Attacks on Sports-Betting Platforms Ramp Up Amid 2026 FIFA World Cup
Major sporting events don’t just attract fans. They also attract attackers.
The 2026 FIFA World Cup is driving record traffic to sports-betting platforms worldwide, and DataDome has observed a sharp increase in bot attacks targeting this sector. For one major European platform, blocked traffic averaged around 200,000 requests per day in early June, climbing steadily throughout the month to total nearly 19 million malicious requests blocked in just three weeks.
On June 10, the eve of the World Cup’s opening match, the platform was hit by something more acute: a flash DDoS that fired 786K requests in 87 seconds, peaking at nearly 18,000 requests per second. It was over before most detection systems would have collected enough data to recognize that something was wrong.
The attack originated from Biterika Group LLC, a Russia-based hosting provider previously linked to a DDoS attack against media organizations. DataDome telemetry shows that 91% of traffic from this provider is malicious. Some bot attacks try to stay invisible, spreading requests over hours, pacing each IP well below detection thresholds, blending into background noise. This one did the opposite.
DataDome detected and blocked both the sustained attack wave and the flash DDoS in real time. DataDome’s Galileo threat research team analyzed the event and identified a botnet built on known proxy infrastructure, with one of our AI detection models proving decisive against the broader campaign.
Key findings
- Bot attacks on sports-betting platforms have surged since the start of the 2026 FIFA World Cup, with nearly 19 million requests blocked for one major European platform in three weeks.
- On the eve of the opening match, the platform was hit by a flash DDoS firing 786K requests in 87 seconds, driven primarily by Russian hosting provider Biterika Group LLC.
- Traffic was overwhelmingly web-focused (99.79%), with minimal probing of login (0.21%) and account creation (0.01%) endpoints, pointing to platform disruption as the primary objective.
- DataDome’s Turing model mitigated over 10 million requests alone, detecting the sustained attack wave through time-based signal patterns.
Attack timeline
The blocked traffic chart below tells the story of the broader trend. From late May, requests blocked for this platform began climbing steadily, slowly at first, then sharply from June 5 onward as the World Cup approached. By June 9, daily blocked volume had increased nearly tenfold from where it stood at the start of the month.
Zooming into June 10—the day before the World Cup’s opening match—reveals a single spike that dwarfs everything around it: over one million requests in one bucket, more than three times the highest point of the preceding days.

Russia-origin traffic spikes to approximately 18,000 requests per second in a near-vertical wall with no ramp-up, no warm-up period, no gradual escalation.
Within seconds, the geographic composition begins to broaden. US, German, Indonesian, Singaporean, and a dozen other country-origin sources join the stream, each adding hundreds to low thousands of requests per second.
The aggregate settles into a sustained tail of roughly 1,000 req/s, which is still far above any legitimate baseline, but calmer than the initial spike.

The attack’s shape is telling. There is only one real spike, a single coordinated pulse rather than repeated waves or escalating pressure. This suggests the operator did not adapt in real time; they fired their full payload at once and did not retry with meaningful force when it was blocked.
The geographic diversification that follows the initial Russian spike may serve a different purpose: by rapidly spreading the source footprint across multiple countries, the attack makes any single-country block largely ineffective. Perhaps it is a deliberate attempt to dilute attribution and outlast a geo-based response.
Infrastructure: Known proxies and Russia host
The attack drew entirely on known proxy infrastructure, data centers, and ISP proxies that carry a prior negative reputation across threat intelligence networks. This is not opportunistic reuse; it is a pre-assembled operation, deliberately sourced from providers with an established history of malicious traffic.
None of these geolocations reflects the platform’s legitimate user base. A European-regulated betting platform does not receive its traffic from Russia, Indonesia, or South Korea. Every country in this table is proxy-routed or datacenter-hosted infrastructure with geolocations entirely unrelated to the operator’s actual location.

Not all ASNs contributed equally. While the attack spanned 625 autonomous systems, one dominated the source distribution by a wide margin: Russia-based Biterika Group LLC (AS35048), accounting for 76.4% of all attack traffic. The remaining ASNs (including familiar names like Alibaba, Tencent, QuickPacket, and Oracle) each contributed less than 7% individually, serving more as noise than as meaningful infrastructure.

Biterika is a Russian internet hosting and proxy provider based in Zelenograd, Moscow. It primarily provides server infrastructure, public proxies, and anonymization services. According to its commercial website proxy[.]house, Biterika claims to be the largest Russian provider of proxy servers.

While it operates on paper as a standard commercial hosting company, Biterika is primarily known in the cybersecurity community for its abuse-tolerant infrastructure, its connections to sanctioned Russian entities, and its alleged involvement in state-aligned cyberattacks.
In June 2025, a DDoS attack targeting two media organizations was traced back to Biterika infrastructure. The organizations had just published an investigation into an underage sex trafficking network, exposing how high-profile clients—including Russian oligarchs—had escaped justice.
DataDome’s telemetry paints a similar picture. Over a 7-day period, more than 91% of all traffic originating from this ASN was fraudulent, making it one of the most consistently malicious autonomous systems observed across our customers.

Adversary profile
This was not a sophisticated attack but rather a blunt one. The threat actor made no attempt to pace traffic below any detection threshold, relying instead on IP breadth and burst speed to overwhelm response systems before they could react. This approach is weak against behavioral detection operating at the fleet level.
The geographic spread across multiple countries adds operational complexity for defenders attempting source-based blocking, but the total IP count is well within the detection range of a properly configured threat intelligence layer.
The highest investment was in known-proxy infrastructure and forged HTTP headers and cookies—basic techniques that leave clear server-side fingerprint mismatches. Browser fingerprints were outdated and inconsistent with modern real-user distributions.
Session environment instability (22% of threat markers) and geolocation inconsistencies (7%) signal some rotation tooling at the session layer. However, the rotation is surface-level: session environment and browser identity rotate, but device and hardware fingerprints remain stable—a pattern typical of automation frameworks that randomize user agents without maintaining deeper consistency.
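The surface-level rotation described above can be surfaced by clustering requests on the signal that stays stable. This is an added Python example, not DataDome's detection logic; the field names (device_fp, session_id, user_agent, country), the thresholds, and the sample records are constructed assumptions.

```python
from collections import defaultdict

def rotating_devices(requests, max_user_agents=2, max_countries=2):
    """Cluster requests by device fingerprint and flag clusters whose browser
    identity or geolocation rotates while the device itself stays the same.

    requests: dicts with hypothetical keys device_fp, session_id, user_agent,
    country. Returns {device_fp: {"sessions", "user_agents", "countries"}}.
    """
    clusters = defaultdict(lambda: defaultdict(set))
    for r in requests:
        fp = r.get("device_fp")
        if not fp:                      # no device signal collected: cannot cluster
            continue
        for field in ("session_id", "user_agent", "country"):
            clusters[fp][field].add(r.get(field))
    flagged = {}
    for fp, seen in clusters.items():
        if (len(seen["user_agent"]) > max_user_agents
                or len(seen["country"]) > max_countries):
            flagged[fp] = {"sessions": len(seen["session_id"]),
                           "user_agents": len(seen["user_agent"]),
                           "countries": len(seen["country"])}
    return flagged

# Constructed sample: one automation host cycling identities, one real user
# whose browser updated between visits, and one request with no fingerprint.
SAMPLE = (
    [{"device_fp": "fp-bot", "session_id": f"s{i}",
      "user_agent": f"Mozilla/5.0 Chrome/{90 + i}.0", "country": c}
     for i, c in enumerate(["RU", "US", "DE", "ID", "SG", "RU"])]
    + [{"device_fp": "fp-user", "session_id": "u1",
        "user_agent": "Mozilla/5.0 Chrome/124.0", "country": "FR"},
       {"device_fp": "fp-user", "session_id": "u2",
        "user_agent": "Mozilla/5.0 Chrome/125.0", "country": "FR"},
       {"device_fp": None, "session_id": "x1",
        "user_agent": "curl/8.0", "country": "FR"}]
)

if __name__ == "__main__":
    print(rotating_devices(SAMPLE))
```

The thresholds leave room for a real user whose browser updates or who travels; only the cluster with many identities behind one device is flagged.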

Flash DDoS attacks against high-traffic platforms are not always purely destructive. They can also be used as a coercion tool designed to pressure the target into paying a ransom to avoid a larger, sustained attack.
The timing here is notable: Hitting a sports-betting platform the day before the World Cup’s opening match maximizes the perceived threat. We have no indication that a ransom demand accompanied this specific event, but sports-betting platforms should treat flash DDoS incidents around major sporting events as potential precursors to extortion attempts rather than isolated technical incidents.
How DataDome detected and stopped the attack
For the flash DDoS, DataDome’s detection operated simultaneously across four layers. At the network layer, IP reputation intelligence flagged a significant fraction of the botnet’s proxy infrastructure on contact: known-bad IPs were identified and blocked before any behavioral analysis was needed. TLS fingerprinting and header analysis identified spoofed browser presentations that survived application-layer crafting.
At the behavioral layer, the aggregate request pattern (volume, frequency distribution, session sequence anomalies) was immediately incompatible with any legitimate traffic model for this platform.
The 87-second duration is the critical constraint. A detection system requiring multi-minute analysis to build statistical confidence would still be warming up when this attack ended. Real-time detection at sub-second latency is not optional against this pattern; it is the only detection that matters. By the time a human analyst could investigate and escalate, the event would already be over.
Against the broader, sustained attack wave that preceded and followed the flash DDoS, a different challenge emerged: volume that built gradually, across many sessions, without the sharp signature of a burst event. This is the problem Turing addresses. Turing is a DataDome AI model that autonomously generates detection rules from time-based signal patterns, and on its own it has mitigated over 10 million requests for this customer since June 1.

Key takeaways for defenders
Major sporting events are attack windows
The surge in attacks coinciding with the 2026 FIFA World Cup is not coincidental. High-traffic events concentrate value and pressure on platforms simultaneously: odds change fast, users are active, and any disruption has immediate financial and reputational impact. Attackers know this. Sports-betting platforms should treat major tournament schedules as threat calendars and adjust their posture accordingly.
Flash DDoS attacks are designed to outrun response time
87 seconds allows no time for a human-in-the-loop response. Automated, real-time blocking at millisecond latency is the only viable posture against this attack pattern.
Russia-first sequencing is an operational signature worth tracking
An anomalous Russian-origin spike on a non-Russian-facing platform is a strong early signal of a possible imminent global burst. Defenders who can act on that initial spike, before the cascade broadens, have a meaningful head start.
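The 87-second constraint and the Russia-first signal can be seen together in a small simulation. This is an added Python example, not DataDome's detection logic; the expected-country set, the 500 req/s ceiling, and the per-second counters (shaped after the spike and tail described in this article) are constructed assumptions.

```python
from collections import defaultdict, deque

EXPECTED = frozenset({"FR", "DE", "ES"})   # assumed legitimate markets (constructed)

def first_verdicts(buckets, window_s, rps_limit, expected=EXPECTED):
    """Return {country: second_of_first_block_verdict} for unexpected countries.

    buckets: time-ordered (second, country, requests) per-second counters.
    A verdict needs window_s seconds of history since the country first
    appeared, and a mean rate over that trailing window above rps_limit.
    """
    first_seen, history, verdicts = {}, defaultdict(deque), {}
    for sec, country, n in buckets:
        if country in expected or country in verdicts:
            continue
        first_seen.setdefault(country, sec)
        win = history[country]
        win.append((sec, n))
        while win[0][0] <= sec - window_s:     # drop counters older than the window
            win.popleft()
        warmed_up = sec - first_seen[country] + 1 >= window_s
        if warmed_up and sum(c for _, c in win) / window_s > rps_limit:
            verdicts[country] = sec
    return verdicts

def leaked(buckets, verdicts, expected=EXPECTED):
    """Requests from unexpected countries served before their verdict landed."""
    return sum(n for sec, c, n in buckets
               if c not in expected and sec <= verdicts.get(c, float("inf")))

def constructed_burst(start=1000, duration=87):
    """Constructed counters: one unexpected country spikes with no ramp-up,
    others join seconds later, then everything settles into a lower tail."""
    out = []
    for i in range(duration):
        sec, peak = start + i, i < 20
        out.append((sec, "FR", 40))                        # normal customers
        out.append((sec, "RU", 18000 if peak else 700))
        if i >= 3:                                         # cascade broadens
            out += [(sec, "US", 1200 if peak else 200),
                    (sec, "ID", 300 if peak else 100)]
    return out

if __name__ == "__main__":
    traffic = constructed_burst()
    for w in (1, 60, 120):
        v = first_verdicts(traffic, w, 500)
        print(w, v, leaked(traffic, v))
```

On this constructed traffic the one-second window reaches a verdict in the first second of the spike, the 60-second window only a minute in, and the 120-second window never, because the burst ends before it has warmed up. The low-rate source that never crosses the ceiling is left to the slower, pattern-based layer.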
Known proxy infrastructure is a high-confidence detection surface
This attack drew entirely on previously flagged proxy ranges. A well-maintained, continuously updated threat intelligence feed will recognize a meaningful fraction of traffic on first contact before behavioral signals even need to be evaluated.
Detection must work at two speeds
A flash DDoS and a weeks-long attack surge are different problems requiring different solutions. The flash DDoS demands a sub-second, automated response. The sustained wave demands a model that can observe traffic patterns over time, identify emerging anomalies, and generate new rules as the attack evolves. A detection layer that excels at one but not the other will leave gaps. The World Cup campaign is a reminder that both threats can arrive simultaneously, against the same target.