One of fútbol’s premier events is about to hit North America this summer with the FIFA World Cup 2026 stretching across the U.S., Canada, and Mexico.
The tournament will feature 48 national teams competing to become champions – up from 32 in previous tournaments – across 16 host cities. It will be the first time the tournament is hosted across three separate nations.
These 48 teams across 16 cities in three countries represent patriotic and civic pride, but they can also represent significant attack vectors for threat actors.
Criminal fraud, financial scams and DDoS attacks likely to rise
Hundreds of players and millions of fans present opportunities for exploitation and breaches that can lead to financial distress, fraud, and politically motivated distributed denial-of-service (DDoS) attacks.
The tournament’s success depends not only on the security of dozens of venues that will host the matches but also on networks of municipal services such as public transit, signalized traffic, water and wastewater treatment, regional power, airport operations, and emergency services. All of these are surfaces that adversaries can exploit.
On the bright side, public and private organizations are working to ensure that the public is informed and protected once the tournament kicks off.
Threats before the games begin
The U.S. Federal Bureau of Investigation (FBI) has recently issued a public service announcement (PSA) on threat actors spoofing FIFA websites.
These spoofed websites are designed to appear legitimate and are used by malicious actors for illegal activities, including the theft of personal information and financial scams.
According to the FBI, threat actors will create spoofed websites by slightly altering characteristics of legitimate website domains. They will collect personally identifiable information (PII) that users enter on the site, which they can then harvest, sell, or use.
The Bureau provides tips to protect yourself, along with a reporting link.
This is just one example of how threat actors seek early opportunities to exploit civilians who simply want to participate in this event.
Data risks pose threat to soccer organizations
While some threat actors pose a risk to the general public, fútbol organizations are also at risk.
As recently as April 2026, one hacker group claimed credit for publishing an alleged data leak targeting the entire Asian Football Confederation (AFC) and Al Nassr FC, a top club in both the men’s and women’s Saudi Premier Leagues.
The breach allegedly includes 150,000+ player and coach passport IDs, verified email addresses, contracts, and competition registration forms.
AFC members Japan, South Korea, Australia, Iran, and Saudi Arabia are competing in the FIFA World Cup, while four players from Al Nassr FC play for Portugal, Senegal, Croatia, and Spain.
According to Dataminr, player registration data, passport documentation, and contact details held by the AFC directly overlap with the personal and travel infrastructure underpinning World Cup participation.
FIFA’s player eligibility and registration systems maintain data-sharing relationships with confederations including the AFC, which means the breach could extend into FIFA’s tournament operations and the integrity of competition documentation.
Malicious FIFA-themed domains already active
The FBI PSA and the prior data breach indicate how vulnerable the FIFA World Cup is before it gets underway.
If that wasn’t enough, research from Fortinet’s FortiGuard Labs found that cybercriminal infrastructure linked to the FIFA World Cup is already operational.
From January to May 2026, more than 13,000 new FIFA World Cup 2026-themed domains were registered, and 8.8 percent of those domains have been identified as malicious or suspicious through pattern analysis and scam activity.
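As an added illustration (not code from the FBI, Fortinet, or this article), the sketch below triages newly registered domains for the slightly altered names the FBI describes and for themed registrations on unofficial domains. It is one simple form of pattern analysis, not Fortinet's method; the allowlist, keyword list, confusable map, and `.example` sample domains are assumptions constructed for the example.

```python
import re
import unicodedata

# Assumption: registrable domains this defender treats as official.
OFFICIAL = {"fifa.com"}
BRANDS = {d.split(".")[0] for d in OFFICIAL}
KEYWORDS = ("fifa", "worldcup")  # assumed theme keywords
# Characters commonly swapped in to imitate another letter (small sample).
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i",
                             "\u0430": "a", "\u0456": "i"})

def to_unicode(host):
    """Decode punycode (xn--) labels so homoglyphs become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA

def fold(text):
    """Strip accents and map confusable characters to a plain skeleton."""
    nfkd = unicodedata.normalize("NFKD", text)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).translate(CONFUSABLES)

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    host = to_unicode(domain.strip().lower().rstrip("."))
    # Naive registrable domain (last two labels); real use needs the Public Suffix List.
    if ".".join(host.split(".")[-2:]) in OFFICIAL:
        return "official"
    for token in re.split(r"[.-]", host):
        if token not in BRANDS and any(edit_distance(fold(token), b) <= 1 for b in BRANDS):
            return "lookalike"  # typo or homoglyph of an official name
    skeleton = fold(host)
    for k in KEYWORDS:
        if fold(k) in skeleton:  # keyword present, possibly disguised
            return "brand-keyword" if k in host else "lookalike"
    return "unrelated"

# Constructed sample input (reserved .example TLD), not real observed domains.
SAMPLES = ["tickets.fifa.com", "f1fa.example", "f\u00edfa.example",
           "fiffa-tickets.example", "fifa.com.login.example", "weather.example"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:28} {classify(s)}")
```

With a four-letter brand, an edit-distance threshold of 1 will also flag unrelated short names, so the labels are a review queue rather than a verdict.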
What security experts should be wary of during the tournament
Palo Alto Networks’ Unit 42, a threat research center, recently shared information on the World Cup’s risk picture, based on a review of cyber operations against prior events from 2016 through the Milano-Cortina 2026 Winter Games.
The assessment indicates that disruptive intrusions, large-scale criminal fraud, DDoS attacks, and hack-and-leak operations are highly likely during the 2026 World Cup.
The research center identifies three drivers of risk during the World Cup:
- Iran-nexus activity: The current U.S.-Israel-Iran conflict has painted a target on any U.S.-hosted event. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a joint advisory stating that there is an active, ongoing Iranian-affiliated campaign. The campaign is targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) in U.S. critical infrastructure, alongside Islamic Revolutionary Guard Corps (IRGC) targeting of Israeli-made Unitronics Vision Series PLCs at U.S. water, energy, and municipal targets. These are the same categories of infrastructure that World Cup host cities will be operating.
- Russia-nexus hacktivism: Over 3,700 verified DDoS attacks against governments and critical sectors in NATO member states have been credited to NoName057(16). As a politically symbolic event, the World Cup is the perfect target.
- Financially motivated crimes: During the 2022 World Cup in Qatar, Group-IB identified more than 16,000 fraudulent domains and 90 compromised Hayya fan portal accounts. The hospitality stack, which includes reservations, digital keys, point-of-sale (PoS) machines, and loyalty data, is a target for ransomware operators. Ticket fraud, accommodation fraud, transportation QR code fraud, and FanID-equivalent account takeover are targets across all three host nations.
What fans should be wary of during the tournament
Financially motivated crime is seen as the most likely and most frequent threat category during the World Cup.
Hospitality and accommodation fraud is another potential area of risk, including attacks against point-of-sale (PoS) systems and fake short-term rental properties.
QR-code fraud is a growing threat, and there is a high potential for fake shuttle passes, parking permits, and official fan transport QR codes.
Fortinet’s security report also identifies major categories of FIFA-themed threats, including:
- Phishing and fake ticketing websites
- Resale ticket scams promoted through Telegram and other channels
- Fake merchandise storefronts
- Malicious betting and streaming applications
- Third-party Android Package Kit (APK) downloads carrying potential malware risk
- Social media impersonation accounts
- Fake job postings and recruitment lures
- Cryptocurrency scams and fake airdrops
- Credential exposure tied to stealer malware and historical breach data
What cyber professionals should do
Unit 42 made a number of recommendations for the tournament organization, host-city committees, municipal operators, hospitality, venue operators, broadcast partners, and fans.
For tournament organization and host-city committees, Unit 42 recommends:
- Stand up a single, multi-jurisdictional cyber operations center with U.S. CISA, the Canadian Centre for Cyber Security, Mexico’s CERT-MX, the FBI, the RCMP, and Mexican federal cyber liaison co-located or fully integrated, replicating the ANSSI/Paris 2024 model.
- Inventory the full vendor and supplier graph for each host city and conduct credential-rotation, default-password, and remote-access audits across that graph.
- Mandate that no tournament network, at any ring, permits consumer remote-access tools on production infrastructure for the duration of the tournament window.
- Pre-position DDoS scrubbing capacity, content-delivery-network failover, and rate-limiting on all fan-facing domains.
- Run a destructive-malware tabletop. Validate that backups are isolated, immutable, and recoverable inside a four-hour window.
Among the recommendations for hospitality and venue operators are:
- Treat the IT help desk as the first line of defense and the most likely point of compromise. Implement out-of-band caller-verification protocols; ban credential resets initiated by phone alone; assume that publicly identifiable employees are reconnaissance targets.
- Segregate identity-provider trust from VMware ESXi management.
- Maintain offline runbooks for property management, PoS, digital key, and reservation systems. Confirm pen-and-paper fallback works under load.
And, for fans and the traveling public, it’s recommended that they:
- Buy tickets only from the official FIFA platform or a FIFA-authorized resale partner, and do not buy through Telegram, WhatsApp, social media DMs, or peer-to-peer payment apps. Use a credit card with chargeback protection, too.
- Verify accommodation listings with major platforms; treat off-platform wire transfers and cryptocurrency requests as fraud. Cross-reference street view and listing photos.
- Treat any QR code presented in transit, parking, or fanzone contexts with skepticism. Cross-check with the host city’s official transportation app or website before scanning.
- When utilizing public Wi-Fi, use a reputable VPN for any account-level activity or use cellular data. Disable Wi-Fi auto-join and remove networks after use.
- Patch mobile devices, avoid sideloading apps, and verify every FIFA app against the FIFA-published list of official applications.





