Cyber Threat Trends During the Winter Olympics 2026

Cyber Threat Trends During the Winter Olympics 2026

Table of Contents

Your move →
Share with your peers!

LinkedIn
Twitter

Executive Summary: Cyber Threat Trends During the Winter Olympics 2026

Date: March 2026
Source: PreCrime™ Labs

With the conclusion of the Winter Olympics, PreCrime Labs provides a retrospective analysis of domain registration activity that reveals clear event-driven patterns both in the six months leading up to the Games and in the immediate post-event window. A large ecosystem of “Olympics” themed domains before and right after the event was concluded, specifically registered between September 2025 and February 2026 (6 months). This included a dataset across dozens of registrars and TLDs, many clearly unrelated to the official organizing International Olympic Committee or its affiliates. This cluster presents material risk for brand abuse, counterfeit ticketing, accommodation scams, merchandise fraud, and potential phishing or malware distribution ahead of Milano Cortina 2026 and LA28.


To Note:

The domain name abuse targeting the Olympics is overwhelmingly focused on imminent and upcoming events. The high volume of suspicious domains directly referencing specific Olympic years indicates a calculated strategy by threat actors to capitalize on the public’s focus and the beginning of official marketing and sales campaigns. The next 2-3 years will be the peak window for malicious activity targeting the 2026 (45 occurrences) and 2028 (61 occurrences) Olympic events.

As the 2026 and 2028 events conclude, the focus of domain-related abuse is predicted to immediately shift to the next major cycles, specifically the years 2030 (7 occurrences) and 2032 (14 occurrences), also the next most frequently mentioned years. Threat actors will follow the public attention and official marketing cadence to maximize the impact of their campaigns.

Emerging Tech Top Use Cases in Preemptive Cyber Defense

PreCrime™: The Original Preemptive Cybersecurity

Get complimentary access to the Gartner report, Emerging Tech: Top Use Cases in Preemptive Cyber Defense

Numbers at a glance:

Top-Level Domains (TLD)

Across 1623 suspicious domains, majority used keywords highly relevant to the event, (e.g., “olympic”, “olympics”, “la28”, “milanocortina”). Alongside, several hundred domains, from legacy .com/.org to newer TLDs (“.shop”, “.store”, “.ai”, “.world”, “.app”, “.cloud”, “.top”, “.xyz”, “.games”, “.global”) were seen.

Summer vs Winter vs Generic domains

While the threat infrastructure for the Winter Olympics is imminent with 79 domains, we observe a growing focus on the Summer Games with 14 domains. Crucially, the largest category remains generic, with 1,529 domains, indicating a generalized, exploitable threat that can be leveraged at any time.

PreCrime analytics & key patterns

Domain registrations peaked from December 2025 through February 2026, especially for 2026 and 2028 event strings (e.g., “2026‑olympics[.]store”, “2026olympics[.]store”, “2028olympics.*”). Additionally, newly registered domains referencing future Olympic cycles (2030–2038), including examples such as 2030frenchalpsolympics[.]com, 2034olympics[.]com, and 2038winterolympics[.]com, suggest speculative brand targeting and potential pre-positioned infrastructure for long-term monetization or opportunistic abuse.

TLD distribution

There was a noticeably heavy concentration in generic commercial TLDs, “.com”, “.net”, “.org” remaining dominant (e.g., 2030olympics[.]com, olympicrapidrestoration[.]com, montrealolympics[.]com). Aggressive use of low‑cost and newer TLDs, “.shop”, “.store”, “.xyz”, “.world”, “.global”, “.live”, “.online”, “.cloud”, “.top” and “.buzz” are frequent for merchandise or outreach‑themed strings (e.g., 2026‑olympics[.]store, olympicp[.]shop, olympicoutreach[.]click, milanocortinaolympics[.]store).

top 10 unique tlds observed from olympics dataset

Country‑specific or niche TLDs (“.ai”, “.sk”, “.ca”, “.amsterdam”, “.app”) appear in higher‑value or tech‑focused strings such as 2028summerolympics[.]ai, olympiccasinoonline[.]sk, mfcolympics[.]ca, olympicplaza[.]amsterdam, longevityolympics[.]app. From a PreCrime perspective, short‑life, low‑cost TLDs with events alongside commerce keywords score higher than purely informational .org domains.

