Major sporting events have long attracted cybercriminal activity, and the 2026 FIFA World Cup is no exception. Throughout the lead-up to the tournament, we have observed a growing number of FIFA- and World Cup-themed domains associated with betting operations, fake streaming services and apps, credential theft, and other forms of brand abuse. Public reporting has likewise documented concerns around ticket and merchandise scams, fraudulent hospitality offers, and phishing campaigns targeting fans and travelers.

The domains highlighted in this research were identified through our Emergent Threats feed, which aggregates intelligence from multiple sources, including newly registered domains, newly observed domains, certificate issuance activity, and other early-warning indicators. This allows defenders to identify potentially malicious infrastructure as it emerges, often before it becomes widely recognized or actively weaponized.

With the tournament soon underway, organizations should expect continued abuse of FIFA branding and related event infrastructure. Security teams should monitor for World Cup-themed domains, particularly those leveraging ticketing, hospitality, streaming, betting, and account-related lures.

Official FIFA World Cup Infrastructure

One of the simplest ways to reduce risk is to maintain an allowlist of known legitimate FIFA and World Cup-related infrastructure. While organizations should always validate domains independently and avoid overly broad allowlisting practices, the domains below represent official FIFA properties, tournament resources, hospitality platforms, and host-city websites associated with the 2026 FIFA World Cup.

These domains can serve as a useful baseline when reviewing newly registered domains, investigating user reports, tuning detections, or identifying suspicious lookalike registrations. Domains that closely mimic these properties, particularly those containing terms such as “official,” “tickets,” “hospitality,” “login,” “vip,” or host-city names, should be reviewed carefully for potential phishing, fraud, or brand-abuse activity.

FIFA

• fifa.com
• www.fifa.com

Official World Cup Pages

• fifa.com/en/tournaments/mens/worldcup/canadamexicousa2026
• fifa.com/en/tournaments/mens/worldcup
• fifa.com/tickets
• fifa.com/en/tournaments/mens/worldcup/canadamexicousa2026/articles/resale-ticket-exchange-marketplace (Ticket Resale/Exchange Marketplace)
• fifa.com/hospitality

Host Cities

• atlantafwc26.com
• bostonfwc26.com
• dallasfwc26.com
• houstonfwc26.com
• kansascityfwc26.com
• losangelesfwc26.com
• miamifwc26.com
• nynjfwc26.com
• philadelphiasoccer2026.com
• bayareahostcommittee.com
• seattlefwc26.org
• vancouverfwc26.ca
• torontofwc26.ca

Hospitality

• fifaworldcup26.suites.fifa.com

What We’re Seeing

Analysis of World Cup-themed domains reveals several recurring categories:

• Betting and gambling sites using FIFA and World Cup branding to promote sportsbooks, casinos, odds platforms, and wagering services.
• Credential theft and phishing portals incorporating keywords such as “login,” “register,” “official,” and “account.”
• Fake streaming and live broadcast sites leveraging terms such as “tv,” “live,” “zhibo,” and “kanqiu.”
• General FIFA brand abuse designed to capture search traffic, impersonate official services, or redirect users to unrelated content.

Common Domain Patterns

Many suspicious domains appear to be generated from templates, combining FIFA-related keywords with generic modifiers, geographic identifiers, betting terms, or randomly generated strings.

Examples include:

fifa + worldcup + tickets
fifa + official + login
fifa + live + tv
fifa + 2026 + bet
fifa + host city + hotels

Security teams should also watch for clusters of similarly named domains, sequential registrations, domains hosted on free platforms such as Pages.dev, and domains combining FIFA branding with local language terms for betting, streaming, or sports content.

Useful hunting patterns for newly registered and newly observed domains can be found below in the Hunting/Regex section.

Download the Dataset

To assist defenders, we analyzed and categorized thousands of FIFA- and World Cup-themed domains identified through our Emergent Threats feed. Unlike traditional newly registered domain datasets, this feed combines multiple early-warning sources, including newly registered domains, newly observed domains, certificate issuance activity, and other indicators of emerging infrastructure.

The resulting data includes domains categorized as betting, streaming, phishing risk, Club World Cup, and general World Cup brand abuse. Organizations can use this data as a practical starting point for detection engineering, threat hunting, enrichment, and proactive monitoring.

Download the categorized domain list here.

