As the countdown to the 2026 FIFA World Cup begins, threat actors are already on the field, building digital infrastructure designed to exploit fan excitement, disrupt ticketing, and siphon revenue from one of the world’s largest sporting events.
New research from Check Point Research, the threat intelligence arm of Check Point Software Technologies, reveals a coordinated campaign to establish thousands of fake domains, botnets, and phishing tools, all masquerading as legitimate FIFA and host city assets.
This is not speculation. The campaign has already begun.
The early play: Fraud infrastructure in motion
Since 1 August 2025, Check Point has identified more than 4,300 newly registered domains spoofing FIFA, “World Cup,” or tournament host cities like Dallas, Miami, Toronto, and Mexico City. These registrations are not organic. They come in synchronised waves, often using identical DNS infrastructure, and are tightly clustered across a handful of bulk-friendly registrars like GoDaddy, Namecheap, Dynadot, and Gname.
Many of these domains are designed for long-term use, including references to FIFA 2030 and 2034. This “domain aging” strategy allows fraudsters to build passive credibility over time, a tactic often seen in targeted brand abuse.
Real-time risk: Presale phishing incoming
FIFA’s first ticketing phase is already underway. Fans who entered the early presale draw (September 9 to 19) will be notified of their results on September 29, with ticket purchases opening for selected users on 1 October.
This window presents an ideal opportunity for fraud.
Threat actors are expected to flood inboxes and search engines with phishing emails, spoofed ticket confirmations, and fake queue portals, all timed to coincide with real FIFA communications. The likelihood of success increases when urgency is high, and expectations are real.
“What we’re seeing isn’t isolated cybercrime. Its infrastructure is being built, at scale, to exploit global interest before the World Cup even kicks off,” said Amit Weigman, evangelist at Check Point Software Technologies. “Threat actors are not waiting for 2026. They are matching their timeline to FIFA’s.”
What Check Point Research found
4,300+ FIFA-related domains registered in less than 60 days, with peak activity between 8-12 August and again in early September.
- Registrar concentration across GoDaddy, Namecheap, Gname, and Dynadot enables bulk automation and rapid deployment.
- Linguistic targeting splits by audience: English for streaming, Spanish and Portuguese for ticketing and merchandise, French for European markets.
- Top-level domains include .com, .shop, .store, .online, and .football — often chosen for low cost and low friction.
- DNS overlaps suggest centralised control by small numbers of semi-professional operators using scripted fraud kits.
- Telegram channels and dark-web forums are already promoting fake tickets, counterfeit gear, and payment fraud toolkits.
Ticketing disruption
Beyond simple scams, Check Point uncovered evidence of systemic attacks designed to destabilise FIFA’s ticketing infrastructure.
Botnets are being trained to flood pre-sale queues, scoop up high-demand inventory, and manipulate dynamic pricing models. On underground markets, customised toolkits and proxy farms are being sold with FIFA-specific instructions, an echo of tactics used to disrupt major ticketing platforms like Ticketmaster.