Key Takeaways
- Dual-Track Targeting: A multi-actor campaign ahead of the 2026 FIFA World Cup combines consumer-facing fraud (fake ticketing, payments, merchandise) with a novel cluster of 27+ domains impersonating FIFA enterprise IT tools — a targeting profile with no documented parallel in prior tournaments.
- Staged Infrastructure: Six distinct operator clusters spanning 70 IPs and 450+ domains show no active credential-harvest pages, but configured vhosts, live email DNS, and access-controlled subdomains indicate phishing infrastructure staged for targeted link-based activation.
- Active Email Risk: Of seven originally identified email-ready domains, five have been remediated. Two — f-ifa[.]de and fi-fa[.]de — retain live MX and SPF records with no DMARC, allowing spoofed email delivery without recipient-side rejection.
- Signal Correlation Required: No single indicator in this campaign is independently conclusive. The threat only becomes visible when registration data, DNS state, hosting patterns, and OSINT are assembled together — exceeding the capacity of manual, analyst-driven investigation at this scale.
Dataset at a Glance
- 70 IPs analysed — 22 rated HIGH risk
- 450 domain indicators — 194 suspicious squatted
- 33 typosquat domains — hyphenated + IDN variants
- 6 operator clusters — distinct infrastructure sets
- 2 email-risk domains: 5 of 7 remediated or dormant (live check 27 May 2026)
- 48 corporate-service mail/login/VPN subdomains
- 78 host-nation ccTLDs — US, CA, UK, FR, DE, AU, MX
- 65 auth DNS records — DMARC, BIMI, DKIM observed
Executive Summary
The Dataminr team recently carried out a technical investigation of 70 IP addresses and 450 domain indicators confirming a sustained, multi-actor brand impersonation campaign ahead of the 2026 FIFA World Cup.
Six distinct operator clusters have been identified, differing in target profile, infrastructure, and operational readiness. The campaign spans consumer-facing fraud that leverages fake ticketing, payment pages, and merchandise scams, which is consistent with patterns documented at every World Cup since 2014. There is a separate strand targeting FIFA’s internal corporate IT systems, which has not been documented in previous World Cup tournaments.
Upon probing the 48 IPs, the Dataminr team found that they expose only ports 80 and 443, which is consistent with CDN-fronted or firewall-protected hosting. Direct content probing of every login, dashboard, checkout, and portal subdomain in this dataset found no active credential-harvest pages; however, the infrastructure pattern is consistent with staged delivery awaiting activation rather than live phishing portals.
The most operationally significant finding is a cluster of 27 or more domains mimicking FIFA enterprise tools, entirely hosted on a single IP, with no consumer-facing parallel and no analogue in 2022 or 2018 primary research.
The Dataminr team re-verified its initial findings on 27 May 2026, and confirmed core infrastructure remains active. The most significant change since the initial collection occurred in the email threat vector – five of the seven original email-ready domains have been remediated or rendered dormant. However, f-ifa[.]de and fi-fa[.]de remain fully configured with live MX and SPF records but no DMARC.
This campaign poses significant risk because it is not detectable through any single control. Each cluster is individually ambiguous — consumer fraud domains blend into CDN traffic, the enterprise IT infrastructure produces no malicious signal until a link is clicked, and IDN typosquats bypass string-match blocklists by design. The signal only becomes visible when registration activity, DNS state, hosting patterns, and open-source intelligence are assembled together and filtered against an organization’s specific environment. The IOCs documented here were identified after the infrastructure was already staged. Agentic intelligence autonomously assembles signals and continuously re-evaluates them across all sources simultaneously, moving that discovery window to the build phase, when response is still low-cost.
Key Observations
Two Separate Targeting Profiles Are Present Simultaneously
As previously mentioned, the campaign is targeting both consumers and the enterprise. Consumer targeting leverages suspicious domains to target fans through fake ticketing, payment fraud, and merchandise scams — consistent with every prior World Cup.
A distinct and operationally separate cluster of 27 or more domains specifically mimics the enterprise tools FIFA staff use, including Cambium cnmaestro network controllers, Ruckus Wi-Fi dashboards, cPanel hosting panels, Exchange autodiscover, intranet portals, and webmail. Their appearance in a coordinated infrastructure cluster has no legitimate explanation within a fan-fraud campaign and no documented public parallel in 2022 or 2018 reporting.
This second cluster is entirely hosted on a single Team Internet AG IP (104.247.81[.]99), corroborated by two independent data collection pipelines, and is the most operationally significant finding in the dataset.
Email-Ready Domains — Status Significantly Changed Since Collection
Seven domains were originally assessed as fully configured to send phishing email. Live re-verification shows the picture has changed materially. The table below reflects the current DNS state as of 27 May 2026.
| Domain | Status | Notes | MX | SPF | DMARC |
|---|---|---|---|---|---|
| fifa[.]fans | REMEDIATED | Redirects to fifa[.]com. Likely FIFA/CSC-controlled. Remove from blocklist. | custmx.cscdns[.]net | v=spf1 -all | p=reject (Proofpoint) |
| fifa[.]sucks | DEFENSIVE REG | Resolves to CSC IP (165.160.13[.]20). Consistent with legitimate FIFA registration. | custmx.cscdns[.]net | v=spf1 -all | p=reject (Proofpoint) |
| fifa[.]digital | DEFENSIVE REG | Resolves to CSC IP. DMARC record appears malformed (multi-string TXT). Verify with CSC. | custmx.cscdns[.]net | v=spf1 -all | v=DMARC1 (partial) |
| f-ifa[.]de | ACTIVE | No DMARC. Unchanged from original finding. Highest remaining email risk. BLOCK. | mail.h-email[.]net | v=spf1 -all | NONE |
| fi-fa[.]de | ACTIVE | No DMARC. Unchanged. BLOCK. | mailin100.dcpserver[.]de | v=spf1 include:spf.dcpserver[.]de | NONE |
| fifa[.]life | DEGRADED | _dmarc record returns SPF, not DMARC. Parking MX. Low immediate risk. Verify ownership. | park-mx.above[.]com | v=spf1 -all | NONE (misconfigured) |
| fifa[.]today | DORMANT | Null MX — cannot send email. For-sale page (Afternic). | null MX (0 .) | v=spf1 -all | NONE |
| fifa[.]direct | DORMANT | Null MX. No email threat. | null MX (0 .) | v=spf1 -all | NONE |
| fifa[.]world | DORMANT | Null MX. No email threat. | null MX (0 .) | v=spf1 -all | NONE |
IDN Typosquats — Registration Confirmed, Nameservers Changed
xn--ffa-nma[.]com and xn--ffa-pdb[.]com were registered five days apart and resolve to the same IP (2.57.91[.]91). These domains render as near-identical FIFA lookalikes in browser address bars and bypass string-match blocklists. Registration dates were verified against the Verisign RDAP primary registry. The timing — ten weeks before tournament kick-off — is consistent with the domain aging strategy documented across the broader 2026 campaign and in the 2022 campaign.
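As an added illustration (not code from the Dataminr report), the Python below decodes the two punycode labels above to the form a browser renders and reduces them to a diacritic-stripped skeleton, so a blocklist can match on the brand rather than the raw string; the brand list and the skeleton rule are assumptions for the example.

```python
import unicodedata

# Brand labels to protect (assumption for this example).
BRANDS = {"fifa"}

# The two labels from the text, plus two plain controls.
SAMPLE_DOMAINS = ["xn--ffa-nma.com", "xn--ffa-pdb.com", "fifa.com", "fifa-tickets.example"]


def to_unicode(domain):
    """Decode each xn-- label back to the Unicode form a browser address bar renders."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")  # stdlib IDNA/punycode decoder
        labels.append(label)
    return ".".join(labels)


def skeleton(label):
    """Crude confusable skeleton: NFKD-decompose, then drop combining marks.
    Assumption: accented Latin letters are the only homoglyph class handled here;
    a production check would also consult the Unicode confusables data."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def assess(domain):
    """Report what the domain renders as and whether its first label collapses onto a brand."""
    rendered = to_unicode(domain)
    first = rendered.split(".")[0]
    return {
        "domain": domain,
        "rendered": rendered,
        "is_idn": "xn--" in domain.lower(),
        "skeleton": skeleton(first),
        "brand_confusable": first not in BRANDS and skeleton(first) in BRANDS,
    }


def flag_confusables(domains):
    """Domains a plain string blocklist for 'fifa' misses but a skeleton match catches."""
    return [d for d in domains if assess(d)["brand_confusable"]]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = assess(d)
        print(f"{d:24} -> {r['rendered']:24} skeleton={r['skeleton']} "
              f"confusable={r['brand_confusable']}")
```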
The IP and Domain Datasets Independently Corroborate Each Other
The IP 104.247.81[.]99 appears in the original IP dataset and separately hosts domains from the domain dataset — two distinct collection pipelines converging on the same infrastructure. Independent corroboration from separate sources substantially increases confidence in an IOC. This IP should be treated as a high-confidence block candidate with no known legitimate traffic.
Parking Pages Dominate — No Active Portals Observed in This Dataset
Direct probing of all login, dashboard, checkout, portal, and admin subdomains returned parking pages, for-sale notices, empty bodies, bare healthcheck responses, or connection timeouts. The one confirmed live service on pay.fifa[.]cash is an unrelated Chinese-language payment platform (KODY) with no FIFA branding. No credential-harvest page or FIFA-branded login portal was directly observed.
This finding is specific to the subdomains probed in this dataset. Active phishing portals have been documented in the broader 2026 campaign by other researchers, but against different domain clusters involving direct fifa[.]com lookalikes rather than the enterprise-tool subdomains covered here.
The [.]com.ci Long-Label Cluster — Dormant, Warrants Continued Monitoring
Six entries with 80–200 character high-entropy subdomain labels under fifa[.]com[.]ci exhibit a pattern consistent with DNS tunneling infrastructure, where encoded data is passed within DNS queries to communicate with compromised systems. The specific long-label queries returned NXDOMAIN throughout investigation and again on 27 May 2026, indicating the infrastructure is either dormant, not yet activated, or the observed labels were historical passive DNS captures. The pattern cannot be confirmed as active DNS tunneling without evidence of live resolution.
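The length-and-entropy heuristic described above, and the NXDOMAIN-to-resolution transition the text treats as the activation signal, as an added Python example that is not part of the report. The report's real labels are elided, so the long labels here are synthetic stand-ins generated from a fixed seed; the 80-character floor comes from the text, the 3.5 bits/char entropy floor is an assumption.

```python
import math
import random
from collections import Counter

ZONE = "fifa.com.ci"
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def _synthetic_label(n, seed):
    """Constructed stand-in for the elided labels: seeded base36 text split into <=63-char DNS labels."""
    chars = "".join(random.Random(seed).choices(ALPHABET, k=n))
    return ".".join(chars[i:i + 63] for i in range(0, n, 63))


# Constructed sample FQDNs: two ordinary hostnames, two tunneling-shaped ones, one long but repetitive.
SAMPLE_FQDNS = [
    "www." + ZONE,
    "img." + ZONE,
    _synthetic_label(96, 1) + "." + ZONE,
    _synthetic_label(184, 2) + "." + ZONE,
    ("a" * 90) + "." + ZONE,  # long but zero-entropy: must not be flagged
]


def shannon_entropy(s):
    """Bits per character; log2(36) = 5.17 is the ceiling for base36 text."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def subdomain_part(fqdn, zone):
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not under {zone}")
    return fqdn[: -(len(zone) + 1)]


def label_stats(fqdn, zone=ZONE):
    """Length and entropy of everything left of the zone, dots removed (one label may hold <=63 chars)."""
    sub = subdomain_part(fqdn, zone)
    payload = sub.replace(".", "")
    return {"fqdn": fqdn, "labels": sub.count(".") + 1,
            "payload_len": len(payload), "entropy": round(shannon_entropy(payload), 2)}


def looks_like_tunneling(fqdn, zone=ZONE, min_len=80, min_entropy=3.5):
    """The heuristic from the text: 80+ chars of high-entropy subdomain data under one zone."""
    s = label_stats(fqdn, zone)
    return s["payload_len"] >= min_len and s["entropy"] >= min_entropy


def flag_candidates(fqdns, zone=ZONE):
    return [f for f in fqdns if looks_like_tunneling(f, zone)]


def activation_alert(previous_state, current_state):
    """Fire once, on the NXDOMAIN -> resolving transition; repeated NXDOMAIN checks stay silent."""
    return previous_state == "NXDOMAIN" and current_state == "RESOLVED"


if __name__ == "__main__":
    for f in SAMPLE_FQDNS:
        print(label_stats(f), "FLAG" if looks_like_tunneling(f) else "")
```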
Operator Clusters
| Cluster | Profile | Description | Hosting | IP | ASN | Example indicators |
|---|---|---|---|---|---|---|
| A | Consumer fraud (fan-facing) | Fake ticketing, payment fraud, FIFA ID credential harvest. 200+ domains. Consistent with 2022 and 2018 consumer-fraud patterns. | Cloudflare anycast | | AS13335 | pay.fifa[.]cash, checkout.fifa[.]net, fifa[.]today, fifa[.]direct, fifa[.]world |
| B | Enterprise IT typosquat (employee-facing) | Impersonates FIFA internal tools: Cambium cnmaestro, Ruckus Wi-Fi, cPanel, webmail, intranet, autodiscover. 27 domains on a single IP. Confirmed live 27 May 2026. | Team Internet AG | 104.247.81[.]99 | AS206834 | cnmaestro.f-ifa[.]de, ruckus.fi-fa[.]de, intranet.f-ifa[.]de, dashboard.f-ifa[.]de, f-ifa[.]de, fifa[.]lv |
| C | Artfiles-hosted fi-fa[.]de (access-controlled) | 403/404 responses — configured vhosts, not publicly browsable. Delivery likely via direct phishing links only. | Artfiles New Media | 212.53.187[.]4 | AS8893 | ruckus.fi-fa[.]de, zdqrdwebmail.fi-fa[.]de, zonedirector.fi-fa[.]de |
| D | IDN / punycode typosquats (browser spoofing) | Render as FIFA lookalikes in browser address bars. Bypass string-match blocklists. Registration RDAP-confirmed. Registered 10 weeks pre-tournament. | Unknown | 2.57.91[.]91 | | xn--ffa-nma[.]com (registered 2026-03-25), xn--ffa-pdb[.]com (registered 2026-03-30); shared IP confirmed |
| E | Russian-hosted enterprise tool impersonation | FASTPANEL hosting panel confirmed live (27 May 2026). Mimics Cisco Meraki — consistent with Cluster B enterprise targeting theme. | EuroByte LLC (RU) | 178.57.217[.]59 | AS210079 | meraki.fifa[.]su, vqfxforum.fifa[.]su, img.fifa[.]su, gugiyforum.fifa[.]su |
| F | .com[.]ci long-label cluster (probable DNS tunneling prep) | High-entropy subdomain labels consistent with DNS tunneling. Long-label queries returned NXDOMAIN throughout investigation and on 27 May 2026 live check. Infrastructure dormant or not yet activated. Monitor only. | Cloudflare proxy | 104.21.85[.]179 | AS13335 | djwcehy.k1857e9g…fifa.com[.]ci, y-sdo5dpgi07…fifa.com[.]ci (6 entries, labels 80–200 chars) |
Technical Findings
Infrastructure Exposure
All 48 IPs probed via masscan and direct HTTP/HTTPS probing expose ports 80 and 443 only. All other ports — including common C2, database, remote access, and mail relay ports — were filtered. This is consistent with CDN-fronted or firewall-protected hosting rather than exposed bare-metal infrastructure. TLS port 443 was blocked outbound from the scanning environment; HTTP response headers and content were obtained via direct curl probes with correct Host headers.
Email Authentication Landscape
The dataset contains 36 DMARC records, 15 BIMI records, and 14 DKIM selector records. These are DNS observations from passive collection, not necessarily active threat-actor infrastructure — many belong to FIFA’s own legitimate email systems. The significant subset is the suspicious domains with fully configured outbound email stacks. As of 27 May 2026, only f-ifa[.]de and fi-fa[.]de meet this threshold: both have live MX and SPF records but no DMARC, a deliberate configuration that prevents recipient mail systems from applying reject policies to inbound mail claiming to originate from these domains.
An independent assessment by Proofpoint confirmed that more than one-third of official FIFA World Cup 2026 sponsors and partners lack sufficient email authentication controls, and that FIFA itself maintains a full DMARC reject policy. This corroborates the broader email attack surface concern.
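The threshold this section applies (live MX plus SPF with no DMARC), along with the null-MX, parking-MX and misconfigured-_dmarc cases in the email-readiness table earlier, as an added Python classifier that is not part of the report. It works on constructed DNS observations modelled on that table rather than querying DNS, and the parking-MX host list is an assumption seeded from the table.

```python
from dataclasses import dataclass

# Constructed parking-MX hosts; park-mx.above.com is the one named in the table. Extend as needed.
PARKING_MX = {"park-mx.above.com"}


@dataclass
class DnsObservation:
    """Records a live or passive-DNS lookup returned for one domain (all values constructed here)."""
    domain: str
    mx: list         # (preference, exchange) tuples; [(0, ".")] is a null MX (RFC 7505)
    apex_txt: list   # TXT records at the apex; each record is a tuple of character-strings
    dmarc_txt: list  # TXT records at _dmarc.<domain>, same shape


def join_txt(record):
    """A TXT RR may carry several character-strings; RFC 7489 says to concatenate them."""
    return "".join(record)


def parse_tags(value):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict with lower-cased keys."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def classify(obs):
    """Return (status, notes) describing the outbound-spoofing risk a lookalike domain poses."""
    notes = []
    null_mx = any(exchange.strip(".") == "" for _, exchange in obs.mx)
    spf = next((join_txt(r) for r in obs.apex_txt
                if join_txt(r).lower().startswith("v=spf1")), None)
    dmarc = None
    for record in obs.dmarc_txt:
        value = join_txt(record)
        if value.lower().startswith("v=dmarc1"):
            dmarc = parse_tags(value)
            if len(record) > 1:
                notes.append("DMARC is a multi-string TXT record; verify recipients parse it")
        elif value.lower().startswith("v=spf1"):
            notes.append("_dmarc holds an SPF record, not a DMARC policy (misconfigured)")
    if null_mx:
        return "DORMANT", notes + ["null MX: domain declares no mail service"]
    if dmarc is not None:
        policy = dmarc.get("p", "none").lower()
        if policy in ("reject", "quarantine"):
            return "PROTECTED", notes + [f"DMARC p={policy} lets recipients reject spoofed mail"]
        return "PARTIAL", notes + [f"DMARC present but not enforcing (p={policy})"]
    if obs.mx and spf:
        if all(ex.rstrip(".").lower() in PARKING_MX for _, ex in obs.mx):
            return "DEGRADED", notes + ["parking MX only: low immediate sending risk"]
        return "ACTIVE", notes + ["live MX + SPF and no DMARC: spoofed mail is not rejected"]
    return "INCOMPLETE", notes + ["no complete outbound stack (MX or SPF missing)"]


# Constructed observations modelled on rows of the table; MX hosts are the ones the table lists.
SAMPLES = [
    DnsObservation("f-ifa.de", [(10, "mail.h-email.net.")], [("v=spf1 -all",)], []),
    DnsObservation("fifa.today", [(0, ".")], [("v=spf1 -all",)], []),
    DnsObservation("fifa.life", [(10, "park-mx.above.com.")], [("v=spf1 -all",)], [("v=spf1 -all",)]),
    DnsObservation("fifa.sucks", [(10, "custmx.cscdns.net.")], [("v=spf1 -all",)],
                   [("v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",)]),
    DnsObservation("fifa.digital", [(10, "custmx.cscdns.net.")], [("v=spf1 -all",)],
                   [("v=DMARC1; p=no", "ne")]),  # multi-string TXT that joins to p=none
]


def triage(observations):
    """Map each domain to its status, the way the status column of the table is built."""
    return {obs.domain: classify(obs)[0] for obs in observations}
```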
Nameserver Attribution
Three domains — f-ifa[.]de, fifa[.]lv, and fifa[.]you — originally shared ParkingCrew nameservers, which would have allowed a single registrar abuse report to disrupt all three. As of 27 May 2026, f-ifa[.]de and fifa[.]lv remain on ParkingCrew nameservers, but fifa[.]you has moved to dyna-ns[.]net and is now separately operated. The fi-fa[.]de cluster continues to use Artfiles nameservers and is independently operated.
HTTP Content Findings
Direct probing of all login, dashboard, checkout, portal, and admin subdomains produced the following results. Of note, no login form, credential-harvest page, or FIFA-branded dashboard was directly observed during probing of this dataset’s specific subdomains. The infrastructure pattern — enterprise-tool naming, configured email DNS, access-controlled vhosts returning 403 — is consistent with staged phishing delivery infrastructure that activates via targeted links rather than open browsing.
| Host | Result | Detail |
|---|---|---|
| login.fifa[.]fi | Parking / for-sale | Domain for SALE — Catcha.fi (confirmed unchanged 27 May 2026) |
| 62.122.170[.]171 | Parking | SNPARKING.RU |
| dashboard.fifa[.]nl, checkout.fifa[.]net, payment.fifa[.]direct, admin.fifa[.]sucks | Empty body / JS redirect | Stub responses only |
| login.fifa[.]ca, login.fifa[.]it, login.fifa[.]co | Bare healthcheck | Returns “OK” with no HTML |
| ruckus.fi-fa[.]de, zdqrdwebmail.fi-fa[.]de, zonedirector.fi-fa[.]de | Artfiles default 404 | Unchanged 27 May 2026 |
| cnmaestro.f-ifa[.]de, intranet.f-ifa[.]de, all dashboard.f-ifa[.]de | Connection refused / timeout | SNI required; HTTP and HTTPS both timeout (27 May 2026 live check) |
| pay.fifa[.]cash | Live non-FIFA service | Chinese-language payment platform (KODY, Laravel). No FIFA branding. Confirmed unchanged 27 May 2026. |
| fifa[.]fans | Redirects to fifa[.]com | HTTP → www.fifa[.]com. Likely FIFA/CSC-controlled. Status changed since original collection. |
| exchange.fifa.org[.]uk | Confirmed legitimate FIFA infra | IONOS / Microsoft Exchange |
| ssprodsecwaf001prd.fifa[.]org | Confirmed legitimate FIFA infra | Microsoft Azure WAF |
Immediate Actions
Teams should take the following steps to ensure timely detection, containment, and disruption of infrastructure across all six operator clusters.
Block Without Collateral Risk
- Block 104.247.81[.]99 (Team Internet AG) and 212.53.187[.]4 (Artfiles New Media) at the perimeter. Live check confirms both host only typosquat or malicious infrastructure. No legitimate FIFA traffic resolves to either IP.
- Block 185.53.179[.]146 (Team Internet, .you/.fyi cluster).
- Add IDN typosquats to DNS blocklists: xn--ffa-nma[.]com and xn--ffa-pdb[.]com. Registration RDAP-confirmed. Both still resolve to 2.57.91[.]91.
- Punycode and IDN registrations surface as early indicators when autonomous monitoring correlates registration timing, naming patterns, and shared infrastructure; the ten-week pre-tournament aging pattern observed here is a detectable signal at registration time, not discovery time.
Email Gateway — Revised Rules
- PRIORITY BLOCK: f-ifa[.]de and fi-fa[.]de. Both have live MX and SPF with no DMARC. Unchanged. These are the two highest remaining email risks in the dataset.
- Lookalike domain registration combined with live MX configuration and absent DMARC is a correlated signal cluster. Autonomous assembly of these DNS observables against a known brand target flags phishing-ready infrastructure before first use — without requiring an analyst to manually query each domain.
- RETIRE blocks for fifa[.]fans (now redirects to fifa[.]com — likely FIFA-controlled), fifa[.]sucks and fifa[.]digital (CSC infrastructure, consistent with defensive registrations), and fifa[.]today, fifa[.]direct, fifa[.]world (null MX records — these domains are physically incapable of sending email).
- The DNS state changes confirmed here required manual re-verification across nine domains. Continuous autonomous re-evaluation of flagged infrastructure propagates status changes directly into analyst workflows — blocklists stay current without recurring manual overhead.
- VERIFY fifa[.]life with CSC before taking action. The _dmarc record is misconfigured (returns an SPF record rather than a DMARC record). Low immediate risk but ownership should be confirmed.
- CONFIRM fifa[.]net is FIFA/CSC-controlled (resolves to CSC IP, Proofpoint DMARC in place) before adding to any blocklist.
- Monitor f-ifa[.]de and fi-fa[.]de as sender domains. Both have MX and SPF configured without DMARC — recipient mail systems cannot apply DMARC reject policies to inbound mail claiming to originate from these domains.
Staff Advisory — Enterprise Tool Impersonation
- Issue a targeted advisory to IT staff, network engineers, and anyone managing Cambium cnmaestro or Ruckus wireless infrastructure, cPanel hosting, or Exchange/OWA access. The cnmaestro, ruckus, intranet, webmail, and autodiscover subdomains on f-ifa[.]de and fi-fa[.]de are specifically named to deceive users of these tools. All confirmed live as of 27 May 2026.
- fi-fa[.]de vhosts return 403 or 404 — they are configured but not publicly browsable. This is consistent with delivery-only infrastructure that activates only when a user clicks a phishing link. Staff should not assume that a page failing to load means a link is safe.
UDRP and Takedown Priority
- f-ifa[.]de and fifa[.]lv still share ParkingCrew nameservers as of 27 May 2026. A single registrar abuse report targeting the ParkingCrew account disrupts both simultaneously. This remains the highest-leverage single takedown action available.
- fifa[.]you has moved to dyna-ns[.]net nameservers. File a separate registrar abuse report for this domain — a ParkingCrew-targeted action no longer covers it.
- xn--ffa-nma[.]com and xn--ffa-pdb[.]com have moved from Hosting Concepts B.V. to dns-parking[.]com nameservers since original collection. File separate takedown actions for each domain against the current registrar.
- For the Cloudflare-proxied consumer fraud cluster (Cluster A), coordinate with Cloudflare Trust & Safety at campaign level rather than domain by domain. More than 80% of those domains route through Cloudflare.
Monitor and Watch
- Watch the .com[.]ci long-label cluster for DNS resolution activity. Long-label subdomains are still returning NXDOMAIN as of 27 May 2026. If they begin resolving, that is the activation signal for potential DNS tunneling. Do not characterise this cluster as confirmed active tunneling in reporting until resolution is observed.
- Monitor 165.160.13[.]20 (CSC) for new domains incorporating checkout, pay, login, internal, or admin. Do not bulk-block this IP — it also hosts confirmed legitimate FIFA ccTLD registrations.
- Maintain elevated monitoring through the 19 July tournament final. Primary research from Check Point in 2018 and Trend Micro in 2022 confirms that campaign activity peaks pre-tournament, surges again at kick-off, and continues actively through the final. Ticket sale windows and match days are historically higher-risk periods.
Detection & Defense Alignment
The six operator clusters documented in this report represent three distinct detection challenges. Addressing them requires capabilities that go beyond what analyst-driven investigation can sustain.
Consumer Fraud Infrastructure (Cluster A) — Autonomous Pattern Recognition at Scale
Two hundred or more domains across Cloudflare anycast cannot be tracked through manual processes. The detectable signal is structural — registration clustering, shared nameserver patterns, subdomain naming conventions, and keyword combinations that emerge weeks before campaigns activate.
Catching this cluster at the build phase requires autonomous monitoring that continuously assembles these patterns across registration feeds, passive DNS, and open-source sources simultaneously, without waiting for an analyst to query them.
Enterprise IT Impersonation (Clusters B, C, E) — Client-Tailored Signal Filtering
The cnmaestro, ruckus, intranet, and webmail subdomains on f-ifa[.]de and fi-fa[.]de produce no obvious malicious signal in isolation. Their significance is only visible when external signals are filtered against what an organization actually runs — its specific technology stack, exposed services, and internal tool inventory.
Intelligence that continuously correlates external infrastructure observations against internal environment context elevates this cluster from generic typosquatting noise to a targeted, operationally relevant threat — and does so before staff encounter it, not after.
Dormant Infrastructure (Cluster F) — Continuous Re-evaluation Without Analyst Overhead
The .com[.]ci long-label cluster is a watch item, not an immediate action. But sustaining that watch manually across a two-month tournament window is not realistic. The operational requirement here is precise: monitor a defined set of indicators for a specific state change and deliver a single alert when that change occurs.
Agentic monitoring that continuously re-evaluates infrastructure state and fires only on transition — NXDOMAIN to live resolution — meets that requirement without ongoing analyst attention and without the alert fatigue of repeated inconclusive checks.