InfoSecBulletin Cybersecurity for mankind
The amount of phishing aimed at the 2026 FIFA World Cup has grown a lot. New studies show that the threats are bigger and more complicated than first thought.
What started as 79 bad domains has now turned into a widespread phishing network with 222 domains linked to 203 different IP addresses. This is almost three times the number of domains and has increased the hosting setup by over 14 times.
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
A follow-up study using passive DNS data, certificate transparency logs, and WHOIS checks shows that 206 out of 222 identified domains are still active.
52 new websites were signed up from April 1 to April 17, 2026. This shows that the campaign is speeding up as the tournament gets closer instead of slowing down.
Many different threat actors are using the same phishing kits that look like FIFA’s official platforms.
Flare says the system is spread out, using 203 different IP addresses. About 80.6% of these sites go through Cloudflare, letting attackers hide where the servers really are by using reverse proxy services. This makes it much harder to shut them down and find out who is behind it.
A smaller subset of IPs hosts multiple phishing domains, including:
38.246.249.74 hosting 8 domains.
154.39.81.213 hosting 6 domains.
148.178.16.48 hosting 5 domains.
The expanded dataset includes 26 registrars, though a few dominate:
GNAME.COM accounts for 42.3% of domains.
GoDaddy follows with 18.9%.
Others include Spaceship, WebNIC, and Alibaba Cloud.
The focus shows that working together to take down important registrars could greatly stop the campaign.
Cloudflare has marked many websites as phishing sites, like fifa-com.store and fifa-com.site, showing warning pages instead of harmful content. But, this is just a tiny part of the whole system, showing the limits of checking each domain one by one.
This campaign shows how big events like the FIFA World Cup offer money-making chances for cybercriminals. With tools for phishing, shared networks, and tricks to hide identities, attackers can grow their actions quickly while avoiding regular defenses.
