02 September 2025

Cybercriminals Target 2026 FIFA World Cup With Sophisticated Scams

Researchers reveal hundreds of malicious domains exploiting World Cup fervor, with advanced tactics targeting fans, businesses, and host cities worldwide.

As anticipation for the 2026 FIFA World Cup builds across the globe, cybersecurity experts are raising urgent alarms about a parallel—and far more sinister—game playing out online. In a series of coordinated investigations released in September 2025, researchers at PreCrime Labs, the threat research division of BforeAI, have uncovered an unprecedented surge in malicious domain registrations designed to exploit the fervor surrounding the world’s most-watched sporting event.

The findings are as staggering as they are sobering: 498 suspicious domains containing FIFA, football, and World Cup-related brand terms have been identified, with attackers employing sophisticated, long-term strategies to evade detection and maximize their illicit gains. According to BforeAI’s analysts, these cybercriminals aren’t just targeting the 2026 tournament. Domains have already been registered for future FIFA events in 2030 and 2034, revealing a level of planning and patience that’s rare even in the ever-evolving world of cybercrime.

The scale of the threat became particularly evident during a five-day window in August 2025, when approximately 299 domains were registered in rapid succession. "The majority of these domains are not just random; they are meticulously crafted to appear legitimate and exploit the trust and excitement of millions of fans," explained a PreCrime Labs spokesperson, as reported by CyberPress and GBHackers.

So, what exactly are these domains up to? The answer, according to multiple sources including BforeAI and GBHackers, is a dizzying array of fraud and deception. Of the 498 domains analyzed, 56 masquerade as merchandise stores peddling counterfeit World Cup jerseys, scarves, and memorabilia. Buyers lured in by the promise of official gear often receive nothing—or worse, hand over their credit card details to criminals. Another 55 domains pose as streaming platforms, offering free or “official” access to World Cup matches. These sites frequently serve as delivery mechanisms for malware, credential theft, or subscription scams, preying on fans desperate not to miss a minute of the action.

Gambling isn’t off-limits either. At least 32 domains are dedicated to betting, slot, or casino operations, many operating in regulatory gray areas or without any licensing at all. Some even mimic the “generator scam” format familiar to gamers, promising free currency or airdrops—often as a front for financial fraud or money laundering.

The technical sophistication of these operations is striking. Attackers are leveraging domain aging, registering sites up to two years in advance so that, by the time the World Cup arrives, these domains appear trustworthy to both fans and security systems. As CyberPress notes, “Domain analysis revealed specific targeting strategies, with 173 domains containing ‘FIFA,’ 212 incorporating ‘football,’ and 129 using ‘worldcup’ terminology.”

It’s not just about English-speaking fans, either. Multilingual threats are rampant, with Mandarin Chinese-language sites targeting Asian audiences with fake streaming services and cryptocurrency scams. Spanish-language domains are also prevalent, aligning with Mexico’s role as a host country. One particularly audacious site promoted a fraudulent “FIFA coin” initial coin offering (ICO), brazenly displaying fabricated statistics that claimed $18 million had been staked across 421,000 wallets.

Typosquatting—the practice of registering domains that closely resemble official sites but contain subtle errors—remains a favored tactic. Domains like “fifaworldcupstadiucom” (missing the ‘m’) and “fifaclubwccom” (missing the dot) are designed to capture mistyped traffic and redirect users to malicious sites or fake login pages. Others, such as “fifaworldcup-login.com” and “fifaworldcup-register.com,” are set up to harvest user credentials directly.

But the threat doesn’t end there. As detailed by BforeAI, attackers have begun employing advanced malware delivery methods. Victims who enter personal details on these fraudulent sites may find themselves redirected to servers hosting trojan droppers capable of evading even the most up-to-date signature-based detection. These payloads use polymorphic loaders—malware that changes its decryption routines with every execution, making static analysis and detection a nightmare for security teams. Once executed, the malware writes a small loader to the Windows Registry to achieve persistence, downloads additional encrypted modules, and injects them into legitimate processes such as svchost.exe. By using reflective DLL injection, the malware avoids leaving traces on disk, significantly reducing its forensic footprint.

What’s perhaps most alarming is the attackers’ ability to blend in. Many of these domains are registered through reputable companies like GoDaddy, Namecheap, and Gname, with .com extensions comprising nearly 59% of registrations. The prevalence of low-cost top-level domains such as .online, .xyz, and .shop further indicates a disposable infrastructure approach, allowing criminals to maximize reach while minimizing investment. In some cases, aged domains previously registered for other sporting events are repurposed, complicating attribution and takedown efforts even more.

Geographic targeting is another key facet of these campaigns. At least 23 domains specifically reference U.S. host cities—Dallas, Atlanta, Kansas City, and Philadelphia, to name a few—with examples like “fifawcdallas.com” and “kansascityunitycup2026.com” aiming to ensnare local fans and travelers. Attackers have even set up fake business directories targeting electric vehicle charging stations for World Cup visitors, and launched influence operations disguised as social activism, criticizing FIFA’s volunteer programs.

Security experts are unequivocal in their recommendations. Proactive monitoring of event-specific keywords—especially those combining city names with tournament years—is essential. Organizations should implement pattern-based domain detection systems and ramp up user education about official FIFA channels. As the 2026 World Cup approaches, experts warn that intensified registration waves and increasingly sophisticated social engineering attacks are all but guaranteed.
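
The pattern-based detection recommended above can be sketched as a keyword scorer for newly observed domain names. This is an added example, not code from BforeAI or the cited reports; the weights, the review threshold, the allowlist and the sample domains marked as constructed are assumptions.

```python
import re

# Keywords, cities, years, lure words and TLDs are the ones the article names.
BRAND_TERMS = ("fifa", "worldcup", "football")
HOST_CITIES = ("dallas", "atlanta", "kansascity", "philadelphia")
EVENT_YEARS = ("2026", "2030", "2034")
LURE_WORDS = ("login", "register")
LOW_COST_TLDS = ("online", "xyz", "shop")
# Assumption: minimal allowlist; a deployment would load its own verified list.
OFFICIAL = ("fifa.com",)

def score_domain(domain):
    """Return (score, reasons) for one domain; weights are illustrative assumptions."""
    d = domain.lower().strip(".")
    if d in OFFICIAL or d.endswith(tuple("." + o for o in OFFICIAL)):
        return 0, []
    name, dot, tld = d.rpartition(".")
    if not dot:  # string with no dot at all: treat everything as the name
        name, tld = d, ""
    flat = re.sub(r"[^a-z0-9]", "", name)  # "kansas-city" and "kansascity" match alike
    brand = any(t in flat for t in BRAND_TERMS)
    city = any(c in flat for c in HOST_CITIES)
    year = any(y in flat for y in EVENT_YEARS)
    lure = any(w in flat for w in LURE_WORDS)
    hits = []
    if brand:
        hits.append(("brand-term", 2))
    if city and (year or brand):  # a city name alone is too common to flag
        hits.append(("city+event", 2))
    if brand and lure:
        hits.append(("credential-lure", 2))
    if brand and tld in LOW_COST_TLDS:
        hits.append(("low-cost-tld", 1))
    return sum(w for _, w in hits), [r for r, _ in hits]

def triage(domains, threshold=2):
    """Domains at or above the (assumed) review threshold, highest score first."""
    scored = [(d, *score_domain(d)) for d in domains]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

# First four are quoted in the article; the last three are constructed for this example.
SAMPLE = ["fifawcdallas.com", "kansascityunitycup2026.com", "fifaworldcup-login.com",
          "fifaworldcup-register.com", "worldcup-stream.xyz", "example-bakery.test",
          "www.fifa.com"]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE):
        print(f"{score}  {domain:32} {', '.join(reasons)}")
```

A bare keyword such as `football` also matches legitimate sites, so the output is a review queue to be checked against registration date and hosting data, not a blocklist.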

For fans, the advice is clear: always purchase tickets and merchandise through official FIFA channels and verified partners, avoid unofficial streaming platforms, and treat unsolicited messages related to the World Cup with extreme caution. The combination of brand recognition, emotional investment, and limited availability makes FIFA World Cup-related scams particularly effective—and potentially devastating.

With the world’s eyes turning toward North America for the 2026 FIFA World Cup, the digital battlefield is already heating up. The early warning signs are clear: vigilance, education, and proactive defense will be crucial to ensuring that the excitement of the beautiful game isn’t overshadowed by the dark arts of cybercrime.