Get Your Free Report
Start for Free
SOCRadar® Cyber Intelligence Inc. | FIFA World Cup 2026 Fraud Campaigns
Jul 17, 2026
52 Mins Read
Moon

FIFA World Cup 2026 Fraud Campaigns

Between April and July 2026, the SOCRadar Threat Research Unit (STRU) tracked the fraud ecosystem built around the FIFA World Cup 2026 spanning counterfeit merchandise stores, FIFA portal impersonation, and ticketing/betting infrastructure. Rather than peaking during the tournament’s biggest matches, fraud activity peaked before kickoff, as operators activated infrastructure that had been prepared weeks in advance. Seventy-nine percent of the domains observed at the peak had been registered within the previous 30 days, demonstrating that threat actors pre-positioned infrastructure during May before launching campaigns at the tournament’s opening.

Executive Summary

Our central measurement is a continuous daily view of World Cup-related domain activity between 1 June and 16 July 2026. It shows that the abuse was front-loaded around the tournament’s opening rather than distributed across individual matches, and that it faded throughout the competition rather than intensifying with it. Activity roughly doubled in the run-up to the 11 June opening, then declined without recovering, falling below its own baseline during the knockout rounds (0.8× at the quarterfinals and 0.6× at the semifinals). The most-watched matches attracted the least fraudulent infrastructure.

Critically, 79% of the domains observed at the peak had been registered within the preceding 30 days. The infrastructure was quietly pre-registered during May and activated when the tournament began, rather than being deployed match by match. This refines pre-tournament forecasts that anticipated a threat peak spread across the June to July match window.

Beneath that single curve, the campaigns share neither actor, platform, nor business model. Counterfeit storefronts registered and abandoned infrastructure within five days. The portal impersonation cluster, consistent with the GHOST STADIUM phishing-kit lineage, but differing in tracking infrastructure and session architecture, pre-positioned its infrastructure two months in advance and is tracked here across 850+ domains (compared to the 300+ previously reported), with two kit generations whose sequence and rationale are documented through the developer’s own code comments.

The ticketing and betting network neither builds nor abandons infrastructure. Instead, it rotates daily, relying on expired domains repurchased on the open market, rather than compromised servers, to leverage their retained search engine authority.

Across the merchandise cluster, we further demonstrate country-segmented targeting, evidenced by dedicated per-country domains and in-site navigation (United States, Mexico, Argentina), providing stronger victimology evidence than kit language alone.

Volumetric analysis counts submissions whose domains match a curated set of World Cup-related terms (fifa, worldcup, mundial, wc26, fifa26, fifa-26, copa2026, and related variants), while excluding the legitimate fifa.com infrastructure. The daily value represents the number of observed scans and is treated as a relative activity signal. Campaign-level analysis relies on historical scans, DOM content, in-page JavaScript, request trees, response bodies, resource hashes, and screenshots, all of which remain available after a domain goes offline, allowing kit reconstruction even after the infrastructure has disappeared.

Key Points

  • The fraud landscape is front-loaded around the tournament’s opening and steadily declines throughout the competition. Activity roughly doubled before the 11 June opening, then declined without recovering, reaching 0.8× the baseline during the quarterfinals and 0.6× during the semifinals. The tournament’s climax attracted the least fraudulent infrastructure.
  • 79% of the domains observed at the peak were less than 30 days old (987 out of 1,257 on 8 June), having been pre-registered during May and activated at the tournament’s opening.
  • The signal is independent of platform noise. A neutral control term remained flat at the platform’s result ceiling throughout the observation period, ruling out scanning cadence as the cause.
  • Several campaigns operated simultaneously despite having incompatible business models. Merchandise campaigns burn infrastructure within five days and steal payment card data, portal impersonation campaigns pre-position infrastructure for two months and steal credentials, while ticketing and betting campaigns follow a different operational model.
  • The impersonation cluster is consistent with the GHOST STADIUM lineage, tracked here across 850+ domains (compared to the 300+ previously reported), with two kit generations whose evolution is documented through the operator’s own code comments, including a bug fix and an OPSEC migration.
  • The betting network relies on expired domains rather than compromised ones. Entry points are ordinary businesses whose domains expired and were repurchased for their retained SEO authority, creating a supply chain that is legal, frictionless, and largely beyond the reach of technical controls.
  • Country-segmented targeting is evidenced by dedicated per-country domains and in-site navigation, rather than being inferred solely from the kit’s language.
  • Three of the most striking correlations uncovered during this investigation turned out to be false. A shared Telegram bot token, an identical registrant identifier, and a common template all proved to be artifacts of shared infrastructure. In an ecosystem this noisy, the important question is which of those similarities required deliberate action by the operator, rather than what the domains have in common.

World Cup Fraud Campaigns Timeline

World Cup-related domain activity did not intensify as the tournament progressed. Instead, it steadily declined throughout the competition. During the observation period, spanning from before the tournament (1 June) through 16 July 2026, after the semifinals, activity peaked around the tournament’s opening and then declined consistently, falling below its own baseline during the knockout stage. These figures were derived by tracking campaigns that shared similar patterns across the campaigns analyzed by STRU. Consequently, the actual scale of activity is significantly greater than the numbers presented here.

Using a tournament baseline of approximately 564 scans per day, activity nearly doubled during a sustained period between 7 and 13 June, reaching local peaks on 8 June (1,257) and 12 June (1,254). These dates immediately preceded the opening match and followed the first tournament weekend, coinciding with the highest levels of infrastructure deployment observed during late May and early June. From mid-June onward, the curve declined without recovering. The Round of 32 and Round of 16 averaged 1.2× the baseline, the quarterfinals 0.8×, and the semifinals 0.6×. In relative terms, the pre-tournament period (1 to 10 June) accounted for 31.3% of all observed activity in just ten days, averaging 1.8× the baseline, compared to 1.3× during the seventeen-day group stage, with activity falling below the baseline thereafter.

The increase is modest in absolute terms. However, two characteristics distinguish it as a meaningful signal rather than ordinary fluctuation.

On 8 June, 987 of the 1,257 observed domains (79%) had been registered within the previous 30 days. This represents pre-positioned infrastructure being activated, rather than renewed scanning of existing infrastructure. Registrations cluster in May, while activations coincide with the start of the tournament. The delay between domain acquisition and activation is deliberate.

Figure 1. World Cup 2026 fraud infrastructure activity by tournament phase, relative to the 564 scans/day baseline. The final is projected. FIFA World Cup 2026

Figure 1. World Cup 2026 fraud infrastructure activity by tournament phase, relative to the 564 scans/day baseline. The final is projected.

The operational implication for defenders is specific and counterintuitive. For event-driven fraud such as World Cup campaigns, the critical monitoring window is the period before the tournament begins, when pre-registered infrastructure is activated en masse, rather than during the tournament itself, and certainly not during its peak matches. Each campaign discussed in the following sections is positioned along this curve, illustrating which theme contributed to each stage of the activity. Nevertheless, monitoring throughout the entire tournament made it possible to identify new kit versions and infrastructure rotations carried out by the threat actors.

Parallel Campaigns

The graph presented above allows us to place the activity of multiple threat actors within the World Cup ecosystem. However, it does not reveal which campaigns were the most prevalent or how they operated. Beneath this single activity wave coexist operations that share neither actor, infrastructure, nor business model. Instead, they represent multiple parallel campaigns exploiting the same event calendar in different ways and pursuing different objectives.

