Security researchers have traced an unprecedented surge in domain registrations linked to the upcoming 2026 FIFA World Cup. The newly minted sites—often masquerading as legitimate ticketing portals or live‑stream platforms—are part of a broader cyber campaign aimed at harvesting credentials, distributing malware and siphoning financial data from unsuspecting fans.

How the attack unfolds

The attackers are registering deceptive domains up to eighteen months in advance, using host‑city names and FIFA branding to establish credibility. Once visitors click on what appear to be official ticketing sites, they may unwittingly download malicious payloads or provide personal information that can later be exploited.

Scale of the threat

Analysts at BeforeAI identified more than 498 suspicious domains containing keywords such as “fifa,” “worldcup,” and host‑city names. Registrations peaked in August 2025, with the bulk of these domains registered through top registrars such as GoDaddy.com and Namecheap and under low‑friction TLDs such as .online and .shop.

"These domains are distributed across top registrars including GoDaddy.com and Namecheap, as well as low-friction TLDs like .online and .shop," says security researcher Tushar Subhra Dutta.
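
The keyword and TLD indicators described above can be turned into a triage pass over a feed of newly registered domains. This is an added example, not BeforeAI's tooling; the host-city subset, the `fifa.com` allowlist, the scoring weights and the sample feed are assumptions constructed for illustration.

```python
import re

BRAND_KEYWORDS = ("fifa", "worldcup")        # keywords named in the article
HOST_CITIES = ("dallas", "miami", "toronto")  # assumed subset of host cities
LOW_FRICTION_TLDS = {"online", "shop"}       # TLDs named in the article
OFFICIAL_DOMAINS = {"fifa.com"}              # assumed allowlist

# Constructed sample feed of newly registered domains (not real indicators).
SAMPLE_FEED = [
    "example-fifa-tickets-dallas.online",
    "Example-World-Cup2026.shop.",
    "tickets.fifa.com",
    "example-bakery.shop",
    "example-miami-hotels.com",
]


def is_official(domain):
    """True for an allowlisted domain or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def score_domain(domain):
    """Return (score, reasons); a higher score means review it sooner."""
    domain = domain.strip().lower().rstrip(".")
    if is_official(domain):
        return 0, ["allowlisted"]
    labels = domain.split(".")
    # Drop hyphens and digits so "world-cup2026" still matches "worldcup".
    squashed = re.sub(r"[^a-z]", "", "".join(labels[:-1]))
    score, reasons = 0, []
    for kw in BRAND_KEYWORDS:
        if kw in squashed:
            score, reasons = score + 2, reasons + [f"brand:{kw}"]
    for city in HOST_CITIES:
        if city in squashed:
            score, reasons = score + 1, reasons + [f"city:{city}"]
    # A cheap TLD alone is not a signal; it only raises an existing match.
    if score and labels[-1] in LOW_FRICTION_TLDS:
        score, reasons = score + 1, reasons + [f"tld:.{labels[-1]}"]
    return score, reasons


def triage(feed, threshold=2):
    """Return (domain, score, reasons) for flagged domains, highest first."""
    hits = [(d.strip().lower().rstrip("."), *score_domain(d)) for d in feed]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED):
        print(score, domain, ",".join(reasons))
```

The allowlist compares on a full-label suffix, so a domain that merely contains `fifa.com` as a leading label is still scored rather than passed.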

What this means for fans

As interest in match schedules and ticket availability spikes, the risk of falling prey to phishing or malware attacks increases. Fans are urged to verify URLs carefully, use official FIFA channels, and keep security software up to date.