Threat Actors Target FIFA World Cup 2026
A sophisticated fraud campaign originating from China targets FIFA World Cup 2026 attendees by deploying high-fidelity clones of FIFA ticketing websites. The threat actors use typosquatted domains and a multi-tenant phishing infrastructure to intercept payment card details and bypass SMS-based two-factor authentication in real time. The operation includes a distributed reseller ecosystem with at least 15 active operator instances and primarily leverages Facebook and Instagram in-app browsers for traffic. The core payment routing hub involved lacks financial regulatory authorization and has a history of malicious activity.
AI Analysis
Technical Summary
This campaign involves Chinese-origin threat actors conducting payment fraud against FIFA World Cup 2026 attendees through pixel-perfect website clones and a multi-tenant phishing platform. They utilize typosquatted domains and a commercially developed administrative system to impersonate legitimate FIFA ticketing platforms. The platform acts as a man-in-the-middle framework that intercepts payment card data and bypasses SMS-based two-factor authentication in real time. The distributed reseller ecosystem supports at least 15 active operators. Traffic is mainly driven via Facebook and Instagram in-app browsers. The payment routing hub tbpay[.]uk is unregulated and has a history of malicious behavior. Localization in Simplified Chinese and operator IP geolocations in China indicate PRC-based actors.
Potential Impact
The campaign enables attackers to steal payment card information and bypass SMS-based two-factor authentication, potentially leading to financial fraud and unauthorized transactions for victims attempting to purchase FIFA World Cup 2026 tickets. The use of high-fidelity website clones and typosquatted domains increases the likelihood of successful phishing. The unregulated payment hub further facilitates fraudulent financial operations.
Mitigation Recommendations
No official patch or fix is applicable as this is a fraud campaign rather than a software vulnerability. Defenders should educate users about phishing risks related to FIFA World Cup 2026 ticketing, verify URLs carefully to avoid typosquatted domains, and avoid using in-app browsers for sensitive transactions. Monitoring and blocking known malicious domains such as tbpay[.]uk and related infrastructure is recommended. Users should rely on official FIFA ticketing channels and be cautious of unsolicited social media links. Financial institutions should monitor for suspicious transactions linked to this campaign.
Indicators of Compromise
- ip: 123.100.137.38
- domain: fifa.gold
- domain: fifa-online.com
- ip: 156.226.172.223
- ip: 188.253.7.187
- domain: www-fifa.one
- domain: fifa.center
- domain: fifa.shopping
- domain: fifa.ski
- domain: fifaworldcup26.sale
- domain: ww-fifa.com
- ip: 188.253.7.92
- ip: 216.126.233.30
- ip: 216.126.233.37
- ip: 222.167.244.34
- ip: 27.150.251.195
- ip: 38.60.195.137
- ip: 43.23.232.225
- url: https://admin-zone.tbpay.uk
- url: https://admin-zone.tbpay.uk/users/tenant`
- url: https://sdf-26fifa.top/en/tournaments/mens/worldcup/canadamexicousa2026`
- url: https://www.ww-fifa.com/cart`
- domain: 1346590.com
- domain: aa-fifa.shop
- domain: gx-fifa26.shop
- domain: sdf-26fifa.top
- domain: site-fifa.site
- domain: www-fifa.asia
- domain: www-fifa.bar
- domain: www-fifa.bio
- domain: www-fifa.biz.id
- domain: www-fifa.bond
- domain: www-fifa.cfd
- domain: www-fifa.click
- domain: www-fifa.club
- domain: www-fifa.cyou
- domain: www-fifa.digital
- domain: www-fifa.icu
- domain: www-fifa.info
- domain: www-fifa.lol
- domain: www-fifa.monster
- domain: www-fifa.my
- domain: www-fifa.my.id
- domain: www-fifa.qpon
- domain: www-fifa.sbs
- domain: www-fifa.web.id
- domain: www-fifa.work
- domain: www-fifa.xin
- domain: www-fifa.xyz
- domain: wz-fifa26.shop
- domain: fifa-rbi605.p.tawkto.email
- domain: admin-zone.tbpay.uk
- domain: www.fifaworldcup.one
- domain: www.ww-fifa.com
Threat Actors Target FIFA World Cup 2026
Description
A sophisticated fraud campaign originating from China targets FIFA World Cup 2026 attendees by deploying high-fidelity clones of FIFA ticketing websites. The threat actors use typosquatted domains and a multi-tenant phishing infrastructure to intercept payment card details and bypass SMS-based two-factor authentication in real time. The operation includes a distributed reseller ecosystem with at least 15 active operator instances and primarily leverages Facebook and Instagram in-app browsers for traffic. The core payment routing hub involved lacks financial regulatory authorization and has a history of malicious activity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This campaign involves Chinese-origin threat actors conducting payment fraud against FIFA World Cup 2026 attendees through pixel-perfect website clones and a multi-tenant phishing platform. They utilize typosquatted domains and a commercially developed administrative system to impersonate legitimate FIFA ticketing platforms. The platform acts as a man-in-the-middle framework that intercepts payment card data and bypasses SMS-based two-factor authentication in real time. The distributed reseller ecosystem supports at least 15 active operators. Traffic is mainly driven via Facebook and Instagram in-app browsers. The payment routing hub tbpay[.]uk is unregulated and has a history of malicious behavior. Localization in Simplified Chinese and operator IP geolocations in China indicate PRC-based actors.