Each campaign emerged opportunistically at a different stage of the tournament. Some appeared weeks before the opening match, while others remained active throughout much of the competition. Understanding when and how each campaign operated provides the context necessary to identify its attack window, examine how the adversaries behaved, determine how long they maintained their operations using the same modus operandi and infrastructure, and understand the objectives pursued by each threat actor.

Fraudulent Merchandise Sales

Figure 2. Attack window of the fraudulent merchandise campaigns: infrastructure concentrated before the opening match, with residual domains persisting into the tournament.

Figure 2. Attack window of the fraudulent merchandise campaigns: infrastructure concentrated before the opening match, with residual domains persisting into the tournament.

The first campaign consists of fraudulent storefronts impersonating FIFA’s official store (store.fifa.com) to sell counterfeit FIFA World Cup 2026 jerseys and merchandise that are never delivered, while simultaneously harvesting victims’ personal and payment card information.

Unlike the other campaigns analyzed, this is not a single operation. Under the same theme, we identified more than four independent groups, each with its own technical platform, distinct set of artifacts, and separate geographic strategy. Their activity is concentrated in the period leading up to the opening match and during the tournament’s first week, coinciding with the ascending phase and the peak of the activity curve described in the previous section. Some of these campaigns have remained partially active, or their portals are still accessible, although the payment functionality is no longer operational.

Figure 3. Fraudulent storefront cloning FIFA's official store, localized in French for the 2026worldcup.fr deployment.

Figure 3. Fraudulent storefront cloning FIFA’s official store, localized in French for the 2026worldcup.fr deployment.

Initial Information

One of these campaigns serves as a documented example of the pre-positioning and activation at the tournament’s opening pattern that characterizes the entire activity wave. The lifecycle of 2026worldcup.fr was reconstructed by correlating registration records, certificate data, on-site artifacts, and observation telemetry:

Time Evidence Source
2 Jun 2026, 02:40 UTC Domain registration WHOIS (created)
3 Jun 2026 TLS certificate issued (3-month validity) Certificate (WE1 / Google Trust Services)
4 Jun 2026, 07:31 UTC World Cup content uploaded dateModified in the DOM
4 Jun 2026, 08:58 UTC First public observation urlscan.io (API submission)
7 Jun 2026, 02:42 UTC Domain blocked by the .fr registry WHOIS (last-update, status: BLOCKED)

The operational lifespan of this campaign is less than one week per domain. This lifecycle mechanically explains why the aggregate activity curve does not persist throughout the tournament. The infrastructure is not designed for longevity. Domains are registered, activated, exploited over a period of a few days, and then either abandoned or taken down. The site’s entire content resides under /wp-content/uploads/2026/06/, indicating that it was uploaded in bulk during June onto an infrastructure prepared in advance. This campaign belongs to the 79% of domains registered within the previous 30 days that make up the activity peak observed between 6 and 10 June.

Modus Operandi

The core group is built on WordPress 6.8.3 with WooCommerce 10.2.1 and the commercial Sober theme, complemented by Elementor 3.32.2, Slider Revolution 6.7.34, Contact Form 7, Mailchimp for WP, and the sober-addons and wcboost-* modules (wishlist, comparison, and variant selectors). There is no custom development. Instead, this is a standard e-commerce deployment assembled from commercial components with injected content. Other campaigns, however, operate on Shopify (xajes1-55.myshopify.com), confirming that they neither share the same kit nor the same operator.

Figure 4. Checkout flow on a Shopify-based storefront localized for Japanese visitors, presenting a functional payment card form.

Figure 4. Checkout flow on a Shopify-based storefront localized for Japanese visitors, presenting a functional payment card form.

The site’s primary visual asset is a resource taken directly from FIFA’s official store and re-hosted on the attacker’s server. Its filename preserves the original CDN naming convention, including the UUID identifier and dimensions, demonstrating that the asset was copied in bulk rather than recreated. The result is a replica of FIFA’s official visual identity with no connection to the legitimate FIFA infrastructure.

In many cases, the impersonation extends to the site’s declared name, which presents itself as the official store.

Figure 5. Fake storefront presenting itself as the official store, including a fabricated fifa.com contact address.

Figure 5. Fake storefront presenting itself as the official store, including a fabricated fifa.com contact address.

The product catalog consists of images uploaded in bulk using aggregator-style identifiers. The available products replicate the structure of the official store, including national team jerseys, host city caps, mascot footballs, posters, and host city magnets.

The operators apply price-based social engineering, where discounts are consistently moderate, ranging between 22% and 30%, and never exceeding that threshold:

€100.00 → €70.00      €55.00 → €41.95      €35.00 → €26.95
€80.00  → €60.00      €42.00 → €31.95      €28.00 → €21.00
€20.00  → €15.00      €18.00 → €13.95      €12.00 → €9.00

This is a deliberate and somewhat counterintuitive decision. Aggressive discounts tend to raise suspicion, whereas a 30% discount appears plausible within the context of a promotional campaign. This strategy is reinforced through conventional trust signals such as “Free Returns” and “Free Shipping”, along with “New” product labels. In some cases, an additional “shipping protection” product is added as an extra charge, a practice commonly seen in dropshipping operations.

The checkout flow remains native to the underlying platform, with no external redirects. In general, the DOM of the primary campaign contains no references to third-party payment gateways or external domains. During the analysis of the live site, the purchase flow was followed through to the payment stage, where a fully functional shopping cart and payment card form were presented. In other campaigns, the checkout process ultimately redirects users to a legitimate e-commerce payment gateway supporting card payments (Visa, Mastercard, American Express, and five additional brands), as well as accelerated wallet-based payment methods, all presented under the standard encrypted transaction message.

Other noteworthy artifacts found across these campaigns include resource filenames written in Portuguese (Favicon_Preto.png, Copia_de_LOGOS_7…, holanda.jpg), while the storefront itself is served in French, English, or Japanese depending on the visitor. The operator’s working language and the victim’s language do not match. In addition, the same section reveals evidence of AI-generated content, where the default generated filename was left untouched, including the original generation timestamp (30 June 2026, 14:05:12).

Figure 6. Portuguese-named resource (Favicon_Preto.png) served by a storefront operating in other languages, revealing the operator's working language.

Figure 6. Portuguese-named resource (Favicon_Preto.png) served by a storefront operating in other languages, revealing the operator’s working language.

Furthermore, the primary campaign deployment retains the unmodified social media links from the commercial theme’s demo content, still pointing to the theme author’s social media profiles. One of these links even references a social network that was discontinued in 2019. The operator deployed the storefront without reviewing the footer, behavior consistent with a mass-production model and a short infrastructure lifecycle in which deployment quality is far less important than speed.

Volume and Patterns

Pre-tournament estimates focused on large numbers of domains containing World Cup-related keywords. Our approach is the opposite. Instead of counting lexical matches, we isolate clusters linked through verifiable shared artifacts. The result is a much smaller dataset with significantly higher confidence, demonstrating that fraudulent merchandise consists of multiple independent campaigns running in parallel rather than a single operation, as discussed previously.

Group A: WordPress / WooCommerce

The primary cluster analyzed, consisting of highly similar campaigns sharing the same cloned storefront.

www.2026worldcup.fr
www.usaworldcup2026shop.com
www.argentinaworldcup2026shop.com
www.mexicoworldcup2026shop.com
...

