The 2026 FIFA World Cup is underway. Scam operators spent months staging ticket, streaming, and crypto fraud across email, ads, and SMS, and the active layer is now in full swing. The picture is less a single campaign than a shared opportunity: dozens of unrelated operators converging on one of the year's largest events, each running its own infrastructure with no overlap between them. We mapped an active layer already reaching fans, including prize and ticket phishing, fake merchandise stores, illegal-stream bait, and an ambassador-impersonation prize scam, alongside a far larger staged layer of more than 300 FIFA and World Cup domains registered through 2026 - many still dormant, others now activating in waves as group-stage matches play out. Public advisories from the FBI, CSC, and several vendors describe the same surge; our telemetry shows where it is landing right now.
Key Findings
- The World Cup is being worked as a shared lure by many independent operators across email, Facebook, and SMS, not run as one coordinated campaign. Every operator's infrastructure appeared in only one channel, with no shared backend between them.
- An active layer is already in front of fans: ticket and prize phishing, fake stores, illegal-stream bait, and a prize scam impersonating a FIFA ambassador.
- A much larger staged layer is sitting idle. More than 300 FIFA and World Cup domains were registered through 2026, most never yet seen in real traffic and carrying no threat-feed history.
- The strongest email operators avoid putting the World Cup theme in their sender or link domains at all, relying on throwaway domains and trusted cloud object storage to carry the payload.
- FIFA registers its real domains through corporate brand-protection registrars. The lookalikes we found all sit on commodity registrars behind WHOIS privacy.
Background
Major sporting events are a recurring fraud magnet, and the World Cup is the largest of them. Ticket scarcity, an audience in the billions, official-versus-unofficial resale confusion, demand for streams in restricted regions, and a rush on fan merchandise all hand operators a ready-made pretext. The pattern repeats every cycle: ESET and Bitdefender documented fake-lottery and ticket fraud around the 2022 tournament, and ahead of 2026 the FBI's Internet Crime Complaint Center, Fortinet, Cyble, and others have all published advisories describing the same build-up. Domain-intelligence firm CSC counted tens of thousands of FIFA-containing domains registered since 2022, none by FIFA itself.
FIFA sells World Cup tickets only through its official ticketing site. Scammers exploit the gap between that single official channel and the crowded secondary market by standing up lookalike "official resale" and "ticket shop" domains that collect card and personal data. The defensive advice fans are given - navigate directly to the official site rather than trusting a search result or an email link - runs straight into the human habit of trusting a URL that merely contains the word "fifa."
Several legitimate platforms recur in this landscape because their trust is borrowable:
- Google Cloud Storage (storage.googleapis[.]com) and Linode/Akamai object storage (linodeobjects[.]com) let anyone serve files over HTTPS with little verification. A phishing page parked in a bucket inherits the provider's TLS certificate and reputable parent domain, slipping past reputation systems, and the bucket can be abandoned after the campaign burns.
- Google Blogger (blogspot[.]com) and Vercel (vercel[.]app) provide free, instantly deployed, TLS-backed hosting under high-reputation parent domains, ideal for one-shot streaming-bait pages and fake checkouts that rotate as fast as they are blocked.
- Pump.fun and the Solana memecoin ecosystem are where "World Cup coin," "raydium," and "dex" lookalikes point. Independent analyses have found that the overwhelming majority of tokens launched on these venues are pump-and-dumps or outright rug pulls, where insiders drain the liquidity pool once enough retail money arrives.
- Socolive is itself a piracy streaming brand, not a rights-holder, so the socolive-wc2026 clones we found are illegitimate copies of an already illegitimate service.
- Link shorteners add a redirect hop that hides the final destination and lets an operator swap the landing page without changing the advertised link.
Discovery and Infrastructure
We started from the registration feed and from real scan traffic, then separated the two. Token-matching on sender and link domains badly undercounts this kind of fraud, because the active operators deliberately keep the theme out of their domains. The signal that mattered was content: subject lines, ad creative, and the resolved destinations behind them.
Cross-channel correlation was the clarifying step. We checked every confirmed operator domain across email, Facebook, and SMS, and each one appeared in exactly one channel. There is no shared backend tying these operators together. What unifies them is the calendar, not a command structure. That is why the right frame here is a landscape rather than a campaign.
The active operator domains we confirmed in real traffic:
| Indicator | Role | Notes |
|---|---|---|
| worldcupmx[.]shop | Fake store | World Cup branding, no WHOIS record |
| buyjerseysstore[.]com | Fake store | Counterfeit jerseys, registered weeks before kickoff |
| besttopixs[.]com | Clickbait network | Fake NBC/ABC/CNN/Fox sports portals; active since late 2024 |
| elephtv[.]life | Streaming piracy | Unauthorized IPTV |
| hdonlive[.]com | Streaming piracy | Event-stream impersonation |
| topiptv[.]xyz | Streaming piracy | IPTV reseller |
| tivi-one[.]net | Streaming piracy | Same reseller cluster |
| ftatv[.]net | Streaming piracy | Arabic-market IPTV |
| goodstreem[.]org | Streaming piracy | High-reach stream aggregator |
| viprize[.]org | Prize scam | FIFA-ambassador impersonation lander |
| fifacoinsltd[.]com | Email sender | Aged domain repurposed with a redirector kit |
The staged layer is larger and quieter. More than 300 FIFA and World Cup domains were registered through 2026, organized into recognizable clusters: brand-impersonation typosquats, ticket-fraud shapes, crypto-token lookalikes, and streaming clones. Most have no traffic history and no threat-feed coverage yet. They are inventory, registered ahead of the event and waiting to be switched on.
How It Works
The strongest email operators run a three-part evasion that defeats reputation at every layer. The sender is a throwaway, often random-string domain whose local part matches the domain, so it carries no history to penalize. The payload lives in a trusted cloud bucket, so the link resolves to storage.googleapis[.]com or linodeobjects[.]com rather than anything attributable. And the display name is set to a trusted brand on a freemail account that passes its own authentication, so there is no spoofing failure to catch.
A representative ticket lure, sanitized:
From: "FIFA World Cup 2026" <info@xxnyso9w9z7lvmf99j[.]com>
Subject: Final Call: Win 2 FIFA World Cup 2026 Tickets
Link: http[:]//storage.googleapis[.]com/<bucket>/verify-ticket.html
A second cluster leans on sponsor brands rather than FIFA directly, with subjects such as "You have won a Coca-Cola World Cup 2026 Bundle" and "World Cup 2026 - Confirm your ticket," again landing on object-storage pages. A separate set of "profile has been verified as priority" messages impersonates a fictitious "U.S. 2026 World Cup Committee" across a fleet of self-matching throwaway domains.
On Facebook the lure is the ad, and the destination is the tell. Sports-fan pages advertise into the besttopixs clickbait network, whose subdomains impersonate major news outlets. Other pages push illegal IPTV and stream-aggregator sites, and one page impersonating a former World Cup-winning goalkeeper and current ambassador runs paid prize-lander ads. On SMS, a toll-free sender impersonating a major sports retailer advertised "World Cup jerseys 75% off" behind a shortened link that resolved to a counterfeit storefront.
Technical Analysis
The brand-typosquat cluster is worth a closer look because the shapes encode intent. We saw URL-bar spoofing (https-www-fifa[.]com, where the string "https www" is baked into the domain so a hurried reader parses only "fifa"), homoglyph and fat-finger variants (vvww-fifa[.]com, ww-fifa[.]com), TLD and ccTLD swaps on the real brand (www-fifa[.]me, www-fifa[.]com[.]co), a credential-harvest prefix (signin-2026worldcup[.]com), and locale-targeted prefixes aimed at non-English speakers (zh-watch-2026worldcup[.]com, zh-wc2026-official[.]com). None of these has a plausible legitimate use, and all of them sit on commodity registrars behind privacy services, in contrast to FIFA's own corporate-registrar footprint.
The crypto cluster maps cleanly onto the Solana rug-pull playbook: names built from "coin," "token," "memecoin," "dex," "pump," and "raydium" attached to the World Cup brand, on the cheap TLDs that ecosystem favors. The streaming cluster clones an existing piracy brand and adds event-timed suffixes. The ticket cluster uses the most direct shapes of all, "buy," "resale," "ticket shop," because for a ticket scam the plain-language promise is the whole pitch.
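The cluster shapes described above can be turned into a first-pass triage of a registration feed. The following is an added example, not code from the original analysis: the rule names, the `OFFICIAL` allowlist, and the choice of brand tokens are assumptions, and the sample feed reuses defanged domains quoted on this page plus a few constructed benign rows.

```python
import re

OFFICIAL = {"fifa.com"}  # assumption: defender-supplied allowlist of genuine domains
BRAND = re.compile(r"fifa|world-?cup|wc2026|fwc26")  # tokens from the page's list
# Ordered (cluster, shape, pattern) rules; the first match wins.
RULES = [
    ("Typosquat", "URL-bar spoof", re.compile(r"^https?-")),
    ("Typosquat", "www-style prefix", re.compile(r"^[vw]{2,4}-")),
    ("Typosquat", "credential-harvest prefix", re.compile(r"^signin-")),
    ("Typosquat", "locale-targeted prefix", re.compile(r"^zh-")),
    ("Crypto", "token vocabulary", re.compile(r"coin|token|dex|pump|raydium")),
    ("Ticket", "ticket vocabulary", re.compile(r"buy|resale|ticket")),
    ("Streaming", "piracy-brand or IPTV", re.compile(r"socolive|iptv")),
]

def refang(value):
    """Normalise a defanged indicator to a plain lowercase hostname."""
    return value.strip().lower().replace("[.]", ".").rstrip(".")

def classify(domain):
    """Return (cluster, shape) for an event-themed lookalike, else None."""
    host = refang(domain)
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return None
    if not BRAND.search(host):
        return None
    for cluster, shape, pattern in RULES:
        if pattern.search(host):
            return cluster, shape
    return "Review", "brand token only"

def triage(feed):
    """Group a registration feed by cluster, keeping the defanged form."""
    hits = {}
    for domain in feed:
        verdict = classify(domain)
        if verdict:
            hits.setdefault(verdict[0], []).append((domain, verdict[1]))
    return hits

# Sample feed: defanged domains quoted on this page plus constructed benign rows.
FEED = ["https-www-fifa[.]com", "vvww-fifa[.]com", "signin-2026worldcup[.]com",
        "zh-wc2026-official[.]com", "worldcupraydium[.]fun", "fwc26resale[.]com",
        "socolive-wc2026[.]tv", "2026fifa-world-cup[.]com",
        "fifa.com", "www.fifa.com", "example.org"]

if __name__ == "__main__":
    for cluster, rows in triage(FEED).items():
        for domain, shape in rows:
            print(f"{cluster:10} {shape:26} {domain}")
```

Domains that carry a brand token but match no shape fall into a "Review" bucket rather than being dropped, since the hyphenated squats in the staged list have no distinguishing prefix or vocabulary.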
Detection Observations
The active operators split into two recognition profiles. Bottom-of-funnel scams carry strong per-message signal: prize and ticket subject lines, sponsor-brand impersonation, counterfeit-merchandise pricing, and links to known scam infrastructure. The harder cases are the ones that borrow trusted hosting, where the sender is disposable and the payload sits on a reputable cloud domain, so the content of the message is the only thing left to judge.
A few behavioral signals travel well across this landscape. A trusted-brand display name on a freshly registered or random-string sender domain is a strong combination, especially when the only link in the message resolves into object storage. On social ads, the resolved click destination is far more informative than the ad text, and a destination on a known clickbait or piracy network should weigh heavily even when the creative looks benign. For the staged layer, the registration feed itself is the leading indicator: a fixed-date global event with a months-long run-up produces a wave of lookalike registrations long before any of them sends a message, which makes a standing watch on newly registered event-themed domains worthwhile.
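The email signal combination described above (brand display name, disposable sender, links only into object storage) can be scored per message. This is an added example rather than the detection logic behind the analysis: the `looks_random` thresholds and the verdict tiers are assumptions, the first sample reuses the sanitized lure quoted earlier with a constructed body, and the other two messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRANDS = ("fifa", "world cup", "coca-cola")  # display names from the page's lures
STORAGE = ("storage.googleapis.com", "linodeobjects.com")  # hosts named on the page
LURE = re.compile(r"\b(win|won|prize|tickets?|final call)\b", re.I)

def looks_random(label):
    # Assumed heuristic: long, digit-bearing, vowel-poor domain label.
    vowels = sum(c in "aeiou" for c in label)
    digits = sum(c.isdigit() for c in label)
    return len(label) >= 10 and digits >= 2 and vowels / len(label) < 0.2

def on_storage(host):
    return any(host == s or host.endswith("." + s) for s in STORAGE)

def signals(raw):
    """Return the set of signals present in one defanged raw message."""
    msg = message_from_string(raw.replace("[.]", ".").replace("[:]", ":"))
    name, addr = parseaddr(msg["From"] or "")
    local, _, domain = addr.lower().partition("@")
    label = domain.split(".")[0]
    urls = re.findall(r"https?://\S+", msg.get_payload())
    hosts = [urlparse(u).hostname or "" for u in urls]
    found = set()
    # Genuine brand senders should be allowlisted before this check (omitted).
    if any(b in name.lower() for b in BRANDS):
        found.add("brand_display_name")
    if looks_random(label) or (local and local == label):
        found.add("disposable_sender")
    if hosts and all(on_storage(h) for h in hosts):
        found.add("only_object_storage_links")
    if LURE.search(msg["Subject"] or ""):
        found.add("lure_subject")
    return found

def verdict(raw):
    s = signals(raw)
    core = {"brand_display_name", "disposable_sender", "only_object_storage_links"}
    return "high" if core <= s else "review" if len(s) >= 2 else "low"

# Constructed sample messages (defanged, single-part, headers then body).
TICKET_LURE = 'From: "FIFA World Cup 2026" <info@xxnyso9w9z7lvmf99j[.]com>\nSubject: Final Call: Win 2 FIFA World Cup 2026 Tickets\n\nClaim: http[:]//storage.googleapis[.]com/<bucket>/verify-ticket.html\n'
SPONSOR_LURE = 'From: "Coca-Cola Rewards" <k.user4471@freemail.example>\nSubject: You have won a Coca-Cola World Cup 2026 Bundle\n\nhttps[:]//example-bucket.linodeobjects[.]com/claim.html\n'
BENIGN = 'From: "Local Supporters Club" <news@supportersclub.example>\nSubject: Match day meetup schedule\n\nDetails: https://supportersclub.example/meetup\n'
```

The freemail case lands in "review" rather than "high" because the sender domain itself looks ordinary, which is the situation where message content is the only evidence left.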
Mitigation and Guidance
For fans:
- Buy tickets only from the official FIFA ticketing site. Type the address directly rather than following an email, ad, or search result.
- Treat "you have won" tickets, bundles, or prizes as fraud by default. Official prizes do not require a fee, a card number, or identity verification to claim.
- There is no official World Cup cryptocurrency or token. Any "World Cup coin" is a scam.
- Watch for streams advertised as free or official on social media. These commonly lead to malware, credential theft, or paid access to pirated feeds.
For defenders:
- Weight the resolved destination of social ads and shortened links above the surface text, and treat destinations on known clickbait or piracy networks as high-risk regardless of creative.
- Treat a trusted-brand display name on a young or random-string sender domain as a strong signal, particularly when the only link resolves into cloud object storage.
- Stand up a watch on newly registered event-themed domains during the run-up to a major event, and pre-stage blocks for the unambiguous brand-typosquat shapes before they activate.
- Submit confirmed operator domains to threat-feed pipelines early. Much of the staged layer carries no feed coverage yet.
MITRE Fraud Matrix Mapping
Mapped to the MITRE Center for Threat-Informed Defense Fraud matrix. The framework is recent, so technique identifiers below are approximate and aligned to tactic and technique names rather than fixed IDs.
| Tactic | Technique | ID (approx.) |
|---|---|---|
| Resource Development | Acquire lookalike / typosquat domains | FT-RD |
| Resource Development | Abuse trusted hosting and object storage | FT-RD |
| Initial Contact | Phishing email and SMS | FT-IC |
| Initial Contact | Malicious social-media advertising | FT-IC |
| Trust Development | Brand and sponsor impersonation | FT-TD |
| Trust Development | Public-figure / ambassador impersonation | FT-TD |
| Manipulate Victim | Prize and ticket lure | FT-MV |
| Acquire Assets | Credential and payment-data harvest | FT-AA |
| Monetization | Counterfeit merchandise sale | FT-MON |
| Monetization | Crypto token rug pull | FT-MON |
| Concealment | Disposable senders and link redirection | FT-CO |
Indicators of Compromise
All indicators are defanged. Victim and compromised-institution data has been removed.
Senders
| Value | Role | Notes |
|---|---|---|
| 2026_debtrelief@fifacoinsltd[.]com | Sender | Aged domain repurposed with a redirector kit |
| +1-888-515-3125 | Sender | Toll-free SMS, counterfeit-jersey lure |
Note: a large set of single-use senders on random-string and freemail accounts, with trusted-brand display names, are omitted individually because they are disposable and indistinguishable from personal addresses. The pattern is the indicator, not any single address.
Domains (active operators)
| Value | Role | Notes |
|---|---|---|
| worldcupmx[.]shop | Fake store | No WHOIS record |
| buyjerseysstore[.]com | Fake store | Counterfeit jerseys |
| besttopixs[.]com | Clickbait | Fake news-sports portals |
| elephtv[.]life | Streaming piracy | IPTV |
| hdonlive[.]com | Streaming piracy | Event-stream impersonation |
| topiptv[.]xyz | Streaming piracy | IPTV reseller |
| tivi-one[.]net | Streaming piracy | Same reseller cluster |
| ftatv[.]net | Streaming piracy | Arabic-market IPTV |
| goodstreem[.]org | Streaming piracy | Stream aggregator |
| viprize[.]org | Prize scam | Ambassador-impersonation lander |
| fifacoinsltd[.]com | Sender domain | Redirector kit |
Hosts (clickbait subdomains)
| Value | Role | Notes |
|---|---|---|
| topdaily.besttopixs[.]com | Clickbait | Sports-fan ad destination |
| flysport.besttopixs[.]com | Clickbait | Sports-fan ad destination |
| plant.besttopixs[.]com | Clickbait | Sports-fan ad destination |
| gnews.besttopixs[.]com | Clickbait | News-brand impersonation |
| nbcnews.besttopixs[.]com | Clickbait | News-brand impersonation |
| abcnews.besttopixs[.]com | Clickbait | News-brand impersonation |
Domains (staged lookalikes, registered 2026)
| Value | Cluster | Notes |
|---|---|---|
| https-www-fifa[.]com | Typosquat | URL-bar spoof |
| vvww-fifa[.]com | Typosquat | Homoglyph |
| ww-fifa[.]com | Typosquat | Fat-finger |
| www-fifa-com[.]com | Typosquat | URL substitution |
| www-fifa[.]me | Typosquat | TLD swap |
| www-fifa[.]com[.]co | Typosquat | ccTLD swap |
| 2026fifa-world-cup[.]com | Typosquat | Hyphenated squat |
| signin-2026worldcup[.]com | Typosquat | Credential-harvest prefix |
| zh-watch-2026worldcup[.]com | Typosquat | Locale-targeted |
| zh-wc2026-official[.]com | Typosquat | Locale-targeted |
| buyworldcup26tickets[.]com | Ticket | Ticket-fraud shape |
| worldcupticketshop[.]com | Ticket | Ticket-fraud shape |
| fifaticket[.]com | Ticket | Ticket-fraud shape |
| fifaticketscout[.]com | Ticket | Resale shape |
| fwc26resale[.]com | Ticket | Resale shape |
| fifacoinsol[.]xyz | Crypto | Solana lookalike |
| worldcupcoin[.]vip | Crypto | Token lookalike |
| worldcupmemecoin[.]fun | Crypto | Memecoin shape |
| worldcuponpump[.]com | Crypto | Pump.fun derivative |
| worldcupraydium[.]fun | Crypto | Solana DEX shape |
| socolive-wc2026[.]tv | Streaming | Piracy-brand clone |
| iptvworldcup[.]net | Streaming | IPTV shape |
Conclusion
The fraud around the 2026 World Cup is built less like a single operation than like a season: many hands, no shared command, all timed to the same whistle. The active scams are recognizable today, but the more telling signal is the inventory still sitting dormant, hundreds of lookalike domains registered against match dates yet to come. As the tournament progresses, expect the staged layer to come online in waves. The registration feed is the early-warning system; the operators have already told us where they intend to point.