Hackers Register Domains to Target 2026 FIFA World Cup in Cyberattack

A concerning surge in malicious domain registrations designed to exploit the upcoming 2026 FIFA World Cup, with threat actors already positioning themselves more than a year before the tournament begins.

A comprehensive investigation by PreCrime Labs, the threat research division of BforeAI, has revealed that cybercriminals are systematically registering fraudulent domains to capitalize on the massive global interest surrounding the FIFA World Cup 2026.

The research, conducted in August 2025, analyzed 498 suspicious domains containing FIFA, football, and World Cup-related terminology, exposing a sophisticated pre-positioning strategy by malicious actors.

The findings emerged from observations during the FIFA Club World Cup 2025 held in the United States, which served as a preview of the cyber threats expected during the larger 2026 World Cup tournament.

This upcoming event, scheduled to be hosted across the United States, Canada, and Mexico, represents an unprecedented target for cybercriminals due to its massive scale and global audience.

The research revealed a disturbing trend: threat actors are registering domains well in advance of major sporting events, allowing these malicious websites to “age” and appear more legitimate by the time they launch their attacks.

Some domains have already been registered for FIFA tournaments scheduled as far out as 2030 and 2034, demonstrating the long-term planning involved in these criminal enterprises.

Scale of the Threat Infrastructure

The investigation uncovered several alarming patterns in domain registration activity. A significant spike occurred between August 8-12, 2025, when approximately 299 domains were registered in just five days.

The most popular registrars facilitating these registrations included GoDaddy.com LLC, Namecheap Inc., Gname.com Pte. Ltd., Dynadot Inc., and Wix.

Domain analysis revealed specific targeting strategies, with 173 domains containing “FIFA,” 212 incorporating “football,” and 129 using “worldcup” terminology.

Particularly concerning is the geographic targeting, with 23 domains specifically referencing host cities including Dallas, Atlanta, Kansas City, Philadelphia, and Texas.

The research identified multiple threat categories that fans and businesses should be aware of. Merchandise fraud represents the largest category, with 56 domains designed to sell counterfeit World Cup merchandise such as jerseys, scarves, and other fan gear.

These fake storefronts typically collect payment without delivering goods or provide low-quality counterfeit items.

Illegal streaming services constitute another major threat vector, with 55 domains promising free or “official” access to World Cup matches.

These platforms often serve as delivery mechanisms for malware, credential theft, or subscription scams targeting unsuspecting fans seeking to watch games online.

The gambling sector shows significant exploitation, with 32 domains incorporating betting, slot, or casino terminology. One of the websites uses the common “generator scam” format often seen in gaming cheats, free currency, or airdrops. 

These sites often operate without proper licensing and frequently serve as fronts for financial fraud or money laundering operations.

Technical Infrastructure and Evasion Tactics

The domain analysis revealed sophisticated evasion techniques employed by threat actors. The majority of malicious domains use .com extensions (58.9%), followed by .online (7.1%) and .football (4.7%), with attackers deliberately choosing a mix of legitimate-appearing and low-cost disposable domain extensions to avoid detection.

Typosquatting represents a particularly insidious tactic, with domains like “fifaworldcupstadiucom” (missing the “m”) and “fifaclubwccom” (missing the dot) designed to capture users who make typing errors when searching for official FIFA content.

These domains can redirect visitors to malicious sites or collect personal information through fake login pages.

The research uncovered evidence of sophisticated targeting strategies tailored to specific regions and languages.

Multiple domains feature Chinese-language content and Pinyin-style constructions, indicating targeted campaigns toward Chinese-speaking audiences.

Additionally, Spanish-language domains align with Mexico’s role as a host country, suggesting attackers are customizing their approaches based on the tournament’s international scope.

Perhaps most concerning is the discovery of domains registered for tournaments years in the future, with 41 domains specifically mentioning 2026, 10 referencing 2030, and one targeting 2034.

This long-term approach allows cybercriminals to establish seemingly legitimate web presence over time, making their eventual malicious activities more difficult to detect and more likely to succeed.

The cryptocurrency angle adds another layer of complexity, with several domains promoting fake “FIFA coin” initial coin offerings (ICOs) and staking opportunities.

These schemes typically display fabricated statistics showing millions in staked funds and hundreds of thousands of participating wallets to create false legitimacy.

Defensive Recommendations

Security experts recommend that FIFA, official sponsors, and host cities implement proactive domain monitoring systems to track suspicious registrations using event-related keywords.

Defensive domain registration across known malicious top-level domains could help prevent brand abuse and protect fans from fraud.

Fans are advised to only purchase tickets through official FIFA channels and verified partners, avoid unofficial streaming platforms, and be extremely cautious of unsolicited messages or advertisements related to the World Cup.

The combination of brand recognition, emotional investment, and limited availability makes FIFA World Cup-related scams particularly effective and financially damaging.

As the 2026 World Cup approaches, this early intelligence serves as a crucial warning that the cybersecurity landscape surrounding major sporting events continues to evolve, requiring unprecedented vigilance from organizers, sponsors, and fans alike.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.