Four domains that are effectively identical apart from the domain name itself, linked through shared content and the graphical resource copied from the official FIFA store and re-hosted in each deployment (discussed later in the pivoting section). They follow the naming convention {country}worldcup2026shop.com, with 2026worldcup.fr serving as the localized variant. Their scanning profile is highly consistent: approximately 4 MB, around 130 requests, 4 to 5 IP addresses, and 2 autonomous systems. All are hosted behind Cloudflare (AS13335).

Other Groups

  • Group B: Shopify

Figure 7. Group B storefront (worlcupfifashop.com) built on Shopify, selling counterfeit World Cup jerseys.

Figure 7. Group B storefront (worlcupfifashop.com) built on Shopify, selling counterfeit World Cup jerseys.

worlcupfifashop.com   (typosquat: missing the "d" in "world")
aurevia-eu.store      (observed redirection destination)
...
  • Group C: Latin America-focused
fifa-uruguay.shop
fifa-mexico.shop
fifa-bolivia.shop
...
  • Group D: Similar patterns, different appearance

Figure 8. Group D storefront (shopworldcupatl.com) following similar patterns with a different appearance.

Figure 8. Group D storefront (shopworldcupatl.com) following similar patterns with a different appearance.

shopworldcupatl.com
trivelaprime.shop
skiesticket.com
...

The fraudulent merchandise campaign encapsulates the behavior that defines the broader World Cup fraud landscape. Its economic unit is the deployment built on top of the domain, rather than the domain itself: a standard e-commerce installation assembled from off-the-shelf components without custom development, deployed on a domain registered only days earlier and secured with a short-lived free TLS certificate. The barrier to entry is extremely low, which explains why the aggregate activity curve does not persist throughout the tournament.

During the investigation of this campaign type, at least four distinct clusters were identified that share neither platform, artifacts, operational language, nor market strategy. These are multiple independent operators exploiting the same event calendar, rather than a single operation with multiple branches.

Victim segmentation further reinforces this conclusion. Each cluster solves the same problem using a different design decision. Some use dedicated domains for individual national teams, others automatically adapt content based on the visitor’s geolocation, while others rely on country-specific naming conventions. In the cluster analyzed in greatest depth, fan segmentation is embedded directly into the site’s navigation, with dedicated sections for each national team within a storefront localized into a single language.

FIFA Official Portal Impersonation

Figure 9. Attack window of the FIFA portal impersonation campaign: domains registered two months before the opening match and active throughout the tournament.

Figure 9. Attack window of the FIFA portal impersonation campaign: domains registered two months before the opening match and active throughout the tournament.

The second campaign abandons the improvised storefront model and instead targets the source directly by cloning FIFA’s official portal. Rather than merely imitating its visual style, it reproduces the site page by page and overlays it with its own account system, requiring victims to register before purchasing tickets, exactly like the legitimate FIFA ID platform. As a result, the user experience closely matches what visitors expect from the genuine portal.

The cluster is consistent with the GHOST STADIUM lineage documented in May 2026. It shares the use of Layui and Meta Pixel tracking, but diverges in its tracking infrastructure, registrars, and session architecture. The campaign has evolved over time, with two generations of the same kit appearing five weeks apart. Their sequence and motivation are documented by the developer’s own code comments.

Figure 10. Cloned FIFA portal reproducing the official website page by page, including the hospitality promotion overlay.

Figure 10. Cloned FIFA portal reproducing the official website page by page, including the hospitality promotion overlay.

Unlike the merchandise campaign, where domains were registered and burned out within days, this one is launched two months before the tournament and remains available throughout the entire World Cup in its various forms.

Initial Information

Among the various campaigns identified under this theme, two key findings stand out, representing two successive generations of the same kit:

Field fifa-com.food (v1) fifa-gs.com (v2)
Registration 2026-04-08 09:16 UTC 2026-05-13 09:13 UTC
Registrar Gname.com Pte. Ltd. (Singapore) NameSilo, LLC (United States)
Registrant China, all registrant fields contain the hash ddb75a553547a419 United States, PrivacyGuardian.org proxy (Phoenix, AZ)
DNS Cloudflare (indie/sean) Cloudflare (nadia/wesley)
Last Updated 2026-06-02 2026-06-08
Expiration 2027-04-08 2027-05-13
Status Taken down Active

The fifa-com.food domain, along with the domains identified through pivoting, was registered in April, two months before the opening match. In contrast to the five-day lifecycle observed in the merchandise campaign, this infrastructure was designed for persistence. Both operational models coexist within the same activity wave. The latest update dates, which consistently fall in June, align precisely with the rising edge and peak of the activity curve described in the first section. Infrastructure from both campaigns reaches operational readiness when public attention is at its highest.

Between v1 and v2, the operator migrated from a Singapore-based registrar with a registrant declared in China to a US-based registrar protected by a commercial privacy proxy. The WHOIS record of v1 is itself an indicator, every registrant field contains the same hash (ddb75a553547a419), creating a pivotable artifact across domains registered through the same provider, a point revisited in the pivoting section.

Modus Operandi

The kit’s architecture is not a manual recreation of the original website. Instead, it maintains a strict structural relationship with it by automatically mirroring fifa.com. The evidence is visible in the filenames themselves, where the original URL query string has been flattened directly into the filename:

Original (fifa.com):
  /tickets_shop?p=fifaplus&c=webheader-fwc2026&sc=morefifa&ssc=ticketing&da=04052023&l=en

Mirror (fifa-gs.com):
  /tickets_shop-p_fifaplus_c_webheader-fwc2026_sc_morefifa_ssc_ticketing_da_04052023_l_en.html

The same behavior is observed in graphical assets:

v1: hub.fifa.com/transform/efbff237-.../FWC26_PA2_Article_Hero_Slider?&io=transform:fill,aspectratio:1x1

v2: static/picture/FWC26_PA2_Article_Hero_Slider-transformfillaspectratio1x1width1536_75

This is a clear indicator of automated website mirroring using tools such as wget –mirror or HTTrack. The developer explicitly confirms the deployment scale in a code comment:

/**
 * 兼容:所有页面 header 里都有 <div id="my-account"><div id="login-label">...</div></div>
 *      不动现有 200+ 个 HTML 文件,所有逻辑在这里完成。
 * No changes to the existing 200+ HTML files. All logic is handled here.
 */

The comment explicitly states that the deployment consists of more than two hundred static HTML files. It also explains the architectural decision behind v2. Since the mirrored website is entirely static, dynamic functionality cannot reside within the HTML itself and is therefore injected globally through JavaScript.

Another artifact reveals the operator’s workflow. Both kit generations still contain content inherited from the previous tournament:

Hospitality at Al Bayt Stadium on December 18, 2021

Al Bayt is a Qatar 2022 stadium. An otherwise highly polished clone still contains an event from four years earlier, mirrored without review.

Differences Between Kit Generations

Version 1 does not host the content locally. Instead, it retrieves it live from FIFA’s infrastructure. The DOM of fifa-com.food references 95 resources hosted on digitalhub.fifa.com and performs 84 requests to api.fifa.com, including legitimate data endpoints:

Figure 11. Version 1 hotlinking national team flags directly from FIFA's legitimate api.fifa.com infrastructure.

Figure 11. Version 1 hotlinking national team flags directly from FIFA’s legitimate api.fifa.com infrastructure.