Potential Impact
The campaign enables attackers to steal payment card information and bypass SMS-based two-factor authentication, potentially leading to financial fraud and unauthorized transactions for victims attempting to purchase FIFA World Cup 2026 tickets. The use of high-fidelity website clones and typosquatted domains increases the likelihood of successful phishing. The unregulated payment hub further facilitates fraudulent financial operations.
Mitigation Recommendations
No official patch or fix is applicable as this is a fraud campaign rather than a software vulnerability. Defenders should educate users about phishing risks related to FIFA World Cup 2026 ticketing, verify URLs carefully to avoid typosquatted domains, and avoid using in-app browsers for sensitive transactions. Monitoring and blocking known malicious domains such as tbpay[.]uk and related infrastructure is recommended. Users should rely on official FIFA ticketing channels and be cautious of unsolicited social media links. Financial institutions should monitor for suspicious transactions linked to this campaign.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.cloudsek.com/blog/chinese-origin-threat-actors-target-fifa-world-cup-2026"]
- Adversary
- null
- Pulse Id
- 6a2ae2e76dc9f990eeb985f0
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip123.100.137.38 | — | |
ip156.226.172.223 | — | |
ip188.253.7.187 | — | |
ip188.253.7.92 | — | |
ip216.126.233.30 | — | |
ip216.126.233.37 | — | |
ip222.167.244.34 | — | |
ip27.150.251.195 | — | |
ip38.60.195.137 | — | |
ip43.23.232.225 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainfifa.gold | — | |
domainfifa-online.com | — | |
domainwww-fifa.one | — | |
domainfifa.center | — | |
domainfifa.shopping | — | |
domainfifa.ski | — | |
domainfifaworldcup26.sale | — | |
domainww-fifa.com | — | |
domain1346590.com | — | |
domainaa-fifa.shop | — | |
domaingx-fifa26.shop | — | |
domainsdf-26fifa.top | — | |
domainsite-fifa.site | — | |
domainwww-fifa.asia | — | |
domainwww-fifa.bar | — | |
domainwww-fifa.bio | — | |
domainwww-fifa.biz.id | — | |
domainwww-fifa.bond | — | |
domainwww-fifa.cfd | — | |
domainwww-fifa.click | — | |
domainwww-fifa.club | — | |
domainwww-fifa.cyou | — | |
domainwww-fifa.digital | — | |
domainwww-fifa.icu | — | |
domainwww-fifa.info | — | |
domainwww-fifa.lol | — | |
domainwww-fifa.monster | — | |
domainwww-fifa.my | — | |
domainwww-fifa.my.id | — | |
domainwww-fifa.qpon | — | |
domainwww-fifa.sbs | — | |
domainwww-fifa.web.id | — | |
domainwww-fifa.work | — | |
domainwww-fifa.xin | — | |
domainwww-fifa.xyz | — | |
domainwz-fifa26.shop | — | |
domainfifa-rbi605.p.tawkto.email | — | |
domainadmin-zone.tbpay.uk | — | |
domainwww.fifaworldcup.one | — | |
domainwww.ww-fifa.com | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://admin-zone.tbpay.uk | — | |
urlhttps://admin-zone.tbpay.uk/users/tenant` | — | |
urlhttps://sdf-26fifa.top/en/tournaments/mens/worldcup/canadamexicousa2026` | — | |
urlhttps://www.ww-fifa.com/cart` | — |
Threat ID: 6a3052ca0b89be688882691b
Added to database: 6/15/2026, 7:30:18 PM
Last enriched: 6/15/2026, 8:31:34 PM
Last updated: 6/15/2026, 10:17:14 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.