Every World Cup Threat Report Is a Starting Point


Kaveh Azarhoosh

Community & Research Lead


Big events bring big phishing, and the 2026 FIFA World Cup is no exception. Domain registrations containing "FIFA" or "World Cup" in April alone topped five times the Qatar 2022 peak, and the tournament hasn't even kicked off. Attackers go where the attention is.

When attention is this high, the research follows too. In the last month alone, Flare, Check Point, Malwarebytes, and CTM360 have all published World Cup–themed threat reports. That's good for defenders — but no single team can absorb any one of those reports, let alone all four, fast enough to act on it while the campaign is still expanding. The campaign behind any given report keeps moving the day after publication; the next infrastructure layer was already there when the report shipped, one pivot away from what the researcher chose to enumerate.

Why a published report is always a starting point

Every threat report is a snapshot. It is bounded by the pivots the researcher ran, the moment they cut off enumeration, and the visibility their tooling gave them. None of that is a weakness of the researcher; it is a property of the medium. A campaign that registers domains in waves doesn't pause for a publication deadline, so by the next day the public list is already partial. Passive DNS catches up later, sometimes much later. Some of the strongest fingerprints (nameserver clusters that tie multiple registrars together, certificate reuse across cohosts) are only useful if a researcher pivots on them.

Good researchers update their work. Flare did exactly that: their 22 April piece was followed on 20 May by a passive-DNS, certificate-transparency, and WHOIS-driven expansion that nearly tripled their domain count. But the second pass is bounded by its own pivots. The way to extend any report is to run a pivot it didn't.

Three pivots on Flare's reports

On 22 April, Flare published a thorough piece on a FIFA World Cup phishing campaign: 79 lookalike domains across 14 IP addresses, more than half registered through GNAME.COM PTE. LTD. The report named individual domains, mapped the registrar distribution, and walked through the fraud flow. On 20 May, they followed up with an expansion of the dataset to 222 domains across 203 IPs, four operator clusters, and five named shared-hosting origin IPs behind largely Cloudflare-fronted infrastructure.

We took the IOCs from both reports and ran a series of graph pivots against Whisper's infrastructure dataset via MCP-enabled AI assistants. We worked from the public articles (the narrative and the embedded IOC table on the April post), not from Flare's expanded downloadable feed, which is gated behind their contact form. A handful of graph pivots later, three regions of the campaign surfaced that are not in either published article.

Pivot one: cohost on a known-bad IP

The cheapest pivot first. We listed every hostname resolving to any of Flare's original 14 IPs. Most were domains Flare had already flagged plus their www. and wp. subdomains. One was not: fifa[.]website, cohosted on 89.208.250[.]38 alongside Flare's flagged fifa[.]city and fifa[.]kim. Not in either Flare publication, but cohosted with two domains that are. Small on its own — confirmation the cohosting pivot was worth running further.

Pivot two: naming-convention prefix search

The actor's naming convention, the www-fifa.[TLD] typosquat pattern, recurs across Flare's domain set. We ran a fast prefix search against the graph for hostnames matching that shape but not in either Flare publication. Roughly forty candidates came back. We resolved each to its hosting IP. Nineteen pointed at a single address: 182.16.52[.]26, which is neither among the 14 IPs in Flare's April report nor among the five shared-hosting IPs Flare names in their May expansion. We then ran WHOIS on a sample of those nineteen and got the same fingerprint Flare flagged on their core set: registrar GNAME.COM PTE. LTD., creation dates clustered on 17 April, nameservers in the share-dns.com / share-dns.net cluster.

The full list of cohosted domains: www-fifa[.]asia, www-fifa[.]bar, www-fifa[.]biz[.]id, www-fifa[.]bond, www-fifa[.]cfd, www-fifa[.]click, www-fifa[.]club, www-fifa[.]cyou, www-fifa[.]digital, www-fifa[.]icu, www-fifa[.]info, www-fifa[.]lol, www-fifa[.]monster, www-fifa[.]one, www-fifa[.]qpon, www-fifa[.]sbs, www-fifa[.]work, www-fifa[.]xin, www-fifa[.]xyz.

The order of the queries mattered. Cheap query first (name match), cheap query second (resolution), expensive query last (WHOIS). Each layer narrowed the candidate set and added an independent signal. No single layer would have been enough. A cohosted cluster can be a coincidence — an OVH France IP earlier in this investigation showed several cohosted fifa-com subdomains of a free-forum platform, unrelated to the campaign. A WHOIS fingerprint match can be reuse of a popular registrar. Stacked, they lock attribution.

Pivot three: full cohost set on a researcher-named IP

If pivot two extends beyond the IPs Flare named, pivot three extends underneath them. Flare's May follow-up calls out 154.39.81[.]213 as one of five multi-domain hosting IPs in their expanded dataset, hosting six campaign domains. Resolving every hostname on that IP in the graph returns ten cohosted flfa.[TLD] base domains plus fifa[.]moe: flfa[.]online, flfa[.]beer, flfa[.]fun, flfa[.]forum, flfa[.]help, flfa[.]homes, flfa[.]pro, flfa[.]lol, flfa[.]us, flfa[.]click. Same hosting infrastructure, different typosquat trick — l-for-i, a homoglyph that reads as fifa in most sans-serif fonts. The pattern doesn't appear in Flare's enumerated typosquat variants (www-, ww-, vww-, vvww-, wwww-, wc26-).

The operator fingerprints on this cluster look different from pivot two's. Eight of the ten flfa.* domains use dnsowl.com nameservers (NameSilo's free DNS) rather than share-dns. flfa[.]us is on Cloudflare. The exception is flfa[.]click, which sits on share-dns.com / share-dns.net — the bridge between the two operator regions. That looks more like multiple operators sharing hosting infrastructure than a single centralised campaign, which is the same shape Flare describes in their May follow-up. We just see one more pattern than their named taxonomy enumerates.

Two patterns from the three pivots

First, the most durable fingerprint in the www-fifa.[TLD] cluster is the nameserver cluster, not the registrar. The actor changes registrars when they need to. www-fifa2026[.]com, for example, was registered through a Swedish registrar behind a privacy proxy, but it still uses the same share-dns.com nameservers. The registrar is an operational choice the actor changes as needed. The nameserver cluster is infrastructure the actor invests in and keeps. For internal detection on this cluster, the share-dns pivot is the one worth committing to, and it is exactly the kind of pivot a passive-DNS-driven enumeration tends to underweight.

Second, every pivot has a shape, and you only see what your shape catches. A string-typosquat pivot keyed to www-fifa finds pivot two. A multi-domain-IP pivot finds pivot three's host, but only the subset of cohosts your reverse-DNS happens to enumerate. A WHOIS-registrant pivot finds Flare's "Bill John / Newark" and "888 World Cup Management" clusters. A TLS-certificate pivot finds the cert-reuse linkages Flare highlights in their May update. None of those pivots find each other. A campaign at this scale is not one infrastructure problem; it is a stack of overlapping ones. The only practical way to see across them is to run independent pivots cheaply and in parallel.
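As an added example, not Whisper's tooling and not Flare's data, the Python below runs the three pivots described above (cohost on a known-bad IP, typosquat-shape search followed by resolution, full cohost set on a report-named IP) plus the share-dns nameserver pivot independently over a constructed passive-DNS and WHOIS sample, unions the candidates, and then stacks the signals per domain in the cheap-to-expensive order the write-up describes. The hostnames and the three IPs 89.208.250.38, 182.16.52.26 and 154.39.81.213 are taken from this article; the TEST-NET addresses, the creation dates, the non-GNAME registrar names, the Cloudflare nameserver stand-in, the registrable-domain helper and the signal weights are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed passive-DNS-style records (hostname, ip). Names and the three campaign
# IPs come from the article; 203.0.113.9 and 198.51.100.7 are TEST-NET placeholders
# standing in for IPs the article does not give.
RESOLUTIONS = [
    ("fifa.city", "89.208.250.38"), ("www.fifa.kim", "89.208.250.38"), ("fifa.website", "89.208.250.38"),
    ("www-fifa.xyz", "182.16.52.26"), ("www-fifa.icu", "182.16.52.26"), ("www-fifa.click", "182.16.52.26"),
    ("flfa.online", "154.39.81.213"), ("flfa.click", "154.39.81.213"), ("flfa.us", "154.39.81.213"),
    ("www-fifa2026.com", "203.0.113.9"),
    ("fifa-com.example-forum.net", "198.51.100.7"),  # free-forum subdomain, unrelated to the campaign
]
GNAME = "GNAME.COM PTE. LTD."
SHARE_DNS = ("ns1.share-dns.com", "ns2.share-dns.net")
DNSOWL = ("ns1.dnsowl.com", "ns2.dnsowl.com")
CLOUDFLARE = ("ns.cloudflare.example",)  # stand-in for a Cloudflare nameserver
# Constructed WHOIS records; creation dates and non-GNAME registrar names are assumed.
WHOIS = {
    "fifa.website":     {"registrar": GNAME, "created": "2026-04-17", "ns": SHARE_DNS},
    "www-fifa.xyz":     {"registrar": GNAME, "created": "2026-04-17", "ns": SHARE_DNS},
    "www-fifa.icu":     {"registrar": GNAME, "created": "2026-04-17", "ns": SHARE_DNS},
    "www-fifa.click":   {"registrar": GNAME, "created": "2026-04-17", "ns": SHARE_DNS},
    "flfa.click":       {"registrar": GNAME, "created": "2026-04-17", "ns": SHARE_DNS},
    "flfa.online":      {"registrar": "Registrar-B", "created": "2026-04-21", "ns": DNSOWL},
    "flfa.us":          {"registrar": "Registrar-C", "created": "2026-04-22", "ns": CLOUDFLARE},
    "www-fifa2026.com": {"registrar": "Registrar-SE", "created": "2026-04-19", "ns": SHARE_DNS},
}
PUBLISHED = {"fifa.city", "fifa.kim"}   # IOCs already in the public reports (subset)
REPORT_NAMED_IPS = {"154.39.81.213"}    # hosting IP the May follow-up names

NAME_SHAPE = re.compile(r"^(?:www-|ww-|vww-|vvww-|wwww-|wc26-)?f[il]fa[a-z0-9-]*\.", re.I)
NS_CLUSTER = ("share-dns.com", "share-dns.net")
# Assumed weights: the nameserver cluster persists across registrar changes, so it counts double.
WEIGHTS = {"cohost": 1, "name-shape": 1, "registrar": 1, "ns-cluster": 2, "created-in-burst": 1}

def registrable(host):
    """Fold www./wp. labels back onto their parent domain, as the report did."""
    labels = host.lower().split(".")
    if labels[0] in ("www", "wp") and len(labels) > 2:
        labels = labels[1:]
    return ".".join(labels)

def by_ip(resolutions):
    ip_map = defaultdict(set)
    for host, ip in resolutions:
        ip_map[ip].add(registrable(host))
    return ip_map

def cohost_pivot(resolutions, published, named_ips=frozenset()):
    """Pivots one and three: every domain on an IP that hosts a published IOC
    or that the report names itself, minus what is already published."""
    ip_map = by_ip(resolutions)
    hot = {ip for ip, doms in ip_map.items() if doms & published} | set(named_ips)
    return {d for ip in hot for d in ip_map.get(ip, ())} - published

def name_pivot(resolutions, published):
    """Pivot two, first two layers: typosquat-shape match, then resolution ({domain: ip})."""
    return {registrable(h): ip for h, ip in resolutions
            if NAME_SHAPE.match(registrable(h)) and registrable(h) not in published}

def ns_pivot(whois, published):
    """The durable pivot: domains delegated to the share-dns nameserver cluster."""
    return {d for d, r in whois.items() if any(ns.endswith(NS_CLUSTER) for ns in r["ns"])} - published

def score(domain, cohosted, whois, burst_date):
    """Stack independent signals: any one can be coincidence, together they lock attribution."""
    rec = whois.get(domain, {})
    hits = {
        "cohost": domain in cohosted,
        "name-shape": bool(NAME_SHAPE.match(domain)),
        "registrar": rec.get("registrar") == GNAME,
        "ns-cluster": any(ns.endswith(NS_CLUSTER) for ns in rec.get("ns", ())),
        "created-in-burst": rec.get("created") == burst_date,
    }
    reasons = [k for k, hit in hits.items() if hit]
    return sum(WEIGHTS[k] for k in reasons), reasons

def triage(resolutions=RESOLUTIONS, published=PUBLISHED, whois=WHOIS, named_ips=REPORT_NAMED_IPS):
    """Run the pivots independently, union their candidates, then score every candidate."""
    cohosted = cohost_pivot(resolutions, published, named_ips)
    cands = cohosted | set(name_pivot(resolutions, published)) | ns_pivot(whois, published)
    # The registration burst is the modal creation date across the candidate set.
    burst = Counter(whois[d]["created"] for d in cands if d in whois)
    burst_date = burst.most_common(1)[0][0] if burst else None
    return {d: score(d, cohosted, whois, burst_date) for d in sorted(cands)}

def attributed(scored, threshold=3):
    """Domains with enough stacked evidence to treat as campaign infrastructure."""
    return sorted(d for d, (s, _) in scored.items() if s >= threshold)

if __name__ == "__main__":
    results = triage()
    for d, (s, reasons) in sorted(results.items(), key=lambda kv: -kv[1][0]):
        print(f"{s}  {d:28s} {', '.join(reasons)}")
    print("attributed:", attributed(results))
```

On the constructed sample, the forum-platform subdomain matches the name shape and nothing else, so it never reaches the threshold, and flfa[.]online and flfa[.]us stop at cohost plus name shape, which is the "different operator fingerprint" the write-up describes rather than attribution. www-fifa2026[.]com reaches the threshold only because the nameserver signal is weighted above the registrar, which is the assumption behind the weights table and the reason to commit internal detection to the share-dns pivot rather than to the registrar.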
