The U.S. Department of Justice has announced the seizure of nearly 400 domains that were illegally streaming live matches from the 2026 FIFA World Cup. Running under “Operation Offsides,” the effort is being led by the National Intellectual Property Rights Coordination Center alongside Homeland Security Investigations, with a seizure warrant filed in the Eastern District of Virginia. The total number of domains taken down to date is roughly five times the amount taken down during the 2022 Qatar tournament, and HSI has warned that the streams can expose viewers to malware and connections capable of stealing financial data.

The 2026 tournament is being co-hosted by the U.S., Canada, and Mexico, giving U.S. authorities firmer jurisdiction than they held when the event was held in Qatar. Investigators traced the streaming infrastructure to servers in Peru and Bulgaria, with supporting takedowns in Croatia, Romania, Poland, and Colombia. FIFA identified the offending domains, and beIN Media Group, NBCUniversal, the Motion Picture Association's Alliance for Creativity and Entertainment, UFC, and Warner Bros. all helped supply further information.

Assistant Attorney General A. Tysen Duva of the Justice Department's Criminal Division said the seizures reflected the country's duty “as a host nation to protect the FIFA World Cup from criminals.” Domain seizures are a limited tool against operations that rotate addresses and fall back to redundant copies, hence why enforcement bodies suddenly pounce on hundreds of domains at once rather than one at a time.

Authorities have increasingly gone after the people running the streams and, in some cases, their customers. U.S. courts have separately tested the limits of piracy liability, with the Supreme Court ruling that ISPs aren’t liable for their subscribers’ infringement in March. Meanwhile, a Greek court jailed a torrent-site operator for five years last year, and an Irish court ordered Revolut to unmask more than 300 subscribers of a pirate IPTV service in March.

A 2021 Webroot analysis of illegal sports-streaming sites found that 92% carried some form of malicious content, typically delivered through the ad networks that fund the operations. Following the 2024 World Cup, Microsoft Threat Intelligence traced a December 2024 maladvertising campaign that reached nearly 1 million devices back to illegal streaming sites, where redirectors embedded in video frames funneled users through several hops to information stealers such as Lumma and Doenerium hosted on GitHub. Microsoft found the campaign hit both consumer and enterprise machines.

Infections like these often need nothing more than a simple click on a play or unmute button to start the redirect chain, with no download prompt and no need to enter any credentials. Operation Offsides remains active, and the Justice Department said it will continue to pursue the operators behind the seized sites.