/api/v3/picture/flags-sq-1/ARG
/api/v3/picture/flags-sq-1/BRA
/api/v3/picture/flags-sq-1/MEX

This is one of the reasons why the lure is visually indistinguishable from the legitimate website. Flags, schedules, and headlines are fetched directly from FIFA at the moment the victim visits the page. Version 2 removes this dependency entirely by serving a locally hosted copy from /static/.

The kit implements a complete session management system, preventing users from viewing the shopping cart unless they have an account.

Figure 12. Mandatory login verification redirecting unauthenticated visitors to the registration page before accessing the cart.

Figure 12. Mandatory login verification redirecting unauthenticated visitors to the registration page before accessing the cart.

Victims attempting to purchase tickets are redirected to the registration page. The complete victim workflow is as follows:

tickets_shop1.html
    > choose-matches-{City}.html
    > [add to cart]
    > authorize.html?redirect=/cart
    > /api/login
    > /cart
    > /api/get_cart

The credential harvesting form reproduces the legitimate SSO authorization path:

Figure 13. Credential harvesting form replicating the legitimate FIFA ID sign-in experience.

Figure 13. Credential harvesting form replicating the legitimate FIFA ID sign-in experience.

The FIFA account system implemented in v1 even accepts arbitrary credentials that have no relationship with legitimate FIFA accounts or existing registrations.

Figure 14. Account area presented to victims after registration on the cloned portal.

Figure 14. Account area presented to victims after registration on the cloned portal.

The login form contains a hidden /as/authorize field that replicates the authorization endpoint used by PingFederate, the identity provider behind FIFA’s legitimate SSO platform. The impersonation extends down to the internal authorization path of the genuine identity provider.

Credential transmission is explicit:

// 登录表单提交
$(document).on('submit', '#frmLogin', function(e) {
  e.preventDefault();
  var accountVal  = form.find('input[name="account"]').val();
  var passwordVal = form.find('input[name="password"]').val();
  ...
  $.post('/api/login', {
      account: accountVal,
      password: passwordVal
  }, function(res) {
      if (res.success) {
          localStorage.setItem('fifa_user', JSON.stringify({
              email: accountVal, name: uName, t: Date.now()
          }));
          var redir = params.get('redirect') || res.redirect || '/tickets_shop';
          window.location.href = redir;
      } else {
          form.prepend('<div class="login-error-msg" style="color: #E40046; ...">'
                       + (res.message || 'Login failed') + '</div>');
      }
  }, 'json')

Error handling is stateful and server-side. The backend determines whether authentication succeeds and returns a corresponding message, implying the existence of a real account database rather than a simple credential collection endpoint. Even the error message color, #E40046, matches FIFA’s corporate red, demonstrating that the visual styling of authentication failures was also replicated.

Evolution Between Versions

The comparison of common_main.js between both instances leaves no doubt regarding the evolution between versions. The session validation function in v1:

function isLoggedIn() {
    // 获取uid和token                    >  "Get UID and token"
    const uidMatch   = document.cookie.match(/uid=([^;]+)/);
    const tokenMatch = document.cookie.match(/token=([^;]+)/);
    if (!uidMatch || !tokenMatch) return false;
    // 检查有效性                        > "check validity"
    if (uid === '0' || uid === 'undefined' || uid === 'null') return false;
    if (token === 'undefined' || token === 'null' || token.length < 8) return false;
    return true;
}

And in v2:

function isLoggedIn() {
    // 新架构:使用 PHP session,localStorage 里的 fifa_user 由 user_status.js 在 /api/check_login 之后写入。
    //   "NEW ARCHITECTURE: PHP session; fifa_user is stored in localStorage by user_status.js after /api/check_login"
    try {
        var u = JSON.parse(localStorage.getItem('fifa_user') || 'null');
        if (u && u.id) return true;
    } catch (e) {}
    // 兼容旧 uid/token cookie(万一存在)
    //   "Support for the OLD uid/token cookie (if it exists)"
    var uidMatch = document.cookie.match(/uid=([^;]+)/);
    ...
}

The developer labels their own code as a “new architecture” and preserves compatibility with the “old cookie”. This alone establishes the order of the versions, and the registration dates confirm it: 8 April precedes 13 May.

Several differences can be observed between both versions. The following examples were selected from the two domains initially used for pivoting.

Feature v1 (fifa-com.food) v2 (fifa-gs.com)
Session Management uid/token cookie PHP session + /api/check_login + localStorage.fifa_user
UI Full Layui framework Custom shim; Layui disabled due to stack overflow
Content Hotlinks to api.fifa.com + digitalhub.fifa.com Self-hosted static mirror
Translation Google Translate enabled Disabled
Analytics Meta Pixel 1125427529712029 Meta Pixel 1147557470844988 + TikTok D7S1RAJC77U07JNLHM3G + 51.LA 3Q0zXEDWu5m6p2AG

Both generations contain development comments in Chinese, all of them corresponding to working annotations:

简化的语言检测和cookie设置    "simplified language detection and cookie configuration"
检测语言                     "detect language"
支持的语言列表               "supported language list"
清空所有内容,只添加select    "clear all content, add only the select"
秒后停止尝试                 "stop trying after N seconds"

The list of target languages appears explicitly within the comments themselves: 俄语 (Russian), 印尼语 (Indonesian), 德语 (German), 意大利语 (Italian), 日语 (Japanese), 法语 (French), 中文相关 (Chinese-related languages), and 亚洲语言 (Asian languages). Version 1 implements translation through the Google Translate widget while hiding its banner:

隐藏Google的原始横幅 */      "hide Google's original banner"
翻译初始化函数               "translation initialization function"

Version 2 further strengthens the China nexus (GHOST STADIUM) through analytics infrastructure. In addition to the Meta and TikTok pixels, it loads 51.LA, a Chinese web analytics platform:

Figure 15. 51.LA initialization code embedded in version 2, adding Chinese analytics infrastructure to the kit.

Figure 15. 51.LA initialization code embedded in version 2, adding Chinese analytics infrastructure to the kit.

The end result mirrors what a visitor would expect from FIFA’s official website, allowing users to purchase tickets and official merchandise, producing an experience similar to that observed in the first campaign, but with a broader path focused on the full range of official products offered through fifa.com.

Figure 16. Fake ticket sales section on the cloned portal, listing group stage matches with per-person pricing.

Figure 16. Fake ticket sales section on the cloned portal, listing group stage matches with per-person pricing.

Figure 17. Merchandise checkout flow within the cloned portal, collecting personal, shipping, and payment card information.

Figure 17. Merchandise checkout flow within the cloned portal, collecting personal, shipping, and payment card information.

Just as the impersonated website can be used to sell tickets, there is an effectively unlimited market across Telegram groups and Dark Web forums where these types of transactions take place or access to compromised accounts is sold.

Figure 18. Telegram listings offering World Cup tickets and account transactions in SOCRadar Platform.

Figure 18. Telegram listings offering World Cup tickets and account transactions in SOCRadar Platform.

Volume and Patterns

Unlike the previous campaign, clustering scales exponentially here because the kit is deployed in series and leaves identical artifacts across each instance. Three patterns observed throughout the hundreds of domains identified, ordered from highest to lowest confidence:

  • Kit page title:
"FIFA World Cup 2026™ Tickets"
  • Re-hosted logo:
FIFA_Logo_White_Generic.png

The legitimate portal serves its logo from its own CDN, never from a local path. Its presence under /fifa/ (v1) or /static/picture/ (v2) can only be explained by copying.

