Graphic showing fake FIFA World Cup domains used in cyberattacks targeting fans and organizations

Security researchers have detected a sharp rise in suspicious domain registrations linked to the 2026 FIFA World Cup. Cybercriminals are creating fake ticketing, merchandise, and streaming sites to steal credentials, spread malware, and capture financial data.

Graphic showing fake FIFA World Cup domains used in cyberattacks targeting fans and organizationsGraphic showing fake FIFA World Cup domains used in cyberattacks targeting fans and organizations

These deceptive domains, registered up to 18 months in advance, often reuse aged domains from past events to avoid detection. Over 498 suspicious domains containing keywords like “fifa” and “worldcup” were identified, spread across popular registrars and low-barrier TLDs.

Graphic showing fake FIFA World Cup domains used in cyberattacks targeting fans and organizationsGraphic showing fake FIFA World Cup domains used in cyberattacks targeting fans and organizations

The attack involves malicious JavaScript on compromised sites that selectively delivers polymorphic malware loaders, which persist via Windows Registry entries and use in-memory techniques to evade detection. Command-and-control traffic mimics legitimate HTTPS, with fallback DNS tunnels for data exfiltration.

This sophisticated campaign highlights the growing cyber threats targeting major global events. Ongoing monitoring and domain blacklisting are essential to protect fans and organizations ahead of the tournament.


NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security