Registrar Distribution

GoDaddy and its variants (GoDaddy.com, LLC / Go Daddy, LLC) appear on a significant share of recent Olympics domains (e.g., 2028olympics[.]world, la28olympicswag[.]com, 2030frenchalpsolympics[.]com, olympicque[.]com). NameCheap, Porkbun, Sav.com, Squarespace Domains, Hostinger, Amazon Registrar, Network Solutions, Tucows, Name.com and Cloudflare collectively hold a large tail of Olympics‑themed domains. A smaller group of high‑abuse or domainer‑oriented registrars and resellers (DropCatch, NameMart, Dominet HKLimited, West263) handle domains in auction/parking or speculative status (e.g., olympicoutlet[.]com, olympics‑eu[.]shop, olympics‑hot[.]shop, olympics‑26[.]store).

Additionally, domains were masked extensively through privacy services, and cases when registrant data is exposed, it spans multiple countries including the United States, Canada, Italy, China, Iceland, Lithuania, British Virgin Islands, Tajikistan and Ukraine (e.g., milanolympic‑store[.]shop, olympicphiso[.]com, montrealolympics[.]com). Some domains resolve to clearly non‑IOC entities or personal/SMB branding (e.g., Olympic Plastic Bags Ltd, Olympic Photo Co, Olympic Peninsula Food Authority), indicating lawful but brand‑adjacent use, especially during the early Olympic period.

Popular themes observed

PreCrime analytics on this corpus supports several IOC/brand‑protection and cybercrime scenarios:

Theme
Domains
Description
Ticketing and accommodation fraud
laolympicluxuryrentals[.]com, laolympicrental[.]com, milanolympics2026apartment[.]com, la28olympicswag[.]com
Ideally positioned to impersonate official accommodation or merchandising sites.
Credential harvesting and fan account phishing
2026olympics[.]shop, 2028olympics[.]global, laolympics[.]app, olympicgameshub[.]us[.]com
Short, “official‑sounding” domains could front phishing front ends while back‑end infra changes dynamically.
Brand and sponsor abuse
2030frenchalpsolympics[.]com, australiaolympics2032[.]com, longbeacholympics[.]com, losangelessummer
olympicstouristinformation[.]com
Non‑IOC entities combining city/event names with “olympic/olympics” create confusion and potential misattribution.
Malware, scams and gray‑zone activity through exotic TLDs
memeolympic[.]xyz, olympicp[.]shop, olympics‑hot[.]shop, olympics‑eu[.]top
“.xyz”, “.top”, “.buzz”, “.cloud” and .shop variants with generic prefixes often correlate with high‑risk content in other datasets.

Notable Campaigns Seen

Domain Cluster Registration

A coordinated cluster of suspicious domains is impersonating Milano Cortina 2026 Winter Olympics retail activity. Multiple domains associated with this cluster share the common page title “Milano Cortina 2026: Winter Olympics 2026.” The infrastructure is fronted by IP address 104[.]18[.]19[.]207, operating behind Cloudflare CDN services, indicating the use of reputable content delivery networks to enhance legitimacy and resilience.

Figure 1 - Fake Olympic ticketing and merchandise stores clustering on a single IP and across common indicators
Figure 1 - Fake Olympic ticketing and merchandise stores clustering on a single IP and across common indicators

The observed activity aligns with a fake retail or fraudulent ticket sales operation, with high likelihood of payment information harvesting through deceptive storefront interfaces. All of these observed domains from a single cluster follow a specific string pattern, olympics-*.[non-primary TLD]. The campaign is operating during the early ticketing and merchandise interest phase, a period characterized by high user curiosity and search volume.

Example: A recent chatter on social media and posting platforms highlighted how a scam involving a hotel booking in Milan, where attackers sent a WhatsApp message containing accurate reservation details (including confirmation ID) and a malicious link urging urgent confirmation. The message appeared professional and leveraged time-based pressure (24-hour deadline) to induce action.