  • Hero image resource:
filename:"FWC26_PA2_Article_Hero_Slider"

In v1, this resource is hotlinked directly from FIFA’s legitimate CDN, meaning the signature can also match authentic pages. For that reason, it is retained only as a supporting indicator rather than a sizing metric and requires individual verification.

The observable scale exceeds 850 domains, compared to the 300+ publicly reported for this lineage in May:

fifa-mx.com
worldbuyyouself.com
sdf-26fifa.top
fifa-min.com
...

If the merchandise campaign demonstrates the disposable infrastructure model, this campaign takes the opposite approach, where the infrastructure itself is conceived as the product. Two months of pre-positioning, a dedicated account system with its own backend, version-to-version refactoring with documented bug fixes, and a deliberate migration of both registrar and privacy service.

The key finding of this campaign is its evolutionary traceability, rather than the existence of the clone itself. The comments left by the developer in the code make it possible to reconstruct not only what changed between v1 and v2, but also to understand other technical elements such as translation, Layui, and the authentication mechanism, which migrates from cookie-based authentication to PHP sessions while preserving backward compatibility. It is uncommon to have access to the development log of a kit annotated by the threat actor.

Unlike the merchandise campaign, where effective control was preventive and focused on registration, the infrastructure here survives for months, is registered through legitimate privacy proxies, and is delivered behind a legitimate CDN. Reputation-based controls have time to act, but the kit also has time to rotate. The detection points that remain resilient are the artifacts the attacker cannot change without rebuilding the product: the re-hosted logo, the cloned SSO path, the kit title, and, for as long as the operator does not clean up their own code, the traces of their working language.

Ticketing and Sports Betting

Figure 19. Attack window of the ticketing and betting campaign: continuous registration, use, and replacement of infrastructure throughout the tournament.

Figure 19. Attack window of the ticketing and betting campaign: continuous registration, use, and replacement of infrastructure throughout the tournament.

The third campaign neither steals credentials nor charges victims for products that are never delivered, as in the previous campaigns. Its business model is traffic monetization, capturing fans searching for tickets or match predictions and directing them, through affiliate schemes, primarily to betting platforms targeting the Chinese market. Victims do not lose their data on the fraudulent portal. Instead, they lose the ability to make informed decisions about where to place their bets, convinced by official affiliations that do not actually exist.

It is also the campaign with the greatest persistence and the only one that remained active throughout the entire tournament. Whereas the merchandise infrastructure burned out within days and the portal impersonation campaign was pre-positioned months in advance, this campaign rotates daily. Its infrastructure is continuously replaced rather than defended.

Initial Information

Two complementary components define this operation: thematic portals that impersonate authority, and the network of entry points that feeds them.

One example is chcn-2026-fifa.com, registered on 17 May 2026, three weeks before the opening match, with its latest recorded update on 7 July, well into the tournament. It remains active. The registrar is Gname.com Pte. Ltd. (Singapore), the registrant is declared in China, and the domain uses SHARE-DNS name servers.

Its impersonation strategy differs completely from the previous campaigns, as it does not attempt to imitate FIFA itself.

Figure 20. Betting portal impersonating the China Sports Lottery, linking directly to an inventory of affiliate betting platforms.

Figure 20. Betting portal impersonating the China Sports Lottery, linking directly to an inventory of affiliate betting platforms.

<title>世界杯(FIFA)中国竞彩官方网站</title>
"Official Website of the China World Cup (FIFA) Sports Lottery"

中国竞彩 (“China Sports Lottery”) is China’s state-run sports lottery and the only legal sports betting channel in mainland China. The lure therefore invokes the authority of the gambling regulator rather than that of the tournament organizer. This is the logical choice for an audience where private betting is illegal. The victim needs to believe that placing bets there is officially permitted, rather than that the site belongs to FIFA.

Pivoting from this portal reveals an infrastructure whose domains have a remarkably uniform age, while their intended roles are explicitly reflected in their names:

click-2026fifalottery.com.cn        1 day     > redirect
link-sport-2026fifaworldcup.com     1 day     > link farm
news-sport-2026fifaworldcup.com     1 day     > SEO content
{m|wap|web}.zhcn-fifalottery.com    1 day     > device-specific variants
{m|wap|web}.home-fifalottery.com.cn 1 day

The entire infrastructure has an observable age of one day. It is a continuous replacement pipeline, rather than infrastructure that grows old. The subdomain segmentation (m, wap, web) appears consistently across the rest of the network and, by itself, constitutes a recognizable fingerprint.

Modus Operandi

Some of the domains used throughout these campaigns belong to expired websites that have been repurposed to host the fraudulent infrastructure. The most common entry vector relies on third-party domains repurchased after expiration rather than domains registered specifically for the tournament. The case of tcnstaffing.com documents this particularly well:

Archived content (Dec 2021):   TCN Staffing, recruitment agency
Creation date (WHOIS):         2025-03-06
Registrant country:            Netherlands
Registrar:                     INWX (Germany)

A domain that has been renewed continuously retains its original creation date. Therefore, a creation date of 2025 for a domain that previously hosted a legitimate corporate website in 2021 indicates that the domain expired, was released, and later re-registered by a third party. The same pattern is observed in m.dasartisanat.com (created on 11 May 2026, registrar Chengdu Fly-Digital) and www.autotekservice.com.

These domains do not represent compromised infrastructure. No vulnerability is exploited and no backdoor is installed on a third-party server. Instead, the operators purchase, on the open market, expired domains that still retain inbound links, search engine indexing history, and SEO authority accumulated over several years, then repurpose them as entry points. This modus operandi also explains the lack of sectoral or geographical consistency across the infrastructure. The operators do not choose the target, they buy whatever is available.

The Overlay Kit

All entry points deliver the same artifact, whose brevity remains remarkably consistent:

<head>
  <title>@</title>
  <script language="javascript" src="/sttcs/stjs.js" type="text/javascript"></script>
  <meta http-equiv="Content-Security-Policy" content="script-src 'none'">
  <style>
    html,body {width:100%;height:100%;overflow:hidden;clear:both;}
    body > *, .container { opacity: 0; }
    #divs { opacity: 1; }
  </style>
</head>
<body>
<div
style="width:100%;height:100%;position:absolute;top:0;left:0;z-index:2147483647;" id="divs">
    <iframe src="/sttcs/v2?channel=KB3&ref=https://m.dasartisanat.com/"></iframe>
  </div>
</body>

The kit and the analyzed files reveal several notable characteristics:

  • The Content Security Policy is used against the page itself: The kit first loads its own script and only then declares script-src ‘none’. This order is intentional. Its own code is already executing when the policy takes effect, meaning the restriction leaves the malicious script unaffected while preventing any other script within the document from executing. A security mechanism intended to protect the website is repurposed to neutralize it.
  • The original content is not removed, only hidden: The rule body > * { opacity: 0 } leaves the host page fully intact within the DOM, allowing search engine crawlers to continue indexing it while rendering it invisible to visitors. Meanwhile, #divs, with z-index: 2147483647 (the maximum signed 32-bit integer), ensures that the overlay completely covers the original page. The infrastructure therefore preserves the very property that makes it valuable, its indexing history, while presenting entirely different content to human visitors.
  • The iframe parameters represent the accounting layer of the operation: The channel=KB3 parameter identifies the affiliate responsible for the traffic commission, while ref= identifies the entry domain that generated the visit. Combined with the show= parameter in the initial URL, which selects the campaign, the result is a conventional traffic distribution system. The same infrastructure serves multiple campaigns for multiple affiliates, while every redirect is individually attributed for commission tracking.
  • Title: The kit uses <title>@</title>, a single-character page title that is extremely uncommon on legitimate websites.

