
Beyond the Pitch: Assessing Cyber Risks to the 2026 FIFA World Cup

Jun 22, 2026 3:29:49 PM / by The Hivemind


Verticals Targeted: Sports, Transportation, Hospitality, Telecommunications, Financial, Technology, Media, Government
Regions Targeted: US, Canada, Mexico, Participating Nations
Related Threat Actors: Handala, CyberAv3ngers, Sandworm, NoName057(16), Cyber Army of Russia Reborn, KillNet affiliates, APT41, Volt Typhoon, Silent Ransom Group, Scattered Spider
Related Families: HANDALA, OlympicDestroyer, NKWIPER, HermeticWiper, RedLine, BlackCat (ALPHV)

Executive Summary

The 2026 FIFA World Cup presents one of the largest cyber target environments in modern history, spanning three host nations, sixteen host cities, critical infrastructure, transportation systems, hospitality providers, broadcasters, government agencies, and millions of attendees. Historical precedent demonstrates that major sporting events attract nation-state actors, hacktivists, cybercriminals, and opportunistic threat actors seeking financial gain, disruption, intelligence collection, or publicity. PolySwarm telemetry confirms continued circulation of destructive malware, infostealers, and ransomware families during the tournament period, highlighting the diverse threat landscape facing organizations supporting World Cup operations.

Key Takeaways

  • Financially motivated cybercrime remains the most likely threat facing World Cup stakeholders.
  • Russian-aligned hacktivist groups possess demonstrated capability and historical precedent for targeting major international events.
  • Iranian-affiliated actors continue to target critical infrastructure sectors that support municipal and public services.
  • Credential theft, phishing, ticket fraud, and social engineering are expected to pose greater operational risk than destructive malware.
  • Supply chain compromise represents a significant risk due to the event's dependence on third-party service providers.
  • The attack surface spans three nations and multiple regulatory jurisdictions, complicating coordinated incident response and creating cross-border visibility gaps that adversaries can exploit.

Background

The 2026 FIFA World Cup represents a uniquely attractive target due to its global visibility, distributed infrastructure, and dependence on interconnected public and private sector organizations. While highly disruptive attacks remain possible, the most probable cyber incidents are expected to involve credential theft, phishing, ransomware, DDoS activity, social engineering, and fraud.

Unlike previous World Cups hosted within a single nation, the 2026 FIFA World Cup is distributed across the United States, Canada, and Mexico. This tri-national hosting model significantly increases operational complexity by introducing multiple regulatory environments, telecommunications providers, transportation networks, emergency response organizations, government agencies, and critical infrastructure operators. The need to coordinate security, logistics, communications, and technology services across three countries and sixteen host cities creates a larger and more diverse attack surface than previous tournaments, increasing opportunities for threat actors to target supporting organizations, third-party vendors, and interconnected systems. The 39-day tournament, which runs from June 11, 2026 through July 19, 2026, will feature 48 teams.

The tournament's tri-national hosting model expands the attack surface beyond traditional event infrastructure, creating dependencies across transportation systems, hospitality providers, municipal governments, telecommunications networks, payment systems, and emergency services. Threat actors may exploit these interdependencies to maximize impact while avoiding heavily defended tournament infrastructure.

Scale and Attack Surface

  • 104 matches over 39 days in 16 host cities
  • 6M+ in-venue fans and ~3.5B global viewers
  • 3 host nations: US, Canada, Mexico

The 2026 FIFA World Cup represents far more than a sporting event. Over the course of the tournament, millions of international visitors, government officials, corporate executives, media personnel, and support staff will interact with a vast ecosystem of transportation networks, telecommunications infrastructure, financial systems, hospitality providers, emergency services, and public-sector organizations. The scale and complexity of these interconnected operations create an expansive attack surface that extends well beyond stadium walls. For cybercriminals, hacktivists, and state-sponsored threat actors alike, the tournament presents a rare opportunity to target globally visible organizations and critical services while maximizing potential operational, financial, or reputational impact. Few events generate a comparable concentration of valuable targets and public attention, making the World Cup one of the most attractive cyber targets of 2026. The US government has designated most World Cup matches as nationally significant security events, and the final at MetLife Stadium on July 19, 2026 as a National Special Security Event, a designation that unlocks enhanced intelligence-sharing, monitoring, and emergency preparedness coordination.

Historical Cyber Activity Targeting Major Sporting Events

Pyeongchang Winter Olympics (2018)

The 2018 Winter Olympics in Pyeongchang, South Korea, remain one of the most notable examples of cyber activity impacting a major international sporting event. During the opening ceremony, the OlympicDestroyer malware disrupted portions of the Olympic environment, affecting ticketing systems, wireless networks, internet connectivity, and supporting operational services. Although event organizers were able to restore many affected systems before significant long-term disruption occurred, the incident demonstrated how threat actors can leverage globally visible events to maximize attention and operational impact. The attack remains a frequently cited example of how cyber operations can target the supporting infrastructure surrounding a sporting event rather than the competition itself.

FIFA World Cup Qatar (2022)

The 2022 FIFA World Cup generated substantial cybercriminal activity targeting fans, travelers, and organizations associated with the tournament. Security researchers documented widespread fraud campaigns involving fake ticketing platforms, fraudulent domains impersonating official World Cup services, credential harvesting operations, counterfeit mobile applications, and account compromise activity. Rather than targeting tournament infrastructure directly, most observed campaigns focused on exploiting public interest in the event to conduct financial fraud, steal credentials, and distribute malicious content. The activity highlighted how major sporting events create lucrative opportunities for cybercriminals seeking to capitalize on increased online engagement, urgency, and consumer demand.

Paris Olympics (2024)

The 2024 Summer Olympics in Paris demonstrated the continued attractiveness of globally visible sporting events to a diverse range of threat actors. French authorities reported more than 140 cyber events during the Games, including confirmed intrusions, distributed denial-of-service (DDoS) attacks, ransomware activity, and other malicious cyber operations targeting organizations associated with the event. While organizers successfully prevented any major disruption to Olympic competition, the volume and variety of observed activity underscored the persistent interest of cybercriminals, hacktivists, and state-sponsored actors in exploiting high-profile international events. The Paris Olympics reinforced the importance of proactive cybersecurity planning, cross-organizational coordination, and continuous monitoring throughout large-scale global tournaments.

Threat Actor Landscape

Iran-Aligned Actors

Risk Rating: Moderate Probability

The escalation in US-Israel-Iran tensions following the kinetic conflict that began February 28, 2026 has materially reordered the threat surface for any US-hosted event. Additionally, CISA advisory AA26-097A documents an ongoing Iranian-affiliated campaign targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers in US critical infrastructure. Separately, IRGC-affiliated actors have targeted Israeli-made Unitronics Vision Series PLCs at US water, energy, and municipal facilities, which are among the same categories of infrastructure operating under tournament load in host cities. Although direct World Cup targeting has not been publicly confirmed, the overlap between recently targeted infrastructure sectors and services supporting tournament operations elevates concern.

Potential Targets:

  • Water utilities
  • Energy providers
  • Municipal governments
  • Transportation support systems
  • Emergency services

Representative Actors:

  • Handala
  • CyberAv3ngers
  • IRGC-linked operators
  • MOIS-associated clusters

Russia-Aligned Actors

Risk Rating: Moderate Probability

Russia possesses the strongest historical association with cyber activity targeting major sporting events. Sandworm directly deployed the OLYMPICDESTROYER wiper at the 2018 Pyeongchang Winter Olympics, disabling Wi-Fi at the opening ceremony, taking down the official ticketing system, disrupting broadcast drone operations, and compromising over 300 systems, requiring 12 hours to restore.

Potential Targets:

  • Public-facing portals
  • Transportation services
  • Government websites
  • Broadcasters
  • Ticketing systems

Representative Actors:

  • Sandworm
  • NoName057(16)
  • Cyber Army of Russia Reborn
  • KillNet affiliates

Chinese State-Sponsored Actors

Risk Rating: Moderate Probability

Chinese state-sponsored cyber operations are generally more likely to focus on intelligence collection, strategic access, and long-term espionage objectives than overt disruption. The 2026 FIFA World Cup will bring together government delegations, multinational corporations, telecommunications providers, media organizations, and critical infrastructure operators from around the world, creating a rare concentration of potential intelligence targets. The tournament's reliance on interconnected communications networks, transportation systems, cloud infrastructure, and third-party service providers may provide opportunities for espionage-focused actors to conduct reconnaissance, collect information, or establish access to networks of strategic interest. Although disruptive activity is considered less likely, the event's scale and international significance make it an attractive environment for intelligence gathering and cyber espionage operations.

Potential Targets:

  • Government officials
  • Corporate sponsors
  • Telecommunications providers
  • International organizations

Representative Actors:

  • APT41
  • Volt Typhoon
  • Salt Typhoon

Financially Motivated Cybercrime

Risk Rating: High Probability

Financially motivated cybercrime represents the most likely threat category affecting the 2026 FIFA World Cup ecosystem. The event's global visibility, large volume of attendees, and extensive digital infrastructure create numerous opportunities for cybercriminals to conduct credential theft, ransomware attacks, fraud, social engineering, and influence operations. Credential theft campaigns may target ticketing platforms, travel accounts, hotel reservations, corporate VPNs, and payment systems through phishing campaigns, fraudulent websites, malicious applications, and infostealer malware such as RedLine, Lumma, Vidar, Stealc, and Raccoon. At the same time, ransomware operators may seek to exploit the operational pressures associated with a globally significant event, targeting hospitality providers, transportation organizations, municipal governments, broadcasters, and managed service providers. Representative ransomware groups capable of conducting such operations include DragonForce, Akira, Qilin, Play, Medusa, and INC Ransom. Identity-centric attacks also continue to increase in prevalence and may pose a significant risk throughout the tournament. Threat actors such as Silent Ransom Group and Scattered Spider have demonstrated the effectiveness of social engineering techniques including help desk impersonation, voice phishing, credential theft, MFA fatigue attacks, and account compromise.

Potential Targets:

  • Ticketing platforms and marketplaces
  • Travel and airline accounts
  • Hotel reservation systems
  • Hospitality providers
  • Transportation organizations
  • Municipal governments
  • Broadcasters and media organizations
  • Payment processors and financial services
  • Corporate VPNs and identity providers
  • Managed service providers (MSPs)
  • High-profile individuals, including athletes, government officials, sponsors, and executives

Representative Actors:

  • Silent Ransom Group
  • Scattered Spider
  • Various ransomware and extortion groups

PolySwarm Telemetry and Malware Observations

PolySwarm telemetry identified continued circulation of the following malware families associated with destructive attacks, credential theft, and ransomware activity during the period leading up to and coinciding with the tournament.

Family | Type | Samples / Activity | Significance
HANDALA | Wiper | 4 samples between 2019–Aug 2024 | MOIS-linked; 5-year operational lifespan; targets US and Israeli organizations
OLYMPICDESTROYER | Wiper | 10 samples between Dec 2025–Jan 2026 | Sandworm-attributed; disabled the Pyeongchang 2018 opening ceremony; 13/15 detections
NKWIPER / FSWIPER | Wiper | Submitted Jun 11–12, 2026 | First seen on tournament days 1 and 2; 10–11/16–17 detections; event-timing pattern
HERMETICWIPER | Wiper | 1 sample submitted Jun 5, 2026 | 11/13 detections; sample appeared in the pre-kickoff window
REDLINE | Infostealer | 10 samples between Jun 15–16, 2026 | Fan credential harvesting compromised 90 FanID accounts at Qatar 2022; 8–14/17 detections
BLACKCAT (ALPHV) | Ransomware | 10 samples between Mar–Jun 2026 | Confirmed Jun 16; linked to the MGM Resorts 2023 attack; Rust-based, targets ESXi

A list of associated hashes is available in the IOCs section at the end of this report.

Supply Chain Risk

The 2026 FIFA World Cup relies on a complex network of third-party providers that support nearly every aspect of tournament operations. Ticketing platforms, payment processors, telecommunications providers, cloud service operators, broadcast partners, hospitality vendors, managed service providers, and stadium technology companies all play critical roles in delivering services to organizers, attendees, sponsors, and host cities. This interconnected ecosystem creates opportunities for threat actors to target trusted suppliers rather than attempting to compromise heavily defended tournament infrastructure directly.

Recent cyber incidents have demonstrated that attacks against a single vendor can have cascading effects across multiple downstream organizations. A compromise involving a cloud provider, telecommunications operator, ticketing platform, payment processor, or technology supplier could disrupt services across multiple host cities simultaneously, potentially impacting transportation, communications, broadcasting, venue operations, or attendee services. Because many organizations supporting the tournament share common providers and technology platforms, supply chain compromises may offer attackers a more efficient path to achieving widespread operational or financial impact.

Threat actors ranging from ransomware groups and financially motivated cybercriminals to state-sponsored operators have increasingly targeted third-party providers to gain access to larger ecosystems of victims. The distributed nature of the 2026 World Cup, spanning three countries and sixteen host cities, further amplifies this risk by increasing reliance on a broad network of vendors, contractors, and service providers responsible for supporting tournament operations. As a result, organizations should consider supply chain security, vendor monitoring, and third-party risk management as critical components of their overall defensive strategy.

Tournament Infrastructure Dependencies

The successful operation of the 2026 FIFA World Cup depends on a complex network of interconnected systems and service providers that extend far beyond stadiums and event organizers. From ticket validation and venue access control to transportation networks, emergency services, telecommunications infrastructure, and hospitality platforms, numerous technologies and organizations must function reliably throughout the tournament. Disruption affecting any of these dependencies could impact attendee experience, tournament operations, public safety, or supporting services, making them attractive targets for cybercriminals, hacktivists, and state-sponsored threat actors.

At-risk tournament infrastructure includes:

  • Stadium operations
      • Ticket validation
      • Access control
      • Communications
      • Digital signage
      • Network infrastructure
  • Transportation
      • Airports
      • Rail systems
      • Public transit
      • Traffic management
  • Hospitality
      • Hotels
      • Booking platforms
      • Payment systems
  • Public safety
      • Emergency communications
      • Municipal services
      • Law enforcement
  • Mobile networks
  • ISPs
  • Cloud infrastructure

Verticals at Risk

The World Cup's expansive ecosystem creates exposure across numerous industries and sectors that support tournament operations either directly or indirectly. While stadium operators and event organizers are obvious targets, threat actors may find greater opportunities by targeting critical infrastructure providers, transportation organizations, hospitality services, government agencies, telecommunications operators, financial institutions, and other supporting entities. These sectors collectively enable the movement of attendees, operation of venues, delivery of essential services, and execution of tournament-related activities across all host locations.

At-risk verticals include:

  • Critical Infrastructure
  • Energy
  • Water
  • Transportation
  • Logistics
  • Hospitality
  • Sports
  • Government
  • Telecommunications
  • Financial Services
  • Media

Regions at Risk

Although the tournament is hosted in the United States, Canada, and Mexico, the potential impact of cyber activity extends well beyond the host nations themselves. The global nature of the World Cup creates a broad geographic threat landscape encompassing participating countries, international transportation hubs, multinational sponsors, media organizations, and service providers supporting tournament operations. As a result, cyber incidents affecting the World Cup ecosystem may have operational, financial, or reputational consequences across multiple regions simultaneously, particularly where organizations maintain direct connections to tournament infrastructure, attendees, or supporting services. A full list of countries with teams participating in FIFA World Cup 2026 can be found on the FIFA website.

Current vs Historical Threat Comparison

As noted above, previous international sporting events have attracted a wide range of cyber activity, from credential theft and financial fraud to disruptive attacks and influence operations. Although historical incidents do not guarantee future activity, they provide useful context for assessing which threats are most likely to affect the 2026 FIFA World Cup. The following comparison evaluates historically observed threat categories and their anticipated relevance to the current tournament environment.

Threat Category | Historical Events | World Cup 2026 Assessment
Wipers | Olympics 2018 | Moderate
DDoS | Olympics, NATO events | Elevated
Ransomware | Paris 2024 ecosystem incidents | High
Supply Chain Compromise | Increasing trend globally | High
Influence Operations | Increasing globally | High
Credential Theft | Qatar 2022 | Very High
Ticket Fraud | Qatar 2022 | Very High

Most Likely Attack Scenarios

The most likely cyber incidents affecting the 2026 FIFA World Cup will occur outside stadium walls. Credential theft, phishing, ticket fraud, social engineering, ransomware, and supply chain compromise represent the greatest operational risks to organizations supporting tournament operations. While nation-state actors and hacktivist groups remain important considerations, historical evidence suggests cybercriminals will continue to exploit the event's visibility, urgency, and scale to target fans, businesses, and service providers. PolySwarm telemetry demonstrates continued circulation of malware families associated with destructive attacks, credential theft, and extortion, reinforcing the need for proactive monitoring and rapid incident response capabilities throughout the tournament period.

Ticketing and Credential Theft

Threat actors may leverage phishing campaigns, fraudulent websites, malicious mobile applications, and infostealer malware to harvest credentials associated with ticketing platforms, travel services, loyalty programs, and financial accounts. Compromised accounts could be used to facilitate fraud, account takeover, or secondary market ticket resale schemes. The FBI's IC3 issued PSA260527 on May 27, 2026, formally warning that threat actors are conducting active spoofing attacks against the FIFA website, registering typosquatted domains to harvest PII, sell fake tickets, and facilitate financial fraud. A list of these domains is available in the IOCs section at the end of this report.

Hospitality and Travel Disruption

Hotels, airlines, booking platforms, and transportation providers may be targeted by ransomware operators or social engineering groups seeking financial gain. Disruption affecting a major travel provider could impact thousands of visitors without directly targeting tournament infrastructure.

Public-Sector Service Disruption

Hacktivist and state-sponsored actors may target municipal websites, public transit systems, tourism portals, or emergency communications systems in host cities to generate publicity or undermine confidence in tournament operations.

Emerging Areas of Concern

While phishing, ransomware, and DDoS attacks remain well-established threats during major international events, several emerging trends may increase risk during the 2026 FIFA World Cup. The tournament's unprecedented scale, tri-national hosting model, and reliance on digital services create opportunities for threat actors to leverage evolving tactics that extend beyond traditional cybercrime and network intrusion activity.

AI-Enabled Fraud and Social Engineering

Advancements in generative artificial intelligence have significantly lowered the barrier to creating convincing phishing emails, fraudulent websites, fake customer support interactions, and synthetic media. Threat actors may leverage AI-generated content to impersonate tournament organizers, ticketing providers, travel companies, sponsors, or government agencies in an effort to steal credentials, conduct financial fraud, or distribute malware. As millions of fans seek information related to tickets, travel, accommodations, and match schedules, AI-enhanced scams may prove more difficult for users to identify than traditional phishing campaigns.

QR Code Abuse

QR codes have become increasingly common across ticketing platforms, transportation systems, hospitality services, mobile payments, and venue operations. Threat actors may exploit this reliance by distributing malicious QR codes through phishing emails, fraudulent advertisements, social media campaigns, or physical sticker overlays placed in public locations. Successful abuse could redirect users to credential harvesting pages, malicious applications, fraudulent payment portals, or malware delivery infrastructure. The widespread adoption of QR-based services throughout the tournament ecosystem may create additional opportunities for opportunistic fraud.

Temporary Workforce and Third-Party Risk

Large international sporting events depend on thousands of temporary workers, contractors, volunteers, and third-party service providers to support daily operations. These personnel often require rapid onboarding and varying levels of system access, potentially creating opportunities for phishing, credential theft, social engineering, and insider-related security incidents. Threat actors have increasingly demonstrated an ability to exploit help desks, customer support personnel, and contractor relationships to gain initial access to targeted environments. The scale of temporary staffing required to support the World Cup may expand the number of potential entry points available to attackers.

AI-Generated Disinformation and Event Manipulation

The global visibility of the World Cup makes it an attractive target for influence operations designed to spread false information, amplify existing incidents, or undermine confidence in tournament operations. Advances in synthetic media generation may enable threat actors to create convincing but fraudulent images, audio recordings, videos, or news reports related to security incidents, venue disruptions, travel restrictions, or public safety concerns. Even short-lived misinformation campaigns could generate confusion among attendees, strain public resources, or create reputational challenges for host organizations.

Analyst Commentary

Whether your country knows the sport as soccer, football, fútbol, futebol, calcio, or something else entirely, the 2026 FIFA World Cup represents one of the most attractive cyber target environments of the year. Significantly, it brings together critical infrastructure providers, government agencies, telecommunications operators, hospitality organizations, transportation networks, corporate sponsors, and millions of attendees within a highly visible global event. While public attention often focuses on the possibility of disruptive nation-state operations, historical incidents associated with major sporting events suggest organizations are more likely to encounter credential theft, phishing campaigns, ticket fraud, social engineering, ransomware, and other opportunistic attacks targeting the broader tournament ecosystem.

The 2026 tournament's unique tri-national structure expands the attack surface beyond what defenders have historically encountered during major sporting events. Rather than focusing on a single host nation, security teams must consider risks across three countries, multiple regulatory frameworks and jurisdictions, numerous infrastructure providers, and thousands of supporting organizations participating in tournament operations.

PolySwarm telemetry observed continued circulation of malware families associated with prior destructive attacks, credential theft, and extortion operations during the period leading up to and coinciding with the tournament, including HANDALA, OlympicDestroyer, NKWIPER, HermeticWiper, RedLine, and BlackCat. Although the presence of these malware families does not independently indicate World Cup targeting, their continued activity highlights the diverse range of threats capable of impacting organizations supporting tournament operations.

PolySwarm's crowdsourced threat intelligence ecosystem provides defenders with visibility into emerging malware families, suspicious artifacts, and evolving threat activity identified by security vendors, independent researchers, and malware analysts worldwide. As organizations prepare for the remainder of the tournament, access to diverse threat intelligence sources can help security teams identify emerging threats more rapidly, validate suspicious files with greater confidence, and reduce the time between initial compromise and detection.

IOCs

Hashes

Below is a selection of hashes of the malware samples mentioned in the PolySwarm Telemetry and Malware Observations section of this report.

Family | SHA256 | Classification | First Seen
HANDALA | e28085e8d64bb737721b1a1d494f177e571c47aab7c9507dba38253f6183af35 | Wiper | Aug 2024
OLYMPICDESTROYER | 76ab6e2a89c9df04387913983f636999d2241470fc21b32d718e49a55c0014a3 | Wiper | Dec 2025
OLYMPICDESTROYER | 728142cbf4903be54d71ddce18634265944bb1c8ac0e802da3b66bf9e326185b | Wiper | Jan 2026
NKWIPER | be417649c7ffd97e6d7f6ec2dabcd8e8eae0b64211f7db668016960ce263bb79 | Wiper | Jun 11 2026
NKWIPER | 2548b115b20a3f48b4617e78e5433b068d3ab34cd9abf35d39ee5b7e330e417a | Wiper | Jun 12 2026
HERMETICWIPER | 3fe080a7539d3f1d73d18271520266d1a8652c790a6a9ca5af22d87129344598 | Wiper | Jun 5 2026
REDLINE | 95a20614a82e3e2eb4f4885f77eba76e936d6466482d78980f315711c9d75fb7 | Infostealer | Jun 15 2026
BLACKCAT | 5db0209455e36b2dc2f30f79c758e6cd178b5609ff24be841d6266f1e150a2b7 | Ransomware | Jun 16 2026

Domains

Below are the FBI-flagged spoofed FIFA domains identified in IC3 PSA260527:

Domain | Tactic | Source
fiffa[.]com | Typosquat of fifa.com, potentially for PII harvesting and fake ticketing | FBI IC3 PSA260527, May 27 2026
jobs-fifa[.]com | Subdomain impersonation, potentially for credential phishing | FBI IC3 PSA260527, May 27 2026

Note: According to the FBI PSA, additional domains beyond these examples have been identified but were not publicly listed. Fans and organizations should verify that all FIFA-related URLs resolve to the official FIFA website before entering any personal or payment information.
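As an added illustration (not PolySwarm's code or tooling), the following Python applies the "verify the URL resolves to the official FIFA site" guidance to URLs pulled from mail or proxy logs, or decoded from QR codes as discussed in the QR Code Abuse section, using the two defanged domains above as its IOC list. The sample log lines, the two-label registrable-domain shortcut and the edit-distance heuristic are assumptions of this example.

```python
"""Classify URLs against the spoofed-FIFA-domain guidance in FBI IC3 PSA260527,
as summarised in the report above (added example, not part of the report)."""
from urllib.parse import urlparse

# The legitimate site fans are told to verify against (from the report).
OFFICIAL_DOMAIN = "fifa.com"
BRAND = "fifa"

# Defanged domains copied from the report's IOC table (IC3 PSA260527).
FLAGGED_DOMAINS_DEFANGED = ["fiffa[.]com", "jobs-fifa[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'fiffa[.]com' back into 'fiffa.com'."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


FLAGGED_DOMAINS = frozenset(refang(d) for d in FLAGGED_DOMAINS_DEFANGED)


def hostname_of(url: str) -> str:
    """Lower-case hostname of a URL; bare hostnames without a scheme are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption/simplification: no public-suffix
    list, so country-code second-level domains such as .co.uk are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'official', 'ioc-match', 'lookalike' or 'unrelated'.

    official   - fifa.com itself or a genuine subdomain of it
    ioc-match  - registrable domain is on the FBI-flagged list
    lookalike  - not official, but the brand appears anywhere in the host
                 (e.g. 'fifa.com.' used as a subdomain prefix on another domain)
                 or the second-level label is one edit away from the brand
    unrelated  - no resemblance to the brand
    """
    host = hostname_of(url)
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    reg = registrable_domain(host)
    if reg in FLAGGED_DOMAINS:
        return "ioc-match"
    sld = reg.split(".")[0]
    if BRAND in host or edit_distance(sld, BRAND) <= 1:
        return "lookalike"
    return "unrelated"


def suspicious_urls(log_lines):
    """Scan proxy-style lines ('<timestamp> <user> <url>') and return the URLs
    whose verdict is 'ioc-match' or 'lookalike', paired with the verdict."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        verdict = classify_url(fields[2])
        if verdict in ("ioc-match", "lookalike"):
            hits.append((fields[2], verdict))
    return hits


# Constructed sample log lines for illustration; not real telemetry.
SAMPLE_LOG = [
    "2026-06-15T10:01:02Z alice https://www.fifa.com/tickets",
    "2026-06-15T10:02:17Z bob https://fiffa.com/worldcup/tickets",
    "2026-06-15T10:03:44Z carol http://jobs-fifa.com/apply",
    "2026-06-15T10:04:09Z dave https://fifa.com.ticket-resale.example/login",
    "2026-06-15T10:05:51Z erin https://weather.example/forecast",
]

if __name__ == "__main__":
    for url, verdict in suspicious_urls(SAMPLE_LOG):
        print(f"{verdict:10} {url}")
```

A hit on a lookalike is a triage lead, not a verdict: homoglyph (IDN) hosts and typosquats more than one edit away are not caught by this heuristic.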