Verification with the hotel confirmed a system compromise or data leak, suggesting that attackers had access to legitimate booking data. This highlights a highly convincing social engineering campaign targeting travelers, likely exploiting compromised hospitality or booking platform systems during the heightened activity around major events like the Olympics.

reddit post on scams

Association with potential scam funnels

Several domains hosted on free developer hosting provider Cloudflare invoked an external JavaScript file (invoke.js) from a separate domain, under a randomized, hash-like directory path. This behavior is commonly observed in traffic distribution systems (TDS), redirect frameworks, or staged scam funnels. At the same time, there are pop-ups, presumably malicious, indicating potential monetization or secondary-stage payload delivery. The infrastructure suggests:

  1. Low-cost rapid deployment
  2. Disposable campaign infrastructure
  3. Possible automated subdomain generation
  4. SEO poisoning for sports and olympic keywords
Figure 2 - Malicious pop-ups and redirections themed campaigns leveraging the theme of Winter Olympics using CloudFlare hosting
Figure 2 - Malicious pop-ups and redirections themed campaigns leveraging the theme of Winter Olympics using CloudFlare hosting

Domains observed:

  • winter-olympics-schedule[.]pages[.]dev
  • 2026-winter-olympics-womens-single-skating-free-skating-5sn[.]pages[.]dev
  • 2026-winter-olympics-womens-single-skating-free-skating[.]pages[.]dev
  • when-do-the-winter-olympics-end[.]pages[.]dev

Coins and casino

Figure 3 - Cryptocurrency ecosystems introducing memecoins for luring enthusiastic users into financially fraudulent investments
Figure 3 - Cryptocurrency ecosystems introducing memecoins for luring enthusiastic users into financially fraudulent investments
Figure 4 - Fake domains leveraging “Olympics” keyword to promote gambling apps and reward-based betting
Figure 4 - Fake domains leveraging “Olympics” keyword to promote gambling apps and reward-based betting

Another set of domains leveraging the keywords such as “bet”, “casino”, and its variations were found to be newly registered or fully operational, resembling a kind of casino or gaming app listing, rather than anything officially connected to the Olympics Games. The page structure and metadata listed are typical of third-party Android download sites or gambling-related app listings, not sports event information or policy.

Many casino, gaming, and betting domains will use popular terms like “Olympic” or “World” purely for search engine appeal, even when they have no legitimate connection to the sporting event. Such domains should be treated as unofficial gaming/gambling infrastructure, potentially harmful if it distributes APKs or promotes unauthorized software.

Ticket and Merchandise Sale

This is the most direct financial threat, with 10 domains containing “ticket” and 7 domains containing “sale.” These domains are designed to impersonate official ticket vendors or sales channels, potentially leading to credit card theft or the sale of fake tickets. A large-scale threat involving unauthorized retail includes 42 domains containing “shop” and 36 domains containing “store.” This campaign uses the brand to sell counterfeit or unofficial merchandise, infringing on trademarks and diluting the official brand message. Examples: “olympicmascots-sale.shop”, “2026-olympics.store”, “olympics28tickets.org”, “olympicssale.top”.

Example: A 2024 insight from BBC highlights a significant rise in event-driven purchase scams, with high-demand themes such as Olympics and Taylor Swift tickets emerging as primary lures. According to UK Finance, consumers lost £86 million in 2023, a 28% increase from the previous year, across more than 156,000 cases.

Figure 5 - Fake domains being set up to lure Winter Olympics enthusiasts into purchasing collections
Figure 5 - Fake domains being set up to lure Winter Olympics enthusiasts into purchasing collections

A certain set of domains seen within the dataset attempted to attract users with sleek, event-driven e-commerce storefront centered around “USA Hockey Olympic Gold Champions” merchandise, immediately tying the brand to Olympic success and national pride.

Figure 6 - Domains leveraging previous victories to psychologically target winning countries into impulsively purchasing
Figure 6 - Domains leveraging previous victories to psychologically target winning countries into impulsively purchasing

Rentals and Services

A significant cluster of domains referencing the 2028 Los Angeles Summer Olympics have been identified, primarily themed around tourism, transportation, hospitality, and local event services. The keywords and naming conventions strongly align with future large international sporting events and high-demand service categories during it such as:

  1. Parking and transport (parking, rental cars, air taxis)
  2. Tourism and travel packages
  3. Local accommodation and luxury rentals
  4. Restaurant listings and hospitality guides
  5. Location-specific targeting (e.g., Leimert Park LA)

 

The inclusion of “2028” and “Los Angeles” keywords indicates SEO-driven intent, positioning these domains to capture organic search traffic as public interest grows closer to the event. Even though the 2028 Olympics are several years away, the domains are registered and under construction.