Figure 21. Overlay kit source code with the single-character page title and the Content Security Policy declared after the kit's own script.

Figure 21. Overlay kit source code with the single-character page title and the Content Security Policy declared after the kit’s own script.

Figure 22. The single-character "@" page title repeated across entry point domains, a fingerprint of the overlay kit.

Figure 22. The single-character “@” page title repeated across entry point domains, a fingerprint of the overlay kit.

The analysis of other campaigns with similar objectives, such as modernraunch.com, which contains seven subdomains (m, wap, down, h5, mail, mail2, and the apex), the same device-based segmentation observed across the rest of the network, reveals the scale of the campaign.

The JSON files are named after the target brand, and their inventory describes the business model without ambiguity:

伟德国际(bevictor·1946)源自英国官方网站_5538.json      > BetVictor
SBOBET利记(中国)集团_2495.json                       > SBOBET
EMC易倍·(中国区)官方网站_8787.json                    > EMC
在线计划全天免费计划(中国)有限责任公司_5295.json
🦘登录🐝专属🎣国际🐔网站🦀进入🎰_9424.json           > Filler text for SEO positioning

Within these files, the JSONs associated with the domains also commonly reference government domains (zzapp.gsxt.gov.cn, user.www.gov.cn), university domains (client.vpn.nuist.edu.cn, dky.gxu.edu.cn), and established commercial brands (www.beatsbydre.com.cn, www.kookapp.cn, www.nd.com.cn). These are used as cross-references or outbound links, as these campaigns often act as central nodes linking to dozens of different pages, including ticketing and betting platforms.

The acquisition portals link directly to an inventory of betting platforms:

app-12bet.com          pc-kaiyunsports.com.cn     wap-500cp.com
app-bway880.com        mobile-biwei.com.cn        pc-vnsr.com
app-dingshengfun.com   m-beibo.com.cn             cn-vnsr.com.cn
zh-tianbosports.com.cn zsdjs.top                  bf4.yaheedu.com

The sales argument is systematically the same: an invented official affiliation. The destination platforms present themselves using tournament sponsorship badges (世界杯赞助), partnership claims with football clubs (皇马合作 / Real Madrid, AC米兰合作 / AC Milan), and fabricated certification seals (官方赛事协作认证, “Official Event Collaboration Certification”). The registration forms display the crests of Real Madrid, Inter Milan, AC Milan, and Crystal Palace. Promotional material uses images of active football players without apparent authorization. Ecosystem aggregators such as F16.CC, presented as the “2026 World Cup Premier Brand Alliance”, bring together a dozen operators under the same fabricated framework of legitimacy.

An important piece of evidence is the og:url field of chcn-2026-fifa.com, which points to chcn-2026-fifa.com.cn, while its news articles are served with the publication date embedded in the filename (news-20260618-0631-3019.html), indicating automatically generated content. The portal also integrates Yandex Metrika (ym(107069266)), Russian analytics within an operation targeting the Chinese market.

Volume and Patterns

The signatures identified in these campaigns operate on two distinct layers.

  • Thematic portal layer: content sites impersonating authority.
Title:"世界杯(FIFA)"           > 2,574
  • Traffic network layer: entry points and gateways.
Url:*show=goodluckyyds*      > 2,249     (Campaign ID)
Title:"安全跳转页面"           >    39     (Gateway)

Structural signatures derived from the kit, which are often more resilient than the previous ones because the operator cannot modify them without rebuilding part of the product:

  • Filenames
  • Titles

The campaign is a shared platform rather than a collection of isolated domains.

Campaigns Summary

The three campaigns analyzed exploit the same event calendar while maintaining three different relationships with time. The merchandise campaign registers domains and burns them within five days. The portal impersonation campaign pre-positions its infrastructure two months in advance while maintaining the product over time. This campaign neither builds nor burns infrastructure, it replaces it. Its infrastructure consistently appears to be one day old because replacement is cheaper than defense, while its raw material, expired domains with accumulated authority, is an open, legal market with an effectively unlimited supply.

The fundamental difference, however, is economic rather than temporal. The previous two campaigns extract value from the victim, their money, credentials, or payment card information. This campaign extracts value from the advertiser. The victim reaches a legitimate betting platform that processes legitimate deposits and pays legitimate affiliate commissions for every registration. The fraud lies in the consent that precedes the transaction, obtained through nonexistent sponsorships, football club crests used without authorization, and fabricated certification seals. For this reason, the lure impersonates the gambling regulator rather than the tournament organizer. The uncertainty it attempts to remove is whether placing bets there is officially permitted, rather than who owns the website.

Additional Campaigns

Throughout the tournament, several additional campaigns coexisted alongside those described above. While technically less sophisticated, they maintained a sustained global presence throughout the competition. They share the same opportunistic exploitation of the event but differ in their monetization models. Their technical capabilities and overall sophistication are considerably lower than those of the campaigns discussed previously.

Cryptocurrency

The group of cryptocurrency-related campaigns is the broadest in conceptual scope among those observed. Under the same World Cup-themed lure, several different models coexist, including the issuance of themed tokens, clones of cryptocurrency betting platforms, and monetization of streaming services through cryptocurrency payments. One example is fifa2026coin.cc, where a commemorative token is presented as a “Championship memecoin on Solana”, accompanied by a countdown to the opening match and direct links to pump.fun and Dexscreener. The contract suffix identifies its origin as a memecoin launch platform. These campaigns simply mint the asset and rely on a narrative and an event calendar, in this case the World Cup, while continuously shifting to whichever events currently attract public interest.

Figure 23. World Cup-themed cryptocurrency lures: the $FIFA2026 memecoin site and a crypto betting platform offering match predictions settled in USDT.

Figure 23. World Cup-themed cryptocurrency lures: the $FIFA2026 memecoin site and a crypto betting platform offering match predictions settled in USDT.

Some models replicate the approach already described in the previous chapter, but settle transactions in cryptocurrency, including clones of established betting platforms such as Dexsport, as well as impersonation of legitimate betting brands, such as the one identified on fifa2026.kr under the title of a well-known operator. Additional domains with straightforward naming conventions, such as fifa.casino, were also identified. Here, victims are promised participation rather than tickets or merchandise: an asset supposedly expected to appreciate during the tournament, or a betting platform operating outside the restrictions of conventional banking. Multiple Telegram channels following this same trend were also observed in SOCRadar platform.

Figure 24. World Cup-themed token campaigns amplified through Telegram channels during the tournament.

Figure 24. World Cup-themed token campaigns amplified through Telegram channels during the tournament.

The scale of this activity remains stable and does not decline throughout the tournament. Pivoting reveals hundreds of active domains operating since the beginning of the competition.

Streaming and Advertising

The second group exploits the most universal need among football fans: watching the match. Supposed streaming portals such as fifaworldcup.cfd, watchsportslive.cc, and similar domains capture users searching for live broadcasts and monetize the traffic through aggressive advertising, redirects, and pop-up windows. Alongside them operates a family of fake prize and giveaway pages following the classic “you have been selected as a winner” pattern, adapted to the tournament calendar.

