:

Registrar Domain Count Share
GNAME.COM PTE. LTD. (all variants)
94
GoDaddy.com, LLC
42
Spaceship, Inc.
15
WebNIC
15
Alibaba Cloud / HiChina
14
Metaregistrar BV
12
NameSilo, LLC
5
NameCheap, Inc.
4
Other (18 registrars)
21

Two registrars that did not appear in the original reporting, Spaceship and WebNIC, each match Metaregistrar’s volume and together account for 30 additional domains. Both are worth flagging for any abuse teams currently working World Cup-related takedowns.

The continued dominance of GNAME.COM is consistent with our earlier observation about its payment flexibility, including cryptocurrency, and it reinforces the value of coordinated takedown outreach with that registrar specifically. A single well-documented bulk abuse report to GNAME.COM would cover roughly 42% of the known infrastructure.

This is Not One Operation, it is at Least Four

One of the most important updates to our initial analysis: the expanded data does not support the hypothesis of a single centrally managed operation. Instead, we observe at least four distinct operator clusters with meaningfully different signatures.

Cluster A: the fifa.com Typosquat Core

This is the cluster our initial report focused on. Roughly 86 domains directly typosquat the fifa.com string (for example fifa-com.vip, vww-fifa.com, ww-fifa.vip, www-fifa-com.vip). They were registered primarily through GNAME.COM in the March to April 2026 window, hosted behind Cloudflare, and serve the templated FIFA World Cup 2026 Tickets landing page. This is the most visible and most active cluster.

Cluster B: the [email protected] Shop Cluster

A second cluster shows a completely different operational signature and would have been missed by a fifa* naming heuristic. Fourteen .shop domains, none of which contain fifa in the name, all share:

  • Identical registrant email: [email protected]
  • Identical registrant contact name: Bill John (almost certainly a placeholder identity rather than a real person)
  • Identical city: Newark
  • Identical registrar: WebNIC
  • Registration window: primarily May 15, 2025 (11 domains on the same day), with additions through September 2025

The domains themselves look like generic drop-shipping inventory: floridagiftssw.shop, cairnspringsw.shop, protectlysw.shop, bexiapparelsw.shop, and so on. What ties them to the World Cup fraud campaign is that they all now serve the same templated FIFA World Cup 2026 landing page.

One domain in this cluster, dustdigitalsw.shop, was originally registered in July 2015 and now points at the same FIFA scam infrastructure. This suggests the operator maintains aged, legitimate looking domain inventory and repurposes it for whatever campaign is active. That is a more sophisticated pattern than fresh event driven typosquatting, and one that defeats detection rules keyed to recent registration dates.

Cluster C: the [email protected] .cn Cluster

A smaller but distinct cluster of three .cn domains: https-fifa.cn, ww-fifaweb.cn, and fifawebsite.cn. All three were registered on March 28, 2026 through Web Commerce Communications Limited, and all share the same Gmail address as registrant contact. The use of a country-code TLD, a different registrar, and shared operator identifying data points to a China based actor working in parallel with Cluster A rather than under shared coordination.

Cluster D: 888 World Cup Management Co Ltd

Three domains (www-fifaworldcup.one, www-fifaworldcup.vip, fifa-com.one) share a registrant organization listed as 888 shi jie bei guan li you xian gong si, pinyin for 888 World Cup Management Co Ltd. The operator appears confident enough in the campaign’s cover to reference the World Cup directly in their fake registrant identity.

These four clusters share landing page templates and a common target, but their registration patterns, hosting choices, and operator fingerprints are inconsistent with a single centralized campaign manager. The more likely interpretation is a distributed ecosystem of operators drawing on shared scam kit templates, which is a scaling pattern we have observed in other event driven fraud operations: a successful template gets shared or sold, and multiple independent actors deploy it simultaneously.

Cloudflare has Already Flagged Part of the Infrastructure

At the time of writing, three domains in the dataset (fifa-com.store, fifa-com.site, and fifa-com.shop) are serving Cloudflare’s Suspected phishing site warning page rather than the fraud landing page. All three were registered through GoDaddy on March 20, 2026.