Figure 7 - Under construction domains as a part of pre-registered infrastructure targeting 2028 Olympics event
Figure 7 - Under construction domains as a part of pre-registered infrastructure targeting 2028 Olympics event
Figure 8 - Under construction domains as a part of pre-registered infrastructure targeting 2028 Olympics event
Figure 8 - Under construction domains as a part of pre-registered infrastructure targeting 2028 Olympics event

Other 7 identified domains target a specific audience who prefer high-value accommodation searches during peak travel demand. An important observation within this campaign cluster is the preference for standard, high-trust Top-Level Domains (TLDs) such as “.com” over “.xyz”, to increase the likelihood of user trust, especially when combined with event-specific keywords (e.g., “LA,” “Olympic,” “luxury rentals”). As from a user psychology perspective, “.com” domains are strongly associated with established businesses and legitimate commercial operations.

Figure 9 - A section of domains targeting luxury seeking individuals looking for services in the 2028 Olympics
Figure 9 - A section of domains targeting luxury seeking individuals looking for services in the 2028 Olympics
Figure 10 - A section of domains targeting luxury seeking individuals looking for services in the 2028 Olympics
Figure 10 - A section of domains targeting luxury seeking individuals looking for services in the 2028 Olympics

AI x Olympics

Recent observations show domains positioning themselves as other services than sporting (for example, competitive AI platforms), framing to borrow the prestige and symbolism of the Olympics while operating independently of any official Olympic affiliation, making it an opportunistic brand abuse.

Similarly, login-style portals branded as “OlympicGPT” combine Olympic imagery (including ring-style visuals) with generative AI terminology. This page presents email and verification-based login flows, implying official digital services tied to Olympic participation or engagement. The integration of Olympic branding with AI terminology creates a powerful legitimacy signal, especially during peak event interest cycles.

Figure 11 - AI merged keywords with “Olympics” either for leveraging brand abuse and Olympic GPT themed page harvesting logins
Figure 11 - AI merged keywords with “Olympics” either for leveraging brand abuse and Olympic GPT themed page harvesting logins
Figure 12 - AI merged keywords with “Olympics” either for leveraging brand abuse and Olympic GPT themed page harvesting logins
Figure 12 - AI merged keywords with “Olympics” either for leveraging brand abuse and Olympic GPT themed page harvesting logins

PreCrime™ Labs Recommendations

For Organizations:

  1. Engage in continuous monitoring for domains combining Olympic keywords with high-risk modifiers such as AI, GPT, tickets, rentals, travel, parking, packages, login, and support. Include AI-event combinations in brand monitoring rules.

  2. Implement image-based scanning to detect misuse of Olympic rings, typography styles, or official branding across newly registered domains.

  3. Clearly communicate official domains and digital services through verified channels. Maintain a centralized page listing authorized platforms and AI partnerships.

  4. Establish rapid takedown channels with registrars and hosting providers to shorten abuse lifecycle once activation is detected.

For the Public (Fans, Travelers, Digital Users):

  1. Only access Olympic-related services through official websites announced by recognized Olympic organizers or verified sponsor platforms.

  2. Not every AI-branded Olympic tool is official. If asked to enter email, verification codes, or payment details, validate the domain carefully.

  3. Look for subtle variations or long keyword-stuffed domains (e.g., “olympictravelpackages2028[.]com”) that may not be officially affiliated.

  4. Purchase tickets, travel, and accommodation only via trusted and widely recognized booking platforms or official event channels, for example, Booking, Airbnb, Skyscanner, etc.

  5. If a site uses Olympic branding but seems unofficial or requests sensitive information, report it to event organizers or national cybercrime portals.

Explore our latest PreCrime™ Labs report:

Suspicious Domain Activity in Lead up to 2026 FIFA World Cup Tournament

Phishing Campaign Imitating U.S. Department of Education G5

Your move → Share with your peers!

LinkedIn
Twitter
See PreCrime™ in action

Just sign up, talk to one of our experts, and deploy in minutes.
No coding skills or training required. Works right out of the box!