Figure 25. Streaming and giveaway lures: fake match-pass portals, an airtime and mobile data reward page targeting Nigeria, and the advertising chains they monetize.

Figure 25. Streaming and giveaway lures: fake match-pass portals, an airtime and mobile data reward page targeting Nigeria, and the advertising chains they monetize.

Cases such as 2026-world-cup-free-airtime-data.earnonline.pro are representative of both the technique and its business model. The page promises mobile airtime credit and free mobile data, primarily targeting countries such as Nigeria, as a “World Cup celebration reward”, and simulates an eligibility verification process using a five-second progress bar. No verification actually takes place:

setTimeout(function(){
    window.location.href="https://2026-world-cup-free-airtime-data.earnonline.pro/step1.html";
}, 5000);

The modus operandi creates the illusion of a verification process to legitimize the promised reward. The destination filename, step1.html, also reveals a multi-step funnel, a common pattern in survey and offer chains where the user never reaches the promised reward. The prize itself is appropriate for the target market: low individual value, high everyday demand, and sufficiently plausible as a mobile operator promotion. As in the previous campaign, multiple Telegram groups are used to distribute these offers as a way to attract users seeking to watch the matches.

Figure 26. IPTV bundles marketed through Telegram for World Cup streaming in SOCRadar Platform.

Figure 26. IPTV bundles marketed through Telegram for World Cup streaming in SOCRadar Platform.

The scale is comparable to that of the other verticals, and its behavior over time is identical: it begins with the tournament, remains active throughout it, and continuously rotates its infrastructure while maintaining the same appearance.

Results, Brackets and Information

The final group is the least harmful and, precisely because of that, the most widespread. It consists of platforms providing match results, tournament brackets, and predictions, often shared between users as genuine utilities to conveniently follow the standings, complete a bracket, or publish predictions. They do not impersonate anyone, do not steal credentials, and, in many cases, provide exactly the service they advertise.

The risk lies in monetization rather than fraud. The same utility that makes these platforms go viral, being widely shared through messaging applications and social media without the distrust typically associated with fraudulent shopping websites, also turns them into advertising platforms of varying quality. In the worst cases, the advertising chains they integrate ultimately redirect users to the same destinations documented in the previous campaign categories. Their inclusion in this report does not classify them as malicious. Instead, it places them on the map as the broadest and lowest-friction layer of the ecosystem, and as the point where a user who would never visit a fake merchandise store may ultimately end up, after two redirects, at the very same traffic distribution infrastructure documented in the previous section.

Pivoting

The campaigns described above, which represent only a subset of those identified overall by STRU, generally do not share the same threat actor, platform, or business model. What many of them do share, however, is the methodology used to identify and delimit them. In many cases, they attempt to resemble official websites by copying their content. Automation and the use of phishing kits make it possible to pivot across different campaigns that follow the same patterns, allowing analysts to identify threat actors using similar methodologies.

Public Credential

During pivoting on the second campaign impersonating the FIFA portal, a Telegram bot token was identified on one of the domains. The same token was simultaneously present on the website of a food delivery business in Benoni (South Africa). The relationship initially suggested that the phishing kit exfiltrated data through a reused Telegram channel and that an operational security failure linked the campaign to unrelated infrastructure.

The origin of the token is visible in the restaurant’s client-side code, where the template instructions had been left intact:

Figure 27. Telegram bot token and merchant credentials exposed in the client-side code of an unrelated business, with template instructions left in Greek.

Figure 27. Telegram bot token and merchant credentials exposed in the client-side code of an unrelated business, with template instructions left in Greek.

The comments are written in Greek (“insert the token here”), the page declares itself in Greek, and the business exposes, alongside the token, the merchant credentials for its payment gateway. It is a small business using an automatically generated template with poor security hygiene. It is not adversary infrastructure, yet it appears associated with one.

The bot’s telemetry records food orders placed on 20 and 31 March, while the domain used in Campaign 2 was not registered until 8 April. The bot was receiving hamburger orders weeks before the campaign domain even existed. Nevertheless, the token appears in logs and internal campaign files, and is also associated with other stealer log channels. Despite this, the campaign itself neither requires Telegram nor makes operational use of it.

Figure 28. Pivot chain around the exposed bot token: food orders recorded weeks before the campaign domain existed, alongside stealer log channels reusing the same credential.

Figure 28. Pivot chain around the exposed bot token: food orders recorded weeks before the campaign domain existed, alongside stealer log channels reusing the same credential.

What this case demonstrates is that once a credential is exposed in client-side code, anyone who discovers it can use it. The same telemetry later shows the bot receiving advertisements for a stolen credentials marketplace during July. In this case, the leaked token identifies the party that exposed it, rather than the threat actor.

The other two disproven correlations follow the same logic. The registrant hash ddb75a553547a419, repeated across every WHOIS field of fifa-com.food, initially suggested a reusable operator identity. Pivoting on it returns domains that share nothing beyond their registration provider, making it an artifact of how that provider populates redacted registrant fields rather than a marker of the operator. The shared template observed across the merchandise storefronts behaves identically: it is commercial demo content shipped with the theme, present by default in unrelated deployments, and establishes only that two operators purchased the same product.

Accessible Patterns

Beyond the previous case, the remaining clusters described in this report were identified using a different type of signature. The same lesson is repeated across all four campaigns: the most useful signatures are those the operator did not intentionally choose to leave behind or modify, rather than those that best describe the website.

In the second campaign, which impersonates the FIFA portal, the infrastructure repeatedly clones the main FIFA website. It reuses graphical resources from the legitimate site, which can be leveraged for pivoting and made it possible to identify the evolution of the kit used, as discussed previously.

Figure 29. Structural pivoting across the portal impersonation cluster: unrelated domains preserving fifa.com's original directory structure.

Figure 29. Structural pivoting across the portal impersonation cluster: unrelated domains preserving fifa.com’s original directory structure.

The results obtained from this valid signature reveal that the mirrors preserve the original site’s directory structure, to the point where domains with no lexical relationship to one another, such as fifa-mx.com, fifa-min.com, sdf-26fifa.top, and worldbuyyouself.com, all share the same structure. In this case, more than 850 different domains following the same structure across different versions were identified.

In the cryptocurrency campaigns, the contract address becomes the key artifact. It is immutable, public, and can be independently verified outside the scanning platform, on the blockchain explorer, on the platform where it was minted, and on the aggregator where it is listed. Most importantly, it is the product itself. The operator can rotate domains indefinitely, but cannot change the contract address without abandoning the asset being promoted. The same logic applies to the affiliate identifier in the betting campaign: whatever the business requires in order to operate becomes an effective pivoting artifact. The repeated use of the same files and recurring page titles across many campaigns also provides valuable pivoting opportunities.

In this case, the results exceeded 900 different domains throughout the World Cup period, encompassing multiple campaigns using different kits and patterns while pursuing the same objective and employing the same strategies to uncover additional indicators.

Pivoting significantly improves campaign analysis by allowing analysts to scale indicators and better map adversary infrastructure. Throughout the investigation, the signatures and queries focused on assets that the operator did not intentionally choose to leave behind: the identifier of a third-party CDN embedded in a filename, the parameter required to receive affiliate commissions, a single-character page title, an overlooked code comment, and similar artifacts.

The World Cup provides an extensive attack surface, allowing numerous threat actors to take advantage of the event to target new victims across most countries. The campaigns consistently adapt their lures to regions participating in or showing significant interest in the tournament, extending their impact on a global scale.

