Hackers News
World Cup Phishing Campaign Nearly Triples With 203 Unique IP

Emy Elsamnoudy
May 22, 2026 · 4 Min Read

A large-scale phishing campaign targeting the 2026 FIFA World Cup has expanded dramatically, nearly tripling in size compared to the initial assessment. What security researchers first identified as 79 fraudulent domains has since grown into a sprawling network of at least 222 domains, distributed across 203 unique IP addresses. This escalation is detailed in a new report from Flare.

The campaign is built to deceive. Threat actors have constructed convincing replicas of the official FIFA website, complete with fake ticketing pages, copycat stores, and fraudulent login pages that accept whatever credentials are typed in: there is no real authentication behind them, only capture.

The goal is clear: steal payments and harvest account details from football fans eager to attend the tournament.

Researchers at Flare said in a report shared with Cyber Security News (CSN) that they identified the full scale of the operation after expanding their investigation using passive DNS records, certificate transparency logs, and WHOIS data enrichment.

What they uncovered was not a single coordinated attack but a distributed fraud ecosystem with at least four distinct operator clusters all targeting the same event.

The campaign is not slowing down. In just the first 17 days of April 2026, 52 new domains were registered, with fresh additions appearing almost daily. Three dates alone, March 27 and 28, 2026, and November 17, 2025, accounted for over 36 percent of all domain registrations in the dataset.

With the tournament approaching fast, the infrastructure keeps growing. Security teams and fans alike are being urged to stay alert, as the fraud operation shows every sign of accelerating rather than winding down ahead of kickoff.

World Cup Phishing Campaign

The original investigation identified 79 typosquatting domains hosted across just 14 IP addresses. The expanded dataset now confirms 222 domains, of which 206 are currently active, resolving to 203 unique IP addresses.

That is roughly 2.8 times the domain count and over 14 times the hosting footprint of the first report. A striking 80.6 percent of those IPs belong to Cloudflare, which researchers say the operators use as a reverse proxy to hide their origin servers. The practical consequence for defenders: for most of the campaign the resolved address is a shared Cloudflare edge, so blocking or pivoting on that IP alone is of little value, and linkage has to come from certificates, WHOIS records and page content instead.

Five IP addresses were found hosting multiple domains from the campaign, with the top address alone tied to eight separate fraudulent sites. Cloudflare has also flagged three domains in the dataset as suspected phishing pages, offering independent confirmation that the activity is malicious.

The registrar picture has expanded as well. GNAME.COM remains the dominant registrar, accounting for roughly 94 domains, or about 42 percent of the known infrastructure.

GoDaddy follows with 42 domains, meaning just two registrars control around 61 percent of the total. Researchers recommend brand protection teams prioritize bulk abuse reporting to these two as the fastest path to removing the largest share of the network.

Four Distinct Operator Clusters Behind the Fraud

One of the most revealing findings is that this is not a single, centrally run operation. Analysis shows at least four separate operator clusters with different registration patterns, hosting choices, and digital fingerprints.

Cluster A is the most visible, running roughly 86 domains that directly mimic the fifa.com address. Cluster B is harder to detect, operating 14 .shop domains with generic-sounding names that show no FIFA connection yet serve the same fraudulent landing page.

Cluster C is a smaller group of three .cn domains registered through a single Gmail address, pointing to a China-based actor working independently. Cluster D uses a fake registrant identity, “888 World Cup Management Co Ltd,” whose cover organisation openly references the tournament.

All four clusters share the same page templates and target the same victims, but their fingerprints suggest independent actors using a shared scam kit rather than one coordinated group.

Detection therefore has to operate at the campaign level, not domain by domain. Teams are advised to look beyond naming patterns (a Cluster B domain would never trip a fifa-lookalike rule), to add TLS certificate reuse and page template fingerprinting to their detection logic, and to treat any newly registered domain that matches a known WHOIS indicator (registrant email, organisation or contact) as part of the active campaign.
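As an added example (not code from Flare or from this article), the Python below sketches the campaign-level pivoting described above: a name-only look-alike check that catches Cluster A-style domains and misses Cluster B, union-find clustering over shared certificate hashes, registrant fields and origin IPs (CDN-fronted IPs are deliberately skipped, since a shared Cloudflare edge links nothing), template-level grouping that ties all four operator clusters to one kit, and a triage check that flags a newly registered domain from its WHOIS overlap alone. The domains, origin IPs, certificate hashes and the Cluster D registrant organisation are quoted from the IoC table below; which domain carries which hash, the cdn flags, the 198.51.100.7 edge address, the registrant mailboxes, the template hash and the extra .shop names are constructed assumptions.

```python
"""Campaign-level pivoting over phishing-domain enrichment records (added example,
not Flare's tooling). Records are CONSTRUCTED to resemble pDNS + CT + WHOIS
enrichment: domains, origin IPs, cert hashes and the Cluster D registrant org are
quoted from the article's IoC table; which domain carries which hash, the cdn flags,
the TEST-NET edge IP, the registrant mailboxes, the template hash and the two extra
.shop names are assumptions. Nothing here resolves or connects to anything."""
from collections import defaultdict

BRAND = "fifa"
CERT_A = "1b02595c66a13a4a5a523a76de25803bdb950623"  # article: shared by 3 domains
CERT_B = "fc1db8def38bb08010bb8f8ac14d5e498ff8ff43"  # article: shared by 2 domains
CERT_D = "3b8bb7631b39f455d31544b55ba97b49ab1888c1"  # article: shared by 2 domains
ORG_D = "888 shi jie bei guan li you xian gong si"   # article: Cluster D registrant org
EMAIL_B = "registrant-b@example.invalid"             # placeholder; real mailbox redacted
EMAIL_C = "registrant-c@example.invalid"             # placeholder; real mailbox redacted
KIT = "tmpl-7c1e"                                    # assumed landing-page template hash
EDGE = "198.51.100.7"                                # assumed CDN edge address (TEST-NET-2)

def rec(ip, cdn, cert=None, email=None, org=None, template=KIT):
    return {"ip": ip, "cdn": cdn, "cert": cert, "email": email, "org": org, "template": template}

RECORDS = {
    # Cluster A style: fifa.com look-alikes behind a reverse proxy; IP is the edge, not the origin
    "fifa-com.store": rec(EDGE, True, cert=CERT_A),
    "fifa-com.site": rec(EDGE, True, cert=CERT_A),
    "fifa-com.shop": rec(EDGE, True, cert=CERT_A),
    # Cluster B style: generic names, one placeholder registrant and one certificate
    "dustdigitalsw.shop": rec("154.39.81.213", False, cert=CERT_B, email=EMAIL_B),
    "bluepinehub.shop": rec("154.39.81.213", False, cert=CERT_B, email=EMAIL_B),
    # Cluster C style: three .cn names under one registrant mailbox
    "https-fifa.cn": rec("148.178.16.48", False, email=EMAIL_C),
    "ww-fifaweb.cn": rec("148.178.16.48", False, email=EMAIL_C),
    "fifawebsite.cn": rec("148.178.16.48", False, email=EMAIL_C),
    # Cluster D style: fake registrant organisation
    "www-fifaworldcup.one": rec("154.86.0.33", False, cert=CERT_D, org=ORG_D),
    "www-fifaworldcup.vip": rec("154.86.0.33", False, cert=CERT_D, org=ORG_D),
    "fifa-com.one": rec("154.86.0.33", False, org=ORG_D),
}
# Constructed unrelated site that happens to share the CDN edge with Cluster A.
BYSTANDER = {"coffee-roasters.example": rec(EDGE, True, cert="ab" * 20, template="tmpl-0000")}

OPERATOR_PIVOTS = ("cert", "email", "org")        # same key or identity -> same operator
CAMPAIGN_PIVOTS = OPERATOR_PIVOTS + ("template",)  # same kit -> same campaign
IMPERSONATION_PREFIXES = ("www-", "ww-", "https-", "http-")

def looks_like_impersonation(domain, brand=BRAND):
    """Name-only check: brand token in the registrable label, or a host/scheme
    prefix fused into it. Catches Cluster A, C and D names; misses Cluster B."""
    labels = domain.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return brand in sld or sld.startswith(IMPERSONATION_PREFIXES)

def cluster(records, pivots, ip_mode="origin-only"):
    """Union-find over domains sharing a pivot value. ip_mode: 'origin-only' skips
    CDN-fronted records (a shared edge is not shared infrastructure), 'always'
    trusts every IP, 'never' ignores IPs."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first domain that carried it
    for domain, r in records.items():
        keys = [(f, r[f]) for f in pivots if r.get(f)]
        if r["ip"] and (ip_mode == "always" or (ip_mode == "origin-only" and not r["cdn"])):
            keys.append(("ip", r["ip"]))
        for key in keys:
            if key in first_seen:
                parent[find(domain)] = find(first_seen[key])
            else:
                first_seen[key] = domain
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted((frozenset(g) for g in groups.values()), key=min)

def known_indicators(records, pivots=OPERATOR_PIVOTS):
    """Flatten confirmed campaign records into {(field, value): {domains}}."""
    known = defaultdict(set)
    for domain, r in records.items():
        for f in pivots:
            if r.get(f):
                known[(f, r[f])].add(domain)
    return dict(known)

def triage_new_domain(domain, r, known, brand=BRAND):
    """Newly registered domain: which confirmed indicators it reuses, and whether
    its name alone looks suspicious. Any indicator hit counts as campaign membership."""
    hits = sorted((f, v) for (f, v) in known if r.get(f) == v)
    return {"name_match": looks_like_impersonation(domain, brand),
            "indicator_hits": hits, "in_campaign": bool(hits)}

if __name__ == "__main__":
    everything = {**RECORDS, **BYSTANDER}
    print("operators:", [sorted(g) for g in cluster(everything, OPERATOR_PIVOTS)])
    print("campaign:", [sorted(g) for g in cluster(everything, CAMPAIGN_PIVOTS)])
    # Cluster B style name reusing the Cluster B mailbox: no brand in the name, WHOIS hit anyway
    print(triage_new_domain("quietlakeshop.shop", rec("203.0.113.9", False, email=EMAIL_B),
                            known_indicators(RECORDS)))
```

Run with `ip_mode="always"` and the bystander collapses into Cluster A purely because it shares the CDN edge, which is the over-linking the Cloudflare caveat warns about; with the default the four operator clusters stay separate, and the template pivot alone joins them into one campaign.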

Indicators of Compromise (IoCs)

Type | Indicator | Description
IP address | 38[.]246[.]249[.]74 | Top hosting IP, tied to 8 campaign domains
IP address | 154[.]39[.]81[.]213 | Hosting IP tied to 6 campaign domains
IP address | 148[.]178[.]16[.]48 | Hosting IP tied to 5 campaign domains
IP address | 154[.]86[.]0[.]33 | Shared campaign hosting IP
IP address | 104[.]225[.]235[.]49 | Shared campaign hosting IP
Email | [email protected] | Registrant email linked to 14 Cluster B .shop domains
Email | [email protected] | Registrant email linked to 3 Cluster C .cn domains
Registrant organization | 888 shi jie bei guan li you xian gong si | Cluster D fake registrant identity (888 World Cup Management Co Ltd)
Registrant contact | Bill John / Newark | Cluster B placeholder identity tied to 14 .shop domains
TLS certificate hash | 1b02595c66a13a4a5a523a76de25803bdb950623 | Shared across 3 campaign domains
TLS certificate hash | fc1db8def38bb08010bb8f8ac14d5e498ff8ff43 | Shared across 2 campaign domains
TLS certificate hash | 3b8bb7631b39f455d31544b55ba97b49ab1888c1 | Shared across 2 campaign domains
TLS certificate hash | fb0498ab592232747a4d90aa150ee4e0506869ca | Shared across 2 campaign domains
Domain | fifa-com[.]store | Cloudflare-flagged suspected phishing domain
Domain | fifa-com[.]site | Cloudflare-flagged suspected phishing domain
Domain | fifa-com[.]shop | Cloudflare-flagged suspected phishing domain
Domain | dustdigitalsw[.]shop | Cluster B domain originally registered July 2015, repurposed for World Cup fraud
Domain | https-fifa[.]cn | Cluster C .cn domain, registered March 28, 2026
Domain | ww-fifaweb[.]cn | Cluster C .cn domain, registered March 28, 2026
Domain | fifawebsite[.]cn | Cluster C .cn domain, registered March 28, 2026
Domain | www-fifaworldcup[.]one | Cluster D domain, registrant org: 888 World Cup Management Co Ltd
Domain | www-fifaworldcup[.]vip | Cluster D domain, registrant org: 888 World Cup Management Co Ltd
Domain | fifa-com[.]one | Cluster D domain, registrant org: 888 World Cup Management Co Ltd

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Exploit, phishing, Security, Threat
