
2026 Milano–Cortina Winter Olympics-Themed Phishing Campaign Analysis Report

In the lead-up to the 2026 Milano–Cortina Winter Olympics, numerous phishing domains impersonating official Olympic ticketing platforms and merchandise stores were detected. These websites actively mimicked official branding elements and used discount promotions and limited-time offers to build trust, ultimately attempting to harvest payment details and personal information.

 

Rather than focusing on individual malicious URLs, this report analyzes the case from a campaign-level infrastructure perspective using AI-driven cyber threat intelligence from Criminal IP Domain Search and Asset Search.

 

Analysis Summary: Different Domains, Repeating Patterns

 

Example screenshot of a phishing website impersonating the Olympics: 2026winterdeals[.]top

 

As shown in the image above, the phishing site was not a low-quality landing page but a highly polished replica.
The upper section displayed a homepage closely resembling the official Olympic website, while the lower section mimicked an official merchandise store layout.

 

Phishing site offering Olympic-themed goods at lower-than-official prices

 

The phishing site aggressively imitated the following elements:

 

  • Layout, color schemes, and logo placement similar to the official Olympic website
  • Use of misleading keywords such as "Official Ticket," "Winter 2026," and "Limited Sale"
  • Product thumbnails and pricing formats similar to the official store
  • Fully implemented e-commerce UI components (cart, login icons, etc.)
  • Responsive design functioning naturally on mobile devices

 

Some products were listed at significantly lower prices than the official website, accompanied by urgency-driven phrases such as "UP TO 50% OFF" and "Limited Offer." Without carefully inspecting the URL, it would be difficult for general users to distinguish the phishing site from the legitimate one based solely on visual quality.

 

However, despite strong visual similarities, clear anomalies were identified at the domain and infrastructure level.

 

Real-Time URL Scan Risk Analysis

 

Using Criminal IP Domain Search, multiple suspicious domains were compared and analyzed. Structurally similar metadata patterns were identified across the following domains:

 

 

Criminal IP Domain Search scan results of Olympics-themed phishing domains

 

1. Overall Risk Assessment

 

  • Domain Scoring: 80.0% (Dangerous)
  • Possibility of Similar Domains: 99.99%

 

A Domain Score of 80% indicates a high probability of malicious activity. The 99.99% Similar Domains probability strongly suggests that these domains are not operating independently but are likely part of a campaign cluster sharing similar structural characteristics.

 

This aligns with common phishing campaign patterns observed during large-scale global events such as international sports competitions, expos, and world tournaments.

 

2. Obfuscated Script Detection

 

Analysis revealed the presence of obfuscated scripts within the webpage.

 

Obfuscation is typically used to:

 

  • Evade security analysis
  • Hide malicious code
  • Conceal automatic redirection logic
  • Mask data collection routines

 

Excessive script obfuscation is uncommon for official international event websites. This significantly increases the likelihood that the site was designed to conceal malicious behavior rather than operate as a legitimate commercial platform.

 

3. Fake Favicon Detection

 

A forged favicon was also detected.

 

This technique leverages psychological trust signals:

 

  • Inserting icons similar to official branding
  • Creating visual familiarity
  • Inducing trust through address bar icon recognition

 

Official organizations have no reason to deploy forged brand assets. Therefore, Fake Favicon detection serves as a strong indicator of brand impersonation-based phishing.

 

4. Newborn Domain Characteristics

 

Criminal IP Domain Search report showing creation date, scripts, and associated IP information

 

The domain was created shortly before the event.

 

Typical characteristics of newly registered phishing domains include:

 

  • No long-term operational history
  • Limited reputation data
  • Minimal search engine visibility

 

In contrast, legitimate international event websites generally have:

 

  • Long-standing operational records
  • Accumulated brand reputation
  • High search engine rankings
  • Certificates issued by trusted Certificate Authorities (CAs)

 

This domain exhibited a short-term operational profile consistent with typical phishing infrastructure.

 

IP Infrastructure Analysis: Single-IP Campaign Indicators and CDN-Based Obfuscation

 

Further analysis using Criminal IP Asset Search revealed that multiple Olympics-themed phishing domains were observed within the same CDN IP environment, with creation timestamps concentrated within a similar timeframe.

 

Result showing multiple Olympics-themed domains linked to the same CDN IP within a similar time period

 

Common characteristics identified:

 

  • Multiple domains connected to the same IP address
  • Domain creation timestamps clustered within 2–3 days
  • Repeated use of keywords such as "olympic," "2026," "sale," and "hot"
  • Hidden registration information (Registered agency: none)

 

These patterns strongly suggest automated bulk registration and deployment under a campaign-based infrastructure rather than independent site operation.

 

Attackers commonly develop a phishing page template, generate multiple domains with similar keyword combinations, and connect them to shared infrastructure. When one domain is blocked, traffic is immediately redirected to another, enabling evasion.
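
The clustering signals listed above (shared IP, creation dates within 2–3 days, repeated keywords, hidden registration) can be checked mechanically over exported scan records. The Python below is an added example, not Criminal IP code or output; the record layout, domains, IPs, dates and the helper name `find_clusters` are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Keywords the report saw repeated across the campaign's domain names.
KEYWORDS = ("olympic", "2026", "sale", "hot")

# Constructed sample records (not real scan output): domain, resolved IP,
# creation date, registrar (None = hidden registration information).
RECORDS = [
    ("olympic2026-sale.example",  "203.0.113.10", date(2026, 1, 12), None),
    ("hot-olympic-deals.example", "203.0.113.10", date(2026, 1, 13), None),
    ("2026wintersale.example",    "203.0.113.10", date(2026, 1, 14), None),
    ("olympic-fans.example",      "203.0.113.10", date(2024, 6, 2),  "Registrar A"),
    ("bakery-milano.example",     "203.0.113.10", date(2026, 1, 13), "Registrar B"),
    ("sale2026.example",          "198.51.100.7", date(2026, 1, 13), None),
]

def keyword_hits(domain):
    """Return the campaign keywords present in a domain name."""
    return [k for k in KEYWORDS if k in domain.lower()]

def find_clusters(records, window_days=3, min_size=3):
    """Group keyword-bearing domains by shared IP, then keep the largest
    set whose creation dates fall within window_days calendar days."""
    by_ip = defaultdict(list)
    for domain, ip, created, registrar in records:
        if keyword_hits(domain):
            by_ip[ip].append((created, domain, registrar))
    clusters = []
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        best, start = [], 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits.
            while (rows[end][0] - rows[start][0]).days >= window_days:
                start += 1
            if end - start + 1 > len(best):
                best = rows[start:end + 1]
        if len(best) >= min_size:
            clusters.append({
                "ip": ip,
                "domains": [d for _, d, _ in best],
                "span_days": (best[-1][0] - best[0][0]).days + 1,
                "hidden_registration": sum(r is None for _, _, r in best),
            })
    return clusters

if __name__ == "__main__":
    for cluster in find_clusters(RECORDS):
        print(cluster)
```

The long-lived domain and the unrelated site on the same CDN IP are excluded, which matters because a shared CDN address alone is a weak signal.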

 

Real IP candidate identified despite CDN reverse proxy structure

 

Although the environment operated under a CDN-based reverse proxy structure, external intelligence sources identified a separate IP classified as a potential Real IP (origin server). This suggests that, beyond the CDN edge layer, parts of the underlying infrastructure may have been exposed. However, it cannot be definitively concluded that the identified IP represents the final attacker infrastructure. It should be interpreted as a potential origin server candidate.

 

How to Prevent Olympics-Themed Phishing Attacks

 

During major global events, phishing pages often feature polished UI, integrated payment systems, and social media advertising, making detection more challenging. 

 

Recommended checks include:

 

  • Verify whether the domain is newly registered
  • Check domain reputation and risk scoring
  • Confirm the issuing authority of the HTTPS certificate
  • Search for event-related keyword domains
  • Analyze IP association with other suspicious domains
  • Identify similar domain clusters

 

Criminal IP Domain Search and Asset Search enable campaign-level infrastructure tracking beyond simple URL-based blocking.

 

Conclusion

 

The 2026 Milano–Cortina Winter Olympics phishing case represents more than isolated ticket scams. It demonstrates organized campaign-level infrastructure operations.

 

Even after the event concludes, domain generation patterns and infrastructure templates are likely to be reused. Therefore, defensive strategies should shift from simple URL blocking to campaign-level intelligence approaches.

 

In relation to this, you can refer to Illegal Webtoon Sites Evading Blocks with Domain Swaps — How to Detect Fraudulent Sites.

 


 

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.

 

Source: Criminal IP (https://www.criminalip.io/)

 

Related Article: https://www.criminalip.io/knowledge-hub/blog/30053