Security News

Cybersecurity news aggregator

INFO News Unit 42

2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface

  • What: A Unit 42 report assesses the cyberattack surface of the 2026 FIFA World Cup across its three host nations
  • Impact: Identifies financially motivated fraud against fans, Iran-nexus disruptive operations and pro-Russian/pro-Iran hacktivist DDoS as the main risks to host-city infrastructure and tournament IT

By: Justin Moore
Published: May 28, 2026
Categories: Cybercrime, General, Hacktivism, Insights, Threat Research
Tags: Fiddling Scorpius, Fighting Ursa, Muddled Libra, Phishing, QR Codes, Razing Ursa, Typosquatting, Wiper

The 2026 FIFA World Cup will be the largest sporting event ever staged. Across 39 days, 16 host cities in three nations will stage 104 matches in an expanded 48-team tournament, with an estimated five to six million in-venue spectators and a global broadcast audience approaching half the planet. The tournament opens at Estadio Azteca in Mexico City on June 11, 2026, and concludes at MetLife Stadium in East Rutherford, New Jersey, on July 19, 2026. It is the first World Cup jointly hosted by three nations.

Each match runs on a temporary, multi-ring tournament network grafted onto pre-existing NFL, MLS, CFL and Liga MX stadium environments. The tournament also depends on municipal services: public transit, signalized traffic, water and wastewater treatment, regional power, airport operations and emergency services. Each of those touchpoints is in scope for an adversary.

Based on a review of cyber operations against prior mega-events from 2016 through the Milano Cortina 2026 Winter Games, this assessment finds that disruptive intrusions, criminal fraud at scale, and politically motivated distributed denial-of-service (DDoS) and hack-and-leak operations are highly likely. The only meaningful questions are who, against which targets and at what severity.

There are three drivers in the 2026 World Cup risk picture:

Iran-nexus activity. The U.S.-Israel-Iran kinetic conflict that began on Feb. 28, 2026 has reordered the threat surface for any U.S.-hosted event. The Handala Hack Team, assessed by the U.S. Federal Bureau of Investigation (FBI) and multiple commercial threat intelligence firms to be a front for Iran's Ministry of Intelligence and Security (MOIS), executed significant wiper attacks in early 2026. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published joint advisory AA26-097A confirming an active, ongoing Iranian-affiliated campaign against internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) in U.S. critical infrastructure, alongside Islamic Revolutionary Guard Corps (IRGC) targeting of Israeli-made Unitronics Vision Series PLCs at U.S. water, energy and municipal sites. These are the same categories of infrastructure that World Cup host cities will be operating under tournament load.

Russia-nexus hacktivism. Since 2022, NoName057(16) has conducted over 3,700 verified DDoS attacks against governments and critical sectors in NATO member states, with documented surges keyed to politically symbolic events including the NATO Summit and the Ukraine Peace Summit, and claims of intent against the Paris 2024 Olympics and the Milano Cortina 2026 Winter Olympics. Operation Eastwood (July 2025) disrupted but did not eliminate the group; the UK NCSC confirmed continued operations into 2026. The U.S., Canada and Mexico are NATO partners or allies, and the World Cup is a politically symbolic event of the highest order.

Financially motivated cybercrime. Group-IB identified more than 16,000 fraudulent domains and 90 compromised Hayya fan-portal accounts during World Cup 2022 in Qatar. The 2023 Muddled Libra campaign against entertainment organizations (the group operated as an affiliate deploying ALPHV, aka BlackCat, ransomware) demonstrated that the hospitality stack, including reservations, digital keys, point-of-sale (PoS) machines and loyalty data, is a target for ransomware operators. Ticket fraud, accommodation fraud, transportation QR-code fraud and FanID-equivalent account takeover are prime targets at scale across all three host nations.

The Paris 2024 Olympics are the strongest recent precedent. French authorities (ANSSI) confirmed at least 140 cyber events during the Games, including 22 confirmed unauthorized intrusions and a ransomware attack against the Grand Palais venue. None disrupted competition, but only because preparation began years earlier: it included exercises covering 500 Games-linked facilities and sustained government-industry coordination. The 2026 tournament must clear the same bar across multiple jurisdictions, regulatory bodies and languages.

The Bottom Line

Defenders should plan against the possibility of all of the following:

  • Cybercriminals targeting fans and the hospitality supply chain
  • Iran-nexus disruptive operations against ancillary U.S. infrastructure during the tournament window
  • Pro-Russian and pro-Iran hacktivist DDoS and defacement targeting host-city, federation and ticketing services
  • A wiper deployed against tournament IT during a high-visibility ceremony

Previous Attacks Against Major International Sporting Events

Event | Year | Operation / Actor | Documented Impact / Primary Source
Rio Summer Olympics | 2016 | OpOlympicHacking; Fighting Ursa (aka Fancy Bear, APT28) WADA leak | Prolonged DDoS against the official Rio website; Fighting Ursa publication of stolen WADA athlete medical records
Pyeongchang Winter Olympics | 2018 | Olympic Destroyer wiper; attributed to Razing Ursa (aka GRU Unit 74455, Sandworm) by the UK FCDO, Oct 2020 | Wi-Fi at the opening ceremony, the Olympics website, ticketing and broadcast drones disabled; 300+ systems compromised; 12 hours to restore; credentials in the binary referenced 44 Pyeongchang accounts
Tokyo Summer Olympics | 2020/21 | Razing Ursa reconnaissance and disruption | Over 450 million blocked attempts reported; no disruption to competition; phishing and social engineering against athletes and ticket-holders persisted
FIFA World Cup, Qatar | 2022 | Cybercriminal ecosystem; multiple groups | Group-IB: 16,000+ scam domains, 40+ fake mobile apps, 50+ fake social-media accounts and 90 compromised Hayya FanID accounts (RedLine and Erbium info-stealer credentials)
Rugby World Cup, France | 2023 | Fiddling Scorpius, distributors of Play ransomware | French Rugby Federation systems encrypted three months before kickoff; personally identifiable information (PII) exfiltrated; no on-field disruption; reputational and financial damage
Paris Summer Olympics | 2024 | Multiple cybercriminal and hacktivist groups; one ransomware actor | ANSSI: 140+ events, 119 low-impact, 22 successful intrusions; ransomware on the Grand Palais venue and approximately 40 other museums; DDoS peaks of 190,000 req/sec on the official site; no competition disrupted
Milano Cortina Winter Olympics | 2026 | Italian Foreign Minister Antonio Tajani said at a press conference that Italy thwarted attacks | No public confirmation of disruption to competition; the Italian National Cybersecurity Agency operated a dedicated command centre throughout the Games

Table 1. Previous attacks against major sporting events.

Cybercriminal Threats to Fans and the Tournament Supply Chain

Financially motivated cybercrime is the highest-volume, highest-likelihood threat category for the 2026 FIFA World Cup.

Ticket Fraud and FanID-equivalent Account Takeover

Based on Qatar 2022, there are five categories of ticket-themed fraud:

  • Lookalike resale sites
  • Fake social-media reseller accounts
  • Lottery/giveaway phishing
  • Fake mobile applications on official app stores
  • Credential-stuffing attacks against the official fan portal

Hospitality and Accommodation Fraud

Attacks against hospitality businesses and platforms, digital-key infrastructure, point-of-sale (PoS) systems and identity providers, together with fake short-term rental listings, are another area of risk.

QR-Code, Transportation and PoS Fraud

Tournament-specific QR-code fraud is the single fastest-growing variant. Pre-tournament listing scams have already been observed, and there is high potential for fake shuttle passes, parking permits and official fan-transport QR codes that fail when scanned. The spread of matches across 16 host cities multiplies opportunities for transit-themed fraud relative to a single-host-city tournament.

Phishing, Malware and Lure Themes

Confirmed lure themes from prior tournaments include:

  • Lottery winnings
  • Ticket cancellations
  • FIFA dispute-resolution decisions
  • Accreditation problems
  • FanID issues
  • Free streaming
  • Counterfeit merchandise

Expect typosquatted FIFA domains, malicious mobile applications, infostealers sold on Telegram, and Telegram-based reseller channels moving money through peer-to-peer payment apps, as summarized in Table 2.
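As an added example (not Unit 42's code and not part of the article), the following Python triages a feed of observed hostnames against a brand watchlist and labels the lookalike patterns the sections above describe: homoglyph substitution, one-edit typosquats (including adjacent-character transpositions), brand-plus-keyword "combosquats", and the brand name used as a subdomain of an unrelated registrable domain. The watchlist (only fifa.com), the confusables table and the sample feed are constructed assumptions for the example; a real deployment would load the brand's actual registered domains, the full Unicode confusables data and a public-suffix list, since the "last two labels" rule below mishandles suffixes such as co.uk.

```python
"""Lookalike-domain triage for a brand watchlist.

Added example, not Unit 42 code. PROTECTED, CONFUSABLES and SAMPLE_FEED
are constructed assumptions; registrable domain is approximated as the
last two labels (no public-suffix list).
"""
import unicodedata
from urllib.parse import urlsplit

PROTECTED = {"fifa.com"}  # assumed watchlist; only these are "legitimate"

# Small subset of UTS #39 confusables plus common digit/letter swaps.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o r
    "\u0441": "c", "\u0456": "i", "\u0131": "i",                  # Cyrillic c i, dotless i
    "0": "o", "1": "l", "3": "e", "5": "s",
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def hostname_of(value: str) -> str:
    """Accept a bare host or a URL; return the lower-cased, IDNA-decoded host."""
    host = urlsplit(value).hostname or "" if "://" in value else value.split("/", 1)[0]
    host = host.strip().rstrip(".").lower()
    if "xn--" in host:  # punycode feed entries are compared in Unicode form
        try:
            host = host.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass
    return host


def skeleton(label: str) -> str:
    """Map a label onto its plain-ASCII look-alike for comparison only."""
    text = unicodedata.normalize("NFKC", label)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for pair, single in MULTI_CONFUSABLES.items():
        text = text.replace(pair, single)
    return text


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(value: str, protected=PROTECTED):
    """Return (verdict, matched_brand) for one host or URL."""
    labels = hostname_of(value).split(".")
    if len(labels) < 2:
        return ("invalid", None)
    registrable, subdomains = ".".join(labels[-2:]), labels[:-2]
    if registrable in protected:           # checked on the raw host, not the skeleton
        return ("legitimate", registrable)
    reg_skel, sld_skel = skeleton(registrable), skeleton(labels[-2])
    sub_skels = [skeleton(s) for s in subdomains]
    for brand in sorted(protected):
        brand_sld = brand.split(".")[0]
        if reg_skel == brand:              # looks identical once confusables are folded
            return ("homoglyph", brand)
        if osa_distance(reg_skel, brand) <= (1 if len(brand) < 10 else 2):
            return ("typosquat", brand)    # e.g. dropped letter, swapped pair, TLD swap
        if brand_sld in sld_skel:
            return ("combosquat", brand)   # brand token glued to keywords
        if any(brand_sld in s for s in sub_skels):
            return ("subdomain_abuse", brand)  # brand as a prefix of another domain
    return ("unrelated", None)


# Constructed sample feed (not real observed infrastructure).
SAMPLE_FEED = [
    "fifa.com", "https://tickets.fifa.com/login", "f\u0456fa.com", "ffia.com",
    "fifa.cm", "fifa-tickets-2026.com", "fifa.com.resale-tickets.net", "example.com",
]


def triage(feed=SAMPLE_FEED):
    """Classify every entry of the feed; returns {entry: (verdict, brand)}."""
    return {item: classify(item) for item in feed}


if __name__ == "__main__":
    for item, (verdict, brand) in triage().items():
        print(f"{verdict:16} {item}" + (f"  (brand: {brand})" if brand else ""))
```

The skeleton step is applied only to the comparison, never to the allowlist lookup, so a Cyrillic "і" in fіfa.com cannot pass as the legitimate domain; the distance threshold is kept at one edit for short brands because two edits on an eight-character domain matches far too much unrelated traffic.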
Cybercriminal Vector | Primary Targets
Phishing, lookalike domains and typosquatting | All fans, especially first-time international travelers
Fake or resold tickets; FanID account takeover | Fans buying outside the FIFA platform
Hospitality ransomware (high-profile operators) | Hotel chains, property management, casino-resort venues
DDoS against host-city, federation or ticketing services | Host-city, federation and ticketing services, from pro-Russian and pro-Iran hacktivists
Hack-and-leak and doxxing of officials, sponsors, athletes | Officials, sponsors, athletes
QR-code, transportation and parking fraud | Fans moving between host cities
Mobile malware via fake apps in official stores | Android primarily; iOS via TestFlight

Table 2. Cybercriminal techniques that are possible during the World Cup.

Geopolitical Threats: Iran-Nexus and Disruptive Hacktivism

The geopolitical context for the 2026 tournament is materially different from any prior World Cup. The U.S.-Israel-Iran conflict has produced a surge in Iran-nexus cyber operations against U.S. organizations. The Russia-Ukraine war and the resulting NATO alignment of all three host nations make pro-Russian hacktivism an additional, parallel risk.

Iran-Nexus: The Handala Hack Team

The Handala Hack Team (aka Banished Kitten, Storm-0842, Void Manticore and Cobalt Mystique) and Ababil of Minab are just two of several front personas operated by Ir
