PULSE NAME
The World Cup Fraud Infrastructure is Nearly Three Times Larger Than We First Reported
WHITE PetrP.73 2026-05-21 Modified: 2026-05-21
27 IOCs
MEDIUM VOLUME
The expanded investigation into World Cup phishing infrastructure has revealed a significantly larger and more complex web of fraudulent domains than previously reported. Initially, 79 domains were identified, but further research has expanded that count to at least 222 domains operating across 203 unique IP addresses, which marks an increase of approximately 2.8 times in domain numbers and over 14 times in hosting footprint. The campaign is characterized by at least four separate operator clusters, indicating a distributed network of cybercriminals rather than a single, centralized threat actor.
Indicators of Compromise (5 / 27 total)
TYPE INDICATOR DESCRIPTION CREATED
IPv4 104.225.235.49 CC=US ASN=AS25820 it7 networks inc 2026-05-21
IPv4 148.178.16.48 CC=US ASN=ASNone 2026-05-21
IPv4 154.39.81.213 CC=US ASN=AS8796 kurun cloud inc 2026-05-21
IPv4 154.86.0.33 CC=DE ASN=AS136897 enjoyvc cloud group limited. 2026-05-21
IPv4 38.246.249.74 CC=US ASN=AS174 cogent communications 2026-05-21