As anticipation builds for the 2026 FIFA World Cup, cybercriminals are laying the groundwork for widespread scams. Since August 1 2025, more than 4,300 new domains referencing FIFA, the World Cup or host cities have been registered.
The bulk of these registrations appear to be coordinated, with similar naming conventions and DNS infrastructure, suggesting an organized effort rather than random fan activity. Nearly 1,500 domains were acquired in just five days between August 8 and 12, 2025, followed by another spike in early September.
Where the threat is coming from
The majority of these domains were registered through a handful of retail registrars—GoDaddy, Namecheap, Gname, Dynadot and Porkbun—known for their bulk‑automation capabilities and promotional pricing. Attackers are also employing a tactic known as domain aging: registering future‑tournament names (2030, 2034) years in advance to build legitimacy before activating them.
Targeting global and local audiences
The domains often reference host nations—United States, Mexico, Canada—and key cities such as Dallas, Miami, Toronto, Vancouver and Mexico City. These geographic cues boost search relevance and lend a veneer of authenticity to fraudulent sites that aim to trick travelers looking for official information.
"The sheer volume and speed of domain registration is alarming," said a cybersecurity analyst at TechWire. "It signals a well‑funded, organized operation targeting fans worldwide."