This is meaningful for two reasons. First, it provides independent third-party validation that this infrastructure is being used for phishing, not merely lookalike branding. Second, the asymmetry is instructive: Cloudflare has flagged three domains while continuing to serve traffic for roughly 176 others in the same cluster. That illustrates the scale challenge facing both CDN providers and brand protection teams. Detection has to operate at the campaign level, not domain by domain.

What to Watch for Between Now and Kickoff

Based on the expanded dataset, we expect the following in the weeks before the tournament:

  • Continued registration bursts. Given the rate of April registrations, we anticipate further batches of typosquat domains, likely concentrated on GNAME.COM and GoDaddy, timed to coincide with official ticket sale windows.
  • Activation of parked domains. A subset of domains in the dataset resolve but do not yet serve the scam template. These are likely being held in reserve.
  • Migration to fresh infrastructure. As takedowns progress, operators will rotate to new IPs and domains. The repurposed .shop pattern in Cluster B shows they maintain inventory for exactly this purpose.
  • Parallel channels. Our team is also tracking associated illicit streaming services, counterfeit merchandise operations, and betting adjacent scams targeting the same audience. Several of these use overlapping infrastructure with the ticketing fraud described here.

Recommendations for Brand Protection and CTI Teams

For security teams monitoring this campaign, the expanded findings shift the priorities:

  • Expand detection beyond fifa* naming patterns. The Cluster B .shop domains show that legitimate-looking, aged, non FIFA named domains can be weaponized against the same brand. Detection rules should incorporate landing page template fingerprinting and TLS certificate reuse alongside string based typosquat matching.
  • Prioritize registrar level engagement. Two registrars, GNAME.COM (42 percent) and GoDaddy (19 percent), account for roughly 61 percent of the known infrastructure. Bulk abuse reporting to these two will remove the largest share of the infrastructure for the least effort.
  • Treat WHOIS leakage as actionable attribution. The [email protected], [email protected], and 888 shi jie bei fingerprints are strong enough to pivot on for ongoing monitoring. Any new domain registered with these indicators should be assumed to be part of the campaign.
  • Coordinate with CDN providers. Given the 80.6% Cloudflare concentration, origin level takedown coordination with Cloudflare’s trust and safety team will be more effective than targeting individual domains.

The scope of infrastructure built around the 2026 World Cup continues to exceed what we and others have published so far. We will keep updating this series as the tournament approaches, and as new operator clusters, streaming piracy operations, and betting fraud surface. If you are a brand protection or CTI team working on World Cup related threats and would benefit from an expanded IOC feed, contact our team directly. We are sharing enriched infrastructure data with affected organizations and law enforcement partners.

Phishing Infrastructure Detection

Detect Lookalike Domains Before They Reach Your Customers

Flare continuously monitors typosquatting domains and underground markets to surface phishing infrastructure targeting your brand.

Typosquat and lookalike domain monitoring
Automated takedown workflows

Updated Indicators of Compromise

222 IOCs covering domains, IPs, TLS certificate hashes, and operator fingerprints are available in the attached feed. Key operator attribution indicators:

  • Email: [email protected] (14 domains)
  • Email: [email protected] (3 domains)
  • Registrant organization: 888 shi jie bei guan li you xian gong si (3 domains)
  • Registrant contact placeholder: Bill John / Newark (14 domains, Cluster B)
  • Shared IPs: 38.246.249.74, 154.39.81.213, 148.178.16.48, 154.86.0.33, 104.225.235.49
  • Shared TLS certificate hashes: 1b02595c66a13a4a5a523a76de25803bdb950623 (3 domains), fc1db8def38bb08010bb8f8ac14d5e498ff8ff43 (2), 3b8bb7631b39f455d31544b55ba97b49ab1888c1 (2), fb0498ab592232747a4d90aa150ee4e0506869ca (2)
Share article

Related Content

View All
07.07.2026

Mycelium Framework: First Ever Witnessed AI-as-a-Service Botnet

07.06.2026

15,000+ Leaked Healthcare Secrets Found: Code Blue in the Server Room

07.02.2026

$4 Social Security Numbers on the Dark Web Carry 30 Year Sentences: The Stolen Data Courts Punish the Most Severely