Conclusion

Daily measurements collected throughout the tournament period lead to one main conclusion: the activity concentrated before the tournament began rather than following the match schedule. The curve peaked seventy-two hours before the opening match, declined on the day of the opener itself, showed a slight increase during the first weekend, and returned to baseline from 21 June onward, where it remained throughout the knockout stage. Neither the semifinals nor the final produced anything comparable. The composition explains why: approximately 79% of the domains observed at the peak were less than thirty days old. This reduces the phenomenon to its simplest form. The wave does not persist throughout the tournament because the infrastructure composing it was never designed to persist. The peak simply reflects the moment when an infrastructure acquired throughout May was activated simultaneously.

The decline is likely reinforced by operational realities. As fewer teams remain, fewer countries sustain peak public interest, reducing the value of maintaining broad event-themed infrastructure. By that stage, defenders have also had weeks to detect and disrupt malicious domains, making it more profitable for operators to rotate infrastructure, pivot to new lures, or simply abandon the campaign after exploiting the pre-tournament window.

The following is a summary of the most notable campaigns identified from the total number of campaigns analyzed by STRU:

Campaign Monetization Lifetime Victim Infrastructure
Merchandise Fake sales ~5 days Payment cards Disposable
Portal impersonation Credential theft Months FIFA accounts Versioned kit
Betting Affiliate commissions 1-3 days Traffic Rotating expired domains
Crypto Token promotion Weeks Investors Rotating
Streaming Advertising Weeks Viewers Disposable

Three reasonable conclusions can be drawn for future events of comparable profile.

  • The risk window precedes the event: Campaigns are created for the month of the competition. The earliest indicators are activation, certificate issuance, first DNS resolution, and similar events, rather than traffic or reputation. With operational lifespans measured in days, controls relying on accumulated reputation have virtually no opportunity to respond.
  • Different business models coexist under the same activity curve: Fake merchandise campaigns burn infrastructure within five days while stealing victims’ money and payment card information. Portal impersonation campaigns pre-position infrastructure two months in advance, maintain a version-controlled product, and steal credentials through their own backend. Ticketing and betting campaigns neither build nor burn infrastructure, they replace it daily by purchasing expired domains on an open and legal market.
  • A noisy attack surface: Three of the most striking connections identified during the investigation, a shared bot credential, an identical registrant identifier, and a common template, all turned out to be artifacts of shared infrastructure viewed from different perspectives, and all three were disproven using straightforward evidence. The signatures that ultimately proved reliable across every cluster shared one defining characteristic: they were elements that the operator did not intentionally choose to leave behind.

MITRE ATT&CK® Framework TTPs

Tactic Technique Procedure
TA0043: Reconnaissance T1594:Search Victim-Owned Websites The portal impersonation actors retrieve the legitimate fifa.com estate wholesale using automated mirroring, producing static and dynamic files per deployment.
TA0042: Resource Development T1583.001: Acquire Infrastructure: Domains Actors register World Cup themed domains ahead of the tournament through Gname.com (Singapore), NameSilo, Openprovider and Chengdu Fly Digital, and so on. Naming follows brand adjacent conventions, country segmentation and typosquatting. The betting traffic network acquires expired domains that retain indexing authority and inbound links, rather than compromising live infrastructure.
TA0042: Resource Development T1583.006: Acquire Infrastructure: Web Services The merchandise cluster deploys storefronts on Shopify to obtain a functioning checkout with genuine card processing. The crypto cluster issues its token through the pump.fun launchpad.
TA0042: Resource Development T1588.004: Obtain Capabilities: Digital Certificates TA obtain free, short lived TLS certificates to present a valid HTTPS session.
TA0042: Resource Development T1608.005: Stage Capabilities: Link Target The portal kit stages a cloned FIFA ID login page at authorize.html, reproducing the PingFederate authorization path (/as/authorize) as a hidden form field and the official brand error colour. Access to the cart is gated behind a forced login check, routing every purchase attempt through the credential form.
TA0042: Resource Development T1608.006: Stage Capabilities: SEO Poisoning The betting network stages JSON files across a single host, named after target gambling brands and padded with emoji keyword strings, all referencing a single control point.
TA0001: Initial Access T1566: Phishing Reward lures present unsolicited prize claims tied to the tournament. The airtime campaign offers a fabricated telecom reward and stages a five second eligibility verification before redirecting to a multi step funnel. The verification is a CSS animation paired with a hardcoded setTimeout redirect.
TA0005: Stealth T1684.001: Social Engineering: Impersonation Clusters impersonate the FIFA Store, the FIFA portal and the Chinese state sports lottery (中国竞彩). Betting portals display fabricated sponsorship badges (World Cup sponsor, Real Madrid partnership, AC Milan partnership), invented certification seals (官方赛事协作认证), club crests and unauthorised imagery of active players.
TA0005: Stealth T1036.005: Masquerading: Match Legitimate Resource Name or Location Mirrored portals preserve the original path structure, so lexically unrelated domains all serve /en/tournaments/mens/worldcup/canadamexicousa2026. The v1 kit renders live legitimate content inside the fake portal by hotlinking 95 assets from digitalhub.fifa.com and issuing 84 calls to api.fifa.com.
TA0006: Credential Access T1056.003: Input Capture: Web Portal Capture The portal kit captures credentials through the cloned login form and transmits them via POST /api/login to its own backend. Session state is maintained server side and written to localStorage as fifa_user following /api/check_login. Backend handling is not observable; no third party exfiltration channel is present in the kit.
TA0009: Collection T1056.003: Input Capture: Web Portal Capture Merchandise storefronts present a functional cart and card entry form. The flow was followed to the payment stage on a live instance, where card data entry was solicited.
TA0040: Impact T1657: Financial Theft Merchandise clusters solicit payment for goods that are never delivered, applying a consistent 24 to 30 percent discount band calibrated to remain plausible rather than to maximise apparent value. The betting network monetises through affiliate commission instead of direct theft, with channel= identifying the affiliate and show= identifying the campaign in each redirect, making attribution of traffic a requirement of the business model

IoCs

The rest of the indicators can be found on the SOCRadar platform.

www.2026worldcup.fr
www.usaworldcup2026shop.com
www.argentinaworldcup2026shop.com
www.mexicoworldcup2026shop.com
worlcupfifashop.com
aurevia-eu.store
xajes1-55.myshopify.com
shopworldcupatl.com
trivelaprime.shop
skiesticket.com
fifa-uruguay.shop
fifa-mexico.shop
fifa-ecuador.shop
fifa-colombia.shop
fifa-bolivia.shop
fifaworldcup2026jerseyshop.in
worldcup2026shop.us
fifa-com.food
fifa-gs.com
26-fifa.com
fifa-mx.com
fifa-min.com
sdf-26fifa.top
worldbuyyouself.com
ww-wfifa.com
chcn-2026-fifa.com
chcn-2026-fifa.com.cn
zhcn-fifalottery.com
home-fifalottery.com.cn
click-2026fifalottery.com.cn
down.hkromancedating.com
h5.onsts.com
m.dasartisanat.com
down.tcnstaffing.com
vicssubsnj.com
www.fifa2026coin.cc
www.fwc26coin.com
fifa2026.kr
fifa.casino
fifaworldcup.cfd
watchsportslive.cc
kickofftv26.com
2026-world-cup-free-airtime-data.earnonline.pro