Hunting/Regex

General
(?i)(?=.*(fifa|worldcup|world-cup|fwc26|fifawc|wc2026|copa[-_.]?mundial|mundial2026|shijiebei))(?=.*(ticket|tickets|hospitality|vip|login|register|official|tv|live|stream|bet|odds|casino|slot|togel|apk|download|hotel|travel|boletos|entradas|zhibo|kanqiu|h5|wap|app))
False Positive Suppression
(?i)(afifa|khafifa|hafifa|amalfifa|fifabric|fifamily|fifashion|defifa|fifarm|hififa|ififa)
Core FIFA / World Cup seed terms
(?i)(^|[-_.])(fifa|fwc26|fifawc|fifawcup|wc2026|worldcup|world-cup|fifaworldcup)([-_.]|$)
FIFA + 2026 permutations
(?i)(fifa[-_.]?(2026|26)|(2026|26)[-_.]?fifa|fwc[-_.]?26|wc[-_.]?2026)
World Cup 2026 permutations
(?i)(world[-_.]?cup[-_.]?(2026|26)|(2026|26)[-_.]?world[-_.]?cup|fifa[-_.]?world[-_.]?cup[-_.]?(2026|26))
Fake official / portal lures
(?i)(fifa|worldcup|fwc26|wc2026).*(official|offical|portal|account|login|signin|register|verify|auth|admin|secure|access)
Ticketing / hospitality / travel
(?i)(fifa|worldcup|fwc26|wc2026).*(ticket|tickets|resale|refund|hospitality|vip|suite|pass|entry|hotel|hotels|lodging|apartment|travel|parking|transport|limo)
Streaming / live scores
(?i)(fifa|worldcup|fwc26|wc2026).*(tv|live|stream|streaming|watch|broadcast|score|scores|schedule|fixture|match|zhibo|kanqiu|tiyu|shijiebei)
Betting / gambling
(?i)(fifa|worldcup|fwc26|wc2026).*(bet|odds|casino|slot|slots|togel|poker|stake|parlay|jackpot|gacor|bola|cuan|rtp|sbobet)
APK / game download lures
(?i)(fifa|worldcup).*(apk|android|download|mobile|app|mod|hack|coin|coins|generator|ultimate[-_.]?team|ppsspp)
Cloudflare Pages / disposable hosting
(?i)^(?=.*(fifa|worldcup|fwc26|wc2026)).*\.pages\.dev$
(?i)(fifa|worldcup|fwc26|wc2026).*\.workers\.dev$
Host-city abuse
(?i)(fifa|worldcup|fwc26|wc2026).*(atlanta|boston|dallas|houston|kansas[-_.]?city|los[-_.]?angeles|miami|new[-_.]?york|nyc|new[-_.]?jersey|philadelphia|philly|seattle|vancouver|toronto|guadalajara|monterrey|mexico[-_.]?city|cdmx)
Spanish/Mexico-focused terms
(?i)(fifa|worldcup|mundial|copa[-_.]?mundial).*(boleto|boletos|entrada|entradas|hotel|viaje|vip|transmision|en[-_.]?vivo|apuesta|apuestas)
Chinese-language targeting
(?i)(fifa|worldcup|shijiebei|???).*(zhibo|kanqiu|tiyu|saicheng|yuce|jingcai|touzhu|maiqiu|zh|zhcn|zhs|h5|wap)
High-volume generated campaign pattern
(?i)^(cn|ch|hk|jp|kr|th|us|global|intl|official|m|h5|wap|web|app|live|tv|score|login|register)[-_.].*(fifa|worldcup|fifawc|cwcfifa|wc2026)
Numbered / template-generated domains
(?i)(fifa|worldcup|fwc26|wc2026).*[0-9]{2,4}
(?i)(fifa|worldcup|fwc26|wc2026).*(88|888|999|234|777|138|168|303|365|789)
Club World Cup overlap
(?i)(fifa|cwc|club[-_.]?world[-_.]?cup|fcwc).*(2025|2026|ticket|tv|live|bet|official|app|login)
“Official” Impersonation Cluster
(?i)(official|offical|auth|verify|portal|secure|account|login).*(fifa|worldcup)
H5 / WAP Pattern
This is extremely common in Asian-focused campaigns.
(?i)(^h5-|^wap-|^m-|mobile|app).*(fifa|worldcup)
Country/Language Prefix Campaigns
(?i)^(cn|ch|hk|jp|kr|th|tw|vn|sg|id)[-_.]
combined with:
(?i)(fifa|worldcup|fifawc|wc2026)
Number-Based Gambling Naming
(?i)(fifa|worldcup).*(88|888|168|365|777|789|123|138|303)
High-Abuse TLDs
.cfd
.click
.xyz
.pw
.cam
.fun
.space
.shop

Free subdomain providers
(?i)(fifa|worldcup).*\.(uk|us|sa|za|ru)\.com$