Threat intelligence firms, citing Check Point research, documented a coordinated registration of thousands of FIFA/World Cup‑themed domains and associated infrastructure designed to impersonate official ticketing, streaming and merchandise platforms. Security firms warn these registrations are pre‑event fraud and phishing intended to defraud fans and push malware or crypto scams.

Cybersecurity researchers and industry threat teams have identified a coordinated wave of thousands of FIFA 2026‑themed domain registrations — more than 4,300 in one dataset — and supporting infrastructure crafted to impersonate official ticketing, streaming and merchandise sites ahead of the World Cup. Analysts say perpetrators are deploying typosquatting, look‑alike domains, cloned pages and payment‑collector endpoints to harvest credentials, sell fake tickets and push malware or cryptocurrency‑related investment lures. The campaigns are described as classic pre‑event fraud that scales via bulk domain registrations, disposable hosting and automated phishing kits, with social engineering via social media ads, fake chat support and unsolicited messages. Security firms advised fans to use only official FIFA and host‑city channels, scrutinise URLs, avoid atypical payment methods and report suspicious offers. Organisers and registrars were urged to accelerate takedowns and implement defensive measures such as domain monitoring, DMARC email policies and stronger verification for ticket resale platforms to reduce pre‑event victimisation.